[House Hearing, 117 Congress] [From the U.S. Government Publishing Office] HOMELAND CYBERSECURITY: ASSESSING CYBER THREATS AND BUILDING RESILIENCE ======================================================================= HEARING before the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED SEVENTEENTH CONGRESS FIRST SESSION __________ FEBRUARY 10, 2021 __________ Serial No. 117-2 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.govinfo.gov __________ U.S. GOVERNMENT PUBLISHING OFFICE 44-379 PDF WASHINGTON : 2021 COMMITTEE ON HOMELAND SECURITY Bennie G. Thompson, Mississippi, Chairman Sheila Jackson Lee, Texas John Katko, New York James R. Langevin, Rhode Island Michael T. McCaul, Texas Donald M. Payne, Jr., New Jersey Clay Higgins, Louisiana J. Luis Correa, California Michael Guest, Mississippi Elissa Slotkin, Michigan Dan Bishop, North Carolina Emanuel Cleaver, Missouri Jefferson Van Drew, New Jersey Al Green, Texas Ralph Norman, South Carolina Yvette D. Clarke, New York Mariannette Miller-Meeks, Iowa Eric Swalwell, California Diana Harshbarger, Tennessee Dina Titus, Nevada Andrew S. Clyde, Georgia Bonnie Watson Coleman, New Jersey Carlos A. Gimenez, Florida Kathleen M. Rice, New York Jake LaTurner, Kansas Val Butler Demings, Florida Peter Meijer, Michigan Nanette Diaz Barragan, California Kat Cammack, Florida Josh Gottheimer, New Jersey August Pfluger, Texas Elaine G. Luria, Virginia Andrew R. Garbarino, New York Tom Malinowski, New Jersey Ritchie Torres, New York Hope Goins, Staff Director Daniel Kroese, Minority Staff Director Natalie Nixon, Clerk C O N T E N T S ---------- Page Statements The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security: Oral Statement................................................. 1 Prepared Statement............................................. 3 The Honorable John Katko, a Representative in Congress From the State of New York, and Ranking Member, Committee on Homeland Security: Oral Statement................................................. 3 Prepared Statement............................................. 5 The Honorable Andrew R. Garbarino, a Representative in Congress From the State of New York: Prepared Statement............................................. 7 Witnesses Mr. Christopher C. Krebs, Former Director of the Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security: Oral Statement................................................. 8 Prepared Statement............................................. 10 Ms. Susan M. Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence: Oral Statement................................................. 18 Prepared Statement............................................. 20 Mr. Michael Daniel, President and CEO, Cyber Threat Alliance: Oral Statement................................................. 21 Prepared Statement............................................. 23 Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator: Oral Statement................................................. 29 Prepared Statement............................................. 31 Appendix Questions From Honorable Michael T. McCaul for Christopher C. Krebs.......................................................... 85 Question From Honorable Jake LaTurner for Christopher C. Krebs... 85 Question From Honorable Jake LaTurner for Susan M. Gordon........ 85 Question From Honorable Jake LaTurner for Michael Daniel......... 85 HOMELAND CYBERSECURITY: ASSESSING CYBER THREATS AND BUILDING RESILIENCE ---------- Wednesday, February 10, 2021 U.S. House of Representatives, Committee on Homeland Security, Washington, DC. The committee met, pursuant to notice, at 2:07 p.m., via Webex, Hon. Bennie G. Thompson (Chairman of the committee) presiding. Present: Representatives Thompson, Jackson Lee, Langevin, Payne, Correa, Slotkin, Cleaver, Green, Clarke, Titus, Watson Coleman, Rice, Demings, Barragan, Gottheimer, Luria, Malinowski, Torres, Katko, Higgins, Guest, Bishop, Van Drew, Miller-Meeks, Clyde, LaTurner, Meijer, Cammack, Pfluger, Garbarino. Chairman Thompson. The Committee on Homeland Security will come to order. The committee is meeting today to receive testimony on ``Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience.'' Without objection, the Chair is authorized to declare the committee in recess at any point. The gentlelady from New York, Ms. Clarke, shall assume the duties of the Chair in the event that I run into technical difficulty. Good afternoon. We are here today to begin what I hope will be a bipartisan endeavor in the 117th Congress, making cyber space more secure and networks more resilient. During the Trump administration, Federal efforts to raise the National cybersecurity posture were stunted by a lack of steady, constant leadership from the White House. In contrast, from Day 1, President Biden has treated cybersecurity as an urgent National and economic security issue. The President has started by surrounding himself with experts to spearhead sound cybersecurity policy. He has already confronted Vladimir Putin about Russian election meddling and the SolarWinds compromise and has publicly committed to an aggressive stance on China. Further, to bolster cybersecurity of Federal networks, the President included much-needed funding for cybersecurity and technology modernization in the American Rescue Plan proposal. Thankfully, Congress now has a willing and able cybersecurity partner in the White House, and I am optimistic about the progress we can make. We must work quickly to make up for lost time. Our witnesses today are a seasoned group of cyber experts, many of whom recently served in Government and made important contributions to our National cyber space posture. They are here to tell us about the challenges we face and how to chart a course toward cyber defense, deterrence, and resiliency. In the not-too-distant past, when our witnesses were serving in Government, most of us had never heard of SolarWinds, but now it dominates cybersecurity conversation. Late last year, we learned that Russian actors breached targeted Federal networks and critical infrastructure, in part through a sophisticated supply chain compromise of the SolarWinds Orion platform. For almost a year, Russian actors burrowed into networks, hiding their tracks and patiently stealing data. Although we are engaged in an in-depth investigation with other key House committees to learn more about this malicious Russian campaign, we know enough to begin asking difficult questions and start correcting course. For instance, we know that it will take months to fully understand the scope and impact of the compromise and eradicate bad actors from our network. We also know that, despite prior significant investment in Federal network security and active defense, the Russian campaign evaded detection. The task before us is to zero in on how we can mature our defenses to match the capabilities of our adversaries. The Russian SolarWinds campaign threatens our Nation and cannot be tolerated. It is evident that prior responses to cyber attack, such as naming and shaming, sanctions and indictments, have not deterred bad actors from engaging in malicious cyber behavior that threatens our National security. I am interested in hearing from our witnesses how we can deter this behavior or raise the cost of it. We must also be mindful that not every cyber attack is a sophisticated one carried out by a well-resourced nation-state actor. Cyber criminals ranging in sophistication continues to wreak havoc on State and local governments and private-sector critical infrastructure with less mature cybersecurity capabilities. Just this week, for example, a hacker breached a water treatment facility in Florida and attempted to poison the water supply. This follows a year when cyber criminals hacked schools, hospitals, and workplaces transitioning to remote work. According to McAfee, cyber crime cost the global economy $1 trillion in 2020. The Federal Government must work to raise the baseline cybersecurity posture across Government entities and the private sector to reduce avoidable, opportunistic attacks. This will free up talent and resources to focus on more sophisticated problems. We must also do as President Biden has done and treat cybersecurity as a central National security priority and not a boutique add-on. To be sure, today is just the first of several hearings this committee will hold on the cybersecurity threats facing the Nation and how the Government and private sector should work together to address them. I would like to thank our witnesses for their testimony and look forward to continuing the committee's work on this critical issue. [The statement of Chairman Thompson follows:] Statement of Chairman Bennie G. Thompson February 10, 2021 We are here today to begin what I hope will be a bipartisan endeavor in the 117th Congress--making cyber space more secure and networks more resilient. During the Trump administration, Federal efforts to raise the National cybersecurity posture were stunted by a lack of steady, consistent leadership from the White House. In contrast, from Day 1, President Biden has treated cybersecurity as an urgent National and economic security issue. The President has started by surrounding himself with experts to spearhead sound cybersecurity policy. He has already confronted Vladimir Putin about Russian election meddling and the SolarWinds compromise and has publicly committed to an aggressive stance on China. Further, to bolster the cybersecurity of Federal networks, the President included much-needed funding for cybersecurity and technology modernization in the American Rescue Plan proposal. Thankfully, Congress now has a willing and able cybersecurity partner in the White House, and I am optimistic about the progress we can make. We must work quickly to make up for lost time. Our witnesses today are a seasoned group of cybersecurity experts, many of whom recently served in Government and made important contributions to our National cybersecurity posture. They are here to tell us about the challenges we face and how to chart a course toward cyber defense, deterrence, and resiliency. In the not-too-distant past, when our witnesses were serving in Government--most of us had never heard of SolarWinds, but now it dominates cybersecurity conversations. Late last year, we learned that Russian actors breached targeted Federal networks and critical infrastructure, in part through sophisticated supply chain compromise of the SolarWinds Orion platform. For almost a year, Russian actors burrowed into networks, hiding their tracks and patiently stealing data. Although we are engaged in an in-depth investigation with other key House Committees to learn more about this malicious Russian campaign, we know enough to begin asking difficult questions and start correcting course. For instance, we know that it will take months to fully understand the scope and impact of the compromise and eradicate bad actors from our networks. We also know that despite prior significant investments in Federal network security and active defense, the Russian campaign evaded detection. The task before us is to zero in on how can we mature our defenses to match the capabilities of our adversaries. The Russian SolarWinds campaign threatens our Nation and cannot be tolerated. It is evident that prior responses to cyber attacks such as ``naming and shaming,'' sanctions, and indictments have not deterred bad actors from engaging in malicious cyber behavior that threatens our National security. I am interested in hearing from the witnesses how can we deter this behavior or raise the cost of it. We must also be mindful that not every cyber attack is a sophisticated one carried out by a well-resourced nation-state actor. Cyber criminals--ranging in sophistication--continue to wreak havoc on State and local governments and private-sector critical infrastructure with less mature cybersecurity capabilities. Just this week, for example, a hacker breached a water treatment facility in Florida and attempted to poison the water supply. This follows a year when cyber criminals hacked schools, hospitals, and workplaces transitioning to remote work. According to McAfee, cyber crime cost the global economy $1 trillion in 2020. The Federal Government must work to raise the baseline cybersecurity posture across Government entities and the private sector to reduce avoidable, opportunistic attacks. This will free up talent and resources to focus on more sophisticated problems. We must also do as President Biden has done and treat cybersecurity as a central National security priority and not a ``boutique add-on.'' To be sure, today is just the first of several hearings this committee will hold on the cybersecurity threats facing the Nation and how the Government and private sector should work together to address them. Chairman Thompson. With that, I recognize the Ranking Member, the gentleman from New York, Mr. Katko, for an opening statement. Mr. Katko. Thank you, Mr. Chairman. I appreciate your comments. Thank everyone for being here today, including the witnesses. Thank you for holding this important hearing. As you know, cybersecurity remains an area of great bipartisan cooperation in Congress, and for that we should be thankful. Because of it, it is also the preeminent National and homeland security threat of our time. Every action we have heard about the importance of cybersecurity is more true than ever before. It underpins almost every aspect of our way of life. It impacts resilience of every single critical infrastructure sector, and it stands between our most sensitive data being secure or being exploited by our enemies. While general awareness of cyber threats is becoming commonplace, the cybersecurity resilience of our great Nation leaves undeniable room for improvement. We are still living in the wake of the SolarWinds campaign, one of the most devastating cyber-espionage campaigns in history, with our State and local governments, businesses, and constituents being affected by malicious cyber campaigns every single day. Think about it: The past year, while we were indicting our operatives of the Chinese Ministry of State Security for actively trying to compromise COVID vaccine research, Russian actors were simultaneously sitting in Federal and non-Federal networks, quietly executing what is arguably the most sophisticated cyber-espionage campaign in our Nation's history. Both of those state-backed campaigns that were taking place via a weekly and often daily drumbeat of ransomware campaigns crippled city, State, hospital, and school networks already heavily impacted by the pandemic. In my district alone, the Syracuse City School District and Onondaga County Library System both fell victim to ransomware attacks that shut down their systems and halted the critical services they provide. Just days ago, a hacker reportedly gained access to a water treatment facility in Oldsmar, Florida, and attempted to adjust the water chemical levels through cyber means to poison thousands of residents. These cyber threats clearly have real-world consequences, and we must do everything we can to help bring these malicious actors to justice. The bottom line is that we are still struggling against both the highly sophisticated and the routine. We can do better, and we must do better. There is, luckily, some reason for optimism. The creation of CISA as the Nation's lead civilian cybersecurity agency was necessary and long overdue. The agency's work to harden election systems from 2016 to 2020 was nothing short of heroic. Like everyone in this hearing, I extend my heartfelt gratitude to Chris Krebs and his team for his service and leadership. The Cyberspace Solarium Commission created a venue for activists to voice bold ideas and a mechanism for those ideas to become law. I am very proud to have helped usher multiple new authorities for CISA as part of the fiscal year 2021 NDAA, which will bolster its visibility across Federal networks, among other important authorities. CISA should be doubling down on its implementation of these provisions, most importantly the authority to conduct threat hunting on agencies' networks. But the work does not stop there, not by a long shot. It is easy to sit here and become numb to what often feels like a ``breach of the week'' in cyber space. Complicating this landscape further is that cybersecurity risk management, supply chain risk management, third-party trust and assurance, and critical infrastructure protection are now inexorably linked. They are layers on top of one another, impossible to disaggregate. The sheer volume of the data that our connected systems must secure in transit and at rest is increasing exponentially, a reality only accelerated by the deployment of the 5G networks Nation-wide. Meanwhile, our nation-state cyber adversaries, like China, have sophisticated, multi-decade agendas to compromise data and leverage it for malicious purposes aimed at eroding America's dominance. We have a distinguished panel of witnesses who have all spent considerable time in the trenches working valiantly to keep America safe from cyber threats, and I welcome their guidance on how we can strengthen our Nation's cybersecurity posture. I want this to be a hearing about opportunity for action, not just admiration of the problem. We have already ceded critical ground to our global adversaries, and there is simply no time to waste. I remain deeply concerned that the Federal roles and responsibilities for dot-gov security are too confederated, too clunky, and ultimately inadequate. Giving CISA Federal hunt authorities was an incremental step in the right direction, but CISA simply does not have the centralized visibility or authority to nimbly respond. I look forward to hearing ideas from our witnesses about how we can remedy this situation. On the heels of SolarWinds, and with enough not- insignificant potential the Russian actors may still have access to some of our networks, I call on all my colleagues to work together in a bipartisan manner quickly to find a legislative vehicle to give CISA the resources it needs to fully respond and protect us. Cybersecurity is a team sport that is ultimately about partnership. We are all in this together, so let's get to work. I yield back, Mr. Chairman. [The statement of Ranking Member Katko follows:] Statement of Ranking Member John Katko February 10, 2021 Thank you, Mr. Chairman. Thank you for holding this important hearing. As you know, cybersecurity remains an area of great bipartisan cooperation in Congress. For that, we should be thankful, because it is also the pre-eminent National and homeland security threat of our time. Every axiom we've heard about the importance of cybersecurity is more true than ever before. It underpins almost every aspect of our way of life, it impacts the resilience of every single Critical Infrastructure sector, and it stands between our most sensitive data being secure--or being exploited--by our enemies. While general awareness of cyber threats is becoming commonplace, the cybersecurity resilience of our great Nation leaves undeniable room for improvement. We're still living in the wake of the SolarWinds campaign--one of the most devasting cyber espionage campaigns in history, with our State and local governments, businesses, and constituents being affected by malicious cyber campaigns every single day. Think about it, this past year, while we were indicting operatives of the Chinese Ministry of State Security for actively trying to compromise COVID vaccine research, Russian actors were simultaneously sitting in Federal, and non-Federal networks, quietly executing what is arguably the most sophisticated cyber espionage campaign in history. Both of those State-backed campaigns were taking place while a weekly, and often daily, drumbeat of ransomware campaigns crippled city, State, hospital, and school networks already heavily impacted by the pandemic. In my district, the Syracuse City School District and Onondaga County library system both fell victim to ransomware attacks that shut down their systems and halted the critical services they provide. Just days ago, a hacker reportedly gained access to a water treatment facility in Oldsmar, Florida, and attempted to adjust the water chemical levels through cyber means to poison thousands of residents. These cyber threats clearly have real-world consequences, and we must do everything we can to bring these malicious actors to justice. The bottom line is that we are still struggling against both the highly sophisticated and the routine. We can do better. We must do better. There is, luckily, some reason for optimism. The creation of CISA as the Nation's lead civilian cybersecurity agency was necessary and long overdue. The agency's work to harden election systems from the 2016 to 2020 elections was nothing short of heroic. Like everyone in this room, I extend my heartfelt gratitude to Chris Krebs for his service and leadership. The Cyberspace Solarium Commission created a venue for experts to voice bold ideas, and a mechanism for those ideas to become law. I am proud to have helped usher multiple new authorities for CISA as a part of the fiscal year NDAA, which will bolster its visibility across Federal networks, among other important authorities. CISA should be doubling down on its implementation of these provisions, most importantly, the authority to conduct threat hunting on agencies' networks. But the work doesn't stop there. It's easy to sit here and become numb to what often feels like a ``breach of the week'' in cyber space. Complicating this landscape further is that cybersecurity risk management, supply chain risk management, third-party trust and assurance, and critical infrastructure protection are now inexorably linked. They are layers on top of one another, impossible to disaggregate. The sheer volume of the data that our connected systems must secure in transit and at rest is increasing exponentially--a reality only accelerated by the deployment of 5G networks. Meanwhile, our nation-state cyber adversaries, like China, have sophisticated, multi-decade agendas to compromise this data and leverage it for malicious purposes aimed at eroding America's dominance. We have a distinguished panel of witnesses who have all spent considerable time in the trenches working valiantly to keep America safe from cyber threats and I welcome their guidance on how we can strengthen our Nation's cybersecurity posture. I want this to be a hearing about opportunity for action, not just admiration of the problem. We have already ceded critical ground to our global cyber adversaries, and there is simply no time to waste. I remain deeply concerned that the Federal roles and responsibilities for .gov security are too confederated, too clunky, and ultimately inadequate. Giving CISA Federal hunt authorities was an incremental step in the right direction, but CISA simply does not have the centralized visibility or authority to nimbly respond. I look forward to hearing ideas from our witnesses about how we can remedy this situation. On the heels of SolarWinds, and with the not insignificant potential that Russian actors may still have access to some of our networks, I call on all my colleagues to work together, quickly, to find a legislative vehicle to give CISA the resources it needs to fully respond. Cybersecurity is a team sport that is ultimately about partnership. We're all in this together, so let's get to work. Chairman Thompson. Other Members of the committee are reminded that, under the committee rules, opening statements may be submitted for the record. [The statement of Honorable Garbarino follows:] Statement of Honorable Andrew R. Garbarino February 10, 2021 I am honored to have been selected by Ranking Member Katko to serve as the Ranking Member of the Cybersecurity, Infrastructure Protection, and Innovation (CIPI) Subcommittee. I believe that cyber attacks are the most pressing threat to our National security today. Nation-state actors are growing more sophisticated and increasingly infiltrating our networks and stealing National security secrets, personal data, and intellectual property. I am eager to get to work to defend our Nation's most critical infrastructure from foreign adversaries like Russia, China, Iran, and North Korea. As the lead Federal agency tasked with helping stakeholders understand and manage risk across all 16 critical infrastructure sectors, the Cybersecurity and Infrastructure Security Agency (CISA) plays a key role in ensuring every aspect of our society is resilient to cyber threats. As such, CISA must operate as a strong, centralized authority to ensure the cyber resilience of all the lifeline services that Americans so heavily rely on--including the Nation's electric grid, telecommunications systems, health care institutions, and water facilities. In fact, just today it was reported that a water utility in Florida was the victim of a cyber attack that put the clean water supply of 15,000 Americans in jeopardy.\1\ We must do better to ensure underfunded and under-resourced utilities in every critical infrastructure sector have the security protections in place to provide reliable services to Americans. --------------------------------------------------------------------------- \1\ Hack exposes vulnerability of cash-strapped U.S. water plants: https://apnews.com/article/water-utilities-florida-coronavirus- pandemic-utilities-882ad1f6e9f80c053ef5f88a23b840f4. --------------------------------------------------------------------------- As my constituents on Long Island and all Americans across the country continue to adapt to working and learning remotely as a result of the COVID-19 pandemic, I believe it is now more important than ever to work with agencies like CISA combat malicious cyber actors from targeting COVID-19 relief programs for our struggling small businesses, as well nation-state actors such as China targeting pharmaceutical institutions involved in vaccine development. We must keep Chinese- owned technology and telecommunications companies, like Huawei, out of our data, infrastructure, and networks across all critical infrastructure sectors. I will be tough on all companies influenced by the Chinese Communist Party, as well as any other nefarious nation- state actors. The recent SolarWinds cyber espionage campaign launched by a sophisticated nation-state actor, likely Russia, is one of the worst intrusions of U.S. Government and private-sector networks in our Nation's history. We will be dealing with the impacts of this campaign for years to come. We must move forward by centralizing Federal network authority under CISA, understanding the current risk landscape, and holding cyber adversaries accountable. I look forward to continuing to address these complex issues with Ranking Member Katko and the CIPI subcommittee in the months ahead. As we begin the 117th Congress, I strive to improve our Nation's cybersecurity posture at every level of government, including preventing ransomware attacks at the State and local level. Throughout 2020, ransomware attacks increased significantly and targeted many health care organizations and schools that were already overwhelmed by the COVID-19 pandemic. In fact, just a few months ago, both the Bay Shore and Lindenhurst school districts on Long Island were hit with cyber attacks.\2\ I am determined to work with hospitals, schools, and small businesses in New York's 2d district and across the country to improve their cybersecurity posture in the wake of increasing threats. --------------------------------------------------------------------------- \2\ Cyber attack disrupts operations in Bay Shore school district: https://www.newsday.com/long-island/education/bay-shore-schools-hack- 1.50010940. --------------------------------------------------------------------------- I am ready to get to work with the Nation's leading cybersecurity experts from both the public and private sectors and I look forward to engaging with all these stakeholders in my new role on the subcommittee. I look forward to combating this threat as one Nation and finding bipartisan and innovative ways to protect our communities moving forward. Chairman Thompson. Members are also reminded that the committee will operate according to the guidelines laid out by the Chairman and Ranking Member in our February 3 colloquy regarding remote proceedings. I welcome our witnesses. Mr. Chris Krebs, who is no stranger to this committee, served as the director of the Cybersecurity and Infrastructure Security Agency, commonly referred to as CISA, until November 2020. Since leaving Government, he has founded the Krebs Stamos Group, and he is now serving as Newmark senior cyber fellow at the Aspen Institute. SolarWinds is one of Mr. Krebs' clients; however, he is testifying today in his personal capacity as a former CISA director. Ms. Sue Gordon served as the principal deputy director of national intelligence at the Office of the Director of National Intelligence from August 2017 to August 2019. Ms. Gordon has served in the intelligence community for over 3 decades in a variety of leadership roles spanning numerous intelligence organizations and disciplines. Mr. Michael Daniel is the president and CEO of Cyber Threat Alliance. Prior to joining CTA in February 2017, Michael served from June 2012 to January 2017 as special assistant to President Obama and cybersecurity coordinator on the National Security Council staff. Mr. Dmitri Alperovitch is executive chairman of Silverado Policy Accelerator, a nonprofit focusing on advancing solutions to critical geopolitical and cybersecurity policy challenges. He is cofounder and former chief technology officer of the cybersecurity firm CrowdStrike, Incorporated. Without objection, the witnesses' full statements will be inserted in the record. I now ask Mr. Krebs to summarize his statement for 5 minutes. STATEMENT OF CHRISTOPHER C. KREBS, FORMER DIRECTOR OF THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Krebs. Chairman Thompson, Ranking Member Katko, Members of the committee, good afternoon, and thank you for inviting me to appear today. As the director of the Cybersecurity and Infrastructure Security Agency, or CISA, leading CISA, I had the pleasure to work with many of you as Members of the primary oversight committee, and I have testified, as you pointed out, many times in front of this committee. To the new Members of the committee, congratulations on being given the honor to represent your constituents in the 117th Congress. I look forward to helping as I might, and thank you for holding this timely hearing. The cyber threat landscape is more complicated than ever, with foreign governments and criminal gangs alike using capabilities that enable everything from run-of-the-mill cyber crime, information operations, intellectual property theft, destructive attacks, and operations with kinetic effects. The bulk of the malicious cyber activity targeting the United States emanates from 4 countries: Russia, China, Iran, and North Korea. Even in those countries, the difference between State action and criminal activity is increasingly blurred as contracted or proxy cyber actors support or act on behalf of State-directed operations. As long as the tools are available, vulnerabilities exist, money and secrets are to be had, and a lack of meaningful consequences persist, there will be malicious cyber actors. Complicating matters further, oftentimes we make it far too easy for the bad guys. When an organization is struggling to make payroll and keep systems on a generation of technology created in the last decade, even the basics of cybersecurity can be out of reach. Even then, the purpose of IT is to make things easier to manage. So it is almost counterintuitive that managing a system over the internet might be a bad thing. So we have a dilemma on our hands. But all is not lost. In my written testimony, I provide a series of recommendations that can put us on a collective path toward a more secure and resilient economy. Are we going to stop every attack? No. But we can take care of the most common risks and make the bad guys work that much harder and limit their success. To get there, we must make 3 strategic shifts. First, we need stronger cybersecurity leadership in industry and more centralized oversight in Government. This includes building on the authorities provided to CISA in the National Defense Authorization Act, including the administrative subpoena authority and continuous hunt over Federal civilian agencies. Second, we must allocate more and smarter investments into private-sector capabilities and increase support to all levels of Government. This includes accelerating investment into Federal IT modernization, boosting CISA's ability to execute, and providing grant programs for State and local governments like the post-9/11 antiterrorism programs. Third, industry and Government must come together collectively to democratize cybersecurity, better understand where our real risk lies, increase capacity, and work in a meaningful way beyond information sharing. This includes coming together to counter the scourge of ransomware. The parts are in place for our Nation to dramatically improve our cybersecurity defenses. As a society, we need to accept that every organization in the country, whether in the private sector or in Government, can be targeted by a cyber actor. The Government cannot stop all attacks, but there is much that the industry can do on their end. Companies have a responsibility to their customers, their stakeholders, and, depending on where they sit in the economy, a responsibility to the country. Meaningful progress will take time, and we may never see a finish line, but change for the better is possible. To get there, we need to employ the courage and resolve that has driven American innovation throughout our National history. Before I conclude, I would once again like to thank the committee for your steadfast support of CISA in its cybersecurity mission. You deserve great credit for the agency's progress in the last few years. I firmly believe that we are on the right track and can accomplish much more together. Thank you again for the opportunity to testify today, and I look forward to your questions. [The prepared statement of Mr. Krebs follows:] Prepared Statement of Christopher C. Krebs February 10, 2021 introduction Chairman Thompson, Ranking Member Katko, Members of the committee, my name is Chris Krebs, and it is my pleasure to appear before you today to discuss ``Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience.'' As you know, I previously served as the first director of the Cybersecurity and Infrastructure Security Agency (CISA), leading CISA and its predecessor organization, the National Protection and Programs Directorate, from August 2017 until November 2020. Over the last several years, I have had the pleasure of working with many of you as Members of the primary oversight committee for CISA and have testified in front of this committee many times. To the new Members of the committee, congratulations on being given the honor to represent your constituents in the 117th Congress. I look forward to working with you. It is an honor to appear before this committee to testify about the current cybersecurity threat landscape and how it intersects with American businesses and Government agencies. Given my recent experience as CISA director, and now as founding partner of the Krebs Stamos Group, a cybersecurity risk management consultancy, as well as the Newmark senior cyber fellow at the Aspen Institute, I am continuing my efforts to improve the Nation's cybersecurity and resilience. My time at CISA most acutely helped shape my view of the effectiveness of our current approach and its shortcomings, particularly with a focus on critical infrastructure. Operating from an assumption that our adversaries are technically capable, both opportunistic and highly targeted, yet bound by the laws of physics and the realities of the Gregorian calendar, I firmly believe that we can make progress in defending our cybersecurity. In order to make progress, I believe there are several truisms that are useful to framing an organization's approach to cybersecurity and resilience: First, the Federal Government is not going to save you, but they are an essential partner. Second, cybersecurity competency requires leadership buy-in. Third, good guys and bad guys alike make mistakes, how fast you find both makes a difference. Fourth, your mistakes are likely going to get out anyway, the faster you protect your customers, the