[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]

HOMELAND CYBERSECURITY: ASSESSING CYBER THREATS AND BUILDING RESILIENCE

=======================================================================


                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 10, 2021

                               __________

                            Serial No. 117-2

                               __________

       Printed for the use of the Committee on Homeland Security

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                               
                 U.S. GOVERNMENT PUBLISHING OFFICE 
44-379 PDF                 WASHINGTON : 2021 

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                          
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement
  Prepared Statement
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement
  Prepared Statement
The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York:
  Prepared Statement

                               Witnesses

Mr. Christopher C. Krebs, Former Director of the Cybersecurity 
  and Infrastructure Security Agency, U.S. Department of Homeland 
  Security:
  Oral Statement
  Prepared Statement
Ms. Susan M. Gordon, Former Principal Deputy Director of National 
  Intelligence, Office of the Director of National Intelligence:
  Oral Statement
  Prepared Statement
Mr. Michael Daniel, President and CEO, Cyber Threat Alliance:
  Oral Statement
  Prepared Statement
Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy 
  Accelerator:
  Oral Statement
  Prepared Statement

                                Appendix

Questions From Honorable Michael T. McCaul for Christopher C. 
  Krebs
Question From Honorable Jake LaTurner for Christopher C. Krebs
Question From Honorable Jake LaTurner for Susan M. Gordon
Question From Honorable Jake LaTurner for Michael Daniel


HOMELAND CYBERSECURITY: ASSESSING CYBER THREATS AND BUILDING RESILIENCE

                              ----------                              


                      Wednesday, February 10, 2021

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 2:07 p.m., via 
Webex, Hon. Bennie G. Thompson (Chairman of the committee) 
presiding.
    Present: Representatives Thompson, Jackson Lee, Langevin, 
Payne, Correa, Slotkin, Cleaver, Green, Clarke, Titus, Watson 
Coleman, Rice, Demings, Barragan, Gottheimer, Luria, 
Malinowski, Torres, Katko, Higgins, Guest, Bishop, Van Drew, 
Miller-Meeks, Clyde, LaTurner, Meijer, Cammack, Pfluger, 
Garbarino.
    Chairman Thompson. The Committee on Homeland Security will 
come to order.
    The committee is meeting today to receive testimony on 
``Homeland Cybersecurity: Assessing Cyber Threats and Building 
Resilience.''
    Without objection, the Chair is authorized to declare the 
committee in recess at any point. The gentlelady from New York, 
Ms. Clarke, shall assume the duties of the Chair in the event 
that I run into technical difficulty.
    Good afternoon. We are here today to begin what I hope will 
be a bipartisan endeavor in the 117th Congress, making cyber 
space more secure and networks more resilient.
    During the Trump administration, Federal efforts to raise 
the National cybersecurity posture were stunted by a lack of 
steady, constant leadership from the White House. In contrast, 
from Day 1, President Biden has treated cybersecurity as an 
urgent National and economic security issue.
    The President has started by surrounding himself with 
experts to spearhead sound cybersecurity policy. He has already 
confronted Vladimir Putin about Russian election meddling and 
the SolarWinds compromise and has publicly committed to an 
aggressive stance on China. Further, to bolster cybersecurity 
of Federal networks, the President included much-needed funding 
for cybersecurity and technology modernization in the American 
Rescue Plan proposal.
    Thankfully, Congress now has a willing and able 
cybersecurity partner in the White House, and I am optimistic 
about the progress we can make. We must work quickly to make up 
for lost time.
    Our witnesses today are a seasoned group of cyber experts, 
many of whom recently served in Government and made important 
contributions to our National cyber space posture. They are 
here to tell us about the challenges we face and how to chart a 
course toward cyber defense, deterrence, and resiliency.
    In the not-too-distant past, when our witnesses were 
serving in Government, most of us had never heard of 
SolarWinds, but now it dominates cybersecurity conversation. 
Late last year, we learned that Russian actors breached 
targeted Federal networks and critical infrastructure, in part 
through a sophisticated supply chain compromise of the 
SolarWinds Orion platform. For almost a year, Russian actors 
burrowed into networks, hiding their tracks and patiently 
stealing data.
    Although we are engaged in an in-depth investigation with 
other key House committees to learn more about this malicious 
Russian campaign, we know enough to begin asking difficult 
questions and start correcting course.
    For instance, we know that it will take months to fully 
understand the scope and impact of the compromise and eradicate 
bad actors from our network. We also know that, despite prior 
significant investment in Federal network security and active 
defense, the Russian campaign evaded detection.
    The task before us is to zero in on how we can mature our 
defenses to match the capabilities of our adversaries. The 
Russian SolarWinds campaign threatens our Nation and cannot be 
tolerated.
    It is evident that prior responses to cyber attack, such as 
naming and shaming, sanctions and indictments, have not 
deterred bad actors from engaging in malicious cyber behavior 
that threatens our National security. I am interested in 
hearing from our witnesses how we can deter this behavior or 
raise the cost of it.
    We must also be mindful that not every cyber attack is a 
sophisticated one carried out by a well-resourced nation-state 
actor. Cyber criminals ranging in sophistication continue to 
wreak havoc on State and local governments and private-sector 
critical infrastructure with less mature cybersecurity 
capabilities.
    Just this week, for example, a hacker breached a water 
treatment facility in Florida and attempted to poison the water 
supply. This follows a year when cyber criminals hacked 
schools, hospitals, and workplaces transitioning to remote 
work. According to McAfee, cyber crime cost the global economy 
$1 trillion in 2020.
    The Federal Government must work to raise the baseline 
cybersecurity posture across Government entities and the 
private sector to reduce avoidable, opportunistic attacks. This 
will free up talent and resources to focus on more 
sophisticated problems. We must also do as President Biden has 
done and treat cybersecurity as a central National security 
priority and not a boutique add-on.
    To be sure, today is just the first of several hearings 
this committee will hold on the cybersecurity threats facing 
the Nation and how the Government and private sector should 
work together to address them.
    I would like to thank our witnesses for their testimony and 
look forward to continuing the committee's work on this 
critical issue.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                           February 10, 2021
    We are here today to begin what I hope will be a bipartisan 
endeavor in the 117th Congress--making cyber space more secure and 
networks more resilient. During the Trump administration, Federal 
efforts to raise the National cybersecurity posture were stunted by a 
lack of steady, consistent leadership from the White House. In 
contrast, from Day 1, President Biden has treated cybersecurity as an 
urgent National and economic security issue.
    The President has started by surrounding himself with experts to 
spearhead sound cybersecurity policy. He has already confronted 
Vladimir Putin about Russian election meddling and the SolarWinds 
compromise and has publicly committed to an aggressive stance on China. 
Further, to bolster the cybersecurity of Federal networks, the 
President included much-needed funding for cybersecurity and technology 
modernization in the American Rescue Plan proposal. Thankfully, 
Congress now has a willing and able cybersecurity partner in the White 
House, and I am optimistic about the progress we can make. We must work 
quickly to make up for lost time.
    Our witnesses today are a seasoned group of cybersecurity experts, 
many of whom recently served in Government and made important 
contributions to our National cybersecurity posture. They are here to 
tell us about the challenges we face and how to chart a course toward 
cyber defense, deterrence, and resiliency. In the not-too-distant past, 
when our witnesses were serving in Government--most of us had never 
heard of SolarWinds, but now it dominates cybersecurity conversations.
    Late last year, we learned that Russian actors breached targeted 
Federal networks and critical infrastructure, in part through 
sophisticated supply chain compromise of the SolarWinds Orion platform.
    For almost a year, Russian actors burrowed into networks, hiding 
their tracks and patiently stealing data. Although we are engaged in an 
in-depth investigation with other key House Committees to learn more 
about this malicious Russian campaign, we know enough to begin asking 
difficult questions and start correcting course.
    For instance, we know that it will take months to fully understand 
the scope and impact of the compromise and eradicate bad actors from 
our networks. We also know that despite prior significant investments 
in Federal network security and active defense, the Russian campaign 
evaded detection. The task before us is to zero in on how we can mature 
our defenses to match the capabilities of our adversaries. The Russian 
SolarWinds campaign threatens our Nation and cannot be tolerated.
    It is evident that prior responses to cyber attacks such as 
``naming and shaming,'' sanctions, and indictments have not deterred 
bad actors from engaging in malicious cyber behavior that threatens our 
National security. I am interested in hearing from the witnesses how 
we can deter this behavior or raise the cost of it. We must also be 
mindful that not every cyber attack is a sophisticated one carried out 
by a well-resourced nation-state actor.
    Cyber criminals--ranging in sophistication--continue to wreak havoc 
on State and local governments and private-sector critical 
infrastructure with less mature cybersecurity capabilities. Just this 
week, for example, a hacker breached a water treatment facility in 
Florida and attempted to poison the water supply. This follows a year 
when cyber criminals hacked schools, hospitals, and workplaces 
transitioning to remote work. According to McAfee, cyber crime cost the 
global economy $1 trillion in 2020.
    The Federal Government must work to raise the baseline 
cybersecurity posture across Government entities and the private sector 
to reduce avoidable, opportunistic attacks. This will free up talent 
and resources to focus on more sophisticated problems. We must also do 
as President Biden has done and treat cybersecurity as a central 
National security priority and not a ``boutique add-on.''
    To be sure, today is just the first of several hearings this 
committee will hold on the cybersecurity threats facing the Nation and 
how the Government and private sector should work together to address 
them.

    Chairman Thompson. With that, I recognize the Ranking 
Member, the gentleman from New York, Mr. Katko, for an opening 
statement.
    Mr. Katko. Thank you, Mr. Chairman. I appreciate your 
comments. Thank everyone for being here today, including the 
witnesses. Thank you for holding this important hearing.
    As you know, cybersecurity remains an area of great 
bipartisan cooperation in Congress, and for that we should be 
thankful. Because of it, it is also the preeminent National and 
homeland security threat of our time.
    Every action we have heard about the importance of 
cybersecurity is more true than ever before. It underpins 
almost every aspect of our way of life. It impacts resilience 
of every single critical infrastructure sector, and it stands 
between our most sensitive data being secure or being exploited 
by our enemies.
    While general awareness of cyber threats is becoming 
commonplace, the cybersecurity resilience of our great Nation 
leaves undeniable room for improvement. We are still living in 
the wake of the SolarWinds campaign, one of the most 
devastating cyber-espionage campaigns in history, with our 
State and local governments, businesses, and constituents being 
affected by malicious cyber campaigns every single day.
    Think about it: The past year, while we were indicting our 
operatives of the Chinese Ministry of State Security for 
actively trying to compromise COVID vaccine research, Russian 
actors were simultaneously sitting in Federal and non-Federal 
networks, quietly executing what is arguably the most 
sophisticated cyber-espionage campaign in our Nation's history.
    Both of those state-backed campaigns that were taking place 
via a weekly and often daily drumbeat of ransomware campaigns 
crippled city, State, hospital, and school networks already 
heavily impacted by the pandemic.
    In my district alone, the Syracuse City School District and 
Onondaga County Library System both fell victim to ransomware 
attacks that shut down their systems and halted the critical 
services they provide. Just days ago, a hacker reportedly 
gained access to a water treatment facility in Oldsmar, 
Florida, and attempted to adjust the water chemical levels 
through cyber means to poison thousands of residents.
    These cyber threats clearly have real-world consequences, 
and we must do everything we can to help bring these malicious 
actors to justice. The bottom line is that we are still 
struggling against both the highly sophisticated and the 
routine. We can do better, and we must do better.
    There is, luckily, some reason for optimism. The creation 
of CISA as the Nation's lead civilian cybersecurity agency was 
necessary and long overdue. The agency's work to harden 
election systems from 2016 to 2020 was nothing short of heroic. 
Like everyone in this hearing, I extend my heartfelt gratitude 
to Chris Krebs and his team for his service and leadership.
    The Cyberspace Solarium Commission created a venue for 
activists to voice bold ideas and a mechanism for those ideas 
to become law. I am very proud to have helped usher multiple 
new authorities for CISA as part of the fiscal year 2021 NDAA, 
which will bolster its visibility across Federal networks, 
among other important authorities.
    CISA should be doubling down on its implementation of these 
provisions, most importantly the authority to conduct threat 
hunting on agencies' networks. But the work does not stop 
there, not by a long shot. It is easy to sit here and become 
numb to what often feels like a ``breach of the week'' in cyber 
space.
    Complicating this landscape further is that cybersecurity 
risk management, supply chain risk management, third-party 
trust and assurance, and critical infrastructure protection are 
now inexorably linked. They are layers on top of one another, 
impossible to disaggregate.
    The sheer volume of the data that our connected systems 
must secure in transit and at rest is increasing exponentially, 
a reality only accelerated by the deployment of the 5G networks 
Nation-wide.
    Meanwhile, our nation-state cyber adversaries, like China, 
have sophisticated, multi-decade agendas to compromise data and 
leverage it for malicious purposes aimed at eroding America's 
dominance.
    We have a distinguished panel of witnesses who have all 
spent considerable time in the trenches working valiantly to 
keep America safe from cyber threats, and I welcome their 
guidance on how we can strengthen our Nation's cybersecurity 
posture.
    I want this to be a hearing about opportunity for action, 
not just admiration of the problem. We have already ceded 
critical ground to our global adversaries, and there is simply 
no time to waste.
    I remain deeply concerned that the Federal roles and 
responsibilities for dot-gov security are too confederated, too 
clunky, and ultimately inadequate. Giving CISA Federal hunt 
authorities was an incremental step in the right direction, but 
CISA simply does not have the centralized visibility or 
authority to nimbly respond. I look forward to hearing ideas 
from our witnesses about how we can remedy this situation.
    On the heels of SolarWinds, and with enough not-
insignificant potential the Russian actors may still have 
access to some of our networks, I call on all my colleagues to 
work together in a bipartisan manner quickly to find a 
legislative vehicle to give CISA the resources it needs to 
fully respond and protect us.
    Cybersecurity is a team sport that is ultimately about 
partnership. We are all in this together, so let's get to work.
    I yield back, Mr. Chairman.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
                           February 10, 2021
    Thank you, Mr. Chairman.
    Thank you for holding this important hearing. As you know, 
cybersecurity remains an area of great bipartisan cooperation in 
Congress.
    For that, we should be thankful, because it is also the pre-eminent 
National and homeland security threat of our time.
    Every axiom we've heard about the importance of cybersecurity is 
more true than ever before. It underpins almost every aspect of our way 
of life, it impacts the resilience of every single Critical 
Infrastructure sector, and it stands between our most sensitive data 
being secure--or being exploited--by our enemies.
    While general awareness of cyber threats is becoming commonplace, 
the cybersecurity resilience of our great Nation leaves undeniable room 
for improvement.
    We're still living in the wake of the SolarWinds campaign--one of 
the most devastating cyber espionage campaigns in history, with our State 
and local governments, businesses, and constituents being affected by 
malicious cyber campaigns every single day.
    Think about it, this past year, while we were indicting operatives 
of the Chinese Ministry of State Security for actively trying to 
compromise COVID vaccine research, Russian actors were simultaneously 
sitting in Federal, and non-Federal networks, quietly executing what is 
arguably the most sophisticated cyber espionage campaign in history.
    Both of those State-backed campaigns were taking place while a 
weekly, and often daily, drumbeat of ransomware campaigns crippled 
city, State, hospital, and school networks already heavily impacted by 
the pandemic. In my district, the Syracuse City School District and 
Onondaga County library system both fell victim to ransomware attacks 
that shut down their systems and halted the critical services they 
provide.
    Just days ago, a hacker reportedly gained access to a water 
treatment facility in Oldsmar, Florida, and attempted to adjust the 
water chemical levels through cyber means to poison thousands of 
residents.
    These cyber threats clearly have real-world consequences, and we 
must do everything we can to bring these malicious actors to justice.
    The bottom line is that we are still struggling against both the 
highly sophisticated and the routine.
    We can do better. We must do better.
    There is, luckily, some reason for optimism.
    The creation of CISA as the Nation's lead civilian cybersecurity 
agency was necessary and long overdue. The agency's work to harden 
election systems from the 2016 to 2020 elections was nothing short of 
heroic. Like everyone in this room, I extend my heartfelt gratitude to 
Chris Krebs for his service and leadership.
    The Cyberspace Solarium Commission created a venue for experts to 
voice bold ideas, and a mechanism for those ideas to become law. I am 
proud to have helped usher multiple new authorities for CISA as a part 
of the fiscal year NDAA, which will bolster its visibility across 
Federal networks, among other important authorities.
    CISA should be doubling down on its implementation of these 
provisions, most importantly, the authority to conduct threat hunting 
on agencies' networks.
    But the work doesn't stop there.
    It's easy to sit here and become numb to what often feels like a 
``breach of the week'' in cyber space. Complicating this landscape 
further is that cybersecurity risk management, supply chain risk 
management, third-party trust and assurance, and critical 
infrastructure protection are now inexorably linked. They are layers on 
top of one another, impossible to disaggregate.
    The sheer volume of the data that our connected systems must secure 
in transit and at rest is increasing exponentially--a reality only 
accelerated by the deployment of 5G networks.
    Meanwhile, our nation-state cyber adversaries, like China, have 
sophisticated, multi-decade agendas to compromise this data and 
leverage it for malicious purposes aimed at eroding America's 
dominance.
    We have a distinguished panel of witnesses who have all spent 
considerable time in the trenches working valiantly to keep America 
safe from cyber threats and I welcome their guidance on how we can 
strengthen our Nation's cybersecurity posture.
    I want this to be a hearing about opportunity for action, not just 
admiration of the problem. We have already ceded critical ground to our 
global cyber adversaries, and there is simply no time to waste.
    I remain deeply concerned that the Federal roles and 
responsibilities for .gov security are too confederated, too clunky, 
and ultimately inadequate. Giving CISA Federal hunt authorities was an 
incremental step in the right direction, but CISA simply does not have 
the centralized visibility or authority to nimbly respond. I look 
forward to hearing ideas from our witnesses about how we can remedy 
this situation.
    On the heels of SolarWinds, and with the not insignificant 
potential that Russian actors may still have access to some of our 
networks, I call on all my colleagues to work together, quickly, to 
find a legislative vehicle to give CISA the resources it needs to fully 
respond.
    Cybersecurity is a team sport that is ultimately about partnership. 
We're all in this together, so let's get to work.

    Chairman Thompson. Other Members of the committee are 
reminded that, under the committee rules, opening statements 
may be submitted for the record.
    [The statement of Honorable Garbarino follows:]
               Statement of Honorable Andrew R. Garbarino
                           February 10, 2021
    I am honored to have been selected by Ranking Member Katko to serve 
as the Ranking Member of the Cybersecurity, Infrastructure Protection, 
and Innovation (CIPI) Subcommittee. I believe that cyber attacks are 
the most pressing threat to our National security today. Nation-state 
actors are growing more sophisticated and increasingly infiltrating our 
networks and stealing National security secrets, personal data, and 
intellectual property. I am eager to get to work to defend our Nation's 
most critical infrastructure from foreign adversaries like Russia, 
China, Iran, and North Korea.
    As the lead Federal agency tasked with helping stakeholders 
understand and manage risk across all 16 critical infrastructure 
sectors, the Cybersecurity and Infrastructure Security Agency (CISA) 
plays a key role in ensuring every aspect of our society is resilient 
to cyber threats. As such, CISA must operate as a strong, centralized 
authority to ensure the cyber resilience of all the lifeline services 
that Americans so heavily rely on--including the Nation's electric 
grid, telecommunications systems, health care institutions, and water 
facilities. In fact, just today it was reported that a water utility in 
Florida was the victim of a cyber attack that put the clean water 
supply of 15,000 Americans in jeopardy.\1\ We must do better to ensure 
underfunded and under-resourced utilities in every critical 
infrastructure sector have the security protections in place to provide 
reliable services to Americans.
---------------------------------------------------------------------------
    \1\ Hack exposes vulnerability of cash-strapped U.S. water plants: 
https://apnews.com/article/water-utilities-florida-coronavirus-
pandemic-utilities-882ad1f6e9f80c053ef5f88a23b840f4.
---------------------------------------------------------------------------
    As my constituents on Long Island and all Americans across the 
country continue to adapt to working and learning remotely as a result 
of the COVID-19 pandemic, I believe it is now more important than ever 
to work with agencies like CISA to combat malicious cyber actors 
targeting COVID-19 relief programs for our struggling small businesses, 
as well as nation-state actors such as China targeting pharmaceutical 
institutions involved in vaccine development. We must keep Chinese-
owned technology and telecommunications companies, like Huawei, out of 
our data, infrastructure, and networks across all critical 
infrastructure sectors. I will be tough on all companies influenced by 
the Chinese Communist Party, as well as any other nefarious nation-
state actors.
    The recent SolarWinds cyber espionage campaign launched by a 
sophisticated nation-state actor, likely Russia, is one of the worst 
intrusions of U.S. Government and private-sector networks in our 
Nation's history. We will be dealing with the impacts of this campaign 
for years to come. We must move forward by centralizing Federal network 
authority under CISA, understanding the current risk landscape, and 
holding cyber adversaries accountable. I look forward to continuing to 
address these complex issues with Ranking Member Katko and the CIPI 
subcommittee in the months ahead.
    As we begin the 117th Congress, I strive to improve our Nation's 
cybersecurity posture at every level of government, including 
preventing ransomware attacks at the State and local level. Throughout 
2020, ransomware attacks increased significantly and targeted many 
health care organizations and schools that were already overwhelmed by 
the COVID-19 pandemic. In fact, just a few months ago, both the Bay 
Shore and Lindenhurst school districts on Long Island were hit with 
cyber attacks.\2\ I am determined to work with hospitals, schools, and 
small businesses in New York's 2d district and across the country to 
improve their cybersecurity posture in the wake of increasing threats.
---------------------------------------------------------------------------
    \2\ Cyber attack disrupts operations in Bay Shore school district: 
https://www.newsday.com/long-island/education/bay-shore-schools-hack-
1.50010940.
---------------------------------------------------------------------------
    I am ready to get to work with the Nation's leading cybersecurity 
experts from both the public and private sectors and I look forward to 
engaging with all these stakeholders in my new role on the 
subcommittee. I look forward to combating this threat as one Nation and 
finding bipartisan and innovative ways to protect our communities 
moving forward.

    Chairman Thompson. Members are also reminded that the 
committee will operate according to the guidelines laid out by 
the Chairman and Ranking Member in our February 3 colloquy 
regarding remote proceedings.
    I welcome our witnesses.
    Mr. Chris Krebs, who is no stranger to this committee, 
served as the director of the Cybersecurity and Infrastructure 
Security Agency, commonly referred to as CISA, until November 
2020. Since leaving Government, he has founded the Krebs Stamos 
Group, and he is now serving as Newmark senior cyber fellow at 
the Aspen Institute. SolarWinds is one of Mr. Krebs' clients; 
however, he is testifying today in his personal capacity as a 
former CISA director.
    Ms. Sue Gordon served as the principal deputy director of 
national intelligence at the Office of the Director of National 
Intelligence from August 2017 to August 2019. Ms. Gordon has 
served in the intelligence community for over 3 decades in a 
variety of leadership roles spanning numerous intelligence 
organizations and disciplines.
    Mr. Michael Daniel is the president and CEO of Cyber Threat 
Alliance. Prior to joining CTA in February 2017, Michael served 
from June 2012 to January 2017 as special assistant to 
President Obama and cybersecurity coordinator on the National 
Security Council staff.
    Mr. Dmitri Alperovitch is executive chairman of Silverado 
Policy Accelerator, a nonprofit focusing on advancing solutions 
to critical geopolitical and cybersecurity policy challenges. 
He is cofounder and former chief technology officer of the 
cybersecurity firm CrowdStrike, Incorporated.
    Without objection, the witnesses' full statements will be 
inserted in the record.
    I now ask Mr. Krebs to summarize his statement for 5 
minutes.

