[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                     THE EVOLVING CYBERSECURITY LANDSCAPE

=======================================================================

                                (117-32)

                            REMOTE HEARINGS

                               BEFORE THE

                              COMMITTEE ON
                   TRANSPORTATION AND INFRASTRUCTURE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

       THURSDAY, NOVEMBER 4, 2021 and THURSDAY, DECEMBER 2, 2021

                               __________

                       Printed for the use of the
             Committee on Transportation and Infrastructure
             
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]             


     Available online at: https://www.govinfo.gov/committee/house-
     transportation?path=/browsecommittee/chamber/house/committee/
                             transportation
                             
                                __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
47-568 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------   
                           
                             
             COMMITTEE ON TRANSPORTATION AND INFRASTRUCTURE

                    PETER A. DeFAZIO, Oregon, Chair
ELEANOR HOLMES NORTON,               SAM GRAVES, Missouri
  District of Columbia               DON YOUNG, Alaska
EDDIE BERNICE JOHNSON, Texas         ERIC A. ``RICK'' CRAWFORD, 
RICK LARSEN, Washington                  Arkansas
GRACE F. NAPOLITANO, California      BOB GIBBS, Ohio
STEVE COHEN, Tennessee               DANIEL WEBSTER, Florida
ALBIO SIRES, New Jersey              THOMAS MASSIE, Kentucky
JOHN GARAMENDI, California           SCOTT PERRY, Pennsylvania
HENRY C. ``HANK'' JOHNSON, Jr.,      RODNEY DAVIS, Illinois
    Georgia                          JOHN KATKO, New York
ANDRE CARSON, Indiana                BRIAN BABIN, Texas
DINA TITUS, Nevada                   GARRET GRAVES, Louisiana
SEAN PATRICK MALONEY, New York       DAVID ROUZER, North Carolina
JARED HUFFMAN, California            MIKE BOST, Illinois
JULIA BROWNLEY, California           RANDY K. WEBER, Sr., Texas
FREDERICA S. WILSON, Florida         DOUG LaMALFA, California
DONALD M. PAYNE, Jr., New Jersey     BRUCE WESTERMAN, Arkansas
ALAN S. LOWENTHAL, California        BRIAN J. MAST, Florida
MARK DeSAULNIER, California          MIKE GALLAGHER, Wisconsin
STEPHEN F. LYNCH, Massachusetts      BRIAN K. FITZPATRICK, Pennsylvania
SALUD O. CARBAJAL, California        JENNIFFER GONZALEZ-COLON,
ANTHONY G. BROWN, Maryland             Puerto Rico
TOM MALINOWSKI, New Jersey           TROY BALDERSON, Ohio
GREG STANTON, Arizona                PETE STAUBER, Minnesota
COLIN Z. ALLRED, Texas               TIM BURCHETT, Tennessee
SHARICE DAVIDS, Kansas, Vice Chair   DUSTY JOHNSON, South Dakota
JESUS G. ``CHUY'' GARCIA, Illinois   JEFFERSON VAN DREW, New Jersey
ANTONIO DELGADO, New York            MICHAEL GUEST, Mississippi
CHRIS PAPPAS, New Hampshire          TROY E. NEHLS, Texas
CONOR LAMB, Pennsylvania             NANCY MACE, South Carolina
SETH MOULTON, Massachusetts          NICOLE MALLIOTAKIS, New York
JAKE AUCHINCLOSS, Massachusetts      BETH VAN DUYNE, Texas
CAROLYN BOURDEAUX, Georgia           CARLOS A. GIMENEZ, Florida
KAIALI`I KAHELE, Hawaii              MICHELLE STEEL, California
MARILYN STRICKLAND, Washington
NIKEMA WILLIAMS, Georgia
MARIE NEWMAN, Illinois
TROY A. CARTER, Louisiana
                                CONTENTS

                                                                   Page

Hearing held on Thursday, November 4, 2021, ``The Evolving 
  Cybersecurity Landscape: Industry Perspectives on Securing the 
  Nation's Infrastructure''......................................     1

Summary of Subject Matter........................................     2

                 STATEMENTS OF MEMBERS OF THE COMMITTEE

Hon. Peter A. DeFazio, a Representative in Congress from the 
  State of Oregon, and Chair, Committee on Transportation and 
  Infrastructure, opening statement..............................    15
    Prepared statement...........................................    17
Hon. Eric A. ``Rick'' Crawford, a Representative in Congress from 
  the State of Arkansas, opening statement.......................    19
    Prepared statement...........................................    19
Hon. Frederica S. Wilson, a Representative in Congress from the 
  State of Florida, prepared statement...........................   105

                               WITNESSES

Scott Belcher, President and Chief Executive Officer, SFB 
  Consulting, LLC, on behalf of Mineta Transportation Institute, 
  oral statement.................................................    21
    Prepared statement...........................................    22
Megan Samford, Vice President, Chief Product Security Officer-
  Energy Management, Schneider Electric, on behalf of the 
  International Society of Automation Global Cybersecurity 
  Alliance, oral statement.......................................    29
    Prepared statement...........................................    30
Thomas L. Farmer, Assistant Vice President-Security, Association 
  of American Railroads, oral statement..........................    37
    Prepared statement...........................................    39
Michael A. Stephens, General Counsel and Executive Vice President 
  for Information Technology, Hillsborough County Aviation 
  Authority, Tampa International Airport, oral statement.........    44
    Prepared statement...........................................    45
John P. Sullivan, P.E., Chief Engineer, Boston Water and Sewer 
  Commission, on behalf of the Water Information Sharing and 
  Analysis Center, oral statement................................    48
    Prepared statement...........................................    50
Gary C. Kessler, Ph.D., Nonresident Senior Fellow, Atlantic 
  Council, oral statement........................................    54
    Prepared statement...........................................    55

                                APPENDIX

Questions to Scott Belcher, President and Chief Executive 
  Officer, SFB Consulting, LLC, on behalf of Mineta 
  Transportation Institute, from:
    Hon. Eddie Bernice Johnson...................................   107
    Hon. Frederica S. Wilson.....................................   107
    Hon. Colin Z. Allred.........................................   108
Questions to Megan Samford, Vice President, Chief Product 
  Security Officer-Energy Management, Schneider Electric, on 
  behalf of the International Society of Automation Global 
  Cybersecurity Alliance, from:
    Hon. Frederica S. Wilson.....................................   109
    Hon. Colin Z. Allred.........................................   110
Questions from Hon. Frederica S. Wilson to Thomas L. Farmer, 
  Assistant Vice President-Security, Association of American 
  Railroads......................................................   110
Questions to Michael A. Stephens, General Counsel and Executive 
  Vice President for Information Technology, Hillsborough County 
  Aviation Authority, Tampa International Airport, from:
    Hon. Frederica S. Wilson.....................................   111
    Hon. Colin Z. Allred.........................................   112
Questions to John P. Sullivan, P.E., Chief Engineer, Boston Water 
  and Sewer Commission, on behalf of the Water Information 
  Sharing and Analysis Center, from:
    Hon. Frederica S. Wilson.....................................   112
    Hon. Garret Graves...........................................   113
Questions from Hon. Frederica S. Wilson to Gary C. Kessler, 
  Ph.D., Nonresident Senior Fellow, Atlantic Council.............   113

                              ----------                              

Hearing held on Thursday, December 2, 2021, ``The Evolving 
  Cybersecurity Landscape: Federal Perspectives on Securing the 
  Nation's Infrastructure''......................................   115

Summary of Subject Matter........................................   116

                 STATEMENTS OF MEMBERS OF THE COMMITTEE

Hon. Peter A. DeFazio, a Representative in Congress from the 
  State of Oregon, and Chair, Committee on Transportation and 
  Infrastructure, opening statement..............................   128
    Prepared statement...........................................   129
Hon. Sam Graves, a Representative in Congress from the State of 
  Missouri, and Ranking Member, Committee on Transportation and 
  Infrastructure, opening statement..............................   131
    Prepared statement...........................................   131
Hon. Frederica S. Wilson, a Representative in Congress from the 
  State of Florida, prepared statement...........................   225

                               WITNESSES

Cordell Schachter, Chief Information Officer, U.S. Department of 
  Transportation, oral statement.................................   132
    Prepared statement...........................................   134
Larry Grossman, Chief Information Security Officer, Federal 
  Aviation Administration, oral statement........................   135
    Prepared statement...........................................   136
Victoria Newhouse, Deputy Assistant Administrator for Policy, 
  Plans, and Engagement, Transportation Security Administration, 
  U.S. Department of Homeland Security, oral statement...........   140
    Prepared statement...........................................   141
Rear Admiral John W. Mauger, Assistant Commandant for Prevention 
  Policy, U.S. Coast Guard, oral statement.......................   144
    Prepared statement...........................................   146
Kevin Dorsey, Assistant Inspector General for Information 
  Technology Audits, Office of Inspector General, U.S. Department 
  of Transportation, oral statement..............................   149
    Prepared statement...........................................   151
Nick Marinos, Director, Information Technology and Cybersecurity, 
  U.S. Government Accountability Office, oral statement..........   157
    Prepared statement...........................................   159

