[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


               EVOLVING THE U.S. APPROACH TO CYBERSECURITY:
                RAISING THE BAR TODAY TO MEET 
                THE THREATS OF TOMORROW

=======================================================================


                                 HEARING

                               BEFORE THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 3, 2021

                               __________

                           Serial No. 117-36

                               __________

       Printed for the use of the Committee on Homeland Security
                                     


        Available via the World Wide Web: http://www.govinfo.gov

                               __________


                   U.S. GOVERNMENT PUBLISHING OFFICE                    
47-035 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------   
 
                  COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement.................................................     3
  Prepared Statement.............................................     5

                               Witnesses

Mr. J. Chris Inglis, National Cyber Director, Executive Office of 
  the President of the United States:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
Ms. Jen Easterly, Director, Cybersecurity and Infrastructure 
  Security Agency, U.S. Department of Homeland Security:
  Oral Statement.................................................    12
  Prepared Statement.............................................    14

                                Appendix

Question From Honorable Michael Guest for Jen Easterly...........    57

 
 EVOLVING THE U.S. APPROACH TO CYBERSECURITY: RAISING THE BAR TODAY TO 
                      MEET THE THREATS OF TOMORROW

                              ----------                              


                      Wednesday, November 3, 2021

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:03 a.m., via 
Webex, Hon. Bennie G. Thompson [Chairman of the committee] 
presiding.
    Present: Representatives Thompson, Jackson Lee, Langevin, 
Payne, Slotkin, Cleaver, Green, Clarke, Titus, Watson Coleman, 
Torres, Katko, Higgins, Guest, Van Drew, Norman, Miller-Meeks, 
Clyde, Gimenez, LaTurner, Meijer, Cammack, Pfluger, and 
Garbarino.
    Chairman Thompson. The Committee on Homeland Security will 
come to order.
    I would like to thank National Cyber Director Inglis and 
CISA Director Easterly for participating in today's hearing on 
how the Federal Government is maturing its approach to securing 
Federal networks and critical infrastructure. At the outset, I 
would like to commend the administration for its steadfast 
commitment to confronting the cybersecurity challenges facing 
the Nation, and I would like to thank both of you for the 
important role you play. This committee has a long history of 
bipartisan collaboration in support of advancing strong, sound 
cybersecurity policy, and we look forward to working with both 
of you in your respective roles.
    Last Congress, Members of the committee worked together to 
raise CISA's funding, expand CISA's authorities, and authorize 
the National cyber director. With the support of this 
committee, CISA worked tirelessly with State and local election 
officials to ensure the most secure election in history--during 
a global pandemic no less. But late last year, we learned that 
the Russian government conducted a sophisticated supply chain 
attack and gained access to our Government and private-sector 
networks. Only months later, Microsoft disclosed that Chinese 
hackers exploited multiple zero-day vulnerabilities in 
Microsoft Exchange Servers to gain access to emails and 
maintain persistent access to the networks. A series of high-
profile ransomware attacks threatening the fuel and food supply 
followed. Just yesterday, voters went to the polls to cast 
their ballots even as efforts to push the big lie and erode 
public confidence in democratic institutions persist.
    These events forced three important conversations: How do 
we activate resources and authorities quickly to modernize 
Federal network security programs? Does the Federal approach to 
securing critical infrastructure, which relies heavily on 
voluntary frameworks, serve the National security interests of 
the American people? How do we protect public confidence in our 
democratic institutions, particularly our elections?
    To its credit, the administration has confronted these 
challenges head-on, laid out a bold agenda, and put its money 
where its mouth is. From the ambitious Executive Order on 
Improving the Nation's Cybersecurity, to the National Security 
Memorandum on Improving Cybersecurity for Critical 
Infrastructure Control Systems, to the pipeline security 
directives, the administration is aggressively leveraging 
existing authorities to raise the Nation's cybersecurity 
posture. Last week, the White House asked Congress to expand 
the Environmental Protection Agency's ability to regulate 
cybersecurity for the water sector.
    Moving forward, I will be interested to know whether you 
expect the administration to leverage or seek similar 
authorities to impose mandatory cyber standards on other 
sectors, and if so, what you expect the role of your 
organizations to be in that process.
    Given my role on both this committee and the January 6th 
Select Committee, I am disturbed by how disinformation fosters 
conspiracy theories, divides us, and makes us doubt our 
democratic institutions. I will be interested to understand how 
CISA is maturing its election security activities, related to 
both the security of election infrastructure and its rumor 
control efforts.
    While I appreciate the administration doing what it can by 
leveraging the authorities it has, this committee is working 
hard to provide many of the additional authorities necessary 
for CISA to take on the challenges ahead. For example, 
bipartisan members of the committee offered amendments to the 
NDAA that would establish a mandatory cyber incident reporting 
framework, authorize the CyberSentry program, and establish the 
Joint Collaboration Environment. I am hopeful that today we can 
discuss how you will implement those measures when they are 
enacted into law, as I expect them to be.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                            November 3, 2021
    Good morning. I would like to thank National Cyber Director Inglis 
and CISA Director Easterly for participating in today's hearing on how 
the Federal Government is maturing its approach to securing Federal 
networks and critical infrastructure.
    At the outset, I would like to commend the administration for its 
steadfast commitment to confronting the cybersecurity challenges facing 
the Nation, and I would like to thank both of you for the important 
role you play.
    This committee has a long history of bipartisan collaboration in 
support of advancing strong, sound cybersecurity policy, and we look 
forward to working with both of you in your respective roles.
    Last Congress, Members of the committee worked together to raise 
CISA's funding, expand CISA's authorities, and authorize the National 
cyber director.
    With the support of this committee, CISA worked tirelessly with 
State and local election officials to ensure the most secure election 
in history--during a global pandemic no less.
    But late last year, we learned that the Russian government 
conducted a sophisticated supply chain attack and gained access to our 
Government and private-sector networks.
    Only months later, Microsoft disclosed that Chinese hackers 
exploited multiple zero-day vulnerabilities in Microsoft Exchange 
Servers to gain access to emails and maintain persistent access to the 
networks.
    A series of high-profile ransomware attacks threatening the fuel 
and food supply followed.
    And just yesterday, voters went to the polls to cast their ballots 
even as efforts to push the Big Lie and erode public confidence in 
democratic institutions persist.
    These events forced three important conversations:
    How do we activate resources and authorities quickly to 
        modernize Federal network security programs?
    Does the Federal approach to securing critical 
        infrastructure--which relies heavily on voluntary frameworks--
        serve the National security interests of the American people?
    How do we protect public confidence in our democratic 
        institutions, particularly our elections?
    To its credit, the administration has confronted these challenges 
head-on, laid out a bold agenda, and put its money where its mouth is.
    From the ambitious Executive Order on Improving the Nation's 
Cybersecurity, to the National Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems, to the 
pipeline security directives, the administration is aggressively 
leveraging existing authorities to raise the Nation's cybersecurity 
posture.
    Last week, the White House asked Congress to expand the 
Environmental Protection Agency's ability to regulate cybersecurity for 
the water sector.
    Moving forward, I will be interested to know whether you expect the 
administration to leverage or seek similar authorities to impose 
mandatory cyber standards on other sectors, and if so, what you expect 
the role of your organizations to be in that process.
    Given my role on both this committee and the January 6th Select 
Committee, I am disturbed by how disinformation fosters conspiracy 
theories, divides us, and makes us doubt our democratic institutions.
    I will be interested to understand how CISA's maturing its election 
security activities, related to both the security of election 
infrastructure and its rumor control efforts.
    While I appreciate the administration doing what it can by 
leveraging the authorities it has, this committee is working hard to 
provide many of the additional authorities necessary for CISA to take 
on the challenges ahead.
    For example, bipartisan Members of the committee offered amendments 
to the NDAA that would establish a mandatory cyber incident reporting 
framework, authorize the CyberSentry program, and establish the Joint 
Collaboration Environment.
    I am hopeful that today we can discuss how you will implement those 
measures when they are enacted into law, as I expect them to be.
    With that, I look forward to the testimony from the witnesses and I 
yield back.

    Chairman Thompson. With that, I look forward to the 
testimony from the witnesses and I yield to the Ranking Member 
of the full committee, the gentleman from New York, Mr. Katko.
    Mr. Katko. Thank you, Chairman Thompson, for hosting this 
most important hearing today. Welcome to the witnesses, 
Director Inglis and Director Easterly. I am pleased to have 
both of you here.
    I am going to echo the Chairman's sentiments. This isn't 
partisan at all, these are damned good appointments to really 
important positions within the cybersecurity realm. I applaud 
the administration for doing that.
    I appreciate you all being here today to provide testimony 
on your strategic goals and discuss how Congress can work with 
the administration to secure the cyber threats of tomorrow.
    We started off 2021 by uncovering the impact of the 
devastating SolarWinds cyber espionage campaign. But, as we 
all know, the attacks did not stop there. While they may seem 
distant, the Microsoft Exchange vulnerability, Pulse Connect, 
and other significant ransomware attacks, including the attacks 
on Colonial Pipeline, Kaseya, and JBS, happened this year 
alone. As a result, CISA has issued an unprecedented number of 
emergency directives, alerts, and advisories regarding serious 
vulnerabilities and cyber threats. Just this week, CISA 
announced it was issuing a binding operational directive to 
quickly remediate known vulnerabilities across the Federal 
enterprise, and I applaud that.
    The volume of our alerts, advisories, and directives goes 
to show the pervasiveness of vulnerabilities affecting owners 
and operators of critical infrastructure and Federal networks.
    CISA has performed commendable work given the daunting task 
it has faced over the past 20 years. This in part has been due 
to additional authorities from the Fiscal Year 2021 National 
Defense Authorization Act. This includes significant 
authorities, such as the ability to issue administrative 
subpoenas to notify critical infrastructure entities of 
vulnerable devices, as well as the authority to conduct threat 
hunting on Federal agency networks without advance notice.
    While new authorities are an important piece, CISA must 
also be fully funded. I have been a strong proponent of 
responsible growth at CISA and I am pleased the House 
Committee-passed appropriations bill puts the agency on that 
path.
    We must also move past bureaucratic turf battles and 
remember that cyber incidents are rarely sector-specific. We 
need to continue building on the resources within CISA as a 
central agency that can quickly connect the dots when a 
malicious cyber campaign spans multiple sectors and then share 
that information across a broader critical infrastructure 
community.
    Director Inglis, this is where I expect you to have an 
important role. Given your role as a principal advisor for 
cybersecurity, the ``head coach'', as I like to call it, or the 
one overseeing the entire Federal Government's cybersecurity 
mission, it is important that you are setting the tone that 
everyone has a role to play and must work together.
    I look forward to learning more about the various roles and 
responsibilities of your position, the National Security 
Council, and the CISA director.
    To ensure CISA can successfully carry out its mission, it 
needs a higher degree of visibility into cybersecurity threats 
and incidents impacting private-sector networks. Increased 
collaboration across governments and private industry is 
essential. I applaud new initiatives, such as CISA's stand-up 
of the Joint Cyber Defense Collaborative.
    We also need to ensure the information being shared with 
the private sector is timely, actionable, and meets the needs 
of a diverse set of cross-sector stakeholders. To be sure, we 
need to work on that and get better with that.
    It is important that there be a high-value proposition for 
entities to partner with CISA. It can't be a one-way street.
    I am pleased to have partnered with Chairman Thompson and 
Subcommittee Chairwoman Clarke on mandatory cyber incident 
reporting legislation, as it will be another important tool for 
CISA to have to protect the critical infrastructure community, 
but it won't be a silver bullet.
    We live in a world of an increasingly interdependent web of 
hardware, software, services, and other connected 
infrastructure. Single points of failure in layers of systemic 
importance across this ecosystem leave the potential for 
cascading impact, which is why I have been focusing on 
legislation that would require that CISA designate and 
prioritize risks to key infrastructure sectors as they work to 
mitigate cyber risks across the various industry sectors and 
Government entities facing threats from nefarious cyber actors 
every day.
    As CISA nears its whopping third anniversary in a few 
weeks, it is incumbent upon Congress to ensure CISA is 
appropriately prioritizing its mission space and focusing on 
what it does best within its limited resources to address the 
most pressing challenges in the evolving threat environment.
    Between these two highly-capable witnesses here today, 
Director Easterly and Director Inglis, I am confident that our 
Federal Government is poised to tackle the growing litany of 
cyber threats facing our Nation.
    I want to just note from a personal standpoint before I 
end, this is the way Government is supposed to work. You all 
are getting along and you are working well together. I dare say 
you should stand as an example for other agencies to follow, 
just like I hope Chairman Thompson and I set an example for 
others in Congress, which we hope they would follow more than 
they do.
    Again, I want to thank you very much for being here today 
and I look forward to hearing testimony from both of you.
    I yield back.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    Thank you, Chairman Thompson, for hosting this hearing today. Thank 
you to Directors Easterly and Inglis for joining us to provide 
testimony on your strategic goals and discuss how Congress can work 
with the administration to secure the cyber threats of tomorrow.
    We started off 2021 by uncovering the impact of the devastating 
SolarWinds cyber espionage campaign, but, as we all know, the attacks 
did not stop there.
    While they may seem distant, the Microsoft Exchange Vulnerability, 
Pulse Connect, and other several significant ransomware attacks, 
including the attacks on Colonial Pipeline, Kaseya, and JBS, happened 
this year alone.
    As a result, CISA has issued an unprecedented number of Emergency 
Directives, Alerts, and Advisories regarding serious vulnerabilities 
and cyber threats. Just this week, CISA announced it was issuing a 
Binding Operational Directive to quickly remediate known 
vulnerabilities across the Federal enterprise.
    The volume of alerts, advisories, and directives goes to show the 
pervasiveness of vulnerabilities affecting owners and operators of 
critical infrastructure, and Federal networks.
    CISA has performed commendable work given the daunting task it has 
faced over the past few years. This, in part, has been due to 
additional authorities from the Fiscal Year 2021 National Defense 
Authorization Act (NDAA).
    This includes significant authorities such as the ability to issue 
administrative subpoenas to notify critical infrastructure entities of 
vulnerable devices, as well as the authority to conduct threat hunting 
on Federal agency networks without advanced notice.
    While new authorities are an important piece, CISA must also be 
fully funded. I have been a strong proponent of responsible growth at 
CISA, and I'm pleased the House Committee-passed Appropriations bill 
puts the agency on that path.
    We must also move past bureaucratic turf battles and remember that 
cyber incidents are rarely sector-specific. We need to continue 
building on the resources within CISA as the central agency that can 
quickly connect the dots when a malicious cyber campaign spans multiple 
sectors, then share that information across the broader critical 
infrastructure community.
    Director Inglis, this is where I expect you to have an important 
role. Given your role as the principal advisor for cybersecurity, or as 
I like to call it, the head coach, the one overseeing the entire 
Federal Government's cybersecurity mission. It's important that you're 
setting the tone that everyone has a role to play and must work 
together. I look forward to learning more about the various roles and 
responsibilities of the NCD, the National Security Council, and the 
CISA director.
    To ensure CISA can successfully carry out its mission, it needs a 
high degree of visibility into cybersecurity threats and incidents 
impacting private-sector networks. Increased collaboration across 
governments and private industry is essential. I applaud new 
initiatives such as CISA's stand-up of the Joint Cyber Defense 
Collaborative (JCDC).
    We also need to ensure that information being shared with the 
private sector is timely, actionable, and meets the needs of a diverse 
set of cross-sector stakeholders. It's important that there be a high-
value proposition for entities to partner with CISA--it can't be a one-
way street.
    I am pleased to have partnered with Chairman Thompson and 
Subcommittee Chairwoman Clarke on mandatory cyber incident reporting 
legislation, as it will be another important tool for CISA to have to 
protect the critical infrastructure community. But it won't be a silver 
bullet.
    We live in a world of an increasingly interdependent web of 
hardware, software, services, and other connected infrastructure. 
Single points of failure and layers of systemic importance across this 
ecosystem leave the potential for cascading impact.
    Which is why I have been focusing on legislation which would 
require that CISA designate and prioritize risks to key infrastructure 
sectors as they work to mitigate cyber risks across the various 
industry sectors and Government entities facing threats from nefarious 
cyber actors every day.
    As CISA nears its third anniversary in a few weeks, it's incumbent 
on Congress to ensure CISA is appropriately prioritizing its mission 
space and focusing on what it does best within its limited resources to 
address the most pressing challenges in the evolving threat 
environment.
    Between the two highly-capable witnesses here today, Director 
Easterly and Director Inglis, I am confident that our Federal 
Government is poised to tackle the growing litany of cyber threats 
facing our Nation.
    Again, thank you for being here today, and I look forward to 
hearing your testimony.

    Chairman Thompson. The gentleman yields back.
    Other Members of the committee are reminded that under 
committee rules opening statements may be submitted for the 
record.
    I now welcome our panel of witnesses.
    Our first witness is National Cyber Director Chris Inglis. 
Director Inglis has over 40 years of Government service, 
including 30 years of service in the Air Force. Director Inglis 
held singular leadership assignments at the Department of 
Defense and the National Security Agency throughout his career, 
including deputy director and senior civilian leader.
    Our second witness is Cybersecurity and Infrastructure 
Security Agency Director Jen Easterly. Director Easterly also 
has a strong record of Government service, including two tours 
of the White House during both the Obama and Bush Two 
administrations. An Army veteran of 20 years of service, she 
was responsible for standing up the Army's first cyber 
battalion and was instrumental in the design and creation of 
the United States Cyber Command.
    Before we begin receiving testimony, I would like to 
recognize the impressive military service records of both of 
our witnesses and thank them, and all veterans, for their 
service in advance of Veterans Day next week.
    Thank you for your participation here today. I look forward 
to your testimony.
    Without objection, the witnesses' full statements will be 
inserted in the record.
    I now ask each witness to summarize their statement for 5 
minutes, or do the best you can, beginning with Director 
Inglis.