   STATEMENT OF CHRISTOPHER C. KREBS, FORMER DIRECTOR OF THE 
    CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Krebs. Chairman Thompson, Ranking Member Katko, Members 
of the committee, good afternoon, and thank you for inviting me 
to appear today.
    As the director of the Cybersecurity and Infrastructure 
Security Agency, or CISA, leading CISA, I had the pleasure to 
work with many of you as Members of the primary oversight 
committee, and I have testified, as you pointed out, many times 
in front of this committee.
    To the new Members of the committee, congratulations on 
being given the honor to represent your constituents in the 
117th Congress.
    I look forward to helping as I might, and thank you for 
holding this timely hearing.
    The cyber threat landscape is more complicated than ever, 
with foreign governments and criminal gangs alike using 
capabilities that enable everything from run-of-the-mill cyber 
crime, information operations, intellectual property theft, 
destructive attacks, and operations with kinetic effects.
    The bulk of the malicious cyber activity targeting the 
United States emanates from 4 countries: Russia, China, Iran, 
and North Korea. Even in those countries, the difference 
between State action and criminal activity is increasingly 
blurred as contracted or proxy cyber actors support or act on 
behalf of State-directed operations. As long as the tools are 
available, vulnerabilities exist, money and secrets are to be 
had, and a lack of meaningful consequences persists, there will 
be malicious cyber actors.
    Complicating matters further, oftentimes we make it far too 
easy for the bad guys. When an organization is struggling to 
make payroll and keep systems on a generation of technology 
created in the last decade, even the basics of cybersecurity 
can be out of reach.
    Even then, the purpose of IT is to make things easier to 
manage. So it is almost counterintuitive that managing a system 
over the internet might be a bad thing.
    So we have a dilemma on our hands. But all is not lost. In 
my written testimony, I provide a series of recommendations 
that can put us on a collective path toward a more secure and 
resilient economy. Are we going to stop every attack? No. But 
we can take care of the most common risks and make the bad guys 
work that much harder and limit their success.
    To get there, we must make 3 strategic shifts.
    First, we need stronger cybersecurity leadership in 
industry and more centralized oversight in Government. This 
includes building on the authorities provided to CISA in the 
National Defense Authorization Act, including the 
administrative subpoena authority and continuous hunt over 
Federal civilian agencies.
    Second, we must allocate more and smarter investments into 
private-sector capabilities and increase support to all levels 
of Government. This includes accelerating investment into 
Federal IT modernization, boosting CISA's ability to execute, 
and providing grant programs for State and local governments 
like the post-9/11 antiterrorism programs.
    Third, industry and Government must come together 
collectively to democratize cybersecurity, better understand 
where our real risk lies, increase capacity, and work in a 
meaningful way beyond information sharing. This includes coming 
together to counter the scourge of ransomware.
    The parts are in place for our Nation to dramatically 
improve our cybersecurity defenses. As a society, we need to 
accept that every organization in the country, whether in the 
private sector or in Government, can be targeted by a cyber 
actor. The Government cannot stop all attacks, but there is 
much that the industry can do on their end. Companies have a 
responsibility to their customers, their stakeholders, and, 
depending on where they sit in the economy, a responsibility to 
the country.
    Meaningful progress will take time, and we may never see a 
finish line, but change for the better is possible. To get 
there, we need to employ the courage and resolve that has 
driven American innovation throughout our National history.
    Before I conclude, I would once again like to thank the 
committee for your steadfast support of CISA in its 
cybersecurity mission. You deserve great credit for the 
agency's progress in the last few years. I firmly believe that 
we are on the right track and can accomplish much more 
together.
    Thank you again for the opportunity to testify today, and I 
look forward to your questions.
    [The prepared statement of Mr. Krebs follows:]
               Prepared Statement of Christopher C. Krebs
                           February 10, 2021
                              introduction
    Chairman Thompson, Ranking Member Katko, Members of the committee, 
my name is Chris Krebs, and it is my pleasure to appear before you 
today to discuss ``Homeland Cybersecurity: Assessing Cyber Threats and 
Building Resilience.'' As you know, I previously served as the first 
director of the Cybersecurity and Infrastructure Security Agency 
(CISA), leading CISA and its predecessor organization, the National 
Protection and Programs Directorate, from August 2017 until November 
2020. Over the last several years, I have had the pleasure of working 
with many of you as Members of the primary oversight committee for CISA 
and have testified in front of this committee many times. To the new 
Members of the committee, congratulations on being given the honor to 
represent your constituents in the 117th Congress. I look forward to 
working with you.
    It is an honor to appear before this committee to testify about the 
current cybersecurity threat landscape and how it intersects with 
American businesses and Government agencies. Given my recent experience 
as CISA director, and now as founding partner of the Krebs Stamos 
Group, a cybersecurity risk management consultancy, as well as the 
Newmark senior cyber fellow at the Aspen Institute, I am continuing my 
efforts to improve the Nation's cybersecurity and resilience. My time 
at CISA most acutely helped shape my view of the effectiveness of our 
current approach and its shortcomings, particularly with a focus on 
critical infrastructure. Operating from an assumption that our 
adversaries are technically capable, both opportunistic and highly 
targeted, yet bound by the laws of physics and the realities of the 
Gregorian calendar, I firmly believe that we can make progress in 
defending our cybersecurity.
    In order to make progress, I believe there are several truisms that 
are useful to framing an organization's approach to cybersecurity and 
resilience: First, the Federal Government is not going to save you, but 
they are an essential partner. Second, cybersecurity competency 
requires leadership buy-in. Third, good guys and bad guys alike make 
mistakes, how fast you find both makes a difference. Fourth, your 
mistakes are likely going to get out anyway, the faster you protect 
your customers, the better off everyone will be. And fifth, everyone 
has bad days, preparation will determine how bad that day is. These 
truisms represent a simple acknowledgement that 100 percent security is 
not the desired or realistic end-state, instead a resilient 
organization that is empowered, informed, humble, and agile cannot just 
survive in today's environment, but actually thrive.
    In my testimony today, I will provide a series of recommendations 
to improve our approach to making the internet a safer and more secure 
place for all Americans. These recommendations are rooted in the need 
to continually improve our understanding of our Nation's physical and 
digital infrastructure, introduce friction into the adversaries' 
activities, and increase investments and centralized services for 
Government and industry alike. My recommendations align with the more 
defensive actions associated with ``Deterrence by Denial.''
    (1) Continue to invest in CISA's National Critical Functions (NCFs) 
        Initiative, improve our understanding of the risk facing our 
        Nation's infrastructure, and expand roll out to highest-risk 
        functions.
    (2) Prioritize identification of systemically important enterprise 
        software and services, update Federal contracting for greater 
        transparency and sharing, and launch operational defensive 
        partnerships called for in the 2021 National Defense 
        Authorization Act.
    (3) Launch a National countering ransomware initiative to improve 
        defenses, disrupt the ransomware business model, and use 
        broader set of authorities against actors.
    (4) Proceed with Department of Commerce rulemaking on Executive 
        Order 13984, ``Taking Additional Steps to Address the National 
        Emergency With Respect to Significant Malicious Cyber-Enabled 
        Activities'' to counter adversary abuse of Virtual Private 
        Servers.
    (5) Improve Federal cybersecurity posture through enhanced 
        governance, increased funding, and centralized services offered 
        by CISA.
                        understanding cyber risk
    When thinking about the cybersecurity risks we face today, I find 
the traditional risk formula most useful to organize the various 
players on the field: r=t*v*c.
    Where r = risk, t = threat, v = vulnerability, and c = consequence. 
Likelihood of an attack is assumed within the t variable.
    Those 3 variables combined yield the risk we are constantly trying 
to manage. The 3 variables, however, are not static nor are they 
singular, and therefore a risk manager's job is never done. The cyber 
implications of COVID-19 are a useful case study. In the spring of 
2020, our Nation's critical infrastructure risk shifted dramatically. 
The coronavirus spread across the country sickening many Americans and 
overwhelming hospitals, particularly in New York City. The consequences 
of a threat--non-state actor ransomware--hitting a hospital would lead 
to loss of life due to reduced capacity in patient care. To manage the 
risk in the calculation, through CISA's ``Project Taken'' we engaged to 
both minimize vulnerabilities in patient care facilities, but also by 
messaging threat actors to avoid attacking those facilities. There were 
also state actor threats from China and Russia conducting espionage on 
vaccine manufacturing research labs. Those intrusions, exploiting 
vulnerabilities in the networks and systems of the labs, if conducted 
recklessly, could result in disruptive consequences to vaccine 
development, where days and weeks delay in vaccine roll out meant real 
lives lost. In part, through Operation Warp Speed, CISA worked with 
vaccine developers to minimize vulnerabilities by sharing threat 
intelligence, investigating suspicious activity, and scanning for 
unpatched systems. We also worked to better understand supply chains 
and manage consequences by identifying and diversifying or hardening 
single points of failure in the chain from research and development to 
shots in the arm.
    Both real-life scenarios offer just a glimpse into the challenges 
facing information security teams and risk managers in general across 
the country. They also highlight the focus cannot solely be on 
understanding and stopping the threat actors--we must also invest in 
our ability to understand why we might be targeted by threat actors, 
how they might come at us, and if they do, how do we survive or 
minimize any attack.
                         the t(hreat) variable
    The cyber threat landscape is more complicated than ever, with 
state and non-state actors investing in and building capabilities that 
enable everything from run-of-the-mill cyber crime, information 
operations, destructive attacks, and operations with kinetic effects. 
Over the last few years, the ``state actor cyber club'' has evolved 
from the traditional big 4 of cyber adversaries--China, Russia, Iran, 
and North Korea--to a more stratified set of actors. The sorting is 
based on capability, with China and Russia at the top of the pyramid, 
and Iran and North Korea, while still capable, a rung below. Non-state 
actors including cyber criminals are also gaining ground.
    Further complicating the ability to paint a clear picture of the 
cyber threat actor landscape is the increasingly blurring line between 
state and non-state actors. For example, contracted or proxy cyber 
actors support or act on behalf of state-directed operations. 
Conversely, state actors sometimes moonlight as cyber criminals after-
hours to earn additional income. And in other cases, non-state cyber 
actors operate with the tacit approval of the home state, if the actors 
do not target their own domestic organizations, in other words ``anyone 
but us.'' New actors enter and leave the playing field daily. Agencies 
reorganize, break up, and consolidate. Criminal gangs are busted, go 
dark, or give up the life of crime. If the tools are available, money 
and secrets are to be had, vulnerabilities exist, and a lack of 
meaningful consequences persists, there will be malicious cyber actors.
    Unfortunately, across the full set of actors, there is no 
authoritative perfect picture or master list of the agencies and their 
tradecraft, tools, personnel, or targeting lists. Instead, we have a 
modern-day parable of the ``Blind Men and the Elephant,'' where 
different defenders have a unique perspective based on their viewpoint 
from where they sit across American infrastructure or from their 
incident response investigations. This leads to a confusing mashup of 
threat actor names, be they pandas, APTs, or Periodic Table elements. 
And that is just from the cybersecurity vendor community. Inside 
Government and across allied partners there are myriad codenames and 
jargon for the cyber actors knocking on our networks every day.
Case Study: Same Nation, Different Tactics
    Cyber actors use various techniques, from opportunistic and 
commonly available, to highly sophisticated and only available to those 
with resources and time. We saw both play out last year. The Russian 
FSB, the main successor to the Soviet-era KGB, carried out a broad 
campaign scanning for unpatched network access points known as VPNs in 
a variety of sectors, from Federal, State, and local government, to the 
aviation sector and the defense industrial base. There was nothing 
particularly sophisticated about this activity, they simply looked for 
the out-of-date VPNs and exploited them with common techniques. At the 
same time, the Russian SVR, the main foreign intelligence service, 
launched a stealthy campaign in late 2019 that used a variety of 
techniques exploiting trust--that keeps networks going the world 
round. They moved downstream from Texas-based information technology 
(IT) company SolarWinds into customer networks, while also exploiting 
authentication techniques to gain access to email systems. As we were 
chasing the noisy FSB (and other actors, like the Iranians and 
ransomware crews) around the country, the ghostlike SVR was lost in the 
noise, patiently moving through a select list of targets. And that is 
just 2 actor sets from 2 agencies within 1 foreign adversary. Each 
agency has multiple groups, each nation has multiple agencies. Each 
group, agency, and nation have different strategic objectives and 
tactics to achieve them.
           the challenge of securing domestic infrastructure
    Our critical infrastructure is what drives our economy, supports 
National security, and contributes to public health and safety. Most 
critical infrastructure in the United States, however, is owned and 
operated by the private sector with only a patchwork of security 
oversight in place. It is hard to overstate the massive scope of the 
critical infrastructure security and resilience challenge. The levers 
Government has at its disposal to change behaviors, on the other hand, 
are underwhelmingly small.
    This leads to 3 conditions limiting the ability of Government and 
industry to collectively improve critical infrastructure cybersecurity: 
(1) Lack of a deep understanding of what is truly systemically 
important across the economy, (2) a need for more meaningful methods 
for operational engagement with industry to address risk; and (3) 
insufficient funding and investment in security improvements.
Understanding Risk
    The first challenge to overcome in enhancing the cybersecurity of 
our Nation's infrastructure is that our understanding of systemic 
importance must improve. Even within classic infrastructure sectors and systems 
that are generally easy to define--banking and finance, energy, and 
transportation--only now are we really identifying the highest-risk 
functions within those sectors. Fortunately, the effort to understand 
systemic importance of industry functions is a growing area of focus 
for the Federal Government, in part driven by CISA's National Risk 
Management Center through the National Critical Functions (NCF) 
initiative.\1\ By gaining a deeper understanding of the critical 
functions and systems that drive our Nation's economy the Government 
can bring together key players to operationalize risk management 
partnerships and make measurable progress toward a more resilient 
economy.
---------------------------------------------------------------------------
    \1\ National Critical Functions/CISA.
---------------------------------------------------------------------------
    One of the most critical aspects of the NCF work will be to support 
efforts to understand the prevalence of more intangible sectors like 
information technology and communications. The IT sector is a 
horizontal or enabling sector rather than a vertical sector. The 
products and services offered by the IT sector, like computer operating 
systems, network management software, and cloud computing, are core to 
nearly every aspect of the economy--even our Nation's agriculture 
sector increasingly relies on automated technology to improve 
efficiency and increase capacity.
    To more broadly understand systemic importance of enterprise 
software and platforms, Government and industry must work together to 
map the key components and players of our Nation's IT and 
communications infrastructure. Of particular focus should be those 
companies that have a dominant position in their market segment, and 
any disruption or compromise would have cascading and outsized impacts 
on the ecosystem. As a byproduct of enjoying economic success, those 
companies should recognize they have broader corporate citizenship 
responsibilities and must dedicate resources, personnel, and expertise 
to protect the very economy they so richly benefit from. At a minimum, 
companies should reexamine and ensure their approach to securing their 
products, processes, and customers.
NCFs In Practice: Defending the 2020 Election
    The concept of organizing around a key NCF was central to the 
success of the protection of the 2020 election. Led by CISA, the 
election security community across Government and industry came 
together to understand the greatest risks to the administration of the 
election, developed strategies and plans to improve security of the key 
subfunctions and successfully defended the election. We must repeat 
that intensity of effort across the rest of the NCF set. The NCF 
initiative, as shown in the defense of the 2020 elections, has already 
laid the groundwork for the Continuity of the Economy recommendation in 
the 2020 Cyberspace Solarium Commission (CSC) report, subsequently 
included in the 2021 National Defense Authorization Act.
Improving Engagement between Government and Industry
    In addition to improving our understanding of infrastructure, we 
must improve the methods by which we collectively engage on risk 
management efforts. CISA can lead this important endeavor. The agency 
supported the President's National Security Telecommunications Advisory 
Committee (NSTAC) in developing the 2014 Report to the President on 
Information and Communications Technology (ICT) Mobilization.\2\ The 
core concept of the report was to develop a working partnership between 
industry and Government that could be immediately activated in the 
event of a large-scale cyber attack approaching a National emergency, 
yet many of the lessons of the report equally apply to steady-state 
resilience building activities. Two recommendations emerged from the 
report that are even more important than they were just a half decade 
ago.
---------------------------------------------------------------------------
    \2\ NSTAC--Information and Communications Technology Mobilization 
Report 11-19-2014.pdf (cisa.gov), 
https://www.cisa.gov/sites/default/files/publications/NSTAC%20-%20Information%20and%20Communications%20Technology%20Mobilization%20Report%2011-19-2014.pdf.
---------------------------------------------------------------------------
    (1) Conducting a Unified Risk Assessment.--The first is tighter 
        integration between the collectors and analyzers from industry 
        and Government of foreign cyber actor intelligence, in part 
        through a Unified Risk Assessment Process for Mobilization. 
        This fusion of private and public intelligence expertise can 
        overcome the current imperfect nature of understanding, 
        decision making, and response. A unified risk assessment 
        process in both steady-state and response scenarios would bring 
        together informed and experienced hands to determine means, 
        intent, and ability to understand a potential or on-going 
        threat actor campaign. Most importantly, the private sector and 
        civilian agency experts can bring context and relevance to 
        intelligence analysts that may not have a sufficient 
        understanding of the domestic infrastructure landscape, which 
        can lead to overlooking the relevance of collected 
        intelligence. This risk assessment process and the contributing 
        analysts should be a core function of the Integrated Cyber 
        Center recommended by the Cyberspace Solarium Commission 
        (Recommendation 5.3) and included in the 2021 NDAA, Section 
        1731 (Establishment of an Integrated Cybersecurity Center). The 
        concept also echoes the recommendation of the President's 
        National Infrastructure Advisory Council (NIAC) for the 
        establishment of a Critical Infrastructure Command Center 
        (CICC).\3\
---------------------------------------------------------------------------
    \3\ https://www.cisa.gov/sites/default/files/cisa/NIAC%20Actionable%20Cyber%20Intelligence_DRAFT-PREDECISONAL_508c%20(002).pdf.
---------------------------------------------------------------------------
    (2) Establishing an ICT Enablers Working Group.--The 2014 NSTAC 
        report also ``developed a working model of the functional 
        capabilities (in 6 categories) associated with the broader 
        global ecosystem.''\4\ The companies that execute these 
        capabilities are known as ``ICT Enablers.'' While the core 
        functions of the ICT Enablers no doubt require a fresh look and 
        update, the purpose is the same--we must understand the core 
        functions and the companies that substantially make up those 
        functions. This is the essence of systemic importance in the IT 
        Sector, those companies that dominate or hold a lynchpin 
        position in the ecosystem have an outsized responsibility to 
        contribute to the National defense. We must know who these 
        companies are and then establish meaningful partnerships 
        between industry and Government. Not just to trade business 
        cards, but to share information on emerging threats or observed 
        attacks.
---------------------------------------------------------------------------
    \4\ NSTAC Report to the President on Information and Communications 
Technology Mobilization, pg 14.
---------------------------------------------------------------------------
    Through the knowledge transfer associated with trusted 
partnerships, combined with the commitment and support of corporate 
leadership, the baseline of security across the ICT enablers should 
improve. Prior models have fallen short principally due to a lack of 
specificity in tasks and the inability of Government to host industry 
representatives outside of a handful of Information Sharing and Analysis Center 
(ISAC) representatives. By adopting a risk management agenda with 
discrete tasks and skillsets required, and industry organizing itself 
with deliberate representation of the companies that truly matter, much 
like the United Kingdom's National Cyber Security Centre Industry 100 
model, CISA can more effectively identify and work with industry 
partners. The entity resulting from the Integrated Cyber Center or CICC 
mentioned above, building on existing CISA coordination mechanisms, can 
bring Government and industry together to improve partnership models to 
operationalize intelligence and risk management efforts.
Increasing Funding for States and Incentivizing Industry Investment
    Even by identifying our infrastructure of concern and creating the 
mechanisms for engagement, it requires resources to secure systems, 
hire and train personnel, and engage in collective efforts. For State 
and local government partners, even if awareness is not an issue, lack 
of funding is an ever-present inhibitor to improving security.
    1. State and Local Cyber Grants.--Congress should identify grant 
        programs, much like the Homeland Security Grant Program, to 
        distribute funding to State and municipal infrastructure 
        programs to help improve their security programs. Grant 
        programs should incentivize regional collaboration and 
        coordination, creating a mutually supporting culture and 
        community of security.
    2. Expanding Training to Government Infrastructure.--CISA should 
        also be authorized and funded to provide entry and mid-level 
        information security and operational security education and 
        training programs. These programs should prioritize remote 
        learning opportunities in order to engage more students, but 
        where more advanced or hands-on learning is more effective, 
        CISA should be funded for mobile training capabilities to bring 
        training to the students where they are.
    3. Industry Incentives.--Industry should similarly be encouraged to 
        invest in security programs, ideally through sector self-
        organization and implementation. In the meantime, the 
        Executive branch should conduct a meaningful review of existing 
        regulatory programs for cybersecurity requirements or extant 
        authorities that could be used to require additional security. 
        We are also seeing an emerging class of corporate leaders that 
        understand the importance of cybersecurity and the need to 
        invest. Conversely, there will always be a set of executives 
        that look to shave costs and minimize outlay until forced to 
        spend, if even then. With the appropriate engagement and 
        education, the former class--particularly when identified as 
        systemically important and provided the opportunity to best 
        improve the security of their operations--should outpace the 
        latter. After a period of time, all executives may prefer a 
        more prescriptive approach with certainty.
    4. Government Contracting Requirements.--The Government should 
        start with where it does business with industry, Government 
        should require standardized security practices as a matter of 
        contracting. The U.S. Government can immediately improve 
        visibility and understanding across Federal networks (though 
        there will be cascading benefits to industry) by amending the 
        contracting process to require transparency about the software 
        itself, the level of access the software requires to operate, 
        and the security measures in place to ensure the software 
        cannot be manipulated through development, build, installation, 
        operation, or maintenance. In addition, CISA should be included 
        in the contract as an authorized recipient of vulnerability and 
        incident notifications. As of now, privity of contract and the 
        bounds of Non-Disclosure Agreements (NDAs) limit the sharing of 
        information on risks or incidents beyond the vendor and the 
        customer. This puts the vendor in the position of not being 
        able to share information with CISA for broader understanding 
        of an emerging or on-going incident.
               the growing ransomware national emergency
    Today's cyber threat landscape is not monopolized by state actors, 
in fact, the threat that most immediately and measurably affects the 
average American is cyber crime. Ransomware, specifically, has been on 
a steady rise over the last several years, with ransomware gangs 
typically operating out of countries that turn a blind eye toward their 
crimes, as long as the victims are foreign, and the money comes back 
home. According to the 2020 Verizon Data Breach Report, ransomware 
accounts for 27 percent of malware incidents, with the highest rate of 
occurrence in the education, health care, and Government administration 
sectors.\5\ Ransomware crews have been propelled and professionalized 
by commodity malware and specialization across various hacking 
techniques, but also thanks to the availability of cryptocurrencies 
that allow for anonymous financial transactions.
---------------------------------------------------------------------------
    \5\ 2020 Verizon Data Breach Report, Figure 5., pg 7. Available for 
download here.
---------------------------------------------------------------------------
    The United States along with our allies need to take a new, more 
strategic and coordinated approach to overcoming the emerging National 
security emergency posed by ransomware. The counter ransomware 
``triplet'' includes improving cyber defenses, disrupting the 
criminals' business model, and increased coordinated action against 
ransomware gangs and their enablers. This strategy will require 
Government and the private sector to contribute and commit to 
partnering together to break the ransomware cycle.
Improving Defenses
    First, we must improve defenses of our businesses and agencies 
across all levels of Government. Ubiquitous use of multifactor 
authentication (MFA) for access to networks can limit credential abuse, 
updated and patched systems can prevent actors from exploiting known 
vulnerabilities, and a well-practiced incident response plan 
accompanied by backed up and off-line systems can enable rapid reaction 
and restoration. In many cases, even these straightforward steps are 
beyond the reach of many companies or State or local agencies. We need 
to rethink our approach to technology deployment, including MFA by 
default, and the Federal Government should consider increasing 
technology upgrade grants to States and localities to retire legacy 
systems and join the digital transformation. The return on investment 
will extend beyond increased security and improve the efficiency of 
citizen services, support the U.S. technology sector, and open up more 
skilled technology jobs for a sluggish American workforce.
Disrupting the Ransomware Business Model
    Second, we must break the business model of ransomware. Simply put, 
ransomware is a business, and business is good. The criminals do the 
crimes and their victims pay the ransom. Often it is easier to pay and 
get the decryption key than rebuild the network. There are 3 problems 
with this logic: (1) You are doing business with a criminal and 
expecting them to live up to their side of the bargain. It is not 
unusual for the decryption key to not work. (2) There is no honor 
amongst thieves and no guarantee that the actor will not remain 
embedded in the victim's network for a return visit later, after all 
the victim has already painted themselves an easy mark. (3) By paying 
the ransom, the victim is validating the business model and essentially 
making a capital contribution to the criminal, allowing them to hire 
more developers, more customer service, and upgrade delivery 
infrastructure. And, most worrisome, go on to the next victim. A useful 
law school exam question may be whether, in a string of ransomed 
companies, a victim of a subsequent ransomware attack might pursue 
legal action against a prior victim of the same crew that had paid off 
the criminal. There is likely no viable course of action here but 
continuing to allow for ransom payments is a net public policy 
negative.
    We must address the ransomware business model head-on and disrupt 
the ability of victims to pay ransom. First, cryptocurrencies should be 
either more heavily-regulated or provide for more transparency via Know 
Your Customer regimes for cryptocurrency exchanges. Second, we need a 
National policy conversation on whether payments should be lawful. The 
Office of Foreign Assets Control (OFAC) has already started this dialog, 
declaring ransom payments to identified entities may be a violation of 
economic sanctions laws. Because the identity of the ransomware actor 
is not always obvious, the OFAC advisory may have an overall chilling 
effect on ransom payments.
More Aggressive Action Against Ransomware Actors
    Third, we need more coordinated action against ransomware actors 
using the range of authorities available to Federal agencies, as well 
as capabilities and rights resident in the private sector. To be 
perfectly clear, I am not suggesting extrajudicial kinetic actions 
against ransomware gangs. However, other authorities available to law 
enforcement and military should be on the table, with great care taken 
not to blur the lines between the two. Traditional approaches have 
clearly not been sufficient to prevent the outbreak of ransomware. More 
aggressive disruption of malware command and control infrastructure, 
like the recent action against Emotet, is a good start.\6\ Where there 
are clear ties between ransomware actors and state actors or a 
potential imminent threat to an event or infrastructure of significance 
like a National election, action should be on the table. The private 
sector also has options available, as demonstrated by Microsoft's 
aggressive policing of the abuse of its trademark and source code, 
including last fall's operation against Trickbot.\7\ When coordinated 
and jointly conducted, private and public sector can make the internet 
an inhospitable place for cyber criminals. The recent establishment of 
the National Ransomware Task Force, hosted by the Institute for Security 
and Technology,\8\ is a promising private-sector collaboration to 
change the rules of the game, assuming strong engagement and 
coordinated action with the Federal Government.
---------------------------------------------------------------------------
    \6\ Emotet Botnet Disrupted in International Cyber Operation/OPA/
Department of Justice. https://www.justice.gov/opa/pr/emotet-botnet-
disrupted-international-cyber-operation.
    \7\ New action to combat ransomware ahead of U.S. elections--
Microsoft On the Issues. https://blogs.microsoft.com/on-the-issues/
2020/10/12/trickbot-ransomware-cyberthreat-us-elections/.
    \8\ Institute for Security and Technology (IST) Ransomware Task 
Force (RTF). https://securityandtechnology.org/ransomwaretaskforce/.
---------------------------------------------------------------------------
             adversary abuse of infrastructure as a service
    Much of the state and non-state actor cyber activity targeting U.S. 
businesses and agencies uses our very own technology against us. State 
and non-state actors alike are using cloud infrastructure services and 
the protections afforded by law and the Constitution to steal 
intellectual property and potentially position themselves for future 
attacks. According to Ambassador Robert O'Brien, President Trump's last 
National Security Advisor, ``(m)align actor abuse of United States 
(Infrastructure as a Service) products has played a role in every cyber 
incident during the last 4 years.''\9\ To stem the abuse of IaaS 
products, the last administration signed out Executive Order 13984, 
``Taking Additional Steps to Address the National Emergency With 
Respect to Significant Malicious Cyber-Enabled Activities.''\10\ The EO 
directs the Department of Commerce to release for notice and comment 
regulations within 180 days that describe a regime that would require 
cloud service providers to implement ``Know Your Customer'' and 
Suspicious Activity Reporting measures.
---------------------------------------------------------------------------
    \9\ Press Release--Statement from National Security Advisor Robert 
C. O'Brien/The American Presidency Project (ucsb.edu). https://
www.presidency.ucsb.edu/documents/press-release-statement-from-
national-security-advisor-robert-c-obrien-9.
    \10\ 2021-01714.pdf (govinfo.gov). https://www.govinfo.gov/content/
pkg/FR-2021-01-25/pdf/2021-01714.pdf.
---------------------------------------------------------------------------
    While the new administration is obviously within its rights to 
review and revise or withdraw any pending rulemaking, this regulation, 
with adequate input from industry and cloud users, can limit abuse of 
cloud services through increased transparency. Even in the absence of 
the regulation, it would be wise for industry to consider adopting a 
voluntary set of transparent practices that would achieve the same 
outcome, absent Federal Government intervention.
            improving federal civilian agency cybersecurity
    As demonstrated by recent Russian intelligence activities, Federal 
agencies remain at the top of the targeting list for foreign cyber 
actors. Our Nation's 101 civilian Departments and Agencies 
hold a wealth of unclassified information across a vast assortment of 
unevenly secured, monitored, and even mapped networks and systems. 
Despite an increased availability and deployment of cybersecurity tools 
via the National Cybersecurity Protection System and the Continuous 
Diagnostics 
and Mitigation (CDM) program over the last 6 years, more must be done. 
Other shifts and gaps in the Federal Government IT space have hampered 
the ability of agencies to keep pace with the threat landscape. At the 
macrolevel, there are 3 general themes that hamper our ability to 
properly secure the .gov, even after several years and billions of 
dollars invested in security. First, there is still insufficient 
funding for modernization and new security tools. Second, there is a 
need for stronger governance across agencies. And third, visibility 
into network traffic is eroding due to increased use of encryption (a 
good thing!) and a shift to cloud-based services (also a good thing, if 
done properly).
Accelerated Investment in CISA Security Programs
    Investing in Federal IT is not a one-shot deal; maintaining a 
modern and secure environment is simply the cost of doing business in 
today's world. This is particularly true as more and more services go 
digital and most of the Federal workforce remains remote due to COVID 
(and may remain remote for the foreseeable future). In the face of 
these shifts and the attackers' relentless efforts to find seams in our 
defenses, Congress must not blink, even in the wake of the SolarWinds 
supply chain compromise.
    The CDM program remains the critical core of Federal cybersecurity, 
though it is not currently deployed broadly or deeply enough in part 
due to agency ability to deploy at scale quickly, underestimation of 
required services, and funding constraints. CDM focuses on who and what 
makes up the network, including assets, identity, and data. Recently, 
NDAA Section 1705 authorized CISA to conduct proactive threat hunting 
across civilian networks, a key development in improving visibility 
across the 101 agencies. For this advancement to be successful, CISA 
will need to deploy detection capabilities, hire analysts to conduct 
the activities, gain access to the appropriate data, and the buy-in and 
cooperation from the agencies CISA is hunting across. With accelerated 
capability coverage and additional Federal agency support through 
expanded financial resources, CDM will more effectively and efficiently 
serve Federal agencies to search for and where necessary remediate 
Russian actor intrusions. CDM can also serve as a force for change and 
modernization across the Federal Government. Last spring, as COVID 
sprung up and threat actors targeted Health and Human Services 
networks, the program rapidly responded to help HHS upgrade security 
and systems to protect pandemic response and research. [sic] can be a 
catalyst for continued IT and cyber modernization across the Federal 
enterprise.
Stronger Governance Across Federal Civilian Agency Networks
    At the governance level, roles and responsibilities across the 
Federal Government are unclear, potentially further complicated by the 
newly-authorized National Cyber Director (NCD) created by Section 1752 
of the NDAA. Regardless of the organizational structure, the Executive 
branch must establish a comprehensive strategy and vision for Federal 
network modernization and security, drawing in the Budget side of the 
Office of Management and Budget (OMB) to coordinate and consolidate 
budgetary oversight, the Federal CISO as the policy framer, CISA as the 
tool provider and enforcer of security policy. The respective roles and 
responsibilities of the Federal CISO and CISA should also be examined. 
In effect, CISA is serving as the operational CISO for the Federal 
Government, particularly with the recent NDAA authorities--this 
position should be strengthened. Federal agencies are of course a part 
of this effort, but as time and our adversaries have proven, there are 
currently not enough technical resources and personnel available at the 
individual agency level to meaningfully protect the .gov in 101 
different instantiations. Therefore, the Federal Government must set 
very clear cybersecurity expectations and standards for agencies and 
Congress should fund those expectations. There should be two paths for 
agencies to choose: (1) You either meet the enhanced standards set out 
or (2) CISA can do it for you. The first option, while achievable and 
likely appealing to agencies mature and confident in their ability to 
manage their enterprise risk, will also require funding unavailable to 
most agencies. Even then, it is economically inefficient for even the 
most mature agencies if a comparable offering exists elsewhere.
Increasing Visibility Through Centralized Services
    The second option plays into the third area for improvement, 
increased visibility through centrally-managed services. The NDAA 
threat-hunting authorities provided to CISA will provide increased 
visibility at the host level, however, there are additional visibility 
gaps that need to be addressed. For example, as agencies have shifted 
to cloud-based services--particularly during the pandemic--CISA lost 
visibility into network traffic. That decrease in visibility is in part 
due to increased encrypted traffic, but also because the entire point 
of modern cloud-based ``Workplace as a Service'' is for the user to 
interact directly with the cloud rather than back to the agency's network 
via a trusted connection. To do this securely, however, requires 
consistency and discipline in implementing the appropriate security 
controls, as well as collecting and maintaining the forensic records to 
empower detection, analysis, and response. To ensure consistency and 
appropriate logging, CISA should work with OMB and GSA to create a 
customer-centric, security-first hardened cloud-based email 
environment. This approach would be economically sensible at the macro 
and micro levels and would be centrally defensible to adversary 
attacks.
    Even this may be too permissive of an arrangement and only a half-
step toward the most logically defensible arrangement for civilian 
agencies--a centrally-managed and secured ``Govnet.'' Common services 
that touch the public internet, including email, should be consolidated 
as much as possible, ideally by CISA's Quality Service Management 
Office (QSMO).\11\ Such a configuration would clearly be an attractive 
target to attackers, and yet by consolidating security teams, 
visibility, and ability to act, a more resilient infrastructure is 
possible.
---------------------------------------------------------------------------
    \11\ Cyber QSMO Marketplace/CISA.
---------------------------------------------------------------------------
                               conclusion
    The piece parts are in place for our Nation to dramatically improve 
our cybersecurity defenses. We need to as a society accept that, 
yes, each and every organization in the country whether private sector 
or Government, can be targeted by a cyber actor. And no, the Government 
is not going to save you. And yes, there is something that you can do 
about it, in fact you have a responsibility to your customers, 
stakeholders, and depending on where you sit in the economy, a 
responsibility to the country.
    The key ingredients needed are leadership awareness and commitment 
in the private sector and a bolder vision from Government. That alone 
will not immediately solve the problem, but with those two pieces 
folded together, investment will follow, defenses will improve, and 
organizational and economic resilience will increase. It will take time 
and we will never reach or even see a finish line. Cybersecurity is an 
ever-evolving discipline, and the threat actors are motivated by a 
variety of incentives that we may never fully comprehend. But change 
for the better is possible, we just need to stop waiting for it to 
happen to us and instead, to quote Mahatma Gandhi, ``be the change we 
wish to see in the world.''
    Thank you not only for this opportunity to testify before the 
committee today on this critical issue, but also for your partnership 
over the last several years. I have no doubt that my successor will 
enjoy a productive working relationship with the committee and that 
together we can continue to improve the Nation's cybersecurity and 
resilience.
    I look forward to answering any questions you might have.

    Chairman Thompson. Thank you very much.
    I now ask Ms. Gordon to summarize her statement for 5 
minutes.