                       SUBMISSIONS FOR THE RECORD

Submissions for the Record by Hon. Eric A. ``Rick'' Crawford:
    Letter of November 12, 2021, to Hon. Joseph V. Cuffari, 
      Inspector General, Department of Homeland Security, from 
      Hon. Sam Graves, Ranking Member, Committee on 
      Transportation and Infrastructure and Hon. Eric A. ``Rick'' 
      Crawford, Ranking Member, Subcommittee on Railroads, 
      Pipelines, and Hazardous Materials.........................   170
    Letter of October 28, 2021, to Hon. Joseph V. Cuffari, 
      Inspector General, Department of Homeland Security, from 
      Senator Rob Portman, Ranking Member, Senate Committee on 
      Homeland Security and Governmental Affairs et al...........   172
    Letter of November 22, 2021, to Hon. David P. Pekoske, 
      Administrator, Transportation Security Administration, from 
      American Fuel and Petrochemical Manufacturers et al........   177
    Letter of November 4, 2021, to Hon. Peter A. DeFazio and Hon. 
      Sam Graves of the Committee on Transportation and 
      Infrastructure, from Paul P. Skoutelas, President and CEO, 
      American Public Transportation Association.................   179

                                APPENDIX

Questions to Cordell Schachter, Chief Information Officer, U.S. 
  Department of Transportation, from:
    Hon. Frederica S. Wilson.....................................   227
    Hon. Garret Graves...........................................   227
    Hon. Seth Moulton............................................   227
    Hon. Michael Guest...........................................   228
    Hon. Nikema Williams.........................................   230
Questions to Larry Grossman, Chief Information Security Officer, 
  Federal Aviation Administration, from:
    Hon. Frederica S. Wilson.....................................   230
    Hon. Garret Graves...........................................   231
    Hon. Michael Guest...........................................   231
    Hon. Nikema Williams.........................................   233
Questions to Victoria Newhouse, Deputy Assistant Administrator 
  for Policy, Plans, and Engagement, Transportation Security 
  Administration, U.S. Department of Homeland Security, from:
    Hon. Steve Cohen.............................................   233
    Hon. Sam Graves..............................................   234
    Hon. Eric A. ``Rick'' Crawford...............................   236
    Hon. Seth Moulton............................................   239
    Hon. Garret Graves...........................................   240
    Hon. Michael Guest...........................................   241
Questions to Rear Admiral John W. Mauger, Assistant Commandant 
  for Prevention Policy, U.S. Coast Guard, from:
    Hon. Frederica S. Wilson.....................................   242
    Hon. Garret Graves...........................................   242
    Hon. Michael Guest...........................................   244
Questions to Kevin Dorsey, Assistant Inspector General for 
  Information Technology Audits, Office of Inspector General, 
  U.S. Department of Transportation, from:
    Hon. Frederica S. Wilson.....................................   245
    Hon. Garret Graves...........................................   246
    Hon. Michael Guest...........................................   246
Questions to Nick Marinos, Director, Information Technology and 
  Cybersecurity, U.S. Government Accountability Office, from:
    Hon. Steve Cohen.............................................   247
    Hon. Garret Graves...........................................   248
    Hon. Michael Guest...........................................   249

 
THE EVOLVING CYBERSECURITY LANDSCAPE: INDUSTRY PERSPECTIVES ON SECURING 
                      THE NATION'S INFRASTRUCTURE

                              ----------                              


                       THURSDAY, NOVEMBER 4, 2021

                  House of Representatives,
    Committee on Transportation and Infrastructure,
                                            Washington, DC.
    The committee met, pursuant to call, at 10:05 in room 2167 
Rayburn House Office Building and via Zoom, Hon. Peter A. 
DeFazio (Chair of the committee) presiding.
    Members present in person: Mr. DeFazio, Ms. Norton, Mr. 
Larsen, Mr. Stanton, Mr. Auchincloss, Mr. Crawford, Mr. 
Webster, Mr. Perry, Mr. Rodney Davis, Dr. Babin, Mr. Rouzer, 
Mr. LaMalfa, Mr. Westerman, Mr. Mast, Mr. Stauber, and Mr. 
Burchett.
    Members present remotely: Ms. Johnson of Texas, Mrs. 
Napolitano, Mr. Johnson of Georgia, Mr. Carson, Mr. Payne, Mr. 
DeSaulnier, Mr. Lynch, Mr. Carbajal, Mr. Malinowski, Ms. Davids 
of Kansas, Mr. Garcia of Illinois, Mr. Delgado, Mr. Lamb, Ms. 
Bourdeaux, Mr. Kahele, Ms. Strickland, Ms. Williams of Georgia, 
Ms. Newman, Mr. Carter of Louisiana, Mr. Gibbs, Mr. Massie, Mr. 
Katko, Mr. Weber, Mr. Fitzpatrick, Mr. Balderson, Mr. Johnson 
of South Dakota, Mr. Guest, Mr. Nehls, Ms. Malliotakis, Ms. Van 
Duyne, and Mrs. Steel.



                            November 1, 2021
    SUMMARY OF SUBJECT MATTER

    TO:       Members, Committee on Transportation and Infrastructure
    FROM:   Staff, Committee on Transportation and Infrastructure
    RE:       Full Committee Hearing on ``The Evolving Cybersecurity 
Landscape: Industry Perspectives on Securing the Nation's 
Infrastructure''
_______________________________________________________________________

                                PURPOSE
    The Committee on Transportation and Infrastructure (T&I) will meet 
on Thursday, November 4, 2021, at 10:00 a.m. EDT in 2167 Rayburn House 
Office Building and via Zoom, to hold a hearing titled ``The Evolving 
Cybersecurity Landscape: Industry Perspectives on Securing the Nation's 
Infrastructure.'' The Committee will hear testimony from Scott Belcher 
on behalf of the Mineta Transportation Institute, Michael Stephens of 
the Tampa International Airport, Megan Samford of Schneider Electric, 
John Sullivan of the Boston Water and Sewer Commission on behalf of the 
Water Information Sharing and Analysis Center (WaterISAC), Gary Kessler 
of Gary Kessler Associates on behalf of The Atlantic Council, and Tom 
Farmer of the Association of American Railroads.
                               BACKGROUND

CYBERTHREATS TO U.S. INFRASTRUCTURE

    Cyberattacks are a serious and evolving risk that affect 
transportation and infrastructure matters across T&I's 
jurisdiction. This hearing will focus on the needs of T&I 
stakeholders and the gaps in the nation's ability to prevent, 
prepare for, respond to, and recover from cyberattacks against 
infrastructure.
    A common term that has sprung up for use within the 
government sector is ``critical infrastructure,'' which 
according to Presidential Policy Directive 21, Critical 
Infrastructure Security and Resilience, includes 16 sectors 
whose systems and networks, whether physical or virtual, ``are 
considered so vital to the United States that their 
incapacitation or destruction would have a debilitating effect 
on security, national economic security, national public health 
or safety, or any combination thereof.'' \1\ T&I's jurisdiction 
includes five of these sectors, including Transportation 
Systems, Government Facilities, Water and Wastewater Systems, 
Dams, and Emergency Services.\2\
---------------------------------------------------------------------------
    \1\ The White House, Presidential Policy Directive--Critical 
Infrastructure Security and Resilience, (February 12, 2013), available 
at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/
presidential-policy-directive-critical-infrastructure-security-and-
resil.
    \2\ U.S. House of Representatives Committee on Transportation and 
Infrastructure, Committee Rules 2021-2022, (Adopted February 4, 2021), 
available at https://www.govinfo.gov/content/pkg/CPRT-117HPRT43188/pdf/
CPRT-117HPRT43188.pdf.
---------------------------------------------------------------------------
    The nation's critical infrastructure is comprised of both 
public and private sector assets.\3\ However, within T&I's 
jurisdiction, cybersecurity requirements in the private sector 
are mainly voluntary. Like other industries and the federal 
government, the transportation sector is facing a critical 
shortage of cybersecurity personnel, which has impacted the 
ability to protect, detect, and respond to cyberattacks 
effectively.\4\ Simple steps regarding basic training, 
consistent cybersecurity hygiene, and periodic exercises could 
go a long way in protecting America's transportation 
infrastructure.\5\ As the technology that enables America's 
infrastructure becomes ever more complex and increasingly 
integrated, cybersecurity threats and vulnerabilities will 
continue to multiply.
---------------------------------------------------------------------------
    \3\ Cybersecurity and Infrastructure Security Agency (CISA), 
National Infrastructure Protection Plan (NIPP) 2013: Partnering for 
Critical Infrastructure Security and Resilience, (2013), available at 
https://www.cisa.gov/sites/default/files/publications/national-
infrastructure-protection-plan-2013-508.pdf.
    \4\ The Washington Post, The Cybersecurity 202: The government's 
facing a severe shortage of cyber workers when it needs them the most, 
(August 2, 2021), available at https://www.washingtonpost.com/politics/
2021/08/02/cybersecurity-202-governments-facing-severe-shortage-cyber-
workers-when-it-needs-them-most/.
    \5\ Endpoint, What is Cyber Hygiene and Why Does it Matter?, 
(August 5, 2021), available at https://endpoint.tanium.com/what-is-
cyber-hygiene-and-why-does-it-matter/.
---------------------------------------------------------------------------