    STATEMENT OF J. CHRIS INGLIS, NATIONAL CYBER DIRECTOR, 
     EXECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATES

    Mr. Inglis. Chairman Thompson, Ranking Member Katko, 
distinguished Members of the committee and staff, thank you for 
the privilege to appear before you today and the honor to 
appear alongside Director Easterly. I am eager to update you on 
the Biden/Harris administration's progress in standing up the 
new Office of the National Cyber Director and to discuss the 
administration's approach to cybersecurity.
    The President's commitment to cybersecurity is a matter of 
National security and is an issue of concern to all Americans, 
as evidenced by the positions he created, the appointments he 
made, as well as by the speed with which the administration 
continues to modernize defenses and bolster our security.
    I am of course appearing before you today as the inaugural 
National cyber director, a position this Congress created in 
January, confirmed for me in June after nomination by President 
Biden. I am grateful for the confidence that the President and 
the Congress have placed in this role, for the opportunity to 
bring it to life, and for the cybersecurity and critical 
infrastructure resilience investments you are endeavoring to 
make in the proposed Infrastructure Investment and Jobs Act, 
and elsewhere. I remain committed to engaging with you as we 
can on these critical and shared imperatives.
    To that end, I am pleased to tell you that the new office 
is making progress as a full-fledged leader in these imperatives. 
On Thursday, October 28 we publicly released the National cyber 
director's first strategic intent statement, which outlines the 
strategic approach and the scope of the work that I intend the 
office to undertake. At the same time, we announced the 
designation of Chris DeRusha as the deputy National cyber 
director for Federal cybersecurity, a dual-hatted title that 
he will hold along with his current role as the Federal chief 
information security officer. We will create unity of effort 
and unity of purpose in our shared mission to ensure the 
security of Federal networks. Both of these announcements lay 
the groundwork for the office's approach, but are certainly not 
the sum total of our intended endeavors. We continue to build 
out the National cyber director team and, equally important, 
relationships with key partners inside and outside of the 
Federal Government and will follow up in the very near future 
with a more concrete comprehensive description of our 
priorities and the strategic objectives that will guide our 
work for years to come.
    The Office of the National Cyber Director is of course 
currently constrained by the lack of an appropriated budget and 
we continue to work with Congress to secure the resources we 
need to bring on key staff. Beyond the constraint this places 
on our ability to hire key staff members, make necessary 
procurement and acquisitions, and find permanent office space 
for our future, the lack of appropriations inhibits our ability 
to plan and delays our ability to quickly and fully make the 
expected contributions of the National cyber director.
    That limitation notwithstanding, I am pleased to inform the 
committee that we have built a robust pipeline of talent and 
once appropriations are available expect to reach a total of 25 
personnel on board by the end of December and a full complement 
sometime later in fiscal year 2022.
    As I have testified previously to the Senate Homeland 
Security and Governmental Affairs Committee, the National cyber 
director looks to four key outcomes as its benchmark of 
success. Given the foundations that these priorities establish 
for accountability of the National cyber director, I will 
comment briefly on them here.
    First, the Office will drive coherence across the Federal 
enterprise, ensuring that we build, operate, and defend digital 
infrastructure under control of the Federal Government and 
support the private sector with unity of purpose, effort, and 
messaging.
    Second, we will zero in on improving private-public 
collaboration, supporting and building on the work of CISA and 
others.
    Third, in close collaboration with the Office of Management 
and Budget, we will ensure that the U.S. Government is aligning 
its resources to its aspirations and accounting for the 
execution of cyber resources entrusted to its care.
    Finally, the Office will work to increase present and 
future resilience not only within the Federal Government, but 
across the American digital ecosystem, in technology, the 
skills of our people, and in roles and responsibilities. This 
is, of course, a big task which we have initiated by exercising 
incident response and planning processes and we will continue 
to evolve these processes so they are future-proofed for 
tomorrow.
    None of this work occurs in a vacuum and much of the credit 
for progress in developing these themes and in the work of 
putting them into practice must go to my partners on the 
National Security Council, my colleague sitting alongside me, 
Director Easterly, and many others serving in the Federal cyber 
ecosystems. The challenges we face are daunting and overcoming 
them will require realizing a digital ecosystem that is 
resilient by design and robustly defended, a policy and 
commercial environment that aligns actions to consequences, and 
ensuring that public and private sectors proactively and 
decisively collaborate.
    Although the Office of the National Cyber Director is a 
young and still small office, we have made significant progress 
and are building robust relationships with our inter-agency 
partners. When funding is in place and with the continued 
leadership and support of this Congress, the ONCD will be in a 
strong position to lead in enhancing the security and 
resilience of our Nation's cyber ecosystem.
    I thank you for the opportunity to testify before you 
today. I look forward to your questions.
    [The prepared statement of Mr. Inglis follows:]
                 Prepared Statement of J. Chris Inglis
                            November 3, 2021
    Chairman Thompson, Ranking Member Katko, distinguished Members of 
the committee, and your staff--thank you for the privilege to appear 
before you today, and the honor to appear alongside Director Easterly. 
I am eager to update you on the Biden-Harris administration's progress 
in standing up the new Office of the National Cyber Director (ONCD) and 
to discuss the administration's approach to cybersecurity. The 
President's commitment to cybersecurity as a matter of National 
security is evident both by the positions he created and appointments 
he made, as well as the unmatched speed with which the administration 
continues to act to modernize our defenses and bolster our security in 
11 short months.
    But first, I wanted to recognize the history of this particular 
moment. I am appearing before you as the first National cyber director 
(NCD), a position the Congress created just last year, and then 
confirmed me for following my nomination by President Biden. I am 
grateful for the confidence that the President and Congress have placed 
in me in this role, as well as for the cybersecurity and critical 
infrastructure resilience investments that you are endeavoring to make 
in the proposed Infrastructure Investment and Jobs Act and elsewhere. I 
remain committed to engaging with you as we take on these critical, 
shared imperatives.
    To that end, I am pleased to tell you that our new office is making 
progress as a full-fledged leader in those imperatives. On Thursday, 
October 28, I released the NCD's first Strategic Intent Statement, 
which outlines at a high level the strategic approach and scope of work 
I expect my office to undertake. At the same time, I announced the 
designation of Chris DeRusha as a deputy National cyber director for 
Federal cybersecurity, a dual-hatted title he will hold along with his 
current role as Federal chief information security officer, creating 
unity of effort and unity of purpose in our shared mission to ensure 
the security of Federal networks. Both of these announcements lay the 
groundwork for the ONCD's approach but are certainly not the sum total 
of our endeavors. We will continue to build out our leadership team and 
our strategic intent will soon be followed by a more concrete, 
comprehensive description of our priorities and strategic objectives 
that will guide our work for years to come.
    While we will continue working with Congress to secure the 
resources we need to bring on key staff, I am pleased to inform the 
committee that we have built a robust pipeline of talent and expect to 
reach a total of 25 personnel on board by the end of December. 
Additionally, with limited funds from the President's Unanticipated 
Needs Fund, we have procured an office suite for the Office of the 
National Cyber Director at the 716 Jackson Place Townhome within the 
White House complex. I would emphasize, however, that without 
appropriations, we remain limited in our ability to hire key staff 
members, make necessary procurement and acquisitions, and find 
permanent office space for our future, full complement of staff. More 
fundamentally, the lack of appropriations inhibits our ability to plan 
and delays our ability to quickly and fully realize the role of the 
NCD.
    As I have testified previously to the Senate Homeland Security and 
Government Affairs Committee, the ONCD looks to four key outcomes as 
its benchmark of success. Given the foundations these priorities 
establish for ONCD accountability, I will comment on them here.
   First, the ONCD will drive coherence across the Federal 
        cyber enterprise--from coordinating with NIST in standards and 
        guideline development, harmonizing our approach to supply chain 
        risk management, supporting the Cybersecurity and 
        Infrastructure Security Agency (CISA) in providing operational 
        support to Federal agencies, and working in partnership with 
        OMB to resource these key cybersecurity initiatives. This means 
        ensuring that the Government is speaking with one voice, moving 
        in the same direction, and, to the greatest extent practicable, 
        sharing common priorities by which we can organize our 
        collective efforts for maximum possible effect. Acting with 
        unity of purpose and effort in the defense of our digital 
        infrastructure is an absolute imperative.
   Second, the ONCD will ensure the continued improvement of 
        public-private collaboration in cybersecurity. We will work 
        closely with Director Easterly, CISA, the National Institute of 
        Standards and Technology (NIST), and Sector Risk Management 
        Agencies and seek to expand engagement and partnership across 
        sectoral lines to new levels--because tackling the cyber 
        challenges we face demands nothing less. The new Joint Cyber 
        Defense Collaborative (JCDC), hosted by CISA and leveraging 
        authorities, capabilities, and talents of the Federal cyber 
        ecosystem in partnership with industry, will play an important 
        role in this effort, and I look forward to working with the 
        JCDC and other associated initiatives to ensure synergy across 
        the Federal Government.
   Third, we will ensure that the U.S. Government is aligning 
        our cyber resources to our aspirations and accounting for the 
        execution of cyber resources entrusted to our care. We are in 
        close discussions with OMB on how best to exercise the National 
        Cyber Director's budget review and recommendations authority to 
        identify investments that warrant an increase and those that 
        may not be having the intended impact or effect. The ONCD 
        intends to work with and through OMB in assessing and 
        evaluating the performance of these investments and advising 
        departments and agencies on recommended changes and updates in 
        alignment with administration priorities.
   Finally, the Office will work to increase present and future 
        resilience of technology, people, and doctrine, not only within 
        the Federal Government, but also across the American digital 
        ecosystem. We expect to do this by identifying common, emerging 
        priorities in partnership with relevant departments and 
        agencies and planning strategic, Government-wide initiatives to 
        address them. That is a big task for which we will start by 
        exercising our incident response and planning processes, and we 
        hope to soon be working to ensure our workforce, technologies, 
        and our structures and organizations are not only fit for 
        purpose today, but are prepared for the challenges of tomorrow.
    None of this work occurs in a vacuum, and much of the credit for 
progress in developing these themes and in the work of putting them 
into practice must go to my partners at the National Security Council, 
my colleague sitting alongside me--Director Easterly--and many others 
serving in the Federal cyber ecosystem.
    Attempting to subvert this cyber ecosystem is attractive to our 
adversaries and frustrating to our allies because of how difficult it 
is for any one country or entity to have the benefit of a complete 
picture of actions and actors across its shared spaces. Cyber space 
allows a reach and efficiency of scale unrivaled in any other domain, 
meaning that our geopolitical competitors can have global reach and 
strategic effect; criminals and malicious actors can wield an 
unprecedented level of influence, impact, and coercion.
    The general strategic imperatives emerging in response to these 
threats include ensuring our digital infrastructure is resilient by 
design, proactively defended by collaborative coalitions, and 
backstopped by a doctrine that delivers benefits for good behavior and 
costs for bad. For the committee's consideration, I submit there are 
three categories of threat that are systemic, enduring, and globally 
diffuse in nature and warrant continued effort and attention.
   First is the vulnerability of our software supply chains. As 
        we saw with the SolarWinds intrusion, sophisticated malicious 
        actors are exploiting security and quality control seams among 
        software service providers and software development pipelines, 
        affording those actors the ability to rapidly ``scale up'' the 
        reach and depth of their malicious activities across our 
        digital ecosystem.
   Second is the pervasive vulnerability of the products and 
        devices that enable opportunistic cyber attacks typified by 
        ransomware actors and more sophisticated actors alike. Poor 
        security practices, insecure design, short-sighted approaches 
        to doctrine, and a lack of cyber talent among the workforce 
        remain wide-spread, even in the face of known flaws, 
        shortcomings, and vulnerabilities. Propagating best practices--
        including enforcing accountability for those who do not adhere 
        to those practices--will be critical to righting the ship.
   Finally, we must remain laser-focused on maintaining the 
        integrity of our information and telecommunications 
        infrastructure against high-risk actors. Large portions of the 
        hardware supply chain underpinning our most critical such 
        technologies are located in countries that could leverage it 
        for intelligence gathering or disruption at global scale.
    These threats are serious and are receiving urgent and aggressive 
attention from the Biden-Harris administration. The administration is 
also, however, looking beyond these immediate threats and toward how to 
shape the future of cyber space so that such threats are systemically 
blunted or mitigated. This requires not only a thorough understanding 
of the nature of the threats, but also a clear vision for our digital 
ecosystem and what we want that ecosystem to achieve. With such a 
vision, we can pursue the fundamental, systemic changes necessary to 
realize the digital future in which we want to live. Such changes 
require clarity of accountability and depth of collaboration.
    Accountability must flow in both positive and negative directions. 
It is rarely clear what it means to ``do the right thing'' when 
preparing or responding to a cyber incident, and harder yet to 
celebrate the benefits of an attack avoided. Conversely, the 
consequences for failing to take appropriate security steps are not 
always clear, even for those who knew (or should have known) how to 
secure their systems and who had the resources to do so, yet still 
chose not to do it. A key priority for the ONCD will be examining roles 
and responsibilities between the public and private sectors so as to 
make the required clarity of responsibility more actionable. It is an 
oft-cited statistic that 85 percent of our critical infrastructure is 
owned and operated by the private sector, and that privately-owned 
critical infrastructure is increasingly core to the Government's 
imperative to protect and provide for National security. Shared defense 
is not a choice, but an imperative.
    Incorporating these lessons into a modern social contract will also 
require us to consider which stakeholders in the digital ecosystem 
should be held accountable for what magnitude of responsibilities. As I 
articulated in our office's first Strategic Intent Statement, the 
complexity of our challenges in cyber space has too often resulted in 
responsibility for systemic cyber risk being devolved onto the 
smallest, least-sophisticated actors: Individuals, small businesses, 
and local governments. The potential consequences of one key 
individual's password being compromised are simply too grave; tools 
like multi-factor authentication are a critical means to staunch the 
bleeding, but are not in and of themselves a systemic remedy. It is 
unreasonable to ask everyday Americans to maintain constant digital 
vigilance without also looking to key stakeholders to shoulder a 
greater share of this ecosystem-wide burden, especially those firms 
charged with operating and securing our information and communications 
systems and networks. How and where this burden reallocation should 
happen will be one of our preeminent objectives.
    To achieve these and other objectives, it is clear that more 
routine and explicit statements of priorities and guidance on a year-
to-year basis will support Departments and agencies in their efforts to 
set their own planning and operational priorities. The Federal 
Government undertakes a vast array of actions and programs to support 
and defend the private sector in cyber space; ensuring coherence across 
these lines of effort will be key in ensuring these initiatives are 
always mutually supporting and never redundant. Realizing this unity of 
effort and unity of purpose will continue to be a core guiding 
principle in all that we do. We have the good fortune of having a 
number of capable agencies at the forefront of securing and defending 
cyber space--CISA, FBI, Department of Defense, the National Security 
Agency, Department of Energy, and NIST, among others--whose roles 
complement one another and who, working together, strengthen our 
defense of cyber space in ways that could not happen if they were in 
competition or isolation. The more we can support these agencies' 
synchronized efforts and partnerships, with each other and the private 
sector, the greater the return on our investment will be for the 
American people.
    The Biden-Harris administration has already made progress in 
addressing these issues and countering the threats we face in cyber 
space--most recently during last month's 30-nation summit on 
ransomware. On May 12, 2021, President Biden issued Executive Order 
14028, Improving the Nation's Cybersecurity, taking bold, aggressive 
action to transform Federal Government cybersecurity for the better, 
and through that, to improve the security of critical infrastructure 
for all Americans. Since the President signed the Order, OMB, CISA, 
NIST, and others in the interagency have worked tirelessly to ensure 
its successful implementation. This includes developing contracting 
requirements, implementation guidance, cybersecurity expectations, 
information-sharing improvements, and incident notification 
requirements. Our expectation is that the Federal Government's 
purchasing power is great enough that the requirements in the Executive 
Order will drive improvements throughout industry, even outside of 
direct contractual relationships with the Government.
    The President has also taken aggressive action to secure the 
Nation's critical infrastructure. His Industrial Control Systems 
Cybersecurity Initiative has already driven improvements in the 
electricity and pipeline subsectors and will soon expand to other 
areas. On July 28, he signed a National Security Memorandum on 
Improving Cybersecurity for Critical Infrastructure Control Systems, 
which among other things directed CISA and NIST to develop performance 
goals for critical infrastructure cybersecurity. Director Easterly can 
give you more details about the terrific progress CISA and NIST have 
made in this area.
    Steps like these are critical to ensuring that critical 
infrastructure owners, whether public or private sector, implement 
necessary security measures and become more accountable for their 
responsibility to the broader economic and digital ecosystem in which 
they reside. The importance of this dynamic has been reinforced by 
recent ransomware attacks against critical infrastructure entities. The 
Colonial Pipeline attack was a stark illustration of how the 
increasingly digitized nature of every part of our commercial ecosystem 
can create cascading, physical consequences. We hope that this real-
world example will catalyze stakeholders across the public and private 
sectors to implement security controls commensurate with the importance 
of their operations.
    These are daunting undertakings, and overcoming them will require 
realizing a digital ecosystem that is resilient by design, a policy and 
commercial environment that aligns actions to consequences, and 
ensuring public and private sectors are postured to proactively, 
decisively collaborate. Although the Office of the National Cyber 
Director is a young and still small office, we have made significant 
progress, and are building robust relationships with our interagency 
partners. When funding is in place, and with the continued confidence 
and support of this Congress, ONCD will be in a strong position to lead 
in enhancing the security and resilience of our Nation's cyber 
ecosystem. Thank you for the opportunity to testify before you today, 
and I look forward to your questions.

    Chairman Thompson. Thank you.
    Director Easterly.