STATEMENT OF SUSAN M. GORDON, FORMER PRINCIPAL DEPUTY DIRECTOR 
 OF NATIONAL INTELLIGENCE, OFFICE OF THE DIRECTOR OF NATIONAL 
                          INTELLIGENCE

    Ms. Gordon. Good afternoon, Chairman Thompson, Ranking 
Member Katko, and distinguished Members of the committee. I am 
absolutely delighted to be here to testify on this issue of 
utmost National security interest. It is great to see you all 
again, even as a private citizen and not as your principal 
deputy director of national intelligence.
    There is little more important work we do as a Nation and 
as a free and open society than that which you are tackling 
here today and in the days to come.
    I am here today to discuss 3 aspects of the issue: The 
nature of the cyber threats we face and that are emerging, the 
domains in which those threats manifest, and the imperatives 
that must drive solutions. My colleagues will discuss the 
specifics of recent attacks and proffer specific next steps. I 
hope to put each of those in context.
    First, in terms of threat, offensive cyber capability is a 
global commodity, the means by which every interest of our 
adversaries and competitors is increasingly achieved. In a 
digitally-connected world, one need not travel great physical 
distance or expend great resource to achieve malign outcome.
    Fifteen years ago, offensive cyber was the tool only of the 
great powers, wielded in a largely unconstrained environment 
with very specific, narrow intention against Governmental 
targets. Today, while it is especially destructive in the hands 
of some, like Russia and China, it is a tool of anyone who 
wants to do harm. While some are more capable than others of 
achieving strategic impact, all are capable.
    In the hands of malign actors, cyber action can have 
physical, political, military, economic, and societal impact, 
as we have just witnessed this past year with ransomware 
attacks, intellectual property theft, theft of PII, 
disinformation campaigns, intelligence collection, and 
disruption of service.
    We need to stop acting like these attacks are special or 
rare or somehow beyond our ken or ability to respond because 
they are happening digitally. This digital activity has 
physical consequence, and the outcomes that cyber actors are 
producing threaten our National security, sometimes in 
isolation, sometimes in aggregate.
    In terms of domain, it used to be that governments held all 
the vital information, the secrets worth stealing, and wielded 
all the power and made all the decisions worth influencing. No 
longer. The engine of our great society also lies in our 
companies and our communities, and the decisions made in 
boardrooms and voting booths have global impact. As private 
companies and private citizens have become a threat surface, 
they, too, must receive National attention.
    Threat actors today target whatever and whomever serves 
their purpose: Government and non-Government, critical 
infrastructure and private citizens, academic institutions and 
research centers, huge multinational corporations, and small 
businesses.
    While in some cases the victim is the target, sometimes 
they are just the transportation and access to the intended 
quarry. Said differently, if you aren't the target, you may 
still be targeted. No one--no one--gets off free.
    But most of all what we are seeing today are attacks on the 
most important aspect of free and open societies: Trust, in all 
its instantiations. We cannot allow that to continue undeterred 
and unthwarted.
    Enough problem-identifying; I am with you. Your purpose, 
our collective purpose, and one that I know my fellow witnesses 
and I will commit ourselves to with you is to find a solution. 
Let me offer a few imperatives or first principles to guide 
your next steps.
    First, solutions cannot be exclusively Federal or 
exclusively Governmental or exclusively United States. The 
Cyber Solarium report is a remarkable, important document, and 
it produced outstanding recommendations, and yet they focused 
more on Government response than shared responsibility with the 
private sector or other partners. There is opening here for 
new.
    Second, solutions cannot be exclusively technical. For all 
our advances in network security, security is most effective 
when it addresses the entire operating ecosystem. There is no 
technology magic bullet. The best solutions address personal, 
physical, and operational security in combination.
    Solutions cannot be only for the resource-rich. Since we 
are all connected, the least of us can affect the whole of us. 
Solutions cannot focus solely on single entities. Every 
organization is part of the larger end-to-end system. Did 
SolarWinds understand the responsibility they carried when they 
sold their products to the Treasury Department?
    On a personal note, intelligence must also be more widely, 
more openly shared, especially about intent. I know that that 
is anathema to my former colleagues because knowing an 
adversary's intent is our most closely guarded advantage. But 
if we don't share it more broadly, how will a non-Governmental 
entity ever get ahead of their attackers?
    Finally, we need to bring the problem into the light, 
ruthlessly, because evil can't survive there. There is still 
too little sharing, for many reasons, none of which are 
sufficient in light of the exposure we face by not taking 
advantage of our shared knowledge. Security and trust 
disproportionately favor the good guys, and we need to press 
our advantage.
    To close out, I offer that we must approach today's 
rapidly-changing posture with continually-evolving practices. 
Where we have previously focused on tangible threats, we must 
now constantly face those that are intertwined and are part of 
the digital environment.
    I look forward to your questions more. I look forward to 
being a resource for you as we find our way forward and 
overcome this threat, as we have so many in the course of our 
history. I look forward to your questions. Thank you so much 
for the opportunity.
    [The prepared statement of Ms. Gordon follows:]
                 Prepared Statement of Susan M. Gordon
                            10 February 2021
    Good afternoon, Chairman Thompson, Ranking Member Katko, and 
distinguished Members of the committee. Thank you for the opportunity 
to testify on this issue of National security interest--cybersecurity 
and resilience. It's great to see you again, even as a private citizen 
not your principal deputy director of national intelligence.
    Though my colleagues and I sitting before you all come from 
different backgrounds and have different perspectives on the issue, I 
think we all believe there is little more important work we can do as a 
Nation and as a free and open society than that which you are tackling 
here today and in the coming days.
    I am here to discuss 3 aspects of the issue: The nature of the 
cyber threats we face and that are emerging, the domains in which those 
threats manifest, and the imperatives that must drive solutions. My 
colleagues will discuss the specifics of recent attacks and proffer 
specific next steps; I hope to put those in context.
    First, in terms of threat, offensive cyber capability is a global 
commodity--the means by which every interest of our adversaries and 
competitors is increasingly achieved. In a digitally connected world, 
one need not travel great physical distance or expend great resource to 
achieve malign outcome.
    Fifteen years ago, offensive cyber was the tool of the great 
powers, wielded in a largely unconstrained environment, with very 
specific, narrow intention against governmental interests. Today, it is 
the tool of criminals, nation-states, and non-nation-state actors, and 
while some are more capable than others in achieving strategic impact, 
all are capable. In the hands of malign actors, it can have physical, 
political, military, economic, and societal impact, as we have 
witnessed just this past year with ransomware attacks, intellectual 
property theft, theft of PII, disinformation campaigns, 
intelligence collection activity, and disruption of service.
    We need to stop acting like it's special, or rare, or somehow 
beyond our ken or ability to respond because it's happening digitally. 
This digital activity has physical consequence. The outcomes that cyber 
actors are producing threaten our National security.
    Second, in terms of domain, it used to be that governments held all 
the vital information (kept the secrets worth stealing) and wielded all 
the power (made all the decisions worth influencing). No longer. The 
engine of our great society lies in our companies and our communities, 
and the decisions made in board rooms and voting booths can have global 
impact, so the threat surface includes private companies and private 
citizens, and their decisions can have direct effect on National 
security as surely as it would if they held Government position.
    Threat actors today target Government and non-Government, critical 
infrastructure and private citizens, academic institutions and research 
centers, huge multi-national corporations and small businesses. While 
in some cases the victim is the target, sometimes they are just the 
transportation and access to the intended quarry. Said differently, if 
you aren't the target, you might be targeted--no one gets off free. But 
most of all, what we're seeing today are attacks on the most important 
aspect of free and open societies--trust--and we cannot allow that to 
continue.
    Success of the opportunistic predator often can be thwarted by the 
cyber equivalent of locking the front door and putting your valuables 
in a safe. But in the case of relentless pursuers--most likely nation-
states with massive resources and strategic patience--success can only 
be thwarted by understanding the intention of the actor and committing 
to whole-of-organization, whole-of-Nation, whole-of-society persistent 
attention to risk management.
    Third, enough problem identifying. Your purpose--our collective 
purpose--is to find a solution. Let me offer some imperatives or ``first 
principles'' to guide next steps.
   Solutions cannot be exclusively Federal, or exclusively 
        Governmental, or exclusively United States.
   Solutions cannot be exclusively technical.
   Solutions cannot be only for the resource-rich.
   Solutions cannot focus solely on single entities.
   Intelligence must be more widely, more openly shared, 
        especially about intent.
   Bring the problem into the light, ruthlessly, because evil 
        can't survive there.
    To close out with these principles in mind, and in the pursuit of 
solutions, I offer that we must approach today's rapidly-changing 
threat posture with continually-evolving defense practices. Where we 
previously focused on tangible threats, we must now constantly be 
adapting to the challenges presented by the digital world. To achieve 
this defensive agility, the intelligence community, Government, 
industry, and must work closer together.
    I look forward to your questions. Thank you.

    Chairman Thompson. Thank you very much.
    I now ask Mr. Daniel to summarize his statement for 5 
minutes.

 STATEMENT OF MICHAEL DANIEL, PRESIDENT AND CEO, CYBER THREAT 
                            ALLIANCE

    Mr. Daniel. Thank you, Mr. Chairman and Ranking Member 
Katko and other distinguished Members of the committee, many of 
whom I have worked with before in various capacities, so it is 
a pleasure to be here before you today.
    I appreciate and applaud you for taking the time to 
actually have this hearing so early in the sequence for this 
Congress. It shows the importance that you place on this issue.
    As our previous 2 witnesses have said, the cyber threats 
facing this Nation are urgent and they are serious. So I am 
going to talk about 3 aspects, though, of the cybersecurity 
issue, of the cyber threats that we face, that should shape how 
this committee thinks about and how we as a Nation have to 
think about improving our ability to address this problem.
    The first one of which is that, just as important as the 
urgency and the seriousness of the threat, the threat is 
getting steadily worse. There are really 5 trends that are 
driving this evolution.
    First is growth. Cyber space as an environment is literally 
getting bigger every second, because we keep hooking more and 
more devices up to the internet. No other domain--land, sea, or 
air--exhibits this behavior of steady and remarkably almost 
exponential growth.
    But also diversity. The kinds of devices that we are 
hooking up to the internet are wildly varying now. It is no 
longer just about wired desktops or laptops, but about watches 
and cars and industrial control systems like water plants.
    It is also about danger. It is no longer that we are 
talking about simple website defacement or even theft of 
information, but now effects, physical effects, through cyber 
space can cause harm and even death.
    It is also about numbers. As Sue was just talking about, 
everybody and their cousin, practically, is now involved in 
cyber space--terrorists, hacktivists, nation-states, criminals. 
The numbers are quite staggering. Everyone has discovered that 
cyber is a good way to carry out their interests and achieve 
their agenda.
    Finally, dependence. We, as a society, as Representative 
Katko pointed out, are highly digitally dependent. So things 
and disruptions that would have 25 years ago been minorly 
annoying are now organizationally catastrophic if they occur.
    Another aspect of the nature of cyber space and 
cybersecurity is how it crosses boundaries and how it crosses 
silos. There is no other issue that I have looked at in public 
policy that is as ``inter-'' anything you want to put in there.
    It is interagency. We cannot successfully simply take cyber 
and make it the responsibility of any one agency in the Federal 
Government. That simply will not work. Nor can we create an 
agency that can take all of those different aspects of 
cybersecurity and have that function either. So it is 
inherently an interagency issue.
    It is also an intergovernmental issue, meaning that it is a 
State and local issue just as much as it is a Federal issue, as 
the elections that we just had back in November amply 
demonstrate.
    It is an international issue because it crosses boundaries 
and borders. As Chris Krebs pointed out, you know, the majority 
of the malicious activity actually emanates from foreign 
places.
    It is inherently public and private at the same time, 
because the vast majority of cyber space is owned and operated 
by the private sector.
    Finally, there is also the issue of our mindset. We do not 
have the right mindset to actually think about cybersecurity 
correctly. In many ways, we suffer from problems that--of how 
we approach the problem that hinder our ability to tackle it 
well.
    First of all, as Sue said, it is not just a technical 
problem, and we want to make it that--one that we can simply 
buy a gadget to fix. But it is not. It is an economic, it is a 
business, it is a privacy issue, a National security, law 
enforcement, psychological problem all rolled into one.
    We also want to make it a problem that we can solve. But, 
as you will hear many of us talk about, you can never solve 
this problem. We will never achieve 100 percent security. So it 
is a risk, instead, that we have to manage.
    We also tend to think about keeping our adversaries out of 
networks, but that is not going to work either. We can never 
keep them out of a network. Instead, we need to think about how 
we thwart the goals that our adversaries are trying to achieve, 
rather than simply keeping them out. That will give us many 
more bites at the apple.
    We also tend to try to make cyber space work like the 
physical world, but it doesn't. The physics and math of cyber 
space are different. It is a nodal network that operates at 
light speed, and concepts like borders and distance and 
proximity all have different meanings.
    Finally, we tend to think of cyber space as if it were some 
sort of global commons, but that is not true. Every bit of 
cyber space is owned by somebody. Those boxes and computers and 
laptops and servers all exist on somebody's territory. There is 
no equivalent to international waters in cyber space.
    So, just to conclude this, you might think that, given all 
that I have laid out, that I am actually a pessimist, but I am 
not. I actually do believe, as Sue said, that we can make cyber 
space safer and we can reduce our risk. It will be hard, and it 
will require us to be innovative not just in technology but in 
our organizational structures and processes and laws and 
policies as well, but I believe we can do these things.
    I look forward to your questions and working with the 
committee on this topic. Thank you very much.
    [The prepared statement of Mr. Daniel follows:]
                  Prepared Statement of Michael Daniel
                           February 10, 2021
    Thank you for the opportunity to appear before you today for this 
hearing on Homeland Cybersecurity: Assessing Cyber Threats and Building 
Resilience. My name is Michael Daniel, and I am the president & CEO of 
the Cyber Threat Alliance (CTA)--an information-sharing organization 
that now includes 32 of the world's leading cybersecurity companies. 
Prior to CTA, I served for over 20 years in the U.S. Federal 
Government, including 4½ years as special assistant to President 
Obama and cybersecurity coordinator at the National Security Council.
    Let me begin my testimony by thanking the committee for holding a 
hearing on this important issue. The cybersecurity threats facing the 
United States are significant, urgent, and potentially life-
threatening--and our Nation must improve its ability to counter them. 
This committee plays a key role in enabling the Federal Government to 
meet this challenge. This testimony will lay out the cyber threat 
landscape the United States faces, the types of adversaries conducting 
cyber operations, and some long-term goals and principles to address 
these threats. I will also touch on Federal Government organization, 
Federal agency cybersecurity, and how to think about cybersecurity in a 
more productive manner.
                       the cyber threat landscape
    We live in a digital age. Digital technologies increase efficiency 
and productivity, shrink distances, and enable new ways of working and 
connecting. However, digitization also brings challenges and potential 
vulnerabilities that--left unchecked--threaten to undermine our 
National security, economy, and public health and safety. Although the 
United States faces a myriad of cyber threats, 5 trends are making 
these threats worse over time:
    (1) Cyber space is expanding.--As we connect more devices to the 
internet, we are making cyber space bigger. It is the only human 
environment that is continually expanding at a meaningful pace. Land, 
sea, air, and near-earth orbit are not growing to any appreciable 
degree, but cyber space is different. While estimates vary, everyone 
agrees that the growth is enormous. For example, Cisco conservatively 
estimates that by the end of 2021, 27.1 billion devices will be 
connected to the internet, an increase of 10 billion devices since 2016. 
That figure translates to 5.5 million devices per day or 60 devices 
every second.
    (2) Cyber space is becoming more heterogeneous.--Beyond raw 
expansion, the variety of devices connected to the internet keeps 
increasing. These devices are not just desktops, laptops, or 
smartphones. They are light bulbs, refrigerators, cars, thermostats, 
sensors, machine tools, dams, water purification plants, oil rigs, toll 
collectors, and thousands of other ``things''--a huge array of 
different kinds of devices with different functions, protocols, and 
security features. The combined growth in volume and heterogeneity 
makes effective cyber defense extremely difficult.
    (3) Malicious cyber actors are becoming more numerous.--The number 
of malicious actors in cyber space continues to grow rapidly as 
hacktivists, criminals, and nation-states all learn that they can 
pursue their goals relatively cheaply and effectively through cyber 
space. The barriers to entry are low and the potential return on 
investment is high. As a result, the volume and frequency of malicious 
cyber activity is increasing dramatically.
    (4) Cyber threats are becoming more dangerous.--As recently as a 
decade ago, cyber actors generally limited their malicious activities 
to stealing money or information, temporary denial-of-service attacks, 
or website defacements (the digital equivalent of graffiti). But over 
the last 10 years, malicious actors have shifted to more destructive 
and disruptive activities. The physical disruption of the Ukrainian 
power grid, the use of cyber-enabled information operations to 
influence electoral processes, the release of the destructive NotPetya 
malware, and the scourge of ransomware are all examples of this trend.
    (5) Cyber incidents are becoming more disruptive.--As we have become 
more and more digitally dependent, the potential impacts of a cyber 
incident have also increased. It is becoming harder for us to operate 
without access to the internet; the need for a significant portion of 
the workforce to work remotely during the pandemic highlights that 
dependence. What would have been a nuisance a few years ago can now 
kill people if they cannot get access to timely medical care due to a 
network outage.
Specific threats
    Within these broad trends, I would highlight 2 specific threats:
    Ransomware.--Over the last couple of years, one key threat that has 
emerged is ransomware. This malware encrypts data on a victim's system 
and in order to regain access to the data, the victim has to pay a 
ransom. In addition, adversaries are also stealing private information 
prior to encrypting it and threaten to release the data publicly or 
onto the dark web if the victim does not pay. This threat has grown to 
such a degree that it is no longer just an economic nuisance but a 
National security and public health and safety threat.
    Operational Technology malware.--For many years, the computers that 
run operational processes in manufacturing, power generation, water 
distribution, and other industrial activities were largely proprietary 
and difficult to access from the internet. However, these systems are 
becoming increasingly connected and more standardized. As a result, the 
ability for adversaries to target and disrupt these systems has 
increased. A cyber attack against one of these systems would have a much 
higher impact across our digital ecosystem than the typical criminal 
activity.
                           cyber adversaries
    While the number of malicious actors in cyber space can seem almost 
limitless, these adversaries are typically operating as 1 of 4 types. 
Each type has different goals, motivations, and resources, and while 
individuals can operate as different types at different times, this 
typology is useful for thinking about how to counter the activities of 
a specific type.
    Terrorists.--Many terrorist groups make extensive use of cyber 
space for recruiting and communication, but fortunately very few are 
able to undertake disruptive or destructive actions. However, these 
groups almost certainly have aspirations to conduct visible, 
spectacular attacks and if a nation-state decides that it is in their 
interest to train and equip a terrorist group, the result could be a 
destructive attack.
    Hacktivists.--This type of actor has decreased in importance over 
the last few years, but they can still cause problems. Their motivation 
is primarily to gain attention for their cause or embarrass their 
opponents. While they might be OK with harming a ``corporation'' or a 
Government agency, they generally are not interested in causing wide-
spread, permanent harm.
    Criminals.--These actors are by far the most prevalent in cyber 
space. The motivation for these actors is simple: Money. They can be 
quite innovative and creative, but money is the driver. They are 
unlikely to spend time and resources trying to gain access to just one 
target; if their first few attempts fail, they will move on to the next 
target, just like in the physical world.
    Nation-states.--These actors are pursuing their National security 
or foreign policy interests through cyber actions. Such interests can 
include espionage, influence operations, theft of intellectual property 
and trade secrets, deterrence, low-grade conflict and disruption, or 
destruction. While some nation-states have less technical capability 
than some high-end criminal groups, nation-states generally have 
discipline, patience, personnel, and complementary capability (such as 
dedicated intelligence agencies) to bring to bear.
                            long-term goals
    Given these trends and malicious actors, the U.S. Government should 
pursue 3 long-term goals to counter the cyber threats we face. It 
should seek to raise the level of cybersecurity and resilience across 
our digital ecosystem; disrupt adversaries at a faster pace and larger 
scale; and respond more effectively to cyber incidents when they occur.
    Raise the level of cybersecurity across the ecosystem.--Despite a 
growing recognition that cyber threats affect everyone, many 
organizations still have not implemented basic cybersecurity measures, 
such as two-factor authentication, and very few have reached a high 
level of maturity, even those that manage or perform critical National 
functions. They also have not developed sufficient resilience to cyber 
incidents. Given this situation, the Federal Government should aim to 
improve cybersecurity and resilience across the board. Setting such a 
goal does not require the Government to treat all organizations the 
same or not prioritize some functions over others; in fact, achieving 
this goal requires such prioritization. However, given the 
interconnected and interdependent nature of cyber space, the goal 
should be that all organizations reach a level of cybersecurity 
commensurate with their size, industry, and overall function.
    Disrupt adversaries at scale.--Since we cannot rely on defense 
alone, the U.S. Government also needs to increase the pace and scale of 
its disruption efforts, whether against nation-states, criminals, 
hacktivists, or terrorists. Disruption should involve all the elements 
of National power, including diplomatic, economic, law-enforcement, 
cyber-technical, military, and intelligence tools. It will also require 
working with private-sector cybersecurity providers and collaborating 
internationally. While we have made significant progress in these 
activities over the last decade, we need to impose greater costs on our 
adversaries.
    Respond more effectively to incidents.--No matter how much we 
improve our defense and offense, our adversaries will sometimes achieve 
their goals. They will succeed in stealing information or money, 
causing disruption, or holding a critical function at risk. To deal 
with those situations, the Federal Government needs to be able to deal 
with such incidents rapidly and efficiently, enabling private-sector 
owners and operators to restore functionality expeditiously.
    The U.S. Government could achieve these goals in different ways; 
indeed, whole books have been written on specific aspects of these 3 
goals. However, based on my experience both in and out of Government, 
employing the following principles will increase the chance of success:
    1. Focus on comparative advantage.--The Federal Government should 
not try to replicate the technical capabilities available in the 
private sector. The technical information available to the 
cybersecurity industry is extensive, and the Government is unlikely to 
have technical information the private sector does not. However, the 
Federal Government does have unique information in the form of 
attribution, context, and a strategic viewpoint. It also has a 
comparative advantage in funding basic R&D into cybersecurity, such as 
how to reduce the exploitable error rate in computer code. While some 
private-sector entities can disrupt adversaries using a variety of 
means (such as Microsoft's legal actions), the Federal Government can 
impose costs on adversaries in ways that the private sector cannot and should 
not: Public attribution, law enforcement actions, economic sanctions, 
diplomatic actions, and other means. Focusing on each sector's 
comparative advantage will enable the collective whole to be greater 
than the sum of the parts.
    2. Incentivize good cybersecurity behavior.--While at times the 
Government may need to compel certain actions, the Federal Government 
should increase the incentives for organizations to implement better 
cybersecurity:
   Strategic use of existing regulations.--The Federal 
        Government should ensure that existing regulations promote good 
        cybersecurity behavior, not inhibit it. Most of the time, new 
        regulation is not required; instead, agencies should focus on 
        implementing regulations that are already on the books.
   Support and encourage the use of best practices.--The 
        Federal Government can be a neutral, reliable party in 
        identifying good cybersecurity practices. Two good examples are 
        the National Institute of Standards and Technology's 
        Cybersecurity Framework and the Software Bill of Materials 
        initiative.
   Drive industries to set standards of care.--Establishing the 
        generally-accepted level of cybersecurity for organizations 
        within a given industry would have a dramatic impact across the 
        ecosystem. It would remove considerable uncertainty and enable 
        businesses to plan investments. It would address concerns about 
        liability and reduce barriers to collaboration and information 
        sharing.
   Increase publicly-available information.--The Government can 
        facilitate disclosure of information that can help customers, 
        clients, shareholders, and other relevant parties take 
        appropriate defensive actions, better assess risk, and advocate 
        for improved security. Examples of such requirements could 
        include data breach reporting, information about material 
        cybersecurity risks on financial statements, and public 
        acknowledgements about how a publicly-traded company is 
        assessing and managing its cyber risk, particularly at the 
        board of directors' level. Such disclosures do not assist 
        criminals or other bad actors--they already know where the 
        weaknesses are; instead, these requirements allow market forces 
        to operate more efficiently. These requirements should be 
        standardized as much as possible at the National level and 
        harmonized at the international level to the extent possible, 
        to reduce burdens on companies and simplify reporting for 
        consumers.
    3. Reinforce stability in cyber space.--Governments should strive 
to make cyber space a stable, reliable environment in which to conduct 
business. Some key tools include:
   Transparency.--The U.S. Government should set the standard 
        for transparency about its offensive cyber capabilities. Not in 
        terms of details about tradecraft or tactics, techniques, or 
        procedures, any more than we are transparent about the 
        technical specifications for military weapon systems. However, 
        we are quite open about the fact that we have attack fighters, 
        submarines, and tanks. We should apply a similar approach to 
        our use of offensive cyber. For example, we should continue to 
        evolve our doctrine, being clear about how and when we would 
        use cyber capabilities as a tool of National power. We should 
        also be transparent about the fact of offensive cyber 
        capabilities, just as we are open about our kinetic 
        capabilities.
   International norms of behavior.--Norms can put certain 
        activities ``out of bounds.'' Not all nations will adhere to 
        all the norms all of the time, but norms can help constrain 
        behavior. Of course, we must adhere to the norms we promote--we 
        cannot be a ``do as we say, not as we do'' country. The United 
        States has been effective in this area over the last decade, 
        and we should continue to build on that success.
   Confidence-building measures.--Adapting these approaches 
        from the arms control and conflict resolution fields has promise to 
        reduce the risk of escalation due to accidents or unintended 
        consequences.
   Coalitions of the willing.--Given the divergent views among 
        nations regarding cyber space, privacy, and other issues, 
        gaining global consensus on most topics is unlikely. However, 
        this inability to reach consensus should not prevent the United 
        States from assembling coalitions of the willing. Such groups 
        will be far more effective than trying to go it alone or 
        letting the perfect be the enemy of the good.
    4. Increase resilience.--If we increase our ability to weather 
cyber attacks and maintain operations, then the value to our 
adversaries of conducting attacks decreases. Resilience also enables 
U.S. leaders to worry less about pre-empting foreign threats and 
escalating responses.
    5. Increase operational collaboration between the public and 
private sectors.--Unlike in the physical realm, governments do not have 
a monopoly on cyber ``force,'' and they are not likely to obtain such 
dominance any time soon. Therefore, the most effective action in cyber 
space will involve public and private-sector actors working together. 
Such collaboration goes beyond information sharing to synchronizing 
activity and it already occurs in certain circumstances. However, we 
need to vastly expand the scope and scale of these collaborative 
activities if we want to have a meaningful impact on our adversaries.
                    federal government organization
    Given the seriousness of the threats and the broad nature of the 
long-term goals I have outlined, reviewing the Federal Government's 
structure, agency roles and missions, and coordination capabilities 
makes sense. However, traditional policy solutions usually do not work 
for cybersecurity due to 4 unusual aspects about the issue.
Cybersecurity is inherently interagency
    Bureaucracies prefer issues that fit neatly into one organization's 
mission. Cybersecurity is almost the exact opposite. It is a National 
security, military, intelligence, economic, public safety, privacy, 
diplomatic, law enforcement, business continuity, and internal 
management issue all rolled into one. It touches every Federal 
department and agency, and many Federal organizations have a 
legitimate, necessary role in cybersecurity. Thus, cybersecurity far 
exceeds any current agency's remit. Trying to stuff the whole issue 
inside one existing department or agency will fail.
    Creating a ``Department of Cybersecurity'' will not work either--
in fact, it would be a disaster. Cybersecurity is too integral to too 
many agencies' missions to centralize those functions in one 
department. We cannot remove cyber investigations from the FBI, 
oversight of financial service companies' cybersecurity from Treasury, 
incident response from DHS, and offensive cyber operations from the 
Department of Defense and consolidate them inside one department. FBI, 
Treasury, DHS, and DOD would end up recreating those functions to 
support their core missions. We would end up with even more complexity.
    At the same time, cybersecurity's different aspects are not 
independent--they interact with each other constantly, sometimes in 
unexpected ways. Military cyber operations can disrupt intelligence 
activities or law enforcement investigations. Treasury sanctions could 
upset diplomatic negotiations. DHS's focus on mitigation could hinder 
DOJ's ability to prosecute a cyber crime--or vice versa. Network 
defenders want information from the private sector, but many in the 
private sector are worried about regulatory action if they share.
    As a result, we can employ neither of the standard government 
approaches to emergent issues--make it one agency's mission or create 
mutually-exclusive agency siloes for different aspects of the problem. 
Instead, we must weld these disparate activities together into a single 
whole through regular, intense, sustained interagency coordination. 
Such coordination does not occur naturally in any government or large 
bureaucracy: Personnel have limited incentives to coordinate activities 
across departmental and agency lines. That is not a moral failure or 
laziness, but a reality of human psychology. Instead, we must account 
for this facet of human nature and design our systems accordingly.
Inherently intergovernmental
    Cybersecurity also affects governments at all levels, from 
municipalities to counties to State governments. It does not 
exclusively belong to the Federal Government. As cybersecurity has 
become a more pressing issue for organizations of all kinds and the 
threat of disruptive or destructive activity has grown, the need to 
incorporate State, local, territorial, and Tribal governments into our 
cybersecurity activities has grown. For example, State, local, 
territorial, and Tribal (SLTT) governments play a crucial role in a 
critical National function, elections. As a matter of democratic 
principle, we want to maintain SLTT control over elections; on the 
other hand, expecting an SLTT organization to defend itself against the 
Russians or Chinese without Federal help is foolish. Therefore, we need 
to enable the Federal Government to collaborate more effectively with 
SLTT entities. In particular, the Federal Government will likely need 
to allocate additional resources to improving SLTT cybersecurity. 
However, we cannot make cybersecurity exclusively a Federal or SLTT 
issue.
Inherently international
    Cyber threats cross international boundaries quite fluidly. During 
my time at the White House, virtually no issue was exclusively 
domestic. If nothing else, much of the cyber crime that afflicts U.S. 
citizens and businesses has an international connection. On the flip 
side, what we do domestically has implications abroad. Therefore, 
countering the threats we face requires significant international 
collaboration and cooperation.
    Further, the international cyber environment is very complex, with 
many overlapping and intertwined issues. Internationally, cybersecurity 
involves diplomatic relations, law enforcement cooperation, financial 
interactions, trade issues, intelligence collaboration, and military 
operations, not to mention technology and competitiveness concerns. 
Trying to confine cybersecurity to a specific channel or type of 
interaction will not work.
Inherently public and private
    Finally, cybersecurity forces the Government and the private sector 
into a different kind of relationship. Traditionally, the Government is 
either a regulator or a customer for the private sector. While the 
Government does have those relationships in cybersecurity, the 
Government and private sector can have a third type of relationship in 
this area, that of partner or peer. This peer relationship stems from 
the fact that the private sector owns and operates the vast majority of 
cyber space, has equivalent (or better) technical insight and 
capability, and can take action that affects much of cyber space 
without the Government. This type of peer relationship is relatively 
new and we do not have the necessary laws, policy, procedures, or even 
vocabulary to fully manage it, other than the overused public-private 
partnership term. Thus, we need to fully develop the laws, policies, 
and procedures to govern this type of interaction, so that the 
relationships remain aligned with our overall sense of equity and 
appropriate roles for Government versus the private sector.
                      federal agency cybersecurity
    In December, several private-sector companies identified malicious 
activity that enabled the Federal Government to unravel an incredibly 
broad cyber-enabled espionage campaign. This intrusion effectively gave 
the Russian government unfettered access to numerous unclassified U.S. 
Government networks for over 9 months. It is difficult to overstate the 
intelligence value the Russians gained from this access or the likely 
damage to our National security. That said, based on the publicly-
available information, the activity associated with this intrusion 
appears to consist of espionage, something in which all States engage. 
As a result, although extremely damaging to our National security, this 
intrusion is not an ``attack.''
    The fact that the intrusion does not constitute an attack 
necessarily constrains the U.S. response. ``Constrain'' does not mean 
``prohibit.'' We should respond forcefully to this intrusion through 
diplomatic channels, such as by expelling Russian diplomats or exacting 
a cost in other venues. We should also signal that if the incident 
turns out to involve activities other than espionage, the United States 
reserves the right to escalate accordingly. But we should carefully 
calibrate our response with the knowledge that the United States also 
conducts cyber-enabled espionage.
    Regardless of the U.S. response, the intrusion revealed some on-
going weaknesses in Federal cybersecurity structure, practices, and 
funding. While the 2021 National Defense Authorization Act included 
several provisions that directly address some of these weaknesses (for 
example, authorizing CISA to conduct threat hunting across Federal 
civilian agencies), the Federal Government still needs to aggressively 
reduce its cyber risk. First, it needs to continue consolidating 
cybersecurity services within a smaller number of agencies; just as 
with payroll services, only a small number of agencies should provide 
cybersecurity services to most Federal agencies. Second, Congress needs 
to enable agencies to retire their legacy IT systems at a much faster 
rate. Replacing legacy systems would reduce cyber risk, improve 
productivity, and enhance service delivery. The $9 billion for 
cybersecurity originally proposed in the Biden administration's 
American Rescue Plan would help achieve this goal, especially resources 
allocated to the Technology Modernization Fund.
            what we can expect from private-sector companies
    This topic is a sensitive one. On the one hand, we do not want to re-
victimize organizations that have suffered an intrusion, theft, 
disruption, or destructive attack; moreover, since no organization can 
prevent all intrusions all of the time, just because a company 
experiences a breach does not mean it has failed--it might have really 
excellent cybersecurity. On the other hand, companies have a 
responsibility to protect customer data or access to other 
organizations, which means implementing at least some cybersecurity 
measures, so it is also possible for a company to be negligent in this 
regard. The question lies in distinguishing which situation a company 
is in. Threading this needle is one of the key policy challenges for 
the United States right now.
    The solution lies in establishing standards of care for 
cybersecurity. These standards should vary, depending on factors such 
as size, industry, function, geography, etc. Standards of care exist in 
many industries for areas such as safety; sometimes the standards are 
entirely industry-driven and sometimes they are backed up by regulation. 
These standards should not be static checklists and will need to be 
flexible enough to evolve as technologies and threats change.
    Despite developing and implementing standards of care, the 
resulting improvements to cybersecurity will still be insufficient to 
thwart dedicated nation-state intruders. In fact, no amount of 
cybersecurity investment will prevent a determined nation-state from 
gaining access all of the time. Therefore, we should not expect 
individual companies to defend themselves against highly-capable 
nation-states, such as Russia or China, by themselves. The Federal 
Government should be able to quickly come to the aid of an organization 
facing a nation-state threat, whether at the request of the targeted 
organization or based on its own knowledge.
           how to think about cybersecurity in the long-term
    This testimony has identified multiple challenges for improving 
cybersecurity in the United States. While cybersecurity may seem like 
an impossible task, the truth is that we can improve our cyber 
defenses. The answer is not purely technological, although technology 
is certainly required. The primary change we need to make is in our 
mindset. We need to change how we think about cybersecurity in several 
ways:
   Adopt a risk management approach.--Cyber threats are risks 
        to be managed, not problems to be solved. We will never 
        eliminate cyber threats entirely, nor will we reach a point of 
        100 percent security. Therefore, we need to think in terms of 
        risk management. Just as a company can never eliminate the risk 
        of bad weather disrupting operations, we need to treat cyber 
        threats as a long-term risk management problem.
   Use more than technology to counter the threat.--Managing 
        cyber risk effectively involves more than just employing 
        technical solutions. Technology is necessary but insufficient 
        for addressing cyber threats. Instead, we need to bring 
        economic, psychological, organizational, process, policy, and 
        legal tools to bear on the problem. Only by combining all these 
        tools can organizations manage their cyber risk effectively.
   Prevent adversaries from achieving their goals.--If we think 
        about cybersecurity from a ``castle and moat'' perspective, we 
        will invariably fail. No organization can prevent all 
        adversaries from gaining access to its networks all the time. 
        Instead, if we think of cybersecurity as preventing the 
        adversary from achieving their goals, then we get many more 
        opportunities for success. If we define success as preventing 
        the adversary from achieving their goal at any point along the 
        way, then instead of defenders having to be ``right'' 100 
        percent of the time, the adversary has to make zero mistakes at 
        every step. That mindset provides many more opportunities to 
        thwart the adversary than the old castle-and-moat approach.
   Recognize that cyber space is not a global commons.--One key 
        barrier to thinking about cybersecurity effectively is that 
        because we cannot ``see'' cyber space directly, it feels 
        divorced from the physical world. As a result, we often act as 
        if cyber space is an amorphous domain that resembles the oceans 
        or the atmosphere. In turn, this view leads us to act as if 
        cyber space has large unclaimed, ``international'' zones 
        equivalent to international waters or air space. But cyber 
        space is intimately tied to territory. It exists due to 
        computers, servers, and other devices that are all owned by a 
        person or organization and residing on someone's territory. 
        This recognition has significant implications for how we should 
        view cyber operations in the international context, and the 
        rules under which we want to conduct them. I want to be clear 
        that adopting a view that cyber space is tied to territory 
        does not mean the United States has to accede to the Russian 
        and Chinese governments' view that the state should completely 
        dominate cyber space, controlling everything from access to 
        content. This conceptual approach should, however, shape how 
        the U.S. Government and other aligned nations act and operate 
        in cyber space.
                               conclusion
    Based on this testimony, many people might conclude that I am a 
pessimist when it comes to cybersecurity. It is easy to be overwhelmed 
by the volume of malicious activity and become fatalistic about 
cybersecurity threats. However, I reject such fatalism. While we will 
never eliminate cyber threats entirely as long as we live in a digital 
world, we can improve our cyber defenses and resilience, disrupt our 
adversaries, and respond to events when they occur. If we achieve these 
goals, then we can continue to reap the benefits and minimize the cost 
of an increasingly connected world. Fundamentally, cyber space is a 
human-created domain and that means humans can choose to make it safer.
    Thank you.