better off everyone will be. And fifth, everyone has bad days, preparation will determine how bad that day is. These truisms represent a simple acknowledgement that 100 percent security is not the desired or realistic end-state, instead a resilient organization that is empowered, informed, humble, and agile cannot just survive in today's environment, but actually thrive. In my testimony today, I will provide a series of recommendations to improve our approach to making the internet a safer and more secure place for all Americans. These recommendations are rooted in the need to continually improve our understanding of our Nation's physical and digital infrastructure, introduce friction into the adversaries' activities, and increase investments and centralized services for Government and industry alike. My recommendations align with the more defensive actions associated with ``Deterrence by Denial.'' (1) Continue to invest in CISA's National Critical Functions (NCFs) Initiative, improve our understanding of the risk facing our Nation's infrastructure, and expand roll out to highest-risk functions. (2) Prioritize identification of systemically important enterprise software and services, update Federal contracting for greater transparency and sharing, and launch operational defensive partnerships called for in the 2021 National Defense Authorization Act. (3) Launch a National countering ransomware initiative to improve defenses, disrupt the ransomware business model, and use broader set of authorities against actors. (4) Proceed with Department of Commerce rulemaking on Executive Order 13984, ``Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities'' to counter adversary abuse of Virtual Private Servers. (5) Improve Federal cybersecurity posture through enhanced governance, increased funding, and centralized services offered by CISA. understanding cyber risk When thinking about the cybersecurity risks we face today, I find the traditional risk formula most useful to organize the various players on the field: r=t*v*c. Where r = risk, t = threat, v = vulnerability, and c = consequence. Likelihood of an attack is assumed within the t variable. Those 3 variables combined yield the risk we are constantly trying to manage. The 3 variables, however, are not static nor are they singular, and therefore a risk manager's job is never done. The cyber implications of COVID-19 are a useful case study. In the spring of 2020, our Nation's critical infrastructure risk shifted dramatically. The coronavirus spread across the country sickening many Americans and overwhelming hospitals, particularly in New York City. The consequences of a threat--non-state actor ransomware--hitting a hospital would lead to loss of life due to reduced capacity in patient care. To manage the risk in the calculation, through CISA's ``Project Taken'' we engaged to both minimize vulnerabilities in patient care facilities, but also by messaging threat actors to avoid attacking those facilities. There were also state actor threats from China and Russia conducting espionage on vaccine manufacturing research labs. Those intrusions, exploiting vulnerabilities in the networks and systems of the labs, if conducted recklessly, could result in disruptive consequences to vaccine development, where days and weeks delay in vaccine roll out meant real lives lost. In part, through Operation Warp Speed, CISA worked with vaccine developers to minimize vulnerabilities by sharing threat intelligence, investigate suspicious activity, and scanning for unpatched systems. We also worked to better understand supply chains and manage consequences by identifying and diversifying or hardening single points of failure in the chain from research and development to shots in the arm. Both real-life scenarios offer just a glimpse into the challenges facing information security teams and risk managers in general across the country. They also highlight the focus cannot solely be on understanding and stopping the threat actors--we must also invest in our ability to understand why we might be targeted by threat actors, how they might come at us, and if they do, how do we survive or minimize any attack. the t(hreat) variable The cyber threat landscape is more complicated than ever, with state and non-state actors investing in and building capabilities that enable everything from run-of-the-mill cyber crime, information operations, destructive attacks, and operations with kinetic affects. Over the last few years, the ``state actor cyber club'' has evolved from the traditional big 4 of cyber adversaries--China, Russia, Iran, and North Korea--to a more stratified set of actors. The sorting is based on capability, with China and Russia at the top of the pyramid, and Iran and North Korea, while still capable, a rung below. Non-state actors including cyber criminals are also gaining ground. Further complicating the ability to paint a clear picture of the cyber threat actor landscape is the increasingly blurring line between state and non-state actors. For example, contracted or proxy cyber actors support or act on behalf of state-directed operations. Conversely, state actors sometimes moonlight as cyber criminals after- hours to earn additional income. And in other cases, non-state cyber actors operate with the tacit approval of the home state, if the actors do not target their own domestic organizations, in other words ``anyone but us.'' New actors enter and leave the playing field daily. Agencies reorganize, break up, and consolidate. Criminal gangs are busted, go dark, or give up the life of crime. If the tools are available, money and secrets are to be had, vulnerabilities exist, and a lack of meaningful consequences persist, there will be malicious cyber actors. Unfortunately, across the full set of actors, there is no authoritative perfect picture or master list of the agencies and their tradecraft, tools, personnel, or targeting lists. Instead, we have a modern-day parable of the ``Blind Men and the Elephant,'' where different defenders have a unique perspective based on their viewpoint from where they sit across American infrastructure or from their incident response investigations. This leads to a confusing mashup of threat actor names, be they pandas, APTs, or Periodic Table elements. And that is just from the cybersecurity vendor community. Inside Government and across allied partners there are myriad codenames and jargon for the cyber actors knocking on our networks every day. Case Study: Same Nation, Different Tactics Cyber actors use various techniques, from opportunistic and commonly available, to highly sophisticated and only available to those with resources and time. We saw both play out last year. The Russian FSB, the main successor to the Soviet-era KGB, carried out a broad campaign scanning for unpatched network access points known as VPNs in a variety of sectors, from Federal, State, and local government, to the aviation sector and the defense industrial base. There was nothing particularly sophisticated about this activity, they simply looked for the out-of-date VPNs and exploited them with common techniques. At the same time, the Russian SVR, the main foreign intelligence service, launched a stealthy campaign in late 2019 that used a variety of techniques exploiting trust--the that keeps networks going the world round. They moved downstream from Texas-based information technology (IT) company SolarWinds into customer networks, while also exploiting authentication techniques to gain access to email systems. As we were chasing the noisy FSB (and other actors, like the Iranians and ransomware crews) around the country, the ghostlike SVR was lost in the noise, patiently moving through a select list of targets. And that is just 2 actor sets from 2 agencies within 1 foreign adversary. Each agency has multiple groups, each nation has multiple agencies. Each group, agency, and nation have different strategic objectives and tactics to achieve them. the challenge of securing domestic infrastructure Our critical infrastructure is what drives our economy, supports National security, and contributes to public health and safety. Most critical infrastructure in the United States, however, is owned and operated by the private sector with only a patchwork of security oversight in place. It is hard to overstate the massive scope of the critical infrastructure security and resilience challenge. The levers Government has at its disposal to change behaviors, on the other hand, is underwhelmingly small. This leads to 3 conditions limiting the ability of Government and industry to collectively improve critical infrastructure cybersecurity: (1) Lack of a deep understanding of what is truly systemically important across the economy, (2) a need for more meaningful methods for operational engagement with industry to address risk; and (3) insufficient funding and investment in security improvements. Understanding Risk The first challenge to overcome in enhancing the cybersecurity of our Nation's infrastructure is our understanding systemic importance must improve. Even within classic infrastructure sectors and systems that are generally easy to define--banking and finance, energy, and transportation--only now are we really identifying the highest-risk functions within those sectors. Fortunately, the effort to understand systemic importance of industry functions is a growing area of focus for the Federal Government, in part driven by CISA's National Risk Management Center through the National Critical Functions (NCF) initiative.\1\ By gaining a deeper understanding of the critical functions and systems that drive our Nation's economy the Government can bring together key players to operationalize risk management partnerships and make measurable progress toward a more resilient economy. --------------------------------------------------------------------------- \1\ National Critical Functions/CISA. --------------------------------------------------------------------------- One of the most critical aspects of the NCF work will be to support efforts to understand the prevalence of more intangible sectors like information technology and communications. The IT sector is a horizontal or enabling sector rather than a vertical sector. The products and services offered by the IT sector, like computer operating systems, network management software, and cloud computing, are core to nearly every aspect of the economy--even our Nation's agriculture sector increasingly relies on automated technology to improve efficiency and increase capacity. To more broadly understand systemic importance of enterprise software and platforms, Government and industry must work together to map the key components and players of our Nation's IT and communications infrastructure. Of particular focus should be those companies that have a dominant position in their market segment, and any disruption or compromise would have cascading and outsized impacts on the ecosystem. As a byproduct of enjoying economic success, those companies should recognize they have broader corporate citizenship responsibilities and must dedicate resources, personnel, and expertise to protect the very economy they so richly benefit from. At a minimum, companies should reexamine and ensure their approach to securing their products, processes, and customers. NCFs In Practice: Defending the 2020 Election The concept of organizing around a key NCF was central to the success of the protection of the 2020 election. Led by CISA, the election security community across Government and industry came together to understand the greatest risks to the administration of the election, developed strategies and plans to improve security of the key subfunctions and successfully defended the election. We must repeat that intensity of effort across the rest of the NCF set. The NCF initiative, as shown in the defense of the 2020 elections, has already laid the groundwork for the Continuity of the Economy recommendation in the 2020 Cyberspace Solarium Commission (CSC) report, subsequently included in the 2021 National Defense Authorization Act. Improving Engagement between Government and Industry In addition to improving our understanding of infrastructure, we must improve the methods by which we collectively engage on risk management efforts. CISA can lead this important endeavor. The agency supported the President's National Security Telecommunications Advisory Committee (NSTAC) in developing the 2014 Report to the President on Information and Communications Technology (ICT) Mobilization.\2\ The core concept of the report was to develop a working partnership between industry and Government that could be immediately activated in the event of a large-scale cyber attack approaching a National emergency, yet many of the lessons of the report equally apply to steady-state resilience building activities. Two recommendations emerged from the report that are even more important than they were just a half decade ago. --------------------------------------------------------------------------- \2\ NSTAC--Information and Communications Technology Mobilization Report 11-19-2014.pdf (cisa.gov), https://www.cisa.gov/sites/default/ files/publications/NSTAC%20-%20Information- %20and%20Communications%20Technology%20Mobilization%20Report%2011-19- 2014.pdf. --------------------------------------------------------------------------- (1) Conducting a Unified Risk Assessment.--The first is tighter integration between the collectors and analyzers from industry and Government of foreign cyber actor intelligence, in part through a Unified Risk Assessment Process for Mobilization. This fusion of private and public intelligence expertise can overcome the current imperfect nature of understanding, decision making, and response. A unified risk assessment process in both steady-state and response scenarios would bring together informed and experienced hands to determine means, intent, and ability to understand a potential or on-going threat actor campaign. Most importantly, the private sector and civilian agency experts can bring context and relevance to intelligence analysts that may not have a sufficient understanding of the domestic infrastructure landscape, which can lead to overlooking the relevance of collected intelligence. This risk assessment process and the contributing analysts should be a core function of the Integrated Cyber Center recommended by the Cyberspace Solarium Commission (Recommendation 5.3) and included in the 2021 NDAA, Section 1731 (Establishment of an Integrated Cybersecurity Center). The concept also echoes the recommendation of the President's National Infrastructure Advisory Council (NIAC) for the establishment of a Critical Infrastructure Command Center (CICC).\3\ --------------------------------------------------------------------------- \3\ https://www.cisa.gov/sites/default/files/cisa/ NIAC%20Actionable%20Cyber%20Intelli-gence_DRAFT- PREDECISONAL_508c%20(002).pdf. --------------------------------------------------------------------------- (2) Establishing a ICT Enablers Working Group.--The 2014 NSTAC report also ``developed a working model of the functional capabilities (in 6 categories) associated with the broader global ecosystem.''\4\ The companies that execute these capabilities are known as ``ICT Enablers.'' While the core functions of the ICT Enablers no doubt require a fresh look and update, the purpose is the same--we must understand the core functions and the companies that substantially make up those functions. This is the essence of systemic importance in the IT Sector, those companies that dominate or hold a lynchpin position in the ecosystem have an outsized responsibility to contribute to the National defense. We must know who these companies are and then establish meaningful partnerships between industry and Government. Not just to trade business cards, but to share information on emerging threats or observed attacks. --------------------------------------------------------------------------- \4\ NSTAC Report to the President on Information and Communications Technology Mobilization, pg 14. --------------------------------------------------------------------------- Through the knowledge transfer associated with trusted partnerships, combined with the commitment and support of corporate leadership, the baseline of security across the ICT enablers should improve. Prior models have fallen short principally due to a lack of specificity in tasks and the inability of Government to host industry representatives outside of a handful of Information Sharing and Center (ISAC) representatives. By adopting a risk management agenda with discrete tasks and skillsets required, and industry organizing itself with deliberate representation of the companies that truly matter, much like the United Kingdom's National Cyber Security Centre Industry 100 model, CISA can more effectively identify and work with industry partners. The entity resulting from the Integrated Cyber Center or CICC mentioned above, building on existing CISA coordination mechanisms, can bring Government and industry together to improve partnership models to operationalize intelligence and risk management efforts. Increasing Funding for States and Incentivizing Industry Investment Even by identifying our infrastructure of concern and creating the mechanisms for engagement, it requires resources to secure systems, hire and train personnel, and engage in collective efforts. For State and local government partners, even if awareness is not an issue, lack of funding is an ever-present inhibitor to improving security. 1. State and Local Cyber Grants.--Congress should identify grant programs, much like the Homeland Security Grant Program, to distribute funding to State and municipal infrastructure programs to help improve their security programs. Grant programs should incentivize regional collaboration and coordination, creating a mutually supporting culture and community of security. 2. Expanding Training to Government Infrastructure.--CISA should also be authorized and funded to provide entry and mid-level information security and operational security education and training programs. These programs should prioritize remote learning opportunities in order to engage more students, but where more advanced or hands-on learning is more effective, CISA should be funded for mobile training capabilities to bring training to the students where they are. 3. Industry Incentives.--Industry should similarly be encouraged to invest in security programs, ideally through sector self- organization and implementation. In the mean time, the Executive branch should conduct a meaningful review of existing regulatory programs for cybersecurity requirements or extant authorities that could be used to require additional security. We are also seeing a emerging class of corporate leaders that understand the importance of cybersecurity and the need to invest. Conversely, there will always be a set of executives that look to shave costs and minimize outlay until forced to spend, if even then. With the appropriate engagement and education, the former class--particularly when identified as systemically important and provided the opportunity to best improve the security of their operations--should outpace the latter. After a period of time, all executives may prefer a more prescriptive approach with certainty. 4. Government Contracting Requirements.--The Government should start with where it does business with industry, Government should require standardized security practices as a matter of contracting. The U.S. Government can immediately improve visibility and understanding across Federal networks (though there will be cascading benefits to industry) by amending the contracting process to require transparency about the software itself, the level of access the software requires to operate, and the security measures in place to ensure the software cannot be manipulated through development, build, installation, operation, or maintenance. In addition, CISA should be included in the contract as an authorized recipient of vulnerability and incident notifications. As of now, privity of contract and the bounds of Non-Disclosure Agreements (NDAs) limit the sharing of information on risks or incidents beyond the vendor and the customer. This puts the vendor in the position of not being able to share information with CISA for broader understanding of an emerging or on-going incident. the growing ransomware national emergency Today's cyber threat landscape is not monopolized by state actors, in fact, the threat that most immediately and measurably affects the average American is cyber crime. Ransomware, specifically, has been on a steady rise over the last several years, with ransomware gangs typically operating out of countries that turn a blind eye toward their crimes, as long as the victims are foreign, and the money comes back home. According to the 2020 Verizon Data Breach Report, ransomware accounts for 27 percent of malware incidents, with the highest rate of occurrence in the education, health care, and Government administration sectors.\5\ Ransomware crews have been propelled and professionalized by commodity malware and specialization across various hacking techniques, but also thanks to the availability of cryptocurrencies that allow for anonymous financial transactions. --------------------------------------------------------------------------- \5\ 2021 Verizon Data Breach Report, Figure 5., pg 7. Available for download here. --------------------------------------------------------------------------- The United States along with our allies need to take a new, more strategic and coordinated approach to overcoming the emerging National security emergency posed by ransomware. The counter ransomware ``triplet'' includes improving cyber defenses, disrupting the criminals' business model, and increased coordinated action against ransomware gangs and their enablers. This strategy will require Government and the private sector to contribute and commit to partnering together to break the ransomware cycle. Improving Defenses First, we must improve defenses of our businesses and agencies across all levels of Government. Ubiquitous use of multifactor authentication (MFA) for access to networks can limit credential abuse, updated and patched systems can prevent actors from exploiting known vulnerabilities, and a well-practiced incident response plan accompanied by backed up and off-line systems can enable rapid reaction and restoration. In many cases, even these straightforward steps are beyond the reach of many companies or State or local agencies. We need to rethink both our approach to technology deployment, including MFA by default, and the Federal Government should consider increasing technology upgrade grants to States and localities to retire legacy systems and join the digital transformation. The return on investment will extend beyond increased security and improve the efficiency of citizen services, support the U.S. technology sector, and open up more skilled technology jobs for a sluggish American workforce. Disrupting the Ransomware Business Model Second, we must break the business model of ransomware. Simply put, ransomware is a business, and business is good. The criminals do the crimes and their victims pay the ransom. Often it is easier to pay and get the decryption key than rebuild the network. There are 3 problems with this logic: (1) You are doing business with a criminal and expecting them to live up to their side of the bargain. It is not unusual for the decryption key to not work. (2) There is no honor amongst thieves and no guarantee that the actor will not remain embedded in the victim's network for a return visit later, after all the victim has already painted themselves an easy mark. (3) By paying the ransom, the victim is validating the business model and essentially making a capital contribution to the criminal, allowing them to hire more developers, more customer service, and upgrade delivery infrastructure. And, most worrisome, go on to the next victim. A useful law school exam question may be whether in a string of ransomed companies, if a victim of a subsequent ransomware attack might pursue legal action against a prior victim of the same crew that had paid off the criminal. There is likely no viable course of action here but continuing to allow for ransom payments is a net public policy negative. We must address the ransomware business model head-on and disrupt the ability of victims to pay ransom. First, cryptocurrencies should be either more heavily-regulated or provide for more transparency via Know Your Customer regimes for cryptocurrency exchanges. Second, we need a National policy conversation on whether payments should be lawful. The Office of Foreign Asset Control (OFAC) has already started this dialog, declaring ransom payments to identified entities may be a violation of economic sanctions laws. Because the identity of the ransomware actor is not always obvious, the OFAC advisory may have an overall chilling effect on ransom payments. More Aggressive Action Against Ransomware Actors Third, we need more coordinated action against ransomware actors using the range of authorities available to Federal agencies, as well as capabilities and rights resident in the private sector. To be perfectly clear, I am not suggesting extrajudicial kinetic actions against ransomware gangs. However, other authorities available to law enforcement and military should be on the table, with great care taken not to blur the lines between the two. Traditional approaches have clearly not been sufficient to prevent the outbreak of ransomware. More aggressive disruption of malware command and control infrastructure, like the recent action against Emotet, is a good start.\6\. Where there are clear ties between ransomware actors and state actors or a potential imminent threat to an event or infrastructure of significance like a National election, action should be on the table. The private sector also has options available, as demonstrated by Microsoft's aggressive policing the abuse of its trademark and source code, including last fall's operation against Trickbot.\7\ When coordinated and jointly conducted, private and public sector can make the internet an inhospitable place for cyber criminals. The recent establishment of the National Ransomware Task Force, hosted by the Institute of Security and Technology,\8\ is a promising private-sector collaboration to change the rules of the game, assuming strong engagement and coordinated action with the Federal Government. --------------------------------------------------------------------------- \6\ Emotet Botnet Disrupted in International Cyber Operation/OPA/ Department of Justice. https://www.justice.gov/opa/pr/emotet-botnet- disrupted-international-cyber-operation. \7\ New action to combat ransomware ahead of U.S. elections-- Microsoft On the Issues. https://blogs.microsoft.com/on-the-issues/ 2020/10/12/trickbot-ransomware-cyberthreat-us-elections/. \8\ Institute for Security and Technology (IST) Ransomware Task Force (RTF). https://securityandtechnology.org/ransomwaretaskforce/. --------------------------------------------------------------------------- adversary abuse of infrastructure as a service Much of the state and non-state actor cyber activity targeting U.S. businesses and agencies uses our very own technology against us. State and non-state actors alike are using cloud infrastructure services and the protections afforded by law and the Constitution to steal intellectual property and potentially position themselves for future attacks. According to Ambassador Robert O'Brien, President Trump's last National Security Advisor, ``(m)align actor abuse of United States (Infrastructure as a Service) products has played a role in every cyber incident during the last 4 years.''\9\ To stem the abuse of IaaS products, the last administration signed out Executive Order 13984, ``Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities.''\10\ The EO directs the Department of Commerce to release for notice and comment regulations within 180 days that describe a regime that would require cloud service providers to implement ``Know Your Customer'' and Suspicious Activity Reporting measures. --------------------------------------------------------------------------- \9\ Press Release--Statement from National Security Advisor Robert C. O'Brien/The American Presidency Project (ucsb.edu). https:// www.presidency.ucsb.edu/documents/press-release-statement-from- national-security-advisor-robert-c-obrien-9. \10\ 2021-01714.pdf (govinfo.gov). https://www.govinfo.gov/content/ pkg/FR-2021-01-25/pdf/2021-01714.pdf. --------------------------------------------------------------------------- While the new administration is obviously within its rights to review and revise or withdraw any pending rulemaking, this regulation, with adequate input from industry and cloud users, can limit abuse of cloud services through increased transparency. Even in the absence of the regulation, it would be wise for industry to consider adopting a voluntary set of transparent practices that would achieve the same outcome, absent Federal Government intervention. improving federal civilian agency cybersecurity As demonstrated by recent Russian intelligence activities, Federal agencies remain at the top of the targeting list for foreign cyber actors. Our Nation's 101 Departments and Agencies civilian agencies hold a wealth of unclassified information across a vast assortment of unevenly secured, monitored, and even mapped networks and systems. Despite an increased availability and deployment of cybersecurity tools via the National Cyber Protection System and the Continuous Diagnostics and Mitigation (CDM) program over the last 6 years, more must be done. Other shifts and gaps in the Federal Government IT space have hampered the ability of agencies to keep pace with the threat landscape. At the macrolevel, there are 3 general themes that hamper our ability to properly secure the .gov, even after several years and billions of dollars invested in security. First, there is still insufficient funding for modernization and new security tools. Second, there is a need for stronger governance across agencies. And third, visibility into network traffic is eroding due to increased use of encryption (a good thing!) and a shift to cloud-based services (also a good thing, if done properly). Accelerated Investment in CISA Security Programs Investing in Federal IT is not a one-shot deal, maintaining a modern and secure environment is simply the cost of doing business in today's world. This is particularly true as more and more services go digital and most of the Federal workforce remains remote due to COVID (and may remain remote for the foreseeable future). In the face of the these shifts and the attackers' relentless efforts to find seams in our defenses, Congress must not blink, even in the wake of the SolarWinds supply chain compromise. The CDM program remains the critical core of Federal cybersecurity, though it is not currently deployed broadly or deeply enough in part due to agency ability to deploy at scale quickly, underestimation of required services, and funding constraints. CDM focuses on who and what makes up the network, including assets, identity, and data. Recently, NDAA Section 1705 authorized CISA to conduct proactive threat hunting across civilian networks, a key development in improving visibility across the 101 agencies. For this advancement to be successful, CISA will need to deploy detection capabilities, hire analysts to conduct the activities, gain access to the appropriate data, and the buy-in and cooperation from the agencies CISA is hunting across. With accelerated capability coverage and additional Federal agency support through expanded financial resources, CDM will more effectively and efficiently serve Federal agencies to search for and where necessary remediate Russian actor intrusions. CDM can also serve as a force for change and modernization across the Federal Government. Last spring, as COVID sprung up and threat actors targeted Health and Human Services networks, the program rapidly responded to help HHS upgrade security and systems to protect pandemic response and research. [sic] can be a catalyst for continued IT and cyber modernization across the Federal enterprise. Stronger Governance Across Federal Civilian Agency Networks At the governance level, roles and responsibilities across the Federal Government are unclear, potentially further complicated by the newly-authorized National Cyber Director (NCD) created by Section 1752 of the NDAA. Regardless of the organizational structure, the Executive branch must establish a comprehensive strategy and vision for Federal network modernization and security, drawing in the Budget side of the Office of Management and Budget (OMB) to coordinate and consolidate budgetary oversight, the Federal CISO as the policy framer, CISA as the tool provider and enforcer of security policy. The respective roles and responsibilities of the Federal CISO and CISA should also be examined. In effect, CISA is serving as the operational CISO for the Federal Government, particularly with the recent NDAA authorities--this position should be strengthened. Federal agencies are of course a part of this effort, but as time and our adversaries have proven, there are currently not enough technical resources and personnel available at the individual agency level to meaningfully protect the .gov in 101 different instantiations. Therefore, the Federal Government must set very clear cybersecurity expectations and standards for agencies and Congress should fund those expectations. There should be two paths for agencies to choose: (1) You either meet the enhanced standards set out or (2) CISA can do it for you. The first option, while achievable and likely appealing to agencies mature and confident in their ability to manage their enterprise risk, will also require funding unavailable to most agencies. Even then, it is economically inefficient for even the most mature agencies if a comparable offering exists elsewhere. Increasing Visibility Through Centralized Services The second option plays into the third area for improvement, increased visibility through centrally-managed services. The NDAA threat-hunting authorities provided to CISA will provide increased visibility at the host level, however, there are additional visibility gaps that need to be addressed. For example, as agencies have shifted to cloud-based services--particularly during the pandemic--CISA lost visibility into network traffic. That decrease in visibility is in part due to increased encrypted traffic, but also because the entire point of modern cloud-based ``Workplace as a Service'' is for the user to interact directly with the cloud rather back to the agency's network via a trusted connection. To do this securely, however, requires consistency and discipline in implementing the appropriate security controls, as well as collecting and maintaining the forensic records to empower detection, analysis, and response. To ensure consistency and appropriate logging, CISA should work with OMB and GSA to create a customer-centric, security-first hardened cloud-based email environment. This approach would be economically sensible at the macro and micro levels and would be centrally defensible to adversary attacks. Even this may be too permissive of an arrangement and only a half- step toward the most logically defensible arrangement for civilian agencies--a centrally-managed and secured ``Govnet.'' Common services that touch the public internet, including email, should be consolidated as much as possible, ideally by CISA's Quality Service Management Office (QSMO).