    STATEMENT OF JEN EASTERLY, DIRECTOR, CYBERSECURITY AND 
  INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Ms. Easterly. Great. Thank you.
    Chairman Thompson, Ranking Member Katko, Members of the 
committee, thanks very much for the opportunity to testify 
today.
    I am really thrilled to be here as your partner in 
protecting the American people from cybersecurity threats. We 
know that cybersecurity is a team sport, so I am also honored 
to testify before our Nation's first cyber director, my 
teammate and friend, Chris Inglis.
    I want to start by also thanking this committee for your 
steadfast support in ensuring that CISA has the resources and 
authorities needed to carry out the critical and substantial 
mission of the agency.
    As you know, CISA serves both as the operational lead for 
Federal cybersecurity and as the National coordinator for 
critical infrastructure security and resilience. Our goal is to 
lead the National effort to understand, manage, and reduce risk 
to the cyber and physical infrastructure that Americans rely on 
every hour of every day. The mission is challenging to execute 
and the stakes couldn't be higher if we fail.
    Our mission can only be accomplished through strong 
collaborative partnerships and collaboration is built into our 
DNA at CISA. Partnerships are our strength, our ability to 
share information broadly about threats and vulnerabilities to 
enable early warning and prevent other victims from getting 
attacked. This is what I consider one of CISA's most important 
superpowers, our authorities to share information broadly with 
a variety of key stakeholders.
    Now, as we evolve our approach to cybersecurity, my goal as 
director is to fundamentally shift the paradigm from public-
private partnership into public-private operational 
collaboration. From information sharing into information 
enabling. Timely, relevant, and most importantly, actionable 
data that network defenders can use to increase the security 
and resilience of their networks.
    Powering this shift is the new Joint Cyber Defense 
Collaborative, or JCDC, built off the concept of the Joint 
Cyber Planning Office. Authorized and resourced by Congress, 
the JCDC is driving two key changes. First, it is the only 
Federal cyber entity that by statute is required to bring 
together the capabilities across the Federal Government, State 
and local partners, and our Nation's critical infrastructure 
owners and operators. We are working closely with the largest 
cloud providers, internet providers, cybersecurity companies, 
and Federal partners, like FBI, NSA, and the National Cyber 
Director, to take collective action against urgent cyber risks.
    Second, it is the first effort to focus on creating, 
exercising, and executing cyber defense plans that proactively 
address risk before an incident occurs. This effort is a major 
step forward, leveraging unique capabilities of Government and 
the private sector to drive risk reduction at scale.
    We are already yielding positive results. We are validating 
and sharing information across broad swaths of partners in 
multiple sectors and producing measurable mission impact. Last 
month we utilized JCDC partner information with FBI and NSA to 
develop and issue joint guidance against BlackMatter ransomware 
that critical infrastructure entities are actively using to 
protect themselves.
    Going forward we are going to focus on defining a robust 
planning agenda and producing plans to adjust ransomware risks 
and threats to cloud infrastructure.
    We are also taking urgent steps to reduce National 
cybersecurity risks. This morning we issued a new Binding 
Operational Directive that fundamentally changes how the 
Federal civilian Government addresses vulnerabilities being 
actively exploited by our adversaries. Under this directive 
Federal agencies must now fix vulnerabilities identified by 
CISA within specified time frames and update their security 
programs to effectively account for these requirements. This 
directive will significantly improve the Federal Government's 
vulnerability management practices and degrade our adversaries' 
ability to exploit known vulnerabilities. While the BOD only 
covers Federal civilian agencies, we strongly recommend that 
every network defender review the known vulnerabilities posted 
publicly at CISA.gov and prioritize urgent remediation.
    I was gratified to see significant reports for this 
directive, to include from this committee.
    I also consider our partnership with Congress, and 
specifically this committee, as absolutely essential to CISA's 
mission success. Last year's NDAA included significant new 
authorities for CISA, to include the administrative subpoena. 
We have issued over 30 of these that have directly resulted in 
mitigation of numerous vulnerable devices. We are also 
positioning CISA to conduct persistent hunt across Federal 
civilian networks through deployment of end-point detection and 
response tools.
    Another factor critical is our people. I want to make CISA 
the place where the Nation's best cyber defenders and security 
professionals want to work. We are making positive strides on 
this front. Just last week we announced that Washington 
Secretary of State Kim Wyman will be joining CISA to lead our 
election security efforts. I am thrilled about welcoming her to 
the team at the end of this month.
    I am also pleased to finally leverage the Cyber Talent 
Management System later this month. CTMS will help CISA cut 
time to hire, reduce bias, and ensure that we are assessing the 
right skills while enhancing work force diversity. There are a 
number of areas where we must continue strengthening CISA and I 
am grateful for the committee's work to advance key legislative 
priorities, including cyber incident reporting, new State and 
local government cybersecurity grant opportunities, and 
codifying key CISA ICS authorities, like the CyberSentry 
Program.
    You have my commitment to continue working together as 
partners to advance these and other crucial legislative 
priorities.
    Thank you again for the opportunity to appear before the 
committee today. I look forward to your questions.
    [The prepared statement of Ms. Easterly follows:]
                   Prepared Statement of Jen Easterly
                            November 3, 2021
    Chairman Thompson, Ranking Member Katko, and Members of the 
committee, thank you for the opportunity to testify on how the 
Cybersecurity and Infrastructure Security Agency (CISA) is positioned 
to enhance the security and resilience of our Nation's Federal networks 
and critical infrastructure.
    I am truly honored to appear before this committee today to share 
my vision for CISA. Since being sworn in as director in July, I 
continue to be impressed with the talent, creativity, and enthusiasm of 
the dedicated CISA employees I am entrusted to lead. As I have shared 
with my team every day, I have the best job in Government.
    At CISA, our mission is to lead the National effort to understand, 
manage, and reduce cyber and physical risk to our critical 
infrastructure. Our vision is a secure and resilient critical 
infrastructure for the American people. At the heart of this mission is 
partnership and collaboration. Securing our Nation's cyber and critical 
infrastructure is a shared responsibility, and has never been more 
important than it is today. At CISA, we are challenging traditional 
ways of doing business and are actively working with our Government, 
industry, academic, and international partners to move from traditional 
public-private partnerships to public-private operational 
collaboration.
                               Who We Are
    Established by the CISA Act of 2018, CISA is the Nation's 
Cybersecurity and Infrastructure Security Agency.
    While our programmatic mission areas deal in cyber defense, 
infrastructure security, and secure and interoperable communications, 
holistically, as one CISA, the organization is comprised of teams of 
individuals with expertise across a wide spectrum of professional 
backgrounds and disciplines. Each and every one of them relies on each 
other to achieve our shared objectives. We recognize the connective 
tissue that binds us together and ensures we are able to be successful 
in our mission to lead the National effort to understand, manage, and 
reduce risk to the cyber and physical infrastructure Americans rely on 
every hour of every day. Our core values represent the fundamental 
tenets of our CISA organization: Collaboration, innovation, service, 
and accountability. Living these core values every day with a growth 
mindset is the pathway to our mission success.
    To achieve success in our cybersecurity mission, we build the 
National capacity to defend against cyber attacks and work with our 
Federal partners and provide them with cybersecurity tools, incident 
response services, and assessment capabilities to safeguard the Federal 
civilian Executive branch networks that support our Nation's essential 
operations. We strengthen our Nation's cyber defense by leading asset 
response for significant cyber incidents and ensuring that timely and 
actionable information about known cyber threats and incidents is 
shared with Federal and State, local, territorial, and Tribal (SLTT) 
officials, as well as our international and private-sector partners, to 
ensure the security and resilience of our critical infrastructure.
    Within our infrastructure security mission, we enhance the 
protection of critical infrastructure from physical threats through 
enabling risk-informed decision making by owners and operators of 
critical infrastructure. Our activities include conducting 
vulnerability assessments, facilitating exercises, and providing 
training and technical assistance Nation-wide. Our infrastructure 
security program leads and coordinates National efforts on critical 
infrastructure security. This includes reducing the risk of successful 
attacks against soft targets and crowded places, such as in our 
schools, and from emerging threats. CISA also leads efforts to secure 
our Nation's chemical sector infrastructure, enhancing security and 
resilience across the chemical industry to reduce the risk of hazardous 
chemicals being weaponized. To this end, CISA has developed voluntary 
and regulatory programs and resources to help stakeholders--private 
industry, public sector, and law enforcement--secure chemical 
facilities from many threats: Malicious cyber activity, biohazards, 
insider threats, and theft and diversion.
    Key to success in our cybersecurity and infrastructure security 
mission is identifying and understanding risk, especially risk that is 
systemic to our Nation's critical networks and infrastructure. CISA's 
National Risk Management Center leverages sector and stakeholder 
expertise to identify the most significant risks to the Nation, and to 
coordinate risk reduction activities to ensure critical infrastructure 
is secure and resilient both now and into the future. The goal of the 
NRMC is to create an environment where Government and industry can 
collaborate and share expertise to enhance critical infrastructure 
resilience by focusing on collective risk to National Critical 
Functions including through key initiatives such as election security, 
Fifth Generation Network technology, supply chain risk mitigation, and 
more.
    Our emergency communications mission works to ensure reliable and 
resilient, real-time information sharing among first responders during 
all threats and hazards. CISA enhances National security and public 
safety interoperable communications at all levels of government across 
the country through training, coordination, tools, and guidance. We 
lead the development and implementation of the National Emergency 
Communications Plan to maximize the use of all communications 
capabilities available to emergency responders--voice, video, and 
data--and ensure the security of data and information exchange. CISA 
assists emergency responders and relevant Government officials with 
communicating over commercial networks, using priority 
telecommunications services during natural disasters, acts of 
terrorism, and other man-made disasters.
    Underpinning our mission is CISA's commitment to preserving 
individual privacy, civil rights, and civil liberties protections in 
our operations and our engagements. We recognize that when Congress 
statutorily required CISA to have a privacy officer for the agency that 
we needed to--by default--fully integrate privacy, civil rights, and 
civil liberties protections into everything we do. We are proud of the 
fact that a number of our activities have the added benefit of 
enhancing privacy, civil rights, and civil liberties.
                             Threat Landscape
    In our globally interconnected world, our critical infrastructure 
and American way of life face a wide array of serious risks with 
significant real-world consequences. Today, the critical functions 
within our society are built as ``systems of systems,'' complex designs 
with numerous interdependencies and systemic risks that can have 
cascading effects. This is something we have known for years as nation-
state actors and criminals increasingly leverage both cyber space and 
traditional physical means in their attempts to subvert American power, 
American security, and the American way of life. Many of these 
challenges are exacerbated by the COVID-19 pandemic, which has led to 
an unprecedented number of Americans working from home, meaning the 
potential for malicious actors to exploit vulnerabilities has expanded 
exponentially. Additionally, we are realizing the impact of climate 
change on our National security and economic prosperity interests, and 
must work with the infrastructure security and resilience community to 
mitigate them--through planning efforts that include community 
resilience, and a whole-of-Government guidance and information-sharing 
effort.
    At the same time, ransomware has become a scourge on nearly every 
facet of our lives, and it's a prime example of the vulnerabilities 
that are emerging as our digital and our physical infrastructure 
increasingly converge. Earlier this year, we saw the Colonial Pipeline 
attack shutter gas stations along the East Coast and the JBS attack 
cause certain food prices to rise. We have also seen ransomware attacks 
on schools, police departments, hospitals, and small businesses around 
the country, and they are growing in number, scale, and sophistication. 
Disrupting this scourge requires a whole-of-Nation effort, and the 
Department of Homeland Security (DHS) helps lead that effort, and led 
the development of a whole-of-Government website, stopransomware.gov, 
which provides users with a central, authoritative source for guidance, 
toolkits, and other resources from across the Federal Government. 
CISA's mission focuses on raising awareness before disaster strikes, 
and supporting victims when it does. We help potential victims 
understand their risk, reduce vulnerabilities, and mitigate the impact 
if they are attacked. When attacks threaten our critical infrastructure 
or National critical functions, we offer on-site assistance to help 
victims get back on their feet and share operationally relevant 
information with our partners and the public to prevent the spread to 
other potential victims and sectors. Our partners can use these 
resources to reduce the risk and impact of ransomware attacks.
    While cyber intrusions and ransomware dominate the recent 
headlines, physical threats to our people and our critical 
infrastructure remain a top concern. Terrorism, mass shootings, and 
other forms of targeted violence continue to threaten our schools, 
places of business, houses of worship, and other soft targets and 
crowded places. In 2020 alone, there were more than 12,000 explosive-
related incidents and more than a 70 percent increase in domestic 
bombings, according to the Department of Justice's U.S. Bomb Data 
Center. These types of physical threats can cause mass casualties, lead 
to hundreds of millions of dollars in damage, and cause cascading 
damage across vital physical and cyber infrastructure. From a broader 
perspective, as modern threats become more sophisticated, it is 
important to stay vigilant and take proactive measures to enhance the 
security and resilience of our communities and critical infrastructure.
    The risks we face today are complex. They are dispersed both 
geographically and across a variety of stakeholders. They are 
challenging to understand, and even more difficult to address. But here 
at CISA we have an incredible team ready to execute our mission in 
collaboration with a diverse group of partners across all sectors. CISA 
will continue to support and empower our partners to secure and defend 
America's cyber ecosystem and critical infrastructure. While we face an 
array of cyber and physical threats, our adversaries continue to push 
mis- and disinformation in an attempt to divide Americans and cast 
doubts about the legitimacy of our elections and our democratic 
processes, among other issues. These are just a few of the threats we 
face, and tackling them is no easy feat. It will take teamwork and a 
relentless dedication to our mission. Fortunately, in my first 100+ 
days at CISA, it's become clear that we are up to the challenge.
                               priorities
    For me, it was clear from my first days as director that people are 
CISA's No. 1 asset. My goal is for CISA to be the place where our 
Nation's best cyber defenders and security professionals want to work. 
I am intently focused on building a culture of excellence that prizes 
teamwork and collaboration, innovation and inclusion, ownership and 
empowerment, transparency and trust. To that end, we are committed to 
attracting and retaining world-class talent by implementing a vibrant, 
end-to-end talent management ecosystem that spans from 
recruiting and hiring, to on-boarding and integration, mentorship and 
coaching, certification and training, recognition and promotion, and 
succession planning and retention.
    Even as we focus on cultivating our workforce of today, it is 
important to recognize that our efforts also play an important role in 
helping build the cyber workforce of tomorrow. On November 15, 2021, 
the Department will launch the Cybersecurity Talent Management System 
(CTMS) and begin hiring employees in the DHS Cybersecurity Service 
(DHS-CS). DHS, including CISA, will use this system to grow the future 
cybersecurity workforce with greater flexibility to attract and retain 
the best cyber talent.
    As one of the early women graduates of West Point, I have a deep 
appreciation for the importance of having diversity of background and 
experiences represented in the room when key decisions are made. That 
is why I am focused on keeping hiring centered around diversity by 
hosting specialized events, applying innovative sourcing techniques, 
and implementing branding campaigns as a means of attracting top 
talent. I will continue working to employ new and innovative 
recruitment and hiring strategies that cut the time to fill positions, 
reduce bias, and decrease unnecessary assessment while enhancing the 
diversity of our workforce. My vision is to make CISA a leader in 
diversity among both the Federal Government and the broader tech 
workforce.
    Collaboration to achieve these workforce and diversity goals is 
fundamental. So are our efforts to build relationships, trust, and 
connectivity with State and local officials, private sector, and our 
interagency partners. CISA is meant to be an agency that is agile, 
flexible, and able to respond quickly to changing threats through 
collaboration with both the public and private sectors. And, to this 
end, we sustain our trusted and effective partnerships between 
Government and the private sector, which are the foundation of our 
collective effort to protect the Nation's critical infrastructure. With 
large portions of critical infrastructure in our country owned and 
operated by the private sector and municipalities, those partnerships 
are vital to ensuring a safe and secure America. Our partners bring 
expertise and a unique ability to drive climate change impact and cyber 
defense activities in their jurisdictions, and it is precisely this 
assembly of knowledge that will allow us to be better prepared to 
achieve deep operational collaboration that ultimately reduces the 
greatest risks to our Nation.
                      updates and accomplishments
    There is a lot of good work being done at CISA. I am particularly 
proud of the agency's efforts to stand up a new initiative called the 
Joint Cyber Defense Collaborative or JCDC, meet important deadlines 
from President Biden's Executive Order on Improving the Nation's 
Cybersecurity, and expand and strengthen key partnerships during my 
first 100 days. Allow me to elaborate on each of these accomplishments.
    In August, CISA launched the JCDC, which unifies cyber defense 
capabilities currently spread out across multiple Federal agencies, 
many State and local governments, and countless private-sector 
entities. It also leads the development of our Nation's cyber defense 
plans by working across the public and private sectors to unify 
deliberate crisis and action planning, while coordinating an integrated 
execution of these plans. Our goal with the JCDC is to bring together 
key Federal partners with private sector and SLTT partners who have 
critical visibility and ability to understand the threat landscape by 
virtue of their businesses and responsibilities, and to plan and 
exercise against the most serious threats to our Nation.
    The JCDC's initial focus is on tackling ransomware and developing a 
planning framework to coordinate incidents affecting cloud service 
providers. Almost 2 months into this collaboration, we are already 
seeing good progress. Our relationships with our private-sector 
partners continue to grow as we share more information and collaborate 
around key operational issues. We are also validating and sharing 
information daily across broad swaths of partners in multiple sectors. 
For example, last month, CISA, the Federal Bureau of Investigation, and 
the National Security Agency issued guidance to help critical 
infrastructure entities protect themselves against BlackMatter 
ransomware as a service, using information provided by JCDC members.
    While it is early days, the JCDC is already leveraging the skill 
sets, expertise, capabilities, and visibility of its members to better 
protect critical assets against cyber threats. This shifting paradigm 
will enable us to transform public-private partnerships into public-
private joint action, and information sharing into information 
enabling--timely, relevant, and actionable. Together, Government at all 
levels, industry, and our international allies--because cybersecurity 
does not begin or end at our borders--will bring to bear our collective 
capabilities to sustainably shift the balance of power in favor of 
cyber defenders. We will plan together, exercise together, and act in 
unison to address both immediate threats and overcome longer-term 
strategic and systemic cybersecurity challenges. Ultimately, we 
envision that this integrated public-private collaboration will drive 
the collective defense of cyber space to create a secure and resilient 
cyber ecosystem for all Americans, and we look forward to expanding 
this operational collaboration going forward.
    Election security also remains a top priority for CISA. As you 
know, a number of elections concluded just yesterday as part of the 
2021 cycle, including prominent gubernatorial races in Virginia and New 
Jersey. In support of our election security efforts, CISA hosted an 
Election Operations Room at our Arlington Office, and virtually around 
the country, to present an integrated Federal coordination point for 
support to State and local election officials holding elections this 
cycle. Partners from the interagency and the election community 
collaborated in real time to share information about election risks and 
be prepared to respond as needed. In addition, I recently announced 
that secretary of state Kim Wyman will be joining CISA as our new 
election security lead. Kim has recently been the secretary of state in 
Washington, and she is joining to help ensure that we have a senior 
member of the election community guiding our efforts to address a range 
of threats to America's democratic process to include cyber and 
physical threats, as well as mis- and disinformation. I am extremely 
excited to welcome Kim to CISA.
    Another area I want to highlight is CISA's on-going work to 
implement the May 12, 2021, Executive Order 14028, Improving the 
Nation's Cybersecurity signed by President Biden. This Executive Order 
aims to directly address the persistent and increasingly sophisticated 
malicious cyber threats the Nation has faced over the past several 
months, and tasks Federal agencies to make bold changes to improve the 
Nation's cyber posture. The efforts outlined in the Order aim to 
improve Federal cybersecurity posture and incident response 
capabilities, limit supply chain risk to the Federal Government, and 
increase CISA's visibility across Federal and contractor networks. CISA 
has been tasked with leading or supporting over 35 unique efforts, many 
with short time lines highlighting the urgency of the work to be done. 
I am proud to say that CISA met all of our deadlines in support of the 
Executive Order, to include:
   • Driving adoption of modern, secure, and resilient networks, 
        including through the Cloud Technical Reference Architecture, 
        released for public comment earlier this month and co-developed 
        with the U.S. Digital Service and GSA's FedRAMP program;
   • Advancing the adoption of leading security practices 
        necessary to address highly adaptive adversaries in 
        collaboration with OMB and other Federal partners, including 
        publication of a Secure Cloud Technical Reference Architecture 
        and a Zero-Trust Maturity Model;
   • Raising the bar for incident response by publishing a 
        Vulnerability and Incident Response Playbook to Federal 
        agencies, which will ensure that all agencies will operate from 
        the same sheet of music during incidents, and enable a 
        coordinated whole-of-Government incident response effort, 
        building on lessons learned in recent incidents;
   • Ensuring that CISA has access to all necessary information 
        about incidents affecting Federal agencies by providing 
        recommendations to the Federal Acquisition Regulatory Council 
        that require broader sharing of data by Government contractors, 
        in response to incidents. Such sharing will include the Federal 
        agency holding the contract, as well as with CISA. The 
        recommendations to the FAR also establish procedures for 
        sharing appropriate information with interagency partners to 
        aid in their collective, on-going cyber defense operations;
   • Establishing a plan to dramatically expand our visibility 
        into cybersecurity risks affecting Federal networks through 
        deployment of endpoint detection and response (EDR) 
        capabilities and enabling ``persistent hunt'' activities as 
        authorized by Section 1705 of the fiscal year 2021 National 
        Defense Authorization Act; and
   • Prioritizing Federal supply chain security by working with 
        OMB to direct a review of over 650 unique cybersecurity-related 
        contract clauses in place across the agencies and recommending 
        to the FAR Council a baseline for cybersecurity that Federal 
        contractors must meet to lower risk to the Federal systems they 
        support.
    The work outlined in the Executive Order is no small task; the 
administration asked CISA and agencies to rethink how we approach 
vulnerability and incident response, how we approach purchasing IT 
goods and services, how we design and secure our networks, and how we 
work together to share information. Our work applies not only to the 
Federal Government, but also to government at all levels, and the 
private sector, as we seek to work to ensure that we collectively drive 
adoption of strong security practices to materially reduce 
cybersecurity risks.
    Building on the Executive Order, this summer, the President also 
issued a National Security Memorandum on Improving Cybersecurity for 
Critical Infrastructure Control Systems. The reality is that 
cybersecurity needs vary among critical infrastructure sectors, but we 
cannot evolve our Nation's cybersecurity posture without baseline 
cybersecurity goals that are consistent across all sectors. 
Additionally, there is also a need for security controls for select 
critical infrastructure that is dependent on control systems. Working 
in partnership with the National Institute of Standards and Technology 
(NIST), at the end of last month, we issued the preliminary 
cybersecurity performance goals based on 9 categories of best 
practices. These goals are part of a whole-of-Government effort to meet 
the scale and severity of the cybersecurity threats facing our country. 
Our safety and security rely on the resilience of the companies that 
provide essential services such as power, water, and transportation and 
these performance goals should be the standard cybersecurity practices 
and postures that the American people can trust and should expect for 
such essential services. It takes all of us committed to action, and 
that requires harnessing the power of operational collaboration.
    Our successes would not be possible without the outstanding and 
dedicated CISA workforce. For me, it is all about the people--we will 
be successful because of our people. While I am committed to working to 
attract and retain world-class talent, one of my top priorities is also 
to build a workforce that looks like America and has the skills needed 
to meet the threats of the future. To that end, I am very proud that, 
in addition to DHS's collaboration with the Girl Scouts of the USA, 
CISA recently announced a partnership with Girls Who Code, with the 
intent of closing the gender gap in cybersecurity and developing 
pathways for young women to pursue careers in cybersecurity and 
technology. Partnering with Girls Who Code will provide real solutions 
to tackle diversity disparities and bring together a stronger community 
of women in technology and cyber. CISA and Girls Who Code will work 
hand-in-hand to improve the awareness of these careers in cyber, while 
building tangible pathways for young women, especially young women of 
color, to get hands-on experience and find opportunities--whether in 
the private sector, non-profit sector, or part of Government.
                               conclusion
    Our Nation faces unprecedented risk from cyber attacks undertaken 
by both nation-state adversaries and criminals, and CISA is at the 
center of our National call to action. In collaboration with our 
partners and with the support of Congress, we will make progress in 
addressing this risk and maintain the availability of services critical 
to the American people.
    Thank you again for the opportunity to appear before the committee. 
I look forward to answering your questions.