    Chairman Thompson. Thank you very much for your testimony.
    I now ask Mr. Alperovitch to summarize his statement for 5 
minutes.
    I apologize if I butchered your name, but I did the best I 
could.

STATEMENT OF DMITRI ALPEROVITCH, EXECUTIVE CHAIRMAN, SILVERADO 
                       POLICY ACCELERATOR

    Mr. Alperovitch. Thank you, Mr. Chairman.
    Chairman Thompson, Ranking Member Katko, distinguished 
Members of the committee, thank you for inviting me to testify 
today.
    I have spanned my 25-year career working in the 
cybersecurity industry, including as co-founder of CrowdStrike, 
now the world's largest cybersecurity firm. Now, as the founder 
of Silverado Policy Accelerator, a new bipartisan public policy 
organization focused on National security, foreign policy, and 
cybersecurity, I am exploring new ways to work with policy 
makers to strengthen our approach to the challenges that 
threaten American prosperity and National security.
    Almost half a decade ago, I coined the phrase that we do 
not have a cyber problem; we have a China, Russia, Iran, and 
North Korea problem. These countries are the 4 primary 
adversaries whose malignant activity we try to counter in cyber 
space on a daily basis, just as we do in the physical world. It 
is also no coincidence that some of the most sophisticated 
cyber criminal groups in the world operate with impunity from 
the safety of these very same countries.
    The latest supply chain attack, sometimes called the 
SolarWinds hack, already the most impactful in our history, has 
drawn attention to serious gaps in the U.S. cyber strategy. 
However, we now know that SolarWinds was only one of the many 
supply chain vectors used by the adversary and perhaps not even 
the largest one. As a result, I, along with other cybersecurity 
professionals, have begun referring to this hack as the 
``Holiday Bear'' operation to indicate how wide-spread this 
activity truly is.
    This event highlights the need for a broader paradigm shift 
in our approach to cyber strategy. Both private and Government 
organizations should adopt what we in the cybersecurity 
industry call an ``assumption of breach'' mindset, where 
defenders actively hunt on their networks for any presence of 
an adversary, believing that they are already there.
    The only safe assumption in cyber is that networks are 
never safe. This approach to cybersecurity is not fundamentally 
different from what we do in the physical world, where we 
expect that foreign spies are already in our Government and 
have counterintelligence teams to identify them and mitigate 
the damage that they can do to our National security. We need 
to adopt the very same strategy in cyber space.
    Mr. Chairman and Ranking Member Katko, I have 5 specific 
recommendations for this committee that can move us forward 
toward this paradigm shift.
    No. 1, Congress should take steps to set CISA on a path to 
becoming the operational CISO, or chief informational security 
officer, of the civilian Federal Government. CISA should have 
the operational responsibility for defending civilian 
government networks, just as Cyber Command does for DOD 
networks. Congress could create incentives for Federal agencies 
to outsource their cybersecurity operations through CISA, such 
as exemptions for agency heads from FISMA compliance, and turn 
that responsibility over to CISA.
    No. 2, Congress should make agencies adopt speed-based 
metrics to measure their response to cyber threats. Under an 
assumption-of-breach approach, the question is not, can we 
prevent an initial compromise? The much better question is, how 
long does it take us to find an adversary on the network and 
eject them?
    In the private sector, I developed what I called the ``1-10-60 
rule'' to measure response times to perceived threats. 
One, detect an intrusion on average within 1 minute, 
investigate it within 10 minutes, and isolate and remediate the 
problem within 1 hour--1-10-60.
    Through legislation, Congress could require agencies to 
adopt speed-based metrics by mandating that they collect data 
on the average time it takes to perform these fundamental 
defensive actions and to report them to CISA, OMB, and the 
relevant oversight committees.
    No. 3, Congress should pass a comprehensive breach 
notification law to require certain companies to report 
technical indicators associated with breach attempts to CISA 
even when no personal information is actually compromised.
    No. 4, Congress should take steps to increase security 
standards for vendors supplying high-risk software via 
Government acquisition processes. Congress should compel all 
Government vendors of high-risk software to undergo annual 
independent third-party audits of their source code and conduct 
penetration exercises of their networks. Agencies should be 
provided the results of these on-going audits as part of their 
procurement process, increasing transparency and incentivizing 
companies to quickly patch vulnerabilities in their networks or 
source code.
    Finally, Congress should target the business model of 
ransomware criminals with stricter know-your-customer, or KYC, 
rules in cryptocurrency payment systems. Ransomware criminals 
rely on cryptocurrency, such as Bitcoin, to anonymously collect 
hundreds of millions of dollars in ransom payments. Congress 
should evaluate how stronger KYC requirements can be used to 
effectively stem ransomware threats and support Treasury 
Department action that achieves these objectives.
    Thank you for inviting me to testify before you here today. 
Silverado is committed to being a long-term partner and 
resource for this committee. I look forward to your questions.
    [The prepared statement of Mr. Alperovitch follows:]
                Prepared Statement of Dmitri Alperovitch
                           February 10, 2021
    Chairman Thompson, Ranking Member Katko, Members of the Committee: 
Thank you for inviting me to testify at today's hearing on 
cybersecurity. This is the policy arena I have spent my 25-year career 
in the technology industry exploring as a senior executive working with 
and advising some of the largest private-sector companies and most 
sensitive Government agencies in the country. Now, as the founder of 
the Silverado Policy Accelerator, a new bipartisan public policy 
organization focused on National security, foreign policy, and 
cybersecurity, I am looking at ways to build upon my experience in the 
private sector to work with policy makers and strengthen our approach 
to new challenges that threaten our critical infrastructure and the 
backbone of our economy.
    Most recently as the co-founder and chief technology officer of 
CrowdStrike, which I helped to grow from an idea into the world's 
largest cybersecurity firm, I witnessed the complexity and scope of the 
challenges that the U.S. Government and businesses face in the cyber 
domain. Our adversaries in cyber space are sophisticated and numerous, 
ranging from global criminal groups conducting ransomware attacks and 
stealing financial and personal data, to nation-states executing 
complex espionage campaigns, stealing intellectual property, and 
launching highly destructive and disruptive attacks.
    Throughout my years at CrowdStrike, I saw first-hand that 
cybersecurity represents a growing part of a broader geopolitical 
struggle between the United States and its adversaries and competitors. 
This inspired my decision to retire from CrowdStrike last February to 
launch Silverado to advance American prosperity and global 
competitiveness in a new era of great power competition. Silverado will 
use a venture capital approach to accelerate bipartisan policy 
solutions to pressing challenges in critical areas of economic, 
strategic, and technological competition. We are set to officially 
launch next week, and I hope this will just be the first of many 
occasions for Silverado to engage with this committee to support your 
important work for the Nation.
    As the United States enters a new era of competition, on 
battlefields old and new, modernizing and further resourcing America's 
cyber strategy is a necessary precondition for achieving any number of 
other critical Government objectives. In my testimony today, I will 
outline a conceptual framework for understanding cybersecurity. I offer 
5 recommendations that I believe will meaningfully improve our ability 
to anticipate and prevent cyber threats and fortify our cyber defenses, 
building on the recommendations and critical work undertaken by the 
Cyberspace Solarium Commission:
    1. Providing the Cybersecurity and Infrastructure Security Agency 
        (CISA) in the U.S. Department of Homeland Security with the 
        authorities and resources to one day become an operational 
        Federal CISO, or chief information security officer, for the 
        civilian Federal Government;
    2. Adopting speed-based metrics to measure agencies' response to 
        cyber threats;
    3. Passing a comprehensive Federal breach notification law;
    4. Increasing security standards for vendors supplying high-risk 
        software through Government acquisition processes; and
    5. Targeting the business model of ransomware criminals with 
        mandatory ``Know Your Customers'' rules in cryptocurrency 
        payment systems.
                            threat landscape
    Almost half a decade ago, I coined the phrase: ``We do not have a 
cyber problem, we have a China, Russia, Iran, and North Korea 
problem.''
    Cyber space is not a separate virtual world, immune from the forces 
that shape the broader geopolitical landscape. Instead, it is an 
extension of that landscape, and the threats we face in cyber space are 
not fundamentally different from the threats we face in the non-cyber 
realm.
    China, Russia, Iran, and North Korea are the 4 primary strategic 
adversaries whose malignant activities in cyber space we try to counter 
on a daily basis, as we do their more traditional tactics in the 
physical world. Oftentimes, these battle lines extend to non-state 
actors, such as the most well-organized cyber criminals. These actors 
inflict enormous damage on our economy by launching ransomware attacks 
and stealing financial data from our businesses and citizens, and it is 
no coincidence that they operate with impunity from the safety of their 
homes in these very same countries.
    These countries conduct a variety of cyber operations against us on 
a daily basis, ranging from cyber-enabled espionage against our 
Government to the theft of intellectual property from our companies to 
destructive attacks that shut down business operations to the 
interference in the foundation of our democracy: Our elections.
    The challenges we face were highlighted just over a month ago, in 
December 2020, when we learned that multiple customers of SolarWinds, a 
network management company, had been compromised by a sophisticated 
supply chain attack by a nation-state adversary believed to be 
affiliated with one of Russia's intelligence services.
    The latest supply chain attack has drawn attention to serious gaps 
in the U.S. cybersecurity strategy. As a threshold matter, I believe 
that it is misleading to refer to this most recent breach as ``the 
SolarWinds hack.'' Although SolarWinds was a prominent attack vector 
that received early attention in the press, we now know that it was 
only one of many supply chain vectors that the adversary used to gain 
access to private networks. Because investigations into the scope of 
the attack are still on-going, we cannot even say with confidence that 
SolarWinds was one of the largest or most significant vectors. 
Continuing to refer to the breach as ``the SolarWinds attack'' 
distracts from the reality that the breach went far, far beyond a 
single company. As a result, I, along with other security 
practitioners, have begun referring to this hack as the ``Holiday 
Bear'' operation.
    Additionally, as we have learned more about the breach over the 
past 2 months, I've come to believe that it is also misleading to refer 
to this incident as a singular attack, or even as a coordinated 
campaign with a defined end date. Simply put, the sort of 
sophisticated, long-term cyber-espionage enabled by supply chain 
vulnerabilities that came to light through this breach is not a 
discrete or self-contained occurrence; it is the new normal.
    It is clear to me that the Russians have learned from their past 
operations. Throughout 2014-2015, SVR, the Russian foreign intelligence 
agency believed to be responsible for this most recent activity, 
launched a broad campaign which gave them access to the networks of the 
White House, the Joint Chiefs of Staff and the State Department, among 
others. The success, however, was short-lived, as U.S. defenders 
quickly detected the noisy campaign and ejected the adversary within 
weeks. I believe that those original mistakes led the SVR to reevaluate 
how they conduct new cyber operations and focus on compromising 
software supply chains in order to gain access to target networks in a 
much stealthier fashion and to remain in them for weeks, if not years. 
In some ways, this tradecraft is the cyber equivalent of the Russian 
illegals program, long practiced in human espionage operations: An 
extremely patient and long-term effort to gain maximum access to 
high-value U.S. targets. Since the 1930's, Russia has been sending 
covert sleeper operatives into our country under non-official cover to live 
and work amongst Americans and over years get close to powerful 
officials in order to steal our secrets. Unlike the illegals program, 
however, supply chain-based cyber intrusions are much easier and 
cheaper to scale to hundreds of high-profile victims, all without 
putting their human intelligence officers at risk.
    I believe that this is the Russians' new way of doing business in 
cyber operations, and I suspect we will continue to see this new 
approach for years to come. We have also seen China's intelligence 
services leverage supply chain attacks in the past, and we can expect 
them to incorporate valuable lessons from this latest Russian action 
into their own operations.
                            recommendations
    This Holiday Bear operation further highlights the need for a 
broader paradigm shift in both the private sector's and the 
Government's approach to cyber strategy. Across the board, 
organizations should adopt what we in the cybersecurity industry call 
an ``assumption of breach'' approach, where defenders operate on the 
basis that an adversary has already gained access to their sensitive 
networks. The premise is simple:
   No cyberdefense system is 100-percent effective at 
        preventing breaches;
   Even with the best training, human error will inevitably 
        foil the smartest defense strategies; and
   Adversaries are constantly adapting to existing defense 
        mechanisms and designing new ways to circumvent them without 
        being detected.
    The only safe assumption in the cyber battlespace is to assume that 
networks are never safe.
    The assumption of breach approach is the only appropriate paradigm 
to govern cybersecurity strategy in this new era of great power 
competition. Our competitors in this contest are highly sophisticated, 
well-resourced nation-state actors. We underestimate their capabilities 
at our own peril.
    Incidentally, this is not any different from the approach we 
already take in the physical world. As a matter of practice, we assume 
that at any given moment there are people inside our sensitive 
Government agencies who have been recruited by foreign intelligence 
services. Our counterintelligence approach is not merely focused on 
preventing such recruitment. Instead, we explicitly undertake 
significant efforts to identify spies and limit the damage they may be 
able to do to our National security. We need to adopt this same 
approach in cyber space.
    This shift in strategic paradigm necessitates a shift in practice. 
This committee should be commended for its strong leadership in pushing 
for new and significant resources to support the Federal Government's 
cyber strategy, most notably by creating CISA in 2018 and strengthening 
CISA's authorities under the fiscal year 2021 National Defense 
Authorization Act (NDAA). But, more needs to happen to capitalize on 
this momentum and deepen these commitments, and in particular, I have 5 
recommendations for this committee's consideration:
    1. Congress should take steps to set CISA on a path to becoming the 
operational CISO, or chief information security officer, of the 
civilian Federal Government.--The majority of the 137 Executive 
agencies lack the personnel, the knowhow, and the resources to execute 
a comprehensive cybersecurity strategy. Congress took an important step 
toward centralizing Federal cybersecurity strategy by creating CISA in 
DHS in 2018, but the next step is to give CISA both the authority and 
the resources that it needs to effectively execute its mission.
    Ultimately, CISA should have the operational responsibility for 
defending civilian government networks, just as Cyber Command does for 
DoD networks. The recent NDAA, which vested CISA with the authority to 
hunt on agencies' networks without the explicit permission of those 
agencies, was a critical move in that direction. CISA will now need 
additional funding to build a 24/7 threat hunting operations center to 
fulfill the requirements of that mission. Another important step would 
be to create incentives for Federal agencies to outsource their 
cybersecurity operations to CISA, turning it into a cybersecurity 
Shared Service Provider. Such incentives may include exceptions for 
agency heads from FISMA compliance and turning that responsibility over 
to CISA, if it is actually being given the authority to secure that 
agency's network.
    2. Congress should make agencies adopt speed-based metrics to 
measure their response to cyber threats.--In cyber space, the only way 
to reliably defeat an adversary is to be faster than they are. Under an 
assumption of breach approach, the question is not, ``Can we prevent an 
initial compromise?'' The much better question is, ``How long does it 
take us to find and eject them?'' Central to detecting adversaries is 
the speed with which they leverage the initial resource they have 
established as their beachhead within the network, move laterally 
across the environment, and gain access to other sensitive resources. 
Once adversaries are able to do that, what would have been a minor 
security event turns into a full breach that requires a lengthy and 
complex incident response process and that puts defenders' data and 
operations at risk. Stop the adversary quickly, and you have prevented 
them from accomplishing their objectives.
    With this in mind, Congress should require Federal agencies to 
adopt speed-metrics that evaluate agencies' response to cyber threats 
based on the time it takes to begin and complete fundamental defensive 
tasks. In the private sector, I developed what I called the ``1-10-60 
rule'' to measure response times to perceived threats: Detect an 
intrusion on average within 1 minute, investigate it within 10 minutes, 
and isolate or remediate the problem within 1 hour. Through 
legislation, Congress could require agencies to adopt speed-based 
metrics by mandating that they collect data on the average time it 
takes to perform 4 fundamental defensive actions: (1) Detecting an 
incident; (2) investigating an incident; (3) responding to an incident; 
and (4) fully mitigating the risk of high-impact vulnerabilities. Over 
time, these metrics would provide objective and diachronic measurement 
of agencies' threat response capabilities that they could report to 
CISA, OMB, and the relevant oversight committees in Congress. If the 
metrics prove effective in decreasing agencies' response time to cyber 
threats, Congress should also consider models to extend their adoption 
by the private sector.
    3. Congress should pass a comprehensive breach notification law.--
Such a law would require major private companies, such as those in 
critical infrastructure, to report technical indicators associated with 
breach attempts to CISA, including for breaches where no personal 
information is actually compromised. If there is a single overriding 
lesson from the recent supply chain attacks, it is that the information 
sharing between Government and industry remains a serious challenge. 
Some victims have shared very little information about what took place 
inside their networks; others have not even publicly acknowledged that 
they were targeted.
    At present, there is no comprehensive Federal breach notification 
law, and State-level laws are too decentralized, too focused on 
personal information instead of risk to systemically important critical 
infrastructure, and sometimes create a perverse incentive for companies 
not to investigate attacks. In the case of complex supply chain attacks 
like ``Holiday Bear,'' one company's failure to publicly report a 
breach can have wide-reaching implications. For example, if 
cybersecurity company FireEye had not voluntarily and publicly shared 
evidence of their own compromise and that SolarWinds was the attack 
vector, the public and the Government may not have known about this 
highly impactful attack for many months to come. Yet, FireEye had no 
legal obligation to report this breach under existing law. They should 
be praised for their courageous decision, but unfortunately, not all 
other victims have followed their lead in transparency.
    4. Congress should take steps to increase security standards for 
vendors supplying high-risk software via Government acquisition 
processes.--Government agencies and private-sector businesses currently 
rely on a number of companies such as SolarWinds whose software runs 
with high levels of privilege on their networks. Yet these agencies and 
businesses have little to no sense of the security levels of that 
software. Borrowing from a widely-used private-sector practice, 
Congress should compel these vendors to undergo annual, independent 
third-party audits of their source code and penetration exercises of 
their networks. The Government could require that companies provide the 
results of these stress tests as part of the Federal procurement 
process, or even require companies to publish the results of those 
audits publicly on their website. Not only would this process increase 
transparency for their customers, but it would also incentivize 
companies to quickly and efficiently patch vulnerabilities in their 
networks or source code and get a clean bill of health, as no one would 
want to publish a failed audit.
    5. Congress should support stricter ``Know Your Customer'' (KYC) 
requirements for world-wide cryptocurrency exchanges to target the 
business model of ransomware criminals.--Dangerous ransomware attacks 
pose an existential threat to critical infrastructure and many small 
and medium businesses in this country. For example, criminal attacks on 
hospital systems--a favorite target of ransomware attacks--put the 
lives of American citizens in danger, especially during the pandemic, 
when hospital beds are already in short supply. Ransomware criminals 
rely on widely available and largely anonymous cryptocurrency, such as 
Bitcoin, to collect hundreds of millions of dollars in ransom payments 
without risk of disclosing their identities to victims or law 
enforcement. It is no coincidence that the explosion of ransomware 
attacks occurred only after the invention of cryptocurrency platforms, 
which are the oxygen that fuels the fire of these criminal operations. 
And while it remains very difficult to purchase goods and services, 
such as real-estate, cars, and other luxury items that these criminals 
may want, with cryptocurrency, it is currently easy to anonymously use 
cryptocurrency exchanges to convert ransom payments into reserve 
currency like dollars or euros.
    The bottom line is that we need stronger tools to undermine the 
ability of criminals and nation-states to use cryptocurrency to receive 
and convert ransom payments and purchase illicit goods. The 
international community has already taken some steps to strengthen KYC 
requirements. In June 2019, the intergovernmental Financial Action Task 
Force (FATF) issued guidance recommending that virtual asset service 
providers, including crypto exchanges, share information about their 
customers with one another when transferring funds between firms. In 
December 2020, the U.S. Treasury Department published an advance notice 
of proposed rulemaking that would require cryptocurrency exchanges to 
perform and store KYC information on their customers, just like we 
require banks and other players in the global financial system to do. 
If designed and implemented properly, these types of tools can starve 
ransomware threat actors of the oxygen they need to operate.
    Congress should undertake an evaluation of how stronger KYC 
requirements and other safeguards can be used to effectively stem 
ransomware threats and then propose legislation and support agency 
action that achieves those objectives.
                               conclusion
    I am grateful for this committee's leadership on cybersecurity 
issues, and I believe that these recommendations would further advance 
America's defense by bringing its cybersecurity strategy in line with 
an assumption of breach approach. As the recent supply chain breach has 
made abundantly clear, we cannot afford to delay these actions any 
longer. Every day we fail to act on them is another day that we leave 
the American government and our people vulnerable to cyber attacks, 
intellectual property theft, and espionage.
    These new steps would also serve to preserve America's 
competitiveness in this new era of competition between the United 
States and its adversaries. This contest has reached an inflection 
point: The nations that present bold, long-term strategies to advance 
their economic, technological, and strategic interests will shape the 
future for decades to come, and the nations that fail to act will fall 
behind. Modernizing America's cyber strategy is a linchpin that makes 
all other efforts to ensure continued American leadership possible.
    Thank you for inviting me to testify before you here today. 
Silverado is committed to being a long-term partner and resource for 
this committee in our shared missions to address these critical 
challenges facing our Nation.
    I look forward to your questions.