\11\ Such a configuration would clearly be an attractive target to attackers, and yet by consolidating security teams, visibility, and ability to act, a more resilient infrastructure is possible. --------------------------------------------------------------------------- \11\ Cyber QSMO Marketplace/CISA. --------------------------------------------------------------------------- conclusion The piece parts are in place for our Nation to dramatically improve our cybersecurity defenses. We need to as a society accept that that, yes, each and every organization in the country whether private sector or Government, can be targeted by a cyber actor. And no, the Government is not going to save you. And yes, there is something that you can do about it, in fact you have a responsibility to your customers, stakeholders, and depending on where you sit in the economy, a responsibility to the country. The key ingredients needed are leadership awareness and commitment in the private sector and a bolder vision from Government. That alone will not immediately solve the problem, but with those two pieces folded together, investment will follow, defenses will improve, and organizational and economic resilience will increase. It will take time and we will never reach or even see a finish line. Cybersecurity is an ever-evolving discipline, and the threat actors are motivated by a variety of incentives that we may never fully comprehend. But change for the better is possible, we just need to stop waiting for it to happen to us and instead, to quote Mahatma Ghandi, ``be the change we wish to see in the world.'' Thank you not only for this opportunity to testify before the committee today on this critical issue, but also for your partnership over the last several years. I have no doubt that my successor will enjoy a productive working relationship with the committee and that together we can continue to improve the Nation's cybersecurity and resilience. I look forward to answering any questions you might have. Chairman Thompson. Thank you very much. I now ask Ms. Gordon to summarize her statement for 5 minutes. STATEMENT OF SUSAN M. GORDON, FORMER PRINCIPAL DEPUTY DIRECTOR OF NATIONAL INTELLIGENCE, OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE Ms. Gordon. Good afternoon, Chairman Thompson, Ranking Member Katko, and distinguished Members of the committee. I am absolutely delighted to be here to testify on this issue of utmost National security interest. It is great to see you all again, even as a private citizen and not as your principal deputy director of national intelligence. There is little more important work we do as a Nation and as a free and open society than that which you are tackling here today and in the days to come. I am here today to discuss 3 aspects of the issue: The nature of the cyber threats we face and that are emerging, the domains in which those threats manifest, and the imperatives that must drive solutions. My colleagues will discuss the specifics of recent attacks and proffer specific next steps. I hope to put each of those in context. First, in terms of threat, offensive cyber capability is a global commodity, the means by which every interest of our adversaries and competitors is increasingly achieved. In a digitally-connected world, one need not travel great physical distance or expend great resource to achieve malign outcome. Fifteen years ago, offensive cyber was the tool only of the great powers, wielded in a largely unconstrained environment with very specific, narrow intention against Governmental targets. Today, while it is especially destructive in the hands of some, like Russia and China, it is a tool of anyone who wants to do harm. While some are more capable than others of achieving strategic impact, all are capable. In the hands of malign actors, cyber action can have physical, political, military, economic, and societal impact, as we have just witnessed this past year with ransomware attacks, intellectual property theft, theft of PII, disinformation campaigns, intelligence collection, and disruption of service. We need to stop acting like these attacks are special or rare or somehow beyond our ken or ability to respond because they are happening digitally. This digital activity has physical consequence, and the outcomes that cyber actors are producing threaten our National security, sometimes in isolation, sometimes in aggregate. In terms of domain, it used to be that governments held all the vital information, the secrets worth stealing, and wielded all the power and made all the decisions worth influencing. No longer. The engine of our great society also lies in our companies and our communities, and the decisions made in boardrooms and voting booths have global impact. As private companies and private citizens have become a threat surface, they, too, must receive National attention. Threat actors today target whatever and whomever serves their purpose: Government and non-Government, critical infrastructure and private citizens, academic institutions and research centers, huge multinational corporations, and small businesses. While in some cases the victim is the target, sometimes they are just the transportation and access to the intended quarry. Said differently, if you aren't the target, you may still be targeted. No one--no one--gets off free. But most of all what we are seeing today are attacks on the most important aspect of free and open societies: Trust, in all its instantiations. We cannot allow that to continue undeterred and unthwarted. Enough problem-identifying; I am with you. Your purpose, our collective purpose, and one that I know my fellow witnesses and I will commit ourselves to with you is to find a solution. Let me offer a few imperatives or first principles to guide your next steps. First, solutions cannot be exclusively Federal or exclusively Governmental or exclusively United States. The Cyber Solarium report is a remarkable, important document, and it produced outstanding recommendations, and yet they focused more on Government response than shared responsibility with the private sector or other partners. There is opening here for new. Second, solutions cannot be exclusively technical. For all our advances in network security, security is most effective when it addresses the entire operating ecosystem. There is no technology magic bullet. The best solutions address personal, physical, and operational security in combination. Solutions cannot be only for the resource-rich. Since we are all connected, the least of us can affect the whole of us. Solutions cannot focus solely on single entities. Every organization is part of the larger end-to-end system. Did SolarWinds understand the responsibility they carried when they sold their products to the Treasury Department? On a personal note, intelligence must also be more widely, more openly shared, especially about intent. I know that that is anathema to my former colleagues because knowing an adversary's intent is our most closely guarded advantage. But if we don't share it more broadly, how will a non-Governmental entity ever get ahead of their attackers? Finally, we need to bring the problem into the light, ruthlessly, because evil can't survive there. There is still too little sharing, for many reasons, none of which are sufficient in light of the exposure we face by not taking advantage of our shared knowledge. Security and trust disproportionately favor the good guys, and we need to press our advantage. To close out, I offer that we must approach today's rapidly-changing posture with continually-evolving practices. Where we have previously focused on tangible threats, we must now constantly face those that are intertwined and are part of the digital environment. I look forward to your questions more. I look forward to being a resource for you as we find our way forward and overcome this threat, as we have so many in the course of our history. I look forward to your questions. Thank you so much for the opportunity. [The prepared statement of Ms. Gordon follows:] Prepared Statement of Susan M. Gordon 10 February 2021 Good afternoon, Chairman Thompson, Ranking Member Katko, and distinguished Members of the committee. Thank you for the opportunity to testify on this issue of National security interest--cybersecurity and resilience. It's great to see you again, even as a private citizen not your principal deputy director of national intelligence. Though my colleagues and I sitting before you all come from different backgrounds and have different perspectives on the issue, I think we all believe there is little more important work we can do as a Nation and as a free and open society than that which you are tackling here today and in the coming days. I am here to discuss 3 aspects of the issue: The nature of the cyber threats we face and that are emerging, the domains in which those threat manifest, and the imperatives that must drive solution. My colleagues will discuss the specifics of recent attacks and proffer specific next steps, I hope to put those in context. First, in terms of threat, offensive cyber capability is a global commodity--the means by which every interest of our adversaries and competitors is increasingly achieved. In a digitally connected world, one need not travel great physical distance or expend great resource to achieve malign outcome. Fifteen years ago, offensive cyber was the tool of the great powers, wielded in a largely unconstrained environment, with very specific, narrow intention against governmental interests. Today, it is the tool of criminals, nation-states, and non-nation-state actors, and while some are more capable than others in achieving strategic impact, all are capable. In the hands of malign actors, it can have physical, political, military, economic, and societal impact, as we have witnessed just this past year with ransomware attacks intellectual property theft, and theft of PII, disinformation campaigns, intelligence collection activity, and disruption of service. We need to stop acting like it's special, or rare, or somehow beyond our ken or ability to respond because it's happening digitally. This digital activity has physical consequence. The outcomes that cyber actors are producing threaten our National security. Second, in terms of domain, it used to be that governments held all the vital information (kept the secrets worth stealing) and wielded all the power (made all the decisions worth influencing.) No longer. The engine of our great society lies in our companies and our communities, and the decisions made in board rooms and voting booths can have global impact, so the threat surface includes private companies and private citizens, and their decisions can have direct effect on National security as surely as it would if they held Government position. Threat actors today target Government and non-Government, critical infrastructure and private citizens, academic institutions and research centers, huge multi-national corporations and small businesses. While in some cases the victim is the target, sometimes they are just the transportation and access to the intended quarry. Said differently, if you aren't the target, you might be targeted--no one gets off free. But most of all, what we're seeing today are attacks on the most important aspect of free and open societies--trust--and we cannot allow that to continue. Success of the opportunistic predator often can be thwarted by the cyber equivalent of locking the front door and putting your valuables in a safe. But in the case of relentless pursuers--most likely nation- states with massive resources and strategic patience--success can only be thwarted by understanding the intention of the actor and committing to whole-of-organization, whole-of-Nation, whole-of-society persistent attention to risk management. Third, enough problem identifying. Your purpose--our collective purpose--is to find solution. Let me offer some imperatives or ``first principles'' to guide next steps.
Solutions cannot be exclusively Federal, or exclusively Governmental, or exclusively United States. Solutions cannot be exclusively technical. Solutions cannot be only for the resource-rich. Solutions cannot focus solely on single entities. Intelligence must be more widely, more openly shared, especially about intent. Bring the problem into the light, ruthlessly, because evil can't survive there. To close out with these principles in mind, and in the pursuit of solutions, I offer that we must approach today's rapidly-changing threat posture with continually-evolving defense practices. Where we previously focused on tangible threats, we must now constantly be adapting to the challenges presented by the digital world. To achieve this defensive agility, the intelligence community, Government, industry, and must work closer together. I look forward to your questions. Thank you. Chairman Thompson. Thank you very much. I now ask Mr. Daniel to summarize his statement for 5 minutes. STATEMENT OF MICHAEL DANIEL, PRESIDENT AND CEO, CYBER THREAT ALLIANCE Mr. Daniel. Thank you, Mr. Chairman and Ranking Member Katko and other distinguished Members of the committee, many of whom I have worked with before in various capacities, so it is a pleasure to be here before you today. I appreciate and applaud you for taking the time to actually have this hearing so early in the sequence for this Congress. It shows the importance that you place on this issue. As our previous 2 witnesses have said, the cyber threats facing this Nation are urgent and they are serious. So I am going to talk about 3 aspects, though, of the cybersecurity issue, of the cyber threats that we face, that should shape how this committee thinks about and how we as a Nation have to think about improving our ability to address this problem. The first one of which is that, just as important as the urgency and the seriousness of the threat, the threat is getting steadily worse. There are really 5 trends a that are driving this evolution. First is growth. Cyber space as an environment is literally getting bigger every second, because we keep hooking more and more devices up to the internet. No other domain--land, sea, or air--exhibits this behavior of steady and remarkably almost exponential growth. But also diversity. The kinds of devices that we are hooking up to the internet are wildly varying now. It is no longer just about wired desktops or laptops, but about watches and cars and industrial control systems like water plants. It is also about danger. It is no longer that we are talking about simple website defacement or even theft of information, but now effects, physical effects, through cyber space can cause harm and even death. It is also about numbers. As Sue was just talking about, everybody and their cousin, practically, is now involved in cyber space--terrorists, hacktivists, nation-states, criminals. The numbers are quite staggering. Everyone has discovered that cyber is a good way to carry out their interests and achieve their agenda. Finally, dependence. We, as a society, as Representative Katko pointed out, are highly digitally dependent. So things and disruptions that would have 25 years ago been minorly annoying are now organizationally catastrophic if they occur. Another aspect of the nature of cyber space and cybersecurity is how it crosses boundaries and how it crosses silos. There is no other issue that I have looked at in public policy that is as ``inter-'' anything you want to put in there. It is interagency. We cannot successfully simply take cyber and make it the responsibility of any one agency in the Federal Government. That simply will not work. Nor can we create an agency that can take all of those different aspects of cybersecurity and have that function either. So it is inherently an interagency issue. It is also an intergovernmental issue, meaning that it is a State and local issue just as much as it is a Federal issue, as the elections that we just had back in November amply demonstrate. It is an international issue because it crosses boundaries and borders. As Chris Krebs pointed out, you know, the majority of the malicious activity actually emanates from foreign places. It is inherently public and private at the same time, because the vast majority of cyber space is owned and operated by the private sector. Finally, there is also the issue of our mindset. We do not have the right mindset to actually think about cybersecurity correctly. In many ways, we suffer from problems that--of how we approach the problem that hinder our ability to tackle it well. First of all, as Sue said, it is not just a technical problem, and we want to make it that--one that we can simply buy a gadget to fix. But it is not. It is an economic, it is a business, it is a privacy issue, a National security, law enforcement, psychological problem all rolled into one. We also want to make it a problem that we can solve. But, as you will hear many of us talk about, you can never solve this problem. We will never achieve 100 percent security. So it is a risk, instead, that we have to manage. We also tend to think about keeping our adversaries out of networks, but that is not going to work either. We can never keep them out of a network. Instead, we need to think about how we thwart the goals that our adversaries are trying to achieve, rather than simply keeping them out. That will give us many more bites at the apple. We also tend to try to make cyber space work like the physical world, but it doesn't. The physics and math of cyber space are different. It is a nodal network that operates at light speed, and concepts like borders and distance and proximity all have different meanings. Finally, we tend to think of cyber space as if it were some sort of global commons, but that is not true. Every bit of cyber space is owned by somebody. Those boxes and computers and laptops and servers all exist on somebody's territory. There is no equivalent to international waters in cyber space. So, just to conclude this, you might think that, given all that I have laid out, that I am actually a pessimist, but I am not. I actually do believe, as Sue said, that we can make cyber space safer and we can reduce our risk. It will be hard, and it will require us to be innovative not just in technology but in our organizational structures and processes and laws and policies as well, but I believe we can do these things. I look forward to your questions and working with the committee on this topic. Thank you very much. [The prepared statement of Mr. Daniel follows:] Prepared Statement of Michael Daniel February 10, 2021 Thank you for the opportunity to appear before you today for this hearing on Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience. My name is Michael Daniel, and I am the president & CEO of the Cyber Threat Alliance (CTA)--an information-sharing organization that now includes 32 of the world's leading cybersecurity companies. Prior to CTA, I served for over 20 years in the U.S. Federal Government, including 4\1/2\ years as special assistant to President Obama and cybersecurity coordinator at the National Security Council. Let me begin my testimony by thanking the committee for holding a hearing on this important issue. The cybersecurity threats facing the United States are significant, urgent, and potentially life- threatening--and our Nation must improve its ability to counter them. This committee plays a key role in enabling the Federal Government to meet this challenge. This testimony will lay out the cyber threat landscape the United States faces, the types of adversaries conducting cyber operations, and some long-term goals and principles to address these threats. I will also touch on Federal Government organization, Federal agency cybersecurity, and how to think about cybersecurity in more productive manner. the cyber threat landscape We live in a digital age. Digital technologies increase efficiency and productivity, shrink distances, and enable news ways of working and connecting. However, digitization also brings challenges and potential vulnerabilities that--left unchecked--threaten to undermine our National security, economy, and public health and safety. Although the United States faces a myriad of cyber threats, 5 trends are making these threats worse over time: (1) Cyber space is expanding.--As we connect more devices to the internet, we are making cyber space bigger. It is the only human environment that is continually expanding at a meaningful pace. Land, sea, air, and near-earth orbit are not growing to any appreciable degree, but cyber space is different. While estimates vary, everyone agrees that the growth is enormous. For example, Cisco conservatively estimates that by the end of 2021, 27.1 billion devices will be connected to internet, an increase of 10 billion devices since 2016. That figure translates to 5.5 million devices per day or 60 devices every second. (2) Cyber space is becoming more heterogenous.--Beyond raw expansion, the variety of devices connected to the internet keeps increasing. These devices are not just desktops, laptops, or smartphones. They are light bulbs, refrigerators, cars, thermostats, sensors, machine tools, dams, water purification plants, oil rigs, toll collectors, and thousands of other ``things''--a huge array of different kinds of devices with different functions, protocols, and security features. The combined growth in volume and heterogeneity makes effective cyber defense extremely difficult. (3) Malicious cyber actors are becoming more numerous.--The number of malicious actors in cyber space continues to grow rapidly as hacktivists, criminals, and nation-states all learn that they can pursue their goals relatively cheaply and effectively through cyber space. The barriers to entry are low and the potential return on investment is high. As a result, the volume and frequency of malicious cyber activity is increasing dramatically. (4) Cyber threats are becoming more dangerous.--As recently as a decade ago, cyber actors generally limited their malicious activities to stealing money or information, temporary denial-of-service attacks, or website defacements (the digital equivalent of graffiti). But over the last 10 years, malicious actors have shifted to more destructive and disruptive activities. The physical disruption of the Ukrainian power grid, the use of cyber-enabled information operations to influence electoral processes, the release of the destructive NotPetya malware, and the scourge of ransomware are all examples of this trend. (5) Cyber incidents are becoming more disruptive: as we have become more and more digitally dependent, the potential impacts of a cyber incident have also increased.--It is becoming harder for us to operate without access to the internet; the need for a significant portion of the workforce to work remotely during the pandemic highlights that dependence. What would have been a nuisance a few years ago can now kill people if they cannot get access to timely medical care due to a network outage. Specific threats Within these broad trends, I would highlight 2 specific threats: Ransomware.--Over the last couple of years, one key threat that has emerged is ransomware. This malware encrypts data on a victim's system and in order to regain access to the data, the victim has to pay a ransom. In addition, adversaries are also stealing private information prior to encrypting it and threatens to release the data publicly or onto the dark web if the victim does not pay. This threat has grown to such a degree that it is no longer just an economic nuisance but a National security and public health and safety threat. Operational Technology malware.--for many years, the computers that run operational processes in manufacturing, power generation, water distribution, and other industrial activities were largely proprietary and difficult to access from the internet. However, these systems are becoming increasingly connected and more standardized. As a result, the ability for adversaries to target and disrupt these systems has increased. A cyber attack against one these systems would have a much higher impact across our digital ecosystem that the typical criminal activity. cyber adversaries While the number of malicious actors in cyber space can seem almost limitless, these adversaries are typically operating as 1 of 4 types. Each type has different goals, motivations, and resources, and while individuals can operate as different types at different times, this typology is useful for thinking about how to counter the activities of a specific type. Terrorists.--Many terrorist groups make extensive use of cyber space for recruiting and communication, but fortunately very few are able to undertake disruptive or destructive actions. However, these groups almost certainly have aspirations to conduct visible, spectacular attacks and if a nation-state decides that it is in their interest to train and equip a terrorist group, the result could be a destructive attack. Hacktivists.--This type of actor has decreased in importance over the last few years, but they can still cause problems. Their motivation is primarily to gain attention for their cause or embarrass their opponents. While they might be OK with harming a ``corporation'' or a Government agency, they generally are not interested in causing wide- spread, permanent harm. Criminals.--These actors are by far the most prevalent in cyber space. The motivation for these actors is simple: Money. They can be quite innovative and creative, but money is the driver. They are unlikely to spend time and resources trying to gain access to just one target; if their first few attempts fail, they will move on to the next target, just like in the physical world. Nation-states.--These actors are pursuing their National security or foreign policy interests through cyber actions. Such interests can include espionage, influence operations, theft of intellectual property and trade secrets, deterrence, low-grade conflict and disruption, or destruction. While some nation-states have less technical capability than some high-end criminal groups, nation-states generally have discipline, patience, personnel, and complementary capability (such as dedicated intelligence agencies) to bring to bear. long-term goals Given these trends and malicious actors, the U.S. Government should pursue 3 long-term goals to counter the cyber threats we face. It should seek to raise the level of cybersecurity and resilience across our digital ecosystem; disrupt adversaries at a faster pace and larger scale; and respond more effectively to cyber incidents when they occur. Raise the level of cybersecurity across the ecosystem.--Despite a growing recognition that cyber threats affect everyone, many organizations still have not implemented basic cybersecurity measures, such as two-factor authentication, and very few have reached a high level of maturity, even those that manage or perform critical National functions. They also have not developed sufficient resilience to cyber incidents. Given this situation, the Federal Government should aim to improve cybersecurity and resilience across the board. Setting such a goal does not require the Government to treat all organizations the same or not prioritize some functions over others; in fact, achieving this goal requires such prioritization. However, given the interconnected and interdependent nature of cyber space, the goal should be that all organizations reach a level of cybersecurity commensurate with their size, industry, and overall function. Disrupt adversaries at scale.--Since we cannot rely on defense alone, the U.S. Government also needs to increase the pace and scale of its disruption efforts, whether against nation-states, criminals, hacktivists, or terrorists. Disruption should involve all the elements of National power, including diplomatic, economic, law-enforcement, cyber-technical, military, and intelligence tools. It will also require working with private-sector cybersecurity providers and collaborating internationally. While we have made significant progress in these activities over the last decade, we need to impose greater costs on our adversaries. Respond more effectively to incidents.--No matter how much we improve our defense and offense, our adversaries will sometimes achieve their goals. They will succeed in stealing information or money, causing disruption, or holding a critical function at risk. To deal with those situations, the Federal Government needs to be able to deal with such incidents rapidly and efficiently, enabling private-sector owners and operators to restore functionality expeditiously. The U.S. Government could achieve these goals in different ways; indeed, whole books have been written on specific aspects of these 3 goals. However, based on my experience both in and out of Government, employing the following principles will increase the chance of success: 1. Focus on comparative advantage.--The Federal Government should not try to replicate the technical capabilities available in the private sector. The technical information available to the cybersecurity industry is extensive, and the Government is unlikely to have technical information the private sector does not. However, the Federal Government does have unique information in the form of attribution, context, and a strategic view point. It also has a comparative advantage in funding basic R&D into cybersecurity, such as how to reduce the exploitable error rate in computer code. While some private-sector entities can disrupt adversaries using a variety of means (such as Microsoft's legal actions), the Federal Government can impose costs on adversaries in ways that the private cannot and should not: Public attribution, law enforcement actions, economic sanctions, diplomatic actions, and other means. Focusing on each sector's comparative advantage will enable the collective whole to be greater than the sum of the parts. 2. Incentivize good cybersecurity behavior.--While at times the Government may need to compel certain actions, the Federal Government should increase the incentives for organizations to implement better cybersecurity: Strategic use of existing regulations.--The Federal Government should ensure that existing regulations promote good cybersecurity behavior, not inhibit it. Most of the time, new regulation is not required; instead, agencies should focus on implementing regulations that are already on the books. Support and encourage the use of best practices.--The Federal Government can be a neutral, reliable party in identifying good cybersecurity practices. Two good examples are the National Institute of Standards and Technology's Cybersecurity Framework and the Software Bill of Materials initiative. Drive industries to set standards of care.--Establishing the generally-accepted level of cybersecurity for organizations within a given industry would have a dramatic impact across the ecosystem. It would remove considerable uncertainty and enable businesses to plan investments. It would address concerns about liability and reduce barriers to collaboration and information sharing. Increase publicly-available information.--The Government can facilitate disclosure of information that can help customers, clients, shareholders, and other relevant parties take appropriate defensive actions, better assess risk, and advocate for improved security. Examples of such requirements could include data breach reporting, information about material cybersecurity risks on financial statements, and public acknowledgements about how a publicly-traded company is assessing and managing its cyber risk, particularly at the board of directors' level. Such disclosures do not assist criminals or other bad actors--they already know where the weaknesses are; instead, these requirements allow market forces to operate more efficiently. These requirements should be standardized as much as possible at the National level and harmonized at the international level to the extent possible, to reduce burdens on companies and simplify reporting for consumers. 3. Reinforce stability in cyber space.--Governments should strive to make cyber space a stable, reliable environment in which to conduct business. Some key tools include: Transparency.--The U.S. Government should set the standard for transparency about its offensive cyber capabilities. Not in terms of details about tradecraft or tactics, techniques, or procedures, any more than we are transparent about the technical specifications for military weapon systems. However, we are quite open about the fact that we have attack fighters, submarines, and tanks. We should apply a similar approach to our use of offensive cyber. For example, we should continue to evolve our doctrine, being clear about how and when we would use cyber capabilities as a tool of National power. We should also be transparent about the fact of offensive cyber capabilities, just as we are open about our kinetic capabilities. International norms of behavior.--Norms can put certain activities ``out of bounds.'' Not all nations will adhere to all the norms all of the time, but norms can help constrain behavior. Of course, we must adhere to the norms we promote--we cannot be ``do as we say, not as we do'' country. The United States has been effective in this area over the last decade, and we should continue to build on that success. Confidence-building measures.--Adapting these approaches from arms control and conflict resolution field has promise to reduce the risk of escalation due to accidents or unintended consequences. Coalitions of the willing.--Given the divergent views among nations regarding cyber space, privacy, and other issues, gaining global consensus on most topics is unlikely. However, this inability to reach consensus should not prevent the United States from assembling coalitions of the willing. Such groups will be far more effective than trying to go it alone or letting the perfect be the enemy of the good. 4. Increase resilience.--If we increase our ability to weather cyber attacks and maintain operations, then the value to our adversaries of conducting attacks decreases. Resilience also enables U.S. leaders to worry less about pre-empting foreign threats and escalating responses. 5. Increase operational collaboration between the public and private sectors.