IMPACT OF CYBERATTACKS

    Cyberattacks can result in tremendous financial damage, 
destruction of infrastructure assets, and even death. They 
impact governments, businesses, and individuals alike and have 
been growing in number and sophistication. Late last year, it 
was discovered that a Russian-backed cyber campaign had 
installed malware in software updates that were received by as 
many as 18,000 customers of an American firm, SolarWinds, which 
develops software for businesses and governments.\6\ The 
Department of Homeland Security (DHS) released an updated alert 
on the SolarWinds hack in April 2021, warning that DHS 
``determined that this threat poses a grave risk to the Federal 
Government and state, local, tribal, and territorial 
governments as well as critical infrastructure entities and 
other private sector organizations.'' \7\
---------------------------------------------------------------------------
    \6\ Bloomberg, SolarWinds Hack Leaves Critical Infrastructure in 
the Dark on Risks, (January 5, 2021), available at https://
www.bloomberg.com/news/newsletters/2021-01-05/solarwinds-hack-leaves-
critical-infrastructure-in-the-dark-on-risks.
    \7\ CISA, Advanced Persistent Threat Compromise of Government 
Agencies, Critical Infrastructure, and Private Sector Organizations, 
(released December 17, 2020, revised April 15, 2021), available at 
https://us-cert.cisa.gov/ncas/alerts/aa20-352a.
---------------------------------------------------------------------------
    Also, earlier this year, a ransomware attack on the 
Colonial Pipeline shut down the company's flow of fuel to the 
East Coast for nearly one week, causing fuel shortages and 
increasing fuel prices.\8\ In April 2021, Chinese hackers 
reportedly penetrated New York City's Metropolitan Transit 
Agency, although no damage was reported.\9\ In May 2021, the 
Washington Suburban Sanitary Commission, which provides water 
and wastewater service to 1.8 million people in two Maryland 
counties, was also the victim of a ransomware attack.\10\
---------------------------------------------------------------------------
    \8\ Washington Post, Panic buying strikes Southeastern United 
States as shuttered pipeline resumes operations, (May 12, 2021), 
available at https://www.washingtonpost.com/business/2021/05/12/gas-
shortage-colonial-pipeline-live-updates/.
    \9\ NBC 4 NYC, MTA Hacked in April Cyberattack; Employee, Customer 
Info Was Not Compromised, (June 2, 2021), available at https://
www.nbcnewyork.com/news/local/mta-hacked-in-april-cyberattack-employee-
customer-info-was-not-compromised/3086785/.
    \10\ WSSC Water, WSSC Water Investigating Ransomware Cyberattack, 
(June 25, 2021), available at https://www.wsscwater.com/news/2021/june/
wssc-water-investigating-ransomware-cyberattack.
---------------------------------------------------------------------------

COMPLEX JURISDICTIONAL LANDSCAPE

    Cybersecurity efforts for the transportation sector are led 
jointly by the Department of Transportation (DOT), the 
Transportation Security Administration (TSA), and the U.S. 
Coast Guard.\11\ In the water and wastewater sector, the 
Environmental Protection Agency (EPA) is designated as the lead 
agency, and its efforts are supported by the Cybersecurity and 
Infrastructure Security Agency (CISA).\12\
---------------------------------------------------------------------------
    \11\ CISA, Transportation Systems Sector, (accessed on October 22, 
2021), available at https://www.cisa.gov/transportation-systems-sector 
and CISA, Water and Wastewater Systems Sector, (accessed on October 22, 
2021), available at https://www.cisa.gov/water-and-wastewater-systems-
sector.
    \12\ The White House, PPD-21 Critical Infrastructure Security and 
Resilience (Feb 12, 2013), available at https://
obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-
policy-directive-critical-infrastructure-security-and-resil/.
---------------------------------------------------------------------------

INCREASING VULNERABILITIES

    Critical infrastructure sectors are facing more significant 
vulnerabilities for various reasons, including the 
proliferation of information technology and increasing digital 
access to computer networks.\13\ Previously, critical 
infrastructure equipment was only accessible at its physical 
site.\14\ To make any change to the system would require 
physically accessing the equipment.\15\ Today, progress in 
technology, especially the Internet, has changed the risk 
landscape entirely with new and evolving ways to access systems 
which have made infrastructure assets more financially 
efficient and operationally effective while at the same time 
making them more vulnerable to cyber threats.\16\ Demand for 
remote work, especially due to the COVID-19 pandemic, has 
dramatically increased vulnerabilities, with more employees 
needing remote access to systems.\17\ However, making remote 
access to systems easier introduces significant vulnerabilities 
that bad actors can take advantage of to access those systems 
remotely.\18\ Robust cybersecurity protocols can make remote 
access more secure. However, they can be time and work-
intensive and not always possible depending on a facility's 
staffing and cybersecurity experience.\19\ A vulnerability due 
to the use of a remote access program was how hackers were able 
to access a water treatment plant in Oldsmar, Florida earlier 
this year, for instance.\20\
---------------------------------------------------------------------------
    \13\ Government Accountability Office (GAO), Technology Assessment: 
Cybersecurity for Critical Infrastructure Protection, (May 28, 2004), 
available at https://www.gao.gov/products/gao-04-321.
    \14\ George Brown College, The Evolution of PLCs, (July 21, 2021), 
available at https://www.plctechnician.com/news-blog/evolution-plcs.
    \15\ Id.
    \16\ Coolfire Core, What Is the Difference Between IT and OT?, 
(April 12, 2019), available at https://www.coolfiresolutions.com/blog/
difference-between-it-ot/.
    \17\ McKinsey, Building cyber resilience in national critical 
infrastructure; U.S. News and World Report, Remote Working Fueled by 
COVID Pandemic Gaining Popularity, (September 25, 2021), available at 
https://www.usnews.com/news/best-states/minnesota/articles/2021-09-25/
remote-working-fueled-by-covid-pandemic-gaining-popularity.
    \18\ Securicon, The Difference Between IT and OT, and How They Are 
Converging.
    \19\ Verve, Securing OT Systems: Is Remote Access Here to Stay?, 
(April 18, 2020), available at https://verveindustrial.com/resources/
blog/securing-ot-systems-is-remote-access-here-to-stay/.
    \20\ Mass.gov, Cybersecurity Advisory for Public Water Suppliers, 
(accessed on October 13, 2021), available at https://www.mass.gov/
service-details/cybersecurity-advisory-for-public-water-suppliers.
---------------------------------------------------------------------------
    The vulnerability of transportation infrastructure to 
cyberattacks will increase in the future as bad actors make 
greater use of emerging technologies, which create new 
vulnerabilities to exploit.\21\ Cyberattacks that exploit an 
unknown vulnerability, known as a ``zero-day'' attack, provide 
no option or ``zero days,'' to fix the issue before it is 
successfully used as part of a hack since the attack takes 
advantage of a new and previously unknown security flaw.\22\ 
New technologies provide greater opportunities for zero-day 
attacks since they take advantage of technology that is new to 
cybersecurity professionals.\23\ In addition, many emerging 
technologies in the transportation and infrastructure space 
will have various interconnected digital channels, providing 
multiple pathways for potential attackers.\24\ Autonomous 
vehicles and unmanned aircraft systems are two key examples of 
emerging technologies that create multiple cybersecurity 
challenges for the future.\25\
---------------------------------------------------------------------------
    \21\ AT&T, Emerging Technologies and the Cyber Threat Landscape, 
(December 13, 2017), available at https://cybersecurity.att.com/blogs/
security-essentials/emerging-technologies-and-the-cyber-threat-
landscape
    \22\ FireEye, What is a Zero-Day Exploit? (accessed on October 20, 
2021), available at https://www.fireeye.com/current-threats/what-is-a-
zero-day-exploit.html.
    \23\ Id.
    \24\ Boston Consulting Group, Navigating Rising Cyber Risks in 
Transportation and Logistics, (August 30, 2021), available at https://
www.bcg.com/publications/2021/navigating-rising-cyber-risks-in-
transportation-and-logistics
    \25\ ScienceDaily, Need to safeguard drones and robotic cars 
against cyber attacks, (November 27, 2019), available at https://
www.sciencedaily.com/releases/2019/11/191127121302.htm
---------------------------------------------------------------------------

HIGH-PROFILE CYBERATTACKS ILLUSTRATE RANGE OF THREATS

    Threats to infrastructure systems are increasing, as seen 
through several recent high-profile attacks against 
transportation infrastructure. Three such attacks include the 
recent ransomware attack on the Colonial Pipeline in May 
2021,\26\ the 2017 NotPetya malware attack that affected the 
Maersk shipping company,\27\ and the February 2021 intrusion 
into the water treatment plant in Oldsmar, Florida.\28\ Each of 
these attacks were distinct and highlighted the risks facing 
vital infrastructure entities, as well as opportunities for 
improving both government and private sector coordination and 
oversight of these vulnerabilities.
---------------------------------------------------------------------------
    \26\ Matt Egan and Clare Duffy, CNN, Colonial Pipeline launches 
restart after six-day shutdown, (May 12, 2021), available at https://
www.cnn.com/2021/05/12/business/colonial-pipeline-restart/index.html.
    \27\ Jordan Novet, CNBC, Shipping company Maersk says June 
cyberattack could cost it up to $300 million (August 16, 2017) 
available at https://www.cnbc.com/2017/08/16/maersk-says-notpetya-
cyberattack-could-cost-300-million.html.
    \28\ Colonial Pipeline, Media Statement Update: Colonial Pipeline 
System Disruption, (May 17, 2021), available at https://
www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-
system-disruption; Wired, The Untold Story of NotPetya, the Most 
Devastating Cyberattack in History, (Aug 22, 2018), available at 
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-
crashed-the-world/; Pinellas County Sheriff Department YouTube channel, 
Treatment Plant Intrusion Press Conference, (February 8, 2021), 
available at https://www.youtube.com/watch?v=MkXDSOgLQ6M&t=1s.