    Chairman Thompson. I thank the witness for his testimony.
    I remind each Member that he or she will have 5 minutes to 
question the witnesses.
    I now recognize myself for questions.
    This is based on the order of the witnesses' presentation.
    All of us are Members of Congress, and although our last 
witness did a masterful job at the 5 suggestions, I would like 
to hear from the other 3 witnesses: What do you see as the role 
of the Federal Government in protecting cyber space from 
intrusion?
    I will start off with Mr. Krebs.
    Mr. Krebs. Yes, sir. Thank you for that question.
    So there are obviously a range of different authorities 
within the Federal Government. I would start with the 
Department of Defense. They have the ability through Cyber 
Command and the persistent engagement/defend forward philosophy 
to go out there and figure out what the bad guys are doing and 
stop them, ideally, so to speak, catch the arrow before it gets 
here.
    There are some side benefits of that, where they can 
identify targeting lists, like they did in Ukraine and 
elsewhere, against their elections, that we could bring that 
back and help inform domestic elections.
    You have the intelligence community that also tries to 
figure out what the incentives are, what the targets are, where 
the adversary is going, and provide that information to 
defenders so that they can protect their systems. The law 
enforcement community has the ability to go out overseas, work 
with foreign partners, disrupt both state-actor and 
non-state-actor activities through indictments and other legal actions.
    Then, finally, you bring it back home to the domestic 
civilian agencies that need to broadly work with the private 
sector, State and local governments, and the Federal Government 
to help raise awareness, drive smart investment in 
cybersecurity solutions, and, overall, you know, as you have 
mentioned in your opening statement, increase the baseline of 
security.
    There is no single approach, though. It does take a team 
effort of disrupting the adversary, getting inside their head, 
knowing our risks, and then closing out our risks as 
aggressively as we can.
    Chairman Thompson. Thank you.
    Ms. Gordon.
    Ms. Gordon. I will give you 3, one that Chris touched on, 
and that is, you can't find a single agency that has all the 
responsibility.
    I actually think CISA's blueprint of attacking election 
security, to participate with law enforcement, intelligence, 
and go all the way from the Federal to the State to the local, 
is a really good model that needs to be codified. Importantly, 
you ought to look at the authorities to make sure that that 
joint participation in sharing is easy to effect and that there 
is someone who's got the con but not all the authority.
    No. 2, after the stock market crash in 1929, you saw the 
rise of the SEC shared responsibility and the introduction of 
generally accepted accounting principles. They did that because 
they recognized what was happening in private companies, in 
public companies, affected our Nation's security. In 2021, is 
it time for us to consider a bipartisan Government and 
private-sector approach to looking at generally accepted security 
principles?
    It just isn't satisfying to me that it is up to people's 
choice of basic-level security, particularly if it is a 
publicly-traded company and particularly if it is a Government 
organization. So I think we ought to look at something like 
that.
    The last is, I think in this interconnected world, where 
the boundaries that we created in the past that were physical 
between Government and private sector, Federal and State and 
local have just been obliterated, we are in a place now where 
the threat surface is disproportionately not in Governmental 
control. We almost have to change the incentive structure in 
terms of who is responsible and who is supporting.
    So I think what you could do is create incentives both for 
private companies who accept responsibility to get some 
benefit, and the Government has an obligation to share more of 
its information more usefully.
    Thank you.
    Chairman Thompson. Thank you very much.
    Mr. Daniel.
    Mr. Daniel. Thank you, Mr. Chairman.
    I would identify 4 roles for the Federal Government.
    One is enabler. It should be enabling other elements in the 
economy, other levels of government, to do a better job at 
their cybersecurity, whether that is through providing 
resources or by, you know, providing information or, you know, 
supporting them in a variety of ways.
    The Federal Government is also a disrupter, meaning that it 
should be carrying out actions to disrupt what our adversaries 
are doing, whether they are criminals or nation-states. That is 
through using all the tools of National power, whether you are 
talking economic sanctions, arresting individuals, carrying out 
technical operations, or even military or intelligence 
operations.
    It is also a regulator and an enforcer, because it should 
be, you know, in some cases, setting the rules and enforcing 
those rules, even including in cyber space.
    Those 3 are very traditional roles for the Federal 
Government, but the Federal Government has a fourth one in 
cyber space that is unusual, which is partner. Because the 
private sector has much of the technical capability and a lot 
of the expertise, and, as Sue pointed out, the Government does 
not have a monopoly on the use of force or technical capability 
in cyber space. So, therefore, the Federal Government needs to 
be operating collaboratively, as a partner, as a peer with many 
organizations in the private sector, such as cybersecurity 
vendors, telcos, and platform providers, in order to actually 
disrupt and carry out those other missions that I was talking 
about the Federal Government having.
    Chairman Thompson. Thank you very much.
    Mr. Alperovitch, you talked about those 5 items, and it 
looks like everybody is kind-of on the same page. Do you have 
some comments you would like to make on that, in terms of the 
role of the Federal Government?
    Mr. Alperovitch. Yes, absolutely, especially focusing on 
the defense of the networks themselves. I believe that CISA 
should be in charge of defending the civilian government 
networks and Cyber Command should defend the DOD networks.
    Mr. Chairman, I also believe that, as the other speakers 
have said, we need to go on offense. We need to make it harder 
for the adversaries to conduct these operations. Law 
enforcement, in particular, and Cyber Command need to take 
further actions to disrupt infrastructure of threat actors, 
both criminal groups and nation-states, and raise the bar.
    We need to look at using all the tools of our power to 
really focus on the 4 primary nation-states--Russia, China, 
Iran, and North Korea--and what we can do to deter their 
malignant activity in cyber space.
    Chairman Thompson. Thank you very much.
    The Chair yields to the Ranking Member for questioning.
    Mr. Katko. Thank you, Mr. Chairman.
    I appreciate the comments that I have heard so far. As I 
said in my opening statement, it seems, at least in a dot-gov 
domain, that our efforts for dot-gov security are too 
confederated and too clunky and ultimately inadequate.
    You know, Mr. Alperovitch, what you said with respect to 
CISA being the quarterback, if you will, that you think it 
should be designated as such, that is 1 of the 5 
recommendations I had. I wanted to drill down a little bit more 
on that and see what you envision CISA's role to be as that 
quarterback in the dot-gov domain.
    Mr. Alperovitch. Absolutely. Thank you very much for that 
question, Mr. Katko, and thank you for your leadership on this 
issue.
    I believe that CISA needs to become a shared service 
provider for cybersecurity for agencies. The fact of the matter 
is, when you look at over 130 different Executive branch 
agencies, the vast majority of them will never have the talent, 
the expertise, the resources to defend themselves against the 
most sophisticated nation-states out there, such as Russia and 
China, that are trying to break into their networks.
    Certainly, you have the large agencies, the intelligence 
community, the DOD, law enforcement agencies like the FBI, that 
do have that capacity, but many small ones will never do that. 
As a result, I think that they need to start thinking about 
outsourcing certain cybersecurity tasks to CISA.
    Chris Krebs, when he was director, set up a great set of 
shared services, such as shared email services that are secure, 
that CISA can deliver to agencies. They need to start adopting 
those.
    We need to start thinking about incentives to encourage 
agency heads to start outsourcing that capacity. I think 
looking at FISMA and reducing the overhead of FISMA compliance 
for agencies that turn over that capability to CISA is one way 
that can encourage them to do so.
    Mr. Katko. OK.
    With respect to OMB's role in this, do you believe that 
CISA should, over OMB, play more of a role in that area?
    Mr. Alperovitch. Absolutely. I think it is important to set 
standards so that agencies can look at what works and what 
doesn't work in individual agencies when it comes to 
cybersecurity. And OMB has a role to play to share the 
standards across the Government and try to get agencies to 
adopt similar types of technologies and approaches that have 
already been proven to work.
    That is why I also believe that metrics, particularly 
speed-based metrics, are really effective at getting visibility 
for both CISA and OMB into what agencies are doing to be faster 
than the adversaries, to detect them, investigate, and 
remediate breaches as quickly as possible. Then you can learn 
from, sort-of, the best of the best in Government and try to 
make sure that everyone else adopts the same strategies.
    Mr. Katko. All right. Thank you very much.
    Mr. Krebs, it is nice to see you again, and I appreciate 
your service during your time at CISA. Obviously, you have some 
expertise there, and I am going to kind-of ask you a similar 
question as I did Mr. Alperovitch.
    Do you believe CISA should be playing that centralized 
authority as he described it? If so, what would you do if you 
were king and could shape that for them?
    Mr. Krebs. Yes, sir. Thank you. I agree with pretty much 
everything Dmitri said. I can't take exception with anything, 
in fact.
    Look, the approach we have taken over the last decade-plus 
due to some of the oversight mechanisms that are in place, in 
part by Congress, has taken us a half-step forward. We need to 
take that full step. The 101 Federal civilian agencies are 
simply not in a position to secure themselves all by 
themselves. The reason for that is the lack of resources, the 
lack of personnel, and the lack of follow-through.
    So, you know, I have thought for some time now that, No. 1, 
we need a comprehensive Federal civilian agency cybersecurity 
strategy. We have to pull that together. We need the 
requirements to put in place for the agencies to meet. Those 
requirements will likely be very onerous and very expensive, 
and I can think of maybe a handful of agencies that would be 
able to comply.
    So give them the opportunity to comply, or give them an 
option, as Dmitri said, an incentive, where the CIO in the CISO 
shop can just turn the keys over to CISA, and CISA can build 
those services through the quality service management office, 
like a hardened, secure, cloud-based email instance, and pull 
everyone in.
    As of now, there are 101 different instances of email 
across the civilian agencies. That is just not a defensive 
posture. We have to bring it all into one hardened, single 
ring, so to speak, to make it most defensible. That is going to 
require authorities to compel, and it is going to require 
resources, but it is also going to take some time to implement.
    Mr. Katko. Well, I appreciate it. Basically, what we are 
asking is to do on the dot-gov side what they have already done 
on the dot-mil side with DOD. I dearly hope we can get that 
moving.
    Now, Mr. Alperovitch, quickly, with respect to SolarWinds, 
from your perspective in the private sector, cyber espionage 
campaigns, where does CISA need to be focusing its attention 
going forward?
    Mr. Alperovitch. So I actually believe, Congressman Katko, 
that SolarWinds really represents a new normal for Russian 
intelligence.
    If you look at what they were doing prior to SolarWinds, 
they were trying to be very noisy when they were breaking in 
and to be detected very, very quickly. I believe that they 
reevaluated post their original compromises of the White House, 
State Department, and the Joint Chiefs of Staff back in 2014 
and 2015 and realized that the supply chain vector, being able 
to compromise, sort-of, these high-risk software, enterprise 
software, like SolarWinds, and using that to gain access to 
high-value networks is really the way to go if you want to have 
long-term access to these networks and remain undetected for 
months, if not years.
    In some ways, this mirrors exactly what they are doing in 
human intelligence with their illegals program, where they are 
sending spies over to this country to implant themselves for 
decades in our society and get close to people in power so that 
they can steal secrets. They are now trying to do the very same 
thing in cyber through the supply chain compromises, and I 
think this is going to continue on for many years to come.
    China, I am sure, is looking at this very carefully and 
trying to adopt the same practices.
    So I think the Government, CISA in particular, needs to 
take a really hard look at supply chain vulnerabilities. As I 
suggested in my testimony, we need to start looking at 
elevating standards for providers of this high-risk software to 
the Government. Requiring them to perform annual audits of 
their source code and of their networks, I think, is one way to 
do so.
    Mr. Katko. OK. Thank you very much.
    I have so much more I could ask, Mr. Chairman, but I am out 
of time, and I yield back.
    Chairman Thompson. The Chair will now recognize other 
Members for questions they may wish to ask the witnesses. I 
will recognize Members in order of seniority, alternating 
between Majority and Minority.
    Members are reminded to unmute themselves when recognized 
for questioning and to then mute themselves once they have 
finished speaking and to leave their camera on so they may be 
visible to the Chair.
    The Chair now recognizes for 5 minutes the gentlelady from 
Texas, Ms. Jackson Lee.
    It appears we have a technical issue. We will fix that. We 
will go to----
    Ms. Jackson Lee. I am here, Mr. Chairman. Mr. Chairman.
    Chairman Thompson. OK.
    Ms. Jackson Lee. Can you hear me?
    Chairman Thompson. Yes.
    Ms. Jackson Lee. All right. Thank you so very much. First 
of all, thank you for this hearing.
    Thank you to the witnesses.
    Let me go with Mr. Alperovitch.
    I believe you gave the 5-point agenda, if I am not 
mistaken?
    Mr. Alperovitch.
    Mr. Alperovitch. Yes, I did.
    Ms. Jackson Lee. Yes. Could you give a little bit more of 
substance to the idea, I am going to call it the cyber czar, 
and the extent of that individual's authority? Would they be 
able to interface with agencies across the landscape, Federal 
agencies? Would they be able to cite them for their failings, 
or would they be instructed in what they need to do? Would they 
provide oversight internally? Obviously, Congress has the other 
part of oversight. What would that individual be responsible 
for doing?
    Mr. Alperovitch. Thank you for that question, Congresswoman 
Lee. I think it is a great question.
    In some ways, I think the Biden administration has already 
resolved part of that issue by appointing an incredible 
individual, Anne Neuberger, as Deputy National Security Advisor 
for Cyber. I have known Ms. Neuberger for many years. She has 
done tremendous work at NSA and Department of Defense for over 
a decade on this issue, so there is literally no better expert 
in Government to work these issues.
    I think, within the National Security Council, she will 
have the authority to coordinate strategy and policy for the 
U.S. Government, working together with the director of CISA. So 
I think we are on the path to getting the Government organized 
for success here.
    Ms. Jackson Lee. Thank you very much.
    Let me move to Ms. Gordon.
    Obviously, we are in a different climate where cyber may 
even be the tool for bad actors--Proud Boys, Boogaloo Bois, the 
Oath Keepers. How, in your capacity dealing with intelligence, 
would you see a new group of domestic terrorists being able to 
utilize cyber to interfere with the Government workings?
    Let me just follow up with a question to Director Krebs.
    Thank you for your service, as I do all.
    The issue with SolarWinds, we had this problem with Mr. 
Snowden--a contractor, unvetted, and had a great deal of--how 
should I say it?--confidence and comfort. I would be interested 
in you following up on Ms. Gordon on how do you put the 
firewall up for these third-party contracts that we seem to be 
completely immersed in in the Federal Government.
    Ms. Gordon, on the idea of cyber being a tool of 
destructiveness and bad acts.
    Ms. Gordon. Yes. Thank you so much for the question. It is 
a great one.
    I think that our domestic extremists and terrorists got a 
pretty good look at the playbook. No. 1 is, disinformation is 
incredibly powerful, the ability to overwhelm airwaves with any 
sort of messaging. We haven't talked much about disinformation 
as a part of the cyber threat, but it surely is and we learned 
it. They learned a lot of the tool kits that have been reused 
over the past 2 or 3 years. So I think that is No. 1, is how 
can they use their voice.
    Then second is, I think you would expect them to use tools 
to disrupt normal business processes, the normal functioning of 
society, the normal ability of people to carry out functions 
that are much more even in order to be able to shape 
activities.
    I think both of those are well within their ken. There are 
tools available to do it. It will take the kinds of things we 
have talked about from a Governmental level to be able to 
attack those.
    We are going to have to look at how intelligence can 
support that. Because it is a little bit of a slippery slope 
with intelligence on domestic, but I think there is some craft 
that the intelligence community has, particularly born of their 
time in the counterterrorism fight, that can be applied to this 
problem.
    Thank you so much.
    Ms. Jackson Lee. Thank you. I would like to work with this 
committee and you on these issues.
    Let me quickly ask Mr. Krebs--and, Mr. Daniel, maybe you 
will be able to follow up in my short time and respond to this 
issue of the water systems being violated and what kind of 
cyber weaknesses do we have when that happens.
    Mr. Krebs on the SolarWinds? Maybe there will be a second 
or so for Mr. Daniel.
    Mr. Krebs.
    Mr. Krebs. Yes, ma'am. I will try to do this quickly.
    I actually think Dmitri did a pretty good job of laying out 
a few of the requirements that need to be in place, 
particularly for Federal Government contractors. That includes 
increased transparency and attestations to the security, not in 
a compliance-based way, which is just a checklist, but actually 
demonstrated security improvements.
    But to get there, we have to have a better understanding of 
what enterprise software and services are systemically 
important. That is a lot of the work that I think CISA and the 
National Risk Management Center should be doing.
    Ms. Jackson Lee. Mr. Daniel, on the violation of the water 
system and the cyber impact? Mr. Daniel.
    Mr. Daniel. Sure. So I think what that shows is that our 
adversaries are willing to go beyond simply stealing 
information or even holding systems at ransom, but are willing 
to move toward destructive acts--acts that could cause physical 
harm.
    I think what it also shows is that, you know, it is--you 
know, water systems are not something that, sort-of, 
immediately spring to a lot of people's minds. People have 
thought about the power grid or the financial system, but it is 
almost any system that is connected to the internet, which is 
essentially almost anything today, can be a target. So we need 
to be thinking very broadly in terms of our cyber defenses.
    Ms. Jackson Lee. Thank you, Mr. Chairman. I yield back.
    Mr. Bishop. Well, I may have lost--Mr. Chairman, did you 
just speak? I lost audio, I think, or couldn't hear you, sir.
    Chairman Thompson. Well, we are recognizing you for 5 
minutes.
    Mr. Bishop. I thought so, sir, but I just couldn't hear. 
Thank you very much, Mr. Chair.
    As I was taking notes over the testimony--Mr. Daniel, I 
think I would come to you first--I noticed both you and Mr. 
Alperovitch focused on something that seemed instinctively 
accurate to me as a layperson that--you said it, I think--that 
we can't keep the adversary out of networks, and that instead, 
we need to thwart their objectives. It does seem to me that 
Government and private enterprise have spent inordinate 
resources to keep people out of networks, and so it makes sense 
to me to finally come to the conclusion that you can't.
    But what does that mean--Mr. Alperovitch, I will come to 
him in a minute, because he talked about maybe substituting 
speed metrics, I believe, to find and eject intruders. I think 
there might be problems with that idea too, but how do you 
thwart their objectives, Mr. Daniel?
    Mr. Daniel. Well, so what I mean by that is that the 
adversary is gaining access to networks for a purpose. They are 
not simply gaining access to gain access. They are looking to 
steal information. They are looking to steal money. They are 
looking to----
    Mr. Bishop. Do damage.
    Mr. Daniel [continuing]. Cause--yes, do damage. They are 
looking to cause disruption. They are looking to achieve some 
objective. So if you change your mind-set to one of, I want to 
look at all of the different actions that the adversary has to 
do to achieve that objective, look at all of the different 
steps that they have got to get through to achieve that end 
goal and focus on where do I have the greatest comparative 
advantage to break that chain, to disrupt their operations, 
then suddenly, instead of the defender having to be right all 
of the time because you are trying to keep the adversary out, 
the adversary has to be right a hundred percent of the way 
through their efforts.
    So you get many more bites at the apple to try to disrupt 
them. So if we start thinking about it in terms of, we succeed 
if they don't get to their end objective. To my mind, that is a 
much more effective way to think about cybersecurity.
    Mr. Bishop. So, again, as a layperson, it seems to me, 
that, for example, when we are worried about avoiding 
information theft, maybe we ought to think in terms of making a 
lot more information public so that we are not worried about it 
being stolen, particularly if it is lower sensitivity. Would 
that be a possible way to think?
    Mr. Daniel. That is certainly one way to think about it. 
You could also think about storing more of that data in 
encrypted form, so that even if the adversary gets it, they 
can't do anything with it.
    Mr. Bishop. If you are concerned about damage being done to 
data, then you can build in redundancy and have multiple copies 
of stuff to avoid damage. Would that be another way to go?
    Mr. Daniel. That would be another way to go. You try to 
think of all the different ways that you could thwart what the 
adversary is doing.
    Mr. Bishop. Speaking--Ms. Jackson Lee just made reference 
to the water system thing, I saw that story, and I wonder, is 
it necessary that things like that, where you can do damage, 
why is that connected to the internet? Why can somebody change 
the way a chemical is put into the water supply over the 
internet? Wouldn't there be a way to defend against the 
possibility of intrusion if you say networks are not 
impenetrable, period?
    Mr. Daniel. Well, certainly, Representative, it is 
certainly one of the principles in industrial control systems 
that you should minimize the number of systems that are 
connected to the internet, and there are best practices for how 
to do that in a way that is more secure.
    But, certainly, you also want to build in multiple layers 
of defenses. Like in the case of the water system, they do have 
them. There are other alarms and things that might have 
detected that change that was made even after it was made.
    But I think you raise a good point about really looking at 
and understanding your network and understanding why you are 
connecting what you are connecting and not just assuming that 
connecting it is a good thing.
    Mr. Bishop. Thank you, sir.
    Mr. Alperovitch, you talked about this same issue and said 
that we need to adopt speed metrics in detecting and ejecting 
intruders. Doesn't the SolarWinds experience suggest that we 
might not be really able to do that either?
    Mr. Alperovitch. Well, I think--and thank you for that 
question, Congressman Bishop. I think SolarWinds' operation 
actually highlights some of the failures but also some of the 
successes. I know of a number of major companies that actually 
detected the intrusion quickly--Palo Alto Networks was one of 
them--and contained it before any damage was done. So it was 
certainly possible. Not everyone was successful at doing so, 
but you do have time.
    When I was in the private sector, I coined this concept of 
break-out time, the time that it takes for an attacker once 
they get in, once they establish a beachhead within the 
network, to actually accomplish their objective, to get off 
that beachhead, to get to other resources within the network, 
elevate their privileges, get access to valuable data, 
ultimately steal that data or destroy it, whatever their 
objective may have been.
    What I found is that, on average, it took adversaries from 
nation-state criminal groups over 4 hours to accomplish that 
objective. That may not seem like a lot, but actually, if the 
defenders are quick enough to detect, investigate, and 
remediate breaches within 1 hour, then you can stop them dead 
in their tracks, they can't get off that beachhead, and you 
eject them before they are able to be successful.
    So if we start measuring every agency on their ability to 
detect, investigate, and remediate breaches quickly, we can 
start holding them to account and make sure that they are 
focusing on what truly matters, which is how they become faster 
than the adversary.
    Mr. Bishop. Mr. Alperovitch, I mean, isn't--and I don't 
think we have had a full accounting of the SolarWinds thing, 
but weren't they undetected for months?
    Chairman Thompson. His time has expired.
    Mr. Bishop. All right.
    Chairman Thompson. The Chair recognizes the gentleman from 
Rhode Island, Mr. Langevin, for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank you 
for holding this hearing. I want to thank our witnesses for 
your testimony today and thank you for all you have done to 
better protect the country on a whole host of National security 
fronts and issues, especially on cyber.
    I think almost all of you have referenced the Solarium 
Commission and its findings at one point or another. Thank you 
for recognizing that. As a commissioner on the Cyber Solarium 
Commission, I was very pleased with our final report and the 
findings in it, and hopefully it is going to be a great 
blueprint going forward for better protecting the country in 
cyber space.
    Mr. Krebs, let me start with you, if I could. In the fiscal 
year 2021 NDAA, we codified the roles and responsibilities of 
sector risk management agencies with respect to their sectors 
and to CISA. The Solarium Commission recommends tying this to a 
5-year National risk management cycle to get a holistic sense 
of where key investments need to be made across the National 
critical functions.
    Do you agree with the Solarium Commission's recommendations 
or assessments?
    Mr. Krebs. Thank you for that question, sir. Yes, I do, in 
fact, agree with the evolved approach to risk management across 
the National critical functions and the fact that it does 
take--it takes all the agencies that have relationships and 
expertise in a specific sector or subsector to play along with 
CISA and the intelligence community.
    Mr. Langevin. Thanks for that insight. I appreciate the 
feedback. By the way, thank you for the integrity you showed 
when you were director at CISA in securing elections and doing 
everything you can to make sure, as you said, they were the 
most secure in U.S. history.
    Mr. Daniel, in one of your--and I have learned a lot from 
you over the years in our discussions, both when you were at 
the White House as cyber coordinator and since you left now to 
be in the private sector. In one of your valedictions as 
cybersecurity coordinator just before the end of the Obama 
administration, you spoke of the need to go beyond information 
sharing and do operational collaboration. I have to tell you, I 
think about that phrase all the time.
    The Solarium Commission recommends creating a common 
toolset for joint collaborative environment for interagency and 
public-private joint analysis of cyber threat data. Do you 
agree with this recommendation? Any comments you have in that 
respect?
    Mr. Daniel. Yes, Congressman. Thank you very much for that. 
I agree that the Solarium Commission did just some tremendous 
work in this area to really highlight some key efforts that 
will really improve the cybersecurity of the Nation as a whole.
    I think that this idea of operational collaboration in a 
collaborative environment is absolutely critical. Information 
sharing is important. I mean, I run an information-sharing 
organization, but you share information with a purpose, and 
that is to take action.
    As Dmitri was saying, we actually need to be able to go on 
the offensive with all of our capabilities, and the only way to 
do that is to do that in a collaborative fashion. So when I use 
the term ``operational collaboration,'' what I mean is that we 
need to move beyond just sharing information back and forth 
between the Government and the private sector, but actually 
enable multiple elements of the Government--law enforcement, 
intelligence, CISA, diplomatic, economic--to be lined up and 
synchronized in time with actions that the private sector can 
take, so that the actions of the Government and the actions of 
the private sector are mutually reinforcing and have a 
strategic impact on the adversary. So that is what I mean by 
``operational collaboration.''
    Mr. Langevin. Well said. Thank you.
    Mr. Krebs, let me go back to you. The fiscal year 2021 NDAA 
also contains a force-structure assessment for CISA to 
determine personnel and facilities needed going forward. How 
would you describe CISA's resourcing versus its mission? Let me 
ask you this also, in your time at CISA, were there times that 
you had to forego important projects due to resource 
constraints?
    Mr. Krebs. Yes, sir. Thank you for that question. So at the 
top line, the budget at CISA, at least as I was director, was 
about $2.2 billion, which seems to be a pretty significant and 
it is, in fact, a significant amount. About $1.2 billion of 
that was focused on cybersecurity investments, cybersecurity 
programs.
    However, of that $1.2 billion, about $800 million is 
focused on 2 programs--the National Cyber Protection System and 
the Continuous Diagnostics and Mitigation Program. So that 
leaves, you know, several hundred million dollars on the end 
for incident response, and actually very little, frankly, for 
broader engagement with the critical infrastructure community.
    That was my biggest concern. My biggest regret was that we 
were not able to plow additional resources into the ability to 
get out there into the field and engage more critical 
infrastructure and State and local partners. However, the 
State-wide Cybersecurity Coordinator Act that was passed as 
well in the NDAA and some of the additional funding has given 
us more capability to get out in the field.
    That is the one distinctive advantage of CISA, is that they 
operate primarily in the unclassified space. In COVID, when you 
can work remotely, you can follow the trends that the 
cybersecurity industry has followed as well and actually employ 
people, not in the National capital region, but out in the 
field where you don't actually have to be tied to a Secure 
Compartmented Information Facility.
    Mr. Langevin. Right. I definitely agree that for CISA to 
effectively do its job, it is going to have to be properly 
resourced, and we are not quite there yet. But thank you for 
the work that you did there at CISA, and I look forward to 
staying in contact.
    Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. [Inaudible.]
    Mr. Langevin. I don't know if we can hear you, Mr. 
Chairman.
    Voice. You are muted, Mr. Chairman, I think.
    Mr. Langevin. Mr. Chairman, we didn't hear you. I think you 
were muted. Something is wrong on that communication side.
    Chairman Thompson. OK. Mr. Higgins, the gentleman from 
Louisiana, for 5 minutes.
    Mr. Higgins. Thank you, Mr. Chairman. I think you are doing 
just fine with the technology we are dealing with right now. It 
is a challenge for all of us.
    Mr. Alperovitch, we know that foreign actors are 
continuously looking for flaws in our Nation's cybersecurity 
programs with efforts to threaten our data integrity, our 
public health, our safety. China is our biggest global 
competitor, actively engaged in horrible things in their own 
country, stealing our Nation's economic and National security 
secrets, and vacuuming up large swaths of American data for 
nefarious purposes or for their own design. China works 
overtime to get themselves embedded into our information and 
communications technology supply chain.
    Russia had and may still have total access to our 
unclassified Federal networks. It has been reported Iran was 
heavily involved in a misinformation campaign surrounding the 
2020 election.
    Congress is constantly talking about a deterrent strategy 
regarding cyber campaigns. It is critical that the United 
States imposes real costs on these cyber adversaries to attempt 
to defer future attacks.
    Personally, I think we should strike back in the cyber 
realm. I would like your opinion on that, good sir. In your 
professional opinion, what is the best way to respond to 
foreign cyber attacks?
    Mr. Alperovitch. Thank you, Congressman Higgins. I think 
you hit the nail on the head in terms of the threat 
environment. All of the threat actors--and I would also add 
North Korea--are constantly hitting our networks, they are 
stealing our intellectual property, they are performing 
disruptive attacks, and in some cases, harboring criminal 
groups that are engaged in ransomware operations against our 
hospital networks and small businesses all over this country.
    So we absolutely have to respond. I think we absolutely 
have to strike back, but I think we need to look at the full 
toolkit of our power. Sometimes cyber may be the right tool. 
Sometimes it may be something we do in the physical world, 
whether it be sanctions, diplomatic efforts, or sometimes even 
supporting with military capabilities opponents of those 
regimes, such as, for example, providing military aid to 
Ukraine that we have done to confront what Vladimir Putin is 
doing in that country.
    So I think what we need to do is step back and try to 
figure out what is the best way we can influence the particular 
adversary, and the strategy will be different for each of the 4 
countries that we are dealing with. Sometimes cyber will play a 
role. Sometimes it will be something else, but we shouldn't 
necessarily jump at the tool. We should focus on the overall 
strategy and then figure out which tool works best for it.
    Mr. Higgins. OK. Let me ask you to clarify. How would we--
if we are going to respond in the cyber realm, let's say, if we 
identify a cyber actor, we don't know who that sponsor is, how 
can we tell if it is a nation-state? Do you have confidence 
that with our current technologies and cyber infrastructure and 
the American men and women that are in charge of knowing these 
things, do you have confidence that we can tell the difference 
between a criminal actor operating from within a nation-state 
versus a nation-state-sponsored cyber attack? Do you have 
confidence we can tell the difference?
    If so, why would a solution like a responding cyber 
attack--I have heard it referred to as a cyber bullet--if it is 
going to hit the bad guy, then it hits the bad guy, whether it 
is a nation-state or not, whereas if it is a criminal actor and 
you put sanctions on the entire nation-state, that 
unnecessarily injures our diplomatic relationship with some 
nation-states. In my remaining time, would you respond to that, 
please?
    Mr. Alperovitch. Absolutely, sir. On the first question, I 
do have confidence in the capability of our intelligence 
community. I have worked with them closely over many years, and 
the fact of the matter is, we have better capabilities to 
attribute cyber attack than we have ever had in our Nation's 
history.
    Over the last 10 years, I can't think of a single major 
consequential cyber attack that was not attributed. Many of 
them have been attributed publicly, and the Justice Department, 
the last 4 years in particular, have indicted all of the 4 
major countries--Russia, China, Iran, and North Korea--for 
their malicious cyber activity.
    But even when we don't attribute things publicly, the U.S. 
intelligence community usually knows very, very rapidly, within 
days if not hours, who is responsible, because of the 
phenomenal capabilities we have on tracking cyber adversaries 
and infiltrating their own networks to understand what they may 
be planning to do.
    So I think we do know who they are very well in most of 
these cases, and I think we can craft the right strategies to 
influence their behavior, including in cyber.
    Mr. Higgins. All right. Listen, it is a very important 
subject. I thank the Chairman for holding this meeting, and 
Ranking Member, my colleagues on the committee. We are 
dedicated to addressing this in a bipartisan manner.
    Mr. Chairman, I yield.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentleman from New Jersey for 5 
minutes, Mr. Payne.
    Mr. Payne. Thank you, Mr. Chairman. Thank you, for once 
again being on top of these issues for a decade prior to it 
coming to fruition here.
    Mr. Krebs, during your time at CISA, you launched the Rumor 
Control program. Could you discuss why CISA began the Rumor 
Control program and why it is important?
    Mr. Krebs. Yes, sir. Thank you for that question. So the 
predicate for Rumor Control actually goes back 3 1/2 years or 
so. In the preparation for the 2020 election, the CISA team, 
the Election Security Initiative, working with our State and 
local partners, spent a significant amount of time threat 
modeling how any actor, whether state actor or non-state actor, 
like a ransomware crew, could target and disrupt an election.
    So we had dozens of scenarios that we subsequently 
deconstructed into their component pieces and were able to 
develop defensive strategies, where we could invest, where we 
could increase awareness and training and capacity. Toward the 
end, though, it became clear that in many ways, an actual hack 
was not the greatest concern. Instead, we were thinking about 
perception hacks, where an adversary could claim that they had 
either access to a machine or a minor cybersecurity event could 
be blown out of proportion.
    Rumor Control was intended to provide factual information 
to the public on how elections actually work and the controls 
that are in place, and that software or hardware is not a 
single point of failure in any election and that there are 
controls, like paper-based ballots, in place to ensure the 
security of the election.
    Mr. Payne. Thank you. During the 2020 cycle, we saw a 
significant increase in lies and conspiracy theories during the 
following election. What are the risks of political leaders 
amplifying election misinformation?
    Mr. Krebs. Well, of course any time you have election-
related misinformation, it can undermine the public's 
confidence in the election itself, the democratic process, 
regardless of the source, whether it is domestic or foreign 
interference.
    Again, that was the concept behind Rumor Control in the 
rapid, real-time debunking of some of these themes, like the 
hammer and scorecard machine algorithm that was being 
manipulated by a foreign deceased dictator.
    The point is, we have to get out in front of these rumors, 
this disinformation and misinformation, as quickly as possible 
and inform the American people on how these processes, these 
machines, elections themselves, actually work.
    Mr. Payne. OK, thank you.
    Ms. Gordon, we are still trying to understand the long-term 
damage that Trump's false, incendiary rhetoric around the 
election, coupled with the physical attack he incited at the 
Capitol, will have on the public's faith in our democratic 
processes.
    Ms. Gordon, was there a noticeable spike in chatter to echo 
and amplify ex-President Trump's disinformation narratives?
    Ms. Gordon. Thank you for the question, Congressman Payne. 
So I have been out of the intelligence community since 2019. So 
I am not tracking the information, but let me give you a little 
bit of perspective.
    We know that our adversaries, particularly Russia, but not 
exclusively Russia, have as their strategic imperative to 
undermine democracy, to use any means that they can since the 
Cold War to be able to insinuate themselves into any rift that 
they see to exacerbate that problem.
    So there will be--our adversaries will use that moment to 
do 2 things. No. 1, amplify messages that are destructive. Then 
the second is to take those images and hold them up globally to 
suggest that what we have long said we were is, in fact, not as 
good as what they have.
    So the global impact is also present in addition to their 
using those events to try and further create risk. That is why 
this notion of protecting the digital space has to include 
disinformation, because what we saw was that----
    Mr. Payne. Yes.
    Ms. Gordon [continuing]. Is as dangerous as anything else. 
Thank you for your question.
    Mr. Payne. Thank you. So, basically, the treasonous 
insurrection that we saw on the 6th plays right into our 
opponents' hands, correct?
    Ms. Gordon. The activities that we have seen where we turn 
on ourselves are very useful to our adversaries.
    Mr. Payne. Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. Thank you. The gentleman yields back.
    The Chair recognizes the gentleman from Mississippi for 5 
minutes, Mr. Guest.
    The Chair will recognize the gentleman from California, Mr. 
Correa, for 5 minutes.
    Mr. Correa. Thank you, Mr. Chairman. Can you hear me OK?
    Chairman Thompson. Yes, we can.
    Mr. Correa. I wanted to thank you and Mr. Katko for holding 
this most important hearing. I wanted to essentially say that 
just listening to our witnesses speak today, I ask myself, how 
did these folks acquire the weapons, the tools to such, with 
ease, penetrate our defenses in terms of cyber?
    You know, as I think back at the history of this country, 
as we dealt with the Soviet Union, we used to have this concept 
called mutually assured destruction, which is, you attack us--
you won't attack us because we can attack you back, and the 
cost is just too expensive.
    Today, like Mr. Alperovitch said, you got China, Russia, 
Iran, North Korea, that essentially attack us, and essentially 
their folks in their area attack us with impunity. So my 
question is, what is it that we can do to essentially establish 
a policy of deterrence?
    Because, in my opinion, these attacks should, in all sense 
and purposes, constitute a declaration of war on the United 
States. What are we doing? What can we do to stop these 
attacks? What is the deterrence that we can develop, can use, 
to have these folks that are essentially operating out of 
countries like Russia from attacking us?
    I will start out by asking Ms. Gordon to answer that 
question or any comments you may have.
    Ms. Gordon. I think it is the perfect question. Thank you 
for asking. I will give a start, and I will let my colleagues 
add on.
    I think we have already given you some of the groundwork. 
No. 1, you can't stop all activity. You can't. So here is what 
you can do. You can increase the cost of attack by doing the 
simple things to make yourselves more secure, so you don't get 
nuisance activity.
    The second is, you can understand--I hate the use of the 
word ``red line,'' but you can understand what the impacts are 
to our society that we cannot tolerate and build policy around 
if those lines are crossed, we will respond.
    Then the third is--and I think everyone has said the same 
thing--don't think of cyber action requiring exclusively cyber 
response. Once you have said what your National interests are 
and that those must be protected, you can find a whole range of 
solutions. Cyber may be one of them, but that can't be the only 
one.
    I yield to my friends.
    Mr. Correa. Mr. Krebs.
    Mr. Krebs. Yes, sir. Well, just to build on a little bit of 
what Ms. Gordon said, you know, particularly emanating from 
those 4 countries--China, Russia, Iran, North Korea--the 
behavior will continue until the leadership has decided that it 
cannot tolerate further behavior.
    I think there are still options on the table for more 
destructive attacks and more brazen attacks, particularly for 
Russia. I don't think we have hit the upper limit of their pain 
threshold. For instance, working, I think, with our allies, 
with the United Kingdom and elsewhere, where there are Russian 
ex-pats, Russian oligarchs, that have a significant amount of 
money, you start turning the screws on those individuals, and 
they will go back to the Kremlin and you may see some behaviors 
change.
    Mr. Correa. Mr. Krebs, we have heard this suggestion a 
number of years ago in this committee. You go after their 
pocketbook, you go after the oligarchs. Yet this has not been 
used. What has been deterring our country from using those 
kinds of weapons, which is, you hit them at the pocketbook? 
Excellent solution. Why do you think we haven't used that?
    Mr. Krebs. I think that we have used some significant 
amount of sanctions, penalties against Russian actors, but this 
is not a single country effort. We have many allies and many 
friends that we need to partner with. I already mentioned the 
United Kingdom and the significant amount of Russian capital 
that has flowed into London and elsewhere.
    We have got to go shoulder-to-shoulder with our 
adversaries, but at the same time, recognize that there are 
certain behaviors that, unfortunately, are within the realm of 
acceptable cyber behavior, and to a certain extent, that is 
going to continue to be espionage targeting, for instance, 
Federal agencies, not that it is OK, but those are the rules of 
the road right now.
    Mr. Correa. Thank you.
    Mr. Daniel.
    Mr. Daniel. Well, I would say that to some degree, we 
actually have achieved some degree of deterrence, meaning that 
we have not seen widespread destructive attacks carried out 
against the U.S. power grid and other systems. So we have 
achieved a level of deterrence. But I think what you are 
referring to, Congressman, is that we--the level of activity 
that we have not been able to deter is still too high.
    So I think that the way that I would frame it up is that we 
have to continue both increasing the costs from deterrence by 
denial, meaning that--and this was something the Solarium 
Commission talked a lot about--of, you know, making our systems 
harder, but also in figuring out creative ways to disrupt what 
the adversaries are doing. Maybe that is, you know--in the 
criminal networks, that may be going after the money flows, 
particularly going after cryptocurrencies, like Dmitri was 
talking about. Or in the nation-state context, we have to put 
it into that geostrategic context that Dmitri was talking about 
and figure out how to raise the cost on our adversaries in a 
way that causes them to change their behavior.
    Mr. Correa. Mr. Daniel, excuse me. You talked about 
cryptocurrencies----
    Chairman Thompson. Mr. Correa, your 5 minutes are up. I am 
sorry.
    Mr. Correa. Thank you very much, Mr. Chairman. I yield.
