[Senate Hearing 116-461]
[From the U.S. Government Publishing Office]
S. Hrg. 116-461
STATE AND LOCAL CYBERSECURITY:
DEFENDING OUR COMMUNITIES FROM CYBER
THREATS AMID COVID 19
=======================================================================
HEARING
before the
SUBCOMMITTEE ON FEDERAL SPENDING
OVERSIGHT AND EMERGENCY MANAGEMENT
of the
COMMITTEE ON
HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
DECEMBER 2, 2020
__________
Available via http://www.govinfo.gov
Printed for the use of the Committee on Homeland Security
and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
43-278 PDF WASHINGTON : 2021
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio GARY C. PETERS, Michigan
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah KAMALA D. HARRIS, California
RICK SCOTT, Florida KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
Gabrielle D'Adamo Singer, Staff Director
David M. Weinberg, Minority Staff Director
Laura W. Kilbride, Chief Clerk
Thomas J. Spino, Hearing Clerk
SUBCOMMITTEE ON FEDERAL SPENDING OVERSIGHT AND EMERGENCY MANAGEMENT
RAND PAUL, Kentucky, Chairman
RICK SCOTT, Florida MAGGIE HASSAN, New Hampshire
MICHAEL B. ENZI, Wyoming KAMALA D. HARRIS, California
JOSH HAWLEY, Missouri KYRSTEN SINEMA, Arizona
Greg McNeill, Staff Director
Harlan Geer, Minority Staff Director
Kate Kielceski, Chief Clerk
C O N T E N T S
------
Opening statement:
Page
Senator Paul................................................. 1
Senator Hassan............................................... 2
Senator Rosen................................................ 12
Senator Sinema............................................... 27
Prepared statement:
Senator Paul................................................. 31
Senator Hassan............................................... 33
WITNESSES
Wednesday, December 2, 2020
Brandon Wales, Acting Director, Cybersecurity and Infrastructure
Security Agency, U.S. Department of Homeland Security.......... 3
Denis Goulet, Commissioner, New Hampshire Department of
Information Technology......................................... 15
John Riggi, Senior Advisor for Cybersecurity and Risk, American
Hospital Association........................................... 17
Leslie Torres-Rodriguez, Ed.D., Superintendent of Schools,
Hartford Public Schools........................................ 19
Bill Siegel, Chief Executive Officer and Co-Founder, Coveware,
Inc............................................................ 23
Alphabetical List of Witnesses
Goulet, Denis:
Testimony.................................................... 15
Prepared statement........................................... 45
Riggi, John:
Testimony.................................................... 17
Prepared statement........................................... 51
Siegel, Bill:
Testimony.................................................... 23
Prepared statement........................................... 63
Torres-Rodriguez, Leslie, Ed.D.:
Testimony.................................................... 19
Prepared statement........................................... 61
Wales, Brandon:
Testimony.................................................... 3
Prepared statement........................................... 35
Responses to post-hearing questions for the Record:
Mr. Wales.................................................... 81
Mr. Goulet................................................... 83
STATE AND LOCAL CYBERSECURITY:
DEFENDING OUR COMMUNITIES FROM CYBER THREATS AMID COVID-19
----------
WEDNESDAY, DECEMBER 2, 2020
U.S. Senate,
Subcommittee on Federal Spending,
Oversight and Emergency Management,
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 2:31 p.m. in room
342, Dirksen Senate Office Building, Hon. Rand Paul, Chairman
of the Subcommittee, presiding.
Present: Senators Paul, Scott, Hawley, Hassan, Sinema, and
Rosen.
OPENING STATEMENT OF SENATOR PAUL\1\
Senator Paul. I now call this hearing of the Senate
Homeland Security and Governmental Affairs Subcommittee on
Federal Spending Oversight and Emergency Management to order.
The title of our discussion today is ``State and Local
Cybersecurity: Defending Our Communities from Cyber Threats
Amid COVID-19.''
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Paul appears in the Appendix
on page 31.
---------------------------------------------------------------------------
In preparing for this hearing, it has become clear to me
that good cybersecurity practices require a near constant
struggle to stay ahead of events, and the real danger lies in
getting complacent. Effective cybersecurity is an ongoing,
everyday line of effort. The threat landscape is diverse, the
best practices are constantly changing, the information you get
may not always be reliable, the maintenance tasks can seem
overwhelming, and most importantly, the stakes are high. In
this context I have often found myself thinking, effective
cybersecurity cannot move at, quote, ``the speed of
government.''
By that I mean cybersecurity is a 21st century public
policy problem that just is not solvable, or really even
manageable, by 20th century government means. Regulation,
mandates, and centralized action, in general, these approaches
are inadequate to match the pace of change that we have
witnessed in the cybersecurity realm in recent years.
Congress needs to make sure that the government's role in
detecting and responding to cyberattacks is clearly defined,
and that they are focused, first and foremost, on the security
of Federal information networks.
Today we will hear from the Department of Homeland Security
(DHS) about their cybersecurity work--how it is evolving and
their approach to this complex range of threats. With respect
to individual actors in industries that are at the greatest
risk of cyberattack--health care, education, financial
services, retail, critical infrastructure--the proliferation of
ransomware attacks over the past several months and years have
made clear that these entities have to take on this
responsibility themselves, on a day-to-day, minute-by-minute
basis.
Irrespective of what the government is or is not doing, all
cybersecurity is essentially local, and so today we will hear
from experts in State government, the health care sector, and
public education on their experience with cyber threats and
incidents, and see the state of cybersecurity in these
industries.
Fortunately for both government and the private sector, the
marketplace for cybersecurity services is continuing to grow
and mature. We will hear today from one such firm, Coveware,
that consults with private and public entities on cybersecurity
and works with them to respond to cyber incidents.
I would like to thank Ranking Member Hassan for suggesting
this hearing, and I look forward to hearing from our panelists.
Senator Hassan.
OPENING STATEMENT OF SENATOR HASSAN\1\
Senator Hassan. Thank you very much, Mr. Chairman, for
working with me to arrange this hearing and for your opening
comments. I deeply appreciate the opportunity to continue
working on an issue that I believe is critical to our national
security, as well as to the economic security of our Nation.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Hassan appears in the
Appendix on page 33.
---------------------------------------------------------------------------
State and local governments have been prime targets for
cyberattacks for a number of years, but the stakes have only
grown as coronavirus disease 2019 (COVID-19) has forced
millions of Americans to migrate their everyday activities to
the online world. Many students now learn from their teachers
on a computer instead of in the classroom. Doctors treat many
patients through telemedicine instead of in person. Governments
handle many essential services online instead of at City Hall.
The massive increase in online activities over these past 9
months means that the targets for cyber criminals have
increased commensurately. Unfortunately, cyber criminals have
taken advantage.
One firm that tracks cyberattacks on schools and school
districts reports that 44 attacks have occurred so far this
school year and many more likely went unreported. We will hear
from the superintendent of one of these schools today.
In the spring, Interpol warned that ransomware attacks
against hospitals have grown significantly as hackers sensed an
opportunity to extort more money in ransoms with hospitals
overwhelmed with COVID patients. About a month ago, a
cyberattack hit the University of Vermont Medical Center,
forcing it to divert patients to other facilities, thereby
jeopardizing the care of many patients, especially those in
nearby rural areas who do not have the resources to travel to
the next closest hospital for treatment.
The Federal Government has a responsibility to help protect
our communities from these threats. While the Cybersecurity and
Infrastructure Security Agency (CISA) has done a commendable
job helping our State and local governments, the number and the
severity of attacks on our communities continues to increase.
This hearing will help us identify ways for Congress and
the Federal Government to better assist State and local
governments in fending off these cyberattacks on our
communities. We have a group of great witnesses who can help us
work through these challenges, including CISA Acting Director
Brandon Wales, who we are happy to have here today.
With that said, we are missing our original Federal
witness, CISA Director Chris Krebs, because he was fired
abruptly by the President 2 weeks ago. Director Krebs led CISA
in a nonpartisan manner, and he approached his agency's most
important task, securing the U.S. election infrastructure, with
professionalism and tenacity. He was fired for doing his job,
and we are less safe because of it.
It is imperative that we have strong, independent
leadership at CISA going forward. As the Biden administration
seeks to fill this position in 2021, I would encourage them to
look to Director Krebs' example when considering his successor.
To all of our witnesses, I appreciate your willingness to
testify, and I want to thank you all for the role you play in
keeping us safe. I look forward to learning from your
experiences as well as your expertise.
Thank you, Mr. Chairman, and I will proceed with
introductions if you would like me to.
We will start, in this first panel, with our Federal
witness. I am pleased today to introduce Brandon Wales, Acting
Director for the Cybersecurity and Infrastructure Security
Agency, at the United States Department of Homeland Security.
Acting Director Wales was the first person to serve as the
Executive Director of the agency before being very recently
elevated to Acting Director. In this role, Acting Director
Wales oversees CISA's efforts to defend civilian networks,
manage systemic risk to national critical functions, and work
with stakeholders to raise the security baseline of the
nation's cyber and physical infrastructure.
Acting Director Wales, thank you for coming before the
Subcommittee today, and I look forward to hearing your
testimony.
TESTIMONY OF BRANDON WALES,\1\ ACTING DIRECTOR, CYBERSECURITY
AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND
SECURITY
Mr. Wales. Chairman Paul, Ranking Member Hassan, and
Members of the Subcommittee, thank you for the opportunity to
testify regarding the Cybersecurity and Infrastructure Security
Agency's support to State, local, Tribal, and territorial
stakeholders in mitigating a broad range of cyber threats
facing our Nation.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Wales appears in the Appendix on
page 35.