    Chairman Thompson. I thank the witnesses for their 
testimony.
    I remind each Member that he or she will have 5 minutes to 
question the witnesses.
    I now recognize myself for questions.
    This is a question to both of you. The recent surge of 
high-profile cyber attacks, from Colonial Pipeline to JBS, has 
called into question the Federal Government's voluntary 
framework for securing critical infrastructure. Certainly the 
security directives issued by TSA earlier this year mark a 
significant shift in the Federal Government's approach. Just 
last week, as I indicated in my opening statement, the 
administration urges Congress to give EPA more authority over 
cyber standards for water.
    With that in mind, do you envision the administration 
moving to impose security standards on additional critical 
infrastructure sectors? If so, and I guess my--do you envision 
it, yes or no?
    Mr. Inglis. Mr. Chairman, thank you very much for the 
question. It is an important question.
    I would say that the answer to the question is yes. I think 
the context matters greatly. This must be done in partnership 
and collaboration with the private sector insomuch as we work 
together to determine what the shape, the form, the function is 
of digital infrastructure to ensure that innovation, capacity, 
generation, continues to take place in the private sector. We 
allow market forces and the leadership of the private sector to 
take their proper role. Then, by exception, when necessary 
impose the further non-discretionary standards that are 
required. We have done that in other industries, like the 
aviation safety industry or the automobile industry. I think 
that this is an equally appropriate place to do that for the 
critical services that our Nation depends on.
    Chairman Thompson. Well, thank you. So you said yes and 
then you went on to define the role. So thank you very much.
    Director Easterly.
    Ms. Easterly. Thank you for the question, Chairman.
    I would agree with everything that National Cyber Director 
Inglis said. I would add two points. As we know, 85 percent of 
critical infrastructure is in private hands. So this really is 
based on a voluntary regime, as you pointed out. We know that 
collaboration and trust is absolutely critical to the model of 
how CISA works with the private sector. So we are going to 
continue to build that trust and build that collaboration. 
Notwithstanding whatever regulations may come into place, we 
are going to focus on the collaboration piece.
    I would add though, in order to support any regulation that 
may come into force, we are doing a lot of work on articulating 
what are the cybersecurity baseline standards and goals. At the 
end of September we released those goals specific to industrial 
control systems and we are working on other goals that were 
tasked out by the White House National Security Memorandum.
    So we are at least at a minimum letting all of our critical 
infrastructure sectors know what is expected to ensure the 
security and resilience of their infrastructure.
    Chairman Thompson. Thank you very much.
    I think, Director Inglis, you kind-of addressed this 
question, but--in your opening statement--do you have the 
necessary authorities and resources to do your job?
    Mr. Inglis. Mr. Chairman, thank you very much for that 
question.
    I believe that I have sufficient authorities and resources, 
given the appropriations that we expect in the very near term, 
to make the difference that is expected. We will, based upon 
experience, come back and determine whether or not they need to 
be refined in some way, shape, or form. But for the moment I 
believe I have the authorities and expected resources to make 
the difference expected.
    Chairman Thompson. Director Easterly.
    Ms. Easterly. Well, first of all, thank you very much to 
this committee because you have done a lot to give us the 
authorities and resources. But we appreciate what is in 
potential upcoming legislation, to include cyber incident 
reporting, a recognition of grant programs for our State and 
local partners, the codification of CyberSentry and our role in 
ICS.
    To the resource question, we have gotten a lot of resources 
and I think it is great to get resources specifically for cyber 
defenders and infrastructure defenders. I would say though what 
is also very important to us are those mission enablers that 
will help us execute the resources and the funding that we are 
getting, human resources, our people, our chief human capital 
officer, our finance, our acquisition authorities. So we are 
going to need to bolster those mission enablers to enable us to 
actually execute everything that you have given us.
    Chairman Thompson. Thank you.
    So if I hear you correctly, with that you are going to 
still have to find some bodies, right, to carry that mission 
forward?
    Ms. Easterly. Say that again, Chairman.
    Chairman Thompson. I think you are going to have to have 
some people or bodies to carry the missions forward.
    Ms. Easterly. Absolutely.
    Chairman Thompson. As a committee we have heard quite often 
that somehow we don't have enough qualified individuals to 
staff our agency. Do you find the lack of staff is a potential 
problem for CISA?
    Ms. Easterly. We are working hard to build out our 
capability and capacity. We have a lot of vacancies that we are 
working very hard to fill. Two of the things that I am trying 
to do to deal with this, first of all to really do an analysis of 
how we can accelerate our hiring. All of the steps that are 
required, how do we actually create some efficiencies on that 
because having just come from 4½ years in the private 
sector, I think it takes way too long to be able to bring 
people into the Federal Government. I think that is incredibly 
important to be able to streamline that process, sir.
    The second thing that we are doing is really leaning into 
cyber talent management system authorities, which come into 
force the 15th of November that will give us greater 
flexibility to be able to hire based on aptitude and attitude, 
not based on degrees or certifications. It will allow us to be 
able to pay closer to market. So that flexibility I think will 
really help us close the gap to enable us to bring on the 
talent that will make us the agency that the Nation deserves.
    Chairman Thompson. Thank you.
    I yield to the Ranking Member.
    Mr. Katko. Thank you, Mr. Chairman.
    Director Inglis, a quick question for you.
    It is pretty clear that the authorities that CISA has and a 
cyber director are pretty well laid out and I understand the 
interaction between you two. One of the ones I kind-of struggle 
with is what is the role of the National Security Council 
within the cyber realm? If there are some issues that we need 
to work on there, what are they?
    Mr. Inglis. Yes, thank you for that question. That is a 
question we are asked on a fairly frequent basis and one that I 
think deserves a solid crisp answer.
    I would say that as we look at it--I believe I am speaking 
for both Jen and myself--there actually is the need for a 
National Security Council leadership role in cyber for the 
following reasons: Typically in any domain of interest, cyber 
being one of those, we should consider bringing all instruments 
of power to bear, our intelligence assets, our diplomats, our 
financial abilities, our legal remedies. Typically bringing 
those instruments to bear in a coordinated fashion to achieve 
the appropriate desired conditions in the domain of interest, 
cyber being one of them, is traditionally the role of the 
National Security Council. We believe that that remains 
appropriate in this space and therefore our colleague, deputy 
national security advisor for cyber emergency technology, Anne 
Neuberger, we think appropriately and fully fills that role as 
a complement to what Jen and I then do within the realm of 
cyber space.
    Mr. Katko. OK. I will leave it at that.
    Director Easterly, I mentioned in my opening statement, I 
mentioned it several times before, we are getting to the point 
now where we are going to start having more requirements on the 
private sector. We also ask them many times to get us more 
information. I think the more information they get on their 
cyber attacks the better you can understand the playing field. 
The better you can understand the playing field, the better you 
can help them going forward. A common refrain you heard from 
the private sector is a lot of stuff goes to CISA--and this is 
before your time, mind you--a lot of information goes to CISA 
and not a lot of operational information comes back.
    How are you doing trying to fix that issue and what do you 
plan to do going forward?
    Ms. Easterly. Thanks for the question, Ranking Member 
Katko.
    So it has been about 110 days. I think we are doing pretty 
good. But it is just a start.
    Mr. Katko. You don't have everything fixed in 110 days?
    Ms. Easterly. I know, I failed miserably.
    You know, I have a great appreciation for those comments 
because I spent the past 4½ years in the private sector and 
sometimes my observations were that the Government seemed 
disjointed, not coherent, and a black hole. So, frankly, I 
think we are doing a lot under Director Inglis' leadership and 
the leadership across the Federal Government to really ensure a 
coherent approach, that we are speaking with a coherent voice 
to the private sector. Frankly, it is one of the reasons why I 
am so excited about the Joint Cyber Defense Collaborative, the 
JCDC, because by statute it is the only cyber entity that 
brings together CISA and NSA and FBI and DoD and DoJ and ODNI 
and the Secret Service and the National Cyber Director. So that 
is a place where the private sector can come and expect 
accountability in one place and can go and say, we have given 
you this information, what are we getting back?
    So that real-time conversation is happening. I will tell 
you we are already leveraging those partnerships from cloud 
security providers, from cybersecurity companies, to take that 
information to enrich what the Federal Government has and then 
to get that back, both to those companies, but importantly to 
critical infrastructure owners and operators and the State and 
local. As I said in my statement, we are looking to do not just 
sharing, but truly enabling. Because if we can't get 
information to network defenders in a timely way that allows 
them to use that information and that it is relevant and 
actionable, there is really no point in sharing information.
    So we are looking to change that paradigm and I am very 
focused on ensuring that we are giving feedback and enriching 
what we get from the private sector.
    Mr. Katko. Thank you very much.
    Following up on the critical infrastructure. I appreciate 
our discussion last week at CSIS on the importance of CISA 
having the capability to identify the most critical of critical 
infrastructure. Because, as you know, if everything is critical 
infrastructure then nothing is, right.
    So while we may disagree on the best acronym for the 
effort, I think you said PSIES is a new one--Mr. Chairman, we 
have got to learn now another one--it is clear we are seeking 
the same outcome here, right. It is paramount that we are 
understanding the single points of failure and layers of 
systemic importance across this ecosystem that have the 
potential for a cascading impact of compromise.
    So can you briefly just discuss with me the importance and 
current state of play with CISA's Systemically Important 
Critical Infrastructure effort?
    Ms. Easterly. Yes. Thanks very much for the question.
    I do think it is incredibly important that we are able to 
articulate that infrastructure that is absolutely critical to 
Americans' way of life. We look at the lifeline sectors, water, 
transportation, communications, energy, we look at all of the 
16 infrastructure sectors, but we also analyze them, sir, 
through the lens of National critical functions. Because, as we 
know, in today's society everything is connected, everything is 
interdependent, and therefore everything is potentially 
vulnerable as it rides on that technology backbone.
    So, you know, inspired by some of the good work that came 
out of the Cyberspace Solarium Commission, the Systemically 
Important Critical Infrastructure, SICI, we have done some work 
on what we are calling PSIES which does sound like a better 
acronym, the Primary Systemically Important Entities. Again, 
those that have economic centrality, network centrality, and 
have logical dominance in those National critical functions. So 
we think it will end up to be about 150-200 entities that we 
really focus in on to be able to provide information. It goes 
back to the benefits and burdens question, but I absolutely 
think that we need to codify this.
    So, to your point, sir, if everything is a priority, 
nothing is a priority. So I am a big proponent of the effort.
    Mr. Katko. Thank you very much.
    Before I yield back I just want to note it is very 
important that you continue your collaborative relationship. I 
think the way you have things set up, you should be very proud 
and, like I said, you are a symbol for other agencies to 
follow. Instead of having turf battles you are getting things 
done and that is important.
    Also know that with the Chairman and myself, don't wait for 
hearings, if you need something just pick up the phone and call 
us, OK.
    All right. I yield back, Mr. Chairman.
    Ms. Easterly. Thank you, sir.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentleman from Rhode Island, Mr. 
Langevin, for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank you 
for holding this hearing today and thank you and the Ranking 
Member for your bipartisan collaboration on cyber and many 
other issues.
    I could not be more pleased to have the two witnesses we 
have before us today, two outstanding appointments. Take great 
pride in seeing the Nation's first National Cyber Director 
before us after more than a decade of trying to establish that 
position. I am glad it is finally established and that Director 
Inglis is the first inaugural director.
    Five minutes is going to go by fast, so I am going to get 
right into my questions. But deeply appreciate the leadership 
you are both providing that are protecting the Nation's cyber 
space.
    Director Inglis, I will start with you. In your testimony 
you mentioned that we can expect the Office of the National 
Cyber Director to ``Issue more routine explicit statements of 
priorities and guidance on a year-to-year basis to support 
departments and agencies in their own planning and operational 
prioritization.'' I commend you for initiating this work. These 
year-to-year statements of priorities and guidance will address 
gaps in our medium-term planning that translate our cyber 
strategy into day-to-day work carried out by agencies.
    Incidentally, this kind of activity is exactly what 
Congress intended for the National cyber director.
    So on the subject of your Office's roles and 
responsibilities you testified before the Senate Homeland 
Security and Government Affairs Committee about a possible 
Executive Order in development that would delineate processes 
for your office, including around setting these yearly cyber 
priorities.
    Can you update the committee on any plans to issue such an 
order?
    Mr. Inglis. Yes, Congressman Langevin. Thank you very much 
for the question.
    I think that the statute has gone a long way and the 
policies that we have described have gone a further distance in 
describing what the roles and responsibilities are of the 
various players in this space. An Executive Order, we believe, 
is the essential capstone to that, to crisp up, at least for 
the moment, based upon the experience and the expectations we 
have, where we should then take this further. We are in 
discussion within the White House about when and how to effect 
an Executive Order that would bring additional clarity to these 
roles and responsibilities. I am confident that we will work 
our way through in weeks' to months' time to deliver such a 
thing.
    Mr. Langevin. Very good. Thank you. I do also want to 
commend you and thank you for your work on this Cyberspace 
Solarium Commission. It is a privilege to serve with you on 
that Commission.
    Director Easterly, first of all congratulations and I thank 
you for the BOD that was issued earlier today. It is exactly 
the type of thing we need to do to get out ahead of cyber 
vulnerabilities, so thank you and CISA for that leadership.
    We had a discussion a little bit earlier about the public-
private collaboration, JCDC. So I was very pleased when you 
announced the creation of the Joint Cyber Defense 
Collaborative, or JCDC, in August and I think the JCDC will 
significantly improve the ability of the public-private sectors 
to collaborate on cyber defense efforts.
    I would be curious on your further views on the importance 
of the public-private collaboration and I hope you can share--
and, again, any further updates on CISA's progress in standing 
up JCDC. Anything you would like to add.
    Ms. Easterly. No, sir. I mean we are really, really 
appreciative of those authorities. I know you championed the 
Joint Cyber Planning Office, which is a significant part of the 
Joint Cyber Defense Collaborative. I think it is really the 
thing that will make the difference, being able to be proactive 
as opposed to reactive in planning against the most serious 
threats to the Nation. I think it is something unique across 
the Federal Government from a cyber defense perspective. So I 
am really looking forward to putting that into action.
    Mr. Langevin. Very good. Thank you.
    Also, Director Easterly, one idea to further the public-
private collaboration developed by the Cyberspace Solarium 
Commission and adapted by Congressman Gallagher and into an 
amendment in this year's NDAA would create critical technology 
security centers to evaluate and test the security of devices 
and technologies underpinning our Nation's critical functions.
    I would be curious to hear about your thoughts on this 
measure and how it could complement JCDC?
    Ms. Easterly. I am very supportive of that measure, 
Congressman. I think it is incredibly important that we have an 
ability to understand. In particular, given everything that we 
have seen with respect to intrusions in our supply chains, that 
we understand the technology that is underpinning all of these 
infrastructures. So fully supportive. Would want to be able to 
leverage the JCDC and the partners within the JCDC to be able 
to understand some of the information that could be tested at 
some of those technology centers. So would look forward to 
that.
    Mr. Langevin. Last, very quickly, I took note of your 
comments at the Aspen Cyber Summit on bureau cyber statistics and 
the need for better cyber metrics, your thoughts on potentially 
housing that at CISA?
    Ms. Easterly. I am a huge fan of that. I think it is hard 
to say that you have reduced risk unless you know how to 
measure it. So believe we should have that Bureau of Cyber 
Statistics and I think it would make sense to house it at CISA.
    Mr. Langevin. Very good.
    Thank you again for your answers, your outstanding 
leadership. I look forward to our future collaborations.
    Mr. Chairman, I yield back. Thank you.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes Mr. Garbarino for 5 minutes.
    Mr. Garbarino. Thank you, Mr. Chairman, thank you, Ranking 
Member Katko, for having this hearing and thank you, Directors 
Inglis and Easterly for both coming today.
    Director Easterly, I really enjoyed our conversation last 
week. We talked about a lot of different things, even with my 
babysitters I thought it was pretty productive. We talked 
about, and you brought it up in your opening testimony, about 
the cybersecurity pipeline and what you have been planning. You 
have talked now about--you know, and it is not all under your 
control, but it is a concern that you show that it is you show 
that you are fully staffed and now with the cyber talent 
management system coming on-line with the rules. What do you 
see as your job or the CISA's Office of the Chief Human Capital 
Officer, taking those rules and making sure that they work to 
make sure that CISA is fully staffed and properly staffed with 
the right people?
    Ms. Easterly. Yes. Thank you for that question, because you 
know I think it is something we are both passionate about.
    I should first say we have fabulous people at CISA and this 
really is the best job in Government. But I believe that there 
is nothing more important than people. So we have actually 
spent a lot of the last 3 1/2 months doing a couple of things. 
First, defining the core values and the core principles that 
underpin CISA's culture, identifying how we are going to build 
a talent management ecosystem that allows us not just to 
recruit the best people, but to ensure that we are training and 
certifying and mentoring and coaching and retaining those best 
people. That is incredibly important. We have done a careful 
analysis of all of the 20-plus steps that it takes to actually 
hire somebody into the Federal Government, which is way too 
onerous. You know, we were able to reduce by 13 percent the 
number of days that it takes to hire somebody, but it is still 
way too long. It is over 200. In the private sector I could 
bring somebody in like 60 days. So we need to fix all of that. 
But we are making progress on that. We have hired 500-some 
people, whereas last year it was just 200-some. So we are 
getting there, but not fast enough in my view.
    So we are going to figure out how to fix the current 
process. I may come back to you and ask for your help if I need 
it.
    Then we are going to aggressively implement CTMS, which 
allows me much greater flexibility, both to hire but also to 
figure out how to retain people and incentivize them. At the 
end of the day people want to come to CISA to defend their 
Nation, but given the competitive environment we also want to 
be able to pay closer to market.
    So these new authorities will allow us to do that, sir.
    Mr. Garbarino. I appreciate it. Sounds like it is easier to 
get elected to Congress than to hire someone at CISA.
    On a separate note, Ranking Member Katko and I have 
increasingly been concerned about the security of the Nation's 
information and communications technology. Specifically, we are 
concerned about the lack of progress from the Federal 
Acquisitions Security Council. We appreciate the transparency 
that CISA has provided to the committee regarding its role in 
FASC, but we understand that CISA is only one part of it.
    Director Inglis, can you speak to the lack of progress we 
have seen from FASC and why now 3 years in there isn't much to 
show for it?
    Mr. Inglis. Yes. So thank you for the question. It is an 
important question, especially given the role that the Federal 
Acquisition Management Supply Chain Committee plays on the 
acquisition of the material that underpins the digital 
infrastructure that underpins our critical missions.
    Having said all of that, 3 years is a long time, but I am 
pleased to report that in August of this year we concluded the 
rule-making process, gave CISA a leadership role on the FASC, 
have now charged the leader of that committee, who is one and 
the same as the deputy for Federal cybersecurity within the 
National cyber director, but at the same time the Federal 
chief information security officer, to move off in beginning to 
apply those rules, those processes, to determine how we manage 
the Federal supply chain.
    We have a solid agenda for fiscal year 2022, the year that 
we are in, and we have every expectation that we will make 
significant progress in the time ahead. I would be happy to 
come back to this committee or to deal personally with any 
committee Member who is interested as to what those specific 
plans are, but to demonstrate progress in the very near-term.
    Mr. Garbarino. Great.
Well, and for either you or Director Easterly, with the 
authorization of FASC coming back in 2023, is there something 
that Congress should consider changing or--you know, you giving 
CISA a more essential role or is there something we should do 
differently in the re-authorization or change?
    Mr. Inglis. I think it is a very appropriate question. I 
think that you should hold us accountable for delivering value 
with the process and the authorities that we have at the 
moment. I do believe that it should be sustained past fiscal 
year 2023. We will come back to you to tell you what 
refinements we think are necessary.
    Mr. Garbarino. Director Easterly.
    Ms. Easterly. Nothing to add.
    Mr. Garbarino. Great. I appreciate that.
    I yield back. Thank you.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentleman from New Jersey, Mr. 
Payne, for 5 minutes.
    Mr. Payne. Thank you, Mr. Chairman and Ranking Member, for 
having this timely, timely hearing.
    Let us see. The Colonial Pipeline ransomware attack was a 
stark reminder that cyber attacks on critical infrastructure 
can have physical real-world consequences that ripple across 
sectors throughout the economy. The longer it takes to restore 
operations, the more of those downstream effects can snowball 
in ways that matter for the health, safety, and financial 
stability of individuals and families and communities.
    Director Easterly, what is CISA doing to promote not just 
the security but also the resiliency of critical infrastructure 
like pipelines to make sure they are able to get back up and 
running in the event of a cyber-related disruption?
    Ms. Easterly. Well, thanks very much for that question.
    You are absolutely right. What we have seen this year is 
cyber attacks that are manifesting against our critical 
infrastructure and having real effects on the American people, 
whether it is gas at the pump or food at the grocery store or 
money at the banks. So couldn't agree with you more that we 
really need to lean into CISA's statutory role as the National 
coordinator for critical infrastructure resilience and 
security.
    So a lot of this is--we have two main roles actually. We 
are what I call ``left of boom'', as a retired military 
officer. We are focused on resilience and prevention of 
attacks. Then we are there to be able to respond effectively to 
a victim to help them recover and to mitigate risk to their 
business and to also leverage the information that we get in an 
anonymized way so that we can warn other victims and prevent 
them from being hacked. But it comes down to our ability to 
work very closely with our partners at the State and local 
level and within critical infrastructure to ensure that they 
have the resources, the technical assistance, and the 
information that they need to be able to protect themselves. 
Because at the end of the day we know that over 90 percent of 
successful cyber attacks start with a phishing email and that 
you are 99 percent less likely to get hacked if you implement 
multi-factor authentication.
    So all of these standards and goals and information that we 
put out, working closely with the critical infrastructure 
owners and operators, incredibly important. That is why we work 
closely with TSA as they articulated new standards specifically 
to pipelines. That is why we are working with 20-plus pipeline 
CEOs twice a month to help them instantiate the technology that 
they need to protect their networks and systems and assets.
    Mr. Payne. Thank you. Thank you.
    How will the Joint Cyber Defense Collaborative help build 
our National resiliency by fostering collaboration, planning, 
and exercising to prepare for specific cyber attack scenarios?
    Ms. Easterly. Yes, great question.
    I am super excited about the JCDC. I really think this is a 
different and unique capability for the Nation. It is the place 
that by statute brings together the full power of the Federal 
Government with the innovation, imagination, and ingenuity of 
the private sector. The reason why we chose those plank-holder 
partners, the infrastructure companies, the cloud security 
providers, cloud service providers, and the cybersecurity 
vendors is because they afford global visibility into 
infrastructure that the Government doesn't have and shouldn't 
have. So that is how we see the dots, connect the dots, and 
then reduce risk at scale.
    So that is how that collaboration in near-real time, 
information being shared to enable security and resilience, and 
also to inform planning against the most serious threats to the 
Nation so we can drive down risk at scale. It is one of the 
things that I am most excited about and we are already seeing 
dividends from the JCDC, sir.