    Chairman Thompson. The Chair recognizes the gentleman from 
New Jersey, Mr. Van Drew, for 5 minutes.
    Mr. Van Drew. Thank you, Chairman and Ranking Member. I 
think it is good that you put this meeting and discussion 
together.
    Cyber threats pose a great risk to our Nation, whether 
attacks on State and Federal Governments, businesses, or even 
our hospitals. America is the focal point of the attacks. Our 
adversaries are more capable than ever to cause damage to our 
country. This poses a significant threat to our critical 
infrastructure, supply chains, and even elections.
    Every day we face attacks from Russia, China, Iran, and 
North Korea. In our last election, we were victims of cyber 
attacks from some of the world's most dangerous adversaries. 
Just a few days ago, hackers infiltrated a water treatment 
plant in Florida and temporarily increased lye ratios to lethal 
levels.
    In the third quarter of 2020, the world saw a 50 percent 
increase in the average daily number of ransomware attacks 
compared to the first half of the year. That is unacceptable.
    As it relates to election security, the cybersecurity and 
infrastructure of CISA has become increasingly important in 
protecting our institutions. As the many bad actors in the 
global landscape continue to adapt in their attacks, we need to 
evolve in our response. We must remain one step ahead of our 
enemies, especially as it relates to election security.
    If we do not have faith in our process, we cannot have 
faith in our country. CISA's role, working with State and 
localities, must continue to grow, so that Americans can have 
confidence in our democracy and assurance that the Federal 
Government is doing all that it possibly can do to protect its 
citizens.
    So I have some questions. One is for Christopher Krebs, and 
you know I always talk about the Coast Guard because we have 
the only training center. Every single individual that is in 
the Coast Guard at some point goes through my district in Cape 
May. How does CISA coordinate with the Coast Guard to promote 
cybersecurity of maritime critical infrastructure? That is for 
Christopher Krebs.
    Mr. Krebs. Yes, sir. Thank you for that question. The last 
administration issued a National maritime cybersecurity 
strategy last year. CISA coordinates very closely with the 
Coast Guard. In fact, Coast Guard service members actually sit 
with CISA and actually support our Hunt and Incident Response 
mission.
    It is a very collaborative relationship between CISA and 
the Coast Guard. The relationship in terms of going out and 
working in the maritime sector at ports, on facilities, and 
then coastwise is a budding relationship that I would suggest, 
again, we need to put more resources against.
    Mr. Van Drew. OK. Which makes sense. But it has been 
fruitful to this point.
    Mr. Krebs. Yes, sir, I think so. If I could just make one 
example based on what Sue Gordon, Ms. Gordon, mentioned earlier 
about our election security efforts. What worked so well there 
is that we brought all of the relevant stakeholders together 
and created almost, as I called it, a mini CISA. So we had all 
elements of CISA, with our stakeholders, really intensely 
focused on the mission.
    But elections is just one of the National critical 
functions. We have to identify that top slice, 15 to 20 top 
National critical functions, highest risk, and create little 
mini CISAs around each and every one of those functions. We can 
make rapid, rapid progress in securing those sectors and 
functions if we take that approach.
    Mr. Van Drew. Good. Thank you.
    For Michael Daniel, the recent incident at the Florida 
water treatment facility shows how vulnerable we are to attacks 
from hackers. What can and should be done to prepare for and 
combat the cyber threat to critical infrastructure?
    Mr. Daniel. Well, thank you, Congressman. I think that when 
you really think about it, there is kind-of, I would say, 3 
things that we need to be doing, one of which is very much 
hardening those systems and raising the level of cybersecurity 
across the ecosystem. That is everything from really thinking 
about cybersecurity in different ways that I was talking about, 
but also employing things like the NIST Cybersecurity Framework 
to do that risk management to those systems. But then also 
going on the offense to find those adversaries and to disrupt 
them and to prevent them from doing what they are trying to do.
    Then also being able to know that sometimes both of those 
things will fail and know that we need to be ready to respond 
and recover. This is where what Dmitri was talking about, those 
time-based metrics of how we need to get better at responding 
rapidly, identifying the malicious activity, containing it, and 
then removing it from those networks, so that we can minimize 
the amount of damage that we take.
    I think--and we need to be doing that, as Chris was just 
saying, across, thinking about that from a National, critical 
function perspective about what is important to our economy and 
to the functioning of this country as a whole. Sometimes that 
will not be obvious from the outside, and it requires thought 
and analysis to arrive at some of those critical functions and 
where they are vulnerable.
    Mr. Van Drew. Thank you. I appreciate all, and I thank you 
for your work.
    I yield back.
    Chairman Thompson. Thank you.
    The Chair recognizes the gentlelady from Michigan, Ms. 
Slotkin, for 5 minutes.
    The Chair will recognize the gentleman from Missouri for 5 
minutes, Mr. Cleaver.
    Mr. Cleaver. Thank you, Mr. Chairman.
    You know, I am going to express appreciation, first of all, 
for you doing this hearing because I think it is right on time. 
I thank all of our very knowledgeable witnesses and articulate 
witnesses.
    I want to thank you, Mr. Krebs, for your integrity. It is 
good for the whole country to see what integrity looks like.
    You know, my concern right now is global versus domestic 
terrorism. You know, we are told by the FBI that the greatest 
threats to our country are coming from within, which one of the 
witnesses has already talked about being one of the goals of 
Russia. So I am concerned, frankly, about whether or not there 
is enough intelligence or data that would allow us to know 
whether the domestic threats coming from various groups around 
the country--around the country are also a cyber threat to the 
country.
    So, Mr. Krebs--I would like to hear all of our witnesses 
just briefly hit on that, the domestic threat and whether I am 
overthinking it to believe that that could eventually become 
one of the greatest threats to us, if not already the greatest 
threat.
    Mr. Krebs. Thank you, sir, for that question. It is not in 
the top, you know, 5, probably, of cyber threats that I am 
concerned about right now. I would actually put at the top of 
my list ransomware, targeting State and local and small and 
medium businesses.
    Part of the reason why domestic cyber threats, from a pure 
sophistication perspective, is that they are not given time to 
root. That is because law enforcement, the FBI, has greater 
authorities here to actually go and grab the bad guy and do a 
perp walk, which is different from how some of those ransomware 
gangs that operate in Russia and Eastern Europe and elsewhere. 
The law enforcement community cannot always reach out and touch 
them.
    So that is a distinct deterrence advantage that we have 
here at home to push back on larger-scale cyber activity. Yes, 
there is always going to be identity fraud and, you know, 
lower-level criminal activity, but really truly National 
security- and economic security impact-level of cyber threat 
domestic, I don't believe that is an immediate threat.
    Mr. Cleaver. Do the other witnesses pretty much agree with 
that or do you have anything to add?
    Ms. Gordon. Congressman Cleaver, I will just add a little 
too. I think Chris is right, but I do think in terms of 
National security threats to the Nation, our own extremism is 
problematic. They may not have any particular advantage in 
cyber right now, but the tools they would need are not elusive. 
As I mentioned before, there are foreign actors who may be very 
willing to provide either their expertise or their resources.
    I absolutely believe that there is hope in what Chris said 
about our natural advantages dealing with our problems 
domestically, but this is a concerning threat and it can use 
cyber capabilities in the same way some of our other 
adversaries can.
    Mr. Cleaver. Well, I don't want my time to run out, so I 
will do this very quickly. I have read that 95 percent of 
cybersecurity breaches are the result of human error, and so--
and this may be horrible-sounding. I genuinely don't mean for 
it to sound this way--but in hearing many of the individuals 
who have been arrested for the January 6 attempted coup d'etat, 
you know, and maybe they were good at science and just not good 
at other things, because none of them have come across, you 
know, like, you know, brain surgeons. I don't know what else to 
say.
    So I am just wondering, if we got 95 percent from human 
error, which is not very much, frankly, you know, in terms of 
how far it could go, I am assuming we only have--it is close to 
zero--zero from them. Mr. Chairman, I will listen to the answer 
and I am out. Thank you for the indulgence.
    Mr. Krebs. Sir, I think that is a fair point that I would 
expand upon my earlier answers, that, yes, there is the 
potential for insider threat, disgruntled employees. When you 
think about what happened down in Florida earlier this week, it 
is very likely that that was, in fact, a disgruntled employee 
that conducted that operation. I think we would leave the 
investigation to finalize that.
    That is why it is so important to have visibility over the 
network, controls in place. To Dmitri's point, you know, if you 
are planning for a broader, you know, assumption of breach 
perspective, you will be able to defend against a range of 
different actors.
    Mr. Cleaver. Thank you, Mr. Chairman.
    Mr. Krebs. But that is a good clarifying point, sir.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentlelady from Iowa, Mrs. Miller-
Meeks, for 5 minutes.
    Mrs. Miller-Meeks. Thank you so much, Mr. Chair, Ranking 
Member Katko, and all of the witnesses who are presenting here 
today. Extraordinarily important topic, and I appreciate the 
ability to both listen and learn.
    Before coming to Washington at the beginning of this year, 
I served as a State senator in my home State of Iowa. Last 
year, the Iowa legislature recognized the importance of 
cybersecurity, and we voted to increase funding for 
cybersecurity initiatives to our DCI.
    All of you in your testimony today have recognized and 
brought up and addressed the importance of a combined effort, 
not solely a Government effort, but also State and private.
    Ms. Gordon, in your testimony, you discussed the importance 
of cybersecurity at the State and the private industry level, 
and I am wondering what Federal resources currently exist to 
help States that want to strengthen their cybersecurity.
    Ms. Gordon. So I think what CISA has done and what Chris 
has done in the context of election security has given a great 
blueprint for State and local to be able to use their resources 
but the wisdom of the Federal to put those 2 things together.
    I think there is probably more we can do. One of the 
thoughts that I have is, as the intelligence community got more 
and more securing itself against this, one of the great 
advantages we had was when we went to cloud computing and away 
from all the small infrastructure that is really hard to keep 
up with and patch.
    I think there is an interesting question to be said with 
whether there is some ability to provide for less advantaged 
localities, some sort of access to broader cloud computing that 
could offer that advantage in the same way. Thank you very 
much.
    Mrs. Miller-Meeks. Thank you so much.
    You all had mentioned seeing boundaries and silos, and, Mr. 
Krebs, you had mentioned--talking about ransomware. We 
certainly have had ransomware attacks in Iowa and, again, put 
legislation to deal with that. So if a State is working to 
prevent ransomware attacks or if they are currently 
experiencing a ransomware attack, what assistance or guidance 
is the State able to receive from the Federal Government, 
should the Federal Government provide assistance, and what does 
the process look like for a State seeking guidance?
    Mr. Krebs. Yes, ma'am. Thank you for that. Ransomware is 
a--I think we are on the verge of a global emergency. The rate 
at which we are seeing State and local governments get hit is 
truly frightening.
    CISA, over the last 2 years, working with the FBI and other 
law enforcement partners, has kicked off a ransomware awareness 
campaign. I think we actually need to do more, though. I think 
we need to have a joint public-private sector initiative, like 
the Institute of Security and Technology's Ransomware Task 
Force, where everyone comes together across technology sector 
and Government to make things better.
    But to start, we have to improve defenses. State and local 
governments simply cannot protect themselves. There is too much 
legacy infrastructure out there, still too much reliance on 
single-factor authentication like passwords.
    We have to make that generational leap in technology. The 
Federal Government has to help here. I think we have to either 
match what the Homeland Security grant programs have done for 
counterterrorism or we have to go even further. I think with 
COVID, remote work force, digital transformation, in a 
subsequent funding stimulus bill, I think we have an 
opportunity to put a lot of really meaningful, impactful 
resources into the hands of State and locals, to upgrade their 
systems, to improve citizen services, and ultimately secure 
against this on-going scourge of ransomware.
    Mrs. Miller-Meeks. Mr. Daniel, would you have anything to 
add to that?
    Mr. Daniel. I think it is absolutely right that State and 
local governments, not only in dealing with ransomware, which I 
completely agree with Chris, that we--I think, you know, that 
has moved into the realm of National security and public health 
and safety threat, that we very much have to deal with. We need 
to provide a lot more resources to State and local governments 
for them to both defend themselves and to remediate and have 
options other than paying the ransom if they do get hit with 
ransomware. They really need to have that option.
    But I also think we need to be looking at how we work with 
State and local governments to be ready to respond to other 
kinds of disruptive and potentially destructive attacks to our 
critical infrastructure. There is some work being done by a 
group called the New York Cyber Task Force that will be coming 
out later this spring that will look exactly at that topic.
    Mrs. Miller-Meeks. Great. Thank you so much. I appreciate 
all of the testimony from the witnesses, and again, very 
important topic and very timely.
    Thank you, Mr. Chair. I yield back my time.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentlelady from New York for 5 
minutes, Ms. Clarke.
    Ms. Clarke. Thank you very much, Mr. Chairman. Let me thank 
our witnesses for their expert testimony here today.
    Let me just say that the Federal Government is really 
making up for lost time.
    I am sorry, Mr. Chairman, my--somehow I--my technology just 
failed on me. Would you give me 1 minute?
    Chairman Thompson. We can hear you loud and clear.
    Ms. Clarke. OK. One moment, sir.
    Chairman Thompson. We can actually hear and see you.
    Ms. Clarke. OK, very well. Just I am trying to actually 
return to my questions.
    I am sorry, Mr. Chairman. I just--my technology is failing 
me today.
    Chairman Thompson. Well, I tell you, if the gentlelady from 
Nevada will step in, we will come back to you.
    Ms. Clarke. That will be fine, Mr. Chairman.
    Chairman Thompson. The Chair recognizes the gentlelady from 
Nevada for 5 minutes, Ms. Titus.
    Ms. Titus. Thank you, Mr. Chairman. I could never fill the 
shoes of my predecessor there, but thank you for letting me go 
ahead.
    I would just like to shift the attention a little to work 
force needs. If you covered this when I was in T&I markup, I 
apologize, but I don't think so.
    You know, this is one of those areas where the need 
outraces the supply in the case of people who are qualified to 
do this work. There was a study that was released last fall 
that showed that 880,000 professionals work in cybersecurity, 
but there is a work force gap of about 350,000. I know here in 
Nevada, we have approximately 2,700 unfilled cybersecurity 
jobs.
    We are seeing more colleges and universities get involved 
in this kind of training. In fact, UNLV has a new partnership 
with what they call HackerU to start training some of these 
folks and fill in this skills gap.
    I wonder if our panelists, starting with Mr. Krebs, could 
address this shortage and what we might be able to do to help 
fill it at the Federal Government assistance or encouragement 
or information that will help us find the people who can do 
these very important jobs that y'all have been discussing.
    Mr. Krebs. Yes, ma'am. Thank you for the question. I think 
about that as a today problem as well as a tomorrow problem. 
Starting with the tomorrow problem, we have to continue 
increasing digital literacy and supporting K-12 education, STEM 
education, including thinking in security principles.
    You know, I have 5 kids. I have talked about this in 
numerous hearings before. In the public school system, I see 
that they need more science, technology, engineering, 
mathematics education.
    To the today problem, though, I think the people are there, 
the potential work force is there. We just need to make it more 
accessible. I do think, though, that the pandemic and the 
remote work force has actually given us--or at least a glimmer 
of hope.
    Traditionally, in the information security community, there 
are annual conferences all over the place, all over the 
country. They cost money to attend, to fly to, all those 
things. Most of them have gone on-line, and many of them have 
been free and open to the public. That has been a significant 
barrier reduction to opening up access to education, training, 
and awareness. So we need to keep that going.
    We also need to, through the Federal Government, provide 
pathways to cybersecurity positions. I know at CISA, we were 
trying to expand our recent graduates and current students 
internships and hiring. That is a--working with the Scholarship 
for Service Program, we can actually help augment tuition 
assistance. That, to me, is a great opportunity to bring people 
in to the government, train them up for 3 or 4 years, and then 
give them the opportunity to go back out into the private 
sector.
    That actually gives us a couple advantages. One is that we 
have a degree of standardized training, but we also now at 
CISA, we have an alumni network. So if they go out into the 
critical infrastructure community, they know how to work with 
CISA, and they have actually a preference to work with CISA. 
Those are just a couple examples right now that I think that we 
can do more of.
    Ms. Titus. I would think this would be an area where 
veterans might play a role, that we might take advantage of 
some of their skills and knowledge.
    Mr. Krebs. Yes, ma'am. In fact, CISA hired a significant 
number of veterans, but also there are private-sector programs. 
There is the Cyber Talent Initiative, the CTI, that a number of 
private-sector corporations have participated in, as well as 
Microsoft has a dedicated military veteran program, where they 
train up over a course of weeks and offer interview for 
positions those that finish the program.
    Ms. Titus. Well, thank you.
    Anybody else want to add to that?
    Ms. Gordon. Yes. Representative Titus, great question. To 
add on 2 ends of what Chris shared, totally agree with the 
educational aspect, starting in K-12.
    I also think we need to add to that just the realities of 
operating in a digital world. So remember the D.A.R.E. Program 
we had countering drugs in the schools? Where is that, to have 
people understand what is happening to them in a connected 
world and the social responsibility?
    So I think there is a piece of that education of--kind-of 
like ethics of being in and protecting yourself in a digital 
environment that would be a good add.
    The second is, I think we are missing at the top end of 
organization, so not just the workers but the top end, a 
digital literacy that allows leaders and decision makers to 
understand what is at risk and what their responsibility to 
devote resources.
    So instead of just leaving it to their technical teams, I 
think we need an educational effort focused at leaders. So I 
can bracket the education.
    Then I think there is a real opportunity, as the Federal 
Government doesn't just throw knowledge and requirements over the 
transom to localities, if we start engaging with local and 
regional activities to bring capability in and spawn regional 
capability, that is going to be an attractant for developing 
the jobs that will keep people locally, not just suck them all 
in to a Federal, centralized thing. So I think there are some 
really good opportunities for us to incentivize those sets of 
things.
    Ms. Titus. Well, thank you. I would like to work with you 
on that, and I appreciate it.
    Thank you, Mr. Chairman, and I will yield back.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentleman from Georgia for 5 
minutes, Mr. Clyde.
    Mr. Clyde. Thank you, Mr. Chairman, for having this very 
important hearing.
    You know, we discussed already about the attempt on the 
water supply facility in Florida, and then also in March 2018, 
the Trump administration accused Russia of orchestrating a 
series of cyber attacks that targeted the U.S. power grid.
    My question for Mr. Krebs is, could you estimate how many 
times a day or estimate the scope of how many attempts bad 
actors try when they attempt to breach U.S. critical 
infrastructure networks?
    Mr. Krebs. My dog upstairs is trying to answer the question 
right now. I apologize for that.
    Mr. Clyde. Would you like me to repeat it?
    Mr. Krebs. Would you mind coming back to me?
    Mr. Clyde. Sure, sure, sure, no problem. Could you estimate 
how many times a day a bad actor attempts to breach a U.S. 
critical infrastructure network in our country? Could you give 
us an idea of the scope?
    Mr. Krebs. I will try over the dog's barking. Clearly, 
somebody that is walking dogs on the street.
    It is--when I say try, it is actually really hard to make 
any sort of meaningful quantification. There are both automated 
tools that run on a regular basis looking for vulnerable 
systems connected to the internet, and then there are focused, 
human-powered initiatives or efforts. We are talking--I would 
even, I would hesitate, millions and millions and millions. I 
mean, we are talking just massive numbers of scanning attempts 
on a regular basis. That is just the noise of the internet. The 
more sophisticated, capable efforts are going to be fewer in 
number, going after the bigger fish to catch.
    Mr. Clyde. OK. Thank you very much. I appreciate that.
    My next question is to Mr. Alperovitch. You mentioned in 
your opening statement ransomware. So the best way to reduce 
the threat of an adversary, in my opinion, is to remove the 
incentive. You know, as a small businessman, I called it the 
economic sword.
    I understand that bitcoin is a primary way that many 
ransomware bad actors want to get paid. So could you tell me, 
is there a way to minimize or eliminate simply the ransomware 
bad actors' ability to get paid?
    Mr. Alperovitch. Congressman, that is an excellent 
question. It is no coincidence that the explosion of these 
ransomware attacks occurred about 10 years ago when we saw the 
emergence of these cryptocurrency platforms like Bitcoin, which 
enabled these criminal actors to collect ransom anonymously.
    So, previously, before the emergence of cryptocurrency, to 
get a ransom, you literally had to provide the wire 
instructions for your bank to get the ransom or a place where 
someone could send you a check. As you can imagine, law 
enforcement could easily track that down and get that criminal 
arrested.
    Mr. Clyde. Exactly.
    Mr. Alperovitch. With cryptocurrency, they could do it 
anonymously.
    So I believe that de-anonymizing these types of 
transactions through know-your-customer regulations that the 
Treasury Department can implement can absolutely take the 
oxygen out of this ransomware fire and totally disrupt their 
business ecosystem.
    I think Congress should absolutely be looking at that. I 
know Treasury has put out regulations back in December, 
proposed regulations, in this sphere. I think Congress should 
be supportive of that.
    Mr. Clyde. So you think that would be a very important 
aspect of the cybersecurity solution.
    Mr. Alperovitch. I think that can totally disrupt the 
business ecosystem for these criminal operations and can 
significantly dampen the number of attacks we are seeing 
against our small businesses and hospitals and the like.
    Mr. Clyde. Right. OK. Thank you very much. I appreciate 
that.
    Mr. Chairman, with that, I yield back.
    Chairman Thompson. Thank you very much.
    The gentleman yields back.
    The Chair recognizes the gentlelady from New York, Ms. 
Clarke, for 5 minutes.
    Ms. Clarke. Thank you, Mr. Chairman. I think I have got it 
this time. I want to once again thank our expert witnesses.
    I think what we have heard today is that in the 21st 
Century the line between the physical world and the digital 
world just keeps growing slimmer. When it comes to homeland 
security, malware can disrupt our critical infrastructure as 
effectively as a bomb, and hacked data can be a more effective 
tool of espionage than a human source.
    There is a reason that this is one of the very first 
hearings that we have held this Congress. It is because cyber 
threats are no longer a risk for tomorrow. Our day of reckoning 
has arrived. The SolarWinds breach was far from an isolated 
incident. From the OPM hack to relentless attacks against the 
private sector, IP networks are the new battlefields and have 
been for some time.
    As Chairwoman of the Cybersecurity Subcommittee, I believe 
we are overdue to reimagine DHS and make it reflect this 
reality. It is time to stop spending money on walls that divide 
us and more money on firewalls that protect us.
    Fortunately, President Biden has made it clear from the 
start that he is taking a different approach, nominating 
seasoned experts to National security positions across the 
Federal Government and the White House who recognize the need 
for a whole-of-Government approach to cybersecurity.
    I look forward to working with him to defend American 
networks and not just at the Federal level but also, as has 
been stated by numerous of my colleagues, at the State and 
local level and in the private sector. Nothing less than our 
National security depends on it.
    With that, I want to turn to my questions.
    As a Nation, we have no way of knowing how much of our 
critical infrastructure has been compromised by hostile nation-
states like Russia through cyber hacks like SolarWinds unless 
individual companies decide to come forward voluntarily.
    As Chairwoman of the Cybersecurity Committee, I have been 
following the conversation about requiring critical 
infrastructure owners and operators to report when they 
experience major cybersecurity incidents, as the Cyber Solarium 
Commission recommended last year.
    So, Mr. Krebs, would you have been better equipped to carry 
out our mission as CISA director if you had access to detailed, 
thorough data on successful cyber intrusions targeting critical 
infrastructure?
    Mr. Krebs. Yes, ma'am. Thank you for that question.
    I certainly think it would be helpful to have, or at least 
in terms of significant cyber compromises, an after-action 
process that is, you know, almost a no-fault exercise and not 
constrained by litigation concerns and things of that nature, 
where you could actually get to the root cause of what happened 
and then share findings, even maybe in an unattributed way, 
with the rest of the private sector.
    We have to learn from our past mistakes, or we are going to 
keep repeating them. We also have to really, really emphasize 
knowledge transfer from the haves that have invested to the 
have-nots that are either yet to invest or, you know, beginning 
to realize where they fit in the ecosystem and they want to be 
better corporate citizens and understand their responsibilities 
to the economy.
    Ms. Clarke. Thank you.
    Mr. Daniel, you mentioned the need to create standards of 
care for private-sector critical infrastructure. Can you 
elaborate upon what those standards should look like?
    Mr. Daniel. Yes. Thank you, Representative Clarke.
    I think those standards are going to vary depending on the 
industry, depending on the size of the company, depending on 
what functions it performs and their criticality to the overall 
infrastructure.
    But we have these standards in many other kinds of areas, 
like safety and how you treat customer data and things like 
that in other areas. What we need to start doing is extending 
that into cybersecurity so that companies know what their 
responsibilities are.
    That will also help cut down on that litigation that Chris 
just referenced. Because if they know that they are reaching 
that level of standard of care and they are exercising that as 
due diligence, then they won't be as worried about reporting 
and communicating with the Government.
    Ms. Clarke. Thank you.
    Mr. Krebs, I just want to take the opportunity to thank you 
for doing the right thing during your tenure at CISA and 
refuting Donald Trump's lies and disinformation about the 2020 
election.
    Do you believe you were fired because you created the 
``Rumor Control'' blog and made public statements affirming the 
integrity of the election?
    Mr. Krebs. Thank you for the question, ma'am, and thank you 
for your kind words. I, you know, can't attribute any specific 
motivation to my firing other than what was in the 2 tweets and 
the fact that the President seemed to believe that the 
statement that it was a secure election was, in fact, 
inaccurate.
    Ms. Clarke. Well, thank you, Mr. Krebs.
    Mr. Chairman, I yield back. Thank you very much.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentleman from Texas for 5 
minutes, Mr. Pfluger.
    Mr. Pfluger. Mr. Chairman, thank you very much for this 
hearing, and Mr. Ranking Member. I appreciate the opportunity.
    For the witnesses, thank you for taking the time in a very 
important time.
    You know, cybersecurity and the cyber world affect every 
single American. As somebody who spent 20 years in the military 
flying the most advanced piece of weaponry, we don't fight our 
wars without cyber help, without, as has been mentioned, the 
comparative advantage.
    What I would like to kind-of focus on right now is the word 
``competitive'' advantage.
    Ms. Gordon, I appreciated hearing your thoughts on how 
there is not just one solution, you know, for us as a country 
to remain secure in the cyber world, and it is going to take 
State and local, international partners, our Federal 
Government, private industry. These partnerships are extremely 
important.
    In my district, Angelo State University is seeking to 
become a cyber center of excellence. This is a Hispanic-serving 
institution, in academic year 2021 and 2022 should be a 
minority-serving institution. We are in a rural area. So the 
uniqueness of Angelo State University in the seeking of being a 
cyber center of excellence is one of those pieces of the 
solution and that layered defense, that model.
    When it comes to competitive advantages, just like the 
gentlelady from Nevada, I am worried about our education system 
and the lack of preparing. As somebody who graduated from a 
military academy, studying military tactics is extremely 
important.
    Ms. Gordon, I would like to hear your thoughts on what can 
be done at the university level to really empower these 
universities and higher education to focus on STEM. As one 
report shows, our students in math and science are ranked in 
the bottom 50 percentile, you know, for STEM education. I know 
this has been mentioned, but what can we do to empower these 
universities to continue to improve the quality of education?
    Ms. Gordon, to you.
    Ms. Gordon. Well, thank you, Congressman. That is a great 
question.
    I love hearing what is going on at your university. A good 
friend of mine is Dr. Heather Wilson at UTEP, and she makes the 
exact same point about the remarkable opportunity we have at 
several institutions if we put our focus, give them some 
resources, inspire them with need. I think we have the raw 
material; we just have to apply it to the problem.
    So I think there are 3 things you need to do--we need to 
do.
    No. 1, I think we are already starting to do it, and that 
is to talk about these things as Nationally important, not just 
a question of economics, not just something elusive, but 
actually how important this is to our Nation. So, be expansive 
about the threats we have, the threats to and through 
information, and what can be done. Let's get people wanting to 
participate in that.
    No. 2, I think we see a whole bunch of private-sector 
companies who are recognizing their social responsibility. 
Let's do some things to inspire them to continue to invest not 
only in products and services but in the humans that are going 
to make them run.
    No. 3, I think that, as the Federal Government, as you all 
consider what can be done to couple National wherewithal to 
local action--and with what we have learned about COVID, about 
distance learning, I think we have the opportunity to not have 
to have everyone move to one place to participate but you can 
participate where you are.
    I think the United States has tremendous advantage. Open 
systems, competitiveness, innovation--those are all watchwords. 
Get it applied to this problem, and I think we will be all 
right.
    Mr. Pfluger. Thank you, Ms. Gordon.
    Mr. Alperovitch, quickly in the remaining time, when it 
comes to critical infrastructure, critical vulnerabilities, I 
am very worried about not only the water system, as we have 
heard, but also the delivery of our energy--in my case, oil and 
natural gas and the delivery systems.
    How do we harden those systems? How do we protect those 
systems?
    Mr. Alperovitch. I think we absolutely have to focus on 
this. I am actually on the board of a company called Dragos 
that focuses on these very issues.
    I think that, when you look at the oil sector, you look at 
our manufacturing sector, frankly, industrial control systems 
are very vulnerable. We have not focused on protecting those 
systems.
    We need a different approach to the one that protects the 
enterprise networks, sort of our laptops and servers, to the 
way we protect our systems that interact with the physical 
world, and this absolutely needs to be a Government focus, sir.
    Mr. Pfluger. Thank you.
    Again, to all of you, thank you for thinking outside of the 
box. This is a huge issue.
    Mr. Chairman, Ranking Member, thanks for the time to focus 
on something that will keep all Americans safe, especially 
those things that are providing services and educating our 
children.
    With that, I yield back.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentlelady from Nevada--I am 
sorry--New Jersey for 5 minutes, Mrs. Watson Coleman.
    Mrs. Watson Coleman. Thank you, Mr. Chairman. Thank you for 
having this hearing.
    To each of the individuals who have participated, thank you 
for the information you shared. I am learning a lot. I have a 
lot to digest. This is really quite extensive, quite concerning 
on so many different levels, and quite new to me, actually.
    Mr. Krebs, let me just say to you also, I thank you for 
your integrity as well.
    Mr. Krebs, let me ask you the first question. There was a 
proposal that was offered today to make the CISA director the 
chief information officer or the chief of the information 
sharing for all of the agencies. Do you think that that is a 
good idea?
    Mr. Krebs. Yes, ma'am. There is a Federal chief information 
security officer that resides within the Office of Management 
and Budget. That function really is a policy-setting role, and 
then CISA is in a policy-enforcement role.
    I think if we can expand the resources, capabilities, and 
ability to actually--well, frankly, get agencies to improve 
their security through resources and capabilities, then I think 
we are going to be in a much better place.
    Mrs. Watson Coleman. So do we still have an issue with 
agencies feeling very proprietary over information in their 
jurisdiction and not sharing it in an interagency capacity?
    Mr. Krebs. I think there are a couple issues here.
    One is that privity of contract between agencies and their 
vendors prohibit CISA, for instance, from getting information 
on incidents. In some cases, particularly in some of the recent 
hacks, I had heard--because they happened after I left--that 
when CISA tried to ask a vendor for information, the vendor 
would say, ``I am sorry, I can't give you that, that is up to 
the agency to give you that,'' and then the agencies don't 
always turn that over. So we need to change that and put CISA 
as a part of the contractual relationship.
    But any way you cut it, when an agency is responsible for 
their networks, they are always going to have a sense of 
ownership and proprietary responsibility. We have to change 
that model. We have to make it easier for them, where they 
don't have to hire, where they don't have to invest their own, 
where it is already provided for and it is a turnkey solution. 
That should free up the chief information officers to focus 
more on citizen services and actually delivering value to the 
American people.
    Mrs. Watson Coleman. OK. Thank you.
    I think this is to Mr. Alperovitch.
    You talk about accelerating the detection, investigation, 
and mitigation by increasing the metrics. Is anything needed in 
that regard other than additional resources? Is the capability 
for the agencies to do that already in existence? Is that a 
resource issue?
    Mr. Alperovitch. I think it is a resource issue, but it is 
also a policy issue.
    I think Congress should absolutely require agencies to 
start tracking those metrics every single year, report them to 
CISA, report them to OMB, report them to oversight committees, 
so that you actually would have the information needed to 
understand how well are agencies doing in detecting and 
investigating and responding to sophisticated adversaries and 
what more needs to be done.
    Also borrow from examples of agencies that are doing really 
well and trying to make sure that everyone else adopts those 
types of strategies broadly.
    Mrs. Watson Coleman. Uh-huh. Thank you very much.
    Mr. Daniel, can you walk the committee through the problems 
with the security patches? Those are the updates that you see 
from time to time. Can you talk to us about the frequency of 
them and whether or not this is the best way to have this take 
place?
    Mr. Daniel. Well, certainly.
    So all software comes with vulnerabilities and bugs and 
errors in it. It is just the nature of writing software code. 
So companies that manufacture and write that code are going to 
have to update it. So we certainly want the ability to update 
and manage that code, and we want to do that in a fashion that 
is as easy for the customers to do that as possible.
    One of the problems that we have, though, is that there are 
hundreds of these patches that come out very frequently. 
Different companies and different providers are providing these 
patches on a very regular basis. So the challenge for a company 
is to actually figure out how to implement those patches and do 
so in a way that does not disrupt their business operations.
    So patch management and managing those updates to your 
software is actually a very critical problem for many 
enterprises. We need to work toward making that patch 
management and software management as easy and as transparent 
as possible.
    Mrs. Watson Coleman. Can a trickster encourage you to do 
something that will have a negative impact on your device, and 
you are thinking that is the company telling you to update it? 
Can a hackster or a trickster or whatever do that to you? If 
so, is there something that we should be doing, looking at it 
from a Government perspective, as a standard, as a modus 
operandi?
    Mr. Daniel. Well, certainly, Representative, there is 
always a possibility that an actor will try to trick you, to 
try to scam you into clicking a link that takes you to 
someplace that is not legitimate--that is called phishing--that 
will try to misdirect you and get you to download malicious 
software. But what I would say is that, you know, relying on 
trusted vendors that you know and are relying on the normal 
update process, that is the best way to go.
    Even though we know that there are opportunities, like what 
happened to SolarWinds, for that to be compromised, that is far 
from the most common route, and it is much more common for a 
scammer to try to phish you or trick you in that manner. So I 
still think it is critically important that companies and 
individuals and organizations regularly patch and update their 
software.
    Mrs. Watson Coleman. Thank you.
    Thank you, Mr. Chairman. I have a lot of other questions. I 
know my time is up. I yield back.
    You are muted, Mr. Chairman.
    Chairman Thompson. That is technology for you. It said I 
was not.
    But, Mr. LaTurner, if you can hear me----
    Mr. LaTurner. I can.
    Chairman Thompson [continuing]. I will recognize you for 5 
minutes. Thank you.
    Mr. LaTurner. Thank you, Mr. Chairman. I appreciate it. I 
appreciate you putting this panel together.
    I have appreciated all of your testimony.
    I want to focus primarily on ransomware and specifically on 
its impact on small and medium-size businesses. This is a major 
issue that people are struggling with. I could name several 
just in recent history of businesses that have been dealing 
with this. The ransom was huge sums of money. They felt like 
there were almost no resources, no response, no help--a very 
powerless feeling about how to deal with this.
    So, clearly, we have so much work to do at the Federal, 
State, and local level with governmental institutions. But, 
specifically, Mr. Alperovitch, you talk about passing breach 
notification laws, which make some sense. What else can we do 
to partner with and be a better resource to these small and 
medium-size businesses that don't have the resources and really 
feel helpless in the environment that we are in right now?
    Mr. Alperovitch. Thank you, Congressman LaTurner. I think 
this is a great question, because we really have the haves and 
the have-nots in cyber today, where the big organizations, the 
Fortune 500 companies, are doing just fine, spending resources 
and trying to defend themselves against the sophisticated 
attacks, but the same criminals, the same nation-state actors 
that are going after them are also going after the small and 
medium businesses that really have no capacity, no talent to 
defend themselves against these sorts of issues.
    We need to look very seriously at this problem. I think the 
right way to think about this for small and medium business is 
to try to outsource that capability to a cloud provider or 
another manner of service provider that can be responsible for 
their defense.
    But, as I mentioned previously in my testimony, I think in 
ransomware in particular, which is the No. 1 plague that is 
hitting small businesses, as you mentioned, sir, every single 
day, we need to go after these criminals, we need to shut down 
the ways that they can collect these payments anonymously, and 
prosecute them to the full extent of the law. That is the only 
way that we can get a handle on this problem.
    Mr. LaTurner. I appreciate that answer.
    Mr. Krebs, you talk in your testimony--talk about 
disrupting the business model, which clearly we need to do. So 
if you would talk about that just a little bit.
    But then focus more, if you could, on the section where you 
talk about more aggressive action against ransomware actors. 
You say you are not suggesting extrajudicial kinetic actions 
against ransomware gangs, but authorities available to law 
enforcement and military should be on the table.
    So talk a little bit about the business model disruption 
and then about that, if you don't mind.
    Mr. Krebs. Yes, sir. Thank you.
    On the disrupting the business model, I mean, the simple 
fact right now is that ransomware is a business, and business 
is good. I have said that before; I said it in my testimony.
    Mr. LaTurner. Yes.
    Mr. Krebs. It is simply too easy for criminals to extract 
value. As Dmitri mentioned, it is primarily driven by the 
ubiquity of cryptocurrencies and the ability to anonymously 
transact illicit activities.
    So I think, in part, what Treasury did last year with the 
OFAC notice that it is, in fact, a possible sanctions violation 
to pay ransom to a sanctioned entity, like Ryuk, the Ryuk gang, 
that should have a chilling effect.
    I think there are other mechanisms that we can take a 
harder look at. If I said--I meant--I think I said last year.
    So there are some other things--you know, how we facilitate 
the payment beyond cryptocurrency. Should it be legal to pay 
ransoms? When you think about terrorism and ransom of 
terrorists, that is typically unlawful. So I think we need to 
have a policy conversation about whether it is in fact legal to 
pay criminal gangs a ransom.
    So, to your last point of additional action, we have 
already seen a couple cases over the last year, most recently 
in the last month or so, targeted action by law enforcement 
against the Emotet malware infrastructure. Last year, we saw 
Microsoft go after Trickbot and their infrastructure.
    We need to have coordinated activities--law enforcement, 
informed by the intelligence community--to go after the actual 
infrastructure and the people that are conducting these 
activities.
    Again, to the extent we can put hands on them and arrest 
them, that is a good thing. That takes an exceptional length of 
time. So, if we can take down the processes and the 
infrastructure by which they conduct these activities, that has 
to hold the ground until we can lock them up.
    Mr. LaTurner. Thank you, Mr. Krebs, Mr. Alperovitch, and 
all the conferees.
    Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentlelady from California for 5 
minutes, Ms. Barragan.
    Ms. Barragan. Thank you, Mr. Chairman.
    Thank you to our witnesses.
    In 2018, the maritime sector saw 2 massive ransomware and 
malware attacks on the maritime industry, impacting the ports 
of Barcelona, Spain, and San Diego, California.
    These attacks seem to be focused and potentially made 
increasingly easier as the convergence of information 
technology, or IT, and operational technology, OT, systems 
become more integrated. According to varying industry reports, 
the number of maritime-focused cyber threats and incidents has 
risen by as much as 900 percent.
    These cyber attacks have great economic impact to maritime 
ports, especially those that are integrated into our 
transportation networks. These attacks can cause reputational 
harm, financial loss, and even physical damage, especially in 
the cases of compromised dockside equipment or vessel.
    The Port of Los Angeles, in my district, has invested to 
create a cybersecurity operation center and has a dedicated 
cybersecurity team whose role is to protect the cyber aspects 
of the port. To create additional centers and resources will 
require investment by Federal, State, local, and private 
industry partners. Without such investments, this will greatly 
cripple and potentially hinder American supply chains and 
response efforts to catastrophic events like the COVID 
pandemic.
    Mr. Krebs, if I can come back to you on this, what can 
ports be doing right now to ensure their maritime cybersecurity 
preparedness?
    Mr. Krebs. Yes, ma'am. Thank you for that.
    So, partly, they can work with companies, like Dmitri 
mentioned, Dragos and some other vendors, that can help them 