---------------------------------------------------------------------------
Whether focused on election security, responding to the
digital transformation brought about by COVID-19, or addressing
the plague of ransomware, I believe that enhancing and
sustaining State and local cybersecurity capacity will be the
defining cybersecurity challenge of the next decade.
This is my first appearance before the Committee in my new
capacity as Acting Director, and I am honored to lead the men
and women of our agency as we defend today and secure tomorrow.
I want to begin by thanking the CISA workforce and the
entire election security community for their tireless work over
the last 4 years, culminating in the November 3rd election. Our
goal was simple: to make the 2020 election the most secure in
modern history. We succeeded in building a robust election
security community made up of State and local election
officials, key Federal agencies, and private sector election
vendors, in surging the technical capacity of CISA to improve
cyber defenses nationwide and in harnessing the capabilities of
CISA, the Federal Bureau of Investigation (FBI), the National
Security Agency (NSA), U.S. intelligence community (IC), and
the Department of Defense (DOD) to identify threats, respond to
potential incidents, and take decisive action, when necessary.
As a result, layers of security and resilience measures were
put in place by election officials, and the community reacted
quickly to disrupt efforts by foreign nations to interfere in
the election. For example, we were able to rapidly share
information on Russian intrusions into State and local
networks, and attempts by Iranian government actors to send
spoofed voter intimidation emails were publicly outed within 27
hours.
Our election security mission continues, and CISA will
remain in an enhanced coordination posture until after election
results have been certified in every State. We also stand ready
to support States holding runoff elections in the coming
months, such as Georgia and Louisiana.
This year has not only been focused on elections. Beginning
in February, we have been working to support the nation's
response to COVID-19, including helping to secure the
development and distribution of potential vaccines under
Operation Warp Speed (OWS). Since the pandemic's earliest days,
we have seen malicious cyber actors targeting vaccine research
and development, exploiting the dramatic expansion of remote
work, and using COVID to advance criminal schemes.
In response, CISA ramped up information-sharing efforts on
emerging threats, established a telework resource hub, and
surged cybersecurity services to high-risk entities in the
health care sector through our Project TAKEN. Now, under the
Department of Health and Human Services (HHS) and DOD-led
Operation Warp Speed, we are prioritizing services to companies
deeper in the pharmaceutical supply chain to protect U.S.
vaccine development and distribution.
Recently, hospitals across the country were hit with
ransomware launched by a cybercriminal organization looking to
profit from disruptions of critical health delivery during the
pandemic. This was appalling, but not surprising, given the
growth of ransomware incidents over the past 6 months.
Ransomware is quickly becoming a national emergency. We are
doing what we can to raise awareness, share best practices, and
assist victims, but improving defenses will only go so far. We
must disrupt the ransomware business model and we must take the
fight to the criminals.
While election security, a pandemic response, and
ransomware may all look completely different, the one thing
they have in common is a reliance on the networks at the State
and local level. These are the networks that keep our
communities running despite global challenges. These are the
networks that help us respond to emergencies. These are the
networks that run local hospitals and schools, and they are in
need of urgent assistance.
CISA is taking action to help by strengthening operational
partnerships, hiring additional cybersecurity coordinators to
boost engagement in State capitals across the country,
supporting cyber proposals in the Federal Emergency Management
Agency (FEMA) preparedness grantmaking process, and continuing
to push CISA resources out from headquarters to where our
partners are, in States and communities.
In conclusion, I want to thank the Committee for its
leadership on legislation that has advanced the authorities of
our agency and for your support for legislation still moving
through Congress that will push CISA even further. This
Committee has been an essential partner in our mission, and I
look forward to continuing to work with you to defend today and
secure tomorrow.
Thank you again for the opportunity to appear before you,
and I look forward to your questions.
Senator Paul. Thank you. Senator Hassan had to go vote so
she will be back in a few minutes.
You mentioned, I believe, Russia and Iran, and it went by
pretty quickly and I did not catch everything you had to say.
You said these were attempts to actually change votes or to
interfere in the election somehow? What did you exactly say?
Mr. Wales. Sure. The activity was a little different in
both cases. In the case of Russia, Russia had launched a fairly
broad campaign to target State, local, private sector, and
Federal networks, using exposed vulnerabilities.
Senator Paul. Using what?
Mr. Wales. Exposed vulnerabilities, fairly well-known
vulnerabilities. They were looking for those vulnerabilities
and trying to get inside of networks. We did discover that----
Senator Paul. You are talking about election networks that
count votes? What are you talking about?
Mr. Wales. I am talking about general networks. These could
be private sector networks in things completely unrelated to
elections. It did include, in one case, where they compromised
a local county network and downloaded some information that had
to do with the election. But this was not an attempt----
Senator Paul. But this was not tabulation of the election.
Mr. Wales. No, absolutely no.
Senator Paul. And what did you say about Iran?
Mr. Wales. Iran sent spoofed voter intimidation emails.
Senator Paul. OK. Trying to disincentivize people to vote, or
something, to trick people into not voting.
Mr. Wales. Correct. They are trying to create a narrative
that the election was----
Senator Paul. But to your knowledge, there were no votes
changed by a foreign actor. In fact, was that true? No votes
were changed by a foreign actor, that you know of?
Mr. Wales. We have no evidence that votes were changed by
an actor.
Senator Paul. And no attempts were directly stopped. Is
there sort of an existing voting network? You cannot really
hack into a voting network, can you, that is just sort of
there?
Mr. Wales. We have numerous advantages, in part because we
have a highly decentralized system. There is not an election
network. There are hundreds and thousands of election networks
across the country. In addition, the actual vote tabulation
systems, those are not networked on the Internet. The places
where we see the most activity tends to be those highly
centralized, internet-enabled systems, for example, voter
registration or election night reporting. But even in those
cases we did not see any adversary capable of compromising
those systems to----
Senator Paul. But it sounds like, as a general rule of
thumb, if we are looking for advice on how to protect
ourselves, the whole push of modern technology is to make us
more connected, and maybe part of the advice is that we do not
need to be too connected, having separate systems or
separating. Is some of that advice taken within the Federal
Government? You said we are protected in the electoral system
because we have States and then we have counties and they are
not completely integrated. We probably do not want to
completely integrate or Federalize things with elections.
Is it true, within the Federal Government, that there is
compartmentalization on purpose, to try to protect against
hacking?
Mr. Wales. Yes. One of the major recommendations to any
entity is to be thoughtful about how you network your systems,
where you should segment your systems, where you should
completely air-gap your systems. There is a reason why the
classified networks that are operated by the intelligence
community and Department of Defense are not accessible readily
through the Internet. You want to keep those things separate.
Same thing for industrial control systems that operate the
most sensitive, critical infrastructure in the country. You
want to build additional barriers to prevent people from easily
moving from small compromises onto parts of networks that could
have much more significant consequences.
Senator Paul. How much of the problem with attacking a
network is coming through an email versus another way of
attacking a network?
Mr. Wales. Frankly, it varies. Coming through an email,
that normally includes things like spear phishing, where you
get an email that says ``click on this,'' and you click on a
link and all of a sudden that malicious payload comes and
compromises your computer.
I would say right now we are seeing, while that has been
traditionally one of the more significant ways we have seen
networks compromised, over the last year we have seen dramatic
growth in people compromising networks by exploiting
vulnerabilities in virtual private network software. In part,
this is as a result of the dramatic expansion of people
teleworking, remote working, and a dramatic increase in the
number of----
Senator Paul. What does that mean? You are not attacking it
through an email. You are attacking it through the cloud
somehow, through software that communicates with the cloud?
Mr. Wales. Not necessarily the cloud but, for example, if
you are connecting through a virtual private network, which is
the way that maybe you call in to your company's network--I am
at home, I am on my laptop, calling in to my company's
network--I am connecting through a virtual private network
(VPN) software. There are vulnerabilities in some of the more
common VPN software, most of which have been patched, but if a
company has not patched that vulnerability an actor may be able
to exploit that vulnerability, compromise the connection----
Senator Paul. But they are not logging into your computer.
They are logging into your network and then bouncing back into
your computer once again, if your network----
Mr. Wales. Or, more importantly, they want to get into that
network, so they are exploiting that vulnerability to gain
access to that network, and then once they are inside, using a
variety of other vulnerabilities, they are trying to elevate
their privileges. They have administrative capabilities, so
they can create new accounts, and they can do whatever they
want.
Senator Paul. What is a guess on the percentage? How much
of this is an email problem? Is half of it email, 75 percent,
25 percent? Just a guess.
Mr. Wales. It is a little bit hard to say right now. I
would say probably at least half is still kind of spear
phishing-related intrusions.
Senator Paul. Right. Because it seems like that there would
be a technological solution to some of that in really trying to
protect email networks from the network, almost as if maybe you
have a separate complete network that never communicates. They
communicate with each other, so you can talk to each other, but
never communicates with--I mean, almost somehow a complete
separation of your email network from the rest of your network.
Mr. Wales. It is hard today, given the amount of
interconnection between the various tools that you use in terms
of any business. But most of the ways in which networks are
compromised today are exploiting vulnerabilities where patches
are available and where the solutions to mitigate these
problems are readily available and they are just not being
implemented by the information technology (IT) security
professionals at companies.
Senator Paul. How rapidly does it change? How rapidly does
someone have to figure out that there is a brand new phishing
or technology?
