[Senate Hearing 116-461]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 116-461
 
                     STATE AND LOCAL CYBERSECURITY:
                  DEFENDING OUR COMMUNITIES FROM CYBER
                         THREATS AMID COVID-19

=======================================================================

                                HEARING

                               before the

                    SUBCOMMITTEE ON FEDERAL SPENDING
                   OVERSIGHT AND EMERGENCY MANAGEMENT

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            DECEMBER 2, 2020

                               __________

                  Available via http://www.govinfo.gov

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs
                        
                        
                        
 
 
 
 
                      U.S. GOVERNMENT PUBLISHING OFFICE 
43-278 PDF                   WASHINGTON : 2021  
                        
                        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
               David M. Weinberg, Minority Staff Director
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk

  SUBCOMMITTEE ON FEDERAL SPENDING OVERSIGHT AND EMERGENCY MANAGEMENT

                     RAND PAUL, Kentucky, Chairman
RICK SCOTT, Florida                  MAGGIE HASSAN, New Hampshire
MICHAEL B. ENZI, Wyoming             KAMALA D. HARRIS, California
JOSH HAWLEY, Missouri                KYRSTEN SINEMA, Arizona
                      Greg McNeill, Staff Director
                  Harlan Geer, Minority Staff Director
                      Kate Kielceski, Chief Clerk
                      
                            C O N T E N T S

                                 ------                                
Opening statement:
                                                                   Page
    Senator Paul.................................................     1
    Senator Hassan...............................................     2
    Senator Rosen................................................    12
    Senator Sinema...............................................    27
Prepared statement:
    Senator Paul.................................................    31
    Senator Hassan...............................................    33

                               WITNESSES
                      Wednesday, December 2, 2020

Brandon Wales, Acting Director, Cybersecurity and Infrastructure 
  Security Agency, U.S. Department of Homeland Security..........     3
Denis Goulet, Commissioner, New Hampshire Department of 
  Information Technology.........................................    15
John Riggi, Senior Advisor for Cybersecurity and Risk, American 
  Hospital Association...........................................    17
Leslie Torres-Rodriguez, Ed.D., Superintendent of Schools, 
  Hartford Public Schools........................................    19
Bill Siegel, Chief Executive Officer and Co-Founder, Coveware, 
  Inc............................................................    23

                     Alphabetical List of Witnesses

Goulet, Denis:
    Testimony....................................................    15
    Prepared statement...........................................    45
Riggi, John:
    Testimony....................................................    17
    Prepared statement...........................................    51
Siegel, Bill:
    Testimony....................................................    23
    Prepared statement...........................................    63
Torres-Rodriguez, Leslie, Ed.D.:
    Testimony....................................................    19
    Prepared statement...........................................    61
Wales, Brandon:
    Testimony....................................................     3
    Prepared statement...........................................    35
Responses to post-hearing questions for the Record:
    Mr. Wales....................................................    81
    Mr. Goulet...................................................    83


                     STATE AND LOCAL CYBERSECURITY:

       DEFENDING OUR COMMUNITIES FROM CYBER THREATS AMID COVID-19

                              ----------                              


                      WEDNESDAY, DECEMBER 2, 2020

                                 U.S. Senate,      
                        Subcommittee on Federal Spending,  
                    Oversight and Emergency Management,    
                    of the Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:31 p.m. in room 
342, Dirksen Senate Office Building, Hon. Rand Paul, Chairman 
of the Subcommittee, presiding.
    Present: Senators Paul, Scott, Hawley, Hassan, Sinema, and 
Rosen.

              OPENING STATEMENT OF SENATOR PAUL\1\

    Senator Paul. I now call this hearing of the Senate 
Homeland Security and Governmental Affairs Subcommittee on 
Federal Spending Oversight and Emergency Management to order. 
The title of our discussion today is ``State and Local 
Cybersecurity: Defending Our Communities from Cyber Threats 
Amid COVID-19.''
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Paul appears in the Appendix 
on page 31.
---------------------------------------------------------------------------
    In preparing for this hearing, it has become clear to me 
that good cybersecurity practices require a near constant 
struggle to stay ahead of events, and the real danger lies in 
getting complacent. Effective cybersecurity is an ongoing, 
everyday line of effort. The threat landscape is diverse, the 
best practices are constantly changing, the information you get 
may not always be reliable, the maintenance tasks can seem 
overwhelming, and most importantly, the stakes are high. In 
this context I have often found myself thinking, effective 
cybersecurity cannot move at, quote, ``the speed of 
government.''
    By that I mean cybersecurity is a 21st century public 
policy problem that just is not solvable, or really even 
manageable, by 20th century government means. Regulation, 
mandates, and centralized action, in general, these approaches 
are inadequate to match the pace of change that we have 
witnessed in the cybersecurity realm in recent years.
    Congress needs to make sure that the government's role in 
detecting and responding to cyberattacks is clearly defined, 
and that they are focused, first and foremost, on the security 
of Federal information networks.
    Today we will hear from the Department of Homeland Security 
(DHS) about their cybersecurity work--how it is evolving and 
their approach to this complex range of threats. With respect 
to individual actors in industries that are at the greatest 
risk of cyberattack--health care, education, financial 
services, retail, critical infrastructure--the proliferation of 
ransomware attacks over the past several months and years has 
made clear that these entities have to take on this 
responsibility themselves, on a day-to-day, minute-by-minute 
basis.
    Irrespective of what the government is or is not doing, all 
cybersecurity is essentially local, and so today we will hear 
from experts in State government, the health care sector, and 
public education on their experience with cyber threats and 
incidents, and see the state of cybersecurity in these 
industries.
    Fortunately for both government and the private sector, the 
marketplace for cybersecurity services is continuing to grow 
and mature. We will hear today from one such firm, Coveware, 
that consults with private and public entities on cybersecurity 
and works with them to respond to cyber incidents.
    I would like to thank Ranking Member Hassan for suggesting 
this hearing, and I look forward to hearing from our panelists. 
Senator Hassan.

             OPENING STATEMENT OF SENATOR HASSAN\1\

    Senator Hassan. Thank you very much, Mr. Chairman, for 
working with me to arrange this hearing and for your opening 
comments. I deeply appreciate the opportunity to continue 
working on an issue that I believe is critical to our national 
security, as well as to the economic security of our Nation.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Hassan appears in the 
Appendix on page 33.
---------------------------------------------------------------------------
    State and local governments have been prime targets for 
cyberattacks for a number of years, but the stakes have only 
grown as coronavirus disease 2019 (COVID-19) has forced 
millions of Americans to migrate their everyday activities to 
the online world. Many students now learn from their teachers 
on a computer instead of in the classroom. Doctors treat many 
patients through telemedicine instead of in person. Governments 
handle many essential services online instead of at City Hall.
    The massive increase in online activities over these past 9 
months means that the targets for cyber criminals have 
increased commensurately. Unfortunately, cyber criminals have 
taken advantage.
    One firm that tracks cyberattacks on schools and school 
districts reports that 44 attacks have occurred so far this 
school year and many more likely went unreported. We will hear 
from the superintendent of one of these schools today.
    In the spring, Interpol warned that ransomware attacks 
against hospitals have grown significantly as hackers sensed an 
opportunity to extort more money in ransoms with hospitals 
overwhelmed with COVID patients. About a month ago, a 
cyberattack hit the University of Vermont Medical Center, 
forcing it to divert patients to other facilities, thereby 
jeopardizing the care of many patients, especially those in 
nearby rural areas who do not have the resources to travel to 
the next closest hospital for treatment.
    The Federal Government has a responsibility to help protect 
our communities from these threats. While the Cybersecurity and 
Infrastructure Security Agency (CISA) has done a commendable 
job helping our State and local governments, the number and the 
severity of attacks on our communities continues to increase.
    This hearing will help us identify ways for Congress and 
the Federal Government to better assist State and local 
governments in fending off these cyberattacks on our 
communities. We have a group of great witnesses who can help us 
work through these challenges, including CISA Acting Director 
Brandon Wales, who we are happy to have here today.
    With that said, we are missing our original Federal 
witness, CISA Director Chris Krebs, because he was fired 
abruptly by the President 2 weeks ago. Director Krebs led CISA 
in a nonpartisan manner, and he approached his agency's most 
important task, securing the U.S. election infrastructure, with 
professionalism and tenacity. He was fired for doing his job, 
and we are less safe because of it.
    It is imperative that we have strong, independent 
leadership at CISA going forward. As the Biden administration 
seeks to fill this position in 2021, I would encourage them to 
look to Director Krebs' example when considering his successor.
    To all of our witnesses, I appreciate your willingness to 
testify, and I want to thank you all for the role you play in 
keeping us safe. I look forward to learning from your 
experiences as well as your expertise.
    Thank you, Mr. Chairman, and I will proceed with 
introductions if you would like me to.
    We will start, in this first panel, with our Federal 
witness. I am pleased today to introduce Brandon Wales, Acting 
Director for the Cybersecurity and Infrastructure Security 
Agency, at the United States Department of Homeland Security. 
Acting Director Wales was the first person to serve as the 
Executive Director of the agency before being very recently 
elevated to Acting Director. In this role, Acting Director 
Wales oversees CISA's efforts to defend civilian networks, 
manage systemic risk to national critical functions, and work 
with stakeholders to raise the security baseline of the 
nation's cyber and physical infrastructure.
    Acting Director Wales, thank you for coming before the 
Subcommittee today, and I look forward to hearing your 
testimony.