--Unlike in the physical realm, governments do not have a monopoly on cyber ``force,'' and they are not likely to obtain such dominance any time soon. Therefore, the most effective action in cyber space will involve public and private-sector actors working together. Such collaboration goes beyond information sharing to synchronizing activity and it already occurs in certain circumstances. However, we need to vastly expand the scope and scale of these collaborative activities if we want to have a meaningful impact on our adversaries. federal government organization Given the seriousness of the threats and the broad nature of the long-term goals I have outlined, reviewing the Federal Government's structure, agency roles and missions, and coordination capabilities makes sense. However, traditional policy solutions usually do not work for cybersecurity due to 4 unusual aspects about the issue. Cybersecurity is inherently interagency Bureaucracies prefer issues that fit neatly into one organization's mission. Cybersecurity is almost the exact opposite. It is a National security, military, intelligence, economic, public safety, privacy, diplomatic, law enforcement, business continuity, and internal management issue all rolled into one. It touches every Federal department and agency, and many Federal organizations have a legitimate, necessary role in cybersecurity. Thus, cybersecurity far exceeds any current agency's remit. Trying to stuff the whole issue inside one existing department or agency will fail. Creating a ``Department of Cybersecurity,'' will not work either-- in fact, it would be a disaster. Cybersecurity is too integral to too many agencies' missions to centralize those functions in one department. We cannot remove cyber investigations from the FBI, oversight of financial service companies' cybersecurity from Treasury, incident response from DHS, and offensive cyber operations from the Department of Defense and consolidate them inside one department. FBI, Treasury, DHS, and DOD would end up recreating those functions to support their core missions. We would end up with even more complexity. At the same time, cybersecurity's different aspects are not independent--they interact with each other constantly, sometimes in unexpected ways. Military cyber operations can disrupt intelligence activities or law enforcement investigations. Treasury sanctions could upset diplomatic negotiations. DHS's focus on mitigation could hinder DOJ's ability to prosecute a cyber crime--or vice versa. Network defenders want information from the private sector, but many in the private sector are worried about regulatory action if they share. As a result, we can employ neither of the standard government approaches to emergent issues--make it one agency's mission or create mutually-exclusive agency siloes for different aspects of the problem. Instead, we must weld these disparate activities together into a single whole through regular, intense, sustained interagency coordination. Such coordination does not occur naturally in any government or large bureaucracy: Personnel have limited incentives to coordinate activities across departmental and agency lines. That is not a moral failure or laziness, but a reality of human psychology. Instead, we must account for this facet of human nature and design our systems accordingly. Inherently intergovernmental Cybersecurity also affects governments at all levels, from municipalities to counties to State governments. It does not exclusively belong to the Federal Government. As cybersecurity has become a more pressing issue for organizations of all kinds and the threat of disruptive or destructive activity has grown, the need to incorporate State, local, territorial, and Tribal governments into our cybersecurity activities has grown. For example, State, local, territorial, and Tribal (SLTT) governments play a crucial role in a critical National function, elections. As a matter of democratic principle, we want to maintain SLTT control over elections; on the other hand, expecting an SLTT organization to defend itself against the Russians or Chinese without Federal help is foolish. Therefore, we need to enable the Federal Government to collaborate more effectively with SLTT entities. In particular, the Federal Government will likely need to allocate additional resources to improving SLTT cybersecurity. However, we cannot make cybersecurity exclusively a Federal or SLTT issue. Inherently international Cyber threats cross international boundaries quite fluidly. During my time at the White House, virtually no issue was exclusively domestic. If nothing else, much of the cyber crime that afflicts U.S. citizens and businesses has an international connection. On the flip side, what we do domestically has implications abroad. Therefore, countering the threats we face requires significant international collaboration and cooperation. Further, the international cyber environment is very complex, with many overlapping and intertwined issues. Internationally, cybersecurity involves diplomatic relations, law enforcement cooperation, financial interactions, trade issues, intelligence collaboration, and military operations, not to mention technology and competitiveness concerns. Trying to confine cybersecurity to a specific channel or type of interaction will not work. Inherently public and private Finally, cybersecurity forces the Government and the private sector into a different kind of relationship. Traditionally, the Government is either a regulator or a customer for the private sector. While the Government does have those relationships in cybersecurity, the Government and private sector can have a third type of relationship in this area, that of partner or peer. This peer relationship stems from the fact that the private sector owns and operates vast majority of cyber space, has equivalent (or better) technical insight and capability, and can take action that affects much of cyber space without the Government. This type of peer relationship is relatively new and we do not have the necessary laws, policy, procedures, or even vocabulary to fully manage it, other than the overused public-private partnership term. Thus, we need to fully develop the laws, policies, and procedures to govern this type of interaction, so that the relationships remain aligned with our overall sense of equity and appropriate roles for Government versus the private sector. federal agency cybersecurity In December, several private-sector companies identified malicious activity that enabled the Federal Government to unravel an incredibly broad cyber-enabled espionage campaign. This intrusion effectively gave the Russian government unfettered access to numerous unclassified U.S. Government networks for over 9 months. It is difficult to overstate the intelligence value the Russians gained from this access or the likely damage to our National security. That said, based on the publicly- available information, the activity associated with this intrusion appears to consist of espionage, something in which all States engage. As a result, although extremely damaging to our National security, this intrusion is not an ``attack.'' The fact that the intrusion does not constitute an attack necessarily constrains the U.S. response. ``Constrain'' does not mean ``prohibit.'' We should respond forcefully to this intrusion through diplomatic channels, such as by expelling Russian diplomats or exacting a cost in other venues. We should also signal that if the incident turns out to involve activities other than espionage, the United States reserves the right to escalate accordingly. But we should carefully calibrate our response with the knowledge that the United States also conducts cyber-enabled espionage. Regardless of the U.S. response, the intrusion revealed some on- going weaknesses in Federal cybersecurity structure, practices, and funding. While the 2021 National Defense Authorization Act included several provisions that directly address some of these weaknesses (for example, authorizing CISA to conduct threat hunting across Federal civilian agencies), the Federal Government still needs to aggressively reduce its cyber risk. First, it needs to continue consolidating cybersecurity services within a smaller number of agencies; just as with payroll services, only a small number of agencies should provide cybersecurity services to most Federal agencies. Second, Congress needs to enable agencies to retire their legacy IT systems at a much faster rate. Replacing legacy systems would reduce cyber risk, improve productivity, and enhance service delivery. The $9 billion for cybersecurity originally proposed in the Biden administration's American Rescue Plan would help achieve this goal, especially resources allocated to the Technology Modernization Fund. what we can expect from private-sector companies This topic is sensitive one. On the one hand, we do not want to re- victimize organizations that have suffered an intrusion, theft, disruption, or destructive attack; moreover, since no organization can prevent all intrusions all of the time, just because a company experiences a breach does not mean it has failed--it might have really excellent cybersecurity. On the other hand, companies have a responsibility to protect customer data or access to other organizations, which means implementing at least some cybersecurity measures, so it is also possible for a company to be negligent in this regard. The question lies in distinguishing which situation a company is in. Threading this needle is one of the key policy challenges for the United States right now. The solution lies in establishing standards of care for cybersecurity. These standards should vary, depending on factors such as size, industry, function, geography, etc. Standards of care exist in many industries for areas such as safety; sometimes the standards are entirely industry-driven and sometimes they backed up by regulation. These standards should not be static checklists and will need to be flexible enough to evolve as technologies and threats change. Despite developing and implementing standards of care, the resulting improvements to cybersecurity will still be insufficient to thwart dedicated nation-state intruders. In fact, no amount of cybersecurity investment will prevent a determined nation-state from gaining access all of the time. Therefore, we should not expect individual companies to defend themselves against highly-capable nation-states, such as Russia or China, by themselves. The Federal Government should be able to quickly come to the aid of an organization facing a nation-state threat, whether at the request of the targeted organization or based on its own knowledge. how to think about cybersecurity in the long-term This testimony has identified multiple challenges for improving cybersecurity in the United States. While cybersecurity may seem like an impossible task, the truth is that we can improve our cyber defenses. The answer is not purely technological, although technology is certainly required. The primary change we need to make is in our mindset. We need to change how we think about cybersecurity in several ways: Adopt a risk management approach.--Cyber threats are risks to be managed, not problems to be solved. We will never eliminate cyber threats entirely, nor will we reach a point of 100 percent security. Therefore, we need to think in terms of risk management. Just as a company can never eliminate the risk of bad weather disrupting operations, we need to treat cyber threats as a long-term risk management problem. Use more than technology to counter the threat.--Managing cyber risk effectively involves more than just employing technical solutions. Technology is necessary but insufficient for addressing cyber threats. Instead, we need to bring economic, psychological, organizational, process, policy, and legal tools to bear on the problem. Only by combining all these tools can organizations manage their cyber risk effectively. Prevent adversaries from achieving their goals.--If we think about cybersecurity from a ``castle and moat'' perspective, we will invariably fail. No organization can prevent all adversaries from gaining access to its networks all the time. Instead, if we think of cybersecurity as preventing the adversary from achieving their goals, then we get many more opportunities for success. If we define success as preventing the adversary from achieving their goal at any point along the way, then instead of defenders having to be ``right'' 100 percent of the time, the adversary has to make zero mistakes at every step. That mindset provides many more opportunities to thwart the adversary than the old castle-and-moat approach. Recognize that cyber space is not a global commons.--One key barrier to thinking about cybersecurity effectively is that because we cannot ``see'' cyber space directly, it feels divorced from the physical world. As a result, we often act as if cyber space is an amorphous domain that resembles the oceans or the atmosphere. In turn, this view leads us to act as if cyber space has large unclaimed, ``international'' zones equivalent to international waters or air space. But cyber space is intimately tied to territory. It exists due to computers, servers, and other devices that are all owned by a person or organization and residing on someone's territory. This recognition has significant implications for how we should view cyber operations in the international context, and the rules under which we want to conduct them. I want to be clear that in adopting a view that cyber space is tied to territory does not mean the United States has to accede to the Russian and Chinese governments' view that the state should completely dominate cyber space, controlling everything from access to content. This conceptual approach should, however, shape how the U.S. Government and other aligned nations act and operate in cyber space. conclusion Based on this testimony, many people might conclude that I am a pessimist when it comes to cybersecurity. It is easy to be overwhelmed by the volume of malicious activity and become fatalistic about cybersecurity threats. However, I reject such fatalism. While we will never eliminate cyber threats entirely as long as we live in a digital world, we can improve our cyber defenses and resilience, disrupt our adversaries, and respond to events when they occur. If we achieve these goals, then we can continue to reap the benefits and minimize the cost of an increasingly connected world. Fundamentally, cyber space is a human-created domain and that means humans can choose to make it safer. Thank you. Chairman Thompson. Thank you very much for your testimony. I now ask Mr. Alperovitch to summarize his statement for 5 minutes. I apologize if I butchered your name, but I did the best I could. STATEMENT OF DMITRI ALPEROVITCH, EXECUTIVE CHAIRMAN, SILVERADO POLICY ACCELERATOR Mr. Alperovitch. Thank you, Mr. Chairman. Chairman Thompson, Ranking Member Katko, distinguished Members of the committee, thank you for inviting me to testify today. I have spanned my 25-year career working in the cybersecurity industry, including as co-founder of CrowdStrike, now the world's largest cybersecurity firm. Now, as the founder of Silverado Policy Accelerator, a new bipartisan public policy organization focused on National security, foreign policy, and cybersecurity, I am exploring new ways to work with policy makers to strengthen our approach to the challenges that threaten American prosperity and National security. Almost half a decade ago, I coined the phrase that we do not have a cyber problem; we have a China, Russia, Iran, and North Korea problem. These countries are the 4 primary adversaries whose malignant activity we try to counter in cyber space on a daily basis, just as we do in the physical world. It is also no coincidence that some of the most sophisticated cyber criminal groups in the world operate with impunity from the safety of these very same countries. The latest supply chain attack, sometimes called the SolarWinds hack, already the most impactful in our history, has drawn attention to serious gaps in the U.S. cyber strategy. However, we now know that SolarWinds was only one of the many supply chain vectors used by the adversary and perhaps not even the largest one. As a result, I, along with other cybersecurity professionals, have begun referring to this hack as the ``Holiday Bear'' operation to indicate how wide-spread this activity truly is. This event highlights the need for a broader paradigm shift in our approach to cyber strategy. Both private and Government organizations should adopt what we in the cybersecurity industry call an ``assumption of breach'' mindset, where defenders actively hunt on their networks for any presence of an adversary, believing that they are already there. The only safe assumption in cyber is that networks are never safe. This approach to cybersecurity is not fundamentally different from what we do in the physical world, where we expect that foreign spies are already in our Government and have counterintelligence teams to identify them and mitigate the damage that they can do to our National security. We need to adopt the very same strategy in cyber space. Mr. Chairman and Ranking Member Katko, I have 5 specific recommendations for this committee that can move us forward toward this paradigm shift. No. 1, Congress should take steps to set CISA on a path to becoming the operational CISO, or chief informational security officer, of the civilian Federal Government. CISA should have the operational responsibility for defending civilian government networks, just as Cyber Command does for DOD networks. Congress could create incentives for Federal agencies to outsource their cybersecurity operations through CISA, such as exemptions for agency heads from FISMA compliance, and turn that responsibility over to CISA. No. 2, Congress should make agencies adopt speed-based metrics to measure their response to cyber threats. Under an assumption-of-breach approach, the question is not, can we prevent an initial compromise? The much better question is, how long does it take us to find an adversary on the network and eject them? In the private sector, I developed what I called the ``1- 10-60 rule'' to measure response times to perceived threats. One, detect an intrusion on average within 1 minute, investigate it within 10 minutes, and isolate and remediate the problem within 1 hour--1-10-60. Through legislation, Congress could require agencies to adopt speed-based metrics by mandating that they collect data on the average time it takes to perform these fundamental defensive actions and to report them to CISA, OMB, and the relevant oversight committees. No. 3, Congress should pass a comprehensive breach notification law to require certain companies to report technical indicators associated with breach attempts to CISA even when no personal information is actually compromised. No. 4, Congress should take steps to increase security standards for vendors supplying high-risk software via Government acquisition processes. Congress should compel all Government vendors of high-risk software to undergo annual independent third-party audits of their source code and conduct penetration exercises of their networks. Agencies should be provided the results of these on-going audits as part of their procurement process, increasing transparency and incentivizing companies to quickly patch vulnerabilities in their networks or source code. Finally, Congress should target the business model of ransomware criminals with stricter know-your-customer, or KYC, rules in cryptocurrency payment systems. Ransomware criminals rely on cryptocurrency, such as Bitcoin, to anonymously collect hundreds of millions of dollars in ransom payments. Congress should evaluate how stronger KYC requirements can be used to effectively stem ransomware threats and support Treasury Department action that achieves these objectives. Thank you for inviting me to testify before you here today. Silverado is committed to being a long-term partner and resource for this committee. I look forward to your questions. [The prepared statement of Mr. Alperovitch follows:] Prepared Statement of Dmitri Alperovitch February 10, 2021 Chairman Thompson, Ranking Member Katko, Members of the Committee: Thank you for inviting me to testify at today's hearing on cybersecurity. This is the policy arena I have spent my 25-year career in the technology industry exploring as a senior executive working with and advising some of the largest private-sector companies and most sensitive Government agencies in the country. Now, as the founder of the Silverado Policy Accelerator, a new bipartisan public policy organization focused on National security, foreign policy, and cybersecurity, I am looking at ways to build upon my experience in the private sector to work with policy makers and strengthen our approach to new challenges that threaten our critical infrastructure and the backbone of our economy. Most recently as the co-founder and chief technology officer of CrowdStrike, which I helped to grow from an idea into the world's largest cybersecurity firm, I witnessed the complexity and scope of the challenges that the U.S. Government and businesses face in the cyber domain. Our adversaries in cyber space are sophisticated and numerous, ranging from global criminal groups conducting ransomware attacks and stealing financial and personal data, to nation-states executing complex espionage campaigns, stealing intellectual property, and launching highly destructive and disruptive attacks. Throughout my years at CrowdStrike, I saw first-hand that cybersecurity represents a growing part of a broader geopolitical struggle between the United States and its adversaries and competitors. This inspired my decision to retire from CrowdStrike last February to launch Silverado to advance American prosperity and global competitiveness in a new era of great power competition. Silverado will use a venture capital approach to accelerate bipartisan policy solutions to pressing challenges in critical areas of economic, strategic, and technological competition. We are set to officially launch next week, and I hope this will just be the first of many occasions for Silverado to engage with this committee to support your important work for the Nation. As the United States enters a new era of competition, on battlefields old and new, modernizing and further resourcing America's cyber strategy is a necessary precondition for achieving any number of other critical Government objectives. In my testimony today, I will outline a conceptual framework for understanding cybersecurity. I offer 5 recommendations that I believe will meaningfully improve our ability to anticipate and prevent cyber threats and fortify our cyber defenses, building on the recommendations and critical work undertaken by the Cyberspace Solarium Commission: 1. Providing the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. Department of Homeland Security with the authorities and resources to one day become an operational Federal CISO, or chief information security officer, for the civilian Federal Government; 2. Adopting speed-based metrics to measure agencies' response to cyber threats; 3. Passing a comprehensive Federal breach notification law; 4. Increasing security standards for vendors supplying high-risk software through Government acquisition processes; and 5. Targeting the business model of ransomware criminals with mandatory ``Know Your Customers'' rules in cryptocurrency payment systems. threat landscape Almost half a decade ago, I coined the phrase: ``We do not have a cyber problem, we have a China, Russia, Iran, and North Korea problem.'' Cyber space is not a separate virtual world, immune from the forces that shape the broader geopolitical landscape. Instead, it is an extension of that landscape, and the threats we face in cyber space are not fundamentally different from the threats we face in the non-cyber realm. China, Russia, Iran, and North Korea are the 4 primary strategic adversaries whose malignant activities in cyber space we try to counter on a daily basis, as we do their more traditional tactics in the physical world. Oftentimes, these battle lines extend to non-state actors, such as the most well-organized cyber criminals. These actors inflict enormous damage on our economy by launching ransomware attacks and stealing financial data from our businesses and citizens, and it is no coincidence that they operate with impunity from the safety of their homes in these very same countries. These countries conduct a variety of cyber operations against us on a daily basis, ranging from cyber-enabled espionage against our Government to the theft of intellectual property from our companies to destructive attacks that shutdown business operations to the interference in the foundation of our democracy: Our elections. The challenges we face were highlighted just over a month ago, in December 2020, when we learned that multiple customers of SolarWinds, a network management company, had been compromised by a sophisticated supply chain attack by a nation-state adversary believed to be affiliated with one of Russia's intelligence services. The latest supply chain attack has drawn attention to serious gaps in the U.S. cybersecurity strategy. As a threshold matter, I believe that it is misleading to refer to this most recent breach as ``the SolarWinds hack.'' Although SolarWinds was a prominent attack vector that received early attention in the press, we now know that it was only one of many supply chain vectors that the adversary used to gain access to private networks. Because investigations into the scope of the attack are still on-going, we cannot even say with confidence that SolarWinds was one of the largest or most significant vectors. Continuing to refer to the breach as ``the SolarWinds attack'' distracts from the reality that the breach went far, far beyond a single company. As a result, I, along with other security practitioners, have begun referring to this hack as the ``Holiday Bear'' operation. Additionally, as we have learned more about the breach over the past 2 months, I've come to believe that it is also misleading to refer to this incident as a singular attack, or even as a coordinated campaign with a defined end date. Simply put, the sort of sophisticated, long-term cyber-espionage enabled by supply chain vulnerabilities that came to light through this breach is not a discrete or self-contained occurrence; it is the new normal. It is clear to me that the Russians have learned from their past operations. Throughout 2014-2015, SVR, the Russian foreign intelligence agency believed to be responsible for this most recent activity, launched a broad campaign which gave them access to the networks of the White House, the Joint Chiefs of Staff and the State Department, among others. The success, however, was short-lived, as U.S. defenders quickly detected the noisy campaign and ejected the adversary within weeks. I believe that those original mistakes led the SVR to reevaluate how they conduct new cyber operations and focus on compromising software supply chains in order to gain access to target networks in a much stealthier fashion and to remain in them for weeks, if not years. In some ways, this tradecraft is the cyber equivalent of the Russian illegals program, long practiced in human espionage operations: An extremely patient and long-term effort to gain maximum access to high- value U.S. targets. Since the 1930's, Russia has been sending covert sleeper operatives into our countries under non-official cover to live and work amongst Americans and over years get close to powerful officials in order to steal our secrets. Unlike the illegals program, however, supply chain-based cyber intrusions are much easier and cheaper to scale to hundreds of high-profile victims, all without putting their human intelligence officers at risk. I believe that this is the Russians' new way of doing business in cyber operations, and I suspect we will continue to see this new approach for years to come. We have also seen China's intelligence services leverage supply chain attacks in the past, and we can expect them to incorporate valuable lessons from this latest Russian action into their own operations. recommendations This Holiday Bear operation further highlights the need for a broader paradigm shift in both the private sector's and the Government's approach to cyber strategy. Across the board, organizations should adopt what we in the cybersecurity industry call an ``assumption of breach'' approach, where defenders operate on the basis that an adversary has already gained access to their sensitive networks. The premise is simple: No cyberdefense system is 100-percent effective at preventing breaches; Even with the best training, human error will inevitably foil the smartest defense strategies; and Adversaries are constantly adapting to existing defense mechanisms and designing new ways to circumvent them without being detected. The only safe assumption in the cyber battlespace is to assume that networks are never safe. The assumption of breach approach is the only appropriate paradigm to govern cybersecurity strategy in this new era of great power competition. Our competitors in this contest are highly sophisticated, well-resourced nation-state actors. We underestimate their capabilities at our own peril. Incidentally, this is not any different from the approach we already take in the physical world. As a matter of practice, we assume that at any given moment there are people inside our sensitive Government agencies who have been recruited by foreign intelligence services. Our counterintelligence approach is not merely focused on preventing such recruitment. Instead, we explicitly undertake significant efforts to identify spies and limit the damage they may be able to do to our National security. We need to adopt this same approach in cyber space. This shift in strategic paradigm necessitates a shift in practice. This committee should be commended for its strong leadership in pushing for new and significant resources to support the Federal Government's cyber strategy, most notably by creating CISA in 2018 and strengthening CISA's authorities under the fiscal year 2021 National Defense Authorization Act (NDAA). But, more needs to happen to capitalize on this momentum and deepen these commitments, and in particular, I have 5 recommendations for this committee's consideration: 1. Congress should take steps to set CISA on a path to becoming the operational CISO, or chief information security officer, of the civilian Federal Government.--The majority of the 137 Executive agencies lack the personnel, the knowhow, and the resources to execute a comprehensive cybersecurity strategy. Congress took an important step toward centralizing Federal cybersecurity strategy by creating CISA in DHS in 2018, but the next step is to give CISA both the authority and the resources that it needs to effectively execute its mission. Ultimately, CISA should have the operational responsibility for defending civilian government networks, just as Cyber Command does for DoD networks. The recent NDAA, which vested CISA with the authority to hunt on agencies' networks without the explicit permission of those agencies, was a critical move in that direction. CISA will now need additional funding to build a 24/7 threat hunting operations center to fulfill the requirements of that mission. Another important step would be to create incentives for Federal agencies to outsource their cybersecurity operations to CISA, turning it into a cybersecurity Shared Service Provider. Such incentives may include exceptions for agency heads from FISMA compliance and turning that responsibility over to CISA, if it is actually being given the authority to secure that agency's network. 2. Congress should make agencies adopt speed-based metrics to measure their response to cyber threats.--In cyber space, the only way to reliably defeat an adversary is to be faster than they are. Under an assumption of breach approach, the question is not, ``Can we prevent an initial compromise?'' The much better question is, ``How long does it take us to find and eject them?'' Central to detecting adversaries is the speed with which they leverage the initial resource they have established as their beachhead within the network, move laterally across the environment, and gain access to other sensitive resources. Once adversaries are able to do that, what would have been a minor security event turns into a full breach that requires a lengthy and complex incident response process and that puts defenders' data and operations at risk. Stop the adversary quickly, and you have prevented them from accomplishing their objectives. With this in mind, Congress should require Federal agencies to adopt speed-metrics that evaluate agencies' response to cyber threats based on the time it takes to begin and complete fundamental defensive tasks. In the private sector, I developed what I called the ``1-10-60 rule'' to measure response times to perceived threats: Detect an intrusion on average within 1 minute, investigate it within 10 minutes, and isolate or remediate the problem within 1 hour. Through legislation, Congress could require agencies to adopt speed-based metrics by mandating that they collect data on the average time it takes to perform 4 fundamental defensive actions: (1) Detecting an incident; (2) investigating an incident; (3) responding to an incident; and (4) fully mitigating the risk of high-impact vulnerabilities. Over time, these metrics would provide objective and diachronic measurement of an agencies' threat response capabilities that they could report to CISA, OMB, and the relevant oversight committees in Congress. If the metrics prove effective in decreasing agencies' response time to cyber threats, Congress should also consider models to extend their adoption by the private sector. 3. Congress should pass a comprehensive breach notification law.-- Such a law would require major private companies, such as those in critical infrastructure, to report technical indicators associated with breach attempts to CISA, including for breaches where no personal information is actually compromised. If there is a single overriding lesson from the recent supply chain attacks, it is that the information sharing between Government and industry remains a serious challenge. Some victims have shared very little information about what took place inside their networks; others have not even publicly acknowledged that they were targeted. At present, there is no comprehensive Federal breach notification law, and State-level laws are too decentralized, too focused on personal information instead of risk to systemically important critical infrastructure, and sometimes create a perverse incentive for companies not to investigate attacks. In the case of complex supply chain attacks like ``Holiday Bear,'' one company's failure to publicly report a breach can have wide-reaching implications. For example, if cybersecurity company FireEye had not voluntarily and publicly shared evidence of their own compromise and that SolarWinds was the attack vector, the public and the Government may not have known about this highly impactful attack for many months to come. Yet, FireEye had no legal obligation to report this breach under existing law. They should be praised for their courageous decision, but unfortunately, not all other victims have followed their lead in transparency. 4. Congress should take steps to increase security standards for vendors supplying high-risk software via Government acquisition processes.--Government agencies and private-sector businesses currently rely on a number of companies such as SolarWinds whose software runs with high levels of privilege on their networks. Yet these agencies and businesses have little to no sense of the security levels of that software. Borrowing from a widely-used private-sector practice, Congress should compel these vendors to undergo annual, independent third-party audits of their source code and penetration exercises of their networks. The Government could require that companies provide the results of these stress tests as part of the Federal procurement process, or even require companies to publish the results of those audits publicly on their website. Not only would this process increase transparency for their customers, but it would also incentivize companies to quickly and efficiently patch vulnerabilities in their networks or source code and get a clean bill of health, as no one would want to publish a failed audit. 5. Congress should support stricter ``Know Your Customer'' (KYC) requirements for world-wide cryptocurrency exchanges to target the business model of ransomware criminals.