Mr. Wales. You need to stay on top of it. Every day new
patches are released for software. Now it may not be every
single day for every piece of software, but on any given day
there are new patches that come out for software. IT security
professionals need to stay on top of that, understand what the
nature of those vulnerabilities are, and prioritize their
efforts to close those vulnerabilities. Obviously, the bigger
the network you have the more complicated this is.
Senator Paul. When you come up with a patch, are you able
to keep that somewhat secret from the criminals, or can they
immediately see the patch and respond to the patch?
Mr. Wales. They can generally see it. These patches are
made publicly available, so that as many individuals can
protect their networks. It is a cat-and-mouse game. Every
change we make on the defensive side, an offensive cyber actor
is going to look to see what they need to do to get around
that.
Senator Paul. Are we able to, when we have a state actor
that is going after classified information, and we have
creative ways that state actors are using, are we able to share
them with the private sector, or are we too worried that
getting that knowledge out reveals that we know how to combat
certain things? Are we sharing, on a consistent basis,
knowledge that you gain with the private sector?
Mr. Wales. Absolutely. The partnership that we have with
the intelligence community, in particular the National Security
Agency, is better than any time in my entire 15-year history
with the department. We are getting a significant amount of
information from them, of things that they are seeing overseas,
activity that they are seeing from foreign nations, getting
that information to be declassified so that we can get it out
to people, whether that is a specific incident at an individual
location or, more importantly, information that could benefit
the entire community.
A lot of the alerts that we are pushing out, alerting the
community to different tactics that our adversary is using, are
based upon intelligence sources that we are receiving from the
intelligence community. That process is happening quickly.
Senator Paul. Does it work both ways? Getting information
back from private industry as well?
Mr. Wales. There is a vibrant cybersecurity community right
now that has grown up over the past decade and a half, and
there is a lot of information out there for everyone. We,
ourselves, rely upon information provided by private sector
cybersecurity firms to help improve our defenses at the dot-
gov. There is a benefit to this community sharing as much
information as possible, because that is the way we are going
to have a more secure and a more defended cyber ecosystem.
Senator Paul. As someone like myself who is very concerned
with privacy, I have been concerned about having--I am all for
telehealth and for allowing the Internet to allow us to see
doctors remotely. As a physician, I think it is a good thing.
But I am concerned about having a unique patient identifier
where all of our data goes into one place and it is stored in
one place. It goes back to this idea of compartmentalization.
When the Office of Personnel Management (OPM) was hacked,
22 million people's records were released, and I know that was
a big mistake and hopefully we have learned from that. But
there is a danger, and I think one way, from a patient point of
view and from a point of view that there are sensitive things,
whether you have an infectious disease that is acquired
sexually, whether you have a psychiatric disorder that you do
not want the whole world to know about--there are a lot of
things that could be very private.
Starting with my father 20 years ago and continuing today,
we have been trying to get away from a unique patient
identifier that the Federal Government has and I think it would
be nice if people could equate that not only with privacy but
also with the idea of hacking, that the more centralized your
health care records are, it may be easier but it also might be
easier for bad actors to get into your health community and
extort people or damage them publicly with releasing private
information. Any thoughts on health care security with regard
to unique patient identifier?
Mr. Wales. I think that the challenges that you are
describing there are the same challenges that we deal with in
every cybersecurity challenge, and that is how do you balance
the need to create more efficient, more effective systems with
the risk that that poses because of the nature of connected
systems being potentially vulnerable.
We encourage people to be thoughtful and take a really
risk-based approach--how much information needs to be
centralized, how much information needs to be networked--and be
thoughtful. Then once you make that decision, then go to the
next step and say, how do I defend the information that needs
to be networked to the maximum extent possible? If I am going
to have sensitive information that is Internet accessible, I
need to make sure that my cybersecurity practices are going to
be sufficient to defend that. I need to make sure that my patch
management is good. I need to make sure that my configuration
management is good.
Senator Paul. Right, and I would just conclude by saying
that the moral I get from your discussion on elections is there
is some advantage to disconnectedness, to compartmentalization,
to having counties, States, and the Federal Government be
somewhat separate, where you can actually go to a county and
verify an election. It does not go into some sort of mass
network or computer. We are very lucky, I think, that we have
sort of the Federal-State operation with regard to elections.
But I think people need to think that through before the
efficiency experts say, oh, it would be so easy to have your
medical records everywhere. They will be at every doctor, all
of the time, anywhere in the United States, and they will be
centralized. It is going to be easy until a hacker gets in
there and all your private information is all over the
Internet. I say be careful what you wish for, as some of those
who really the centralization of things, because there is a
danger of losing your privacy. Senator Hassan.
Senator Hassan. Thank you very much, Mr. Chair, and I thank
you for what you just covered in your questions. I want to
start with a question really focusing on how we help State and
local governments protect against cyber threats.
Acting Director Wales, your agency is responsible for
securing Federal information technology infrastructure from a
wide range of cyber threats. It is widely accepted that your
work to secure the Federal space is critical. However, some
might argue that it is not the Federal Government's job or
responsibility to also try to secure State and local
governments from cyber threats.
Let me ask you, does the Federal Government have an
obligation or responsibility to also protect State and local
governments from cyber threats?
Mr. Wales. Cybersecurity is a shared responsibility in
multiple domains, and CISA takes seriously the responsibility
we have to utilize the information, the knowledge, the
expertise on cybersecurity to help all aspects of our critical
infrastructure, whether those are State and local governments,
if those are private companies operating our power grids, if
those are hospitals or if those are chemical plants. We have a
responsibility to help them.
Now, every system owner bears some responsibility for
managing the security on their networks, and so I think it is
trying to figure out where their responsibilities and our
responsibilities intersect. We understand that we have a lot of
information, we have a lot of expertise that we can provide. We
can make sure that they are armed with all of the information
that we have been able to glean from both the intelligence
community, from our own visibility into the cyber activity of
our adversaries, and the tactics that they are using, and it is
our job to provide that as broadly as possible, to make sure
that they are prepared.
Each of those individual asset owners needs to go through
that process that Senator Paul and I just discussed, that risk-
based process, to say how much security do I need in what parts
of my network and how can I put that in place to be as robust
as is required by the risks that I am facing?
Senator Hassan. Thank you, and just to follow up, if a
State or a community is vulnerable to cyber threats, how does
that broadly impact the security of Americans who do not live
directly in that State or community?
Mr. Wales. The State governments across the country, and
local governments, operate some of our most critical
infrastructure, whether it is operating water treatment
facilities, in some States and communities, municipal power
authorities in others. They also, obviously, at the State
level, distribute significant amounts of funds through which
Federal programs funnel money.
States are a critical part of our fabric for both our
economic and our homeland security. It is an important interest
of the Federal Government that States have as much of our
cybersecurity knowledge and expertise as possible to help
safeguard those critical systems.
Senator Hassan. Thank you. Various proposals have been
introduced in Congress that establish a standalone Federal
cybersecurity grant program for State and local governments
that would pay for cybersecurity upgrades at the State and
local level. Without specifically evaluating each bill, can you
please describe for me the elements and considerations that
Congress should be thinking about if we authorize a grant
program of this nature? Are there any elements of a grant
program that CISA views as being must-have items?
Mr. Wales. I think we would be happy to work with Congress
on what a grant program would be, how a grant program could be
structured to serve the maximum value. I would say until that
time we have been working closely with FEMA over the past year
as FEMA has required, as part of its last round of homeland
security grants, that a portion of it go to a certain set of
high-priority items, including State cybersecurity. We spent
the last year working with States, working with FEMA, to review
the proposals that were submitted, and I think this will
provide us a good baseline to understand how States are
thinking about investing in cybersecurity utilizing Federal
grants, how we can provide additional information to them to
better shape and focus those grants on the highest-risk aspects
of their networks.
But grantmaking is obviously a complicated topic, one that
CISA does not have direct responsibility for managing, so I
would probably refer you to people at FEMA who know more about
kind of the grantmaking sausage. But at the more macro level, I
think that we have a lot to add to help shape grants so that
they actually target those things that we need to protect the
most, and that it reflects the true partnership that exists
between the Federal Government and our State and local
governments on cybersecurity.
Senator Hassan. Thank you. Cyber insurance is an important
tool that helps companies and entities prepare for, prevent,
and respond to cyberattacks. However, an August 2019 report by
ProPublica revealed that if an entity has cybersecurity
insurance, policyholders will use their cyber insurance policy
to pay the ransom during a ransomware event, which, in turn,
serves as a further incentive for hackers to launch ransomware
attacks. The report also shows that hackers target cyber
insurance policyholders because the likelihood of the victim
paying the ransom is much higher.
During the COVID-19 pandemic, our country's increased
dependency on online services may increase the incentive to pay
ransoms so that critical services can be restored more quickly.
Does CISA or your partner agencies generally know when an
insurance company pays out a ransom?
Mr. Wales. As a general rule we have recommended against
paying ransom, in part because it furthers the business model,
as I indicated in my opening remarks. Ransomware is not going
to go away as long as the business model is viable, as long as
ransomware operators can do it.
Senator Hassan. Right.
Mr. Wales. CISA generally focuses our efforts on ransomware
before an event happens, helping companies prepare themselves,
helping State and locals prepare themselves. We are generally
not involved in decisions related to whether ransom is paid.
That tends to be an individual decision at that company and
they do not consult CISA as part of this.
Senator Hassan. Generally speaking, you may not know if an
insurance payment has been made.
Mr. Wales. That is correct.
Senator Hassan. OK. Additionally, are cyber insurance
companies working with you to tackle any of these negative
incentives that seemingly drive more attacks?