    So thanks for the question.
    Mr. Payne. Well, thank you for those responses.
    With that, Mr. Chairman, I yield back 20 seconds.
    Chairman Thompson. The gentleman is so kind.
    The Chair recognizes the gentleman from Louisiana, Mr. 
Higgins, for 5 minutes.
    Mr. Higgins. Thank you, Mr. Chairman. I thank the Ranking 
Member and our witnesses for being here today.
Every day the importance of our cybersecurity systems grows as 
a matter of National security. The number of publicly-reported 
cyber attacks and breaches for 2021 is unfortunately on track to 
be the highest and most impactful in history. The cost of 
ransomware damage is expected to reach $265 billion by 2031--
and personally I think that is a light number.
    Our foreign adversaries are rapidly increasing their cyber 
skills and stealth. We are also currently seeing the disastrous 
consequences involved with supply chain vulnerability. Supply 
chain cyber attacks have risen by 42 percent just in the first 
quarter of this year. According to BlueVoyant, a third-party 
cyber risk management company, 97 percent--97 percent of firms 
have been negatively impacted by cybersecurity breach in their 
supply chain. Further, 1 out of 5 small businesses fall victim 
to a cyber attack in the United States, and of those 60 percent 
go out of business within 6 months. This is a serious problem. 
Our adversaries should have a clear understanding that the 
United States can and will execute effective and timely 
consequences if they attack our National critical cyber 
infrastructure.
    Deterrence and response, in my opinion, are critical 
aspects to our mission to address the cyber threats that we are 
currently experiencing and the threats of tomorrow.
    Director Inglis, non-state criminal actors are responsible 
for many cyber attacks in the United States, including last 
year's ransomware attacks on our hospital systems and the 
Colonial Pipeline attack. The United States has had difficulty, 
however, in the past in executing counter attack strikes 
against cyber terrorists. For example, in 2016 the U.S. Cyber 
Command worked to destroy ISIS communications and remove pro-
ISIS propaganda which only worked for a couple of days. They 
were right back up. Certainly wasn't an effective counter 
strike.
    So, in your professional opinion, is the United States 
capable of launching an effective cyber counter strike against 
cyber criminals world-wide? Because this is the question that 
Americans want to know, can we strike back? Do we have the 
will, do we have the capability? If we do have the will and the 
capability, then why are we not lighting these criminals up 
with counter strike cyber attacks?
    I ask you for your response.
    Mr. Inglis. Congressman, thanks very much for the question. 
I am sure that is the question on the mind of many people who 
are aware and watching the growing threat in cyber space.
    I agree with your characterization of the growing 
seriousness of these threats and the perception that we are 
falling further behind.
    I would offer that it is important to bring transgressors 
to justice. I would offer that the set of tools we should bring 
to bear is considerably larger than simply finding and shooting 
at them using cyber activities in and through cyber space. So 
that is an important part of the solution, but equally 
important is a campaign that covers all the ways that we can 
thwart their efforts. We need to begin with increased 
resilience and robustness in the technology, in the skills of 
our people, in the doctrine, in the roles and responsibilities. 
We are talking a lot today about how do we collaborate as 
opposed to achieve simply a division of effort such that these 
transgressors have to beat all of us to beat one of us. Having 
established a defensible enterprise, we then need to actually 
defend it. That is a very proactive set of endeavors. Jen 
Easterly at CISA and other sector risk management agencies are 
leading the collaboration of the Federal enterprise with the 
critical information and critical sector to do just that.
    Finally, we need to align actions to consequences. An 
important piece of that, as you suggest, is finding and 
bringing to justice these transgressors, stopping their further 
efforts. But we need to use all the instruments of power at our 
disposal. We need to be able to----
    Mr. Higgins. Thank--sir, in the interest of time--I have 10 
seconds remaining. Let me just close. Thank you for your 
answer.
In my opinion we need to have a lightning-fast cyber 
counterstrike. There needs to be immediate consequences. Then 
we still bring them to justice. That takes a long time.
    Mr. Chairman, I yield and I encourage my colleagues to 
support a very proactive and aggressive cyber counterstrike as 
we face these on-going attacks.
    Thank you for holding this hearing today.
    Mr. Inglis. Mr. Chair, I would be happy to follow up----
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentleman from Missouri, Mr. 
Cleaver, for 5 minutes.
    Mr. Cleaver. Thank you, Mr. Chairman, for the hearing, for 
a variety of reasons.
    I am on the Homeland Security, but I am also on Financial 
Services and we also have a great deal of interest in and 
ability to work with CISA.
    Director Easterly, thank you. You know, since CISA was 
created back a couple of years ago, you know, the agency now 
has a recognizable name. I think when CISA first was created, a 
lot of people, when you said CISA, they thought it was a hip 
hop band. But, you know, now I think it is recognizable. You 
know, you are serving a great purpose with security, public and 
private.
    You know, but you have a far-flung and almost cryptic kind 
of a mission. You know, I am wondering, you know, what would 
you want your grandchildren to brag about when they become 
adults as it relates to what you were able to do at CISA? I 
mean what do you envision down the road as something that is 
significant that you really want to do and may even need the 
help of the Chair, the Ranking Member, and this entire 
committee in getting it done?
    Ms. Easterly. Thank you for that great question, sir.
    My son is 17 and I often tell him how excited I am to 
someday be a grandmother, which I think it is a little off-
putting to him since he is a junior in high school, but I am 
excited for that day because I like babies.
    But it is a great question. You know, I have thought about 
this through my career, through 21 years in the military, 
several combat tours, working at the White House, working in 
the intelligence community. Much of what I am doing is 
motivated so that my parents and my brothers and sisters and my 
son and my husband are proud of me. I would hope that my 
grandkids could say she helped make America safer. So that is 
my goal, to ensure the security and resilience of the 
infrastructure that Americans rely on every hour of every day, 
to get power, to get water, to get food at the grocery store, 
to get money at the bank, to get gas at the pump. These are the 
networks that underpin our lives and my mission is to ensure 
that they are secure and resilient.
    Mr. Cleaver. Is there a priority? Is there something that 
is so critically important to the agency that you want to direct 
as much attention to it as possible? The No. 1 thing. Or is the 
mission so massive that it is difficult to set anything aside?
    Ms. Easterly. Well, I don't think it is--I mean it is a big 
mission and I think it is a critically important issue, sir.
    Mr. Cleaver. It is.
    Ms. Easterly. But I think it is pretty simple. You know, 
our mission is to lead the National effort to understand, 
manage, and reduce risk to cyber and physical critical 
infrastructure. We do that in two main ways. We are the 
operational lead for Federal cybersecurity and we are the 
National coordinator for critical infrastructure security and 
resilience.
    My top priority to ensure that this agency is successful is 
to make sure that we have the talent we need to be able to 
operationalize our various missions. But my goal, again, is to 
really ensure that infrastructure, whether it is owned by--
critical infrastructure owners at the State and local level or 
with the Federal Government is secure and resilient to cyber 
attacks from nation-state actors and cyber criminals.
    Mr. Cleaver. Thank you very much.
    Mr. Chairman, I would like to beat Mr. Payne and I will 
yield back 50 seconds.
    Chairman Thompson. The gentleman is real kind.
    The Chair recognizes the gentleman from South Carolina, Mr. 
Norman, for 5 minutes.
    Mr. Norman. Thank you, Chairman Thompson.
    I want to thank our guests for testifying and for being 
here. From reading your backgrounds for both of you, you all 
really have the background to do a great job with what I 
consider the threat that this country is facing every day. You 
know, we have got so many that we know about, but the ones we 
don't know about--and I am from small business and know a lot 
of businesses that would not report the attacks on their 
particular company because of loss of stock value. You know, 
the fact that they just do not want it publicized. But with--
and I know you all have not been on the job but, you know, 6-8 
months, but if what you put in place, and since you have been 
there for the time that you have, would the Colonial attack be 
able to occur now or do you have the mechanisms in place to 
stop that?
    Mr. Inglis. Mr. Congressman, thank you very much for the 
question. It is an excellent question.
    I can't say for certain whether we would prevent the next 
Colonial Pipeline attack. I believe that we are in a much 
better position to detect it, if not deter it. The things we 
have done ensure that to the extent that any one of us has a 
small piece of understanding about what might be transpiring in 
the shared domain of cyber space, we are now in a better 
position to share that richly, quickly, and at a granularity 
that is then useful, that is actionable intelligence.
    We are also able at this point to better respond to those 
activities, such that we can surge support to the point of need 
and restore not simply resilience and robustness to the system 
quickly, but confidence that the systems will work on our 
behalf. But I have to be quite clear, quite honest about saying 
the technical debt--the lack of investment for so many years is 
long in the making. It won't be turned around in a fortnight. 
We need to make sure at this moment we are making best use of 
the components, the authorities, and that we apply those in an 
integrated and collaborative fashion, such that increasingly an 
adversary needs to beat all of us to beat one of us. That 
should be a daunting proposition for them.
    Mr. Norman. What about--you know, we have got an open 
border. This country is petrified of what is going on with the 
border. Anybody and everybody from any country is coming in. We 
don't know who they are, we don't know what country they represent. 
All we know is we are not doing any background, we just--they 
basically are coming across the border unfettered. How you--and 
this is for either one of you--how are you all dealing with 
that and what threat is this that we face known or unknown that 
you see?
    Mr. Inglis. Mr. Congressman, I will start with a question. 
I assume that you are extending that analogy into cyber space. 
I think it is quite apt. You know, cyber is essentially a set 
of open borders which we might confer some degree of 
jurisdiction based upon geography. But in cyber space geography 
means very little absent the authorities that are bound within 
the United States, based upon that geography. So we have to 
make sure that we understand what is happening across those 
borders, that we can better identify the transgressors who come 
at us from across those borders, and that we can better deal 
with the sum of the authorities we bring to bear based upon 
both domestic and National security authorities. All of that is 
a very daunting proposition, the borderless space of cyber 
space. I believe we have the means to do that, but we have to 
better identify those threats, better secure the 
infrastructure that we mean to defend, and collaborate on top 
of that to bring all our resources to bear.
    Ms. Easterly. Would only add, absolutely. I mean some of 
the complexity--a large part of the complexity of our job, sir, 
is that we are dealing with cyber space, which is borderless.
    But just to add to Director Inglis' comments from earlier, 
I think we are making progress in ensuring that there are fewer 
Colonial Pipeline-type hacks, but at the end of the day, the 
Government can only do so much. A lot of this is the private 
sector making sure that they are implementing the standards and 
the cyber hygiene that they need to protect their systems and 
networks. We are here as a trusted partner to provide 
assistance, to provide standards, to provide information, but a 
lot of this has to be the basics of cyber hygiene.
    So I look forward to continuing to work with small 
businesses, the private sector so that they have the 
information that they need to be able to protect themselves.
    Mr. Norman. Yes. You all play a vital role with that and I 
hope you--I realize cybersecurity doesn't have a border, but 
what we are doing is letting people in that are embedded in our 
communities that are coming to our country. We have got Duke 
Power in my district and EMP attacks, which is--an attack on 
this country is of great concern to all of us.
    Thank you so much. I think my time is up.
    I yield back, Mr. Chairman.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentlelady from New York, Ms. 
Clarke, for 5 minutes.
    Ms. Clarke. Thank you, Mr. Chairman. I thank our Ranking 
Member and our witnesses for appearing today and lending their 
expertise to the subject matter.
    Let me start with Director Inglis. As you know, Congress 
established the Office of National Cyber Director in part to 
address the long-standing inter-agency coordination challenges 
and turf wars that existed between CISA, sector risk management 
agencies, and other Federal agencies with cyber missions. Can 
you distinguish between the role ONCD plays as opposed to the 
role played by the National Security Council and CISA's role as 
the lead Federal coordinator for critical infrastructure 
protection?
    Mr. Inglis. Yes, Congresswoman. That is I think an 
important question and so I think the answer would be that 
those roles are complementary, they are applied concurrently. 
They are not necessarily hierarchical. At the same time that 
CISA is the on-field quarterback equipped with resources and 
authorities to coordinate the defense within the Federal 
enterprise and the support of the Federal Government to the 
critical infrastructure, the National cyber director has to 
make sure that the roles and responsibilities, as you indicate, 
of CISA and the sector risk management agencies are clear, that 
they are prepared to act in a complementary fashion, and that 
their performance is up to par in terms of our expectations. At 
the same time, the National Security Council, and in the form 
of Anne Neuberger, who is the deputy National security advisor 
for cyber and emerging technology, applies instruments of power 
that are outside of cyber space to bring about desired 
conditions inside cyber space, our intelligence assets, our 
military assets, our diplomatic assets, our legal assets, our 
financial assets. All of that is traditionally the role of the 
National Security Council.
    If we do those three roles concurrently they can complement 
one another such that the sum of the parts is greater than the 
arithmetic sum.
    Ms. Clarke. Wonderful.
    So in your experience thus far as the first-ever U.S. 
National cyber director, how confident are you that ONCD will 
be able to unify Federal cyber efforts around a common vision 
and shared purpose?
    Mr. Inglis. I think I am not in a position to ultimately 
judge my own performance, but I think that we can make a 
difference. I think that that is the point of accountability 
that should be imposed on me. Did the system perform better, 
are we in fact more coherent, cohesive in the application of 
these very impressive pieces at the end of the day? I think we 
can and will make a difference.
    Ms. Clarke. Awesome.
    Director Easterly, would you care to weigh in on the 
dynamics between ONCD and CISA and whether you see these roles 
as complementary of each other and any areas for improvement?
    Ms. Easterly. Thanks so much for the question, 
Congresswoman.
    As Chris and I have talked about--and we go back about 15 
years, so we have known each other for a while--and I think--
you know, I often say technology is easy, people are hard. So 
you have to have that trust to build that collaborative 
partnership. Fortunately Chris and I have been friends for a 
long time. We talk about our relationship as he being the 
coach, me being the quarterback, but we know that there are all 
players on the field. I think even in just the last 3 1/2 
months we have forged a highly collaborative, highly cohesive 
relationship with our teammates across the Federal Government.
    You know, this is about one team, one fight, cyber is a 
team sport, no drama, no ego, no tribalism, no turf. It is 
about getting the job done. So it is not Cobra Kai versus 
Miyagi-Do, it is Cobra Kai and Miyagi-Do against all the bad 
guys.
    Ms. Clarke. Wonderful. It is so refreshing to hear that 
response. We are maturing as an agency.
    Director Inglis, in the wake of the Colonial Pipeline 
ransomware attack we saw what I would describe as a breakdown 
of the PPD-41 framework and a failure to execute the National 
Cyber Incident Response Plan. Specifically, the Department of 
Energy was given the lead role in the Federal Incident Response 
efforts despite being neither the lead for asset response under 
PPD-41 nor the sector risk management agency for the pipeline 
sub-sector.
    What guardrails have been put in place since then to ensure 
that the next time the United States has to respond to a 
significant cyber attack on our Nation's critical 
infrastructure the lines of effort articulated under PPD-41 
will be observed?
    Mr. Inglis. Thank you for the question.
    As you indicate, PPD-41 remains a quite useful and 
appropriate document to guide our efforts in the moment of 
contingency or crisis, say a repeat, god forbid, of the 
Colonial Pipeline. I think that what we have done since then, 
and certainly in the last 3½ months now that Director 
Easterly and I have assumed these roles, is to double down on 
our efforts to understand what the role of CISA is--it is 
increasingly clear what the role is, it is the coordinator--to 
double down on how then that relates to the sector risk 
management agencies to understand what the lanes of effort are, 
how they complement one another such that in the heat of the 
next contingency or crisis we will be based upon not simply 
what the rules are laid out in PPD-41, but tested and exercised 
roles and relationships based upon not simply professional 
trust but the personal relationships that we have established 
to know how we would respond in that crisis.
    Ms. Clarke. I thank you, Mr. Chairman. Thank you for your 
indulgence.
    I yield back.
    Chairman Thompson. So, Mr. Inglis, so let me understand 
what you just said. You said personal relationships. Are you 
saying those personal relationships override the policy?
    Mr. Inglis. I do not, sir. So thank you for your question 
and the opportunity to clarify.
    I think those professional relationships are well described 
in law, in policy, and ultimately in the administrative roles 
that are established. The personal relationships can complement 
those and ensure that you affect those not simply as a division 
of effort, but in a collaborative fashion.
    I spend quite a lot of time trying to understand what the 
challenges and the authorities are of Jen Easterly or the 
sector risk management agencies so that I can put myself in 
their stead and understand what I need to do to support them. 
That is based upon personal trust as much or more as executing 
fully and faithfully the authorities and the rules that are 
inculcated in statute and policy.
    Chairman Thompson. But you do recognize that the policies 
at the end of the day----
    Mr. Inglis. I do, sir, without equivocation----
    Chairman Thompson [continuing]. Should be the driving force 
behind what you do.
    Mr. Inglis. Without equivocation.
    If I might, I would just say that I think that a 
transformative feature of what we are proposing is that we can 
fully and faithfully execute the law and the policies in a way 
that might equate to a division of effort, that we then meet at 
seams that are defined by those laws and policies, which are 
very important. But we also need to go further to try to 
understand what more we can do to aid and abet the activities 
to the left of us, to the right of us, to achieve a degree of 
collaboration, which means that we have to work harder and 
essentially have a degree of personal addition to those as 
opposed to subtraction from those.
    Chairman Thompson. But somebody has to be in charge.
    Mr. Inglis. At any moment in time we need to know who is 
accountable for what, yes, sir.
    Chairman Thompson. Absolutely.
    The Chair recognizes the gentleman from Georgia, Mr. Clyde, 
for 5 minutes.
    Mr. Clyde. Thank you, Mr. Chairman.
    Our Nation's safety and security are being challenged by 
our enemies through cyber space. As we have seen over the last 
year, these attacks can lie dormant for many months before 
being detected and can have devastating consequences on our 
economy and our way of life.
    Further complicating these threats is the fact that cyber 
attacks can be carried out by both state and non-state actors 
and can be relatively inexpensive to execute. There seems to be 
limited tools at our disposal that enable us to immediately 
respond to a cyber attack and hold perpetrators accountable. In 
many ways cyber attacks have emerged as a near-perfect weapon 
against our Nation--especially the civilians in our Nation.
    So both of you, thank you for continuing to provide 
valuable insight into what steps are needed to strengthen our 
cybersecurity and to respond appropriately when the attacks are 
successful.
    As my colleague from Louisiana, Mr. Higgins, highlighted, I 
think the best defense is a good offense, but we definitely 
need both. The civilian sector needs a stronger defense, but 
they have got to know what resources are there to help them 
too.
    So my first question is for CISA Director Easterly. 
Director Easterly, this past month was cybersecurity awareness 
month and CISA launched their annual effort to educate the 
public on good cyber hygiene practices and the resources that 
CISA offers. Numerous Members in Congress, including myself, 
did what we could to amplify your agency's message with our 
constituents. Things like public service announcements, 
speaking on the House floor directing people to your CISA 
website for further education, speaking to local clubs, 
including Rotaries and that sort of thing, but what other steps 
can Members take to support CISA's mission in each of our 
district? Because, you know, honestly, when I spoke to a local 
Rotary, there was only one person in that room--and there was a 
number of folks there that actually knew what CISA was. You 
know, you bring tremendous resources to the table. How can we 
make America more aware of what you have got?
    Ms. Easterly. Yes. So first of all, thank you very much for 
your leadership and your support. It is great to have Members 
weighing in on this important issue. So thanks for that.
    You know, we are the newest agency in the Federal 
Government. We are going to have our third birthday here on 
November 16, so it is probably not terribly surprising that 
some folks don't know who CISA, what CISA is, how to correctly 
pronounce CISA. But at the end of the day, I do think, sir, we 
are making progress. Part of that is the help of Congress, but 
also we have a fantastic field force. We have over 500 people, 
cybersecurity advisors, protected security advisors out there 
working with State and local, your constituents, other 
constituents, and critical infrastructure owners and operators 
to render assistance, to ensure they have the information they 
need to be able to protect themselves. So we are going to 
continue with this campaign, but I agree with you, we need a 
campaign like ``Click It or Ticket'', or ``Smokey the Bear'', 
or ``This is your brain on drugs'', something that really makes 
an impact on the American people so they know exactly what they 
need to do to protect themselves and to implement multi-factor 
authentication.
    Mr. Clyde. Thank you.
    Follow up on that, you recently discussed CISA's initial 
work to map out our Nation's primary systemically important 
entities. As you know, there are legislative proposals that 
would require CISA to accomplish this goal, including one 
authored by Ranking Member Katko and Mr. Garbarino. I applaud 
your agency for taking the initiative without Congress having 
to get involved. However, could you tell me, has CISA run into 
any obstacles in identifying these entities that are critical 
to our Nation's security and do you believe legislation would 
help CISA overcome these obstacles? Is there any way that we 
can help in that regard?
    Ms. Easterly. You know, as I have said, I think it would be 
very useful to codify systemically important critical 
infrastructure, or what we call PSIES, Primary Systemically 
Important Entities, but we are going to do that work 
notwithstanding. We have not hit any obstacles, but I will tell 
you, I mean we want to do this right. So ensuring we have the 
rigorous methodology to be able to identify these systemically 
important entities based on network centrality, economic 
centrality, logical dominance, and National critical functions. 
That is a tough effort. It is an important effort. But we have 
to be able to identify them and then we have to measure how we 
reduce risk. This can't just be about advising on risk or 
managing risk, it has to be about reducing risk. We have to 
measure what matters, and part of that is being able to 
articulate those SICIs or PSIES in the first principles.
    Mr. Clyde. All right. Thank you.
    In just a couple of seconds left, Director Inglis, you 
know, as I said, I am very interested in and support a great 
offense.
    Chairman Thompson. The gentleman's seconds have expired.
    Mr. Clyde. OK. Thank you.
    I yield back.
    Chairman Thompson. The Chair recognizes the gentleman from 
Texas, Mr. Green, for 5 minutes.
    Mr. Green. Thank you very much, Mr. Chairman. I thank the 
Ranking Member. I think this has been a very informative 
hearing and I regret that I have been in another hearing and 
have not been able to follow all of what has been--and I am 
still being in two places at once, it is difficult to achieve.
    Let us start with what I believe the public perceives as an 
issue. Just the mere notion that the Federal Government cannot 
protect its networks. It is probably hard for the typical 
consumer to understand how the Federal Government can't protect 
its networks and if it can't, then there is probably a belief 
that it is going to be difficult for the private sector to 
secure its networks.
    Perhaps this has been answered, but do we have--in 
collaborating with the private sector, have we identified the 
private-sector networks that are so important to our country 
that we the Federal Government should have a greater hand in 
protecting them?
    Whoever would like to respond.
    Mr. Inglis. Congressman, if I could start with that and 
then defer to my counterpart, Jen Easterly, to complete the 
answer.
    I think first and foremost you properly point to the 
public's expectation that Federal networks will be properly 
built, properly defended to deliver the functions, the services 
that they expect. We have taken aggressive effort to that. The 
Executive Order in May, the binding operational directive that 
Ms. Easterly talked about earlier in this hearing are both 
aimed at doing just that. But we have further work to do.
    As to whether we should take then further effort to define 
the critical functions that serve the public, both within and 
without, within the private sector, there is further work to be 
done in that regard. We call that systemically critical 
infrastructure. It is a challenge to define what that is, given 
there are so many possibilities and therefore so many 
components that underpin those possibilities. But CISA has 
taken that work on. With the support of this Congress and this 
committee in particular, I think that we can make progress.
    Mr. Green. Does the lady desire to have a comment?