--Dangerous ransomware attacks pose an existential threat to critical infrastructure and many small and medium businesses in this country. For example, criminal attacks on hospital systems--a favorite target of ransomware attacks--put the lives of American citizens in danger, especially during the pandemic, when hospital beds are already in short supply. Ransomware criminals rely on widely available and largely anonymous cryptocurrency, such as Bitcoin, to collect hundreds of millions of dollars in ransom payments without risk of disclosing their identities to victims or law enforcement. It is no coincidence that the explosion of ransomware attacks occurred only after the invention of cryptocurrency platforms, which are the oxygen that fuels the fire of these criminal operations. And while it remains very difficult to purchase goods and services, such as real-estate, cars, and other luxury items that these criminals may want, with cryptocurrency, it is currently easy to anonymously use cryptocurrency exchanges to convert ransom payments into reserve currency like dollars or euros. The bottom line is that we need stronger tools to undermine the ability of criminals and nation-states to use cryptocurrency to receive and convert ransom payments and purchase illicit goods. The international community has already taken some steps to strengthen KYC requirements. In June 2019, the intergovernmental Financial Action Task Force (FATC) issued guidance recommending that virtual asset service providers, including crypto exchanges, share information about their customers with one another when transferring funds between firms. In December 2020, the U.S. Treasury Department published an advance notice of proposed rulemaking that would require cryptocurrency exchanges to perform and store KYC information on their customers, just like we require banks and other players in the global financial system to do. If designed and implemented properly, these types of tools can starve ransomware threat actors of the oxygen they need to operate. Congress should undertake an evaluation of how stronger KYC requirements and other safeguards can be used to effectively stem ransomware threats and then propose legislation and support agency action that achieves those objectives. conclusion I am grateful for this committee's leadership on cybersecurity issues, and I believe that these recommendations would further advance America's defense by bringing its cybersecurity strategy in line with an assumption of breach approach. As the recent supply chain breach has made abundantly clear, we cannot afford to delay these actions any longer. Every day we fail to act on them is another day that we leave the American government and our people vulnerable to cyber attacks, intellectual property theft, and espionage. These new steps would also serve to preserve America's competitiveness in this new era of competition between the United States and its adversaries. This contest has reached an inflection point: The nations that present bold, long-term strategies to advance their economic, technological, and strategic interests will shape the future for decades to come, and the Nations that fail to act will fall behind. Modernizing America's cyber strategy is a linchpin that makes all other efforts to ensure continued American leadership possible. Thank you for inviting me to testify before you here today. Silverado is committed to being a long-term partner and resource for this committee in our shared missions to address these critical challenges facing our Nation. I look forward to your questions. Chairman Thompson. I thank the witness for his testimony. I remind each Member that he or she will have 5 minutes to question the witnesses. I now recognize myself for questions. This is based on the order of the witnesses' presentation. All of us are Members of Congress, and although our last witness did a masterful job at the 5 suggestions, I would like to hear from the other 3 witnesses: What do you see as the role of the Federal Government in protecting cyber space from intrusion? I will start off with Mr. Krebs. Mr. Krebs. Yes, sir. Thank you for that question. So there are obviously a range of different authorities within the Federal Government. I would start with the Department of Defense. They have the ability through Cyber Command and the persistent engagement/defend forward philosophy to go out there and figure out what the bad guys are doing and stop them, ideally, so to speak, catch the arrow before it gets here. There are some side benefits of that, where they can identify targeting lists, like they did in Ukraine and elsewhere, against their elections, that we could bring that back and help inform domestic elections. You have the intelligence community that also tries to figure out what the incentives are, what the targets are, where the adversary is going, and provide that information to defenders so that they can protect their systems. The law enforcement community has the ability to go out overseas, work with foreign partners, disrupt both state-actor and non-state- actor activities through indictments and other legal actions. Then, finally, you bring it back home to the domestic civilian agencies that need to broadly work with the private sector, State and local governments, and the Federal Government to help raise awareness, drive smart investment in cybersecurity solutions, and, overall, you know, as you have mentioned in your opening statement, increase the baseline of security. There is no single approach, though. It does take a team effort of disrupting the adversary, getting inside their head, knowing our risks, and then closing out our risks as aggressively as we can. Chairman Thompson. Thank you. Ms. Gordon. Ms. Gordon. I will give you 3, one that Chris touched on, and that is, you can't find a single agency that has all the responsibility. I actually think CISA's blueprint of attacking election security, to participate with law enforcement, intelligence, and go all the way from the Federal to the State to the local, is a really good model that needs to be codified. Importantly, you ought to look at the authorities to make sure that that joint participation in sharing is easy to effect and that there is someone who's got the con but not all the authority. No. 2, after the stock market crash in 1929, you saw the rise of the SEC shared responsibility and the introduction of generally accepted accounting principles. They did that because they recognized what was happening in private companies, in public companies, affected our Nation's security. In 2021, is it time for us to consider a bipartisan Government and private- sector approach to looking at generally accepted security principles? It just isn't satisfying to me that it is up to people's choice of basic-level security, particularly if it is a publicly-traded company and particularly if it is a Government organization. So I think we ought to look at something like that. The last is, I think in this interconnected world, where the boundaries that we created in the past that were physical between Government and private sector, Federal and State and local have just been obliterated, we are in a place now where the threat surface is disproportionately not in Governmental control. We almost have to change the incentive structure in terms of who is responsible and who is supporting. So I think what you could do is create incentives both for private companies who accept responsibility to get some benefit, and the Government has an obligation to share more of its information more usefully. Thank you. Chairman Thompson. Thank you very much. Mr. Daniel. Mr. Daniel. Thank you, Mr. Chairman. I would identify 4 roles for the Federal Government. One is enabler. It should be enabling other elements in the economy, other levels of government, to do a better job at their cybersecurity, whether that is through providing resources or by, you know, providing information or, you know, supporting them in a variety of ways. The Federal Government is also a disrupter, meaning that it should be carrying out actions to disrupt what our adversaries are doing, whether they are criminals or nation-states. That is through using all the tools of National power, whether you are talking economic sanctions, arresting individuals, carrying out technical operations, or even military or intelligence operations. It is also a regulator and an enforcer, because it should be, you know, in some cases, setting the rules and enforcing those rules, even including in cyber space. Those 3 are very traditional roles for the Federal Government, but the Federal Government has a fourth one in cyber space that is unusual, which is partner. Because the private sector has much of the technical capability and a lot of the expertise, and, as Sue pointed out, the Government does not have a monopoly on the use of force or technical capability in cyber space. So, therefore, the Federal Government needs to be operating collaboratively, as a partner, as a peer with many organizations in the private sector, such as cybersecurity vendors, telcos, and platform providers, in order to actually disrupt and carry out those other missions that I was talking about the Federal Government having. Chairman Thompson. Thank you very much. Mr. Alperovitch, you talked about those 5 items, and it looks like everybody is kind-of on the same page. Do you have some comments you would like to make on that, in terms of the role of the Federal Government? Mr. Alperovitch. Yes, absolutely, especially focusing on the defense of the networks themselves. I believe that CISA should be in charge of defending the civilian government networks and Cyber Command should defend the DOD networks. Mr. Chairman, I also believe that, as the other speakers have said, we need to go on offense. We need to make it harder for the adversaries to conduct these operations. Law enforcement, in particular, and Cyber Command need to take further actions to disrupt infrastructure of threat actors, both criminal groups and nation-states, and raise the bar. We need to look at using all the tools of our power to really focus on the 4 primary nation-states--Russia, China, Iran, and North Korea--and what we can do to deter their malignant activity in cyber space. Chairman Thompson. Thank you very much. The Chair yields to the Ranking Member for questioning. Mr. Katko. Thank you, Mr. Chairman. I appreciate the comments that I have heard so far. As I said in my opening statement, it seems, at least in a dot-gov domain, that our efforts for dot-gov security are too confederated and too clunky and ultimately inadequate. You know, Mr. Alperovitch, what you said with respect to CISA being the quarterback, if you will, that you think it should be designated as such, that is 1 of the 5 recommendations I had. I wanted to drill down a little bit more on that and see what you envision CISA's role to be as that quarterback in the dot-gov domain. Mr. Alperovitch. Absolutely. Thank you very much for that question, Mr. Katko, and thank you for your leadership on this issue. I believe that CISA needs to become a shared service provider for cybersecurity for agencies. The fact of the matter is, when you look at over 130 different Executive branch agencies, the vast majority of them will never have the talent, the expertise, the resources to defend themselves against the most sophisticated nation-states out there, such as Russia and China, that are trying to break into their networks. Certainly, you have the large agencies, the intelligence community, the DOD, law enforcement agencies like the FBI, that do have that capacity, but many small ones will never do that. As a result, I think that they need to start thinking about outsourcing certain cybersecurity tasks to CISA. Chris Krebs, when he was director, set up a great set of shared services, such as shared email services that are secure, that CISA can deliver to agencies. They need to start adopting those. We need to start thinking about incentives to encourage agency heads to start outsourcing that capacity. I think looking at FISMA and reducing the overhead of FISMA compliance for agencies that turn over that capability to CISA is one way that can encourage them to do so. Mr. Katko. OK. With respect to OMB's role in this, do you believe that CISA should, over OMB, play more of a role in that area? Mr. Alperovitch. Absolutely. I think it is important to set standards so that agencies can look at what works and what doesn't work in individual agencies when it comes to cybersecurity. And OMB has a role to play to share the standards across the Government and try to get agencies to adopt similar types of technologies and approaches that have already been proven to work. That is why I also believe that metrics, particularly speed-based metrics, are really effective at getting visibility for both CISA and OMB into what agencies are doing to be faster than the adversaries, to detect them, investigate, and remediate breaches as quickly as possible. Then you can learn from, sort-of, the best of the best in Government and try to make sure that everyone else adopts the same strategies. Mr. Katko. All right. Thank you very much. Mr. Krebs, it is nice to see you again, and I appreciate your service during your time at CISA. Obviously, you have some expertise there, and I am going to kind-of ask you a similar question as I did Mr. Alperovitch. Do you believe CISA should be playing that centralized authority as he described it? If so, what would you do if you were king and could shape that for them? Mr. Krebs. Yes, sir. Thank you. I agree with pretty much everything Dmitri said. I can't take exception with anything, in fact. Look, the approach we have taken over the last decade-plus due to some of the oversight mechanisms that are in place, in part by Congress, has taken us a half-step forward. We need to take that full step. The 101 Federal civilian agencies are simply not in a position to secure themselves all by themselves. The reason for that is the lack of resources, the lack of personnel, and the lack of follow-through. So, you know, I have thought for some time now that, No. 1, we need a comprehensive Federal civilian agency cybersecurity strategy. We have to pull that together. We need the requirements to put in place for the agencies to meet. Those requirements will likely be very onerous and very expensive, and I can think of maybe a handful of agencies that would be able to comply. So give them the opportunity to comply, or give them an option, as Dmitri said, an incentive, where the CIO in the CISO shop can just turn the keys over the CISA, and CISA can build those services through the quality service management office, like a hardened, secure, cloud-based email instance, and pull everyone in. As of now, there are 101 different instances of email across the civilian agencies. That is just not a defensive posture. We have to bring it all into one hardened, single ring, so to speak, to make it most defensible. That is going to require authorities to compel, and it is going to require resources, but it is also going to take some time to implement. Mr. Katko. Well, I appreciate it. Basically, what we are asking is to do on the dot-gov side what they have already done on the dot-mil side with DOD. I dearly hope we can get that moving. Now, Mr. Alperovitch, quickly, with respect to SolarWinds, from your perspective in the private sector, cyber espionage campaigns, where does CISA need to be focusing its attention going forward? Mr. Alperovitch. So I actually believe, Congressman Katko, that SolarWinds really represents a new normal for Russian intelligence. If you look at what they were doing prior to SolarWinds, they were trying to be very noisy when they were breaking in and to be detected very, very quickly. I believe that they reevaluated post-their original compromises of the White House, State Department, and the Joint Chiefs of Staff back in 2014 and 2015 and realized that the supply chain vector, being able to compromise, sort-of, these high-risk software, enterprise software, like SolarWinds, and using that to gain access to high-value networks is really the way to go if you want to have long-term access to these networks and remain undetected for months, if not years. In some ways, this mirrors exactly what they are doing in human intelligence with their illegals program, where they are sending spies over to this country to implant themselves for decades in our society and get close to people in power so that they can steal secrets. They are now trying to do the very same thing in cyber through the supply chain compromises, and I think this is going to continue on for many years to come. China, I am sure, is looking at this very carefully and trying to adopt the same practices. So I think the Government, CISA in particular, needs to take a really hard look at supply chain vulnerabilities. As I suggested in my testimony, we need to start looking at elevating standards for providers of this high-risk software to the Government. Requiring them to perform annual audits of their source code and of their networks, I think, is one way to do so. Mr. Katko. OK. Thank you very much. I have so much more I could ask, Mr. Chairman, but I am out of time, and I yield back. Chairman Thompson. The Chair will now recognize other Members for questions they may wish to ask the witnesses. I will recognize Members in order of seniority, alternating between Majority and Minority. Members are reminded to unmute themselves when recognized for questioning and to then mute themselves once they have finished speaking and to leave their camera on so they may be visible to the Chair. The Chair now recognizes for 5 minutes the gentlelady from Texas, Ms. Jackson Lee. It appears we have a technical issue. We will fix that. We will go to---- Ms. Jackson Lee. I am here, Mr. Chairman. Mr. Chairman. Chairman Thompson. OK. Ms. Jackson Lee. Can you hear me? Chairman Thompson. Yes. Ms. Jackson Lee. All right. Thank you so very much. First of all, thank you for this hearing. Thank you to the witnesses. Let me go with Mr. Alperovitch. I believe you gave the 5-point agenda, if I am not mistaken? Mr. Alperovitch. Mr. Alperovitch. Yes, I did. Ms. Jackson Lee. Yes. Could you give a little bit more of substance to the idea, I am going to call it the cyber czar, and the extent of that individual's authority? Would they be able to interface with agencies across the landscape, Federal agencies? Would they be able to cite them for their failings, or would they be instructed in what they need to do? Would they provide oversight internally? Obviously, Congress has the other part of oversight. What would that individual be responsible for doing? Mr. Alperovitch. Thank you for that question, Congresswoman Lee. I think it is a great question. In some ways, I think the Biden administration has already resolved part of that issue by appointing an incredible individual, Anne Neuberger, as Deputy National Security Advisor for Cyber. I have known Ms. Neuberger for many years. She has done tremendous work at NSA and Department of Defense for over a decade on this issue, so there is literally no better expert in Government to work these issues. I think, within the National Security Council, she will have the authority to coordinate strategy and policy for the U.S. Government, working together with the director of CISA. So I think we are on the path to getting the Government organized for success here. Ms. Jackson Lee. Thank you very much. Let me move to Ms. Gordon. Obviously, we are in a different climate where cyber may even be the tool for bad actors--Proud Boys, Boogaloo Bois, the Oath Keepers. How, in your capacity dealing with intelligence, would you see a new group of domestic terrorists being able to utilize cyber to interfere with the Government workings? Let me just follow up with a question to Director Krebs. Thank you for your service, as I do all. The issue with SolarWinds, we had this problem with Mr. Snowden--a contractor, unvetted, and had a great deal of--how should I say it?--confidence and comfort. I would be interested in you following up on Ms. Gordon on how do you put the firewall up for these third-party contracts that we seem to be completely immersed in in the Federal Government. Ms. Gordon, on the idea of cyber being a tool of destructiveness and bad acts. Ms. Gordon. Yes. Thank you so much for the question. It is a great one. I think that our domestic extremists and terrorists got a pretty good look at the playbook. No. 1 is, disinformation is incredibly powerful, the ability to overwhelm airwaves with any sort of messaging. We haven't talked much about disinformation as a part of the cyber threat, but it surely is and we learned it. They learned a lot of the tool kits that have been reused over the past 2 or 3 years. So I think that is No. 1, is how can they use their voice. Then second is, I think you would expect them to use tools to disrupt normal business processes, the normal functioning of society, the normal ability of people to carry out functions that are much more even in order to be able to shape activities. I think both of those are well within their ken. There are tools available to do it. It will take the kinds of things we have talked about from a Governmental level to be able to attack those. We are going to have to look at how intelligence can support that. Because it is a little bit of a slippery slope with intelligence on domestic, but I think there is some craft that the intelligence community has, particularly born of their time in the counterterrorism fight, that can be applied to this problem. Thank you so much. Ms. Jackson Lee. Thank you. I would like to work with this committee and you on these issues. Let me quickly ask Mr. Krebs--and, Mr. Daniel, maybe you will be able to follow up in my short time and respond to this issue of the water systems being violated and what kind of cyber weaknesses do we have when that happens. Mr. Krebs on the SolarWinds? Maybe there will be a second or so for Mr. Daniel. Mr. Krebs. Mr. Krebs. Yes, ma'am. I will try to do this quickly. I actually think Dmitri did a pretty good job of laying out a few of the requirements that need to be in place, particularly for Federal Government contractors. That includes increased transparency and attestations to the security, not in a compliance-based way, which is just a checklist, but actually demonstrated security improvements. But to get there, we have to have a better understanding of what enterprise software and services are systemically important. That is a lot of the work that I think CISA and the National Risk Management Center should be doing. Ms. Jackson Lee. Mr. Daniel, on the violation of the water system and the cyber impact? Mr. Daniel. Mr. Daniel. Sure. So I think what that shows is that our adversaries are willing to go beyond simply stealing information or even holding systems at ransom, but are willing to move toward destructive acts--acts that could cause physical harm. I think what it also shows is that, you know, it is--you know, water systems are not something that, sort-of, immediately spring to a lot of people's minds. People have thought about the power grid or the financial system, but it is almost any system that is connected to the internet, which is essentially almost anything today, can be a target. So we need to be thinking very broadly in terms of our cyber defenses. Ms. Jackson Lee. Thank you, Mr. Chairman. I yield back. Mr. Bishop. Well, I may have lost--Mr. Chairman, did you just speak? I lost audio, I think, or couldn't hear you, sir. Chairman Thompson. Well, we are recognizing you for 5 minutes. Mr. Bishop. I thought so, sir, but I just couldn't hear. Thank you very much, Mr. Chair. As I was taking notes over the testimony--Mr. Daniel, I think I would come to you first--I noticed both you and Mr. Alperovitch focused on something that seemed instinctively accurate to me as a layperson that--you said it, I think--that we can't keep the adversary out of networks, and that instead, we need to thwart their objectives. It does seem to me that Government and private enterprise have spent inordinate resources to keep people out of networks, and so it makes sense to me to finally come to the conclusion that you can't. But what does that mean--Mr. Alperovitch, I will come to him in a minute, because he talked about maybe substituting speed metrics, I believe, to find and eject intruders. I think there might be problems with that idea too, but how do you thwart their objectives, Mr. Daniel? Mr. Daniel. Well, so what I mean by that is that the adversary is gaining access to networks for a purpose. They are not simply gaining access to gain access. They are looking to steal information. They are looking to steal money. They are looking to---- Mr. Bishop. Do damage. Mr. Daniel [continuing]. Cause--yes, do damage. They are looking to cause disruption. They are looking to achieve some objective. So if you change your mind-set to one of, I want to look at all of the different actions that the adversary has to do to achieve that objective, look at all of the different steps that they have got to get through to achieve that end goal and focus on where do I have the greatest comparative advantage to break that chain, to disrupt their operations, then suddenly, instead of the defender having to be right all of the time because you are trying to keep the adversary out, the adversary has to be right a hundred percent of the way through their efforts. So you get many more bites at the apple to try to disrupt them. So if we start thinking about it in terms of, we succeed if they don't get to their end objective. To my mind, that is a much more effective way to think about cybersecurity. Mr. Bishop. So, again, as a layperson, it seems to me, that, for example, when we are worried about avoiding information theft, maybe we ought to think in terms of making a lot more information public so that we are not worried about it being stolen, particularly if it is lower sensitivity. Would that be a possible way to think? Mr. Daniel. That is certainly one way to think about it. You could also think about storing more of that data in encrypted form, so that even if the adversary gets it, they can't do anything with it. Mr. Bishop. If you are concerned about damage being done to data, then you can build in redundancy and have multiple copies of stuff to avoid damage. Would that be another way to go? Mr. Daniel. That would be another way to go. You try to think of all the different ways that you could thwart what the adversary is doing. Mr. Bishop. Speaking--Ms. Jackson Lee just made reference to the water system thing, I saw that story, and I wonder, is it necessary that things like that, where you can do damage, why is that connected to the internet? Why can somebody change the way a chemical is put into the water supply over the internet? Wouldn't there be a way to defend against the possibility of intrusion if you say networks are not impenetrable, period? Mr. Daniel. Well, certainly, Representative, it is certainly one of the principles in industrial control systems that you should minimize the number of systems that are connected to the internet, and there are best practices for how to do that in a way that is more secure. But, certainly, you also want to build in multiple layers of defenses. Like in the case of the water system, they do have them. There are other alarms and things that might have detected that change that was made even after it was made. But I think you raise a good point about really looking at and understanding your network and understanding why you are connecting what you are connecting and not just assuming that connecting it is a good thing. Mr. Bishop. Thank you, sir. Mr. Alperovitch, you talked about this same issue and said that we need to adopt speed metrics in detecting and ejecting intruders. Doesn't the SolarWinds experience suggest that we might not be really able to do that either? Mr. Alperovitch. Well, I think--and thank you for that question, Congressman Bishop. I think SolarWinds' operation actually highlights some of the failures but also some of the successes. I know of a number of major companies that actually detected the intrusion quickly--Palo Alto Networks was one of them--and contained it before any damage was done. So it was certainly possible. Not everyone was successful at doing so, but you do have time. When I was in the private sector, I coined this concept of break-out time, the time that it takes for an attacker once they get in, once they establish a beachhead within the network, to actually accomplish their objective, to get off that beachhead, to get to other resources within the network, elevate their privileges, get access to valuable data, ultimately steal that data or destroy it, whatever their objective may have been. What I found is that, on average, it took adversaries from nation-state criminal groups over 4 hours to accomplish that objective. That may not seem like a lot, but actually, if the defenders are quick enough to detect, investigate, and remediate breaches within 1 hour, then you can stop them dead in their tracks, they can't get off that beachhead, and you eject them before they are able to be successful. So if we start measuring every agency on their ability to detect, investigate, and remediate breaches quickly, we can start holding them to account and make sure that they are focusing on what truly matters, which is how they become faster than the adversary. Mr. Bishop. Mr. Alperovitch, I mean, isn't--and I don't think we have had a full accounting of the SolarWinds thing, but weren't they undetected for months? Chairman Thompson. His time has expired. Mr. Bishop. All right. Chairman Thompson. The Chair recognizes the gentleman from Rhode Island, Mr. Langevin, for 5 minutes. Mr. Langevin. Thank you, Mr. Chairman. I want to thank you for holding this hearing. I want to thank our witnesses for your testimony today and thank you for all you have done to better protect the country on a whole host of National security fronts and issues, especially on cyber. I think almost all of you have referenced the Solarium Commission and its findings at one point or another. Thank you for recognizing that. As a commissioner on the Cyber Solarium Commission, I was very pleased with our final report and the findings in it, and hopefully it is going to be a great blueprint going forward for better protecting the country in cyber space. Mr. Krebs, let me start with you, if I could. In the fiscal year 2021 NDAA, we codified the roles and responsibilities of sector risk management agencies with respect to their sectors and to CISA. The Solarium Commission recommends tying this to a 5-year National risk management cycle to get a holistic sense of where key investments need to be made across the National critical functions. Do you agree with the Solarium Commission's recommendations or assessments? Mr. Krebs. Thank you for that question, sir. Yes, I do, in fact, agree with the evolved approach to risk management across the National critical functions and the fact that it does take--it takes all the agencies that have relationships and expertise in a specific sector or subsector to play along with CISA and the intelligence community. Mr. Langevin. Thanks for that insight. I appreciate the feedback. By the way, thank you for the integrity you showed when you were director at CISA in securing elections and doing everything you can to make sure, as you said, they were the most secure in U.S. history. Mr. Daniel, in one of your--and I have learned a lot from you over the years in our discussions, both when you were at the White House as cyber coordinator and since you left now to be in the private sector. In one of your valedictions as cybersecurity coordinator just before the end of the Obama administration, you spoke of the need to go beyond information sharing and do operational collaboration. I have to tell you, I think about that phrase all the time. The Solarium Commission recommends creating a common toolset for joint collaborative environment for interagency and public-private joint analysis of cyber threat data. Do you agree with this recommendation? Any comments you have in that respect? Mr. Daniel. Yes, Congressman. Thank you very much for that. I agree that the Solarium Commission did just some tremendous work in this area to really highlight some key efforts that will really improve the cybersecurity of the Nation as a whole. I think that this idea of operational collaboration in a collaborative environment is absolutely critical. Information sharing is important. I mean, I run an information-sharing organization, but you share information with a purpose, and that is to take action. As Dmitri was saying, we actually need to be able to go on the offensive with all of our capabilities, and the only way to do that is to do that in a collaborative fashion. So when I use the term ``operational collaboration,'' what I mean is that we need to move beyond just sharing information back and forth between the Government and the private sector, but actually enable multiple elements of the Government--law enforcement, intelligence, CISA, diplomatic, economic--to be lined up and synchronized in time with actions that the private sector can take, so that the actions of the Government and the actions of the private sector are mutually reinforcing and have a strategic impact on the adversary. So that is what I mean by ``operational collaboration.'' Mr. Langevin. Well said. Thank you. Mr. Krebs, let me go back to you. The fiscal year 2021 NDAA also contains a force-structure assessment for CISA to determine personnel and facilities needed going forward. How would you describe CISA's resourcing versus its mission? Let me ask you this also, in your time at CISA, were there times that you had to forego important projects due to resource constraints? Mr. Krebs. Yes, sir. Thank you for that question. So at the top line, the budget at CISA, at least as I was director, was about $2.2 billion, which seems to be a pretty significant and it is, in fact, a significant amount. About $1.2 billion of that was focused on cybersecurity investments, cybersecurity programs. However, of that $1.2 billion, about $800 million is focused on 2 programs--the National Cyber Protection System and the Continuous Diagnostics and Mitigation Program. So that leaves, you know, several hundred million dollars on the end for incident response, and actually very little, frankly, for broader engagement with the critical infrastructure community. That was my biggest concern. My biggest regret was that we were not able to plow additional resources into the ability to get out there into the field and engage more critical infrastructure and State and local partners. However, the State-wide Cybersecurity Coordinator Act that was passed as well in the NDAA and some of the additional funding has given us more capability to get out in the field. That is the one distinctive advantage of CISA, is that they operate primarily in the unclassified space. In COVID, when you can work remotely, you can follow the trends that the cybersecurity industry have done as well and actually employ people, not in the National capital region, but out in the field where you don't actually have to be tied to a Secure Compartmented Information Facility. Mr. Langevin. Right. I definitely agree that for CISA to effectively do its job, it is going to have to be properly resourced, and we are not quite there yet. But thank you for the work that you did there at CISA, and I look forward to staying in contact. Thank you, Mr. Chairman. I yield back. Chairman Thompson. [Inaudible.] Mr. Langevin. I don't know if we can hear you, Mr. Chairman. Voice. You are muted, Mr. Chairman, I think. Mr. Langevin. Mr. Chairman, we didn't hear you. I think you were muted. Something is wrong on that communication side. Chairman Thompson. OK. Mr. Higgins, the gentleman from Louisiana, for 5 minutes. Mr. Higgins. Thank you, Mr. Chairman. I think you are doing just fine with the technology we are dealing with right now. It is a challenge for all of us. Mr. Alperovitch, we know that foreign actors are continuously looking for flaws in our Nation's cybersecurity programs with efforts to threaten our data integrity, our public health, our safety. China is our biggest global competitor, actively engaged in horrible things in their own country, stealing our Nation's economic and National security secrets, and vacuuming up large swaths of American data for nefarious purposes or for their own design. China works overtime to get themselves embedded into our information and communications technology supply chain. Russia had and may still have total access to our unclassified Federal networks. It has been reported Iran was heavily involved in a misinformation campaign surrounding the 2020 election. Congress is constantly talking about a deterrent strategy regarding cyber campaigns. It is critical that the United States imposes real costs on these cyber adversaries to attempt to defer future attacks. Personally, I think we should strike back in the cyber realm. I would like your opinion on that, good sir. In your professional opinion, what is the best way to respond to foreign cyber attacks? Mr. Alperovitch. Thank you, Congressman Higgins. I think you hit the nail on the head in terms of the threat environment. All of the threat actors--and I would also add North Korea--are constantly hitting our networks, they are stealing our intellectual property, they are performing disruptive attacks, and in some cases, harboring criminal groups that are engaged in ransomware operations against our hospital networks and small businesses all over this country. So we absolutely have to respond. I think we absolutely have to strike back, but I think we need to look at the full toolkit of our power. Sometimes cyber may be the right tool. Sometimes it may be something we do in the physical world, whether it be sanctions, diplomatic efforts, or sometimes even supporting with military capabilities opponents of those regimes, such as, for example, providing military aid to Ukraine that we have done to confront what Vladimir Putin is doing in that country. So I think what we need to do is step back and try to figure out what is the best way we can influence the particular adversary, and the strategy will be different for each of the 4 countries that we are dealing with. Sometimes cyber will play a role. Sometimes it will be something else, but we shouldn't necessarily jump at the tool. We should focus on the overall strategy and then figure out which tool works best for it. Mr. Higgins. OK. Let me ask you to clarify. How would we-- if we are going to respond in the cyber realm, let's say, if we identify a cyber actor, we don't know who that sponsor is, how can we tell if it is a nation-state? Do you have confidence that with our current technologies and cyber infrastructure and the American men and women that are in charge of knowing these things, do you have confidence that we can tell the difference between a criminal actor operating from within a nation-state versus a nation-state-sponsored cyber attack? Do you have confidence we can tell the difference? If so, why would a solution like a responding cyber attack--I have heard it referred to as a cyber bullet--if it is going to hit the bad guy, then it