Mr. Wales. I am not aware of engagement with cyber
insurance companies on that issue right now.
Senator Hassan. Do you think there is a role for Congress
to play to help address this?
Mr. Wales. I think that this is an incredibly challenging
problem. No one has cracked the code on what the answer is yet,
and it is going to take more work between Congress and the
executive branch to figure out what are the right tools we have
to change the business model and to disrupt the business model
on ransomware and make more progress in this space.
Senator Hassan. Thank you, and, Mr. Chair, I see I am out
of time. If we have a second round on this witness I will have
one more question.
Senator Paul. Senator Rosen.
OPENING STATEMENT OF SENATOR ROSEN
Senator Rosen. Thank you, Chairman Paul, Ranking Member
Hassan, for holding a hearing on protecting our communities
from cyberattacks. During the COVID-19 pandemic the number of
cyberattacks has significantly increased, and cyberattacks, of
course, they are expensive, they are debilitating, especially
for small organizations like schools, hospitals, and local
governments. I am glad we are coming together in this
bipartisan way to talk about how we can protect vulnerable
communities, of course, in this challenging time.
But I want to focus on school cybersecurity because
elementary schools, secondary schools, they face many
challenges as they transition to online learning during the
pandemic, including the constrained budgets, bridging the
digital divide, ensuring the health and safety of students and
faculty, and, of course, continuing to educate and support our
students.
As schools struggle to meet these challenges they remain
particularly vulnerable to hostile cyber actors. Earlier this
spring, the FBI warned that K-12 institutions represent an
opportunistic target to hackers. As many school districts, they
just lack the budget and the expertise to dedicate to network
integrity.
Last August, the Clark County School district, which is
Nevada's largest school district and our country's fifth-
largest school district, was the victim of a ransomware attack.
The hacker published documents online containing sensitive
information, including social security numbers, student names,
addresses, and grades. This is absolutely unacceptable and the
Federal Government must find and help the schools obtain the
tools and the resources to protect and combat these kinds of
cyber threats, something I have raised with both CISA and the
Department of Education.
Mr. Wales, can you speak to what steps CISA is taking to
prevent cyberattacks, including these ransomware attacks like I
had in Clark County School District, against K-12 schools, and
how are you ensuring that we are not having more of these in
the future?
Mr. Wales. Thank you, Senator, and I know that some members
of the CISA team, along with the Department of Education, are
planning on briefing you in your office later this week on this
topic.
In the meantime, the first thing I would say is we have
expanded our focus on K-12 education since the beginning of the
pandemic, putting out additional information on how schools can
improve their cybersecurity with their distance learning.
In addition, we are encouraging schools to participate
through the information-sharing mechanisms that have been
created, for example, the Multi-State Information Sharing and
Analysis Center (MS-ISAC), which is a free resource available,
that we have invested in, from the Department, for State and
local governments.
Today, 2,000 school districts, schools, and IT service
organizations are part of that Multi-State ISAC, and there are
additional resources and tools that States and school districts
can take part in that can help them ensure their protection
against ransomware and other attacks. For example, the MS-ISAC
offers malicious domain blocking, so that known malicious
domains that are used by ransomware operators would be blocked
from activity on those networks.
But only about 120 schools are actively using that service
that is offered for free today. What I want to see is much like
we have done in the past 4 years in the election security
context, how do we build a national community with the school
districts to get them focused on the security aspects related
to their networks that is not going to go away, even after the
pandemic is over? We need to arm them with the same
information, the same resources, and that is going to start
with them taking advantage of the no-cost services that are
currently offered across the country to State and local
governments and the entities that exist within them.
This is obviously a big problem. There are over 13,000
school districts across this country. It is going to take time,
attention, and focus. I am confident that if the Executive and
Congress work together we can find creative ways of leveraging
the capabilities that we have and getting more school districts
signed up for these services.
Senator Rosen. I appreciate that because I was going to ask
you, I know you said 2,000 school districts are using it. In
some cases now only hundreds of schools or school districts out
of the 13,000. But you talk about malicious ware, ransomware.
We have small school districts, rural school districts, that
may not have the capacity or any expertise to even take
advantage of your free services. Are there grant programs? What
kind of support can we give, or that you can give, to be sure
that the folks that are really sitting in those administrative
offices can take advantage of what you are offering? Then we
need to get it out there to 13,000 school districts, for sure,
but not all of them have somebody who knows enough to really
take advantage of it.
What are you doing there? What kind of programs are you
offering for training for people who work in schools?
Mr. Wales. I think we have long recognized that the small
and medium-sized businesses and government entities have unique
challenges. What we had put in place earlier this year was
something called CISA Cyber Essentials. These are the basic,
bare minimum things that you need to put in place to get some
baseline level of cybersecurity. It is geared for the small and
medium-sized businesses and it is also geared for large
companies to send out to their smaller suppliers to get them to
a baseline level of security.
Over the past several months, we have been issuing monthly
modules, toolkits, that could be used, step-by-step guides to
take, for how to put in place the baseline level of
cybersecurity. What are those things you need to do to make
sure that you have challenging passwords, or two-factor
authentication, how to set that up on your network, making it a
little bit clearer and easier for you to walk through.
But if States, if cities, if communities push that kind of
information out, even to their smaller school districts, this
is the kind of information that is powerful in the hands of
those small companies, because the reality is ransomware
operators are looking to make money quickly, and so they are
going to look for whoever is the most vulnerable. If you have
done some of the basics, if you have put in place the bare
minimum level of cybersecurity, there is a good chance that
that ransomware operator is going to go on to the next victim
and they are not going to target you.
By investing a small amount of energy in putting in place
cybersecurity, at even a bare level, you can have a significant
impact and dividend for your overall level of security.
Senator Rosen. I appreciate that, and my next question--I
know I am out of time--would be we need the same kinds of
things for our small businesses around the country as well. I
look forward to speaking with you offline about how maybe we
can get your message out for this training and the programs and
all of the cyber hygiene to as many folks as possible, because
we cannot afford not to communicate your hard work and what you
have been doing to give people the ability to take advantage of
these programs. Thank you.
Mr. Wales. Absolutely. I think any help we can get in
amplifying the work that is already out there. The tools and
resources that Congress has already invested in through CISA
are available for all of the country to utilize, and we want
more people to take up and use them. Anything you can do to get
that message out there and amplify the work that we are doing,
our agency is going to be grateful for.
Senator Rosen. Wonderful. Thank you.
Senator Paul. Thank you, Mr. Wales, and I hope you will be
willing to respond to any questions we have in writing, if we
have further questions from Members. I want to also thank you
for reminding us that decentralization is a part of our defense
against hacking of our elections, and as a great fan of the
Federalist system that we had set up from the very beginning,
even in our modern age, decentralization and
compartmentalization are a big part of our defense and can make
our elections more reliable.
Thank you very much for your testimony.
Mr. Wales. Thank you.
Senator Hassan. I join the Chairman in thanking you for
your testimony and for your service, and please, to all the
women and men you work with, please take back our thanks as
well.
Mr. Wales. I appreciate that and so do they. Thank you,
ma'am.
[Pause.]
Senator Paul. We are ready for our other panelists, whoever
is in charge of that.
[Pause.]
We are doing the whole panel together, this panel, on one
panel, if we can. Everybody can come in.
[Pause.]
OK. I misunderstood. These are virtual, so you can go ahead
and do the introductions, Senator Hassan, please.
Senator Hassan. Thank you very much, Mr. Chair. To all of
our witnesses for this second panel, thank you for being here
today, and I will introduce each witness directly before your
testimony. I will start with our first witness, Denis Goulet.
I am pleased today to introduce Mr. Denis Goulet, who
serves as Commissioner of the Department of Information
Technology from my home State of New Hampshire. Commissioner
Goulet has served admirably since he was appointed in February
2015. Commissioner Goulet also serves as President of the
National Association of State Chief Information Officers
(NASCIO).
Thanks for joining us, Commissioner Denis Goulet, and thank
you for your exemplary leadership to strengthen cybersecurity
efforts in New Hampshire and across the country. I look forward
to your testimony.
TESTIMONY OF DENIS GOULET,\1\ COMMISSIONER, NEW HAMPSHIRE
DEPARTMENT OF INFORMATION TECHNOLOGY
Mr. Goulet. Good afternoon and thank you, Chairman Paul,
Ranking Member Hassan, and distinguished Members of the
Subcommittee for inviting me to speak today on the
cybersecurity challenges facing State government that have been
amplified during the COVID-19 pandemic. As Commissioner for the
Department of Information Technology in New Hampshire and
President of the National Association of State Chief
Information Officers, I am grateful for the opportunity to
highlight the vital role that State information technology
agencies have played in providing critical citizen services and
ensuring the continuity of government throughout this public
health crisis.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Goulet appears in the Appendix on
page 45.
---------------------------------------------------------------------------
Cybersecurity has remained the top priority for State CIOs
for nearly a decade. There is growing recognition at all levels
of government that cybersecurity is no longer an IT issue. It
is a business risk that impacts the daily functioning of our
society and economy, as well as a potential threat to our nation's
security.
State and local governments continue to be attractive
targets for cyberattacks, as evidenced by the many high-profile
and debilitating ransomware incidents. Inadequate resources for
cybersecurity have been the most significant challenge facing
State and local governments. The question of why the Federal
Government should be contributing to the cybersecurity of the
States is straightforward. States are the primary agents for
the delivery of a vast array of Federal programs and services.
According to our recent national survey, State
cybersecurity budgets are typically less than 3 percent of
their overall IT budgets. Half of the States lack a dedicated
cybersecurity budget. As State CIOs are tasked with additional
responsibilities, including providing cybersecurity assistance
to local governments, they are asked to do so with shortages in
both funding and cyber talent.