    Ms. Easterly. Sir, is that for me?
    Mr. Green. Yes, ma'am. Sorry. Did you have a response?
    Ms. Easterly. Yes, thank you.
    You know, I would just add to Director Inglis' points, we 
are in fact moving out on identifying those primary systemically 
important entities. It is a serious and complex effort. We are 
working through it and so I am hopeful that we will have a 
preliminary view on that in the coming months.
    I would absolutely agree with you that the Federal 
Government has to lead by example. The private sector can't 
look at us and expect us to not be able to defend our own 
networks. So all of the work we are doing pursuant to the 
President's EO to modernize our Federal civilian Executive 
branch networks to create visibility to ensure that we can 
actually manage that enterprise as an enterprise, not as 102 
separate little tribes, we are working very aggressively to do 
that and I am optimistic that we are going to make a real 
difference. Because I think we all know that the status quo is 
unacceptable.
    Mr. Green. Thank you.
    With my 1 minute and 10 or so seconds left, let us talk 
quickly about diversity, work force diversity. It is my 
understanding that CISA recently announced a $2 million grant 
or grants to bring cybersecurity training to rural and diverse 
communities. What are the processes that we are putting in 
place to make sure that we do this in an efficacious way? My 
concern is that rural and minority communities too often are 
left behind and this is a great opportunity to make sure that 
they are brought into the fold.
    Can you give me some sense of what the process will be to 
make sure that we are doing this appropriately from past 
attempts?
    Thank you.
    Ms. Easterly. Yes, thanks for asking that question. I am 
hugely passionate about this. I am a big believer that you have 
to build a talent management ecosystem that allows you to tap 
into diverse pipeline because that diversity that looks like 
America will enable us to solve the toughest problems. I have 
always believed that since my early days as one of the few women 
at West Point and in my time in the private sector where I 
built an organization that was 50 percent women, 25 percent 
black and Hispanic. So the kind of things that we are moving 
out on are lessons that I have drawn from previous aspects in 
my career.
    You point to the GREAT grants--$1 million for NPower, $1 
million for the Cyber Warrior Foundation focused on developing 
unrealized talent in under-served communities. That is just the 
beginning. We are also working to create a pipeline with things 
like the Girl Scouts. We just created a collaborative 
relationship with Girls Who Code. I am looking forward to 
working with folks on this committee to be able to tap in to 
historically black colleges and universities to create a 
vibrant pipeline there. I am open to all great ideas.
    So I would love to work with you, Congressman, if this is a 
passion of yours as well.
    Mr. Green. It is a passion.
    Mr. Chairman, thank you so much for the time.
    That is one of the better answers that I have heard. I look 
forward to working with you, ma'am. If you will contact my 
office.
    Thank you so much.
    Ms. Easterly. Thank you, sir.
    Chairman Thompson. The gentleman's time has expired.
    The Chair recognizes the gentleman from Mississippi, Mr. 
Guest, for 5 minutes.
    Mr. Guest. Thank you, Mr. Chairman.
    Director Inglis, in your written testimony on page 4 you 
talk about 3 categories of threat that warrant continued effort 
and attention. I want to specifically talk about the third 
category. You say that we must remain laser-focused on 
maintaining the integrity of our information and 
telecommunications infrastructure against high-risk actors. 
Large portions of the hardware supply chain underpinning our 
most critical--such technologies are located in countries that 
could leverage it for intelligence gathering or disruption at 
global scale.
    So can you talk a little bit about the supply chain 
challenges that we are seeing today?
    Mr. Inglis. Thank you very much for that question.
    I think that there is a growing awareness that the digital 
infrastructure that supports critical functions, or for that 
matter, personal functions broadly across our society is at 
risk. It is at risk because it has not been built to be by 
design resilient and robust. It is at risk because we don't 
collaborate and integrate in the defense of that. Essentially 
the stove pipes that sit side-by-side-by-side add primary value 
to those supply chains without understanding what the 
resilience and robustness is from start to finish across those 
supply chains. As you have indicated, many of those lie outside 
our physical boundaries, our borders, such that we have to then 
depend upon the collaboration of others, other nations to 
effect the resilience, robust, and assume the defense of same.
    Approaching that then means that we have to reconsider how 
do we build those supply chains, invest resilience and 
robustness in those supply chains, how do we defend those 
supply chains? An important piece of that will be collaboration 
between the private sector and the public sector. Some of that 
might mean that we have to re-shore some of those supply chains 
to find places where we can build the key components, 
manufacture, and add value to those components with like-minded 
nations or within this Nation. All of that work before us I 
think transcends both cyber and the physical space. So it is in 
fact a strategy that is under way and it is a collaborative 
activity between the private and the public sector.
    Mr. Guest. Yes, outside of Congress incentivizing companies 
to return and manufacture many of these critical components in 
the United States, is there anything else that we can do as a 
Congress to try to bring those supply chains back here 
domestically so we are not depending upon countries, 
particularly countries in the Far East? I think of China and 
the growing threat of China, how many of the components that we 
need for things that we do on a regular basis are manufactured 
in China. We have seen the CCP continue to grow. You even list 
here in your testimony that countries can use some of the 
hardware manufactured in other countries for intelligence 
gathering.
    So I guess my first question is outside of incentivizing 
companies, giving tax relief, tax breaks for companies to bring 
production back to the United States, is there anything that we 
can do as a Congress to continue to encourage that?
    Mr. Inglis. I think there are three broad points of 
influence that we can bring to bear. You mentioned one of 
those, incentives. Trying to create market forces that will 
essentially push, right, these supply chains, these supply 
lines in the right direction for resilience and robustness and 
the confidence that pertains.
    Another is simply awareness. There is insufficient 
awareness about what the true challenge is, where these supply 
chains lie. We then find ourselves surprised, right, in a 
SolarWinds escapade to understand where this comes from and how 
perhaps adversaries might insinuate themselves into that. The 
Congress can be very helpful and this committee has been 
specifically and particularly helpful in that regard.
    Finally, some degree of accountability. When market forces 
fail, when incentives fail, we need to understand what are the 
truly critical functions that our Nation depends upon and 
ensure that those parties who are responsible for delivering 
that and defending that are specifically held accountable.
    Director Easterly and I sit before you as accountable 
parties to kind-of make sure that the Federal Government is 
doing its part. The private sector also has a part to play. By 
exception we need to understand what those roles and 
responsibilities are and affect accountability.
    Mr. Guest. Have you seen specific instances where countries 
have used their supply chain being a critical component for 
intelligence gathering? I know you list that here in your 
written testimony. First, have you seen examples of that and 
then, No. 2, are there any that you could share with this 
committee? I know there may be things which you have awareness 
of that you are not able to share in this type of setting. But 
just specifically if there are any that you could share, I 
would appreciate that.
    Mr. Inglis. I would be pleased in the appropriate setting 
to speak to intelligence matters that would kind-of point to 
the opportunities that various nations might have given the 
current disposition of supply chains. Unfortunately, for the 
purposes of this discussion, those are matters that are likely 
Classified in terms of those opportunities.
    Mr. Guest. Yes, sir. Thank you very much.
    Mr. Chairman, I yield back.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentlelady from Michigan, Ms. 
Slotkin, for 5 minutes.
    Ms. Slotkin. Great. Thank you, Mr. Chairman. A warm welcome 
to our witnesses. Really glad to have excellent experts. I echo 
Ranking Member Katko's comment that I feel like we have the 
best team in place and we are working in a really positive 
bipartisan way on something that is an issue that really 
connects high policy in Washington to every family back home in 
our districts. It is rare that that happens. But after the 
attacks on Colonial Pipeline and JBS, I find myself 
increasingly in front of communities, often in rural 
communities, where I am, you know, there to talk about 
something very different and the first question they ask me, 
from farmers to school teachers and superintendents is, what 
are we doing to protect ourselves from this onslaught of 
attacks. I would note, I had a big group of superintendents in 
my office yesterday and every single one of them had had 
ransomware attacks and many had paid the ransom to get the 
school data back.
    But what I want to know I think echoes some of my 
colleagues. I want to be able to tell people back home that we 
are doing everything we can to defend them. I understand that a 
lot of our offensive things are Classified and we don't talk 
about them in public, but I am interested in the defensive 
side. In particular what the President laid down on the 16 
different categories of infrastructure that he told Vladimir 
Putin were off-limits.
    Can you lay out for us, since the summit between the 
President and Putin and the President laying down that marker, 
have we seen attacks from Russian-based groups, particularly 
those groups that were responsible for some of our biggest, you 
know, disruptions, have you seen a decrease, an increase, or no 
change in their level of attempts to attack us?
    Mr. Inglis. I will start with that.
    Thank you very much for that excellent question. I am sure 
on the minds of most, if not all, of our citizens.
    I think that, answering the question head-on, we have seen 
a discernible decrease. It is too soon to tell whether that is 
because of the material efforts undertaken by the Russians or 
the Russian leadership. It may well be that the transgressors 
in this space have simply kind-of lain low understanding that 
this is for the moment a very hot time for them. We need to 
make sure that that continues to be the case, that we continue 
to build resilience and robustness in our infrastructure, we 
continue to work hard to understand who is transgressing across 
that infrastructure and use all of the resources at our 
disposal to bring them to justice.
    I think in the longer term we will be able to measure in a 
qualitative and a quantitative fashion what the diminishment of 
those efforts are. For the moment, I think it is too soon to 
tell. We therefore need to ensure that our strategy is 
solidified and brought to bear.
    Ms. Slotkin. OK. So I would just ask for your commitment. 
Since we know that some of these groups sometimes go dark for a 
short time while the media's attention is on them and then they 
come back to life. I would offer we should have that 
conversation again iteratively in this committee to make sure 
that the Russians are living up to a basic commitment to stop 
what is going on based out of their territory.
    I think the other issue I think Ms. Easterly is--I think 
one of my colleagues mentioned--you know, I don't think the 
American public knows the 9-1-1 number to call when their 
school, when their farm, when their processing plant, when 
their local government is attacked. Of course there are State 
offices that handle some of these things, but is it appropriate 
to think of CISA as the Federal 9-1-1 that we call when we see 
one of our infrastructure nodes being attacked?
    Ms. Easterly. Certainly. We welcome first of all the cyber 
incident reporting legislation where if there is an attack of 
some sort people would come to us and let us know because we 
are there to render assistance, but we can also use that 
information to prevent others from being hacked. So I would 
want people to recognize CISA both as those people that you 
call to get help, but really those people who are helping to 
raise the whole cybersecurity baseline and creating goodness 
for the entire defense of the Nation. So I hope to get to that 
point, Congresswoman, and I would love to partner with you on 
that.
    Ms. Slotkin. Yes. Then last I would say, you know, the 
best, you know, offense is a good defense. We know that our 
private sector has an important role to play. Do the companies 
you engage with get that they are part of our National security 
apparatus, that they have a role to play, particularly in 
infrastructure, in protecting the United States, and therefore 
have to maintain the highest standards, unlike some of our 
pipelines and others that we have seen recently?
    Ms. Easterly. Yes. I would certainly say that I have been 
incredibly encouraged, both from my time in the private sector 
within finance, but since then I arrived at CISA and have been 
working directly with private-sector companies, to include ISP, 
CSP, cybersecurity vendors, infrastructure providers, who get 
that this is a National security imperative. So have been 
encouraged, am optimistic, but we are going to continue to 
collaborate and strengthen those partnerships to make sure that 
this is really a National endeavor to protect the country.
    Ms. Slotkin. Thank you very much.
    I yield back.
    Chairman Thompson. The gentlelady yields back.
    The Chair recognizes the gentlelady from Iowa, Ms. Miller-
Meeks, for 5 minutes.
    Ms. Miller-Meeks. Thank you, Chairman Thompson, Ranking 
Member Katko. I appreciated the questions by all of my 
colleagues and Representative Slotkin, who just spoke, 
especially in reference to cyber attacks and ransomware.
    So JBS is in my district and it was affected--less so the 
plant within my district than, you know, the entire 
infrastructure of JBS. I have also, as a State senator, worked 
on legislation for ransomware attacks that our local government 
had experienced when they had been hacked. Interestingly 
enough, when people communicated to me in my district about the 
provision in the reconciliation bill with the increase in IRS 
agents and looking into accounts where there was a $600 
transaction, often I was asked about hacking and did this make 
us less secure.
    So I think this is an extraordinarily important topic and I 
appreciate Chairman Thompson bringing this forward today.
    Director Easterly, on the topic of the new CISA authorities 
provided in last year's NDAA, one of the more important 
provisions authorizes CISA to subpoena internet service 
providers to obtain contact information for critical 
infrastructure operators where CISA has identified vulnerable 
devices on the internet and so that these devices can be 
secured before they are attacked.
    Can you provide the committee a status update on the 
implementation, how many subpoenas has CISA issued to date?
    Ms. Easterly. Yes. Thanks for the question.
    It is a really, really important authority. We have issued 
over I believe 35 administrative subpoenas to date and we have 
seen--because we go back and we re-scan the infrastructure 
where we saw those vulnerabilities--we have re-scanned that and 
we saw those vulnerabilities actually get closed. So we believe 
this tool is enabling us to mitigate and remediate 
vulnerabilities and to make folks aware of vulnerabilities that 
they probably were not tracking.
    So we have used that aggressively since we have gotten it 
and I am really pleased to say that we have operationalized it 
in a way that is helping us reduce risk.
    Ms. Miller-Meeks. So you answered one of my follow-up 
questions, so I am going to go to the next one.
    Have you identified any shortcomings of the program that 
you think need to be addressed?
    Ms. Easterly. Well, since we are just in the--I guess about 
6 months, 9 months of operationalization, I have not yet seen 
specific shortcomings, but I will absolutely come back to you 
and let you know if we need something different or more from 
this authority.
    Ms. Miller-Meeks. I think with the recent attacks, you 
know, people are much more aware of this now, so it is a topic 
of conversation.
    So thank you. We would appreciate the feedback.
    I also think that we are--all of us are in agreement that 
we need to double-down on our efforts to provide proactive 
vulnerability identification to critical infrastructure 
entities, particularly those that identify as being 
particularly critical for economic and National security. I 
think we have heard this from several Members.
    We don't want a single point of failure resulting in 
cascading impact for the country at large. Do we have the 
processes and technology in place to execute on this proactive 
vulnerability identification and notification at scale? Are we 
effectively looking at vulnerabilities across critical 
infrastructure community through the eyes of an attacker?
    Ms. Easterly. I will start and happy for Director Inglis to 
weigh in.
    I think it is exactly the right question. As we know, 
everything is connected, everything is interdependent these 
days. Everything sits on that technology baseline and therefore 
everything is potentially vulnerable. So we work very hard to 
make sure that business owners, small and large, critical 
infrastructure owners and operators, State and local, the 
American people have a good understanding of what they need to 
do to ensure that their software is patched, to ensure that we 
are taking care of vulnerabilities, and to have the basics that 
we need.
    I would also commend the incredible research community, 
those researchers, those academics, those hackers out there who 
were doing yeoman's work in being able to help identify these 
vulnerabilities, bring them to us through the coordinated 
vulnerability disclosure platform, because that helps make us 
all safer and more secure.
    I would point to the Binding Operational Directive, ma'am, 
that we issued today that I think is really groundbreaking in 
that for the first time this is really giving time lines to 
remediate those specific vulnerabilities that we know have been 
actively exploited by adversaries, not just all 
vulnerabilities, but the ones that we think are most dangerous. 
I think that can make a real difference, not just for Federal 
agencies, but from a signaling perspective for our critical 
infrastructure owners and operators and for businesses, large 
and small around the country.
    Ms. Miller-Meeks. Thank you so much.
    Director Inglis, I apologize. I have run out of time so I 
won't be able to get your answer to this. But thank you so much 
and thank you, Chairman Thompson.
    I yield back.
    Chairman Thompson. The gentlelady yields back.
    The Chair recognizes the gentlelady from Texas, Ms. Jackson 
Lee, for 5 minutes.
    Ms. Jackson Lee. Mr. Chairman, if I could, I have to run to 
vote in another committee. I would like to delay my 5 minutes.
    Thank you very much. I will come back to the committee when 
I finish voting. Thank you.
    Chairman Thompson. The Chair recognizes the gentlelady from 
Nevada, Ms. Titus, for 5 minutes.
    Ms. Titus. Thank you, Mr. Chairman. I didn't realize I was 
going to be next, but I appreciate it.
    I would like to ask Mr. Inglis and Ms. Easterly both a 
couple of questions.
    One is in our Subcommittee on Transportation and Marine 
Policy, last week we learned that there are many cybersecurity 
vulnerabilities in our travel hubs, including airports. I 
represent McCarran Airport and we know that as people travel we 
want them to be safe physically, but we also want their data to 
be safe. You see everybody plugging in their computers 
everywhere and working on them. Then when they get on the plane 
they continue to use wifi from the airlines for in-flight 
services. I wonder if you two could address what we might be 
doing to make that more secure?
    Mr. Inglis. Thank you very much for the question. I will 
start and Director Easterly, I am sure, will complement that.
    I think there are at least two dimensions to this. One is, 
as per some earlier conversations we have had, there are in 
these locations systemically critical infrastructure upon which 
the public depends. How do we coordinate the flow of air 
traffic, how do we ensure that flight plans are securely 
communicated, how do we make sure that the data flows that 
underpin the safety of that industry are properly defended? The 
work that CISA and others are doing to determine what those 
systemically critical components are and the entities 
responsible for those will allow us to focus the very precious 
resources we have in a prioritized way to increase resilience 
and robustness in the defense of safe.
    To the extent that individuals make use of individual 
services for their personal and perhaps their business 
activities, we need to make sure that as a matter of the 
commodities provided to them that security is built in. We also 
need to make sure that they are aware of what their 
alternatives are and that in the case where there is a risk 
that we haven't found a way to buy down, that they understand 
that that is a risk that they can choose to take or not take.
    So some degree of cyber education, training, and awareness 
is also essential and we need to kind-of get that into our 
people skills at the earliest possible moment.
    Ms. Easterly. Yes. I would only add--I completely agree 
with that. A lot of this, clearly from a standards perspective, 
we work closely with TSA as they are the sector risk management 
agency for aviation, for rail, but this also comes down to 
public awareness, making sure people understand the basics of 
password hygiene, updating their software, implementing multi-
factor authentication, making sure that if you are a business 
you are patching those vulnerabilities.
    So we have got to come at it from both angles, from a 
personal angle but also from a Government Federal agency angle. 
It has got to be a team sport.
    Ms. Titus. Thank you.
    Speaking of Government agencies working with others, I 
would ask you about the relationship with universities and how 
we can strengthen that. I represent the University of Nevada, 
Las Vegas and they have a cyber center that has been recognized 
by DHS and the NSA as the National--it is a National center of 
academic excellence in cyber defense education. They are 
working to create a clinic where students can help small 
businesses if they get hacked because we know if a small 
business is hacked, 60 percent of them go out of business as a 
result of that.
    So could you talk about maybe how we could strengthen the 
relationship between the Federal Government and the 
universities to do things like help small businesses?
    Ms. Easterly. Sure, absolutely.
    First of all, I love that clinic idea. I would love to come 
visit, if that is cool.
    Ms. Titus. You are welcome any time.
    Ms. Easterly. Awesome. So you mentioned the centers of 
academic excellence that is sponsored by both DHS and NSA. It 
is a fantastic program and it is really part of our strategy to 
be able to tap into these schools, as well as community 
colleges, historically Black universities and colleges to 
create that pipeline for the next generation of cyber talent. 
So the kind of things that you are doing are exactly what we 
want to amplify. We want to tap into some of those students 
that are already cyber superstars. Our cyber talent management 
system will allow us to hire these folks based on their 
aptitude and their collaborative attitude as opposed to 
somebody having to get a Ph.D. or a Master's degree.
    Mr. Inglis. If I could double down on that and commend the 
clinic in a particular and specific way, which is the clinic 
idea actually has many, many beneficiaries. Of course it 
benefits the local businesses that are serviced by those 
clinics, of course it is a component of those students, but 
importantly, it bridges the gap between education and practice 
in ways that so many institutions have been challenged. When a 
student arrives with a degree or a certificate at the front 
door of a business that they want to work for, they often lack 
the experience necessary to prove that they can do the job at 
the very first moment. So I think you have solved a number of 
challenges in one fell swoop. So I would commend that for 
others to follow.
    Ms. Titus. Well, thank you. I am glad to hear that. I will 
let UNLV know your comments.
    Thank you, Mr. Chairman, I yield back.
    Chairman Thompson. The gentlelady yields back.
    The Chair recognizes the gentleman from Kansas, Mr. 
LaTurner, for 5 minutes.
    Mr. LaTurner. Thank you, Mr. Chairman. Good afternoon.
    I was on the phone conversation yesterday--phone call 
yesterday with a constituent of mine who owns a small business 
in Kansas. He had a ransomware attack and they asked for 
$900,000, which is a lot for this business--it is a lot for any 
business, but certainly a lot for this one. I asked the 
question, I said did your insurers or did the lawyers or the 
technical experts at any stage tell you you need to report this 
to a Federal agency, that you need to make this known. He said, 
no, to the contrary, they said it is a waste of time.
    Now, I don't think you would agree that it is a waste of 
time and I would like you to address that. Assuming that you 
don't think it is a waste of time, how do we begin to change 
this narrative across the country?
    Ms. Easterly. I am happy to start. Or you go ahead, please.
    Mr. Inglis. Go ahead.
    Ms. Easterly. So first of all, I have great empathy for 
these small businesses that are getting hacked. They are put in 
a terrible position and I think they often do pay. Now, we say 
as a Government, you should not pay because it incentivizes 
that criminal ecosystem, but a lot of these folks----
    Mr. LaTurner. They got it down to $600,000, but they were 
losing $2 million a day, you know.
    Ms. Easterly. Yes, it is an incredibly tough decision.
    Mr. LaTurner. So it is a tough spot.
    Ms. Easterly. I totally hear you.
    So part of this is making sure that businesses have 
everything that they need to prevent getting hacked. Frankly 
the resources and assistance and information we provide can 
help with that. But at the end of the day we have a field force 
that can actually render assistance to help folks understand if 
they get hacked what they can do about it, how they can recover 
and mitigate risk. If they do report to us, I think very 
importantly--which is why I am a fan of this legislation--we 
can use that information to prevent others from being hacked. 
But I would tell you, you should tell your constituent go to 
stopransomware.gov, which has been looked at uniquely almost 
500,000 times. There is a huge amount of information, what 
ransomware is, how do you deal with it, how do you prevent 
yourself from getting hacked.
    Mr. Inglis. It is hard for me to add value to that answer. 
I think it is a complete and fulsome answer. I think that they 
should call such that then we can better support them in the 
time of need, that we can take the information necessary and 
invest in the future. But it is our job as the Federal Government 
working in collaboration with the private sector to prevent 
these events in the future. Stopransomware.gov is an excellent 
kind of body of information to allow individuals, businesses to 
kind of act in their own defense, but there is more that we can 
do to get ahead of this to make sure that we are left of that 
event.
    Mr. LaTurner. But you are both certainly aware of that 
attitude being very prevalent throughout the country in the 
business sector?
    Mr. Inglis. We are. The Government needs to actually--it 
needs to lead with the practice such that when you call the 