 TESTIMONY OF BRANDON WALES,\1\ ACTING DIRECTOR, CYBERSECURITY 
AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Wales. Chairman Paul, Ranking Member Hassan, and 
Members of the Subcommittee, thank you for the opportunity to 
testify regarding the Cybersecurity and Infrastructure Security 
Agency's support to State, local, Tribal, and territorial 
stakeholders in mitigating a broad range of cyber threats 
facing our Nation.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wales appears in the Appendix on 
page 35.
---------------------------------------------------------------------------
    Whether focused on election security, responding to the 
digital transformation brought about by COVID-19, or addressing 
the plague of ransomware, I believe that enhancing and 
sustaining State and local cybersecurity capacity will be the 
defining cybersecurity challenge of the next decade.
    This is my first appearance before the Committee in my new 
capacity as Acting Director, and I am honored to lead the men 
and women of our agency as we defend today and secure tomorrow.
    I want to begin by thanking the CISA workforce and the 
entire election security community for their tireless work over 
the last 4 years, culminating in the November 3rd election. Our 
goal was simple: to make the 2020 election the most secure in 
modern history. We succeeded in building a robust election 
security community made up of State and local election 
officials, key Federal agencies, and private sector election 
vendors, in surging the technical capacity of CISA to improve 
cyber defenses nationwide and in harnessing the capabilities of 
CISA, the Federal Bureau of Investigation (FBI), the National 
Security Agency (NSA), U.S. intelligence community (IC), and 
the Department of Defense (DOD) to identify threats, respond to 
potential incidents, and take decisive action, when necessary.
    As a result, layers of security and resilience measures 
were put in place by election officials and the community reacted 
quickly to disrupt efforts by foreign nations to interfere in 
the election. For example, we were able to rapidly share 
information on Russian intrusions into State and local 
networks, and attempts by Iranian government actors to send 
spoofed voter intimidation emails were publicly outed within 27 
hours.
    Our election security mission continues, and CISA will 
remain in an enhanced coordination posture until after election 
results have been certified in every State. We also stand ready 
to support States holding runoff elections in the coming 
months, such as Georgia and Louisiana.
    This year has not only been focused on elections. Beginning 
in February, we have been working to support the nation's 
response to COVID-19, including helping to secure the 
development and distribution of potential vaccines under 
Operation Warp Speed (OWS). Since the pandemic's earliest days, 
we have seen malicious cyber actors targeting vaccine research 
and development, exploiting the dramatic expansion of remote 
work, and using COVID to advance criminal schemes.
    In response, CISA ramped up information-sharing efforts on 
emerging threats, established a telework resource hub, and 
surged cybersecurity services to high-risk entities in the 
health care sector through our Project TAKEN. Now, under the 
Department of Health and Human Services (HHS) and DOD-led 
Operation Warp Speed, we are prioritizing services to companies 
deeper in the pharmaceutical supply chain to protect U.S. 
vaccine development and distribution.
    Recently, hospitals across the country were hit with 
ransomware launched by a cybercriminal organization looking to 
profit from disruptions of critical health delivery during the 
pandemic. This was appalling, but not surprising, given the 
growth of ransomware incidents over the past 6 months. 
Ransomware is quickly becoming a national emergency. We are 
doing what we can to raise awareness, share best practices, and 
assist victims, but improving defenses will only go so far. We 
must disrupt the ransomware business model and we must take the 
fight to the criminals.
    While election security, a pandemic response, and 
ransomware may all look completely different, the one thing 
they have in common is a reliance on the networks at the State 
and local level. These are the networks that keep our 
communities running despite global challenges. These are the 
networks that help us respond to emergencies. These are the 
networks that run local hospitals and schools, and they are in 
need of urgent assistance.
    CISA is taking action to help by strengthening operational 
partnerships, hiring additional cybersecurity coordinators to 
boost engagement in State capitals across the country, in 
supporting cyber proposals in the Federal Emergency Management 
Agency (FEMA) preparedness grantmaking process, and continuing 
to push CISA resources out from headquarters to where our 
partners are, in States and communities.
    In conclusion, I want to thank the Committee for its 
leadership on legislation that has advanced the authorities of 
our agency and for your support for legislation still moving 
through Congress that will push CISA even further. This 
Committee has been an essential partner in our mission, and I 
look forward to continuing to work with you to defend today and 
secure tomorrow.
    Thank you again for the opportunity to appear before you, 
and I look forward to your questions.
    Senator Paul. Thank you. Senator Hassan had to go vote so 
she will be back in a few minutes.
    You mentioned, I believe, Russia and Iran, and it went by 
pretty quickly and I did not catch everything you had to say. 
You said these were attempts to actually change votes or to 
interfere in the election somehow? What did you exactly say?
    Mr. Wales. Sure. The activity was a little different in 
both cases. In the case of Russia, Russia had launched a fairly 
broad campaign to target State, local, private sector, and 
Federal networks, using exposed vulnerabilities.
    Senator Paul. Using what?
    Mr. Wales. Exposed vulnerabilities, fairly well-known 
vulnerabilities. They were looking for those vulnerabilities 
and trying to get inside of networks. We did discover that----
    Senator Paul. You are talking about election networks that 
count votes? What are you talking about?
    Mr. Wales. I am talking about general networks. These could 
be private sector networks in things completely unrelated to 
elections. It did include, in one case, where they compromised 
a local county network and downloaded some information that had 
to do with the election. But this was not an attempt----
    Senator Paul. But this was not tabulation of the election.
    Mr. Wales. No, absolutely no.
    Senator Paul. And what did you say about Iran?
    Mr. Wales. Iran sent spoofed voter intimidation emails.
    Senator Paul. OK. Trying to disincentivize people to vote, or 
something, to trick people into not voting.
    Mr. Wales. Correct. They are trying to create a narrative 
that the election was----
    Senator Paul. But to your knowledge, there were no votes 
changed by a foreign actor. In fact, was that true? No votes 
were changed by a foreign actor, that you know of?
    Mr. Wales. We have no evidence that votes were changed by 
an actor.
    Senator Paul. And no attempts were directly stopped. Is 
there sort of an existing voting network? You cannot really 
hack into a voting network, can you, that is just sort of 
there?
    Mr. Wales. We have numerous advantages, in part because we 
have a highly decentralized system. There is not an election 
network. There are hundreds and thousands of election networks 
across the country. In addition, the actual vote tabulation 
systems, those are not networked on the Internet. The places 
where we see the most activity tend to be those highly 
centralized, internet-enabled systems, for example, voter 
registration or election night reporting. But even in those 
cases we did not see any adversary capable of compromising 
those systems to----
    Senator Paul. But it sounds like, as a general rule of 
thumb, if we are looking for advice on how to protect 
ourselves, the whole push of modern technology is to make us 
more connected, and maybe part of the advice is that we do not 
need to be too connected, having separate systems or 
separating. Is some of that advice taken within the Federal 
Government? You said we are protected in the electoral system 
because we have States and then we have counties and they are 
not completely integrated. We probably do not want to 
completely integrate or Federalize things with elections.
    Is it true, within the Federal Government, that there is 
compartmentalization on purpose, to try to protect against 
hacking?
    Mr. Wales. Yes. One of the major recommendations to any 
entity is to be thoughtful about how you network your systems, 
where you should segment your systems, where you should 
completely air-gap your systems. There is a reason why the 
classified networks that are operated by the intelligence 
community and Department of Defense are not accessible readily 
through the Internet. You want to keep those things separate.
    Same thing for industrial control systems that operate the 
most sensitive, critical infrastructure in the country. You 
want to build additional barriers to prevent people from easily 
moving from small compromises onto parts of networks that could 
have much more significant consequences.
    Senator Paul. How much of the problem with attacking a 
network is coming through an email versus another way of 
attacking a network?
    Mr. Wales. Frankly, it varies. Coming through an email, 
that normally includes things like spear phishing, where you 
get an email that says ``click on this,'' and you click on a 
link and all of a sudden that malicious payload comes and 
compromises your computer.
    I would say right now we are seeing, while that has been 
traditionally one of the more significant ways we have seen 
networks compromised, over the last year we have seen dramatic 
growth in people compromising networks by exploiting 
vulnerabilities in virtual private network software. In part, 
this is as a result of the dramatic expansion of people 
teleworking, remote working, and a dramatic increase in the 
number of----
    Senator Paul. What does that mean? You are not attacking it 
through an email. You are attacking it through the cloud 
somehow, through software that communicates with the cloud?
    Mr. Wales. Not necessarily the cloud but, for example, if 
you are connecting through a virtual private network, which is 
the way that maybe you call in to your company's network--I am 
at home, I am on my laptop, calling in to my company's 
network--I am connecting through a virtual private network 
(VPN) software. There are vulnerabilities in some of the more 
common VPN software, most of which have been patched, but if a 
company has not patched that vulnerability an actor may be able 
to exploit that vulnerability, compromise the connection----
    Senator Paul. But they are not logging into your computer. 
They are logging into your network and then bouncing back into 
your computer once again, if your network----
    Mr. Wales. Or, more importantly, they want to get into that 
network, so they are exploiting that vulnerability to gain 
access to that network, and then once they are inside, using a 
variety of other vulnerabilities, they are trying to elevate 
their privileges. They have administrative capabilities, so 
they can create new accounts, and they can do whatever they 
want.
    Senator Paul. What is a guess on the percentage? How much 
of this is an email problem? Is half of it email, 75 percent, 
25 percent? Just a guess.
    Mr. Wales. It is a little bit hard to say right now. I 
would say probably at least half is still kind of spear 
phishing-related intrusions.
    Senator Paul. Right. Because it seems like that there would 
be a technological solution to some of that in really trying to 
protect email networks from the network, almost as if maybe you 
have a separate complete network that never communicates. They 
communicate with each other, so you can talk to each other, but 