---------------------------------------------------------------------------
Ransomware--Colonial Pipeline

    On May 7, 2021, Colonial Pipeline, one of the nation's 
largest oil and gas pipelines, was the victim of a ransomware 
attack by DarkSide, a cyber-criminal group believed to operate 
out of Russia.\29\ The attack was discovered when an employee 
found a digital ransom note on a system in the Colonial 
information technology (IT) network.\30\ DarkSide encrypted all 
of Colonial's IT systems and demanded a financial payment in 
exchange for a key to unlock the impacted systems.\31\ Though 
the attack did not directly affect Colonial's operational 
technology (OT) \32\ network, which is used to control the 
pipeline equipment, company officials immediately halted 
operations throughout the pipeline. They did so to isolate and 
contain the damage and ensure the malware did not spread to the 
OT network.\33\ The following day, Colonial made a $4.4 million 
ransom payment to DarkSide and received the information it 
needed to regain control of its IT systems.\34\ Colonial began 
work immediately to restore pipeline operations with the 
assistance of the Pipeline and Hazardous Materials Safety 
Administration (PHMSA) at DOT, which provided guidance on 
temporary manual operations of the pipeline and its subsequent 
return to service.\35\ On May 13, 2021, six days after the 
attack, it had fully restored service, though several more days 
passed before the fuel supply chain returned to normal.\36\
---------------------------------------------------------------------------
    \29\ Hearing before the House Committee on Homeland Security, Cyber 
Threats in the Pipeline: Using Lessons from the Colonial Ransomware 
Attack to Defend Critical Infrastructure, (June 9, 2021), available at 
https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/pdf/CHRG-
117hhrg45085.pdf; Federal Bureau of Investigation, FBI Deputy Director 
Paul M. Abbate's Remarks at Press Conference Regarding the Ransomware 
Attack on Colonial Pipeline, (June 7, 2021), available at https://
www.fbi.gov/news/pressrel/press-releases/fbi-deputy-director-paul-m-
abbates-remarks-at-press-conference-regarding-the-ransomware-attack-on-
colonial-pipeline.
    \30\ House Committee on Homeland Security, Cyber Threats in the 
Pipeline.
    \31\ Id.
    \32\ Operational technology (OT) is equipment that handles machines 
and their physical operation. OT includes hardware and software that 
interacts with the physical environment, including monitoring and 
controlling industrial equipment, assets, processes, and events. 
Historically, IT and OT networks were entirely isolated from one 
another since they developed separately, with OT predating IT. OT used 
relatively simple systems that completed specific functions that were 
only accessible on-site and in-person. This provided physical isolation 
for OT networks, and when IT and the Internet were developed, that 
isolation prevented OT from being accessed remotely. This segmentation 
was good for security. However, there were business demands for remote 
visibility into industrial operations, leading businesses to move 
towards a more integrated system. An integrated system has productivity 
benefits, including reducing administrative burdens, streamlining work, 
and improving data to inform better decision-making. Unfortunately, it 
also creates and greatly expands a network's cyber vulnerabilities. A 
connection to an IT network can serve as a path to access OT networks. 
The safest version of an OT network is one that is completely separated 
and has no external connectivity with IT networks or the Internet, 
known as an air gap. An air gap is a security measure where a system is 
not connected to any other network or device and can only be accessed 
physically.
    \33\ House Committee on Homeland Security, Cyber Threats in the 
Pipeline.
    \34\ Id.
    \35\ U.S. DOT, PHMSA, Remarks of Acting Administrator Tristan Brown 
at API's Midstream Committee Meeting, (May 26, 2021), available at 
https://www.phmsa.dot.gov/news/remarks-tristan-brown-before-api-
midstream-committee.
    \36\ Colonial Pipeline, Media Statement Update: Colonial Pipeline 
System Disruption, (May 17, 2021), available at https://
www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-
system-disruption.
---------------------------------------------------------------------------
    An investigation conducted by cybersecurity consulting firm 
FireEye-Mandiant (Mandiant) determined that the attackers used 
an employee's legacy username and password to log in to a 
virtual private network (VPN) device.\37\ Several missteps 
helped enable DarkSide to access Colonial's network in this 
manner.\38\ First, the employee's login information was no 
longer in use, but had not been deleted from the company's 
system.\39\ Second, the legacy VPN profile did not require 
multi-factor authentication, such as the use of a one-time 
passcode, which CISA and the Federal Bureau of Investigation 
(FBI) recommend as a best practice.\40\ Third, the employee had 
used the same password on a different website, from which the 
password had been stolen.\41\ CISA recommends using unique 
passwords for each device or account.\42\ The president and CEO 
of Colonial has said that his company has disabled the legacy 
VPN account, has instituted multi-factor authentication for 
network access, and is taking other steps to strengthen its 
cyber defenses.\43\
---------------------------------------------------------------------------
    \37\ House Committee on Homeland Security, Cyber Threats in the 
Pipeline.
    \38\ Id.
    \39\ Id.
    \40\ Id.; CISA, Alert (AA21-131A): DarkSide Ransomware: Best 
Practices for Preventing Business Disruption from Ransomware Attacks, 
(May 11, 2021), available at https://us-cert.cisa.gov/ncas/alerts/aa21-
131a and FBI, OPS Cyber Awareness Guide, (accessed on October 22, 
2021), available at https://www.fbi.gov/file-repository/cyber-
awareness-508.pdf/view.
    \41\ House Committee on Homeland Security, Cyber Threats in the 
Pipeline.
    \42\ CISA, Security Tip (ST04-003): Good Security Habits, (February 
21, 2021), available at https://www.cisa.gov/tips/st04-003.
    \43\ Hearing before the Senate Committee on Homeland Security and 
Governmental Affairs, Threats to Critical Infrastructure: Examining the 
Colonial Pipeline Cyber Attack, Testimony of Joseph Blount, President 
and Chief Executive Officer of the Colonial Pipeline Company, (June 8, 
2021), available at http://www.hsgac.senate.gov/download/testimony-
blount-2021-06-08.
---------------------------------------------------------------------------
    Colonial's pipelines transport nearly half of the East 
Coast's fuel, providing energy for more than 50 million 
Americans. The impact of the ransomware attack was felt 
throughout the eastern United States.\44\ The shutdown resulted 
in massive fuel shortages and gasoline panic-buying.\45\ At 
least 12,000 gas stations in 11 states reported being 
completely empty, and the price of gas surpassed $3 a 
gallon.\46\ The day before Colonial fully resumed operations, 
65 percent of gas stations in North Carolina reported being out 
of gas; in Georgia, South Carolina, and Virginia, more than 43 
percent of gas stations reported being out of gas.\47\ The 
governors of Florida, North Carolina, and Virginia all declared 
states of emergency to help alleviate the fuel shortages.\48\
---------------------------------------------------------------------------
    \44\ See: Senate Committee on Homeland Security and Governmental 
Affairs, Testimony of Joseph Blount and House Committee on Homeland 
Security, Cyber Threats in the Pipeline.
    \45\ Washington Post, New emergency cyber regulations lay out 
`urgently needed' rules for pipelines but draw mixed reviews, (October 
3, 2021), available at https://www.washingtonpost.com/national-
security/cybersecurity-energy-pipelines-ransomware/2021/10/03/6df9cab2-
2157-11ec-8200-5e3fd4c49f5e_story.html.
    \46\ Washington Post, Panic buying strikes Southeastern United 
States.
    \47\ Id.
    \48\ New York Times, Gas Pipeline Hack Leads to Panic Buying in the 
Southeast, (May 11, 2021), available at https://www.nytimes.com/2021/
05/11/business/colonial-pipeline-shutdown-latest-news.html.
---------------------------------------------------------------------------
    The Colonial attack illustrated how intrusions into 
pipeline computer networks have the potential to negatively 
affect the nation's security, economy, and well-being.\49\ The 
perpetrators of the attack also accessed personally 
identifiable information, such as names, birth dates, and 
Social Security numbers for more than 5,800 current and former 
Colonial employees, exposing these individuals to the risk of 
fraud and identity theft.\50\
---------------------------------------------------------------------------
    \49\ TSA, Written Testimony of David P. Pekoske, Administrator, 
Transportation Security Administration, U.S. Department of Homeland 
Security, Hearing on Pipeline Security, Before the Committee on 
Commerce, Science, and Transportation, (July 27, 2021), available at 
https://www.commerce.senate.gov/services/files/3DFD1053-A11E-4B1A-9818-
FE29C19AA06B.
    \50\ ZD Net, Colonial Pipeline sends breach letters.
---------------------------------------------------------------------------
    In response to the attack, TSA--which oversees pipeline 
security \51\--issued security directives that require, among 
other things, pipeline owners and operators to take measures to 
protect against cyberattacks to their IT and OT systems and to 
develop and implement a cybersecurity contingency and recovery 
plan.\52\ Although the Colonial attack was carried out on the 
company's IT network, it highlights the highly interconnected 
nature of OT operations that businesses must consider.\53\ 
Experts say that actions like applying security patches and 
updates promptly and using multi-factor authentication can help 
protect against ransomware and other cyberattacks.\54\
---------------------------------------------------------------------------
    \51\ TSA also coordinates with PHMSA on pipeline security under a 
Memorandum of Understanding, See: PHMSA, Annex to the Memorandum of 
Understanding Between the Department of Homeland Security and the 
Department of Transportation Concerning Transportation Security 
Administration and Pipeline and Hazardous Materials Safety 
Administration Cooperation on Pipeline Transportation Security and 
Safety, Feb. 26, 2020, available at: https://www.phmsa.dot.gov/sites/
phmsa.dot.gov/files/docs/regulatory-compliance/phmsa-guidance/73466/
phmsa-tsa-mou-annexexecuted.pdf.
    \52\ Id.
    \53\ Dragos, Recommendations Following the Colonial Pipeline Cyber 
Attack, (May 11, 2021), available at https://www.dragos.com/blog/
industry-news/recommendations-following-the-colonial-pipeline-cyber-
attack/.
    \54\ ZD Net, Ransomware is the biggest cyber threat to business. 
But most firms still aren't ready for it, (October 11, 2021), available 
at https://www.zdnet.com/article/ransomware-is-now-the-most-urgent-
cyber-threat-to-business-but-most-firms-arent-ready-for-it/.
---------------------------------------------------------------------------
Malware--NotPetya & Maersk Shipping