Almost all the CIOs have the authority and are directly
responsible for cybersecurity in their States, and have taken
multiple initiatives to enhance the status of their
cybersecurity programs. These initiatives include creation of a
cybersecurity strategic plan, adoption of the National
Institute of Standards and Technology (NIST) cybersecurity
framework, development of a cyber disruption response plan,
obtaining cyber insurance, and the implementation of security
awareness training programs for employees and contractors.
These initiatives are crucial as Congress considers the
implementation of a cybersecurity grant program for State and
local governments.
For the past decade, NASCIO has advocated for a whole-of-
state approach to cybersecurity. We define this approach as
collaboration among State and Federal agencies, local
governments, the National Guard, education, K-12 and higher,
critical infrastructure providers, and private sector entities.
By approaching cybersecurity as a team sport, information is
widely shared, and each stakeholder has a clearly defined role
to play when an incident occurs.
My written testimony covers legislation that NASCIO has
endorsed during the 116th Congress. I would like to reiterate
my appreciation to this Subcommittee for its attention to
cybersecurity issues impacting State and local governments. If
passed, these bills would greatly improve our cybersecurity
posture and create new, dedicated funding streams.
The pandemic has exacerbated the cybersecurity challenges
for State IT. Since March, my colleagues and I have rapidly
implemented technologies to allow State employees to telework
safely and effectively in this new environment. We have helped
our State agencies quickly deliver critical digital government
services to citizens, including unemployment insurance. In New
Hampshire, I have worked closely with our public health
agencies to ensure they have the necessary tools to improve
capabilities in the area of testing, contact tracing, case
management, data analytics, and personal protective equipment
(PPE) inventory. My colleagues and I have been honored to play
a role in fighting COVID-19. We have taken on additional
responsibilities and incurred new expenses while continuing to
face unrelenting cyber threat environments.
I am truly concerned about how crucial IT and cybersecurity
initiatives will remain funded in the coming months and years.
States have seen significant declines in revenue and will be
forced to make difficult budgetary decisions.
As President of NASCIO, I know I speak for all of my
colleagues around the country when I say that a dedicated,
federally funded cybersecurity grant program for State and
local governments is overdue. Additionally, State governments
should follow the lead of the Federal Government and begin
providing consistent and dedicated funding for cybersecurity
which will also require them to match a portion of Federal
grant funds.
I look forward to continuing to work with the Members of
this Subcommittee in creation of the grant program to improve
our cybersecurity posture.
This concludes my formal testimony, and I am happy to
answer your questions.
Senator Hassan. Thank you, and I think we will move on to
the next three witnesses, and then we will return for
questions. Is Dr. Torres-Rodriguez available now? OK, she is
back online.
Our next witness is Dr. Leslie Torres-Rodriguez, who joins
us today from Connecticut. Dr. Torres-Rodriguez is the
Superintendent of Hartford Public Schools, one of the largest
urban school districts in the State. Dr. Torres-Rodriguez was
raised in Hartford and attended Hartford Public Schools. She
has served as an education leader in the greater Hartford area
for more than two decades.
In September, the Hartford School District was the victim
of a cyberattack. Dr. Torres-Rodriguez, thank you for coming
before the Committee today, and I look forward to your
testimony.
Doctor, you might need to unmute yourself.
She is having connectivity issues, so why don't I do the
other introductions and we will see if she is ready in a minute
or two.
Our next witness will be John Riggi, Senior Advisor for
Cybersecurity and Risk from the American Hospital Association
(AHA). Mr. Riggi is the Senior Advisor for Cybersecurity and
Risk for the AHA. He brings nearly 30 years of experience with
the FBI, including serving as the Senior Executive for the
FBI's Cyber Division Program developing mission-critical
partnerships for the health care and other critical
infrastructure sectors.
Mr. Riggi, I look forward to your testimony as well today,
and I think we should probably proceed with that. Mr. Riggi,
please feel free to proceed.
TESTIMONY OF JOHN RIGGI,\1\ SENIOR ADVISOR FOR CYBERSECURITY
AND RISK, AMERICAN HOSPITAL ASSOCIATION
Mr. Riggi. Thank you, and good afternoon, Chairman Paul and
Ranking Member Hassan, and Members of this Subcommittee. On
behalf of our nearly 5,000 member hospitals and health systems
the American Hospital Association thanks the Subcommittee for
the opportunity to testify on this important issue, and we
stand by, ready to assist as needed.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Riggi appears in the Appendix on
page 51.
---------------------------------------------------------------------------
The AHA has a unique national perspective on cyber threats
facing health care, stemming from our trusted relationships
with the field and government agencies. The ongoing pandemic
has resulted in a significantly increased cyber threat
environment for health care providers. For example, this past
October 28th, CISA, FBI, and HHS issued an urgent warning of an
imminent ransomware threat to U.S. hospitals, and advised the
field to take immediate defensive action. This threat remains
ongoing as of today.
This threat also comes as hospitals and health systems were
already dealing with what I call a COVID-induced cyber triple
threat. The first threat is an expanded attack surface. In
preparation and response to COVID-19, the health care sector
rapidly deployed and expanded network-connected technologies
such as telehealth, telemedicine, and telework. Unfortunately,
this also greatly expanded network access points and
opportunities for the cyber criminals to attack.
The second threat is increased cyberattacks. In conjunction
with the expanded attack surface, cyber criminals have launched
increased and relentless attacks on hospitals and health
systems. HHS Office of Civil Rights (OCR) has reported a
significant increase in hospital hacks since September 1, 2020,
impacting millions of patients. Foreign intelligence services
from China, Russia, and Iran, have launched cyber campaigns
targeting health care, to steal COVID-19 related data and
vaccine research. Of all the attacks, ransomware attacks are a
top concern. These attacks could disrupt patient care, deny
access to critical electronic medical records and devices,
resulting in canceled surgeries and the diversion of
ambulances, thus putting patient lives and the community at
risk.
The third threat hospitals face is resource constraints,
due to reduced revenue as a result of canceled so-called
elective surgeries and patients' reluctance to seek medical
treatment during the pandemic. This situation leaves limited
funds available to bolster network defenses and to recruit and
retain scarce cybersecurity professionals. The above factors
create a perfect storm of cyber threats for hospitals and
health systems.
Regarding ransomware attacks, we believe a ransomware
attack on a hospital crosses the line, from an economic crime
to a threat-to-life crime, and therefore should be aggressively
pursued as such by the government. Most often these attacks
originate from foreign adversarial safe havens, beyond the
reach of U.S. law enforcement. Combined use of military and
intelligence capabilities, along with economic sanctions to
augment law enforcement efforts, can reduce cyber threats to
the Nation. By defending forward, the government can deter and
disrupt these foreign-based cyber threats before they attack.
We believe a hospital victim of cyberattack is a victim of
crime and should be provided assistance, not assigned blame.
Despite regulatory compliance in implementing cyber best
practices, hospitals and health systems will continue to be the
targets of sophisticated attacks, which will inevitably
succeed.
The government often repeats the phrase, ``It is not a
matter of if but when.'' Unfortunately, when a breach occurs,
the Federal Government's approach toward the victims of
cyberattacks is sometimes inconsistent across agencies and may
be counterproductive. For example, Federal law enforcement
agencies often request and need the cooperation of victims of
breaches to further their investigations and disrupt the threat
to the Nation.
Subsequently, or concurrently, a hospital or health system
may become the subject of an adversarial investigation by the
HHS Office of Civil Rights. This can be disruptive and
confusing for the victim and stifle cooperation with Federal
law enforcement.
Given the critical need to defend health care during the
pandemic, along with the increased cyber threat environment,
and a need to incentivize cooperation from victims, we strongly
recommend that additional safe harbor protections from civil
and regulatory liability be provided to hospital and health
system victims of cyberattacks.
In conclusion, hospitals, health systems, and patients are
heavily targeted by cyber criminals and sophisticated nation-
states. Hospitals have made great strides to defend their
networks, secure patient data, and most importantly, protect
patients. However, we cannot do it alone. Health care needs
more active support from the government, including consistent
and automated threat information sharing, to help us defend
patients and their data from cyber threats.
Conversely, the Federal Government cannot protect our
nation from cyberattacks alone either. They need the expertise
in exchange of cyber threat information from the field to
effectively combat cyber threats. What is needed is an
effective and efficient public-private cybersecurity
partnership and a truly all-of-nation approach.
Thank you.
Senator Hassan. Thank you so much. I want to turn now back
to Dr. Torres-Rodriguez. If you are able to join us, Doctor, we
look forward to your testimony.
TESTIMONY OF LESLIE TORRES-RODRIGUEZ, Ed.D.,\1\ SUPERINTENDENT
OF SCHOOLS, HARTFORD PUBLIC SCHOOLS
Ms. Torres-Rodriguez. Good afternoon, Chairman Paul,
Senator Hassan, and Senators of the Committee. I am Dr. Leslie
Torres-Rodriguez, Superintendent of Hartford Public Schools. We
are the third-largest school district in Connecticut, with
approximately 18,000 students.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Torres-Rodriguez appears in the
Appendix on page 61.
---------------------------------------------------------------------------
I appreciate your invitation to address the Committee and
answer questions regarding the cyberattack on Hartford Public
Schools that occurred in September. The cyberattack had
extremely disruptive effects on our school system, our
students, and our staff. We were forced to postpone our first
day of school, on September 8th, following months of intense
planning for in-person learning amidst the COVID-19 pandemic.