never communicates with--I mean, almost somehow a complete 
separation of your email network from the rest of your network.
    Mr. Wales. It is hard today, given the amount of 
interconnection between the various tools that you use in terms 
of any business. But most of the ways in which networks are 
compromised today are exploiting vulnerabilities where patches 
are available and where the solutions to mitigate these 
problems are readily available and they are just not being 
implemented by the information technology (IT) security 
professionals at companies.
    Senator Paul. How rapidly does it change? How rapidly does 
someone have to figure out that there is a brand new phishing 
or, technology?
    Mr. Wales. You need to stay on top of it. Every day new 
patches are released for software. Now it may not be every 
single day for every piece of software, but on any given day 
there are new patches that come out for software. IT security 
professionals need to stay on top of that, understand what the 
nature of those vulnerabilities are, and prioritize their 
efforts to close those vulnerabilities. Obviously, the bigger 
the network you have the more complicated this is.
    Senator Paul. When you come up with a patch, are you able 
to keep that somewhat secret from the criminals, or can they 
immediately see the patch and respond to the patch?
    Mr. Wales. They can generally see it. These patches are 
made publicly available, so that as many individuals as possible 
can protect their networks. It is a cat-and-mouse game. Every 
change we make on the defensive side, an offensive cyber actor 
is going to look to see what they need to do to get around 
that.
    Senator Paul. Are we able to, when we have a state actor 
that is going after classified information, and we have 
creative ways that State actors are using, are we able to share 
them with the private sector, or are we too worried that 
getting that knowledge out reveals that we know how to combat 
certain things? Are we sharing, on a consistent basis, 
knowledge that you gain with the private sector?
    Mr. Wales. Absolutely. The partnership that we have with 
the intelligence community, in particular the National Security 
Agency, is better than any time in my entire 15-year history 
with the department. We are getting a significant amount of 
information from them, of things that they are seeing overseas, 
activity that they are seeing from foreign nations, getting 
that information to be declassified so that we can get it out 
to people, whether that is a specific incident at an individual 
location or, more importantly, information that could benefit 
the entire community.
    A lot of the alerts that we are pushing out, alerting the 
community to different tactics that our adversary is using, are 
based upon intelligence sources that we are receiving from the 
intelligence community. That process is happening quickly.
    Senator Paul. Does it work both ways? Getting information 
back from private industry as well?
    Mr. Wales. There is a vibrant cybersecurity community right 
now that has grown up over the past decade and a half, and 
there is a lot of information out there for everyone. We, 
ourselves, rely upon information provided by private sector 
cybersecurity firms to help improve our defenses at the dot-
gov. There is a benefit to this community sharing as much 
information as possible, because that is the way we are going 
to have a more secure and a more defended cyber ecosystem.
    Senator Paul. As someone like myself who is very concerned 
with privacy, I have been concerned about having--I am all for 
telehealth and for allowing the Internet to allow us to see 
doctors remotely. As a physician, I think it is a good thing. 
But I am concerned about having a unique patient identifier 
where all of our data goes into one place and it is stored in 
one place. It goes back to this idea of compartmentalization.
    When the Office of Personnel Management (OPM) was hacked, 
22 million people's records were released, and I know that was 
a big mistake and hopefully we have learned from that. But 
there is a danger, and I think one way, from a patient point of 
view and from a point of view that there are sensitive things, 
whether you have an infectious disease that is acquired 
sexually, whether you have a psychiatric disorder that you do 
not want the whole world to know about--there are a lot of 
things that could be very private.
    Starting with my father 20 years ago and continuing today, 
we have been trying to get away from a unique patient 
identifier that the Federal Government has and I think it would 
be nice if people could equate that not only with privacy but 
also with the idea of hacking, that the more centralized your 
health care records are, it may be easier but it also might be 
easier for bad actors to get into your health community and 
extort people or damage them publicly with releasing private 
information. Any thoughts on health care security with regard 
to unique patient identifier?
    Mr. Wales. I think that the challenges that you are 
describing there are the same challenges that we deal with in 
every cybersecurity challenge, and that is how do you balance 
the need to create more efficient, more effective systems with 
the risk that that poses because of the nature of connected 
systems being potentially vulnerable.
    We encourage people to be thoughtful and take a really 
risk-based approach--how much information needs to be 
centralized, how much information needs to be networked--and be 
thoughtful. Then once you make that decision, then go to the 
next step and say, how do I defend the information that needs 
to be networked to the maximum extent possible? If I am going 
to have sensitive information that is Internet accessible, I 
need to make sure that my cybersecurity practices are going to 
be sufficient to defend that. I need to make sure that my patch 
management is good. I need to make sure that my configuration 
management is good.
    Senator Paul. Right, and I would just conclude by saying 
that the moral I get from your discussion on elections is there 
is some advantage to disconnectedness, to compartmentalization, 
to having counties, States, and the Federal Government be 
somewhat separate, where you can actually go to a county and 
verify an election. It does not go into some sort of mass 
network or computer. We are very lucky, I think, that we have 
sort of the Federal-State operation with regard to elections.
    But I think people need to think that through before the 
efficiency experts say, oh, it would be so easy to have your 
medical records everywhere. They will be at every doctor, all 
of the time, anywhere in the United States, and they will be 
centralized. It is going to be easy until a hacker gets in 
there and all your private information is all over the 
Internet. I say be careful what you wish for, as some of those 
who really the centralization of things, because there is a 
danger of losing your privacy. Senator Hassan.
    Senator Hassan. Thank you very much, Mr. Chair, and I thank 
you for what you just covered in your questions. I want to 
start with a question really focusing on how we help State and 
local governments protect against cyber threats.
    Acting Director Wales, your agency is responsible for 
securing Federal information technology infrastructure from a 
wide range of cyber threats. It is widely accepted that your 
work to secure the Federal space is critical. However, some 
might argue that it is not the Federal Government's job or 
responsibility to also try to secure State and local 
governments from cyber threats.
    Let me ask you, does the Federal Government have an 
obligation or responsibility to also protect State and local 
governments from cyber threats?
    Mr. Wales. Cybersecurity is a shared responsibility in 
multiple domains, and CISA takes seriously the responsibility 
we have to utilize the information, the knowledge, the 
expertise on cybersecurity to help all aspects of our critical 
infrastructure, whether those are State and local governments, 
if those are private companies operating our power grids, if 
those are hospitals or if those are chemical plants. We have a 
responsibility to help them.
    Now, every system owner bears some responsibility for 
managing the security on their networks, and so I think it is 
trying to figure out where their responsibilities and our 
responsibilities intersect. We understand that we have a lot of 
information, we have a lot of expertise that we can provide. We 
can make sure that they are armed with all of the information 
that we have been able to glean from both the intelligence 
community, from our own visibility into the cyber activity of 
our adversaries, and the tactics that they are using, and it is 
our job to provide that as broadly as possible, to make sure 
that they are prepared.
    Each of those individual asset owners needs to go through 
that process that Senator Paul and I just discussed, that risk-
based process, to say how much security do I need in what parts 
of my network and how can I put that in place to be as robust 
as is required by the risks that I am facing?
    Senator Hassan. Thank you, and just to follow up, if a 
State or a community is vulnerable to cyber threats, how does 
that broadly impact the security of Americans who do not live 
directly in that State or community?
    Mr. Wales. The State governments across the country, and 
local governments, operate some of our most critical 
infrastructure, whether it is operating water treatment 
facilities, in some States and communities, municipal power 
authorities in others. They also, obviously, at the State 
level, distribute significant amounts of funds through which 
Federal programs funnel money.
    States are a critical part of our fabric for both our 
economic and our homeland security. It is an important interest 
of the Federal Government that States have as much of our 
cybersecurity knowledge and expertise as possible to help 
safeguard those critical systems.
    Senator Hassan. Thank you. Various proposals have been 
introduced in Congress that establish a standalone Federal 
cybersecurity grant program for State and local governments 
that would pay for cybersecurity upgrades at the State and 
local level. Without specifically evaluating each bill, can you 
please describe for me the elements and considerations that 
Congress should be thinking about if we authorize a grant 
program of this nature? Are there any elements of a grant 
program that CISA views as being must-have items?
    Mr. Wales. I think we would be happy to work with Congress 
on what a grant program would be, how a grant program could be 
structured to serve the maximum value. I would say until that 
time we have been working closely with FEMA over the past year 
as FEMA has required, as part of its last round of homeland 
security grants, that a portion of it go to a certain set of 
high-priority items, including State cybersecurity. We spent 
the last year working with States, working with FEMA, to review 
the proposals that were submitted, and I think this will 
provide us a good baseline to understand how States are 
thinking about investing in cybersecurity utilizing Federal 
grants, how we can provide additional information to them to 
better shape and focus those grants on the highest-risk aspects 
of their networks.
    But grantmaking is obviously a complicated topic, one that 
CISA does not have direct responsibility for managing, so I 
would probably refer you to people at FEMA who know more about 
kind of the grantmaking sausage. But at the more macro level, I 
think that we have a lot to add to help shape grants so that 
they actually target those things that we need to protect the 
most, and that it reflects the true partnership that exists 
between the Federal Government and our State and local 
governments on cybersecurity.
    Senator Hassan. Thank you. Cyber insurance is an important 
tool that helps companies and entities prepare for, prevent, 
and respond to cyberattacks. However, an August 2019 report by 
ProPublica revealed that if an entity has cybersecurity 