hits the bad guy, whether it is a nation-state or not, whereas if it is a criminal actor and you put sanctions on the entire nation-state, that unnecessarily injures our diplomatic relationship with some nation-states. In my remaining time, would you respond to that, please? Mr. Alperovitch. Absolutely, sir. On the first question, I do have confidence in the capability of our intelligence community. I have worked with them closely over many years, and the fact of the matter is, we have better capabilities to attribute cyber attack than we have ever had in our Nation's history. Over the last 10 years, I can't think of a single major consequential cyber attack that was not attributed. Many of them have been attributed publicly, and the Justice Department, the last 4 years in particular, have indicted all of the 4 major countries--Russia, China, Iran, and North Korea--for their malicious cyber activity. But even when we don't attribute things publicly, the U.S. intelligence community usually knows very, very rapidly, within days if not hours, who is responsible, because of the phenomenal capabilities we have on tracking cyber adversaries and infiltrating their own networks to understand what they may be planning to do. So I think we do know who they are very well in most of these cases, and I think we can craft the right strategies to influence their behavior, including in cyber. Mr. Higgins. All right. Listen, it is a very important subject. I thank the Chairman for holding this meeting, and Ranking Member, my colleagues on the committee. We are dedicated to addressing this in a bipartisan manner. Mr. Chairman, I yield. Chairman Thompson. Thank you very much. The Chair recognizes the gentleman from New Jersey for 5 minutes, Mr. Payne. Mr. Payne. Thank you, Mr. Chairman. Thank you, for once again being on top of these issues for a decade prior to it coming to fruition here. Mr. Krebs, during your time at CISA, you launched the Rumor Control program. Could you discuss why CISA began the Rumor Control program and why it is important? Mr. Krebs. Yes, sir. Thank you for that question. So the predicate for Rumor Control actually goes back 3\1/2\ years or so. In the preparation for the 2020 election, the CISA team, the Election Security Initiative, working with our State and local partners, spent a significant amount of time threat modeling how any actor, whether state actor or non-state actor, like a ransomware crew, could target and disrupt an election. So we had dozens of scenarios that we subsequently deconstructed into their component pieces and were able to develop defensive strategies, where we could invest, where we could increase awareness and training and capacity. Toward the end, though, it became clear that in many ways, an actual hack was not the greatest concern. Instead, we were thinking about perception hacks, where an adversary could claim that they had either access to a machine or a minor cybersecurity event could be blown out of proportion. Rumor Control was intended to provide factual information to the public on how elections actually work and the controls that are in place, and that software or hardware is not a single point of failure in any election and that there are controls, like paper-based ballots, in place to ensure the security of the election. Mr. Payne. Thank you. During the 2020 cycle, we saw a significant increase in lies and conspiracy theories during the following election. What are the risk of political leaders amplifying election misinformation? Mr. Krebs. Well, of course any time you have election- related misinformation, it can undermine the public's confidence in the election itself, the democratic process, regardless of the source, whether it is domestic or foreign interference. Again, that was the concept behind Rumor Control in the rapid, real-time debunking of some of these themes, like the hammer and scorecard machine algorithm that was being manipulated by a foreign deceased dictator. The point is, we have to get out in front of these rumors, this disinformation and misinformation, as quickly as possible and inform the American people on how these processes, these machines, elections themselves, actually work. Mr. Payne. OK, thank you. Ms. Gordon, we are still trying to understand the long-term damage that Trump's false, incendiary rhetoric around the election, coupled with the physical attack he incited at the Capitol, will have on the public's faith in our democratic processes. Ms. Gordon, was there a noticeable spike in chatter to echo and amplify ex-President Trump's disinformation narratives? Ms. Gordon. Thank you for the question, Congressman Payne. So I have been out of the intelligence community since 2019. So I am not tracking the information, but let me give you a little bit of perspective. We know that our adversaries, particularly Russia, but not exclusively Russia, have as their strategic imperative to undermine democracy, to use any means that they can since the Cold War to be able to insinuate themselves into any rift that they see to exacerbate that problem. So there will be--our adversaries will use that moment to do 2 things. No. 1, amplify messages that are destructive. Then the second is to take those images and hold them up globally to suggest that what we have long said we were is, in fact, not as good as what they have. So the global impact is also present in addition to their using those events to try and further create risk. That is why this notion of protecting the digital space has to include disinformation, because what we saw was that---- Mr. Payne. Yes. Ms. Gordon [continuing]. Is as dangerous as anything else. Thank you for your question. Mr. Payne. Thank you. So, basically, the treasonous insurrection that we saw on the 6th plays right into our opponents' hands, correct? Ms. Gordon. The activities that we have seen where we turn on ourselves are very useful to our adversaries. Mr. Payne. Thank you, Mr. Chairman. I yield back. Chairman Thompson. Thank you. The gentleman yields back. The Chair recognizes the gentleman from Mississippi for 5 minutes, Mr. Guest. The Chair will recognize the gentleman from California, Mr. Correa, for 5 minutes. Mr. Correa. Thank you, Mr. Chairman. Can you hear me OK? Chairman Thompson. Yes, we can. Mr. Correa. I wanted to thank you and Mr. Katko for holding this most important hearing. I wanted to essentially say that just listening to our witnesses speak today, I ask myself, how did these folks acquire the weapons, the tools to such, with ease, penetrate our defenses in terms of cyber? You know, as I think back at the history of this country, as we dealt with the Soviet Union, we used to have this concept called mutually assured destruction, which is, you attack us-- you won't attack us because we can attack you back, and the cost is just too expensive. Today, like Mr. Alperovitch said, you got China, Russia, Iran, North Korea, that essentially attack us, and essentially their folks in their area attack us with impunity. So my question is, what is it that we can do to essentially establish a policy of deterrence? Because, in my opinion, these attacks should, in all sense and purposes, constitute a declaration of war on the United States. What are we doing? What can we do to stop these attacks? What is the deterrence that we can develop, can use, to have these folks that are essentially operating out of countries like Russia from attacking us? I will start out by asking Ms. Gordon to answer that question or any comments you may have. Ms. Gordon. I think it is the perfect question. Thank you for asking. I will give a start, and I will let my colleagues add on. I think we have already given you some of the groundwork. No. 1, you can't stop all activity. You can't. So here is what you can do. You can increase the cost of attack by doing the simple things to make yourselves more secure, so you don't get nuisance activity. The second is, you can understand--I hate the use of the word ``red line,'' but you can understand what the impacts are to our society that we cannot tolerate and build policy around if those lines are crossed, we will respond. Then the third is--and I think everyone has said the same thing--don't think of cyber action requiring exclusively cyber response. Once you have said what your National interests are and that those must be protected, you can find a whole range of solution. Cyber may be one of them, but that can't be the only one. I yield to my friends. Mr. Correa. Mr. Krebs. Mr. Krebs. Yes, sir. Well, just to build on a little bit of what Ms. Gordon said, you know, particularly emanating from those 4 countries--China, Russia, Iran, North Korea--the behavior will continue until the leadership has decided that it cannot tolerate further behavior. I think there are still options on the table for more destructive attacks and more brazen attacks, particularly for Russia. I don't think we have hit the upper limit of their pain threshold. For instance, working, I think, with our allies, with the United Kingdom and elsewhere, where there are Russian ex-pats, Russian oligarchs, that have a significant amount of money, you start turning the screws on those individuals, and they will go back to the Kremlin and you may see some behaviors change. Mr. Correa. Mr. Krebs, we have heard this suggestion a number of years ago in this committee. You go after their pocketbook, you go after the oligarchs. Yet this has not been used. What has been deterring our country from using those kinds of weapons, which is, you hit them at the pocketbook? Excellent solution. Why do you think we haven't used that? Mr. Krebs. I think that we have used some significant amount of sanctions, penalties against Russian actors, but this is not a single country effort. We have many allies and many friends that we need to partner with. I already mentioned the United Kingdom and the significant amount of Russian capital that has flowed into London and elsewhere. We have got to go shoulder-to-shoulder with our adversaries, but at the same time, recognize that there are certain behaviors that, unfortunately, are within the realm of acceptable cyber behavior, and to a certain extent, that is going to continue to be espionage targeting, for instance, Federal agencies, not that it is OK, but those are the rules of the road right now. Mr. Correa. Thank you. Mr. Daniel. Mr. Daniel. Well, I would say that to some degree, we actually have achieved some degree of deterrence, meaning that we have not seen wide-spread destructive attacks carried out against the U.S. power grid and other systems. So we have achieved a level of deterrence. But I think what you are referring to, Congressman, is that we--the level of activity that we have not been able to deter is still too high. So I think that the way that I would frame it up is that we have to continue both increasing the costs from deterrence by denial, meaning that--and this was something the Solarium Commission talked a lot about--of, you know, making our systems harder, but also in figuring out creative ways to disrupt what the adversaries are doing. Maybe that is, you know--in the criminal networks, that may be going after the money flows, particularly going after cryptocurrencies, like Dmitri was talking about. Or in the nation-state context, we have to put it into that geostrategic context that Dmitri was talking about and figure out how to raise the cost on our adversaries in a way that causes them to change their behavior. Mr. Correa. Mr. Daniel, excuse me. You talked about cryptocurrencies---- Chairman Thompson. Mr. Correa, your 5 minutes are up. I am sorry. Mr. Correa. Thank you very much, Mr. Chairman. I yield. Chairman Thompson. The Chair recognizes the gentleman from New Jersey, Mr. Van Drew, for 5 minutes. Mr. Van Drew. Thank you, Chairman and Ranking Member. I think it is good that you put this meeting and discussion together. Cyber threats pose a great risk to our Nation, whether attacks on State and Federal Governments, businesses, or even our hospitals. America is the focal point of the attacks. Our adversaries are more capable than ever to cause damage to our country. This poses a significant threat to our critical infrastructure, supply chains, and even elections. Every day we face attacks from Russia, China, Iran, and North Korea. In our last election, we were victims of cyber attacks from some of the world's most dangerous adversaries. Just a few days ago, hackers infiltrated a water treatment plant in Florida and temporarily increased lye ratios to lethal levels. In the third quarter of 2020, the world saw a 50 percent increase in the average daily number of ransomware attacks compared to the first half of the year. That is unacceptable. As it relates to election security, the cybersecurity and infrastructure of CISA has become increasingly important in protecting our institutions. As the many bad actors in the global landscape continue to adapt in their attacks, we need to evolve in our response. We must remain one step ahead of our enemies, especially as it relates to election security. If we do not have faith in our process, we cannot have faith in our country. CISA's role, working with State and localities, must continue to grow, so that Americans can have confidence in our democracy and assurance that the Federal Government is doing all that it possibly can do to protect its citizens. So I have some questions. One is for Christopher Krebs, and you know I always talk about the Coast Guard because we have the only training center. Every single individual that is in the Coast Guard at some point goes through my district in Cape May. How does CISA coordinate with the Coast Guard to promote cybersecurity of maritime critical infrastructure? That is for Christopher Krebs. Mr. Krebs. Yes, sir. Thank you for that question. The last administration issued a National maritime cybersecurity strategy last year. CISA coordinates very closely with the Coast Guard. In fact, Coast Guard service members actually sit with CISA and actually support our Hunt and Incident Response mission. It is a very collaborative relationship between CISA and the Coast Guard. The relationship in terms of going out and working in the maritime sector at ports, on facilities, and then coastwise is a budding relationship that I would suggest, again, we need to put more resources against. Mr. Van Drew. OK. Which makes sense. But it has been fruitful to this point. Mr. Krebs. Yes, sir, I think so. If I could just make one example based on what Sue Gordon, Ms. Gordon, mentioned earlier about our election security efforts. What worked so well there is that we brought all of the relevant stakeholders together and created almost, as I called it, a mini CISA. So we had all elements of CISA, with our stakeholders, really intensely focused on the mission. But elections is just one of the National critical functions. We have to identify that top slice, 15 to 20 top National critical functions, highest risk, and create little mini CISAs around each and every one of those functions. We can make rapid, rapid progress in securing those sectors and functions if we take that approach. Mr. Van Drew. Good. Thank you. For Michael Daniel, the recent incident at the Florida water treatment facility shows how vulnerable we are to attacks from hackers. What can and should be done to prepare for and combat the cyber threat to critical infrastructure? Mr. Daniel. Well, thank you, Congressman. I think that when you really think about it, there is kind-of, I would say, 3 things that we need to be doing, one of which is very much hardening those systems and raising the level of cybersecurity across the ecosystem. That is everything from really thinking about cybersecurity in different ways that I was talking about, but also employing things like the NIST Cybersecurity Framework to do that risk management to those systems. But then also going on the offense to find those adversaries and to disrupt them and to prevent them from doing what they are trying to do. Then also being able to know that sometimes both of those things will fail and know that we need to be ready to respond and recover. This is where what Dmitri was talking about, those time-based metrics of how we need to get better at responding rapidly, identifying the malicious activity, containing it, and then removing it from those networks, so that we can minimize the amount of damage that we take. I think--and we need to be doing that, as Chris was just saying, across, thinking about that from a National, critical function perspective about what is important to our economy and to the functioning of this country as a whole. Sometimes that will not be obvious from the outside, and it requires thought and analysis to arrive at some of those critical functions and where they are vulnerable. Mr. Van Drew. Thank you. I appreciate all, and I thank you for your work. I yield back. Chairman Thompson. Thank you. The Chair recognizes the gentlelady from Michigan, Ms. Slotkin, for 5 minutes. The Chair will recognize the gentleman from Missouri for 5 minutes, Mr. Cleaver. Mr. Cleaver. Thank you, Mr. Chairman. You know, I am going to express appreciation, first of all, for you doing this hearing because I think it is right on time. I thank all of our very knowledgeable witnesses and articulate witnesses. I want to thank you, Mr. Krebs, for your integrity. It is good for the whole country to see what integrity looks like. You know, my concern right now is global versus domestic terrorism. You know, we are told by the FBI that the greatest threats to our country are coming from within, which one of the witnesses has already talked about being one of the goals of Russia. So I am concerned, frankly, about whether or not there is enough intelligence or data that would allow us to know whether the domestic threats coming from various groups around the country--around the country are also a cyber threat to the country. So, Mr. Krebs--I would like to hear all of our witnesses just briefly hit on that, the domestic threat and whether I am overthinking it to believe that that could eventually become one of the greatest threats to us, if not already the greatest threat. Mr. Krebs. Thank you, sir, for that question. It is not in the top, you know, 5, probably, of cyber threats that I am concerned about right now. I would actually put at the top of my list ransomware, targeting State and local and small and medium businesses. Part of the reason why domestic cyber threats, from a pure sophistication perspective, is that they are not given time to root. That is because law enforcement, the FBI, has greater authorities here to actually go and grab the bad guy and do a perp walk, which is different from how some of those ransomware gangs that operate in Russia and Eastern Europe and elsewhere. The law enforcement community cannot always reach out and touch them. So that is a distinct deterrence advantage that we have here at home to push back on larger-scale cyber activity. Yes, there is always going to be identity fraud and, you know, lower-level criminal activity, but really truly National security- and economic security impact-level of cyber threat domestic, I don't believe that is an immediate threat. Mr. Cleaver. Do the other witnesses pretty much agree with that or do you have anything to add? Ms. Gordon. Congressman Cleaver, I will just add a little too. I think Chris is right, but I do think in terms of National security threats to the Nation, our own extremism is problematic. They may not have any particular advantage in cyber right now, but the tools they would need are not elusive. As I mentioned before, there are foreign actors who may be very willing to provide either their expertise or their resources. I absolutely believe that there is hope in what Chris said about our natural advantages dealing with our problems domestically, but this is a concerning threat and it can use cyber capabilities in the same way some of our other adversaries can. Mr. Cleaver. Well, I don't want my time to run out, so I will do this very quickly. I have read that 95 percent of cybersecurity breaches are the result of human error, and so-- and this may be horrible-sounding. I genuinely don't mean for it to sound this way--but in hearing many of the individuals who have been arrested for the January 6 attempted coup d'etat, you know, and maybe they were good at science and just not good at other things, because none of them have come across, you know, like, you know, brain surgeons. I don't know what else to say. So I am just wondering, if we got 95 percent from human error, which is not very much, frankly, you know, in terms of how far it could go, I am assuming we only have--it is close to zero--zero from them. Mr. Chairman, I will listen to the answer and I am out. Thank you for the indulgence. Mr. Krebs. Sir, I think that is a fair point that I would expand upon my earlier answers, that, yes, there is the potential for insider threat, disgruntled employees. When you think about what happened down in Florida earlier this week, it is very likely that that was, in fact, a disgruntled employee that conducted that operation. I think we would leave the investigation to finalize that. That is why it is so important to have visibility over the network, controls in place. To Dmitri's point, you know, if you are planning for a broader, you know, assumption of breach perspective, you will be able to defend against a range of different actors. Mr. Cleaver. Thank you, Mr. Chairman. Mr. Krebs. But that is a good clarifying point, sir. Chairman Thompson. Thank you very much. The Chair recognizes the gentlelady from Iowa, Mrs. Miller- Meeks, for 5 minutes. Mrs. Miller-Meeks. Thank you so much, Mr. Chair, Ranking Member Katko, and all of the witnesses who are presenting here today. Extraordinarily important topic, and I appreciate the ability to both listen and learn. Before coming to Washington at the beginning of this year, I served as a State senator in my home State of Iowa. Last year, the Iowa legislature recognized the importance of cybersecurity, and we voted to increase funding for cybersecurity initiatives to our DCI. All of you in your testimony today have recognized and brought up and addressed the importance of a combined effort, not solely a Government effort, but also State and private. Ms. Gordon, in your testimony, you discussed the importance of cybersecurity at the State and the private industry level, and I am wondering what Federal resources currently exist to help States that want to strengthen their cybersecurity. Ms. Gordon. So I think what CISA has done and what Chris has done in the context of election security has given a great blueprint for State and local to be able to use their resources but the wisdom of the Federal to put those 2 things together. I think there is probably more we can do. One of the thoughts that I have is, as the intelligence community got more and more securing itself against this, one of the great advantages we had was when we went to cloud computing and away from all the small infrastructure that is really hard to keep up with and patch. I think there is an interesting question to be said with whether there is some ability to provide for less advantaged localities, some sort of access to broader cloud computing that could offer that advantage in the same way. Thank you very much. Mrs. Miller-Meeks. Thank you so much. You all had mentioned seeing boundaries and silos, and, Mr. Krebs, you had mentioned--talking about ransomware. We certainly have had ransomware attacks in Iowa and, again, put legislation to deal with that. So if a State is working to prevent ransomware attacks or if they are currently experiencing a ransomware attack, what assistance or guidance is the State able to receive from the Federal Government, should the Federal Government provide assistance, and what does the process look like for a State seeking guidance? Mr. Krebs. Yes, ma'am. Thank you for that. Ransomware is a--I think we are on the verge of a global emergency. The rate at which we are seeing State and local governments get hit is truly frightening. CISA, over the last 2 years, working with the FBI and other law enforcement partners, has kicked off a ransomware awareness campaign. I think we actually need to do more, though. I think we need to have a joint public-private sector initiative, like the Institute of Security and Technology's Ransomware Task Force, where everyone comes together across technology sector and Government to make things better. But to start, we have to improve defenses. State and local governments simply cannot protect themselves. There is too much legacy infrastructure out there, still too much reliance on single-factor authentication like passwords. We have to make that generational leap in technology. The Federal Government has to help here. I think we have to either match what the Homeland Security grant programs have done for counterterrorism or we have to go even further. I think with COVID, remote work force, digital transformation, in a subsequent funding stimulus bill, I think we have an opportunity to put a lot of really meaningful, impactful resources into the hands of State and locals, to upgrade their systems, to improve citizen services, and ultimately secure against this on-going scourge of ransomware. Mrs. Miller-Meeks. Mr. Daniel, would you have anything to add to that? Mr. Daniel. I think it is absolutely right that State and local governments, not only in dealing with ransomware, which I completely agree with Chris, that we--I think, you know, that has moved into the realm of National security and public health and safety threat, that we very much have to deal with. We need to provide a lot more resources to State and local governments for them to both defend themselves and to remediate and have options other than paying the ransom if they do get hit with ransomware. They really need to have that option. But I also think we need to be looking at how we work with State and local governments to be ready to respond to other kinds of disruptive and potentially destructive attacks to our critical infrastructure. There is some work being done by a group called the New York Cyber Task Force that will be coming out later this spring that will look exactly at that topic. Mrs. Miller-Meeks. Great. Thank you so much. I appreciate all of the testimony from the witnesses, and again, very important topic and very timely. Thank you, Mr. Chair. I yield back my time. Chairman Thompson. Thank you very much. The Chair recognizes the gentlelady from New York for 5 minutes, Ms. Clarke. Ms. Clarke. Thank you very much, Mr. Chairman. Let me thank our witnesses for their expert testimony here today. Let me just say that the Federal Government is really making up for lost time. I am sorry, Mr. Chairman, my--somehow I--my technology just failed on me. Would you give me 1 minute? Chairman Thompson. We can hear you loud and clear. Ms. Clarke. OK. One moment, sir. Chairman Thompson. We can actually hear and see you. Ms. Clarke. OK, very well. Just I am trying to actually return to my questions. I am sorry, Mr. Chairman. I just--my technology is failing me today. Chairman Thompson. Well, I tell you, if the gentlelady from Nevada will step in, we will come back to you. Ms. Clarke. That will be fine, Mr. Chairman. Chairman Thompson. The Chair recognizes the gentlelady from Nevada for 5 minutes, Ms. Titus. Ms. Titus. Thank you, Mr. Chairman. I could never fill the shoes of my predecessor there, but thank you for letting me go ahead. I would just like to shift the attention a little to work force needs. If you covered this when I was in T&I markup, I apologize, but I don't think so. You know, this is one of those areas where the need outraces the supply in the case of people who are qualified to do this work. There was a study that was released last fall that showed that 880,000 professionals work in cybersecurity, but there is a work force gap of about 350,000. I know here in Nevada, we have approximately 2,700 unfilled cybersecurity jobs. We are seeing more colleges and universities get involved in this kind of training. In fact, UNLV has a new partnership with what they call HackerU to start training some of these folks and fill in this skills gap. I wonder if our panelists, starting with Mr. Krebs, could address this shortage and what we might be able to do to help fill it at the Federal Government assistance or encouragement or information that will help us find the people who can do these very important jobs that y'all have been discussing. Mr. Krebs. Yes, ma'am. Thank you for the question. I think about that as a today problem as well as a tomorrow problem. Starting with the tomorrow problem, we have to continue increasing digital literacy and supporting K-12 education, STEM education, including thinking in security principles. You know, I have 5 kids. I have talked about this in numerous hearings before. In the public school system, I see that they need more science, technology, engineering, mathematics education. To the today problem, though, I think the people are there, the potential work force is there. We just need to make it more accessible. I do think, though, that the pandemic and the remote work force has actually given us--or at least a glimmer of hope. Traditionally, in the information security community, there are annual conferences all over the place, all over the country. They cost money to attend, to fly to, all those things. Most of them have gone on-line, and many of them have been free and open to the public. That has been a significant barrier reduction to opening up access to education, training, and awareness. So we need to keep that going. We also need to, through the Federal Government, provide pathways to cybersecurity positions. I know at CISA, we were trying to expand our recent graduates and current students internships and hiring. That is a--working with the Scholarship for Service Program, we can actually help augment tuition assistance. That, to me, is a great opportunity to bring people in to the government, train them up for 3 or 4 years, and then give them the opportunity to go back out into the private sector. That actually gives us a couple advantages. One is that we have a degree of standardized training, but we also now at CISA, we have an alumni network. So if they go out into the critical infrastructure community, they know how to work with CISA, and they have actually a preference to work with CISA. Those are just a couple examples right now that I think that we can do more of. Ms. Titus. I would think this would be an area where veterans might play a role, that we might take advantage of some of their skills and knowledge. Mr. Krebs. Yes, ma'am. In fact, CISA hired a significant number of veterans, but also there are private-sector programs. There is the Cyber Talent Initiative, the CTI, that a number of private-sector corporations have participated in, as well as Microsoft has a dedicated military veteran program, where they train up over a course of weeks and offer interview for positions those that finish the program. Ms. Titus. Well, thank you. Anybody else want to add to that? Ms. Gordon. Yes. Representative Titus, great question. To add on 2 ends of what Chris shared, totally agree with the educational aspect, starting in K-12. I also think we need to add to that just the realities of operating in a digital world. So remember the D.A.R.E. Program we had countering drugs in the schools? Where is that, to have people understand what is happening to them in a connected world and the social responsibility? So I think there is a piece of that education of--kind-of like ethics of being in and protecting yourself in a digital environment that would be a good add. The sec is, I think we are missing at the top end of organization, so not just the workers but the top end, a digital literacy that allows leaders and decision makers to understand what is at risk and what their responsibility to devote resources. So instead of just leaving it to their technical teams, I think we need an educational effort focused at leaders. So I can bracket the education. Then I think there is a real opportunity, as the Federal Government doesn't just throw knowledge and requirements of the transom to localities, if we start engaging with local and regional activities to bring capability in and spawn regional capability, that is going to be an attractant for developing the jobs that will keep people locally, not just suck them all in to a Federal, centralized thing. So I think there are some really good opportunities for us to incentivize those sets of things. Ms. Titus. Well, thank you. I would like to work with you on that, and I appreciate it. Thank you, Mr. Chairman, and I will yield back. Chairman Thompson. Thank you very much. The Chair recognizes the gentleman from Georgia for 5 minutes, Mr. Clyde. Mr. Clyde. Thank you, Mr. Chairman, for having this very important hearing. You know, we discussed already about the attempt on the water supply facility in Florida, and then also in March 2018, the Trump administration accused Russia of orchestrating a series of cyber attacks that targeted the U.S. power grid. My question for Mr. Krebs is, could you estimate how many times a day or estimate the scope of how many attempts bad actors try when they attempt to breach U.S. critical infrastructure networks? Mr. Krebs. My dog upstairs is trying to answer the question right now. I apologize for that. Mr. Clyde. Would you like me to repeat it? Mr. Krebs. Would you mind coming back to me? Mr. Clyde. Sure, sure, sure, no problem. Could you estimate how many times a day a bad actor attempts to breach a U.S. critical infrastructure network in our country? Could you give us an idea of the scope? Mr. Krebs. I will try over the dog's barking. Clearly, somebody that is walking dogs on the street. It is--when I say try, it is actually really hard to make any sort of meaningful quantification. There are both automated tools that run on a regular basis looking for vulnerable systems connected to the internet, and then there are focused, human-powered initiatives or efforts. We are talking--I would even, I would hesitate, millions and millions and millions. I mean, we are talking just massive numbers of scanning attempts on a regular basis. That is just the noise of the internet. The more sophisticated, capable efforts are going to be fewer in number, going after the bigger fish to catch. Mr. Clyde. OK. Thank you very much. I appreciate that. My next question is to Mr. Alperovitch. You mentioned in your opening statement ransomware. So the best way to reduce the threat of an adversary, in my opinion, is to remove the incentive. You know, as a small businessman, I called it the economic sword. I understand that bitcoin is a primary way that many ransomware bad actors want to get paid. So could you tell me, is there a way to minimize or eliminate simply the ransomware bad actors' ability to get paid? Mr. Alperovitch. Congressman, that is an excellent question. It is no coincidence that the explosion of these ransomware attacks occurred about 10 years ago when we saw the emergence of these cryptocurrency platforms like Bitcoin, which enabled these criminal actors to collect ransom anonymously. So, previously, before the emergence of cryptocurrency, to get a ransom, you literally had to provide the wire instructions for your bank to get the ransom or a place where someone could send you a check. As you can imagine, law enforcement could easily track that down and get that criminal arrested. Mr. Clyde. Exactly. Mr. Alperovitch. With cryptocurrency, they could do it anonymously. So I believe that de-anonymizing these types of transactions through know-your-customer regulations that the Treasury Department can implement can absolutely take the oxygen out of this ransomware fire and totally disrupt their business ecosystem. I think Congress should absolutely be looking at that. I know Treasury has put out regulations back in December, proposed regulations, in this sphere. I think Congress should be supportive of that. Mr. Clyde. So you think that would be a very important aspect of the cybersecurity solution. Mr. Alperovitch. I think that can totally disrupt the business ecosystem for these criminal operations and can significantly dampen the number of attacks we are seeing against our small businesses and hospitals and the like. Mr. Clyde. Right. OK. Thank you very much. I appreciate that. Mr. Chairman, with that, I yield back. Chairman Thompson. Thank you very much. The gentleman yields back. The Chair