    In 2017 Russian linked individuals reportedly unleashed a 
malware attack in Ukraine named NotPetya.\55\ The malware 
affected virtually every federal agency in the country, 
crippling four hospitals in the capital, six power companies, 
two airports, more than 22 Ukrainian banks, as well as freezing 
ATMs and card payment systems in retail and transit 
sectors.\56\ Ukraine later estimated that NotPetya wiped 10 
percent of all computers in the country, and one government 
official said immediately after the attack, ``the government 
was dead.'' \57\
---------------------------------------------------------------------------
    \55\ Wired, The Untold Story of NotPetya, the Most Devastating 
Cyberattack in History, (Aug 22, 2018), available at https://
www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-
the-world/.
    \56\ Id.
    \57\ Id.
---------------------------------------------------------------------------
    Within hours, NotPetya had propagated far beyond Ukraine, 
affecting computer networks in companies in 65 countries around 
the world.\58\ Among the companies affected were the 
multinational shipping company Maersk ($300 million in damage), 
the pharmaceutical giant Merck ($800 million), the French 
construction company Saint-Gobain ($384 million), FedEx's 
European subsidiary ($400 million), as well as smaller victims 
such as a hospital in Pennsylvania and a chocolate company in 
Australia.\59\ The White House would later identify NotPetya as 
the most destructive and costly cyberattack in history, with 
overall damage above $10 billion.\60\ The malware even infected 
the Russian state oil company, Rosneft, demonstrating the 
runaway nature of NotPetya's harms.\61\ The U.S. issued 
sanctions against organizations involved in NotPetya's release 
and, in 2020, the Department of Justice indicted six Russian 
military officers for the cyberattack.\62\
---------------------------------------------------------------------------
    \58\ Jai Vijayan, 3 Years After NotPetya, Many Organizations Still 
in Danger of Similar Attacks, Dark Reading, (June 30, 2020), available 
at https://www.darkreading.com/threat-intelligence/3-years-after-
notpetya-many-organizations-still-in-danger-of-similar-attacks.
    \59\ Andy Greenberg, The Untold Story of NotPetya, the Most 
Devastating Cyberattack in History, (October 14, 2018), available at 
https://tech.industry-best-practice.com/2018/10/14/the-untold-story-of-
notpetya-the-most-devastating-cyberattack-in-history/.
    \60\ Id.; The White House, Statement from the Press Secretary, (Feb 
15, 2018), available at https://trumpwhitehouse.archives.gov/briefings-
statements/statement-press-secretary-25/.
    \61\ Wired, Petya Ransomware Hides State-Sponsored Attacks, Say 
Ukrainian Analysts, (June 28, 2017), available at https://
www.wired.com/story/petya-ransomware-ukraine/.
    \62\ U.S. Dept of Justice, Six Russian GRU Officers Charged in 
Connection with Worldwide Deployment of Destructive Malware and Other 
Disruptive Actions in Cyberspace, (Oct 19, 2020), available at https://
www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-
worldwide-deployment-destructive-malware-and.
---------------------------------------------------------------------------
    Maersk is the world's largest container shipping company, 
responsible for shipping an estimated 25 percent of the world's 
food supply.\63\ It is a $56 billion company present in 130 
nations with over 700 ships and 17 percent of the world's cargo 
shipping container capacity.\64\ The malware entered Maersk's 
IT network through a computer in the Ukrainian port of 
Odessa.\65\ There, a finance executive had earlier asked IT 
administrators to upload the Ukrainian accounting program on a 
single computer.\66\ From that computer, NotPetya propagated 
through the Maersk global IT system in seven minutes.\67\ 
Within an hour, all Maersk's end-user devices, including 49,000 
laptops and printers and 3,500 of 6,200 servers, were 
effectively destroyed.\68\ Maersk's fixed phoneline ceased 
functioning and, due to system integration, all Outlook and 
cell phone contacts were wiped, crippling initial response 
efforts.\69\ Though ships' computers were not affected, the 
software at Maersk terminals which received files from their 
ships, informing terminal operators of ships' content and how 
to direct cargo handling, had been wiped.\70\ Paralysis 
resulted at seventeen Maersk terminals worldwide for days, with 
no one able to receive cargo for ground transport and 
perishable and time-sensitive materials stuck in place.\71\
---------------------------------------------------------------------------
    \63\ Statista, The world's leading container ship operators as of 
September 30, 2021, based on number of owned and chartered ships, 
(accessed on October 22, 2021), available at https://www.statista.com/
statistics/197643/total-number-of-ships-of-worldwide-leading-container-
ship-operators-in-2011/.
    \64\ Statista, Number of APM-Maersk ships from February 2021 to 
September 2021, (September 30, 2021), available at https://
www.statista.com/statistics/199366/number-of-ships-of-apm-maersk-in-
december-2011/; Statista, Moeller-Maersk's assets from FY 2018 to FY 
2020, (February 24, 2021), available at https://www.statista.com/
statistics/325993/total-assets-of-moeller-maersk/; Maersk, A.P. 
Moller--Maersk enters strategic partnership with Danish Crown on global 
end-to-end logistics, (October 15, 2021), available at https://
www.maersk.com/news/articles/2021/10/15/maersk-enters-strategic-
partnership-with-danish-crown.
    \65\ Wired, The Untold Story of NotPetya, the Most Devastating 
Cyberattack in History.
    \66\ Id.
    \67\ Andy Powell, Implementing the Lessons Learned from a Major 
Cyberattack, (November 2019), available at https://www.youtube.com/
watch?v=wQ8HIjkEe9o.
    \68\ Rae Richie, Maersk: Springing back from a catastrophic 
cyberattack, (Aug 2019), available at https://www.i-cio.com/management/
insight/item/maersk-springing-back-from-a-catastrophic-cyber-attack.
    \69\ Id.
    \70\ Wired, The Untold Story of NotPetya, the Most Devastating 
Cyberattack in History.
    \71\ Id.
---------------------------------------------------------------------------
    Rebuilding Maersk's network began four days after the 
attack when the company recovered its domain controller, a 
detailed map of their network that controlled system users, 
from a Maersk office in Ghana where a coincidental power outage 
had protected the office's IT system.\72\ A Maersk official 
flew with a copy of the critical software to England, where 
over five days, hundreds of IT workers used the recovered 
domain controller to reconstruct Maersk's active directory for 
worldwide operations, build out 2,000 new laptops, and reenable 
core business processes and systems.\73\ It took several more 
days before Maersk could restart online shipment processes and 
more than a week before terminals around the world could 
function normally.\74\ Over two months passed before Maersk IT 
personnel fully restored its software setup.\75\
---------------------------------------------------------------------------
    \72\ Id.
    \73\ Id.
    \74\ Id.
    \75\ Wired, The Untold Story of NotPetya, the Most Devastating 
Cyberattack in History.
---------------------------------------------------------------------------
    Following the NotPetya attack, Maersk leadership shared 
their critical takeaways with the global community, which 
assisted many other NotPetya victims in recovery.\76\ These 
included transparency, open communication, crisis recovery and 
business continuity plans, regular cyber incident response 
exercises, and a network of consultancies and government 
actors, among others.\77\
---------------------------------------------------------------------------
    \76\ Andy Powell, Implementing the Lessons Learned from a Major 
Cyberattack; see also Jim Snabe, CyberSecurity Davos 2017--Maersk, 
(June 2017), available at https://www.youtube.com/watch?v=VaqIYlYmDbA.
    \77\ Id.