insurance, policyholders will use their cyber insurance policy 
to pay the ransom during a ransomware event, which, in turn, 
serves as a further incentive for hackers to launch ransomware 
attacks. The report also shows that hackers target cyber 
insurance policyholders because the likelihood of the victim 
paying the ransom is much higher.
    During the COVID-19 pandemic, our country's increased 
dependency on online services may increase the incentive to pay 
ransoms so that critical services can be restored more quickly. 
Does CISA or your partner agencies generally know when an 
insurance company pays out a ransom?
    Mr. Wales. As a general rule we have recommended against 
paying ransom, in part because it furthers the business model, 
as I indicated in my opening remarks. Ransomware is not going 
to go away as long as the business model is viable, as long as 
ransomware operators can do it.
    Senator Hassan. Right.
    Mr. Wales. CISA generally focuses our efforts on ransomware 
before an event happens, helping companies prepare themselves, 
helping State and locals prepare themselves. We are generally 
not involved in decisions related to whether ransom is paid. 
That tends to be an individual decision at that company and 
they do not consult CISA as part of this.
    Senator Hassan. Generally speaking, you may not know if an 
insurance payment has been made.
    Mr. Wales. That is correct.
    Senator Hassan. OK. Additionally, are cyber insurance 
companies working with you to tackle any of these negative 
incentives that seemingly drive more attacks?
    Mr. Wales. I am not aware of engagement with cyber 
insurance companies on that issue right now.
    Senator Hassan. Do you think there is a role for Congress 
to play to help address this?
    Mr. Wales. I think that this is an incredibly challenging 
problem. No one has cracked the code on what the answer is yet, 
and it is going to take more work between Congress and the 
executive branch to figure out what are the right tools we have 
to change the business model and to disrupt the business model 
on ransomware and make more progress in this space.
    Senator Hassan. Thank you, and, Mr. Chair, I see I am out 
of time. If we have a second round on this witness I will have 
one more question.
    Senator Paul. Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Chairman Paul, Ranking Member 
Hassan, for holding a hearing on protecting our communities 
from cyberattacks. During the COVID-19 pandemic the number of 
cyberattacks has significantly increased, and cyberattacks, of 
course, they are expensive, they are debilitating, especially 
for small organizations like schools, hospitals, and local 
governments. I am glad we are coming together in this 
bipartisan way to talk about how we can protect vulnerable 
communities, of course, in this challenging time.
    But I want to focus on school cybersecurity because 
elementary schools, secondary schools, they face many 
challenges as they transition to online learning during the 
pandemic, including the constrained budgets, bridging the 
digital divide, ensuring the health and safety of students and 
faculty, and, of course, continuing to educate and support our 
students.
    As schools struggle to meet these challenges they remain 
particularly vulnerable to hostile cyber actors. Earlier this 
spring, the FBI warned that K-12 institutions represent an 
opportunistic target to hackers. As many school districts, they 
just lack the budget and the expertise to dedicate to network 
integrity.
    Last August, the Clark County School district, which is 
Nevada's largest school district and our country's fifth-
largest school district, was the victim of a ransomware attack. 
The hacker published documents online containing sensitive 
information, including social security numbers, student names, 
addresses, and grades. This is absolutely unacceptable and the 
Federal Government must find and help the schools obtain the 
tools and the resources to protect and combat these kinds of 
cyber threats, something I have raised with both CISA and the 
Department of Education.
    Mr. Wales, can you speak to what steps CISA is taking to 
prevent cyberattacks, including these ransomware attacks like I 
had in Clark County School District, against K-12 schools, and 
how are you ensuring that we are not having more of these in 
the future?
    Mr. Wales. Thank you, Senator, and I know that some members 
of the CISA team, along with the Department of Education, are 
planning on briefing you in your office later this week on this 
topic.
    In the meantime, the first thing I would say is we have 
expanded our focus on K-12 education since the beginning of the 
pandemic, putting out additional information on how schools can 
improve their cybersecurity with their distance learning.
    In addition, we are encouraging schools to participate 
through the information-sharing mechanisms that have been 
created, for example, the Multi-State Information Sharing and 
Analysis Center (MS-ISAC), which is a free resource available, 
that we have invested in, from the Department, for State and 
local governments.
    Today, 2,000 school districts, schools, and IT service 
organizations are part of that Multi-State ISAC, and there are 
additional resources and tools that States and school districts 
can take part in that can help them ensure their protection 
against ransomware and other attacks. For example, the MS-ISAC 
offers malicious domain blocking, so that known malicious 
domains that are used by ransomware operators would be blocked 
from activity on those networks.
    But only about 120 schools are actively using that service 
that is offered for free today. What I want to see is much like 
we have done in the past 4 years in the election security 
context, how do we build a national community with the school 
districts to get them focused on the security aspects related 
to their networks that is not going to go away, even after the 
pandemic is over? We need to arm them with the same 
information, the same resources, and that is going to start 
with them taking advantage of the no-cost services that are 
currently offered across the country to State and local 
governments and the entities that exist within them.
    This is obviously a big problem. There are over 13,000 
school districts across this country. It is going to take time, 
attention, and focus. I am confident that if the Executive and 
Congress work together we can find creative ways of leveraging 
the capabilities that we have and getting more school districts 
signed up for these services.
    Senator Rosen. I appreciate that because I was going to ask 
you, I know you said 2,000 school districts are using it. In 
some cases now only hundreds of schools or school districts out 
of the 13,000. But you talk about malicious ware, ransomware. 
We have small school districts, rural school districts, that 
may not have the capacity or any expertise to even take 
advantage of your free services. Are there grant programs? What 
kind of support can we give, or that you can give, to be sure 
that the folks that are really sitting in those administrative 
offices can take advantage of what you are offering? Then we 
need to get it out there to 13,000 school districts, for sure, 
but not all of them have somebody who knows enough to really 
take advantage of it.
    What are you doing there? What kind of programs are you 
offering for training for people who work in schools?
    Mr. Wales. I think we have long recognized that the small 
and medium-sized businesses and government entities have unique 
challenges. What we had put in place earlier this year was 
something called CISA Cyber Essentials. These are the basic, 
bare minimum things that you need to put in place to get some 
baseline level of cybersecurity. It is geared for the small and 
medium-sized businesses and it is also geared for large 
companies to send out to their smaller suppliers to get them to 
a baseline level of security.
    Over the past several months, we have been issuing monthly 
modules, toolkits, that could be used, step-by-step guides to 
take, for how to put in place the baseline level of 
cybersecurity. What are those things you need to do to make 
sure that you have challenging passwords, or two-factor 
authentication, how to set that up on your network, making it a 
little bit clearer and easier for you to walk through.
    But if States, if cities, if communities push that kind of 
information out, even to their smaller school districts, this 
is the kind of information that is powerful in the hands of 
those small companies, because the reality is ransomware 
operators are looking to make money quickly, and so they are 
going to look for whoever is the most vulnerable. If you have 
done some of the basics, if you have put in place the bare 
minimum level of cybersecurity, there is a good chance that 
that ransomware operator is going to go on to the next victim 
and they are not going to target you.
    By investing a small amount of energy in putting in place 
cybersecurity, at even a bare level, you can have a significant 
impact and dividend for your overall level of security.
    Senator Rosen. I appreciate that, and my next question--I 
know I am out of time--would be we need the same kinds of 
things for our small businesses around the country as well. I 
look forward to speaking with you offline about how maybe we 
can get your message out for this training and the programs and 
all of the cyber hygiene to as many folks as possible, because 
we cannot afford not to communicate your hard work and what you 
have been doing to give people the ability to take advantage of 
these programs. Thank you.
    Mr. Wales. Absolutely. I think any help we can get in 
amplifying the work that is already out there. The tools and 
resources that Congress has already invested in through CISA 
are available for all of the country to utilize, and we want 
more people to take up and use them. Anything you can do to get 
that message out there and amplify the work that we are doing, 
our agency is going to be grateful for.
    Senator Rosen. Wonderful. Thank you.
    Senator Paul. Thank you, Mr. Wales, and I hope you will be 
willing to respond to any questions we have in writing, if we 
have further questions from Members. I want to also thank you 
for reminding us that decentralization is a part of our defense 
against hacking of our elections, and as a great fan of the 
Federalist system that we had set up from the very beginning, 
even in our modern age, decentralization and 
compartmentalization are a big part of our defense and can make 
our elections more reliable.
    Thank you very much for your testimony.
    Mr. Wales. Thank you.
    Senator Hassan. I join the Chairman in thanking you for 
your testimony and for your service, and please, to all the 
women and men you work with, please take back our thanks as 
well.
    Mr. Wales. I appreciate that and so do they. Thank you, 
ma'am.
    [Pause.]
    Senator Paul. We are ready for our other panelists, whoever 
is in charge of that.
    [Pause.]
    We are doing the whole panel together, this panel, on one 
panel, if we can. Everybody can come in.
    [Pause.]
    OK. I misunderstood. These are virtual, so you can go ahead 
and do the introductions, Senator Hassan, please.
    Senator Hassan. Thank you very much, Mr. Chair. To all of 
our witnesses for this second panel, thank you for being here 
today, and I will introduce each witness directly before your 
testimony. I will start with our first witness, Denis Goulet.
    I am pleased today to introduce Mr. Denis Goulet, who 
serves as Commissioner of the Department of Information 
Technology from my home State of New Hampshire. Commissioner 
Goulet has served admirably since he was appointed in February 
2015. Commissioner Goulet also serves as President of the 
National Association of State Chief Information Officers 
(NASCIO).
    Thanks for joining us, Commissioner Denis Goulet, and thank 
you for your exemplary leadership to strengthen cybersecurity 
efforts in New Hampshire and across the country. I look forward 
to your testimony.