understand what their environment looks like, the controls they 
need to put in place to secure their systems, to lock them 
down, to disconnect if at all possible. But that is not always 
possible, because you need, a lot of times, remote access.
    The bigger issue, though, here is that, you know, we have 
to have this balance of stopping the adversary as best we can 
alongside improving defenses. So it is not a, you know, just 
invest in defenses, and it is not just an invest in offense; it 
has to be a more equitable balance.
    I think, historically, we have over-invested or, at least, 
principally invested in offense, and we have to ramp up 
defensive investments going forward.
    Ms. Barragan. So, just to follow up on that, should 
operation centers like the one at the Port of Los Angeles be 
considered for Federal grant funding, such as, like, State 
homeland security grant programs, emergency preparedness grant 
programs?
    Mr. Krebs. Yes, ma'am. I know that L.A. city cyber fusion 
or cyber intelligence center was funded by Federal grant, and I 
thought the port center was as well. But I think that is a 
fantastic innovation, in terms of pulling all the stakeholders 
together enterprise-wide to be able to manage risk to 
environments.
    Ms. Barragan. Great. Thank you very much for that.
    It is clear from recent events that the United States must 
improve its ability to respond and recover from a significant 
cyber event. Part of that effort must focus on partnering with 
private-sector owners and operators of critical infrastructure. 
In the aftermath of a cyber event targeting the electric grid, 
for example, there is a real question about whether there are 
sufficient laws in place to allow a grid operator to cooperate 
with the Federal Government to prioritize power restoration to 
a critical facility such as a military base.
    Last year's U.S. Cyberspace Solarium Commission report 
recommends that, to address this concern, Congress should pass 
a law specifying that entities taking or refraining from taking 
action at the direction of any agency head should be insulated 
from legal liability.
    Mr. Krebs, would this type of Congressional action help 
reduce barriers to cooperation between the Federal Government 
and the private sector during a cyber event? Are there any 
steps that you recommend Congress should take?
    Mr. Krebs. So, as I recall, that recommendation was based 
on the Federal Government asking a company, for instance, to 
take certain action or allow an adversary to continue their 
activities for observation or for their monitoring purposes, 
and that could result in downstream damages to customers or 
people.
    So I think that is a balance of equities, of trying to 
understand and stop the adversary versus protection. So I think 
that is a nuanced approach. I think we have to be very careful 
with that approach. But I think, again, going forward, we have 
to have a better understanding of where the riskiest bits of 
our Nation's economy, our infrastructure are.
    One of the aspects of the Solarium that I really liked was 
the continuity-of-the-economy effort. That was built, in part, 
on the National critical function work out of the National Risk 
Management Center.
    We don't have an in-depth enough understanding of how our 
economy truly works. Until we get there, we are not going to be 
able to invest smartly enough in terms of how we are organizing 
collectively for security.
    Ms. Barragan. Great. Thank you for that.
    With that, Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentleman from Michigan, Mr. 
Meijer, for 5 minutes.
    Mr. Meijer. Thank you, Chairman and Ranking Member.
    Thank you to all our distinguished guests who are on the 
call right now.
    I want to touch upon briefly some of the conversations that 
we have been having around cyber hygiene and, specifically, an 
analogy that came up in some of the prepared statements and 
that I think is just broadly in the ether around a cyber Pearl 
Harbor.
    Now, I guess my specific question--and I would like if Mr. 
Krebs could look at this first. When I think of the analogy of 
cyber Pearl Harbor, you know, we think of just kind of, like, a 
massive attack. But, you know, if you are going to face an 
attack, you know, our military is able to prepare itself--you 
can have radar installations, you can send out advanced forces, 
you can figure out how to preempt.
    But I think it was Mr. Daniel who mentioned that we are 
really facing a panoply of problems, right? We have everything 
from nation-states to criminal enterprises, the line between 
which can oftentimes be blurred, to individuals, you know, who 
may be domestic and working in some capacity.
    I guess the analogy that I have just been working with and 
I would love to get some reactions on is more of, how do we 
preempt a cyber Chicago fire? You know, after the Chicago fire, 
you had changes in building codes, you had, you know, 
investments in fire departments, everything from the 
installation of sprinkler systems to, later, smoke detectors.
    You know, although a cyber attack is obviously much more 
intentional, you know, we saw with the breach at the Oldsmar 
water facility, you know, that it was an outdated version of 
TeamViewer that was left on the computers--you know, obviously 
an example of just very poor cyber hygiene and a failure to 
have basic defenses.
    You know, how can we change our thinking on the resiliency 
side to not just be focused on the catastrophic but all of the 
ways in which, short of catastrophe, we can incrementally be 
increasing our overall resiliency?
    I don't know, Mr. Krebs, I would love for you to touch upon 
that and just within the idea of CISA as running point within 
all of those nodes.
    Mr. Krebs. So I think this is an interesting question, and 
it is one that I think has probably been asked in hearings like 
this now for going on 10 years-plus, you know, when are we 
going to see the cyber Pearl Harbor. I am not sure we are ever 
going to see it.
    I think what has happened to date has been sufficient to 
reinforce, you know, the perilous nature of where we are right 
now. I am hoping that, to quote Dmitri, that the Holiday Bear 
campaign, the Russian espionage campaign, is enough for 
Congress to take bold action and change the way that the 
Federal Government does business to secure its own networks--
centralize authorities, provide capabilities that are hardened 
and more defensible, rather than leaving it up to the 101 
different agencies. We have to change the way we act.
    I also hope that the private sector now has had its 
awakening, that there are software companies, enterprise 
software and enterprise services, out there that have all of a 
sudden realized that, ``Oh, my goodness, I am systemically 
important. I have a significant part of whatever segment or 
market that I am in, and if I am going to have a bad day, there 
are hundreds and thousands of people that are going to have bad 
days too. So what do I need to do about that?''
    You need to implement better internal controls and 
transparency on what you are doing to secure your products. But 
you also have to engage in a meaningful way, to Dmitri and 
Michael's point, on operational partnerships, getting together 
to study a discrete, specific problem, contribute your 
resources, alongside your peers, in an open information-sharing 
environment where you can actually take real action.
    Again, this is what we did for elections. We brought a 
range of stakeholders in, we were very open about the problems 
that were out there, and then we put collective action against 
that problem and dramatically improved security.
    Mr. Meijer. Mr. Krebs, just as a follow-on, you know, you 
mentioned CISA's budget. I mean, where do you think it needs to 
go to be able to provide that adequate level of security?
    Mr. Krebs. So I think that is in part what I hope we can 
figure out through the NDAA's, kind of, force structure 
analysis. The Department of Defense does this exceptionally 
well. They can tell you exactly what return on investment you 
get from a single unit, and you can do unit-type costing from 
there. This is how DOD works.
    The civilian agencies, DHS in particular, do not take that 
approach. We have to adopt that mindset. That will get us to a 
spot where, whether the budget should be $2 billion, it should 
be $4 billion or $8 billion, we will get there through that 
process.
    But we need more resources, more modern infrastructure. We 
need to implement more modern security controls, like 
protective domain name system, a recursive system that is out 
for bid right now. Those are the sorts of things that we have 
to continue pushing forward.
    I will tell you this right now: We are only going to have 
to spend more. We are only going to have to do more and more 
and more. It is not a one-shot deal. This is going to be the 
rest of our lifetimes.
    Mr. Meijer. Thank you, Mr. Krebs.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the gentlelady from Florida, Mrs. 
Demings, for 5 minutes.
    Mrs. Demings. Mr. Chairman, thank you so very much. I hope 
you can hear me. My connection has not been that great.
    Chairman Thompson. We can hear you right now.
    Mrs. Demings. OK. Thank you so very much.
    Thank you to our witnesses for joining us today. I also 
want to thank each of you for your just absolutely outstanding 
service.
    Several of my colleagues have talked a bit about the attack 
on the water system in my home State of Florida. I know there 
are going to be investigations into that. There are a lot of 
unanswered questions for that because there are multiple 
independent systems that could be a part of the issue.
    But what I would like to ask--and Mr. Krebs or anyone who 
would want to answer this question--do you feel like--I do 
believe this is just the beginning. I think we have been quite 
lucky. Do you think, like, that this attack was more of a--we 
liken it to a burglar trying a doorknob to see how easy it was, 
how quickly they could do it, in preparation for greater 
attacks?
    Anyone who--Ms. Gordon or Mr. Krebs or anyone who would 
like to answer. Thank you.
    Mr. Krebs. Yes, ma'am. Thank you. Yes, I touched on this 
briefly before. I will maybe clarify my earlier comment.
    I think it is possible that this was an insider or a 
disgruntled employee. It is also possible that it was a foreign 
actor. This is why we do investigations. But we should not 
immediately jump to a conclusion that it is a sophisticated 
foreign adversary. The nature of the technology deployment in 
Florida, it is, frankly, not--certainly not where anybody, I 
think, any information security or operational technology 
security professional would like for that security posture to 
be.
    I will also say that Oldsmar is probably the rule rather 
than the exception. That is not their fault. That is absolutely 
not their fault. These are municipal utilities that do not have 
sufficient resources to have robust security programs. That is 
just the way it goes. They don't have the ability to collect 
revenue at a rate enough to secure their deployments.
    As I mentioned earlier, you know, when you have the 
internet, it is supposed to make things easier, it is supposed 
to make things more manageable. So, now that all of a sudden it 
is a security threat, it is almost counterintuitive.
    Also, look, you have to be able to manage this stuff 
efficiently, so we need to have more security controls in 
place. I think there are at least 3 things that we need to do.
    The first is we need to have more Federal funding available 
to get these tens of thousands of water facilities and other 
municipal operational technology systems up to speed with 
better security, more updated systems. Windows 7, if that is 
what they had, we should be on Windows 10. It is those sorts of 
things that we have to do.
    The second is we need more training available. We have to 
bring the training to the systems where they are. So whether it 
is working with private sector or CISA working with the EPA, we 
can't expect these vendors to go to Idaho National Labs or 
travel. We have to bring the training to them.
    Third, to Ms. Gordon's point, we have to have regional 
approaches to better IT technology. We have to have consortia 
that allow for upgrades and maintenance that are available with 
better price, with better cost efficiencies and economies of 
scale. You can pull that together at a State or regional level. 
I think that is going to have to be the future of IT 
deployments for systems like this.
    Mr. Daniel. Just to build on what Chris said, I would say 
that we very much need to keep an open mind until the 
investigation gets further down the road as to who the 
perpetrators behind this might be.
    It could be a nation-state. Iran has shown itself very 
interested in water systems in other countries like Israel and 
even in the United States in former situations. It could be a 
lone actor. It could be a disgruntled employee.
    There is just a wide array of possibilities at this point, 
and we really need to keep an open mind until the investigation 
concludes.
    Mrs. Demings. Right. I appreciate you saying that, because 
relaxing too soon, we know the consequences of that.
    My last question, and I would like to address it to Mr. 
Daniel: You know, cyber attacks, we all know now, are the new 
weapon of choice, whether it is to rob you blind from your bank 
account or to have a major attack. But it does not seem to me 
that we are really prepared for this new weapon of choice.
    Could you just talk a little bit about, you know, 
historically where we are, where we need to go, and did it just 
kind-of sneak up on us, this new weapon of choice, cyber 
attack?
    Mr. Daniel. Thank you, Representative. That is a very good 
question.
    You know, if you actually look at how the internet 
developed and the way that people thought about the internet, 
Chris is absolutely right; it was supposed to be this new 
utopia. It was supposed to bring all these benefits. We didn't 
really think through how it made us more vulnerable.
    We have seen this over and over again, of how the tools 
that were originally built to do good things also turned out to 
enable the bad guys to do malicious things. I think that it has 
taken us a while to sort-of shed that sort-of initial sort-of 
purely optimistic view of everything about the internet being 
good and start to realize that it can also be used for harm.
    In many ways, though, this technology has developed 
incredibly rapidly. You know, it has only really existed in its 
current form for about 25 to 30 years. In policy terms and in 
legal terms and in, you know, sort-of, sociological terms, that 
is actually a very short amount of time. So it shouldn't really 
be a surprise to anyone that we are still trying to figure out 
how to organize and prepare to defend ourselves against the 
threats in this new environment that doesn't act like most of 
the rest of the physical world that we are used to.
    So, yes, in some ways it did sneak up on us, but I think 
the good news is that now we are very much aware of the 
problem. We have committees like this that are focusing on it, 
and we have had a good policy foundation built over the last 
10, 15 years. Now I think we can really start to do a much 
better job of getting our arms around the problem.
    Mrs. Demings. Thank you so much.
    Ms. Gordon. I would add just one more thing----
    Mrs. Demings. Oh, go ahead.
    Ms. Gordon. Yes, I would just add one thing----
    Mrs. Demings. Do I have time?
    OK. Go ahead, Ms. Gordon.
    Chairman Thompson. Go ahead.
    Ms. Gordon. Yes, just one sentence, is that I also think 
that, for too long, we left it to be part of the support 
function and support functions infrastructure. We tend to make 
organizational choices about where we spend our resources, and 
when mission needs dominate, we take money away from those they 
support.
    I think, with these recent events, we have the chance to 
make it a leadership issue. I think the Congress has a chance 
to put this in the forefront of the leadership, not have it be 
a second- and third-order effect that happens in local choice 
about implementation.
    Thank you.
    Mrs. Demings. Again, thank you all so much.
    Mr. Chairman, thank you for your leadership on this. Thank 
you for your patience, and yield back.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the next gentlelady from Florida, Mrs. 
Cammack, for 5 minutes.
    Mrs. Cammack. Thank you, Mr. Chairman.
    Good afternoon to everybody. I would like to thank the 
witnesses for appearing here today before the committee.
    I know that, in a lot of ways, we are beating a dead horse 
here. I think we can all agree on the importance of 
cybersecurity and what lies ahead and the challenges we have. I 
know that our witnesses have explicitly stated or alluded to 
the fact that the interests of the United States, from National 
and homeland security all the way to economic prosperity, rely 
on our cyber capabilities, coordination, and resilience, 
particularly with our critical infrastructure.
    As we have discussed in the hearing here today, 
cybersecurity threats are not only present for large 
corporations or Federal agencies, but these threats exist for 
both large and small businesses; Federal, State, and local 
governments; academic institutions; U.S. critical 
infrastructure; and private citizens across the country.
    I am particularly excited about the hearing today, as I 
have spent 3 years getting my master's at the United States 
Naval War College on this very subject and have been 
identifying and looking for ways that Congress can more 
efficiently address these challenges. So I am very grateful for 
everyone's testimony here today.
    Our witnesses and some of my colleagues on the committee 
have already touched on the recent discovery of the SolarWinds 
intrusion, which officials have confirmed is likely of Russian 
origin and may possibly be the worst intrusion in U.S. 
Government and private networks in our history. I am deeply 
concerned about this attack and plan to work with my colleagues 
on both sides of the aisle of this committee to better 
understand the full scope of this cyber espionage campaign.
    So, turning now, as we look toward cybersecurity challenges 
in the Government and private sector, I believe that our future 
work force development should be a top priority as we reinforce 
and harden our critical infrastructure.
    So, to Mr. Krebs, one of my first and primary concerns is 
our Nation's cybersecurity work force and this shortage that 
exists. In fact, it is what I wrote my master's thesis on. 
Think tanks, publications that all track our cybersecurity work 
force have been discussing this issue for years, yet we have a 
major shortage that remains today.
    I would like to throw this idea out to you and get your 
input on establishing an academy of sorts, much like how we 
have our traditional service academies, like the Naval Academy, 
West Point, something like a U.S. Cyber Academy Corps, which 
would be dedicated and devoted to educating and training future 
cybersecurity professionals to defend our homeland and National 
security.
    I would like to personally see an emphasis on joint 
operability not just among services but across Federal 
agencies, and would open up doors for non-traditional students 
who may have accessibility or disability challenges that would 
prohibit them from entering a traditional service academy like 
West Point or the Naval Academy or the Air Force Academy.
    So do you see this being a feasible undertaking, something 
that is much needed, something that Congress should look to 
incorporate in future NDAA language? I would love to get your 
input on that.
    Then I have a follow-up question to the remaining 
panelists.
    So I will let you take it away.
    Mr. Krebs. Thank you. First off, I would like to read your 
thesis. It sounds like you have a lot of really good ideas that 
could be implemented.
    To your point of an academy, a cyber academy, I think that 
is certainly an option. But, ultimately, to your closing point, 
it takes all kinds.
    Congress has previously appropriated for CISA--I forget at 
this point the amount, but to set up a network of institutes 
and training academies and college and university programs that 
would range all the way from post-grad to 4-year colleges to 2-
year colleges to technical institutes, you know, trades. We 
have to make it more accessible to everyone to get technology-
based education to put them in a position to enter the work 
force.
    The last thing I will mention on this was, you know, I am a 
firm believer that we have the opportunity and the inherent 
advantages in the United States of America, because of our 
diversity, to bring the fight back to--the defensive fight, 
certainly--back to the adversary that tends to be monocultural 
and homogenous. I think that, based on our diversity of 
opinions, backgrounds, experiences, thought processes, that 
this gives us a distinct advantage.
    We have to harness that. We have to work through all sorts 
of different educational platforms to bring more people into 
the work force. So we would love to work with you and think 
more about this.
    Mrs. Cammack. Mr. Krebs, I know I am short on time. I did 
want to pose a question, if the Chairman would allow me, for 
the panelists, Mr. Daniel, Ms. Gordon.
    If you could maybe touch on the ``Tallinn Manual'' and----
    Chairman Thompson. One question. One question.
    Mrs. Cammack. I appreciate it. Thanks for giving a little 
bit of grace to a freshman. I appreciate that.
    I would like to get some input from our experts here on the 
``Tallinn Manual'' that has really kind-of been the guide 
internationally as we have looked to address and respond to 
cyber attacks, both from lone-wolf-type actors to state-on-
state attacks.
    Do you see the ``Tallinn Manual'' as something that has 
been effective? Do we need to really subscribe to some of the 
guidelines and framework that they have outlined particularly 
in the second edition?
    I will kick it to Ms. Gordon first.
    Ms. Gordon. I am sorry. I made it through the whole hearing 
without staying on mute.
    I don't think there is any one--I am with Chris. I think we 
ought to look at your thesis and see what we have.
    I think there is nothing perfect. I do think we are going 
to have to explore standards and standards beyond our borders. 
So I think it is a fine place to begin. I don't think it is a 
panacea. I think we always have to look at it to make sure it 
doesn't disproportionately limit our freedoms, but I think it 
is a fine place to begin.
    Mrs. Cammack. Thank you.
    Mr. Daniel. I would concur with Sue's point. I think the 
level of thought and the degree of, sort-of, analysis that went 
into creating the ``Tallinn Manual'' is really an excellent 
foundation in the international space.
    You know, clearly, just given the amount of fussing that 
the Russians and the Chinese do about the ``Tallinn Manual,'' 
anything that they dislike that much says that I probably ought 
to really like it. So I will also use that as a benchmark as 
well.
    Mrs. Cammack. Excellent. Thank you.
    Thank you, Mr. Chairman.
    Mr. Katko. Mr. Chairman, just a point of privilege just for 
one moment?
    Chairman Thompson. The Ranking Member is recognized.
    Mr. Katko. Thank you.
    I have a hard stop at 5 that I cannot get out of, and I 
just wanted to thank you for having this hearing and bringing 
such a critical issue to light.
    I want to commend all of the witnesses, and I want to 
commend all of my fellow members. Excellent questions, 
excellent preparation. I am proud to be a part of this, and I 
know we are going to have a lot more hearings on cybersecurity 
going forward. But I appreciate your leadership, Mr. Chairman.
    I yield back. Thank you.
    Chairman Thompson. Thank you.
    The Chair recognizes the patient gentlelady from Virginia 
for 5 minutes, Mrs. Luria.
    Mrs. Luria. Thank you, Mr. Chair.
    Thank you again to all the witnesses who have joined us 
today for this very informative discussion.
    You know, I wanted to just bring up a couple incidents that 
have happened recently in my district here in southeastern 
Virginia.
    In November 2020, malware infected the Hampton Roads 
Sanitation District, and that led to delays in billing. This 
was basically caught and stopped before, you know, it spread 
throughout their whole network, and the damage could have been 
much worse. The perpetrator has not been identified.
    But, you know, I think that these instances of attacks on, 
you know, local or regional utilities are perhaps more common 
than we recognize.
    So I wanted to know, you know, from the Federal level, what 
level of coordination, of establishing of trends, identifying 
these vulnerabilities, and, you know, how we can help, you 
know, across the board from them being replicated, you know, 
kind-of just that coordination effort between Federal or State 
and local governments relative to these public utilities. Like, 
what more should we do?
    I know Mr. Krebs brought up, you know, this coordination 
between different levels of government. If you could comment on 
that, from the Federal level, what other resources could help 
these local utilities?
    Mr. Krebs. Yes, ma'am.
    So, to your point of vulnerability disclosure, 
vulnerability discovery, CISA sits at a point where they manage 
the National Vulnerability Database, or at least they support 
it for NIST. That is a process by which I think 13,000 or so 
vulnerabilities were disclosed and managed by CISA last year.
    So CISA certainly sits in a trend analysis position. I 
think what CISA needs to do more of is that over-the-top 
analysis of where things are going, where is the most effective 
investment of that last dollar.
    This is a conversation that Dmitri and I have had several 
times, of the value of investing in patching and the value of 
investing in hunting. There is a balance you have to strike. 
You don't want to over-rotate one way, or you are going to 
throw the entire approach out of balance.
    But I think we have to do more trend analysis on, you know, 
for instance, the top 5 areas that you can make the most 
meaningful vulnerability management investment in your 
operational technology. That is something I have talked with a 
number of different OT security companies about.
    So where I am really going with this is, we need more 
insight. We can do the technical coordination piece, but we 
need more insight. That requires people, and it requires 
communication, and it requires engagement with the community. 
At that point, leadership will understand. If you give them the 
resources to smartly invest, then you will actually see, at the 
endpoint, improved security behaviors.
    Mrs. Luria. Well, thank you. I would love to continue this 
conversation separately about, you know, how we are allocating 
resources and what resources have been allocated; you know, can 
they meet that improved goal of analyzing the data writ large.
    Another thing that came up in my district--and I am sure 
any Member of Congress who, you know, would speak on these 
issues would have examples from at home--is that we had a 
ransomware attack at one of our local universities, at Virginia 
Wesleyan University in my district. They were affected by a 
ransomware attack in 2019.
    So I was wondering, for, you know, the institutions of 
higher learning--this is, you know, a private higher 
educational institution--are there any resources from the 
Federal Government or could we do more to protect them?
    Then, also, to follow on to that, are there requirements 
for reporting of these types of attacks by institutions of 
higher learning and specifically private institutions of higher 
learning?
    Either Mr. Krebs or maybe Mr. Daniel could respond to this 
one.
    Mr. Krebs. So I mentioned earlier the CISA ransomware 
awareness campaign. Institutes of higher learning, K-12 
education are actually in the top 3 of ransomware attacks, 
along with public health as well as Government agencies. So we 
have to do more, but, again, you know, some of these 
institutions just don't have the resources to secure. So we 
have to push more resources out there to them.
    CISA, as I understand it, is working now with the 
Department of Education to have a more targeted approach to K-
12 and college and post-grad.
    I will defer to Mr. Daniel on anything else he wants to add 
there.
    Mr. Daniel. Well, thanks.
    It is a good question, Representative. I think there are 
no general reporting requirements for most private institutions 
with respect to [inaudible] ransomware.
    Now, there are resources available from various places, in 
terms of expertise to--you know, how you want to make that 
decision about whether or not to pay and then how to remediate 
your systems. But it is often very difficult to access, and it 
is not typically in one centralized location.
    I think one of the efforts that is on-going--Chris made a 
reference to the ransomware task force that has been put 
together. That is one of the issues that very much that task 
force is looking at, is how to make those resources more easily 
accessible to, you know, things like private universities and 
others that don't have the resources to call in, you know, an 
incident responder in the same way that, you know, a big 
private-sector company might.
    Mrs. Luria. Well, thank you for that.
    I am sorry, I think my time has expired.
    I yield back, Mr. Chairman.
    Chairman Thompson. Thank you very much.
    The gentlelady's time has expired.
    The Chair recognizes the gentleman from Mississippi, Mr. 
Guest, for 5 minutes.
    Mr. Guest. Thank you, Mr. Chairman.
    Since the creation of the internet, we have been battling 
cyber attacks. New cyber attacks, as we know, have been 
highlighted by the recent actions involving SolarWinds. We have 
discussed that in great detail.
    You mentioned that particularly, Mr. Daniel, in your 
report. On page 9 of your written testimony, you say, ``In 
December, several private-sector companies identified malicious 
activity that enabled the Federal Government to unravel an 
incredibly broad cyber-enabled espionage campaign. This 
intrusion effectively gave the Russian Government unfettered 
access to numerous unclassified U.S. Government networks for 
over 9 months. It is difficult to overstate the intelligence 
value the Russians gained from this access or the likely damage 
to our National security.''
    So my question--and I will start with you, Mr. Daniel--is, 
what should the response be?
    I see that you come down in the following paragraph and you 
say, ``We should respond forcibly to this intrusion through 
diplomatic channels, such as by expelling Russian diplomats or 
exacting a cost in other venues.''
    I want to see if you can expand on that answer, 
particularly what you are talking about when you say ``exacting 
a cost in other venues.''
    Mr. Daniel. Sure. Thank you, Representative. So I think 
that, you know, this actually--this kind of intrusion poses an 
interesting problem for the U.S. Government in responding, and 
we absolutely should respond.
    But, so far, all of the information that is available about 
this intrusion indicates that it is espionage, and espionage is 
something that the United States carries out itself against our 
foreign adversaries. So that has to shape and constrain how we 
think about our response.
    Now, during the Cold War, we very much had, you know, an 
understanding with the Russians that, occasionally, espionage 
operations went beyond the bounds and they got too big and they 
got out of hand. So when that happened, there was a response, 
and that often involved expelling diplomats, for example, sort-
of the typical term for that is PNG-ing, persona non grata, you 
know, so you remove those diplomats and suspected Russian 
agents from the country.
    But what I mean by the other options are, there are things 
that the Russians want in the United Nations and in other 
diplomatic areas. We can slow that down. We can use our 
influence with our--you know, both ourselves and with our 
allies to cause them problems in the diplomatic realm. There 
are things that the Russians want that we can say no to or that 
we can slow-roll for a while to make it clear our displeasure 
at the scope and scale of this operation.
    So while I think that the options for retaliation for us 
have to be constrained by the fact that we also carry out 
espionage, that does not mean we have to simply, you know, 
accept this behavior sort-of meekly and not express our 
concerns with it.
    Mr. Guest. Let me change gears with the panel just very 
quickly. What efforts are being made to leverage technical 
expertise that exists in many of our universities across the 
country?
    Both myself and Chairman Thompson have universities, major 
universities, here in Mississippi that are both doing great 
work in the area of cyber research. So my question to the 
entire panel is, how can we incorporate this work being done at 
our academic institutions into our National strategy to combat 
cyber attacks?
    Ms. Gordon. I will start and be brief and so we can see the 
whole perspective. No. 1, I think in many instances, the 
Government does and has relied on the work going in our 
academic universities, particularly in the research that is 
going to allow us to be prepared in the future.
    But what we really need is what you all are talking about 
here. We need some sort of quest, some problem that is clear, 
to unleash and put Government money behind it, to really drive 
people both to those programs and those programs to drive the 
solutions that we need.
    So I think we already do tactically. I think we have used 
it historically, but I think you all are on the threshold of 
being able to set a flag in the ground and say we have got to 
go there, and universities are a great place to be driving that 
forward.
    Mr. Guest. Any other Members care to comment on the use of 
the universities to incorporate them into our National 
strategy?
    Mr. Krebs. I will simply add that student--current students 
and recent graduates are going to be key to building out any 
program. I know at CISA, we use the Scholarship for Service I 
already mentioned. We had a number, you know, I think 2 dozen 
interns, paid interns in place that were able to help. In fact, 
a number of interns were actually on our Election Security 
Initiative. So, you know, this is a great way to help boost the 
work force now and in the future.
    Mr. Guest. To all our witnesses today, I want to thank you.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much.
    I would like to recognize the vice chair of the Homeland 
Security Committee, Mr. Torres of New York, for 5 minutes.
    Mr. Torres. I thank you, Mr. Chair.
    I read recently in The New York Times that a man by the 
name of David Evenden, a former hacker for the National 
Security Agency, essentially went on to become a cyber 
mercenary, for CyberPoint, an American contractor that had 
business with the United Arab Emirates and has an office in 
Dubai, where Mr. Evenden was stationed.
    According to this report, on behalf of his client, the 
United Arab Emirates, Mr. Evenden was tasked with hacking into 
Qatar, and in the process of doing so, he eventually 
eavesdropped on the private communications between the 
Government of Qatar and the then First Lady, Michelle Obama.
    So when I read this anecdote, I was horrified, and I asked 
myself, how could an American contractor and how could a hacker 
from our National Security Agency be allowed to eavesdrop on 
the private communications of the First Lady and be allowed to 
engage in cyber operations against either the United States or 
an ally of the United States like Qatar?
    So 2 questions: How can this be allowed to happen, and how 
do we ensure that this never happens again? This question can 
either go to Mr. Daniel or Ms. Gordon.
    Ms. Gordon. Mike, I will take it to start.
    It is a horrifying scenario. It is a slippery slope. People 
with expertise developed at Government, in Government 
institutions, will leave periodically, and we don't want their 
knowledge to not be used. So, you know, prohibiting them from 
doing anything or from advancing the state-of-the-art is not 
something that would be in our interest.
    But I also believe that when you engage in something that 
would be antithetical to the laws of this country, to the 
standard that you had lived under before, you are still bound 
to that, and you are smart enough to know what you are engaged 
in.
    We have lots of sorts of nondisclosure protection of 
Classified information, ethical restrictions. I think it is 
worth considering applying those, but we will have to be very 
mindful, because that expertise is also the expertise that 
keeps the United States ahead in being a global leader.
    Mike.
    Mr. Torres. Well, to be clear, I am not proposing to 
prohibit the use of the expertise. I am proposing prohibiting 
cyber mercenaries from engaging in cyber operations against 
their own country or against an ally of the United States. That 
is a----
    Ms. Gordon. Yes, you and I see it the same way. I am just 
saying that as we figure out how to prohibit that, we are going 
to have to be really mindful of the other side.
    Mr. Torres. In the interest of time, I want to move on to 
SolarWinds. You know, well before the breach of the U.S. 
Government, there were early warning signs that SolarWinds was 
complacent about its own cybersecurity.
    According to Reuters in 2017, Mark Arena, the chief 
executive of a cyber crime intelligence firm, informed the U.S. 
Government that there was an FBI-wanted cyber criminal offering 
to sell access to SolarWinds' computers on underground forums.
    In 2019, Vinoth Kumar, a security expert, warned SolarWinds 
that anyone could access the company's update server with the 
password SolarWinds123. Even though SolarWinds broadly serves 
both the U.S. Government and corporate America, SolarWinds did 
not even have a chief information security officer.
    I am curious to know, why would the Government, the Federal 
Government, do business with a vendor that was so glaringly 
complacent about its own cybersecurity? The sloppiness of one 
supply chain vendor like SolarWinds can create systemic risk 
for the rest of us.
    So the question is: Do we have a process in place for 
ensuring that the supply chain vendors with which we do 
business have sufficient cybersecurity protection? This 
question, Mr. Krebs.
    Mr. Krebs. So I think I will pick up where Dmitri opened up 
in his opening remarks about some of the measures we need to 
put in place with Federal Government contracting. I have 
already talked about adding CISA as a--with some degree of 
privity of contract, or at least information sharing based on 
individual contracts. But we also have to know where the 
systemically important software is in the Federal Government, 
what has elevated privileges, you know, what sort of data is 
being touched in the cloud environment, you know, who is 
touching source code, what are the controls in place. Dmitri 
has a range of recommendations that I think are important.
    They are just not there yet. So we need to update the 
Federal acquisition regulation and we need to get deeper into 
contracts. I think in part what the Department of Defense has 
done with the CMMC program is a good start.
    Mr. Torres. Mr. Chair, how much time do I have left? I 
don't actually see the timer.
    Chairman Thompson. Well, Mr. Chair, I will be gracious to 
you. Take as much time as you need.
    Mr. Torres. OK. I will end on this note. I have a question 
about cyber strategy. You know, suppose the United States, our 
cybersecurity apparatus finds a vulnerability, it seems to me 
we have 2 options. We can either correct the vulnerability and 
thereby strengthen our cyber defensive capabilities or we can 
exploit the vulnerability and thereby strengthen our cyber 
offensive capabilities.
    It seems to me historically the United States has chosen to 
prioritize playing defense rather than playing offense, has 
chosen to exploit vulnerabilities rather than correct them.
    In light of the SolarWinds breach, did we as a country make 
a strategic miscalculation in prioritizing cyber offense at the 
expense of cyber defense? That will be my last question, and I 
will direct that toward Ms. Gordon.
    Ms. Gordon. Boy, it has been a continuum, and I think we 
have moved in the direction that you so clearly articulated, 
that on the early days, we were looking for advantage in terms 
of offense.
    In the days we have seen since, we recognize that advantage 
is the ability to withstand the kinds of attacks we see. So I 
think it is always a choice, but I think that the pendulum has 
swung more in the direction that you articulate, and SolarWinds 
certainly hammered that home in terms of how to achieve it. 
Thank you.
    Mr. Torres. Thank you so much, Mr. Chair. I appreciate your 
courtesy extended toward me.
    Chairman Thompson. Thank you very much.
    The Chair recognizes the other gentleman from New York, Mr. 
Garbarino.
    Mr. Garbarino. Garbarino, Mr. Chairman.
    Chairman Thompson. All right.
    Mr. Garbarino. Garbarino.
    Chairman Thompson. Thank you.
    Mr. Garbarino. Thank you very much, Mr. Chairman, Ranking 
Member Katko, for putting this hearing together, as well as for 
the witnesses for their testimony.
    As Ranking Member for the Subcommittee of Cybersecurity, 
Infrastructure Protection, and Innovation, I am looking forward 
to working with Chairwoman Clarke to implement some of the 
recommendations that we heard today.
    I have just, like, 1 or 2 questions. You know, we heard 
about SolarWinds and how it was the largest cyber attack on the 
country up to date. It exposed that we were unprepared, that we 
were underresourced to deal with the attack.
    President Biden has recommended a multibillion-dollar 
infusion for Federal IT modernization and cybersecurity to 
respond to the SolarWinds breach.
    I will start with Mr. Krebs, and maybe if somebody else 
wants to jump in and answer as well. Mr. Krebs, what is your 
opinion of CISA's Continuous Diagnostics and Mitigation 
Program? What do we ultimately want it to do? Is it a lot more 
funding, or is it, you know, better to force aggregate 
visibility from CDM deployment or a combination of both?
    Mr. Krebs. So I think we need to invest more in CDM. I 
think we need to invest more aggressively, and we need to get 
more organizations onboarded through the various levels of the 
program.
    Ultimately, CDM is about knowing what is on the network, 
who is on the network, and what data is transiting the network. 
We are still, based on some of the investments to date, taking 
too slow of an approach, and we need to accelerate that 
investment. We need to add additional investment for the 
proactive hunt capabilities, and that is what is going to, as 
Dmitri mentioned, give us the ability to take that assumption 
of breach mentality.
    But as I see it, CDM is going to be the future of the 
program.
    Mr. Garbarino. OK.
    Mr. Krebs. Of Federal cybersecurity.
    Mr. Garbarino. Any other witnesses want to touch on that? 
Or I am going to move on.
    Mr. Alperovitch. Yes, Congressman. I would just like to 
echo what Chris has said, but the assumption of breach 
mentality, I think, is most steep. We need to stop pretending 
that we can stop adversaries from getting to our networks. They 
will always be able to get in, sometimes through insiders, 
sometimes through spies that they will be able to insert into 
our Government.
    But we need to assume that they are there, we need to hunt 
for them actively, 24/7, on all of our networks, and kick them 
out as quickly as possible. That is the winning strategy. I 
have seen it work in the private sector. I believe it 
absolutely can work in the Government.
    Mr. Krebs. This is--if I can just add one little coda on 
top of that. I have been asked the question a couple times, you 
know, when are we going to know if the Russians are finally out 
of the network. You should have always assumed they were there 
the whole time. That is not the mentality that you want to 
take. It is continuous hunting. Assume that they are there.
    Mr. Daniel. Yes. I will just add on top of that, I think 
the proposals also need to retire a vast amount of the 
technological debt that the Federal Government has incurred, 
that there are systems out there that we can't even get 
continuous diagnostics monitoring on because they are so old. 
So we need to retire those--we need to retire those systems and 
modernize much of the Federal Government's IT.
    Mr. Garbarino. That was actually my follow-up question, Mr. 
Daniel, about whether or not everybody should be required to 
update, every Federal agency. So I imagine everybody here feels 
the same way.
    Mr. Krebs. So I would--one of the things I think a missed 
opportunity we had, both through earlier steps of CARES Act but 
also the more recent COVID-related package of that $10 billion, 
that $9 billion for Federal agencies to upgrade and modernize 
their systems is absolutely critical. It is really, really 
tough right now to secure, as Michael pointed out.
    We have to upgrade these systems. So whatever the next 
opportunity is, whether it is some Capitol Police-related 
legislative package, I really encourage Congress to think hard 
about what additional funding is required to secure the 
Executive branch.
    Mr. Garbarino. Mr. Chairman, I have to run to another 
hearing. I did have another question, but I do have to go to 
another hearing, so I yield back. I definitely thank the 
Chairman and the witnesses for their testimony today.
    Chairman Thompson. Thank you very much.
    Let me also thank the witnesses for their testimony. The 
accolades you have already received from my coworkers on the 
committee speak volumes for their appreciation for your 
response to their questions.
    The Members of the committee may have additional 
questions----
    Ms. Jackson Lee. Mr. Chairman? Mr. Chairman, if I might be 
yielded to for just a moment? This is Sheila Jackson Lee.
    Chairman Thompson. The lady from Texas is recognized.
    Ms. Jackson Lee. Thank you very much, Mr. Chairman.
    What an enriching and very powerful discussion. One of the 
agencies that has been on the forefront of cybersecurity is 
obviously our Defense Department--and when I say on the 
forefront, they have an infrastructure dealing with this.
    I think what we have gleaned from this meeting, that there 
needs to be a coming together on the domestic security and the 
vulnerabilities that we experience. I think this committee 
hearing, Mr. Chairman, has been singular in highlighting those 
issues.
    I join with my colleagues--I have heard a number of ideas--
I join with my colleagues that we should be on the offensive 
and not the defensive. I have just heard Director Krebs talk 
about shoring up the Executive. So I am hoping that our 
leadership will recognize that we probably, as swiftly as you 
are, Mr. Chairman, by having this hearing, that we need to move 
swiftly.
    I will conclude by saying, even before SolarWinds, we wrote 
legislation dealing with a zero-day event, which now sets 
enormous panic for me, because it is more than a viable 
possibility, and that is when all of our systems are at a level 
of--a diminishing level.
    So I hope that what we have gotten out of this hearing is a 
sense of urgency and the ability to work with you, Mr. 
Chairman, and all the Chairs on the number of committees. I am 
glad to be on one of the subcommittees to really say to the 
administration and say to the Nation that cybersecurity has to 
be, from the domestic security perspective, a heightened and 
enlightened defense effort, if you will. I can see that we can 
do it in this committee.
    So thank you very much. I just wanted to thank you for the 
hearing and thank the witnesses for the hearing as well. I have 
been through this a lot, and to hear your representation gives 
us a great road map for us to proceed on. So thank you each and 
every one of you.
    Chairman Thompson. Thank you very much.
    The Members of the committee may have additional questions 
for the witnesses and we ask you respond expeditiously in 
writing to those questions.
    Without objection, the committee's record shall be kept 
open for 10 days.
    Hearing no further business, the committee stands 
adjourned.
    [Whereupon, at 5:22 p.m., the committee was adjourned.]