---------------------------------------------------------------------------
Intrusions--Oldsmar Wastewater Treatment Plant

    On Friday, February 5, 2021, a hacker remotely accessed the 
computer system of the water treatment plant for the city of 
Oldsmar, Florida, which provides water to about 15,000 
people.\78\ The hacker changed chemical levels in the water, 
increasing the sodium hydroxide (otherwise known as lye) level 
from 100 parts per million to 11,100 parts per million.\79\ In 
small quantities, sodium hydroxide is used to control acidity 
in water, but at higher levels, it is dangerous to humans. If 
the affected water had made it to the city's residents, they 
could have become seriously ill.\80\ Ingesting as little as 10 
grams of sodium hydroxide can be fatal.\81\
---------------------------------------------------------------------------
    \78\ Pinellas County Sheriff Department YouTube channel, Treatment 
Plant Intrusion Press Conference, (February 8, 2021), available at 
https://www.youtube.com/watch?v=MkXDSOgLQ6M&t=1s and Tampa Bay Times, 
Someone tried to poison Oldsmar's water supply during hack, sheriff 
says, (February 8, 2021), available at https://www.tampabay.com/news/
pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-
during-hack-sheriff-says/.
    \79\ Pinellas County Sheriff Department YouTube channel, Treatment 
Plant Intrusion Press Conference.
    \80\ The New York Times, Dangerous Stuff: Hackers Tried to Poison 
Water Supply of Florida Town, (February 8, 2021), available at https://
www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html.
    \81\ Environmental Protection Agency (EPA), Sodium Hydroxide, 
(September 1992), available at https://www3.epa.gov/pesticides/
chem_search/reg_actions/reregistration/fs_PC-075603_1-Sep-92.pdf.
---------------------------------------------------------------------------
    The hack at Oldsmar was discovered immediately when an 
employee noticed programs being opened on his computer and that 
the level of sodium hydroxide in the water had changed.\82\ The 
employee first noticed his computer being accessed remotely 
earlier that day but had not reported it because it was common 
for supervisors or others to access the system to troubleshoot 
issues remotely.\83\ Upon noticing later that the system was 
being remotely accessed again and that chemical levels were 
being changed to dangerous levels, the employee changed the 
chemical levels back to a safe level and reported the 
intrusion.\84\ The plant disabled remote access to their system 
after the hack and reported the hack to federal 
authorities.\85\
---------------------------------------------------------------------------
    \82\ Pinellas County Sheriff Department YouTube channel, Treatment 
Plant Intrusion Press Conference.
    \83\ Reuters, Hackers try to contaminate Florida town's water 
supply through computer breach, (February 8, 2021), available at 
https://www.reuters.com/article/us-usa-cyber-florida-idUSKBN2A82FV.
    \84\ Pinellas County Sheriff Department YouTube channel, Treatment 
Plant Intrusion Press Conference.
    \85\ Vice, Hacker Tried to Poison Florida City's Water Supply, 
Police Say, (February 8, 2021), available at https://www.vice.com/en/
article/88ab33/hacker-poison-florida-water-pinellas-county.
---------------------------------------------------------------------------
    CISA and the FBI determined that the hackers gained access 
to the supervisory control and data acquisition (SCADA) system, 
likely exploiting cybersecurity weaknesses such as poor 
password security and an outdated operating system.\86\ They 
also determined that hackers were likely able to access the 
SCADA system through the remote access TeamViewer software, 
which used the same password across all computers and lacked 
any firewall protection.\87\ City officials have said that 
residents were never at risk because of the city's automated 
monitoring of the water's pH levels and its built-in alarms, 
which would have been triggered before the water made it to the 
public.\88\
---------------------------------------------------------------------------
    \86\ CISA, Alert (AA21-042A) Compromise of U.S. Water Treatment 
Facility, (February 12, 2021), available at https://us-cert.cisa.gov/
ncas/alerts/aa21-042a.
    \87\ ABC Action News WFTS Tampa Bay, FBI: Water system hack likely 
caused by remote access program, old software and poor password 
security, (February 10, 2021), available at https://
www.abcactionnews.com/news/local-news/i-team-investigates/fbi-water-
system-hack-likely-caused-by-remote-access-program-old-software-and-
poor-password-security; Mass.gov, Cybersecurity Advisory for Public 
Water Suppliers, (accessed on October 4, 2021), available at https://
www.mass.gov/service-details/cybersecurity-advisory-for-public-water-
suppliers and FBI, CISA, EPA, MS-ISAC, Joint Cybersecurity Advisory, 
(February 11, 2021), available at https://www.mass.gov/doc/joint-fbi-
cisa-cybersecurity-advisory-on-compromise-of-water-treatment-facility/
download.
    \88\ Pinellas County Sheriff Department YouTube channel, Treatment 
Plant Intrusion Press Conference.
---------------------------------------------------------------------------
    The Oldsmar hack provides an example of the vulnerability 
of water systems to cybersecurity threats, especially smaller 
systems that lack the security controls, IT staff, and funding 
of larger organizations. It also shows how remote management 
applications, though efficient, create opportunities for 
attacks.\89\ The water sector is well-protected from a large-
scale attack on the entire system due to its decentralized 
nature, but the existence of thousands of small utilities 
across the country makes it challenging to ensure compliance 
with best practices throughout the entire sector.\90\ The 
investigations from CISA, the FBI, and others, for example, 
show that the Oldsmar water treatment plant had poor password 
management, an outdated operating system, and an old remote 
access management system still on computers.\91\ Further, an 
analysis done by Nozomi Networks' Labs determined that the 
Oldsmar hack was not very sophisticated and that it was likely 
perpetrated by someone without specific background knowledge of 
the water treatment process.\92\
---------------------------------------------------------------------------
    \89\ FBI, CISA, EPA, MS-ISAC, Joint Cybersecurity Advisory.
    \90\ CISA, Water and Wastewater Systems Sector, (accessed on 
October 27, 2021), available at https://www.cisa.gov/water-and-
wastewater-systems-sector.
    \91\ FBI, CISA, EPA, MS-ISAC, Joint Cybersecurity Advisory.
    \92\ Nozomi Networks, Hard Lessons From the Oldsmar Water Facility 
Cyberattack Hack, (February 10. 2021), available at https://
www.nozominetworks.com/blog/hard-lessons-from-the-oldsmar-water-
facility-cyberattack-hack/.
---------------------------------------------------------------------------