   TESTIMONY OF DENIS GOULET,\1\ COMMISSIONER, NEW HAMPSHIRE 
              DEPARTMENT OF INFORMATION TECHNOLOGY

    Mr. Goulet. Good afternoon and thank you, Chairman Paul, 
Ranking Member Hassan, and distinguished Members of the 
Subcommittee for inviting me to speak today on the 
cybersecurity challenges facing State government that have been 
amplified during the COVID-19 pandemic. As Commissioner for the 
Department of Information Technology in New Hampshire and 
President of the National Association of State Chief 
Information Officers, I am grateful for the opportunity to 
highlight the vital role that State information technology 
agencies have played in providing critical citizen services and 
ensuring the continuity of government throughout this public 
health crisis.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Goulet appears in the Appendix on 
page 45.
---------------------------------------------------------------------------
    Cybersecurity has remained the top priority for State CIOs 
for nearly a decade. There is growing recognition at all levels 
of government that cybersecurity is no longer an IT issue. It 
is a business risk that impacts the daily functioning of our 
society and economy, as well as a potential threat to our nation's 
security.
    State and local governments continue to be attractive 
targets for cyberattacks, as evidenced by the many high-profile 
and debilitating ransomware incidents. Inadequate resources for 
cybersecurity have been the most significant challenge facing 
State and local governments. The question of why the Federal 
Government should be contributing to cybersecurity of the 
States is straightforward. States are the primary agents for 
the delivery of a vast array of Federal programs and services.
    According to our recent national survey, State 
cybersecurity budgets are typically less than 3 percent of 
their overall IT budgets. Half of the States lack a dedicated 
cybersecurity budget. As State CIOs are tasked with additional 
responsibilities, including providing cybersecurity assistance 
to local governments, they are asked to do so with shortages in 
both funding and cyber talent.
    Almost all the CIOs have the authority and are directly 
responsible for cybersecurity in their States, and have taken 
multiple initiatives to enhance the status of their 
cybersecurity programs. These initiatives include creation of 
cybersecurity strategic plan, adoption of the National 
Institute of Standards and Technology (NIST) cybersecurity 
framework, development of a cyber disruption response plan, 
obtaining cyber insurance, and the implementation of security 
awareness training programs for employees and contractors. 
These initiatives are crucial as Congress considers the 
implementation of a cybersecurity grant program for State and 
local governments.
    For the past decade, NASCIO has advocated for a whole-of-
state approach to cybersecurity. We define this approach as 
collaboration among State and Federal agencies, local 
governments, the National Guard, education, K-12 and higher, 
critical infrastructure providers, and private sector entities. 
By approaching cybersecurity as a team sport, information is 
widely shared, and each stakeholder has a clearly defined role 
to play when an incident occurs.
    My written testimony covers legislation that NASCIO has 
endorsed during the 116th Congress. I would like to reiterate 
my appreciation to this Subcommittee for its attention to 
cybersecurity issues impacting State and local governments. If 
passed, these bills would greatly improve our cybersecurity 
posture and create new, dedicated funding streams.
    The pandemic has exacerbated the cybersecurity challenges 
for State IT. Since March, my colleagues and I have rapidly 
implemented technologies to allow State employees to telework 
safely and effectively in this new environment. We have helped 
our State agencies quickly deliver critical digital government 
services to citizens, including unemployment insurance. In New 
Hampshire, I have worked closely with our public health 
agencies to ensure they have the necessary tools to improve 
capabilities in the area of testing, contact tracing, case 
management, data analytics, and personal protective equipment 
(PPE) inventory. My colleagues and I have been honored to play 
a role in fighting COVID-19. We have taken on additional 
responsibilities and incurred new expenses while continuing to 
face unrelenting cyber threat environments.
    I am truly concerned about how crucial IT and cybersecurity 
initiatives will remain funded in the coming months and years. 
States have seen significant declines in revenue and will be 
forced to make difficult budgetary decisions.
    As President of NASCIO, I know I speak for all of my 
colleagues around the country when I say that a dedicated, 
federally funded cybersecurity grant program for State and 
local governments is overdue. Additionally, State governments 
should follow the lead of the Federal Government and begin 
providing consistent and dedicated funding for cybersecurity 
which will also require them to match a portion of Federal 
grant funds.
    I look forward to continuing to work with the Members of 
this Subcommittee in creation of the grant program to improve 
our cybersecurity posture.
    This concludes my formal testimony, and I am happy to 
answer your questions.
    Senator Hassan. Thank you, and I think we will move on to 
the next three witnesses, and then we will return for 
questions. Is Dr. Torres-Rodriguez available now? OK, she is 
back online.
    Our next witness is Dr. Leslie Torres-Rodriguez, who joins 
us today from Connecticut. Dr. Torres-Rodriguez is the 
Superintendent of Hartford Public Schools, one of the largest 
urban school districts in the State. Dr. Torres-Rodriguez was 
raised in Hartford and attended Hartford Public Schools. She 
has served as an education leader in the greater Hartford area 
for more than two decades.
    In September, the Hartford School District was the victim 
of a cyberattack. Dr. Torres-Rodriguez, thank you for coming 
before the Committee today, and I look forward to your 
testimony.
    Doctor, you might need to unmute yourself.
    She is having connectivity issues, so why don't I do the 
other introductions and we will see if she is ready in a minute 
or two.
    Our next witness will be John Riggi, Senior Advisor for 
Cybersecurity and Risk from the American Hospital Association 
(AHA). Mr. Riggi is the Senior Advisor for Cybersecurity and 
Risk for the AHA. He brings nearly 30 years of experience with 
the FBI, including serving as the Senior Executive for the 
FBI's Cyber Division Program developing mission-critical 
partnerships for the health care and other critical 
infrastructure sectors.
    Mr. Riggi, I look forward to your testimony as well today, 
and I think we should probably proceed with that. Mr. Riggi, 
please feel free to proceed.

 TESTIMONY OF JOHN RIGGI,\1\ SENIOR ADVISOR FOR CYBERSECURITY 
            AND RISK, AMERICAN HOSPITAL ASSOCIATION

    Mr. Riggi. Thank you, and good afternoon, Chairman Paul and 
Ranking Member Hassan, and Members of this Subcommittee. On 
behalf of our nearly 5,000 member hospitals and health systems 
the American Hospital Association thanks the Subcommittee for 
the opportunity to testify on this important issue, and we 
stand by, ready to assist as needed.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Riggi appears in the Appendix on 
page 51.
---------------------------------------------------------------------------
    The AHA has a unique national perspective on cyber threats 
facing health care, stemming from our trusted relationships 
with the field and government agencies. The ongoing pandemic 
has resulted in a significantly increased cyber threat 
environment for health care providers. For example, this past 
October 28th, CISA, FBI, and HHS issued an urgent warning of an 
imminent ransomware threat to U.S. hospitals, and advised the 
field to take immediate defensive action. This threat remains 
ongoing as of today.
    This threat also comes as hospitals and health systems were 
already dealing with what I call a COVID-induced cyber triple 
threat. The first threat is an expanded attack surface. In 
preparation and response to COVID-19, the health care sector 
rapidly deployed and expanded network-connected technologies 
such as telehealth, telemedicine, and telework. Unfortunately, 
this also greatly expanded network access points and 
opportunities for the cyber criminals to attack.
    The second threat is increased cyberattacks. In conjunction 
with the expanded attack surface, cyber criminals have launched 
increased and relentless attacks on hospitals and health 
systems. HHS Office of Civil Rights (OCR) has reported a 
significant increase in hospital hacks since September 1, 2020, 
impacting millions of patients. Foreign intelligence services 
from China, Russia, and Iran, have launched cyber campaigns 
targeting health care, to steal COVID-19 related data and 
vaccine research. Of all the attacks, ransomware attacks are a 
top concern. These attacks could disrupt patient care, deny 
access to critical electronic medical records and devices, 
resulting in canceled surgeries and the diversion of 
ambulances, thus putting patient lives and the community at 
risk.
    The third threat hospitals face is resource constraints, 
due to reduced revenue as a result of canceled so-called 
elective surgeries and patients' reluctance to seek medical 
treatment during the pandemic. This situation leaves limited 
funds available to bolster network defenses and to recruit and 
retain scarce cybersecurity professionals. The above factors 
create a perfect storm of cyber threats for hospitals and 
health systems.
    Regarding ransomware attacks, we believe a ransomware 
attack on a hospital crosses the line, from an economic crime 
to a threat-to-life crime, and therefore should be aggressively 
pursued as such by the government. Most often these attacks 
originate from foreign adversarial safe havens, beyond the 
reach of U.S. law enforcement. Combined use of military and 
intelligence capabilities, along with economic sanctions to 
augment law enforcement efforts, can reduce cyber threats to 
the Nation. By defending forward, the government can deter and 
disrupt these foreign-based cyber threats before they attack.
    We believe a hospital victim of cyberattack is a victim of 
crime and should be provided assistance, not assigned blame. 
Despite regulatory compliance in implementing cyber best 
practices, hospitals and health systems will continue to be the 
targets of sophisticated attacks, which will inevitably 
succeed.
    The government often repeats the phrase, ``It is not a 
matter of if but when.'' Unfortunately, when a breach occurs, 
the Federal Government's approach toward the victims of 
cyberattacks is sometimes inconsistent across agencies and may 
be counterproductive. For example, Federal law enforcement 
agencies often request and need the cooperation of victims of 
breaches to further their investigations and disrupt the threat 
to the Nation.
    Subsequently, or concurrently, a hospital or health system 
may become the subject of an adversarial investigation by the 
HHS Office of Civil Rights. This can be disruptive and 
confusing for the victim and stifle cooperation with Federal 
law enforcement.
    Given the critical need to defend health care during the 
pandemic, along with the increased cyber threat environment, 
and a need to incentivize cooperation from victims, we strongly 
recommend that additional safe harbor protections from civil 
and regulatory liability be provided to hospital and health 
system victims of cyberattacks.
    In conclusion, hospitals, health systems, and patients are 
heavily targeted by cyber criminals and sophisticated nation-
states. Hospitals have made great strides to defend their 
networks, secure patient data, and most importantly, protect 
patients. However, we cannot do it alone. Health care needs 
more active support from the government, including consistent 
and automated threat information sharing, to help us defend 
patients and their data from cyber threats.
    Conversely, the Federal Government cannot protect our 
nation from cyberattacks alone either. They need the expertise 
in exchange of cyber threat information from the field to 
effectively combat cyber threats. What is needed is an 
effective and efficient public-private cybersecurity 
partnership and a truly all-of-nation approach.
    Thank you.
    Senator Hassan. Thank you so much. I want to turn now back 
to Dr. Torres-Rodriguez. If you are able to join us, Doctor, we 
look forward to your testimony.