recognizes the gentlelady from New York, Ms. Clarke, for 5 minutes. Ms. Clarke. Thank you, Mr. Chairman. I think I have got it this time. I want to once again thank our expert witnesses. I think what we have heard today is that in the 21st Century the line between the physical world and the digital world just keeps growing slimmer. When it comes to homeland security, malware can disrupt our critical infrastructure as effectively as a bomb, and hacked data can be a more effective tool of espionage than a human source. There is a reason that this is one of the very first hearings that we have held this Congress. It is because cyber threats are no longer a risk for tomorrow. Our day of reckoning has arrived. The SolarWinds breach was far from an isolated incident. From the OPM hack to relentless attacks against the private sector, IP networks are the new battlefields and have been for some time. As Chairwoman of the Cybersecurity Subcommittee, I believe we are overdue to reimagine DHS and make it reflect this reality. It is time to stop spending money on walls that divide us and more money on firewalls that protect us. Fortunately, President Biden has made it clear from the start that he is taking a different approach, nominating seasoned experts to National security positions across the Federal Government and the White House who recognize the need for a whole-of-Government approach to cybersecurity. I look forward to working with him to defend American networks and not just at the Federal level but also, as has been stated by numerous of my colleagues, at the State and local level and in the private sector. Nothing less than our National security depends on it. With that, I want to turn to my questions. As a Nation, we have no way of knowing how much of our critical infrastructure has been compromised by hostile nation- states like Russia through cyber hacks like SolarWinds unless individual companies decide to come forward voluntarily. As Chairwoman of the Cybersecurity Committee, I have been following the conversation about requiring critical infrastructure owners and operators to report when they experience major cybersecurity incidents, as the Cyber Solarium Commission recommended last year. So, Mr. Krebs, would you have been better equipped to carry out our mission as CISA director if you had access to detailed, thorough data on successful cyber intrusions targeting critical infrastructure? Mr. Krebs. Yes, ma'am. Thank you for that question. I certainly think it would be helpful to have, or at least in terms of significant cyber compromises, an after-action process that is, you know, almost a no-fault exercise and not constrained by litigation concerns and things of that nature, where you could actually get to the root cause of what happened and then share findings, even maybe in an unattributed way, with the rest of the private sector. We have to learn from our past mistakes, or we are going to keep repeating them. We also have to really, really emphasize knowledge transfer from the haves that have invested to the have-nots that are either yet to invest or, you know, beginning to realize where they fit in the ecosystem and they want to be better corporate citizens and understand their responsibilities to the economy. Ms. Clarke. Thank you. Mr. Daniel, you mentioned the need to create standards of care for private-sector critical infrastructure. Can you elaborate upon what those standards should look like? Mr. Daniel. Yes. Thank you, Representative Clarke. I think those standards are going to vary depending on the industry, depending on the size of the company, depending on what functions it performs and their criticality to the overall infrastructure. But we have these standards in many other kinds of areas, like safety and how you treat customer data and things like that in other areas. What we need to start doing is extending that into cybersecurity so that companies know what their responsibilities are. That will also help cut down on that litigation that Chris just referenced. Because if they know that they are reaching that level of standard of care and they are exercising that as due diligence, then they won't be as worried about reporting and communicating with the Government. Ms. Clarke. Thank you. Mr. Krebs, I just want to take the opportunity to thank you for doing the right thing during your tenure at CISA and refuting Donald Trump's lies and disinformation about the 2020 election. Do you believe you were fired because you created the ``Rumor Control'' blog and made public statements affirming the integrity of the election? Mr. Krebs. Thank you for the question, ma'am, and thank you for your kind words. I, you know, can't attribute any specific motivation to my firing other than what was in the 2 tweets and the fact that the President seemed to believe that the statement that it was a secure election was, in fact, inaccurate. Ms. Clarke. Well, thank you, Mr. Krebs. Mr. Chairman, I yield back. Thank you very much. Chairman Thompson. Thank you very much. The Chair recognizes the gentleman from Texas for 5 minutes, Mr. Pfluger. Mr. Pfluger. Mr. Chairman, thank you very much for this hearing, and Mr. Ranking Member. I appreciate the opportunity. For the witnesses, thank you for taking the time in a very important time. You know, cybersecurity and the cyber world affect every single American. As somebody who spent 20 years in the military flying the most advanced piece of weaponry, we don't fight our wars without cyber help, without, as has been mentioned, the comparative advantage. What I would like to kind-of focus on right now is the word ``competitive'' advantage. Ms. Gordon, I appreciated hearing your thoughts on how there is not just one solution, you know, for us as a country to remain secure in the cyber world, and it is going to take State and local, international partners, our Federal Government, private industry. These partnerships are extremely important. In my district, Angelo State University is seeking to become a cyber center of excellence. This is a Hispanic-serving institution, in academic year 2021 and 2022 should be a minority-serving institution. We are in a rural area. So the uniqueness of Angelo State University in the seeking of being a cyber center of excellence is one of those pieces of the solution and that layered defense, that model. When it comes to competitive advantages, just like the gentlelady from Nevada, I am worried about our education system and the lack of preparing. As somebody who graduated from a military academy, studying military tactics is extremely important. Ms. Gordon, I would like to hear your thoughts on what can be done at the university level to really empower these universities and higher education to focus on STEM. As one report shows, our students in math and science are ranked in the bottom 50 percentile, you know, for STEM education. I know this has been mentioned, but what can we do to empower these universities to continue to improve the quality of education? Ms. Gordon, to you. Ms. Gordon. Well, thank you, Congressman. That is a great question. I love hearing what is going on at your university. A good friend of mine is Dr. Heather Wilson at UTEP, and she makes the exact same point about the remarkable opportunity we have at several institutions if we put our focus, give them some resources, inspire them with need. I think we have the raw material; we just have to apply it to the problem. So I think there are 3 things you need to do--we need to do. No. 1, I think we are already starting to do it, and that is to talk about these things as Nationally important, not just a question of economics, not just something elusive, but actually how important this is to our Nation. So, be expansive about the threats we have, the threats to and through information, and what can be done. Let's get people wanting to participate in that. No. 2, I think we see a whole bunch of private-sector companies who are recognizing their social responsibility. Let's do some things to inspire them to continue to invest not only in products and services but in the humans that are going to make them run. No. 3, I think that, as the Federal Government, as you all consider what can be done to couple National wherewithal to local action--and with what we have learned about COVID, about distance learning, I think we have the opportunity to not have to have everyone move to one place to participate but you can participate where you are. I think the United States has tremendous advantage. Open systems, competitiveness, innovation--those are all watchwords. Get it applied to this problem, and I think we will be all right. Mr. Pfluger. Thank you, Ms. Gordon. Mr. Alperovitch, quickly in the remaining time, when it comes to critical infrastructure, critical vulnerabilities, I am very worried about not only the water system, as we have heard, but also the delivery of our energy--in my case, oil and natural gas and the delivery systems. How do we harden those systems? How do we protect those systems? Mr. Alperovitch. I think we absolutely have to focus on this. I am actually on the board of a company called Dragos that focuses on these very issues. I think that, when you look at the oil sector, you look at our manufacturing sector, frankly, industrial control systems are very vulnerable. We have not focused on protecting those systems. We need a different approach to the one that protects the enterprise networks, sort of our laptops and servers, to the way we protect our systems that interact with the physical world, and this absolutely needs to be a Government focus, sir. Mr. Pfluger. Thank you. Again, to all of you, thank you for thinking outside of the box. This is a huge issue. Mr. Chairman, Ranking Member, thanks for the time to focus on something that will keep all Americans safe, especially those things that are providing services and educating our children. With that, I yield back. Chairman Thompson. Thank you very much. The Chair recognizes the gentlelady from Nevada--I am sorry--New Jersey for 5 minutes, Mrs. Watson Coleman. Mrs. Watson Coleman. Thank you, Mr. Chairman. Thank you for having this hearing. To each of the individuals who have participated, thank you for the information you shared. I am learning a lot. I have a lot to digest. This is really quite extensive, quite concerning on so many different levels, and quite new to me, actually. Mr. Krebs, let me just say to you also, I thank you for your integrity as well. Mr. Krebs, let me ask you the first question. There was a proposal that was offered today to make the CISA director the chief information officer or the chief of the information sharing for all of the agencies. Do you think that that is a good idea? Mr. Krebs. Yes, ma'am. There is a Federal chief information security officer that resides within the Office of Management and Budget. That function really is a policy-setting role, and then CISA is in a policy-enforcement role. I think if we can expand the resources, capabilities, and ability to actually--well, frankly, get agencies to improve their security through resources and capabilities, then I think we are going to be in a much better place. Mrs. Watson Coleman. So do we still have an issue with agencies feeling very proprietary over information in their jurisdiction and not sharing it in an interagency capacity? Mr. Krebs. I think there are a couple issues here. One is that privity of contract between agencies and their vendors prohibit CISA, for instance, from getting information on incidents. In some cases, particularly in some of the recent hacks, I had heard--because they happened after I left--that when CISA tried to ask a vendor for information, the vendor would say, ``I am sorry, I can't give you that, that is up to the agency to give you that,'' and then the agencies don't always turn that over. So we need to change that and put CISA as a part of the contractual relationship. But any way you cut it, when an agency is responsible for their networks, they are always going to have a sense of ownership and proprietary responsibility. We have to change that model. We have to make it easier for them, where they don't have to hire, where they don't have to invest their own, where it is already provided for and it is a turnkey solution. That should free up the chief information officers to focus more on citizen services and actually delivering value to the American people. Mrs. Watson Coleman. OK. Thank you. I think this is to Mr. Alperovitch. You talk about accelerating the detection, investigation, and mitigation by increasing the metrics. Is anything needed in that regard other than additional resources? Is the capability for the agencies to do that already in existence? Is that a resource issue? Mr. Alperovitch. I think it is a resource issue, but it is also policy issue. I think Congress should absolutely require agencies to start tracking those metrics every single year, report them to CISA, report them to OMB, report them to oversight committees, so that you actually would have the information needed to understand how well are agencies doing in detecting and investigating and responding to sophisticated adversaries and what more needs to be done. Also borrow from examples of agencies that are doing really well and trying to make sure that everyone else adopts those types of strategies broadly. Mrs. Watson Coleman. Uh-huh. Thank you very much. Mr. Daniel, can you walk the committee through the problems with the security patches? Those are the updates that you see from time to time. Can you talk to us about the frequency of them and whether or not this is the best way to have this take place? Mr. Daniel. Well, certainly. So all software comes with vulnerabilities and bugs and errors in it. It is just the nature of writing software code. So companies that manufacture and write that code are going to have to update it. So we certainly want the ability to update and manage that code, and we want to do that in a fashion that is as easy for the customers to do that as possible. One of the problems that we have, though, is that there are hundreds of these patches that come out very frequently. Different companies and different providers are providing these patches on a very regular basis. So the challenge for a company is to actually figure out how to implement those patches and do so in a way that does not disrupt their business operations. So patch management and managing those updates to your software is actually a very critical problem for many enterprises. We need to work toward making that patch management and software management as easy and as transparent as possible. Mrs. Watson Coleman. Can a trickster encourage you to do something that will have a negative impact on your device, and you are thinking that is the company telling you to update it? Can a hackster or a trickster or whatever do that to you? If so, is there something that we should be doing, looking at it from a Government perspective, as a standard, as a modus operandi? Mr. Daniel. Well, certainly, Representative, there is always a possibility that an actor will try to trick you, to try to scam you into clicking a link that takes you to someplace that is not legitimate--that is called phishing--that will try to misdirect you and get you to download malicious software. But what I would say is that, you know, relying on trusted vendors that you know and are relying on the normal update process, that is the best way to go. Even though we know that there are opportunities, like what happened to SolarWinds, for that to be compromised, that is far from the most common route, and it is much more common for a scammer to try to phish you or trick you in that manner. So I still think it is critically important that companies and individuals and organizations regularly patch and update their software. Mrs. Watson Coleman. Thank you. Thank you, Mr. Chairman. I have a lot of other questions. I know my time is up. I yield back. You are muted, Mr. Chairman. Chairman Thompson. That is technology for you. It said I was not. But, Mr. LaTurner, if you can hear me---- Mr. LaTurner. I can. Chairman Thompson [continuing]. I will recognize you for 5 minutes. Thank you. Mr. LaTurner. Thank you, Mr. Chairman. I appreciate it. I appreciate you putting this panel together. I have appreciated all of your testimony. I want to focus primarily on ransomware and specifically on its impact on small and medium-size businesses. This is a major issue that people are struggling with. I could name several just in recent history of businesses that have been dealing with this. The ransom was huge sums of money. They felt like there were almost no resources, no response, no help--a very powerless feeling about how to deal with this. So, clearly, we have so much work to do at the Federal, State, and local level with governmental institutions. But, specifically, Mr. Alperovitch, you talk about passing breach notification laws, which make some sense. What else can we do to partner with and be a better resource to these small and medium-size businesses that don't have the resources and really feel helpless in the environment that we are in right now? Mr. Alperovitch. Thank you, Congressman LaTurner. I think this is a great question, because we really have the haves and the have-nots in cyber today, where the big organizations, the Fortune 500 companies, are doing just fine, spending resources and trying to defend themselves against the sophisticated attacks, but the same criminals, the same nation-state actors that are going after them are also going after the small and medium businesses that really have no capacity, no talent to defend themselves against these sorts of issues. We need to look very seriously at this problem. I think the right way to think about this for small and medium business is to try to outsource that capability to a cloud provider or another manner of service provider that can be responsible for their defense. But, as I mentioned previously in my testimony, I think in ransomware in particular, which is the No. 1 plague that is hitting small businesses, as you mentioned, sir, every single day, we need to go after these criminals, we need to shut down the ways that they can collect these payments anonymously, and prosecute them to the full extent of the law. That is the only way that we can get a handle on this problem. Mr. LaTurner. I appreciate that answer. Mr. Krebs, you talk in your testimony--talk about disrupting the business model, which clearly we need to do. So if you would talk about that just a little bit. But then focus more, if you could, on the section where you talk about more aggressive action against ransomware actors. You say you are not suggesting extrajudicial kinetic actions against ransomware gangs, but authorities available to law enforcement and military should be on the table. So talk a little bit about the business model disruption and then about that, if you don't mind. Mr. Krebs. Yes, sir. Thank you. On the disrupting the business model, I mean, the simple fact right now is that ransomware is a business, and business is good. I have said that before; I said it in my testimony. Mr. LaTurner. Yes. Mr. Krebs. It is simply too easy for criminals to extract value. As Dmitri mentioned, it is primarily driven by the ubiquity of cryptocurrencies and the ability to anonymously transact illicit activities. So I think, in part, what Treasury did last year with the OFAC notice that it is, in fact, a possible sanctions violation to pay ransom to a sanctioned entity, like Ryuk, the Ryuk gang, that should have a chilling effect. I think there are other mechanisms that we can take a harder look at. If I said--I meant--I think I said last year. So there are some other things--you know, how we facilitate the payment beyond cryptocurrency. Should it be legal to pay ransoms? When you think about terrorism and ransom of terrorists, that is typically unlawful. So I think we need to have a policy conversation about whether it is in fact legal to pay criminal gangs a ransom. So, to your last point of additional action, we have already seen a couple cases over the last year, most recently in the last month or so, targeted action by law enforcement against the Emotet malware infrastructure. Last year, we saw Microsoft go after Trickbot and their infrastructure. We need to have coordinated activities--law enforcement, informed by the intelligence community--to go after the actual infrastructure and the people that are conducting these activities. Again, to the extent we can put hands on them and arrest them, that is a good thing. That takes an exceptional length of time. So, if we can take down the processes and the infrastructure by which they conduct these activities, that has to hold the ground until we can lock them up. Mr. LaTurner. Thank you, Mr. Krebs, Mr. Alperovitch, and all the conferees. Thank you, Mr. Chairman. I yield back. Chairman Thompson. Thank you very much. The Chair recognizes the gentlelady from California for 5 minutes, Ms. Barragan. Ms. Barragan. Thank you, Mr. Chairman. Thank you to our witnesses. In 2018, the maritime sector saw 2 massive ransomware and malware attacks on the maritime industry, impacting the ports of Barcelona, Spain, and San Diego, California. These attacks seem to be focused and potentially made increasingly easier as the convergence of information technology, or IT, and operational technology, OT, systems become more integrated. According to varying industry reports, the number of maritime-focused cyber threats and incidents have risen by as much as 900 percent. These cyber attacks have great economic impact to maritime ports, especially those that are integrated into our transportation networks. These attacks can cause reputational harm, financial loss, and even physical damage, especially in the cases of compromised dockside equipment or vessel. The Port of Los Angeles, in my district, has invested to create a cybersecurity operation center and has a dedicated cybersecurity team whose role is to protect the cyber aspects of the port. To create additional centers and resources will require investment by Federal, State, local, and private industry partners. Without such investments, this will greatly cripple and potentially hinder American supply chains and response efforts to catastrophic events like the COVID pandemic. Mr. Krebs, if I can come back to you on this, what can ports be doing right now to ensure their maritime cybersecurity preparedness? Mr. Krebs. Yes, ma'am. Thank you for that. So, partly, they can work with companies, like Dmitri mentioned, Dragos and some other vendors, that can help them understand what their environment looks like, the controls they need to put in place to secure their systems, to lock them down, to disconnect if at all possible. But that is not always possible, because you need, a lot of times, remote access. The bigger issue, though, here is that, you know, we have to have this balance of stopping the adversary as best we can alongside improving defenses. So it is not a, you know, just invest in defenses, and it is not just an invest in offense; it has to be a more equitable balance. I think, historically, we have over-invested or, at least, principally invested in offense, and we have to ramp up defensive investments going forward. Ms. Barragan. So, just to follow up on that, should operation centers like the one at the Port of Los Angeles be considered for Federal grant funding, such as, like, State homeland security grant programs, emergency preparedness grant programs? Mr. Krebs. Yes, ma'am. I know that L.A. city cyber fusion or cyber intelligence center was funded by Federal grant, and I thought the port center was as well. But I think that is a fantastic innovation, in terms of pulling all the stakeholders together enterprise-wide to be able to manage risk to environments. Ms. Barragan. Great. Thank you very much for that. It is clear from recent events that the United States must improve its ability to respond and recover from a significant cyber event. Part of that effort must focus on partnering with private-sector owners and operators of critical infrastructure. In the aftermath of a cyber event targeting the electric grid, for example, there is a real question about whether there are sufficient laws in place to allow a grid operator to cooperate with the Federal Government to prioritize power restoration to a critical facility such as a military base. Last year's U.S. Cyberspace Solarium Commission report recommends that, to address this concern, Congress should pass a law specifying that entities taking or refraining from taking action at the direction of any agency head should be insulated from legal liability. Mr. Krebs, would this type of Congressional action help reduce barriers to cooperation between the Federal Government and the private sector during a cyber event? Are there any steps that you recommend Congress should take? Mr. Krebs. So, as I recall, that recommendation was based on the Federal Government asking a company, for instance, to take certain action or allow an adversary to continue their activities for observation or for their monitoring purposes, and that could result in downstream damages to customers or people. So I think that is a balance of equities, of trying to understand and stop the adversary versus protection. So I think that is a nuanced approach. I think we have to be very careful with that approach. But I think, again, going forward, we have to have a better understanding of where the riskiest bits of our Nation's economy, our infrastructure are. One of the aspects of the Solarium that I really liked was the continuity-of-the-economy effort. That was built, in part, on the National critical function work out of the National Risk Management Center. We don't have an in-depth enough understanding of how our economy truly works. Until we get there, we are not going to be able to invest smartly enough in terms of how we are organizing collectively for security. Ms. Barragan. Great. Thank you for that. With that, Mr. Chairman, I yield back. Chairman Thompson. Thank you very much. The Chair recognizes the gentleman from Michigan, Mr. Meijer, for 5 minutes. Mr. Meijer. Thank you, Chairman and Ranking Member. Thank you to all our distinguished guests who are on the call right now. I want to touch upon briefly some of the conversations that we have been having around cyber hygiene and, specifically, an analogy that came up in some of the prepared statements and that I think is just broadly in the ether around a cyber Pearl Harbor. Now, I guess my specific question--and I would like if Mr. Krebs could look at this first. When I think of the analogy of cyber Pearl Harbor, you know, we think of just kind of, like, a massive attack. But, you know, if you are going to face an attack, you know, our military is able to prepare itself--you can have radar installations, you can send out advanced forces, you can figure out how to preempt. But I think it was Mr. Daniel who mentioned that we are really facing a panoply of problems, right? We have everything from nation-states to criminal enterprises, the line between which can oftentimes be blurred, to individuals, you know, who may be domestic and working in some capacity. I guess the analogy that I have just been working with and I would love to get some reactions on is more of, how do we preempt a cyber Chicago fire? You know, after the Chicago fire, you had changes in building codes, you had, you know, investments in fire departments, everything from the installation of sprinkler systems to, later, smoke detectors. You know, although a cyber attack is obviously much more intentional, you know, we saw with the breach at the Oldsmar water facility, you know, that it was an outdated version of TeamViewer that was left on the computers--you know, obviously an example of just very poor cyber hygiene and a failure to have basic defenses. You know, how can we change our thinking on the resiliency side to not just be focused on the catastrophic but all of the ways in which, short of catastrophe, we can incrementally be increasing our overall resiliency? I don't know, Mr. Krebs, I would love for you to touch upon that and just within the idea of CISA as running point within all of those nodes. Mr. Krebs. So I think this is an interesting question, and it is one that I think has probably been asked in hearings like this now for going on 10 years-plus, you know, when are we going to see the cyber Pearl Harbor. I am not sure we are ever going to see it. I think what has happened to date has been sufficient to reinforce, you know, the perilous nature of where we are right now. I am hoping that, to quote Dmitri, that the Holiday Bear campaign, the Russian espionage campaign, is enough for Congress to take bold action and change the way that the Federal Government does business to secure its own networks-- centralize authorities, provide capabilities that are hardened and more defensible, rather than leaving it up to the 101 different agencies. We have to change the way we act. I also hope that the private sector now has had its awakening, that there are software companies, enterprise software and enterprise services, out there that have all of a sudden realized that, ``Oh, my goodness, I am systemically important. I have a significant part of whatever segment or market that I am in, and if I am going to have a bad day, there are hundreds and thousands of people that are going to have bad days too. So what do I need to do about that?'' You need to implement better internal controls and transparency on what you are doing to secure your products. But you also have to engage in a meaningful way, to Dmitri and Michael's point, on operational partnerships, getting together to study a discrete, specific problem, contribute your resources, alongside your peers, in an open information-sharing environment where you can actually take real action. Again, this is what we did for elections. We brought a range of stakeholders in, we were very open about the problems that were out there, and then we put collective action against that problem and dramatically improved security. Mr. Meijer. Mr. Krebs, just as a follow-on, you know, you mentioned CISA's budget. I mean, where do you think it needs to go to be able to provide that adequate level of security? Mr. Krebs. So I think that is in part what I hope we can figure out through the NDAA's, kind of, force structure analysis. The Department of Defense does this exceptionally well. They can tell you exactly what return on investment you get from a single unit, and you can do unit-type costing from there. This is how DOD works. The civilian agencies, DHS in particular, do not take that approach. We have to adopt that mindset. That will get us to a spot where, whether the budget should be $2 billion, it should be $4 billion or $8 billion, we will get there through that process. But we need more resources, more modern infrastructure. We need to implement more modern security controls, like protective domain name system, a recursive system that is out for bid right now. Those are the sorts of things that we have to continue pushing forward. I will tell you this right now: We are only going to have to spend more. We are only going to have to do more and more and more. It is not a one-shot deal. This is going to be the rest of our lifetimes. Mr. Meijer. Thank you, Mr. Krebs. Mr. Chairman, I yield back. Chairman Thompson. Thank you very much. The Chair recognizes the gentlelady from Florida, Mrs. Demings, for 5 minutes. Mrs. Demings. Mr. Chairman, thank you so very much. I hope you can hear me. My connection has not been that great. Chairman Thompson. We can hear you right now. Mrs. Demings. OK. Thank you so very much. Thank you to our witnesses for joining us today. I also want to thank each of you for your just absolutely outstanding service. Several of my colleagues have talked a bit about the attack on the water system in my home State of Florida. I know there are going to be investigations into that. There are a lot of unanswered questions for that because there are multiple independent systems that could be a part of the issue. But what I would like to ask--and Mr. Krebs or anyone who would want to answer this question--do you feel like--I do believe this is just the beginning. I think we have been quite lucky. Do you think, like, that this attack was more of a--we liken it to a burglar trying a doorknob to see how easy it was, how quickly they could do it, in preparation for greater attacks? Anyone who--Ms. Gordon or Mr. Krebs or anyone who would like to answer. Thank you. Mr. Krebs. Yes, ma'am. Thank you. Yes, I touched on this briefly before. I will maybe clarify my earlier comment. I think it is possible that this was an insider or a disgruntled employee. It is also possible that it was a foreign actor. This is why we do investigations. But we should not immediately jump to a conclusion that it is a sophisticated foreign adversary. The nature of the technology deployment in Florida, it is, frankly, not--certainly not where anybody, I think, any information security or operational technology security professional would like for that security posture to be. I will also say that Oldsmar is probably the rule rather than the exception. That is not their fault. That is absolutely not their fault. These are municipal utilities that do not have sufficient resources to have robust security programs. That is just the way it goes. They don't have the ability to collect revenue at a rate enough to secure their deployments. As I mentioned earlier, you know, when you have the internet, it is supposed to make things easier, it is supposed to make things more manageable. So, now that all of a sudden it is a security threat, it is almost counterintuitive. Also, look, you have to be able to manage this stuff efficiently, so we need to have more security controls in place. I think there are at least 3 things that we need to do. The first is we need to have more Federal funding available to get these tens of thousands of water facilities and other municipal operational technology systems up to speed with better security, more updated systems. Windows 7, if that is what they had, we should be on Windows 10. It is those sorts of things that we have to do. The second is we need more training available. We have to bring the training to the systems where they are. So whether it is working with private sector or CISA working with the EPA, we can't expect these vendors to go to Idaho National Labs or travel. We have to bring the training to them. Third, to Ms. Gordon's point, we have to have regional approaches to better IT technology. We have to have consortia that allow for upgrades and maintenance that are available with better price, with better cost efficiencies and economies of scale. You can pull that together at a State or regional level. I think that is going to have to be the future of IT deployments for systems like this. Mr. Daniel. Just to build on what Chris said, I would say that we very much need to keep an open mind until the investigation gets further down the road as to who the perpetrators behind this might be. It could be a nation-state. Iran has shown itself very interested in water systems in other countries like Israel and even in the United States in former situations. It could be a lone actor. It could be a disgruntled employee. There is just a wide array of possibilities at this point, and we really need to keep an open mind until the investigation concludes. Mrs. Demings. Right. I appreciate you saying that, because relaxing too soon, we know the consequences of that. My last question, and I would like to address it to Mr. Daniel: You know, cyber attacks, we all know now, is the new weapon of choice, whether it is to rob you blind from your bank account or to have a major attack. But it does not seem to me that we are really prepared for this new weapon of choice. Could you just talk a little bit about, you know, historically where we are, where we need to go, and did it just kind-of sneak up on us, this new weapon of choice, cyber attack? Mr. Daniel. Thank you, Representative. That is a very good question. You know, if you actually look at how the internet developed and the way that people thought about the internet, Chris is absolutely right; it was supposed to be this new utopia. It was supposed to bring all these benefits. We didn't really think through how it made us more vulnerable. We have seen this over and over again, of how the tools that were originally built to do good things also