POOR CYBERSECURITY HYGIENE CREATES WEAK LINKS

    As reliance on IT continues to dominate American lives and 
global competitiveness, the Colonial, Maersk, and Oldsmar 
attacks illustrate the cybersecurity vulnerabilities found in 
common items and the willingness of enemies, whether nation-
state or not, to target these gaps. Cybersecurity in both the 
public and private sector can be significantly enhanced by 
making easy fixes, such as ensuring known software patches are 
implemented quickly, providing regular cybersecurity awareness 
training to staff, and using effective passwords and other 
authentication systems.\93\ However, the federal government, 
organizations, and individuals often fail to take these ``cyber 
hygiene'' measures due to resource constraints or lack of 
awareness or will, creating easy targets for cybercriminals. 
These weak links may result in consequences that threaten the 
nation's transportation infrastructure and networks and 
potentially harm the public.
---------------------------------------------------------------------------
    \93\ Cybersecurity & Infrastructure Security Agency (CISA), Cyber 
Essentials Starter Kit: The Basics for Building a Culture of Cyber 
Readiness, (Spring 2021), available at https://www.cisa.gov/sites/
default/files/publications/Cyber%20Essentials%20Starter%20Kit_
03.12.2021_508_0.pdf
---------------------------------------------------------------------------
    Recent surveys of the public transit and water and 
wastewater utilities sectors confirm that some U.S. 
transportation infrastructure assets are not making some of the 
recommended adjustments.\94\ These surveys show gaps in the 
water and transit sectors' ability to detect, confront, and 
respond to cybersecurity incidents.\95\ Research into other 
relevant T&I industries, such as aviation and maritime, 
indicates similar security vulnerabilities.\96\
---------------------------------------------------------------------------
    \94\ Water Sector Coordinating Council, Water and Wastewater 
Systems--Cybersecurity: 2021 State of the Sector, (June 2021), 
available at https://www.waterisac.org/system/files/articles/
FINAL_2021_WaterSectorCoordinatingCouncil_Cybersecurity_State_of_the_Ind
ustry-17-JUN-2021.pdf and Scott Belcher, et. al., Is the Transit 
Industry Prepared for the Cyber Revolution? Policy Recommendations to 
Enhance Surface Transit Cyber Preparedness, San Jose State University 
and Mineta Transportation Institute, (September 2020), available at 
https://transweb.sjsu.edu/sites/default/files/1939-Belcher-Transit-
Industry-Cyber-Preparedness.pdf.
    \95\ Id.
    \96\ See, e.g., For Aviation Cybersecurity, Airways Magazine, The 
Current State of Cybersecurity in Civil Aviation (June 5, 2021), 
available at https://airwaysmag.com/industry/the-current-state-of-
cybersecurity-in-civil-aviation and for Maritime Cybersecurity, 
Atlantic Council, Raising the Colors: Signaling for Cooperation on 
Maritime Cybersecurity (Oct. 2021), pp 5-13, available at https://
www.atlanticcouncil.org/wp-content/uploads/2021/10/Cyber-Maritime-
Final-Report.pdf.
---------------------------------------------------------------------------
     LWater Sector Survey. In June 2021, water security 
stakeholders issued a report that included a survey of more 
than 600 water and wastewater utilities regarding cybersecurity 
gaps and needs.\97\ More than 57 percent of water utilities 
that responded to the survey have a risk management plan that 
addresses cybersecurity threats, while 42 percent do not.\98\ 
Further, 26 percent conduct cybersecurity risk assessments less 
than once per year.\99\ More than 37 percent of small water 
utilities said they don't share cybersecurity data because they 
don't know who to share this information with or how to do so, 
while 22 percent feared the data would not be kept 
confidential.\100\ While 75 percent of respondents have 
implemented or are in the process of implementing some ``cyber 
protection efforts,'' more than 25 percent of water utilities 
have no plans to conduct these efforts. Nearly 64 percent do 
not employ a chief information security officer (CISO), and 
while over 50 percent of water utilities conduct some 
cybersecurity-related drill or exercises, 42 percent do 
not.\101\ More than 68 percent do not participate in any 
cybersecurity-related drills or exercises, but 47 percent said 
they need cybersecurity technical assistance, advice, and other 
support, and 41 percent said they need federal grants or loans 
to improve cybersecurity.\102\
---------------------------------------------------------------------------
    \97\ Water Sector Coordinating Council, Water and Wastewater 
Systems--Cybersecurity: 2021 State of the Sector.
    \98\ Id.
    \99\ Id.
    \100\ Id.
    \101\ Id.
    \102\ Id.
---------------------------------------------------------------------------
     LTransit Sector Survey. The Mineta Transportation 
Institute and San Jose State University produced a recent 
report on transit-related cybersecurity issues that included a 
survey of 90 transit agencies serving more than 124 million 
people.\103\ Among the results, over 50 percent of those 
surveyed had up to four staff dedicated to cybersecurity while 
nearly 39 percent had no dedicated staff, three of which are 
considered ``extra-large'' agencies with more than $100 million 
in operating expenses.\104\ In addition, four of 20 agencies 
that reported having a cybersecurity incident still have no 
staff dedicated to cybersecurity.\105\ Over 60 percent of 
transit agencies surveyed provide cybersecurity training to 
staff, while more than 24 percent provide no training, and more 
than 58 percent of those that don't provide training said it 
was due to a lack of resources.\106\ In addition, 42 percent of 
the agencies don't have an incident response plan, and of those 
that had one, over half have not had an exercise in over a 
year.\107\ Nearly 78 percent of the 90 agencies surveyed said 
they had not had a cybersecurity ``incident.'' \108\ The 
authors found this troubling since given the frequency of 
cyberattacks, it suggests that many of these transit agencies 
may simply not be detecting successful cybersecurity 
penetrations against their networks.\109\ In addition, more 
than 30 percent of those that said they had been the victim of 
a cybersecurity incident also said they never reported the 
incident to anyone.\110\
---------------------------------------------------------------------------
    \103\ Scott Belcher, et. al., Is the Transit Industry Prepared for 
the Cyber Revolution? Policy Recommendations to Enhance Surface Transit 
Cyber Preparedness, San Jose State University and Mineta Transportation 
Institute, (September 2020), available at https://transweb.sjsu.edu/
sites/default/files/1939-Belcher-Transit-Industry-Cyber-
Preparedness.pdf.
    \104\ Id.
    \105\ Id.
    \106\ Id.
    \107\ Id.
    \108\ Id.
    \109\ Id. at 36-37.
    \110\ Id.
---------------------------------------------------------------------------

PRIVATE-PUBLIC COORDINATION

    In the United States, it is generally cited that 85 percent 
of critical infrastructure is in private hands, and much of the 
transportation sector is subject to some government 
oversight.\111\ As such, cooperation between the public and 
private sectors that fosters integrated, collaborative 
engagement and interaction is essential to maintaining 
transportation infrastructure cybersecurity, especially as 
technology makes transportation infrastructure increasingly 
vulnerable to cyberattacks.\112\ The annual cost of malicious 
cyber activity to the U.S. economy, estimated recently at 
between $57 billion and $109 billion, demonstrates the pressing 
need for action in both the private and public sectors.\113\
---------------------------------------------------------------------------
    \111\ Lawfare, Is It Really 85 Percent? (May 11, 2021), available 
at https://www.lawfareblog.com/it-really-85-percent.
    \112\ CISA, Critical Infrastructure Sector Partnerships, (accessed 
on Oct 22, 2021) available at https://www.cisa.gov/critical-
infrastructure-sector-partnerships.
    \113\ Council of Economic Advisors, The Cost of Malicious Cyber 
Activity to the U.S. Economy (2018), available at https://
trumpwhitehouse.archives.gov/articles/cea-report-cost-malicious-cyber-
activity-u-s-economy/
---------------------------------------------------------------------------
    As the federal government seeks to strengthen 
transportation infrastructure's cyber defenses, with an 
emphasis on cybersecurity preparedness, the perspective and 
experience of the private sector remains vital to create 
effective cyber resilience.\114\ Addressing the biggest gaps, 
including those discussed below, will require collaboration 
between public and private stakeholders.
---------------------------------------------------------------------------
    \114\ Lawfare, Is It Really 85 Percent?
---------------------------------------------------------------------------

CYBERSECURITY WORKFORCE SHORTAGES

    There is a dire shortage globally of workers with 
cybersecurity expertise. In the U.S., recent estimates show 
around 950,000 individuals currently employed in this field, 
with a need to fill an additional 464,000 cyber-related 
positions.\115\ In the public sector alone, there are about 
60,000 individuals employed in cyber jobs, with an additional 
36,000 unfilled positions across all levels of government.\116\
---------------------------------------------------------------------------
    \115\ CyberSeek, ``Cybersecurity Supply/Demand Heat Map,'' last 
accessed on October 22, 2021, at https://www.cyberseek.org/
heatmap.html; Washington Post, The Cybersecurity 202: The government's 
facing a severe shortage of cyber workers when it needs them the most, 
(August 2, 2021), available at https://www.washingtonpost.com/politics/
2021/08/02/cybersecurity-202-governments-facing-severe-shortage-cyber-
workers-when-it-needs-them-most/.
    \116\ Id.
---------------------------------------------------------------------------
    In addition, a Center for Strategic and International 
Studies survey of public and private sector organizations in 
eight countries, including the United States, found that 
eighty-two percent of responding organizations have a shortage 
of employees with cybersecurity skills.\117\ The survey results 
also show that the shortage of cybersecurity professionals can 
have real consequences. One-third of respondents said a 
shortage of skills makes their organizations more desirable 
hacking targets, and a quarter said insufficient cybersecurity 
staff strength has damaged their organization's reputation and 
led directly to the loss of proprietary data through a 
cyberattack.\118\
---------------------------------------------------------------------------
    \117\ Center for Strategic and International Studies, Hacking the 
Skills Shortage: A study of the international shortage in cybersecurity 
skills, (July 2016), available at https://www.mcafee.com/enterprise/en-
us/assets/reports/rp-hacking-skills-shortage.pdf.
    \118\ Id.
---------------------------------------------------------------------------
    Although a shortage of federal cybersecurity workers 
remains, the federal government has taken several steps to 
address this shortage.\119\
---------------------------------------------------------------------------
    \119\ Washington Post, The Cybersecurity 202.
---------------------------------------------------------------------------
     LThe Office of Management and Budget directed the 
Office of Personnel Management and other federal agencies to 
establish programs to assist federal agencies in using existing 
compensation flexibilities and explore opportunities for new or 
revised pay programs for cybersecurity positions to better 
enable them to compete with other employers.\120\
---------------------------------------------------------------------------
    \120\ Office of Management and Budget, ``Memorandum for Heads of 
Executive Departments and Agencies: Federal Cybersecurity Workforce 
Strategy,'' (July 12, 2016), available at https://www.chcoc.gov/
content/federal-cybersecurity-workforce-strategy.
---------------------------------------------------------------------------
     LCISA created the National Initiative for 
Cybersecurity Education framework for increasing the size and 
capability of the U.S. cyber workforce, and Girls Who Code, an 
effort to develop pathways for young women to pursue careers in 
cybersecurity and technology.\121\
---------------------------------------------------------------------------
    \121\ CISA, National Initiative for Cybersecurity Education (NICE) 
Cybersecurity Workforce Framework, (accessed on October 22, 2021), at 
https://www.cisa.gov/nice-cybersecurity-workforce-framework and CISA, 
Girls Who Code Announce Partnership to Create Career Pathways for Young 
Women in Cybersecurity and Technology, accessed on October 22, 2021, 
available at https://www.cisa.gov/news/2021/09/30/cisa-and-girls-who-
code-announce-partnership-create-career-pathways-young-women.
---------------------------------------------------------------------------
     LThe United States Digital Service allows 
technology specialists to apply and essentially take a ``tour 
of civic service'' to bring real-world private sector knowledge 
into the federal government.\122\
---------------------------------------------------------------------------
    \122\ U.S. Digital Service, ``Our Mission,'' accessed on https://
www.usds.gov/mission.
---------------------------------------------------------------------------