TESTIMONY OF LESLIE TORRES-RODRIGUEZ, Ed.D.,\1\ SUPERINTENDENT 
              OF SCHOOLS, HARTFORD PUBLIC SCHOOLS

    Ms. Torres-Rodriguez. Good afternoon, Chairman Paul, 
Senator Hassan, and Senators of the Committee. I am Dr. Leslie 
Torres-Rodriguez, Superintendent of Hartford Public Schools. We 
are the third-largest school district in Connecticut, with 
approximately 18,000 students.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Torres-Rodriguez appears in the 
Appendix on page 61.
---------------------------------------------------------------------------
    I appreciate your invitation to address the Committee and 
answer questions regarding the cyberattack on Hartford Public 
Schools that occurred in September. The cyberattack had 
extremely disruptive effects on our school system, our 
students, and our staff. We were forced to postpone our first 
day of school, on September 8th, following months of intense 
planning for in-person learning amidst the COVID-19 pandemic.
    While our students have been attending school, either in 
person or remotely, for nearly 3 months now, we are still 
repairing and recovering from lingering effects of the attack.
    Hartford Public Schools and the city of Hartford were 
informed by our shared IT department, Metro Hartford 
Information Services (MHIS), that early in the morning hours on 
Saturday, September 5th, we experienced a severe cyberattack, 
specifically a ransomware attack which aims to take control of 
targeted servers and sell access back to the owner, back to us.
    The attack was unsuccessful, overall, because Metro 
Hartford Information Services regained control of its servers 
without complying with the attacker's demands, thanks to recent 
cybersecurity investments and quick work by the Metro Hartford 
Information Services team.
    Based on initial analysis by the Connecticut National Guard 
and the FBI, the attack was likely conducted by a highly 
sophisticated actor, and so in one sense we were fortunate that 
we avoided the worst case scenario.
    Our district team, Metro Hartford Information Services, and 
Mayor Bronin's office worked late into the night on Labor Day, 
and in the early hours on Tuesday, September 8th, to ensure 
that Hartford Public Schools' critical systems were restored so 
that the first day of school could proceed.
    Our student information system was restored around 
midnight, but as of 3 a.m. our transportation system was still 
not accessible. Our transportation company and our schools had 
no access to the student bus schedules. Around 4 a.m., I did 
have to make that difficult call to postpone the first day of 
school. Fortunately, we were able to get our transportation 
system back online the evening of September 8th, and we opened 
schools for the first time since March on Wednesday, September 
9th.
    However, 2 weeks later, our systems were still not yet 
fully operational and the costs to address the problem, 
financially and in terms of resources and staff time, have been 
significant. While we have regained control of servers and 
data, preventative measures are ongoing and present significant 
challenges to getting operations back to normal. For example, 
all of our servers needed to be taken offline and reimaged or 
restored from backups. The total amount of information that 
needed to be restored was over 70 terabytes across the city and 
school system, which is a massive amount of information.
    Additionally, every computer that had connected to the 
district network before the attack, just before the start of 
the school year, had to be individually restored to factory 
settings before reconnecting with the network. This required a 
very fast deployment of new laptops to hundreds of staff 
members, which then depleted the stock of laptops that we had 
to provide to students at a very critical time in the school 
year. While we had ordered laptops with the intention of 
ensuring every student had a district device at the start of 
the school year, that plan was set back as a result of the 
cyberattack.
    This was an especially difficult consequence of this attack 
as many of our students are participating in online learning 
from home and needed reliable devices to engage in their 
learning. These preventative measures impeded our ability to 
operate normally and our teachers' ability to provide student 
instruction, impairing even basic functions like scanning 
and printing and having access to lesson plans.
    I am proud of the work that has been done by our IT team, 
our city officials, and district administration, and thankful 
for the investigative actions and the support from the 
Connecticut National Guard and the FBI. However, we do need to 
protect our critical infrastructure by preventing such attacks 
in the future.
    I thank you again, Senator Hassan, for inviting me to 
testify before this Subcommittee on this important issue. While 
the attack was unexpected and damaging in many ways, I am 
grateful for the way that our local, State, and Federal 
agencies collaborated to address the cyberattack and assisted 
with the restoration efforts. We are all committed to serving 
our constituents, our students, in the best way possible.
    Thank you, and I will be happy to answer any questions that 
you may have.
    Senator Hassan. Thank you, Superintendent. I will now turn 
to the Chairman for an introduction.
    Senator Paul. Our final witness this afternoon is Bill 
Siegel, CEO and Co-Founder of Coveware. Mr. Siegel founded 
Coveware in 2018, to provide services to small and medium-sized 
businesses threatened by ransomware. They offer a full-spectrum 
suite of services, from identifying and closing vulnerabilities 
before an attack happens to decryption and navigation of an 
attack that has happened, to recovery after an attack.
    Coveware and other private sector firms provide solutions 
that keep pace with the criminals. We are excited to hear from 
Mr. Siegel about the state of the cybersecurity marketplace, 
what to do if your organization is attacked, and about low-cost 
steps that organizations of all sizes can take to enhance their 
cybersecurity posture.
    Mr. Siegel, you are recognized.
    Is he disconnected?
    All right. Why do we not begin a round of questions with 
Senator Hassan, and we will get back to Mr. Siegel's testimony 
when he gets back on.
    Senator Hassan. Thank you, Mr. Chair, and I want to start 
with a question to Commissioner Goulet.
    Commissioner Goulet, you and I know all too well the 
challenges of putting together a State budget. Giving more 
funding to the State's information technology budget might mean 
giving less funding to emergency services, education, public 
transportation, or other critical priorities. Moreover, when 
recessions happen, State revenues decrease, which leaves budget 
officials with even harder decisions to make.
    Commissioner Goulet, can you talk about the challenges 
States face funding cybersecurity upgrades as they deal with 
reduced State revenues from the recent economic downturn? Do 
States have the ability to adequately fund their information 
technology budgets and better protect against cyber threats?
    Mr. Goulet. Thank you for the question, Senator. We have 
some really recent data from the 2020 Deloitte NASCIO 
Cybersecurity Study, and I will share with you the top five 
barriers to overcoming cybersecurity challenges in State 
government: (1) lack of sufficient cybersecurity budget; (2) 
inadequate cybersecurity staffing, which really relates to 
number one; (3) legacy infrastructure and solutions to support 
emerging threats. The older systems tend to be much more 
vulnerable; (4) lack of dedicated cybersecurity budget; and 
finally, (5) inadequate availability of cybersecurity 
professionals.
    I think that pretty well covers the gamut of the answer to 
that question.
    Senator Hassan. Thank you. I appreciate that. I will go on 
and complete this round.
    Dr. Torres-Rodriguez, I want to turn to you, and I first 
just want to start by thanking you for participating in this 
hearing. All educators are facing unprecedented challenges 
right now, but to suffer a ransomware attack on top of 
everything else you are contending with means you are busier 
even than most other educators.
    I want to start by getting a sense of where cybersecurity 
falls in the very long list of priorities that a school 
district like yours has. You mentioned in your testimony that 
there is a Metro Hartford Information Service. What sort of 
assistance do you get from them? Do you think that there are 
enough cybersecurity professionals to help the school district 
with the system you already have, and what sort of assistance 
from the Federal Government would be helpful, and did you 
receive before and after the attack?
    Ms. Torres-Rodriguez. Yes, and just to give you a little 
more context, we have about 18,000 students and 3,400 staff 
members here in the public school system, and the shared IT 
department, which is managed by the city of Hartford, has six 
field IT technicians in all. There is one staff member assigned 
full-time to cybersecurity, and that is across all of the city 
services. There is an opportunity, if you will, for additional 
support there.
    With regard to the assistance from the Federal Government, 
Hartford Police and the FBI liaison there did investigate the 
attack and gather additional information. The Connecticut 
National Guard provided assistance with the recovery effort for 
about 4 weeks, primarily helping to mitigate and reimage our 
district devices. That was prioritized, and we are deeply 
grateful for that.
    The National Guard has a team that specializes in defensive 
cyber operations, and their support was critical in assessing 
the attack and helping the Metro Hartford Information System 
team recover operations and help ensure security.
    Overall, it was their assessment that this was a highly 
sophisticated and complex attack, that the information system 
team took a wide range of appropriate measures, but nonetheless 
it impacted school operations.
    Senator Hassan. Thank you for that. I am going to turn now 
to Mr. Riggi. Thank you for your work for our nation's 
hospitals, both in terms of your current position and from your 
time working for the FBI. As a cybersecurity professional who 
focuses on preventing cyberattacks to hospitals, can you please 
lay out for us the type of attack that most worries you?
    Mr. Riggi. Thank you, Senator. As I mentioned in my 
testimony, the attacks that I am most concerned about are 
ransomware attacks, which have the ability to disrupt patient 
care and risk patient safety. These types of attacks can lead 
to medical records becoming inaccessible at critical moments in 
treatment. Even understanding drug allergies for a patient may 
not be available. In certain instances we have had ambulances 
being diverted to emergency rooms which were further away from 
the original intended destination.
    In the medical field, obviously, any delay in urgent 
treatment increases the risk of a negative outcome. Ransomware 
attacks, especially as we have seen the increase recently, are 
the top concern, certainly the most significant concern, that 
worries us at the moment.
    Senator Hassan. Thank you, and if I have a chance I am 
going to return to you with one more question. But first I do 
want to turn back to Commissioner Goulet.
    Over the past decade, cyberattacks have increased in both 
their frequency and their ability to threaten our national 
security. Just as we have experienced with terrorism, the 
impacts of these cyber threats are not confined to far-off 
battlefields but extend to our States, our cities, and our 
communities.
    However, as the threat has increased, Federal support for 
State and local governments has not increased commensurately. 
As you note in your testimony, only 4 percent of Homeland 
Security grant dollars have gone to support State and local 
cybersecurity over the past decade.
    Can you provide your analysis for why you think that 
Federal funding for State and local cybersecurity efforts has 
not been commensurate with the threat? What do you recommend 
that Congress do in order to address this?
    Mr. Goulet. Thank you. I so wanted to address that question 
in more detail. My colleagues around the country and I 
have really a queue of initiatives that we would do to help 
State and local governments, and education, and really all of 
the State, if we had access to more funds.
    We have done as much as we could with those Federal 
Homeland Security grant funds that we were able to access, for 
example, in New Hampshire we built a nice Federal response 
program where we did take a whole-of-state approach. But we 
really could do so much more with dedicated cyber grant funding 
that flowed in a separate stream. I think that although we 
are slowly improving our cyber posture in State we could very 
much accelerate the improvement of cyber posture with dedicated 
grant funding.
    I would also like to reiterate that any such funding should 
include incentives for States to invest in a continuous manner 
as well.
    Senator Hassan. Thank you, and thank you, Mr. Chair.
    Senator Paul. Thanks. I do believe we see Mr. Siegel back 
online, and you missed your great introduction and you only get 
one introduction. But if you are there we would love to hear 
your testimony.