While our students have been attending school, either in
person or remotely, for nearly 3 months now, we are still
repairing and recovering from lingering effects of the attack.
Hartford Public Schools and the city of Hartford were
informed by our shared IT department, Metro Hartford
Information Services (MHIS), that early in the morning hours on
Saturday, September 5th, we experienced a severe cyberattack,
specifically a ransomware attack which aims to take control of
targeted servers and sell access back to the owner, back to us.
The attack was unsuccessful, overall, because Metro
Hartford Information Services regained control of its servers
without complying with the attacker's demands, thanks to recent
cybersecurity investments and quick work by the Metro Hartford
Information Services team.
Based on initial analysis by the Connecticut National Guard
and the FBI, the attack was likely conducted by a highly
sophisticated actor, and so in one sense we were fortunate that
we avoided the worst case scenario.
Our district team, Metro Hartford Information Services, and
Mayor Bronin's office worked late into the night on Labor Day,
and in the early hours on Tuesday, September 8th, to ensure
that Hartford Public Schools' critical systems were restored so
that the first day of school could proceed.
Our student information system was restored around
midnight, but as of 3 a.m. our transportation system was still
not accessible. Our transportation company and our schools had
no access to the student bus schedules. Around 4 a.m., I did
have to make that difficult call to postpone the first day of
school. Fortunately, we were able to get our transportation
system back online the evening of September 8th, and we opened
schools for the first time since March on Wednesday, September
9th.
However, 2 weeks later, our systems were still not yet
fully operational and the costs to address the problem,
financially and in terms of resources and staff time, have been
significant. While we have regained control of servers and
data, preventative measures are ongoing and present significant
challenges to getting operations back to normal. For example,
all of our servers needed to be taken offline and reimaged or
restored from backups. The total amount of information that
needed to be restored was over 70 terabytes across the city and
school system, which is a massive amount of information.
Additionally, every computer that had connected to the
district network before the attack, just before the start of
the school year, had to be individually restored to factory
settings before reconnecting with the network. This required a
very fast deployment of new laptops to hundreds of staff
members, which then depleted the stock of laptops that we had
to provide to students at a very critical time in the school
year. While we had ordered laptops with the intention of
ensuring every student had a district device at the start of
the school year, that plan was set back as a result of the
cyberattack.
This was an especially difficult consequence of this attack
as many of our students are participating in online learning
from home and needed reliable devices to engage in their
learning. These preventative measures impeded our ability to
operate normally and our teachers' ability to provide student
instruction, and impaired even basic functions like scanning
and printing and having access to lesson plans.
I am proud of the work that has been done by our IT team,
our city officials, and district administration, and thankful
for the investigative actions and the support from the
Connecticut National Guard and the FBI. However, we do need to
protect our critical infrastructure by preventing such attacks
in the future.
I thank you again, Senator Hassan, for inviting me to
testify before this Subcommittee on this important issue. While
the attack was unexpected and damaging in many ways, I am
grateful for the way that our local, State, and Federal
agencies collaborated to address the cyberattack and assisted
with the restoration efforts. We are all committed to serving
our constituents, our students, in the best way possible.
Thank you, and I will be happy to answer any questions that
you may have.
Senator Hassan. Thank you, Superintendent. I will now turn
to the Chairman for an introduction.
Senator Paul. Our final witness this afternoon is Bill
Siegel, CEO and Co-Founder of Coveware. Mr. Siegel founded
Coveware in 2018, to provide services to small and medium-sized
businesses threatened by ransomware. They offer a full-spectrum
suite of services, from identifying and closing vulnerabilities
before an attack happens to decryption and navigation of an
attack that has happened, to recovery after an attack.
Coveware and other private sector firms provide solutions
that keep pace with the criminals. We are excited to hear from
Mr. Siegel about the state of the cybersecurity marketplace, what
to do if your organization is attacked, and about low-cost
steps that organizations of all sizes can take to enhance their
cybersecurity posture.
Mr. Siegel, you are recognized.
Is he disconnected?
All right. Why do we not begin a round of questions with
Senator Hassan, and we will get back to Mr. Siegel's testimony
when he gets back on.
Senator Hassan. Thank you, Mr. Chair, and I want to start
with a question to Commissioner Goulet.
Commissioner Goulet, you and I know all too well the
challenges of putting together a State budget. Giving more
funding to the State's information technology budget might mean
giving less funding to emergency services, education, public
transportation, or other critical priorities. Moreover, when
recessions happen, State revenues decrease, which leaves budget
officials with even harder decisions to make.
Commissioner Goulet, can you talk about the challenges
States face funding cybersecurity upgrades as they deal with
reduced State revenues from the recent economic downturn? Do
States have the ability to adequately fund their information
technology budgets and better protect against cyber threats?
Mr. Goulet. Thank you for the question, Senator. We have
some really recent data from the 2020 Deloitte NASCIO
Cybersecurity Study, and I will share with you the top five
barriers to overcoming cybersecurity challenges in State
government: (1) lack of sufficient cybersecurity budget; (2)
inadequate cybersecurity staffing, which really relates to
number one; (3) legacy infrastructure and solutions to support
emerging threats. The older systems tend to be much more
vulnerable; (4) lack of dedicated cybersecurity budget; and
finally, (5) inadequate availability of cybersecurity
professionals.
I think that pretty well covers the gamut of the answer to
that question.
Senator Hassan. Thank you. I appreciate that. I will go on
and complete this round.
Dr. Torres-Rodriguez, I want to turn to you, and I first
just want to start by thanking you for participating in this
hearing. All educators are facing unprecedented challenges
right now, but to suffer a ransomware attack on top of
everything else you are contending with means you are busier
even than most other educators.
I want to start by getting a sense of where cybersecurity
falls in the very long list of priorities that a school
district like yours has. You mentioned in your testimony that
there is a Metro Hartford Information Service. What sort of
assistance do you get from them? Do you think that there are
enough cybersecurity professionals to help the school district
with the system you already have, and what sort of assistance
from the Federal Government would be helpful, and did you
receive before and after the attack?
Ms. Torres-Rodriguez. Yes, and just to give you a little
more context, we have about 18,000 students and 3,400 staff
members here in the public school system, and the shared IT
department, which is managed by the city of Hartford, has six
field IT technicians in all. There is one staff member assigned
full-time to cybersecurity, and that is across all of the city
services. There is an opportunity, if you will, for additional
support there.
With regard to the assistance from the Federal Government,
Hartford Police and the FBI liaison there did investigate the
attack and gather additional information. The Connecticut
National Guard provided assistance with the recovery effort for
about 4 weeks, primarily helping to mitigate and reimage our
district devices. That was prioritized, and we are deeply
grateful for that.
The National Guard has a team that specializes in defensive
cyber operations, and their support was critical in assessing
the attack and helping the Metro Hartford Information System
team recover operations and help ensure security.
Overall, it was their assessment that this was a highly
sophisticated and complex attack, that the information system
team took a wide range of appropriate measures, but nonetheless
it impacted school operations.
Senator Hassan. Thank you for that. I am going to turn now
to Mr. Riggi. Thank you for your work for our nation's
hospitals, both in terms of your current position and from your
time working for the FBI. As a cybersecurity professional who
focuses on preventing cyberattacks to hospitals, can you please
lay out for us the type of attack that most worries you?
Mr. Riggi. Thank you, Senator. As I mentioned in my
testimony, the attacks that I am most concerned about are
ransomware attacks, which have the ability to disrupt patient
care and risk patient safety. These types of attacks can lead
to medical records becoming inaccessible at critical moments in
treatment. Even understanding drug allergies for a patient may
not be available. In certain instances we have had ambulances
being diverted to emergency rooms which were further away from
the original intended destination.
In the medical field, obviously, any delay in urgent
treatment increases the risk of a negative outcome. Ransomware
attacks, especially as we have seen the increase recently, are
the top concern, certainly the most significant concern, that
worries us at the moment.
Senator Hassan. Thank you, and if I have a chance I am
going to return to you with one more question. But first I do
want to turn back to Commissioner Goulet.
Over the past decade, cyberattacks have increased in both
their frequency and their ability to threaten our national
security. Just as we have experienced with terrorism, the
impacts of these cyber threats are not confined to far-off
battlefields but extend to our States, our cities, and our communities.
However, as the threat has increased, Federal support for
State and local governments has not increased commensurately.
As you note in your testimony, only 4 percent of Homeland
Security grant dollars have gone to support State and local
cybersecurity over the past decade.
Can you provide your analysis for why you think that
Federal funding for State and local cybersecurity efforts has
not been commensurate with the threat? What do you recommend
that Congress do in order to address this?
Mr. Goulet. Thank you. I so wanted to address that question
in more detail. My colleagues around the country and I
have really a queue of initiatives that we would do to help
State and local governments, and education, and really all of
the State, if we had access to more funds.
We have done as much as we could with those Federal
Homeland Security grant funds that we were able to access, for
example, in New Hampshire we built a nice Federal response
program where we did take a whole-of-state approach. But we
really could do so much more with dedicated cyber grant funding
that flowed in in a separate stream. I think that although we
are slowly improving our cyber posture in State we could very
much accelerate the improvement of cyber posture with dedicated
grant funding.
I would also like to reiterate that any such funding should
include incentives for States to invest in a continuous manner
as well.
Senator Hassan. Thank you, and thank you, Mr. Chair.
Senator Paul. Thanks. I do believe we see Mr. Siegel back
online, and you missed your great introduction and you only get
one introduction. But if you are there we would love to hear
your testimony.