                            A P P E N D I X

                              ----------                              

  Questions From Honorable Michael T. McCaul for Christopher C. Krebs
    Question 1. What role do State and local government IT 
infrastructures play in ensuring the security of our Nation? What 
specific steps can State/local entities take to improve their IT 
infrastructure, what resources can we provide them, and can you speak 
to the increased funding that you proposed in your testimony?
    Answer. Response was not received at the time of publication.
    Question 2. Are there any gaps where you think the Legislative 
branch might step in to protect the United States against cybersecurity 
threats, including misinformation? Moving forward, how can Congress 
help CISA in their efforts?
    Answer. Response was not received at the time of publication.
    Question 3. What are some common misconceptions about the security 
of our elections? What can we do to promote transparency regarding the 
administration of our elections?
    Answer. Response was not received at the time of publication.
     Question From Honorable Jake LaTurner for Christopher C. Krebs
    Question. With the perpetrators of the SolarWinds hack likely still 
lurking in our systems, monitoring unencrypted communications, 
gathering valuable information on how we respond, would you agree the 
Federal Government needs to prioritize operational security by 
leveraging secure communications as a critical first line of defense?
    Answer. Response was not received at the time of publication.
       Question From Honorable Jake LaTurner for Susan M. Gordon
    Question. With the perpetrators of the SolarWinds hack likely still 
lurking in our systems, monitoring unencrypted communications, 
gathering valuable information on how we respond, would you agree the 
Federal Government needs to prioritize operational security by 
leveraging secure communications as a critical first line of defense?
    Answer. Response was not received at the time of publication.
        Question From Honorable Jake LaTurner for Michael Daniel
    Question. Now that there are unified communications capabilities 
available in establishing strong, resilient crisis response plans to 
prevent and mitigate future intrusions, what role does end-to-end 
encryption play and should the Government place priority on 
communications that allow for global federation so that Government 
agencies are able to communicate securely with external parties?
    Answer. Secure communications are critical to almost all Government 
activities, including policy development, service provision, 
cybersecurity, and crisis response, and these activities must involve 
interactions between the Government and the private sector to be 
effective. Given the capabilities of our adversaries, making 
communications secure requires strong end-to-end encryption, but such 
encryption also poses a challenge to law enforcement in preventing or 
disrupting crimes. As a result, the encryption debate is a security-
versus-security debate. There is no single ``right'' answer to this 
debate.
    Societies must decide how much security of the first kind they are 
willing to trade for the second and vice-versa.