  TESTIMONY OF BILL SIEGEL,\1\ CHIEF EXECUTIVE OFFICER AND CO-
                    FOUNDER, COVEWARE, INC.

    Mr. Siegel. Thank you, Mr. Chairman, Ranking Member Hassan, 
and Members of the Subcommittee. Thank you for the opportunity 
to share Coveware's perspective regarding cybersecurity threats 
to State and local governments and small businesses. My 
testimony today is derived from Coveware's role in 
cybersecurity incidents from the perspective that handling 
thousands of these incidents has given us over the years.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Siegel appears in the Appendix on 
page 63.
---------------------------------------------------------------------------
    Before we could try to solve this problem, after we founded 
the company, we recognized that something was missing. There was 
no clean data being collected on these incidents. The analogy 
that we used is you cannot build safe cars without visiting 
crash sites, measuring the skid marks and figuring out what 
happened.
    Accordingly, when we founded the company we set out to 
build a large data set on what actually happens during these 
attacks. Our interactions put us right in the middle of these 
incidents. We work with forensic investigators, privacy 
attorneys, restoration firms, cyber insurance companies, and 
law enforcement branches of all kinds. The data that is 
exhausted and collected from these incidents, which span 
thousands of unique incidents, has given us a fresh 
perspective.
    We use our data for three principal activities. First, we 
use it to contextualize these attacks for victims of these 
crimes, so they can understand how comparable companies have 
worked their way through these issues. Second, we aggregate 
these data findings and we try to publish our research, so as 
to raise awareness of the very common attack methods that these 
actors use. Last, we provide a large subset of our data to law 
enforcement very readily to augment their active 
investigations.
    A typical ransomware attack involves three phases. First is 
access. Almost all ransomware attacks are manually carried out. 
That means that the threat actor is physically inside the 
network of the victim, typically using stolen or harvested 
credentials.
    The second is encryption, where the attacker employs an 
encryption program that locks up computer servers, and deletes 
or encrypts backups as part of that process.
    The third is extortion. This is where, if the company is 
not able to restore from backups, they are faced with a 
difficult decision of either having to pay a ransom or rebuild 
their network from scratch. While it may seem stark, this is a 
decision that hundreds of businesses face every single day.
    Who are these criminals that carry out these attacks and 
what drives them? After thousands of cases and much study, we 
have a pretty clear picture of who carries out these attacks 
and why. By and large, the criminals that carry out ransomware 
attacks are financially motivated. Cyber extortion is their 
business, and the manner in which they conduct their business 
follows economic power laws. They seek profits just like 
legitimate businesses, and accordingly they follow strategies 
that maximize the outcome, minimize the costs, and increase the 
percent of their attacks that they are able to monetize.
    Why is cybercrime proliferating so rapidly? Following the 
economic theme, we estimate that a given ransomware attack can 
earn a single cybercriminal tens of thousands of dollars, with 
almost no risk, and profit margins well in excess of 90 
percent. Economics 101 dictates that more activity will occur 
until the margins are driven down in this economy. It is simply 
too profitable and too low-risk to be ignored by would-be 
criminals.
    Additionally, the cybercrime industry is innovated by an 
aim to attract new [inaudible] and thus lowering the barrier to 
entry for new criminals. We have detailed in our written 
testimony how Ransomware-as-a-Service allows a non-technical 
criminal the opportunity to participate. This combination of a 
highly profitable industry with low barriers to entry and a 
growing population of participants is the reason that these 
attacks are proliferating so much.
    There are many ways to apply pressure to the economics of 
cybercrime. We offer one that we feel would be an effective 
means of curtailing activity. When we look at our own data, one 
vector stands out. Quarter after quarter, for the last 2\1/2\ 
years, a vector called Remote Desktop Protocol (RDP), is 
consistently the most used by ransomware actors. Properly 
securing our RDP is free. All it requires is a bit of time and 
effort.
    As an example of how effective closing this vulnerability 
can be, I cite a recently published study that we cited in our 
written testimony, where a group set out to proactively 
reduce the number of RDP-based ransomware attacks that occur. 
They contacted these companies, after proactively sustaining 
their networks, advised them of their vulnerability, and worked 
to patch this issue. The resulting 4 month period showed a 60 
percent reduction in ransomware attacks across these 
organizations.
    This is a free fix. All it takes is a little bit of elbow 
grease.
    While this recommendation is just one example, we feel that 
there are further ways to attack the economics of cybercrime, 
while proactive security, new policy initiatives, and 
relentless pursuit of these criminals by law enforcement will 
never have substitutes in this fight. We think working big to 
small on reducing the profitability of cybercrime can produce 
immediate and material results.
    Thank you to the Chairman, and I look forward to your 
questions.
    Senator Paul. Thank you for your testimony, and I am going 
to turn it over for further questions to Senator Hassan.
    Senator Hassan [presiding.] Thank you, Mr. Chair. I do want 
to return to our witnesses with some follow-up questions, and 
Dr. Torres-Rodriguez, I would like to start with you. You 
talked about the ransomware attack that the Hartford school 
system experienced. Now that it has been a few months since the 
cyberattack, can you please share with us what steps you have 
taken so far to try to prevent future attacks? What lessons 
have you learned?
    Ms. Torres-Rodriguez. Yes. Prior to the attack, the city of 
Hartford had invested $500,000 upgrading the security system 
for Hartford Information Services, which is the shared 
services. That alone helped us actually not have as 
significant of an impact as we would have had. Since then, new 
end-point security software called Carbon Black has also been 
implemented and installed in approximately 4,000 of our 
devices. What Carbon Black does is to leverage predictive 
security and is designed to detect malicious behavior and help 
prevent malicious files from attacking an organization, and can 
also assist with rapid restoration, which was one of our 
lessons learned, of critical infrastructure, should an attack 
happen again in the future.
    Senator Hassan. Thank you. I want to talk again to Mr. 
Riggi as well. You mentioned in your testimony some of the 
critical need for information sharing. Can you please lay out 
for us your assessment of cyber threat information sharing 
between the Federal Government and hospitals across the 
country, and between hospitals is it adequate or could more be 
done to improve cyber threat information sharing?
    Mr. Riggi. Yes. Thank you, Senator. I think I would 
characterize it as greatly improved compared to--one of the 
functions that I ran at the FBI was to disseminate information 
as we were just understanding how vital that information 
sharing is.
    I think one area that has been improved has been the 
timely and actionable notices, highlighted by the October 28th 
notice I mentioned previously. For that information to be declassified 
and come out so quickly I think is very commendable, and to 
come out jointly by all three agencies is very commendable. 
However, I think there still needs to be more improvement in 
terms of regular cadence of sharing of cyber threat 
information, sharing it in a more automated and broad manner, 
and also the sharing of classified information, where possible, 
to trusted health care contacts.
    It has improved but I think we still have a long way to go.
    Senator Hassan. Thank you. I understand that you work with 
hospitals across the country to help secure them from cyber 
threats. Can you give us the typical profile of a hospital 
cybersecurity staff, and how do small and rural hospitals 
differ in terms of cybersecurity professionals and resources as 
compared with major metropolitan hospitals, for example?
    Mr. Riggi. Yes, there is quite the range and spectrum of 
resources available, and the profile varies widely, generally, 
from small to large urban centers. Generally smaller hospitals 
have fewer resources in terms of financial, human and 
technical resources to devote to cybersecurity. In many 
instances, these smaller, more financially challenged hospitals 
add on cybersecurity as a duty to, for instance, the chief 
information officer or IT director. Larger systems may have the 
luxury of having a very large staff. Multistate systems may 
have hundreds of people devoted to cybersecurity. However, they 
have vastly more complex systems and networks to protect and 
defend.
    It varies widely. What I can say is that almost all 
hospitals now highly prioritize cyber risk as an enterprise 
risk issue, and are seeking to bolster their defenses. But they 
do struggle under the reduced revenue that they are facing as a 
result of COVID-19.
    Senator Hassan. Is that reduced revenue the major impact 
that you have seen with COVID-19 on this particular issue, or 
are there other ways that COVID-19 has affected, for instance, 
the staffing for hospital cybersecurity?
    Mr. Riggi. I think the reduced revenue has impacted 
staffing in the sense that certain hospitals may not have the 
financial resources to recruit and retain individuals. We have 
not seen a direct impact on COVID-19 reducing hospital 
cybersecurity staff, although there have been scattered reports 
of just general reduction in staff.
    But ultimately I think that the staffing issue is a 
challenge for all sectors. Quite frankly, there is a zero 
unemployment rate for cybersecurity professionals, and 
hospitals are competing not only with other hospitals to 
recruit and retain but with other sectors and the government.
    Senator Hassan. OK. Thank you. I know that the health care 
sector has an Information Sharing and Analysis Center. Can you 
provide an assessment of how effective the health ISAC has been 
in assisting hospitals, and what are its limitations, 
particularly for small and rural hospitals?
    Mr. Riggi. The health ISAC, I think, has done a pretty good 
job of getting information out. I know the folks over there, 
good folks, and they do, as I said, a pretty good job. Some of 
the limitations may be in their reach, because they are a 
member-driven organization and they do require a membership 
fee. Now that fee is a sliding scale and may be fairly 
reasonable, depending on the size of the organization.
    But again, I think that the issue there is the reach and 
timely dissemination. Often the H-ISAC relies on the government 
for the threat indicators as well. I think part of the mission 
of the H-ISAC and the government, going back to the CISA 
legislation of 2015, is to increase automated sharing of threat 
indicators, because the ability to share human to human, peer 
to peer, is just too slow to keep up with the adversaries. I 
think there still needs to be quite a bit of work done there, 
from both the government side and on the private sector side, 
to increase that electronic bridge for cyber threat information 
sharing.
    Senator Hassan. Thank you. I have a couple more questions 
but I understand that one of my colleagues, Senator Sinema, is 
online and ready to ask her questions. Senator Sinema, I will 
recognize you for your round of questions.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you so much, Senator Hassan, and I 
want to say thank you to our witnesses for participating today.
    Even before this pandemic, cybersecurity was a critical 