TESTIMONY OF BILL SIEGEL,\1\ CHIEF EXECUTIVE OFFICER AND CO-
FOUNDER, COVEWARE, INC.
Mr. Siegel. Thank you, Mr. Chairman, Ranking Member Hassan,
and Members of the Subcommittee. Thank you for the opportunity
to share Coveware's perspective regarding cybersecurity threats
to State and local governments and small businesses. My
testimony today is derived from Coveware's role in
cybersecurity incidents from the perspective that handling
thousands of these incidents has given us over the years.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Siegel appears in the Appendix on
page 63.
---------------------------------------------------------------------------
Before we could try and solve this problem after we founded
the company we recognized that something was missing. There was
no clean data being collected on these incidents. The analogy
that we used is you cannot build safe cars without visiting
crash sites, measuring the skid marks and figuring out what
happened.
Accordingly, when we founded the company we set out to
build a large data set on what actually happens during these
attacks. Our interactions put us right in the middle of these
incidents. We work with forensic investigators, privacy
attorneys, restoration firms, cyber insurance companies, and
law enforcement branches of all kinds. The data that is
exhausted and collected from these incidents, which span
thousands of unique incidents, has given us a fresh
perspective.
We use our data for three principal activities. First, we
use it to contextualize these attacks for victims of these
crimes, so they can understand how comparable companies have
worked their way through these issues. Second, we aggregate
these data findings and we try and publish our research, so as to
raise awareness of the very common attack methods that these
actors use. Last, we provide a large subset of our data to law
enforcement very readily to augment their active
investigations.
A typical ransomware attack involves three phases. First is
access. Almost all ransomware attacks are manually carried out.
That means that the threat actor is physically inside the
network of the victim, typically using stolen or harvested
credentials.
The second is encryption, where the attacker employs an
encryption program that locks up computer servers, and deletes
or encrypts backups as part of that process.
The third is extortion. This is where, if the company is
not able to restore from backups, they are forced with a
difficult decision of either having to pay a ransom or rebuild
their network from scratch. While it may seem stark, this is a
decision that hundreds of businesses face every single day.
Who are these criminals that carry out these attacks and
what drives them? After thousands of cases and much study, we
have a pretty clear picture of who carries out these attacks
and why. By and large, the criminals that carry out ransomware
attacks are financially motivated. Cyber extortion is their
business, and the manner in which they conduct their business
follows economic power laws. They seek profits just like
legitimate businesses, and accordingly they follow strategies
that maximize the outcome, minimize the costs, and increase the
percent of their tax that they are able to monetize.
Why is cybercrime proliferating so rapidly? Following the
economic theme, we estimate that a given ransomware attack can
earn a single cybercriminal tens of thousands of dollars, with
almost no risk, and profit margins well in excess of 90
percent. Economics 101 dictates that more activity will occur
until the margins are driven down in this economy. It is simply
too profitable and too low-risk to be ignored by would-be
criminals.
Additionally, the cybercrime industry is innovated by an
aim to attract new [inaudible] and thus lowering the barrier to
entry for new criminals. We have detailed in our written
testimony how Ransomware-as-a-Service allows a non-technical
criminal the opportunity to participate. This combination of a
highly profitable industry with low barriers to entry and a
growing population of participants is the reason that these
attacks are proliferating so much.
There are many ways to apply pressure to the economics of
cybercrime. We offer one that we feel would be an effective
means of curtailing activity. When we look at our own data, one
sector stands out. Quarter after quarter, for the last 2 1/2
years, a sector called Remote Desktop Protocol (RDP), is
consistently the most used by ransomware actors. Properly
securing our RDP is free. All it requires is a bit of time and
effort.
As an example of how effective closing this vulnerability
can be, I cite a recently published study that we cited in our
written testimony, where a group of set out to proactively
reduce the number of RDP-based ransomware attacks that occur.
They contacted these companies, after proactively sustaining
their networks, advised them of their vulnerability, and worked
to patch this issue. The resulting 4-month period showed a 60
percent reduction in ransomware attacks across these
organizations.
This is a free fix. All it takes is a little bit of elbow
grease.
While this recommendation is just one example, we feel that
there are further ways to attack the economics of cybercrime,
while proactive security, new policy initiatives, and
relentless pursuit of these criminals by law enforcement will
never have substitutes in this fight. We think working big to
small on reducing the profitability of cybercrime can produce
immediate and material results.
Thank you to the Chairman, and I look forward to your
questions.
Senator Paul. Thank you for your testimony, and I am going
to turn it over for further questions to Senator Hassan.
Senator Hassan [presiding]. Thank you, Mr. Chair. I do want
to return to our witnesses with some follow-up questions, and
Dr. Torres-Rodriguez, I would like to start with you. You
talked about the ransomware attack that the Hartford school
system experienced. Now that it has been a few months since the
cyberattack, can you please share with us what steps you have
taken so far to try to prevent future attacks? What lessons
have you learned?
Ms. Torres-Rodriguez. Yes. Prior to the attack, the city of
Hartford had invested $500,000 upgrading the security system
for Hartford Information Services, which is the shared
services. That alone helped us actually not have as
significant of an impact as we would have had. Since then, new
end-point security software called Carbon Black has also been
implemented and installed in approximately 4,000 of our
devices. What Carbon Black does is to leverage predictive
security and is designed to detect malicious behavior and help
prevent malicious files from attacking an organization, and can
also assist with rapid restoration, which was one of our
lessons learned, of critical infrastructure, should an attack
happen again in the future.
Senator Hassan. Thank you. I want to talk again to Mr.
Riggi as well. You mentioned in your testimony some of the
critical need for information sharing. Can you please lay out
for us your assessment of cyber threat information sharing
between the Federal Government and hospitals across the
country, and between hospitals is it adequate or could more be
done to improve cyber threat information sharing?
Mr. Riggi. Yes. Thank you, Senator. I think I would
characterize it as greatly improved compared to--one of the
functions that I ran at the FBI was to disseminate information
as we were just understanding how vital that information
sharing is.
I think, one area that has been improved, has been the
timely and actionable notices, highlighted by the October 28th notice
I mentioned previously. For that information to be declassified
and come out so quickly I think is very commendable, and to
come out jointly by all three agencies is very commendable.
However, I think there still needs to be more improvement in
terms of regular cadence of sharing of cyber threat
information, sharing it in a more automated and broad manner,
and also the sharing of classified information, where possible,
to trusted health care contacts.
It has improved but I think we still have a long way to go.
Senator Hassan. Thank you. I understand that you work with
hospitals across the country to help secure them from cyber
threats. Can you give us the typical profile of a hospital
cybersecurity staff, and how do small and rural hospitals
differ in terms of cybersecurity professionals and resources as
compared with major metropolitan hospitals, for example?
Mr. Riggi. Yes, there is quite the range and spectrum of
resources available, and the profile varies widely, generally,
from small to large urban centers. Generally smaller hospitals
have fewer resources in terms of less financial, human, and
technical resources to devote to cybersecurity. In many
instances, these smaller, more financially challenged hospitals
add on cybersecurity as a duty to, for instance, the chief
information officer or IT director. Larger systems may have the
luxury of having a very large staff. Multistate systems may
have hundreds of people devoted to cybersecurity. However, they
have vastly more complex systems and networks to protect and
defend.
It varies widely. What I can say is that almost all
hospitals now highly prioritize cyber risk as an enterprise
risk issue, and are seeking to bolster their defenses. But they
do struggle under the reduced revenue that they are facing as a
result of COVID-19.
Senator Hassan. Is that reduced revenue the major impact
that you have seen with COVID-19 on this particular issue, or
are there other ways that COVID-19 has affected, for instance,
the staffing for hospital cybersecurity?
Mr. Riggi. I think the reduced revenue has impacted
staffing in the sense that certain hospitals may not have the
financial resources to recruit and retain individuals. We have
not seen a direct impact on COVID-19 reducing hospital
cybersecurity staff, although there have been scattered reports
of just general reduction in staff.
But ultimately I think that the staffing issue is a
challenge for all sectors. Quite frankly, there is a zero
unemployment rate for cybersecurity professionals, and
hospitals are competing not only with other hospitals to
recruit and retain but with other sectors and the government.
Senator Hassan. OK. Thank you. I know that the health care
sector has an Information Sharing and Analysis Center. Can you
provide an assessment of how effective the health ISAC has been
in assisting hospitals, and what are its limitations,
particularly for small and rural hospitals?
Mr. Riggi. The health ISAC, I think, has done a pretty good
job of getting information out. I know the folks over there,
good folks, and they do, as I said, a pretty good job. Some of
the limitations may be in their reach, because they are a
member-driven organization and they do require a membership
fee. Now that fee is a sliding scale and may be fairly
reasonable, depending on the size of the organization.
But again, I think that the issue there is the reach and
timely dissemination. Often the H-ISAC relies on the government
for the threat indicators as well. I think part of the mission
of the H-ISAC and the government, going back to the CISA
legislation of 2015, is to increase automated sharing of threat
indicators, because the ability to share human to human, peer
to peer, is just too slow to keep up with the adversaries. I
think there still needs to be quite a bit of work done there,
from both the government side and on the private sector side,
to increase that electronic bridge for cyber threat information
sharing.
Senator Hassan. Thank you. I have a couple more questions
but I understand that one of my colleagues, Senator Sinema, is
online and ready to ask her questions. Senator Sinema, I will
recognize you for your round of questions.
OPENING STATEMENT OF SENATOR SINEMA
Senator Sinema. Thank you so much, Senator Hassan, and I
want to say thank you to our witnesses for participating today.