Government, the Government actually responds with meaningful 
support. What Director Easterly has laid out is an initiative, 
a set of initiatives across the Federal Government that had 
begun to do that. But we need to demonstrate that value such 
that the first thinking of an individual business or citizen is 
I need to call the Government because they have shown 
themselves willing and able to assist me in this time of need.
    Mr. LaTurner. Let us talk about the JCDC. So I know it just 
launched in August officially. Talk about the promise of that 
and how you think that is going to help the coordination. 
Because that is one of the big concerns that I have is that 
there are so many different departments that have a piece of 
this. You know, for example, the White House chose the 
Department of Energy to deal with the Colonial attacks. So what 
is the promise of that and how are you going to make sure that 
we are actually coordinating and that Congress in our oversight 
function can actually hold someone accountable? Because it is 
incredibly frustrating when it is so spread out.
    Ms. Easterly. Yes, absolutely. It is a great question.
    I am incredibly motivated on this one, sir. I will come 
back and ask this committee for help if I need it. You can hold 
me accountable if the JCDC fails, but I will tell you, I am 
motivated because even though I spent 27 years in Government 
before I went to the private sector, when I showed up in the 
private sector it felt like you needed a Ph.D. in Government to 
deal with the U.S. Government, right. You were getting 
different signal, different information from different 
agencies, it was totally unhelpful and incoherent, even as good 
as Government agencies and well-meaning as they are. So the 
beauty of the JCDC is by law it brings together the power of 
the Federal Government, not just CISA, but NSA and FBI and DoD 
and DoJ and ODNI and Secret Service and the National Cyber 
Director as one entity to collaborate with State and local, 
with critical infrastructure owners and operators and with 
those cybersecurity companies, ISPs and CSPs that have the 
global visibility to allow us to illuminate those dots so we 
can connect them and drive down risk at scale.
    This is not about just weekly meetings on partnership, hey, 
how are you, let us have coffee together. It is really about 
how do we operationally collaborate in a professional intimate, 
shoulder-to-shoulder--whether that is virtual or physical--way 
to make a difference for this defense of our Nation.
    Mr. LaTurner. I appreciate that. I want you both to succeed 
and am happy to do anything that I can to help along the way.
    Mr. Inglis. Thank you, sir.
    If I could, at the risk of 10 more seconds, simply add that 
I think that the JCDC is different in kind than what we have 
done before. This essentially is an agreement to collaborate 
essentially to find dots, to co-discover threats that no one 
can find alone. That is different. Authorized by the Congress, 
substantiated in law, we are now beginning to effect that.
    Mr. LaTurner. Thank you both for your time.
    I yield back, Mr. Chairman.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentleman from New York, Mr. 
Torres, for 5 minutes.
    Mr. Torres. Thank you, Mr. Chair.
    I must admit I continue to have a lack of clarity about 
cyber jurisdiction. I know you have been asked this question a 
few times, but the National Security Council exists to play a 
coordinating role on matters of National security, which 
increasingly include cybersecurity. What is the central 
difference between the coordinating role of the National cyber 
director and the coordinating role of the National security 
advisor for cybersecurity? Earlier, in response to 
Congressmember Clarke you said the two roles are complementary. 
But I am interested in knowing what makes them distinct, not 
complementary.
    Mr. Inglis. At the end of the day if there is an event that 
requires the application of instruments of power outside of 
cyber space, the various instruments kind-of in the hands of 
Government, like intelligence or military or diplomacy, that is 
the traditional and sustained role of the National Security 
Council. My job is to ensure that the resources inside of cyber 
space are prepared, complementary, and effected for the purpose 
intended such that chief information security officers, CISA, 
sector risk management agencies, all of whom operate inside 
cyber space, that they do the job that is required.
    Mr. Torres. I want to revisit a point that Congressmember 
LaTurner made. So there are 16 critical infrastructure sectors 
and each sector has a sector risk management agency. The role 
of CISA is to partner with those sector risk management 
agencies to secure critical infrastructure. Even though the TSA 
is the sector risk management agency for pipelines, the Federal 
Government designated the Department of Energy as the lead agency 
on response to the Colonial incident.
    Do you worry, as I do, that the designation of the 
Department of Energy as the lead agency perpetuates confusion 
about who exactly is in charge, about cyber jurisdiction?
    Mr. Inglis. Congressman, I think that is an excellent question. 
Neither Director Easterly nor I were here at the time and 
therefore are unable to illuminate that choice. I would say 
that from this day forward, from the moment we got here, we 
strongly relayed that the playbook should be followed. That 
when we allocate roles and responsibilities, to the question 
asked earlier, policy matters. It must be effected as intended. 
Therefore in the future we intend to exercise, allocate, and 
essentially respond according to those policies and laws.
    Mr. Torres. To be clear, who in the administration decides 
which agency takes the lead on a cyber incident response?
    Mr. Inglis. I think that we define that ahead of the time, 
such that that agency knows at the moment that that occurs that 
that is in fact what they should do. Again, within cyber space 
my responsibility is to ensure that those agencies understand 
those roles, they are prepared, and that they then execute 
those roles. As the on-the-field quarterback Jen Easterly would 
then ensure that that is actually being effected.
    Mr. Torres. Director Easterly, I appreciated your allusion 
earlier to Cobra Kai.
    Ms. Easterly. Thank you.
    Mr. Torres. I am a fan of the show. You said earlier there 
is a limit to what we can do in Government, that there is no 
substitute for cyber hygiene from the private sector. I agree 
with your assessment. It seems to me the breach of both 
Colonial Pipeline and JBS demonstrates that the laissez-faire 
approach to cybersecurity that the Federal Government has long 
taken has been a profound failure. A voluntary framework will 
only take you so far. There is no substitute for mandates.
    So I have a few questions. Should every owner and operator 
of critical infrastructure report major cyber incidents to the 
Federal Government? Yes or no?
    Ms. Easterly. Yes.
    Mr. Torres. Should every owner and operator of critical 
infrastructure have a chief information security officer?
    Ms. Easterly. Yes.
    Mr. Torres. Should every said owner and operator have 
multi-factor authentication?
    Ms. Easterly. Yes.
    Mr. Torres. Should every owner and operator have password 
updates and software updates and third-party assessments?
    Ms. Easterly. Yes.
    Mr. Torres. So if you agree that every owner and operator 
of critical infrastructure should adopt these cross-sector 
standards of cyber hygiene, as you describe them, then when is 
the administration going to mandate them universally?
    Ms. Easterly. Well, we have begun a lot of that work with 
mandating it within the Federal Government. That is the work 
that we are doing with the EEO. All of those things are part of 
on-going efforts and that is signaling to our private-sector 
partners, who own that infrastructure and--you know, as you 
know, it is not owned by the Federal Government, but we are 
doing everything we can to ensure that we are signaling by 
leading by example and then by articulating the goals and 
standards that private infrastructure needs to implement to 
make themselves safe----
    Mr. Torres. With respect, signaling is different from 
mandating. Like the only reason we have mandates for pipeline 
cybersecurity is Colonial Pipeline. There is a sense in which I 
feel like we are reacting to events rather than governing. I 
want to govern proactively.
    Ms. Easterly. Yes. I think there is--I agree with you, 
bottom line. I think there is a role for ensuring that we are 
holding those who own and operate critical infrastructure 
accountable for ensuring that their systems and networks are 
secure and resilient. I think you are starting to see some of 
that being implemented here by the Government.
    Mr. Torres. I want to quickly squeeze in a question. I am 
curious, Director Inglis, what is your opinion on General 
Nakasone's cyber strategy of defense forward and what impact, 
if any, has Solar Winds had on your opinion on that strategy?
    Mr. Inglis. I think the strategy, which has now been in 
place for 3 1/2 years is an appropriate strategy. It follows 
on the heels of what we have done in other domains of interest. 
NATO is defend-forward, the pre-positioning of U.S. Forces in 
South Korea is defend-forward. It should be followed by the 
application of all instruments of power in a similar fashion 
such that we have an early discernment of threats against us 
and early action to engage those threats such that we no longer 
wait on shore to receive those threats as they arrive in a 
distributed fashion.
    Chairman Thompson. Thank you very much. You see why he is 
Vice Chair of the Committee, right?
    The Chair recognizes the gentleman from Michigan, Mr. 
Meijer, for 5 minutes.
    Mr. Meijer. Thank you, Mr. Chairman, and thank you to our 
Ranking Member and our witnesses for being here today.
    I actually want to follow up on what the subcommittee Vice 
Chair was asking about regarding that strategy, and 
specifically, you know, there have been prior questions around 
the concept of deterrence, so I don't want to go back and 
rehash that ground, but I serve on both Homeland Security and 
Foreign Affairs and a lot of these issues really--cybersecurity 
issues are at that nexus when it comes to foreign adversaries, 
you know. I know we have been working on a broader multilateral 
strategy deterrence on the diplomatic side, but there are also 
unique vulnerabilities--or I should say unique protections 
within the United States and the way that our intelligence 
community is structured that I think can be--are very well-
intended, but could have negative consequences.
    So I guess for both witnesses, are our foreign adversaries 
exploiting restrictions of our intelligence community by using 
U.S.-based tech firms in order to launch attacks using virtual 
private servers?
    Ms. Easterly. I think we saw that pretty clearly in both 
Solar Winds, as well as Microsoft Exchange. It is not a 
surprise. These adversaries are sophisticated, they are going 
to do everything they can. They are entrepreneurial. So it is 
one of the reasons why we have put together the Joint Cyber 
Defense Collaborative with those companies that have the 
visibility into domestic and global infrastructure that we 
don't want the intelligence community or the U.S. Government to 
have. These companies are able to provide this information in 
an anonymized way so the privacy is protected, but that we 
understand those vulnerabilities and then we can do something 
about it as rapidly as possible.
    Mr. Meijer. Would you say that would level out the benefit 
to our adversaries of using U.S.-based platforms rather than 
using foreign platforms that may fall under a different set of 
guidelines for IC?
    Ms. Easterly. Well, certainly it will help increase our 
visibility as we know we have better visibility overseas given 
some of our intel capabilities. But I think actors have shown 
themselves to try and take advantage of the blind spots. So we 
need to use creative ways to be able to create those dots, 
connect the dots to drive down risk at scale.
    Mr. Meijer. Are there legislative solutions that may help 
to further drive down that risk at scale and connect those dots 
further?
    Ms. Easterly. At this point in time I really don't know. I 
don't think so. We need to get this model right and ensure that 
the information is shared in a way that is enabling and 
collaborative. But I will definitely come back to you, sir, if 
I think we need more authorities to instantiate this visibility 
that we need to defend the Nation.
    Mr. Meijer. Thank you. I would welcome that conversation. I 
think, you know, as you saw we are passionately committed to 
doing what we can on talent, recruitment, and retention, on 
making sure that authorities are in place on recognizing that 
this is a critical and pressing vulnerability for our country. 
So I think there is strong bipartisan support to do what we can 
to shore it up, but some of that may trip into other areas that 
I think we are happy to discuss on-line or off-line.
    Then, Director Inglis, in your testimony you identified 
burden reallocation across the cyber ecosystem as a major key 
objective. In order to take those unfair responsibilities off 
of the most vulnerable entities in cyber space, such as 
individuals or small businesses, you know, local governments 
that may have the least amount of resources are least well-
equipped to deal with the magnitude of the threat--I guess, to 
put it briefly, how are you approaching this problem, which 
stakeholders in this space do you feel should bear the largest 
share of responsibility for systemic cyber risk in the digital 
ecosystem?
    Mr. Inglis. Thank you very much for the question.
    I think that if you are an individual consumer of cyber 
services far too often you have to provide for your own 
security in a way that a consumer of an automobile does not. A 
consumer of an automobile does not have to go out and negotiate 
for an airbag or anti-lock brakes, they are built in. So we 
need to start with that. The systems that we provide to our 
citizens, to users, have to actually be resilient and robust by 
design, at scale, commodity scale.
    No. 2, we need to make sure that those who would 
transgress, who would essentially hold them at risk all the 
same, that we understand who they are, how they operate, and 
that we find them and bring them to justice using all the 
instruments at our disposal, legal means, financial sanctions, 
diplomacy. This is an international threat.
    We also need to make sure that in a time of extremis, 
contingency, or crisis, that the Government provides resources 
as appropriate to help those individuals or businesses at that 
moment in time. All of those combined I think can make a 
determinative difference in the life and the progress of our 
individual citizens and businesses in using this, and increase 
confidence that those systems will be used for the purposes 
intended and not for transgressors.
    Mr. Meijer. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. The gentleman yields back.
    The Chair recognizes the gentlelady from Texas for 5 
minutes, Ms. Jackson Lee.
    Ms. Jackson Lee. Thank you very much, Mr. Chairman, and to 
the Ranking Member for holding this important hearing. 
Congratulations to Director Easterly and Director Inglis for 
their ascending to important responsibilities.
    I believe that we are in an era that Dr. King wrote about 
as relates to civil rights. I think that era has raised its 
head again as relates to civil rights, why we can't wait. I 
think as it relates to the whole issue of cybersecurity, we are 
at a time and place in America and around the world that we 
cannot wait to be aggressive in addressing the questions that 
are going to come at us or the issues that we are going to 
confront rapidly.
    So, Director Easterly, you mentioned key stats from 2020 
about attacks against America. In 2020 alone there were more 
than 12,000 explosive-related incidents and more than a 70 
percent increase in domestic bombings, according to the 
Department of Justice and U.S. Bomb Data Center. My question to 
you would be where CISA is in the role of prevention but also 
aggressiveness as relates to the cyber engagement in that. Do 
you believe that the mindset of CISA should be aggressive in 
its protection and engagement with the entities around the 
Nation, but more importantly in its collaboration of the 
incidents that may come from outside of the United States? 
Director Easterly.
    Ms. Easterly. Yes, ma'am. It is a really important 
question. Thank you for asking it.
    You know, one thing that I didn't realize before I came to 
CISA was the power of our field force. We actually have over 
500 folks and based on the force structure analysis that we are 
doing I suspect that number should grow. But these are our 
front-line defenders for both infrastructure and cyber. Our 
cybersecurity advisors, our State coordinators, our protective 
security advisors that are there working to ensure that at the 
State and local level, at the small business level, at a 
critical infrastructure owner and operator level, that all of 
these individuals have the guidance, the information, the 
resources that they need to be able to protect themselves. So I 
think those field forces are a very important part of what 
gives the magic to CISA to allow us to reduce risk to the 
Nation's cyber and physical infrastructure.
    Ms. Jackson Lee. Thank you.
    Director, do you sense with the administration--and you are 
obviously a voice for the policy of the administration and 
actions--sense the urgency of creative policies and the why we 
can't wait concept? Are you all creatively meeting and looking 
at ways to meet this aggression in addition to the able staff 
that comes under CISA?
    Ms. Easterly. Yes, ma'am. I believe we really have that 
sense of urgency, that sense of aggressiveness. Director Inglis 
and I are on the phone regularly. We are in contact with all of 
our partners across the Federal Government, and importantly, 
our partners at State and local and at private sector. I think 
everybody--you can't look at Solar Winds and Microsoft Exchange 
and Pulse Secure and Kaseya and JBS and Colonial Pipeline and 
get anything but a sense of urgency. So we are powerfully 
motivated to defend the Nation and we are working at it every 
minute of every day.
    Ms. Jackson Lee. Thank you.
    This question will go to both, but I would like Director 
Inglis--and congratulations on your position. The pace of 
innovation and integration of new technologies are posing new 
challenges to cybersecurity. So how are you, the 
administration, and working with CISA integrating emerging 
threats and risks into the strategy for keeping security 
measures current and focused on nimbleness? 5G, deep 
learning, artificial intelligence, and quantum computing 
advancements are just a few of the challenges.
    I have been steady on the issue of zero-day occurrences. 
Obviously we are sort-of advanced beyond that, but you 
understand the concept, which is when all things go awry.
    Director Inglis.
    Mr. Inglis. Thank you very much for that question, 
Congresswoman. I think that that is a very, very important 
dynamic.
    In the earlier question you I think suggested that as 
opposed to simply responding to the transgressions, the 
initiatives of others who would hold us at risk, we need to 
establish our own initiative, we need to make sure that we 
reacquire the sense as to what we want this domain to do for 
us, not to us, and to achieve that. Technology, innovation, and 
best practices are a place where the United States--and like-
minded nations, but the United States in particular can and 
must lead. The technologies you have addressed will play a 
critical role in that and American innovation will play a 
critical role in understanding how those might make a 
difference. We need to do that and therefore our investments 
need to be made accordingly, such that we build in resilience 
and robustness and this domain then can achieve our 
aspirations, not our worst dreams.
    Chairman Thompson. The gentlelady's time has expired.
    The Chair recognizes----
    Ms. Jackson Lee. I thank you, Mr. Chairman.
    Chairman Thompson [continuing]. The gentlelady from 
Florida, Ms. Cammack, for 5 minutes.
    Ms. Cammack. Well, thank you, Mr. Chairman. Thank you to 
all my colleagues for this very important discussion here 
today.
    I would be remiss if I didn't mention that the work that I 
did as a student at the United States Naval War College was 
centered around cyber, so this topic is very exciting to me.
    I would love to just use my time to talk about an 
initiative that is very near and dear to my heart. I would love 
for Director Inglis as well as Director Easterly to weigh in on 
the concept, logistics, challenges of potentially the creation 
of the next service academy of the United States, the United 
States Cyber Academy. We have worked to create a framework that 
would address more of our cyber work force challenges and I 
would love to hear from you about what something like that 
might look like that would be beneficial in meeting the needs 
from both a military standpoint, but also Federal service, as 
well as the public-private partnership that we need with our 
private partners in this space. How we might be able to better 
develop this and take advantage of the incredible talent that 
we have amongst our youth.
    I think it is very exciting about next generation of cyber 
warriors that we can foster, educate, and deploy into this 
space through the creation of a next generation Cyber Academy a 
la West Point or the Naval Academy.
    So I am just going to start with Director Inglis first and 
then, Director Easterly, if you want to weigh in. I am all 
ears.
    Mr. Inglis. Well, thank you, Congresswoman for the 
question. You are probably aware that both of us are service 
academy graduates. I am sure you meant to say the Air Force 
Academy first, but that being said--so we are both clearly 
aware of the value that a deep and sharp education in a 
disciplined domain of interest holds. I think we are also aware 
that the proponency that is provided by the parent service is 
essential. So if we were to define a service academy construct 
for cyber, we would have to attend not simply to the work that 
would take place there that would inculcate the sense of what 
the technology, the doctrine, the practices, would bring to 
bear, but we would have to make sure that we attended to the 
generation of what is the mandate that should be taught and 
inculcated there and who would then receive the proceeds from 
that.
    Now, in the case of cyber, you probably have many claimants 
on the graduate of those institutions such that they could then 
take that forward. You would then have to determine whether you 
are going to physically instantiate this in a single place or 
whether you broadly would separate or spread this across, you 
know, many institutions that have already shown themselves able 
to do it.
    But I think your idea is very solid insomuch as we need to 
dedicate time and attention to understanding the domain of 
cyber space and the practices that best work inside of it such 
that we can then avail ourselves of a cadre of people who have 
thought their way through this. I would tell you that cyber was 
declared a domain by the United States Department of Defense 
not because the intention was to militarize it, but because it 
was sufficiently different, it was sufficiently new and novel, 
that unless we study it and understand how it works and how it 
behaves, we will continue to be befuddled by it.
    I think that there are a number of institutions who have 
done yeoman's work in helping us get to that place, but there 
is further work to be done.
    Ms. Cammack. I appreciate your comments.
    Ms. Easterly. Yes, I would only add first, beat Air Force, 
because it is that time of year.
    But also I think it is incredibly important to explore 
creative solutions. You know, I stood at the Army Cyber 
Battalion in 2008. We helped--Chris and I helped to build 
United States Cyber Command. I think there is a lot of 
creativity in the services that we can benefit from and some 
really good ideas out there.
    I am very proud to say that CISA is 42 percent veterans. 
Particularly proud to say that during Veterans Appreciation 
Month. But I think there is so much innovation and creativity 
in the military that we should figure out how we can create 
connectivity with that community and really amplify and 
emphasize it.
    Ms. Cammack. I appreciate both of your comments. As the 
sister to a career airman, I appreciate the nod and hat tip to 
the Air Force.
    Of course, one of the things that we have always struggled 
with I believe is that joint operability across the services. 
Then, of course, as the space has gotten bigger, how do we 
navigate that divide between Federal service and the various 
intelligence agencies, as well as the military and then beyond.
    So I think there is something really here and you will 
definitely be hearing from my office as we continue to build up 
a framework for this.
    Thank you again for your time and testimony today. Much 
appreciated.
    With that, I yield back.
    Mr. Inglis. We will look forward to working with you on 
that.
    Ms. Easterly. Thank you.
    Chairman Thompson. The gentlelady yields back.
    The Chair recognizes the Ranking Member.
    Mr. Katko. Thank you, Mr. Chairman, for indulging me for a 
moment.
    Before we close, I just wanted to say thank you again for 
the great conversation and testimony today. I think it is very 
helpful. It is very encouraging to see everyone on the same 
page and trying to do the right thing here.
    As you may know, I issued in the past what I consider the 
five pillars of how we fight the cyber intrusions in this 
country. The last one has to do with offensive capabilities, or 
clapping back against bad guys. I don't want to talk about them 
in this setting, but, Director Inglis, I am asking you 
specifically on behalf of my colleagues, many of whom have 
asked me this very question, if we could get a briefing in a 
secure setting on where we stand with respect to our offensive 
cyber capabilities so we can have a better understanding of the 
entire playing field. Obviously I don't want to do it here, but 
I want to ask you a commitment to set something up soon to 
brief all of us on the committee.
    Mr. Inglis. We will commit to doing that in the appropriate 
venue.
    Mr. Katko. Thank you very much.
    I yield back.
    Chairman Thompson. The gentleman yields back.
    One of the things I would like to thank both witnesses for 
is your frankness and your willingness to address the known and 
unknown challenges. I think the Academy prepared both of you 
for the ability to make adjustments.
    Part of what the Vice Chair talked about is some of the 
going-forward challenges that I think we will have to meet. The 
fact that if we have a policy, we need to follow it. That is 
it. If not, change the policy.
    So what we saw with the Colonial Pipeline situation is a 
concern, but from both of you we have heard a commitment to 
follow the policy and to try to get other partners to do 
likewise so that they understand it. That is important.
    The other part is to the extent--piggybacking on the 
Ranking Member's comment--some of the countries who give us the 
most heartburn we have to continue to engage with. The public 
is somewhat befuddled that here we know nation-states are doing 
things to us, but yet we are still engaging them on a daily 
basis. We go into space together, we do a lot of other things 
together, and sometimes we have to be clearer with our 
messaging so the public is not confused.
    Last, this notion of work force, it is an absolute concern. 
Congressman Green left the confines of his office to come to 
the end of the hearing because he is not going to let you get 
away without closing that deal today. But that is the point, 
that we are all interested in helping build the work force 
because we are in this together. To the extent that we can make 
that work force look like America, the better off we are.
    So I join Mr. Green in that effort also.
    But just let me thank you for your testimony and the 
Members for their excellent questions today.
    The Members of the committee may have additional questions 
for the witnesses and we ask that you respond expeditiously in 
writing to those questions.
    The Chair reminds Members that the committee record will 
remain open for 10 business days.
    Without objection, the committee stands adjourned.
    [Whereupon, at 12:22 p.m., the committee was adjourned.]