issue in Arizona with ransomware attacks on Arizona medical, 
education, and government organizations. During the coronavirus 
pandemic, as more people go online for school, work, and social 
interactions, we have seen an increase in system 
vulnerabilities and cyber threats across the country and in 
Arizona.
    Spending has also gone up as State, local, and Tribal 
governments work to support their communities' information 
technology needs. As such, Federal cybersecurity support for 
State, local, and Tribal entities during this pandemic is 
critical.
    Today I am going to direct my questions to Mr. Riggi. 
Medical devices with connectivity features are becoming more 
common in hospitals. In recent years, ransomware attacks on the 
medical community impacted not just hospital computers but also 
storage refrigerators. As coronavirus vaccines are approved, 
hospitals and health care systems across the country will be 
asked to accept shipments and store the vaccines under very 
precise conditions.
    Has the American Hospital Association and its member 
hospitals created sound strategies to protect storage 
refrigerators and other systems that will be part of the 
vaccine storage and distribution plan?
    Mr. Riggi. Thank you, Senator. Our general guidance has 
been in terms of protecting all medical devices, to ensure that 
when they are, in fact, if they are, in fact, connected to 
networks that any potential vulnerabilities be identified and 
that they be network segmented. We will be closely monitoring 
the vaccine development and distribution, and we will certainly 
offer guidance to the field on how to protect those 
refrigerated devices. One of the main ways to protect them is 
to ensure that they are not network connected, and that if they 
are network connected to ensure that they are segmented and 
isolated from main networks and potential threats.
    Senator Sinema. Thank you. In 2019, as you may or may not 
be aware, Wickenburg Community Hospital, which is a hospital in 
rural Arizona, was hit by a ransomware attack. Wickenburg is a 
small, nonprofit hospital serving a community of about 8,000 
residents. The hospital's four-person IT staff did not contact 
the cyber criminals to hear their demands. Instead, they began 
rebuilding the hospital's computer systems from scratch, using 
data the hospital had backed up onto physical tapes. The attack 
happened on a Friday, and by Monday the systems were almost 
fully functional again.
    Now Wickenburg was unique for a small hospital in that it 
had an IT team with the expertise to rebuild the system. You 
mentioned constrained resources and shortage of qualified 
personnel as challenges to hiring qualified health IT security 
experts. What needs to be done to overcome these challenges, 
and how can Congress help?
    Mr. Riggi. Thank you. I think further incentives, perhaps, 
to recruit and retain cybersecurity professionals to work in 
health care, perhaps modeling other programs across government 
offering incentives for health care professionals, for doctors 
to work in rural areas, perhaps we need something similar to 
that for cybersecurity professionals.
    As I said, unfortunately, there is a zero unemployment rate 
for cybersecurity professionals. Increased training, perhaps, 
of folks displaced from other services. Increased training, 
perhaps, or retraining of veterans as cybersecurity 
professionals may also be another plausible route to staff some 
of these positions.
    Senator Sinema. Thank you. The University of Arizona 
Medical School has studied the vulnerabilities of medical 
devices, and they have invited doctors, security experts, and 
government agencies to simulate a cyberattack on an infusion 
pump, a pacemaker, and an insulin pump, in 2017.
    As you know, medical devices are regulated by the Food and 
Drug Administration (FDA) for both safety and effectiveness. 
What discussions have occurred between your hospital members, 
government regulators, and device manufacturers to prioritize 
the medical device security needs?
    Mr. Riggi. We feel we have been engaged quite a bit with 
the FDA concerning both their premarket and postmarket guidance 
on cybersecurity for medical device manufacturers. Although 
this still remains guidance, our position has been that we 
would like to see most of that, if not all of it, be made 
mandatory so that the manufacturers would have to comply with 
some of the guidance involving such concepts as security by 
design, making sure those features are built in, that the 
software bill of materials is provided by the manufacturer to 
the end user, so the end user can understand what the potential 
vulnerabilities may be in there, and also to provide lifetime 
support for the medical device, especially in terms of security 
upgrades.
    We are constantly monitoring those issues. One of the 
things we advise our hospitals and health systems is to ensure 
that there is adequate communication between clinical 
engineering staff and the information security staff as well, 
to keep an accurate inventory of medical devices, identify 
vulnerabilities which may be present in those devices, and 
ensure that they are network segmented. Of course, the most 
precious lifesaving, life support devices like ventilators, are 
the ones that are most protected and segregated. Thank you.
    Senator Sinema. Thank you so much.
    Madam Chair, I yield back the balance of my time, and I 
want to thank Mr. Riggi for taking the time to talk to me about 
these concerns in Arizona.
    Mr. Riggi. My pleasure. Thank you.
    Senator Hassan. Thank you very much, Senator Sinema. I have 
a couple more questions, and then assuming we do not have any 
other Senators join us we will adjourn.
    I wanted to take the opportunity, Dr. Torres-Rodriguez, to 
turn back to you to get more of a sense from you about the 
impact that the recent ransomware attack has had on your 
community. As you discussed, it delayed the start of the school 
year, but can you share with us how teachers, support staff, 
parents, and the rest of the community have been impacted by 
this cybersecurity attack, and how has the pandemic exacerbated 
these attacks?
    Ms. Torres-Rodriguez. Yes. In terms of the ongoing 
operational effect of the attack, shutting down functions and 
servers did have debilitating consequences for a number of 
departments. For example, we did not have access to our 
financial management software for 17 days, so this caused 
delays in numerous financial processes, including our supply 
orders, year-end filing with our State requirements, grant 
filings, payroll, among other operations.
    When I think about the broader implications, the 
disruptions to our school district, including that sudden delay 
to the first day of school after weeks of preparation, was 
disruptive to our families, given that already, as part of our 
mitigation efforts regarding our COVID mitigation, we did have 
a staggered, phased-in approach to return back to school. It 
caused disruption and confusion there.
    The process of restoring well over 10,000 devices--laptops 
and desktops--for both students, teachers, and support staff, 
was tremendous. It did require a heavy lift in terms of human 
capital and time, which is why the role of our IT department 
and the Connecticut National Guard, and even a third-party 
technical support that we have to contract out for, because 
otherwise we could not have done it. It would have taken 
additional weeks to start our school year.
    During this time, our teachers did struggle to deliver 
quality instruction to both the 10,000 students that were 
learning online at home, as well as the 8,000 in their 
classrooms.
    As part of the planning last spring and into the summer, we 
did make a decision to become a one-to-one district, meaning 
one device per each student, meaning that every student would 
have a district-issued device. There were over 2,000 devices 
that were no longer available for our students at the beginning 
of the school year because we had to prioritize getting our 
teachers to have their devices to deliver the instruction.
    As I think about those early weeks, some of our students 
did not have access to learning, and we serve communities that 
have concentrated levels of need. Every minute, every day 
matters to us in terms of having access to instruction, and the 
other social and emotional supports that our students need to 
have.
    Senator Hassan. Thank you very much. That is very helpful.
    Commissioner Goulet, I want to follow up on this issue of 
K-12 schools with you. Can you give us your thoughts, from the 
perspective of State governments, on how best to protect K-12 
schools and hospitals? What role, if any, should State 
governments be playing?
    Mr. Goulet. Thank you, Senator. This really is a great 
opportunity to highlight some examples of the whole-of-state 
approach that we advocate. I want to start by going back to a 
concept that Senator Rosen brought up earlier, which was this 
concept of making our activities consumable by those folks we 
want to help. If you have a small-staff school, you cannot 
throw sophisticated stuff at them, for them to absorb and have 
to do.
    I know we have been working with MS-ISAC on how we scale 
up some of their programs that were originally designed for 
State governments but they need to be tweaked to be absorbed by 
schools in local government.
    That is one area, but I think it is really being 
collaborative, involving these entities in planning. For 
example, in New Hampshire, on the school side, it is really 
being involved in the rollout of the minimum standards for 
security and privacy in schools, which was enacted by the State 
legislature in New Hampshire.
    On the hospital side, we did involve local hospitals in our 
cyber disruption planning grant fund, the DHS grant funded 
cyber disruption planning. When we heard what was going up in 
Vermont, at the UVM Medical Center, we were able to reach out 
to cyber professionals and IT professionals in the hospitals in 
New Hampshire and find out what they were doing and whether 
they were preparing for or watching carefully to avoid this 
cyber risk of ransomware in the hospital, which, of course, as 
you have heard, is tremendous.
    Those are some small examples there, and I think you really 
expect a collaborative, whole-of-state approach. What I use 
when I am speaking to people and trying to bring them into the 
tent, is there is no I in cyber.
    Senator Hassan. Thank you very much for that, Mr. Goulet, 
and thank you for your continued work for the people of New 
Hampshire.
    I have a short closing statement and then I am going to go 
ahead, at the Chairman's request, and adjourn the hearing.
    First of all, I want to thank Chairman Paul for working 
with me to organize this hearing, and I particularly want to 
thank his staff, Adam and Greg, for their work in making this 
happen. Again, I want to thank all of our witnesses for their 
testimony today, and for the role that you all play in helping 
to secure our nation from cyberattacks.
    Cybersecurity at the State and local level has never been 
more important, and it is incumbent on all of us to work 
together to solve the unique challenges posed. It is clear to 
me that State and local governments, our K-12 schools, and our 
nation's hospitals all need additional resources and support to 
be able to achieve their missions in the face of cyberattacks.
    I look forward to working with our witnesses and Members of 
the Committee on potential solutions, such as a standalone 
State and local cyber grant program, and improved information 
sharing between the Federal Government and schools and 
hospitals.
    Thank you all for joining us today, our witnesses. I know 
how busy you are at this challenging time, and your 
contributions today make a world of difference, and we are very 
grateful.
    Seeing that there are no other Members seeking recognition, 
I will thank our witnesses today again for their participation 
in this hearing. The Committee record will remain open until 
December 17th for Members to submit statements and questions 
for the record, and with that this Subcommittee stands 
adjourned. Thank you all very much.
    [Whereupon, at 4:09 p.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------