Even before this pandemic, cybersecurity was a critical
issue in Arizona with ransomware attacks on Arizona medical,
education, and government organizations. During the coronavirus
pandemic, as more people go online for school, work, and social
interactions, we have seen an increase in system
vulnerabilities and cyber threats across the country and in
Arizona.
Spending has also gone up as State, local, and Tribal
governments work to support their community's information
technology needs. As such, Federal cybersecurity support for
State, local, and Tribal entities during this pandemic is
critical.
Today I am going to direct my questions to Mr. Riggi.
Medical devices with connectivity features are becoming more
common in hospitals. In recent years, ransomware attacks on the
medical community impacted not just hospital computers but also
storage refrigerators. As coronavirus vaccines are approved,
hospitals and health care systems across the country will be
asked to accept shipments and store the vaccines under very
precise conditions.
Has the American Hospital Association and its member
hospitals created sound strategies to protect storage
refrigerators and other systems that will be part of the
vaccine storage and distribution plan?
Mr. Riggi. Thank you, Senator. Our general guidance has
been in terms of protecting all medical devices, to ensure that
when they are, in fact, if they are, in fact, connected to
networks that any potential vulnerabilities be identified and
that they be network segmented. We will be closely monitoring
the vaccine development and distribution, and we will certainly
offer guidance to the field on how to protect those
refrigerated devices. One of the main ways to protect them is
to ensure that they are not network connected, and that if they
are network connected to ensure that they are segmented and
isolated from main networks and potential threats.
Senator Sinema. Thank you. In 2019, as you may or may not
be aware, Wickenburg Community Hospital, which is a hospital in
rural Arizona, was hit by a ransomware attack. Wickenburg is a
small, nonprofit hospital serving a community of about 8,000
residents. The hospital's four-person IT staff did not contact
the cyber criminals to hear their demands. Instead, they began
rebuilding the hospital's computer systems from scratch, using
data the hospital had backed up onto physical tapes. The attack
happened on a Friday, and by Monday the systems were almost
fully functional again.
Now Wickenburg was unique for a small hospital in that it
had an IT team with the expertise to rebuild the system. You
mentioned constrained resources and shortage of qualified
personnel as challenges to hiring qualified health IT security
experts. What needs to be done to overcome these challenges,
and how can Congress help?
Mr. Riggi. Thank you. I think further incentives, perhaps,
to recruit and retain cybersecurity professionals to work in
health care, perhaps modeling other programs across government
offering incentives for health care professionals, for doctors
to work in rural areas, perhaps we need something similar to
that for cybersecurity professionals.
As I said, unfortunately, there is a zero unemployment rate
for cybersecurity professionals. Increased training, perhaps,
of folks displaced from other services. Increased training,
perhaps, or retraining of veterans as cybersecurity
professionals may also be another plausible route to staff some
of these positions.
Senator Sinema. Thank you. The University of Arizona
Medical School has studied the vulnerabilities of medical
devices, and they have invited doctors, security experts, and
government agencies to simulate a cyberattack on an infusion
pump, a pacemaker, and an insulin pump, in 2017.
As you know, medical devices are regulated by the Food and
Drug Administration (FDA) for both safety and effectiveness.
What discussions have occurred between your hospital members,
government regulators, and device manufacturers to prioritize
the medical device security needs?
Mr. Riggi. We feel we have been engaged quite a bit with
the FDA concerning both their premarket and postmarket guidance
on cybersecurity for medical device manufacturers. Although
this still remains guidance, our position has been that we
would like to see most of that, if not all of it, be made
mandatory so that the manufacturers would have to comply with
some of the guidance involving such concepts as security by
design, making sure those features are built in, that the
software bill of materials is provided by the manufacturer to
the end user, so the end user can understand what the potential
vulnerabilities may be in there, and also to provide lifetime
support for the medical device, especially in terms of security
upgrades.
We are constantly monitoring those issues. One of the
things we advise our hospitals and health systems is to ensure
that there is adequate communication between clinical
engineering staff and the information security staff as well,
to keep an accurate inventory of medical devices, identify
vulnerabilities which may be present in those devices, and
ensure that they are network segmented. Of course, the most
precious lifesaving, life support devices like ventilators, are
the ones that are most protected and segregated. Thank you.
Senator Sinema. Thank you so much.
Madam Chair, I yield back the balance of my time, and I
want to thank Mr. Riggi for taking the time to talk to me about
these concerns in Arizona.
Mr. Riggi. My pleasure. Thank you.
Senator Hassan. Thank you very much, Senator Sinema. I have
a couple more questions, and then assuming we do not have any
other Senators join us we will adjourn.
I wanted to take the opportunity, Dr. Torres-Rodriguez, to
turn back to you to get more of a sense from you about the
impact that the recent ransomware attack has had on your
community. As you discussed, it delayed the start of the school
year, but can you share with us how teachers, support staff,
parents, and the rest of the community have been impacted by
this cybersecurity attack, and how has the pandemic exacerbated
these attacks?
Ms. Torres-Rodriguez. Yes. In terms of the ongoing
operational effect of the attack, shutting down functions and
servers did have debilitating consequences for a number of
departments. For example, we did not have access to our
financial management software for 17 days, so this caused
delays in numerous financial processes, including our supply
orders, year-end filing with our State requirements, grant
filings, payroll, among other operations.
When I think about the broader implications, the
disruptions to our school district, including that sudden delay
to the first day of school after weeks of preparation, was
disruptive to our families, given that already, as part of our
mitigation efforts regarding our COVID mitigation, we did have
a staggered, phased-in approach to return back to school. It
caused disruption and confusion there.
The process of restoring well over 10,000 devices--laptops
and desktops--for both students, teachers, and support staff,
was tremendous. It did require a heavy lift in terms of human
capital and time, which is, why the role of our IT department
and the Connecticut National Guard, and even a third-party
technical support that we have to contract out for, because
otherwise we could not have done it. It would have taken
additional weeks to start our school year.
During this time, our teachers did struggle to deliver
quality instruction to both the 10,000 students that were
learning online at home, as well as the 8,000 in their
classrooms.
As part of the planning last spring and into the summer, we
did make a decision to become a one-to-one district, meaning
one device per each student, meaning that every student would
have a district-issued device. There were over 2,000 devices
that were no longer available for our students at the beginning
of the school year because we had to prioritize getting our
teachers to have their devices to deliver the instruction.
As I think about those early weeks, some of our students
did not have access to learning, and we serve communities that
have concentrated levels of need. Every minute, every day
matters to us in terms of having access to instruction, and the
other social and emotional supports that our students need to
have.
Senator Hassan. Thank you very much. That is very helpful.
Commissioner Goulet, I want to follow up on this issue of
K-12 schools with you. Can you give us your thoughts, from the
perspective of State governments, on how best to protect K-12
schools and hospitals? What role, if any, should State
governments be playing?
Mr. Goulet. Thank you, Senator. This really is a great
opportunity to highlight some examples of the whole-of-state
approach that we advocate. I want to start by going back to a
concept that Senator Rosen brought up earlier, which was this
concept of making our activities consumable by those folks we
want to help. If you have a small-staff school, you cannot
throw sophisticated stuff at them, for them to absorb and have
to do.
I know we have been working with MS-ISAC, on how we scale
up some of their programs that were originally designed for
State governments but they need to be tweaked to be absorbed by
schools in local government.
That is one area, but I think it is really being
collaborative, involving these entities in planning. For
example, in New Hampshire, on the school side, it is really
being involved in the rollout of the minimum standards for
security and privacy in schools, which was enacted by the State
legislature in New Hampshire.
On the hospital side, we did involve local hospitals in our
cyber disruption planning grant fund, the DHS grant funded
cyber disruption planning. When we heard what was going up in
Vermont, at the UVM Medical Center, we were able to reach out
to cyber professionals and IT professionals in the hospitals in
New Hampshire and find out what they were doing and whether
they were preparing for or watching carefully to avoid this
cyber risk of ransomware in the hospital, which, of course, as
you have heard, is tremendous.
Those are some small examples there, and I think you really
expect a collaborative, whole-of-state approach. What I use
when I am speaking to people and trying to bring them into the
tent, is there is no I in cyber.
Senator Hassan. Thank you very much for that, Mr. Goulet,
and thank you for your continued work for the people of New
Hampshire.
I have a short closing statement and then I am going to go
ahead, at the Chairman's request, and adjourn the hearing.
First of all, I want to thank Chairman Paul for working
with me to organize this hearing, and I particularly want to
thank his staff, Adam and Greg, for their work in making this
happen. Again, I want to thank all of our witnesses for their
testimony today, and for the role that you all play in helping
to secure our nation from cyberattacks.
Cybersecurity at the State and local level has never been
more important, and it is incumbent on all of us to work
together to solve the unique challenges posed. It is clear to
me that State and local governments, our K-12 schools, and our
nation's hospitals all need additional resources and support to
be able to achieve their missions in the face of cyberattacks.
I look forward to working with our witnesses and Members of
the Committee on potential solutions, such as a standalone
State and local cyber grant program, and improved information
sharing between the Federal Government and schools and
hospitals.
Thank you all for joining us today, our witnesses. I know
how busy you are at this challenging time, and your
contributions today make a world of difference, and we are very
grateful.
Seeing that there are no other Members seeking recognition,
I will thank our witnesses today again for their participation
in this hearing. The Committee record will remain open until
December 17th for Members to submit statements and questions
for the record, and with that this Subcommittee stands
adjourned. Thank you all very much.
[Whereupon, at 4:09 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------