turned out to enable the bad guys to do malicious things. I think that it has taken us a while to sort-of shed that sort-of initial sort-of purely optimistic view of everything about the internet being good and start to realize that it can also be used for harm. In many ways, though, this technology has developed incredibly rapidly. You know, it has only really existed in its current form for about 25 to 30 years. In policy terms and in legal terms and in, you know, sort-of, sociological terms, that is actually a very short amount of time. So it shouldn't really be a surprise to anyone that we are still trying to figure out how to organize and prepare to defend ourselves against the threats in this new environment that doesn't act like most of the rest of the physical world that we are used to. So, yes, in some ways it did sneak up on us, but I think the good news is that now we are very much aware of the problem. We have committees like this that are focusing on it, and we have had a good policy foundation built over the last 10, 15 years. Now I think we can really start to do a much better job of getting our arms around the problem. Mrs. Demings. Thank you so much. Ms. Gordon. I would add just one more thing---- Mrs. Demings. Oh, go ahead. Ms. Gordon. Yes, I would just add one thing---- Mrs. Demings. Do I have time? OK. Go ahead, Ms. Gordon. Chairman Thompson. Go ahead. Ms. Gordon. Yes, just one sentence, is that I also think that, for too long, we left it to be part of the support function and support functions infrastructure. We tend to make organizational choices about where we spend our resources, and when mission needs dominate, we take money away from those they support. I think, with these recent events, we have the chance to make it a leadership issue. I think the Congress has a chance to put this in the forefront of the leadership, not have it be a second- and third-order effect that happens in local choice about implementation. Thank you. Mrs. Demings. Again, thank you all so much. Mr. Chairman, thank you for your leadership on this. Thank you for your patience, and yield back. Chairman Thompson. Thank you very much. The Chair recognizes the next gentlelady from Florida, Mrs. Cammack, for 5 minutes. Mrs. Cammack. Thank you, Mr. Chairman. Good afternoon to everybody. I would like to thank the witnesses for appearing here today before the committee. I know that, in a lot of ways, we are beating a dead horse here. I think we can all agree on the importance of cybersecurity and what lies ahead and the challenges we have. I know that our witnesses have explicitly stated or alluded to the fact that the interests of the United States, from National and homeland security all the way to economic prosperity, rely on our cyber capabilities, coordination, and resilience, particularly with our critical infrastructure. As we have discussed in the hearing here today, cybersecurity threats are not only present for large corporations or Federal agencies, but these threats exist for both large and small businesses; Federal, State, and local governments; academic institutions; U.S. critical infrastructure; and private citizens across the country. I am particularly excited about the hearing today, as I have spent 3 years getting my master's at the United States Naval War College on this very subject and have been identifying and looking for ways that Congress can more efficiently address these challenges. So I am very grateful for everyone's testimony here today. Our witnesses and some of my colleagues on the committee have already touched on the recent discovery of the SolarWinds intrusion, which officials have confirmed is likely of Russian origin and may possibly be the worst intrusion in U.S. Government and private networks in our history. I am deeply concerned about this attack and plan to work with my colleagues on both sides of the aisle of this committee to better understand the full scope of this cyber espionage campaign. So, turning now, as we look toward cybersecurity challenges in the Government and private sector, I believe that our future work force development should be a top priority as we reinforce and harden our critical infrastructure. So, to Mr. Krebs, one of my first and primary concerns is our Nation's cybersecurity work force and this shortage that exists. In fact, it is what I wrote my master's thesis on. Think tanks, publications that all track our cybersecurity work force have been discussing this issue for years, yet we have a major shortage that remains today. I would like to throw this idea out to you and get your input on establishing an academy of sorts, much like how we have our traditional service academies, like the Naval Academy, West Point, something like a U.S. Cyber Academy Corps, which would be dedicated and devoted to educating and training future cybersecurity professionals to defend our homeland and National security. I would like to personally see an emphasis on joint operability not just among services but across Federal agencies, and would open up doors for non-traditional students who may have accessibility or disability challenges that would prohibit them from entering a traditional service academy like West Point or the Naval Academy or the Air Force Academy. So do you see this being a feasible undertaking, something that is much needed, something that Congress should look to incorporate in future NDAA language? I would love to get your input on that. Then I have a follow-up question to the remaining panelists. So I will let you take it away. Mr. Krebs. Thank you. First off, I would like to read your thesis. It sounds like you have a lot of really good ideas that could be implemented. To your point of an academy, a cyber academy, I think that is certainly an option. But, ultimately, to your closing point, it takes all kinds. Congress has previously appropriated for CISA--I forget at this point the amount, but to set up a network of institutes and training academies and college and university programs that would range all the way from post-grad to 4-year colleges to 2- year colleges to technical institutes, you know, trades. We have to make it more accessible to everyone to get technology- based education to put them in a position to enter the work force. The last thing I will mention on this was, you know, I am a firm believer that we have the opportunity and the inherent advantages in the United States of America, because of our diversity, to bring the fight back to--the defensive fight, certainly--back to the adversary that tend to be monocultural and homogenous. I think that, based on our diversity of opinions, backgrounds, experiences, thought processes, that this gives us a distinct advantage. We have to harness that. We have to work through all sorts of different educational platforms to bring more people into the work force. So we would love to work with you and think more about this. Mrs. Cammack. Mr. Krebs, I know I am short on time. I did want to pose a question, if the Chairman would allow me, for the panelists, Mr. Daniel, Ms. Gordon. If you could maybe touch on the ``Tallinn Manual'' and---- Chairman Thompson. One question. One question. Mrs. Cammack. I appreciate it. Thanks for giving a little bit of grace to a freshman. I appreciate that. I would like to get some input from our experts here on the ``Tallinn Manual'' that has really kind-of been the guide internationally as we have looked to address and respond to cyber attacks, both from lone-wolf-type actors to state-on- state attacks. Do you see the ``Tallinn Manual'' as something that has been effective? Do we need to really subscribe to some of the guidelines and framework that they have outlined particularly in the second edition? I will kick it to Ms. Gordon first. Ms. Gordon. I am sorry. I made it through the whole hearing without staying on mute. I don't think there is any one--I am with Chris. I think we ought to look at your thesis and see what we have. I think there is nothing perfect. I do think we are going to have to explore standards and standards beyond our borders. So I think it is a fine place to begin. I don't think it is a panacea. I think we always have to look at it to make sure it doesn't disproportionately limit our freedoms, but I think it is a fine place to begin. Mrs. Cammack. Thank you. Mr. Daniel. I would concur with Sue's point. I think the level of thought and the degree of, sort-of, analysis that went into creating the ``Tallinn Manual'' is really an excellent foundation in the international space. You know, clearly, just given the amount of fussing that the Russians and the Chinese do about the ``Tallinn Manual,'' anything that they dislike that much says that I probably ought to really like it. So I will also use that as a benchmark as well. Mrs. Cammack. Excellent. Thank you. Thank you, Mr. Chairman. Mr. Katko. Mr. Chairman, just a point of privilege just for one moment? Chairman Thompson. The Ranking Member is recognized. Mr. Katko. Thank you. I have a hard stop at 5 that I cannot get out of, and I just wanted to thank you for having this hearing and bringing such a critical issue to light. I want to commend all of the witnesses, and I want to commend all of my fellow members. Excellent questions, excellent preparation. I am proud to be a part of this, and I know we are going to have a lot more hearings on cybersecurity going forward. But I appreciate your leadership, Mr. Chairman. I yield back. Thank you. Chairman Thompson. Thank you. The Chair recognizes the patient gentlelady from Virginia for 5 minutes, Mrs. Luria. Mrs. Luria. Thank you, Mr. Chair. Thank you again to all the witnesses who have joined us today for this very informative discussion. You know, I wanted to just bring up a couple incidents that have happened recently in my district here in southeastern Virginia. In November 2020, malware infected the Hampton Roads Sanitation District, and that led to delays in billing. This was basically caught and stopped before, you know, it spread throughout their whole network, and the damage could have been much worse. The perpetrator has not been identified. But, you know, I think that these instances of attacks on, you know, local or regional utilities are perhaps more common than we recognize. So I wanted to know, you know, from the Federal level, what level of coordination, of establishing of trends, identifying these vulnerabilities, and, you know, how we can help, you know, across the board from them being replicated, you know, kind-of just that coordination effort between Federal or State and local governments relative to these public utilities. Like, what more should we do? I know Mr. Krebs brought up, you know, this coordination between different levels of government. If you could comment on that, from the Federal level, what other resources could help these local utilities? Mr. Krebs. Yes, ma'am. So, to your point of vulnerability disclosure, vulnerability discovery, CISA sits at a point where they manage the National Vulnerability Database, or at least they support it for NIST. That is a process by which I think 13,000 or so vulnerabilities were disclosed and managed by CISA last year. So CISA certainly sits in a trend analysis position. I think what CISA needs to do more of is that over-the-top analysis of where things are going, where is the most effective investment of that last dollar. This is a conversation that Dmitri and I have had several times, of the value of investing in patching and the value of investing in hunting. There is a balance you have to strike. You don't want to over-rotate one way, or you are going to throw the entire approach out of balance. But I think we have to do more trend analysis on, you know, for instance, the top 5 areas that you can make the most meaningful vulnerability management investment in your operational technology. That is something I have talked with a number of different OT security companies about. So where I am really going with this is, we need more insight. We can do the technical coordination piece, but we need more insight. That requires people, and it requires communication, and it requires engagement with the community. At that point, leadership will understand. If you give them the resources to smartly invest, then you will actually see, at the endpoint, improved security behaviors. Mrs. Luria. Well, thank you. I would love to continue this conversation separately about, you know, how we are allocating resources and what resources have been allocated; you know, can they meet that improved goal of analyzing the data writ large. Another thing that came up in my district--and I am sure any Member of Congress who, you know, would speak on these issues would have examples from at home--is that we had a ransomware attack at one of our local universities, at Virginia Wesleyan University in my district. They were affected by a ransomware attack in 2019. So I was wondering, for, you know, the institutions of higher learning--this is, you know, a private higher educational institution--are there any resources from the Federal Government or could we do more to protect them? Then, also, to follow on to that, are there requirements for reporting of these types of attacks by institutions of higher learning and specifically private institutions of higher learning? Either Mr. Krebs or maybe Mr. Daniel could respond to this one. Mr. Krebs. So I mentioned earlier the CISA ransomware awareness campaign. Institutes of higher learning, K-12 education are actually in the top 3 of ransomware attacks, along with public health as well as Government agencies. So we have to do more, but, again, you know, some of these institutions just don't have the resources to secure. So we have to push more resources out there to them. CISA, as I understand it, is working now with the Department of Education to have a more targeted approach to K- 12 and college and post-grad. I will defer to Mr. Daniel on anything else he wants to add there. Mr. Daniel. Well, thanks. It is a good question, Representative. I think, there are no general reporting requirements for most private institutions with respect to [inaudible] ransomware. Now, there are resources available from various places, in terms of expertise to--you know, how you want to make that decision about whether or not to pay and then how to remediate your systems. But it is often very difficult to access, and it is not typically in one centralized location. I think one of the efforts that is on-going--Chris made a reference to the ransomware task force that has been put together. That is one of the issues that very much that task force is looking at, is how to make those resources more easily accessible to, you know, things like private universities and others that don't have the resources to call in, you know, an incident responder in the same way that, you know, a big private-sector company might. Mrs. Luria. Well, thank you for that. I am sorry, I think my time has expired. I yield back, Mr. Chairman. Chairman Thompson. Thank you very much. The gentlelady's time has expired. The Chair recognizes the gentleman from Mississippi, Mr. Guest, for 5 minutes. Mr. Guest. Thank you, Mr. Chairman. Since the creation of the internet, we have been battling cyber attacks. New cyber attacks, as we know, have been highlighted by the recent actions involving SolarWinds. We have discussed that in great detail. You mentioned that particularly, Mr. Daniel, in your report. On page 9 of your written testimony, you say, ``In December, several private-sector companies identified malicious activity that enabled the Federal Government to unravel an incredibly broad cyber-enabled espionage campaign. This intrusion effectively gave the Russian Government unfettered access to numerous unclassified U.S. Government networks for over 9 months. It is difficult to overstate the intelligence value the Russians gained from this access or the likely damage to our National security.'' So my question--and I will start with you, Mr. Daniel--is, what should the response be? I see that you come down in the following paragraph and you say, ``We should respond forcibly to this intrusion through diplomatic channels, such as by expelling Russian diplomats or exacting a cost in other venues.'' I want to see if you can expand on that answer, particularly what you are talking about when you say ``exacting a cost in other venues.'' Mr. Daniel. Sure. Thank you, Representative. So I think that, you know, this actually--this kind of intrusion poses an interesting problem for the U.S. Government in responding, and we absolutely should respond. But, so far, all of the information that is available about this intrusion indicates that it is espionage, and espionage is something that the United States carries out itself against our foreign adversaries. So that has to shape and constrain how we think about our response. Now, during the Cold War, we very much had, you know, an understanding with the Russians that, occasionally, espionage operations went beyond the bounds and they got too big and they got out of hand. So when that happened, there was a response, and that often involved expelling diplomats, for example, sort- of the typical term for that is PNG-ing, persona non grata, you know, so you remove those diplomats and suspected Russian agents from the country. But what I mean by the other options are, there are things that the Russians want in the United Nations and in other diplomatic areas. We can slow that down. We can use our influence with our--you know, both ourselves and with our allies to cause them problems in the diplomatic realm. There are things that the Russians want that we can say no to or that we can slow-roll for a while to make it clear our displeasure at the scope and scale of this operation. So while I think that the options for retaliation for us have to be constrained by the fact that we also carry out espionage, that does not mean we have to simply, you know, accept this behavior sort-of meekly and not express our concerns with it. Mr. Guest. Let me change gears with the panel just very quickly. What efforts are being made to leverage technical expertise that exists in many of our universities across the country? Both myself and Chairman Thompson have universities, major universities, here in Mississippi that are both doing great work in the area of cyber research. So my question to the entire panel is, how can we incorporate this work being done at our academic institutions into our National strategy to combat cyber attacks? Ms. Gordon. I will start and be brief and so we can see the whole perspective. No. 1, I think in many instances, the Government does and has relied on the work going in our academic universities, particularly in the research that is going to allow us to be prepared in the future. But what we really need is what you all are talking about here. We need some sort of quest, some problem that is clear, to unleash and put Government money behind it, to really drive people both to those programs and those programs to drive the solutions that we need. So I think we already do tactically. I think we have used it historically, but I think you all are on the threshold of being able to set a flag in the ground and say we have got to go there, and universities are a great place to be driving that forward. Mr. Guest. Any other Members care to comment on the use of the universities to incorporate them into our National strategy? Mr. Krebs. I will simply add that student--current students and recent graduates are going to be key to building out any program. I know at CISA, we use the Scholarship for Service I already mentioned. We had a number, you know, I think 2 dozen interns, paid interns in place that were able to help. In fact, a number of interns were actually on our Election Security Initiative. So, you know, this is a great way to help boost the work force now and in the future. Mr. Guest. To all our witnesses today, I want to thank you. Mr. Chairman, I yield back. Chairman Thompson. Thank you very much. I would like to recognize the vice chair of the Homeland Security Committee, Mr. Torres of New York, for 5 minutes. Mr. Torres. I thank you, Mr. Chair. I read recently in The New York Times that a man by the name of David Evenden, a former hacker for the National Security Agency, essentially went on to become a cyber mercenary, for CyberPoint, an American contractor that had business with the United Arab Emirates and has an office in Dubai, where Mr. Evenden was stationed. According to this report, on behalf of his client, the United Arab Emirates, Mr. Evenden was tasked with hacking into Qatar, and in the process of doing so, he eventually eavesdropped on the private communications between the Government of Qatar and the then First Lady, Michelle Obama. So when I read this anecdote, I was horrified, and I asked myself, how could an American contractor and how could a hacker from our National Security Agency be allowed to eavesdrop on the private communications of the First Lady and be allowed to engage in cyber operations against either the United States or an ally of the United States like Qatar? So 2 questions: How can this be allowed to happen, and how do we ensure that this never happens again? This question can either go to Mr. Daniel or Ms. Gordon. Ms. Gordon. Mike, I will take it to start. It is a horrifying scenario. It is a slippery slope. People with expertise developed at Government, in Government institutions, will leave periodically, and we don't want their knowledge to not be used. So, you know, prohibiting them from doing anything or from advancing the state-of-the-art is not something that would be in our interest. But I also believe that when you engage in something that would be antithetical to the laws of this country, to the standard that you had lived under before, you are still bound to that, and you are smart enough to know what you are engaged in. We have lots of sorts of nondisclosure protection of Classified information, ethical restrictions. I think it is worth considering applying those, but we will have to be very mindful, because that expertise is also the expertise that keeps the United States ahead in being a global leader. Mike. Mr. Torres. Well, to be clear, I am not proposing to prohibit the use of the expertise. I am proposing prohibiting cyber mercenaries from engaging in cyber operations against their own country or against an ally of the United States. That is a---- Ms. Gordon. Yes, you and I see it the same way. I am just saying that as we figure out how to prohibit that, we are going to have to be really mindful of the other side. Mr. Torres. In the interest of time, I want to move on to SolarWinds. You know, well before the breach of the U.S. Government, there were early warning signs that SolarWinds was complacent about its own cybersecurity. According to Reuters in 2017, Mark Arena, the chief executive of a cyber crime intelligence firm, informed the U.S. Government that there was an FBI-wanted cyber criminal offering to sell access to SolarWinds' computers on underground forums. In 2019, Vinoth Kumar, a security expert, warned SolarWinds that anyone could access the company's update server with the password SolarWinds123. Even though SolarWinds broadly serves both the U.S. Government and corporate America, SolarWinds did not even have a chief information security officer. I am curious to know, why would the Government, the Federal Government, do business with a vendor that was so glaringly complacent about its own cybersecurity? The sloppiness of one supply chain vendor like SolarWinds can create systemic risk for the rest of us. So the question is: Do we have a process in place for ensuring that the supply chain vendors with which we do business have sufficient cybersecurity protection? This question, Mr. Krebs. Mr. Krebs. So I think I will pick up where Dmitri opened up in his opening remarks about some of the measures we need to put in place with Federal Government contracting. I have already talked about adding CISA as a--with some degree of privity of contract, or at least information sharing based on individual contracts. But we also have to know where the systemically important software is in the Federal Government, what has elevated privileges, you know, what sort of data is being touched in the cloud environment, you know, who is touching source code, what are the controls in place. Dmitri has a range of recommendations that I think are important. They are just not there yet. So we need to update the Federal acquisition regulation and we need to get deeper into contracts. I think in part what the Department of Defense has done with the CMMC program is a good start. Mr. Torres. Mr. Chair, how much time do I have left? I don't actually see the timer. Chairman Thompson. Well, Mr. Chair, I will be gracious to you. Take as much time as you need. Mr. Torres. OK. I will end on this note. I have a question about cyber strategy. You know, suppose the United States, our cybersecurity apparatus finds a vulnerability, it seems to me we have 2 options. We can either correct the vulnerability and thereby strengthen our cyber defensive capabilities or we can exploit the vulnerability and thereby strengthen our cyber offensive capabilities. It seems to me historically the United States has chosen to prioritize playing defense rather than playing offense, has chosen to exploit vulnerabilities rather than correct them. In light of the SolarWinds breach, did we as a country make a strategic miscalculation in prioritizing cyber offense at the expense of cyber defense? That will be my last question, and I will direct that toward Ms. Gordon. Ms. Gordon. Boy, it has been a continuum, and I think we have moved in the direction that you so clearly articulated, that on the early days, we were looking for advantage in terms of offense. In the days we have seen since, we recognize that advantage is the ability to withstand the kinds of attacks we see. So I think it is always a choice, but I think that the pendulum has swung more in the direction that you articulate, and SolarWinds certainly hammered that home in terms of how to achieve it. Thank you. Mr. Torres. Thank you so much, Mr. Chair. I appreciate your courtesy extended toward me. Chairman Thompson. Thank you very much. The Chair recognizes the other gentleman from New York, Mr. Garbarino. Mr. Garbarino. Garbarino, Mr. Chairman. Chairman Thompson. All right. Mr. Garbarino. Garbarino. Chairman Thompson. Thank you. Mr. Garbarino. Thank you very much, Mr. Chairman, Ranking Member Katko, for putting this hearing together, as well as for the witnesses for their testimony. As Ranking Member for the Subcommittee of Cybersecurity, Infrastructure Protection, and Innovation, I am looking forward to working with Chairwoman Clarke to implement some of the recommendations that we heard today. I have just, like, 1 or 2 questions. You know, we heard about SolarWind and how it was the largest cyber attack on the country up to date. It exposed that we were unprepared, that we were underresourced to deal with the attack. President Biden has recommended a multibillion-dollar infusion for Federal IT modernization and cybersecurity to respond to the SolarWinds breach. I will start with Mr. Krebs, and maybe if somebody else wants to jump in and answer as well. Mr. Krebs, what is your opinion of CISA's Continuous Diagnostics and Mitigation Program? What do we ultimately want it to do? Is it a lot more funding, or is it, you know, better to force aggregate visibility from CDM deployment or a combination of both? Mr. Krebs. So I think we need to invest more in CDM. I think we need to invest more aggressively, and we need to get more organizations onboarded through the various levels of the program. Ultimately, CDM is about knowing what is on the network, who is on the network, and what data is transiting the network. We are still, based on some of the investments to date, taking too slow of an approach, and we need to accelerate that investment. We need to add additional investment for the proactive hunt capabilities, and that is what is going to, as Dmitri mentioned, give us the ability to take that assumption of breach mentality. But as I see it, CDM is going to be the future of the program. Mr. Garbarino. OK. Mr. Krebs. Of Federal cybersecurity. Mr. Garbarino. Any other witnesses want to touch on that? Or I am going to move on. Mr. Alperovitch. Yes, Congressman. I would just like to echo what Chris has said, but the assumption of breach mentality, I think, is most steep. We need to stop pretending that we can stop adversaries from getting to our networks. They will always be able to get in, sometimes through insiders, sometimes through spies that they will be able to insert into our Government. But we need to assume that they are there, we need to hunt for them actively, 24/7, on all of our networks, and kick them out as quickly as possible. That is the winning strategy. I have seen it work in the private sector. I believe it absolutely can work in the Government. Mr. Krebs. This is--if I can just add one little coda on top of that. I have been asked the question a couple times, you know, when are we going to know if the Russians are finally out of the network. You should have always assumed they were there the whole time. That is not the mentality that you want to take. It is continuous hunting. Assume that they are there. Mr. Daniel. Yes. I will just add on top of that, I think the proposals also need to retire a vast amount of the technological debt that the Federal Government has incurred, that there are systems out there that we can't even get continuous diagnostics monitoring on because they are so old. So we need to retire those--we need to retire those systems and modernize much of the Federal Government's IT. Mr. Garbarino. That was actually my follow-up question, Mr. Daniel, about whether or not everybody should be required to update, every Federal agency. So I imagine everybody here feels the same way. Mr. Krebs. So I would--one of the things I think a missed opportunity we had, both through earlier steps of CARES Act but also the more recent COVID-related package of that $10 billion, that $9 billion for Federal agencies to upgrade and modernize their systems is absolutely critical. It is really, really tough right now to secure, as Michael pointed out. We have to upgrade these systems. So whatever the next opportunity is, whether it is some Capitol Police-related legislative package, I really encourage Congress to think hard about what additional funding is required to secure the Executive branch. Mr. Garbarino. Mr. Chairman, I have to run to another hearing. I did have another question, but I do have to go to another hearing, so I yield back. I definitely thank the Chairman and the witnesses for their testimony today. Chairman Thompson. Thank you very much. Let me also thank the witnesses for their testimony. The accolades you have already received from my coworkers on the committee speaks volumes for their appreciation for your response to their questions. The Members of the committee may have additional questions---- Ms. Jackson Lee. Mr. Chairman? Mr. Chairman, if I might be yielded to for just a moment? This is Sheila Jackson Lee. Chairman Thompson. The lady from Texas is recognized. Ms. Jackson Lee. Thank you very much, Mr. Chairman. What an enriching and very powerful discussion. One of the agencies that has been on the forefront of cybersecurity is obviously our Defense Department--and when I say on the forefront, they have a infrastructure dealing with this. I think what we have gleaned from this meeting, that there needs to be a coming together on the domestic security and the vulnerabilities that we experience. I think this committee hearing, Mr. Chairman, has been singular in highlighting those issues. I join with my colleagues--I have heard a number of ideas-- I join with my colleagues that we should be on the offensive and not the defensive. I have just heard Director Krebs talk about shoring up the Executive. So I am hoping that our leadership will recognize that we probably, as swiftly as you are, Mr. Chairman, by having this hearing, that we need to move swiftly. I will conclude by saying, even before SolarWinds, we wrote legislation dealing with a zero-day event, which now sets enormous panic for me, because it is more than a viable possibility, and that is when all of our systems are at a level of--a diminishing level. So I hope that what we have gotten out of this hearing is a sense of urgency and the ability to work with you, Mr. Chairman, and all the Chairs on the number of committees. I am glad to be on one of the subcommittees to really say to the administration and say to the Nation that cybersecurity has to be, from the domestic security perspective, a heightened and enlightened defense effort, if you will. I can see that we can do it in this committee. So thank you very much. I just wanted to thank you for the hearing and thank the witnesses for the hearing as well. I have been through this a lot, and to hear your representation gives us a great road map for us to proceed on. So thank you each and every one of you. Chairman Thompson. Thank you very much. The Members of the committee may have additional questions for the witnesses and we ask you respond expeditiously in writing to those questions. Without objection, the committee's record shall be kept open for 10 days. Hearing no further business, the committee stands adjourned. [Whereupon, at 5:22 p.m., the committee was adjourned.] A P P E N D I X ---------- Questions From Honorable Michael T. McCaul for Christopher C. Krebs Question 1. What role do State and local government IT infrastructures play in ensuring the security of our Nation? What specific steps can State/local entities take to improve their IT infrastructure, what resources can we provide them, and can you speak to the increased funding that you proposed in your testimony? Answer. Response was not received at the time of publication. Question 2. Are there any gaps where you think the Legislative branch might step in to protect the United States against cybersecurity threats, including misinformation? Moving forward, how can Congress help CISA in their efforts? Answer. Response was not received at the time of publication. Question 3. What are some common misconceptions about the security of our elections? What can we do to promote transparency regarding the administration of our elections? Answer. Response was not received at the time of publication. Question From Honorable Jake LaTurner for Christopher C. Krebs Question. With the perpetrators of the Solarwinds hack likely still lurking in our systems, monitoring unencrypted communications, gathering valuable information on how we respond, would you agree the Federal Government needs to prioritize operational security by leveraging secure communications as a critical first line of defense? Answer. Response was not received at the time of publication. Question From Honorable Jake LaTurner for Susan M. Gordon Question. With the perpetrators of the Solarwinds hack likely still lurking in our systems, monitoring unencrypted communications, gathering valuable information on how we respond, would you agree the Federal Government needs to prioritize operational security by leveraging secure communications as a critical first line of defense? Answer. Response was not received at the time of publication. Question From Honorable Jake LaTurner for Michael Daniel Question. Now that there are unified communications capabilities available in establishing a strong, resilient crisis response plans to prevent and mitigate future intrusions, what role does end-to-end encryption play and should the Government place priority on communications that allows for global federation so that Government agencies are able to communicate securely with external parties? Answer. Secure communications are critical to almost all Government activities, including policy development, service provision, cybersecurity, and crisis response, and these activities must involve interactions between the Government and the private sector to be effective. Given the capabilities of our adversaries, making communications secure requires strong end-to-end encryption, but such encryption also poses a challenge to law enforcement in preventing or disrupting crimes. As a result, the encryption debate is a security- versus-security debate. There is no single ``right'' answer to this debate. Societies must decide how much security of the first kind they are willing to trade for the second and vice-versa.