                            A P P E N D I X

                              ----------                              

         Question From Honorable Michael Guest for Jen Easterly
    Question. Director Easterly, the time line for entities to report 
has been a significant point of contention during the debate on 
mandatory cyber incident reporting legislation. As you know, both the 
House and Senate Homeland bills have a 72-hour time line. You have 
served a significant amount of your career in Government, but also 
recently in the private sector. How do we strike the right balance here 
of not overburdening industry, but still getting CISA the information 
it needs to protect others?
    Answer. The private sector, which owns and operates most of the 
Nation's critical infrastructure, plays a vital role in working with 
CISA to improve our Nation's cybersecurity. A mandatory incident 
reporting law would increase visibility into the cybersecurity threat 
environment, which in turn would inform and augment the U.S. 
Government's ability to develop and disseminate actionable information 
to help protect our Government and private-sector partners. CISA, in 
concert with other Federal agencies responsible for responding to 
cybersecurity incidents, looks forward to working with both Congress and 
industry to make cyber incident reporting legislation a reality.
    CISA's goal is to avoid overwhelming companies and our own Federal 
team. The balance should be between getting meaningful and relevant 
information in a timely manner that can then be analyzed and provided 
to industry in an actionable format while avoiding undue burden on a 
company trying to manage a live cyber incident. Timely information can 
be the difference between containing an incident and seeing its effects 
cascade across sectors and the economy impacting thousands of other 
companies. Without timely notification to CISA, critical analysis, 
mitigation guidance, and information sharing are severely delayed, 
leaving our Nation and our critical infrastructure vulnerable.
    For example, CISA estimates that hundreds of millions of devices in 
use around the world were potentially susceptible to the Log4j 
vulnerability. We know malicious actors are actively exploiting this 
vulnerability in the wild. However, the Federal Government simply does 
not have the level of information it needs to definitively understand 
the breadth or nature of intrusions occurring as a result of this 
severe vulnerability. A cybersecurity incident reporting law would help 
the Government and our partners receive timely information about 
successful exploitation of critical infrastructure networks quickly 
after they are discovered, enabling us to help victims mitigate the 
effects, stop the spread to additional victims, and better track the 
size, scope, and scale of any adversary campaigns to exploit 
widespread vulnerabilities like Log4j.
    Hearing from all stakeholders, through a formal and consultative 
rule-making process with publicly-sought input, will achieve balance by 
accounting for the concerns of industry and the benefits to the whole 
Nation. We recognize that Government agencies across critical 
infrastructure sectors have a need for cyber incident reporting for 
regulatory and other purposes. We believe that it is important that 
Congress support CISA's role in coordinating a National incident 
reporting system so that a thoughtful and consistent approach can be 
applied across the entire economy. CISA is built on a partnership model 
and we are committed to working with Congress and with industry to 
strike the right balance with these principles in mind.