VOLUNTARY STANDARDS AND NEW FEDERAL LEADERSHIP

    In 2013, in response to an Executive Order, the National 
Institute of Standards and Technology (NIST) began developing 
the first national cybersecurity framework consistent with its 
mission to promote U.S. innovation and competitiveness.\123\ In 
May 2017, applying the framework, widely touted by 
cybersecurity experts, became mandatory for federal 
agencies.\124\ Compliance is still voluntary in the private 
sector, with NIST estimating a 50 percent adoption rate among 
private actors in 2020.\125\
---------------------------------------------------------------------------
    \123\ NIST, History and Creation of the Framework, (accessed on 
October 22, 2021), available at https://www.nist.gov/cyberframework/
online-learning/history-and-creation-framework.
    \124\ NIST, Questions and Answers, (accessed on October 22, 2021), 
available at https://www.nist.gov/cyberframework/frequently-asked-
questions/framework-basics; Brandon Vigliarolo, NIST Cyber Security 
Framework: A Cheat Sheet for Professionals (March 5, 2021), available 
at https://www.techrepublic.com/article/nist-cybersecurity-framework-
the-smart-persons-guide/.
    \125\ NIST, Cybersecurity Framework, available at https://
www.nist.gov/industry-impacts/cybersecurity-framework/ (last visited 
October 22, 2021).
---------------------------------------------------------------------------
    In May 2021, President Biden issued Executive Order (EO) 
14028 focused on improving the nation's cybersecurity and 
protecting federal government networks, building on past 
executive action, including executive orders issued in 2017 and 
2013.\126\ Although the primary aim of the EO is to strengthen 
federal systems, it also notes that much of the nation's 
infrastructure is owned and operated by the private sector and 
encourages these companies to ``follow the Federal government's 
lead and take ambitious measures to augment and align 
cybersecurity investments with the goal of minimizing future 
incidents.'' \127\ The EO also establishes a Cybersecurity 
Review Board, modeled after the National Transportation Safety 
Board, composed of private sector entities and federal 
officials to review significant cyberattacks and share lessons 
learned.\128\
---------------------------------------------------------------------------
    \126\ The White House, Executive Order on Improving the Nation's 
Cybersecurity, (May 12, 2021), available at https://www.whitehouse.gov/
briefing-room/presidential-actions/2021/05/12/executive-order-on-
improving-the-nations-cybersecurity/; see also The White House, 
Strengthening the Cybersecurity of Federal Networks and Critical 
Infrastructure, (May 11, 2017), available at https://www.govinfo.gov/
content/pkg/DCPD-201700327/pdf/DCPD-201700327.pdf; The White House, 
Improving Critical Infrastructure Cybersecurity, (Feb. 12, 2013), 
available at https://obamawhitehouse.archives.gov/issues/foreign-
policy/cybersecurity/eo-13636.
    \127\ The White House, FACT SHEET: President Signs Executive Order 
Charting New Course to Improve the Nation's Cyber Security and Protect 
Federal Government Networks, (May 12, 2021), available at https://
www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-
sheet-president-signs-executive-order-charting-new-course-to-improve-
the-nations-cybersecurity-and-protect-federal-government-networks/.
    \128\ Id.
---------------------------------------------------------------------------
    Following the EO, in June 2021, CISA issued guidance on 
Ransomware for Operators of Critical Infrastructure.\129\ 
CISA's guidance addresses increasingly complex IT and OT 
systems that play a pivotal role in critical infrastructure, 
where the attack surfaces have expanded well beyond once-
isolated systems.\130 \The guidance will assist in establishing 
standards for preparing, mitigating, and responding to 
cyberattacks targeting critical infrastructure.\131\
---------------------------------------------------------------------------
    \129\ CISA, Rising Ransomware Threat to Operational Technology 
Assets (June 9, 2021).
    \130\ CISA, FACT SHEET: Rising Operational Threat to Operating 
Technology Assets, available at https://www.cisa.gov/sites/default/
files/publications/CISA_Fact_Sheet-Rising_
Ransomware_Threat_to_OT_Assets_508C.pdf (last visited October 22, 
2021).
    \131\ Id.
---------------------------------------------------------------------------
    In July 2021, the Biden administration also issued the 
National Security Memorandum on Improving Cybersecurity for 
Critical Infrastructure Control Systems.\132\ The memorandum 
called for creating cyber-performance goals for critical 
infrastructure companies, including the establishment of 
baseline cybersecurity performance standards across all 
infrastructure sectors.\133\
---------------------------------------------------------------------------
    \132\ The White House, National Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems, (July 28, 
2021), available at https://www.whitehouse.gov/briefing-room/
statements-releases/2021/07/28/national-security-memorandum-on-
improving-cybersecurity-for-critical-infrastructure-control-systems/.
    \133\ Id., Sec. 4.
---------------------------------------------------------------------------
    The Biden administration has supplemented voluntary 
cooperative efforts with new mandatory standards to protect 
critical infrastructure in some sectors.\134\ At the end of 
July, TSA issued a security directive requiring owners and 
operators of TSA-designated critical pipelines to implement 
specific mitigation measures to protect against ransomware 
attacks and other known threats to IT and OT systems, develop 
and implement a cybersecurity contingency and recovery plan, 
and conduct a cybersecurity architecture design review to 
supplement mandatory cyber protocol requirements related to 
pipelines issued two months earlier.\135\ TSA is reportedly 
preparing similar directives for the rail and aviation sectors. 
The DHS Secretary reports the administration continues 
``coordinating and consulting with industry as we develop all 
of these plans.'' \136\ Given the Committee's role in the 
safety of transportation industries, as TSA issues directives, 
it will closely monitor these directives.
---------------------------------------------------------------------------
    \134\ CRS, Pipeline Cybersecurity: Federal Programs, (September 9, 
2021), pp 9-11, available at https://crsreports.congress.gov/product/
pdf/R/R46903.
    \135\ Id., p 10.
    \136\ DHS, Secretary Mayorkas Delivers Remarks at the 12th Annual 
Billington CyberSecurity Summit, (October 6, 2021), available at 
https://www.dhs.gov/news/2021/10/06/secretary-mayorkas-delivers-
remarks-12th-annual-billington-cybersecurity-summit.
---------------------------------------------------------------------------

VOLUNTARY REPORTING AND LACK OF GOVERNMENT DATA SHARING

    Reporting cybersecurity incidents--across the critical 
infrastructure spectrum--is also largely voluntary, a decades-
old legacy of the days before large-scale cyberattacks and 
networked critical infrastructure.\137\ Many actors responsible 
for critical infrastructure agree that what should be reported 
and to whom in the federal, state, and local governments 
regarding a cyber incident can be unclear.\138\ Further, 
requiring private entities to report cybersecurity-related data 
to the government has long been subject to debate, and the 
complexity of some proposed reporting models has raised 
concerns about the disproportionate burdens placed on smaller 
private actors.\139\ Therefore, a complete understanding of the 
cyber threats to the nation is likely underestimated in the 
face of these dynamics. In 2016, for example, the FBI estimated 
that only 15 percent of cybercrime victims reported the crime 
to law enforcement.\140\
---------------------------------------------------------------------------
    \137\ Tatiana Tropina, Public-Private Collaboration: Cybercrime, 
Cybersecurity and National Security, (May 7, 2015); Alan Raul and Vivek 
Mohan, The Privacy, Data Protection and Cybersecurity Law Review--
United States (Sept. 2018), 276-403, available at https://
datamatters.sidley.com/wp-content/uploads/2018/11/United-States.pdf.
    \138\ Sujit Ramen, Bloomberg Law, It's Time for National Cyber-
Incident Reporting Legislation, (July 12, 2021), available at https://
news.bloomberglaw.com/us-law-week/its-time-for-national-cyber-incident-
reporting-legislation.
    \139\ Coalfire, Compliance in the Era of Digital Transformation 
(May 24, 2021); Alan Raul and Vivek Mohan, The Privacy, Data Protection 
and Cybersecurity Law Review--United States (Sept. 2018), 276-403, 
available at https://datamatters.sidley.com/wp-content/uploads/2018/11/
United-States.pdf.
    \140\ FBI, 2016 Internet Crime Report, p. 4, (accessed on October 
22, 2021), available at https://www.ic3.gov/Media/PDF/AnnualReport/
2016_IC3Report.pdf.
---------------------------------------------------------------------------
    Recent EO 14028 also encourages sharing cyber-related 
threat data between the private sector and the federal 
government and requires federal IT contractors to report cyber 
incidents to the government, although reporting cyber incidents 
from privately-owned infrastructure assets or transportation 
systems remains voluntary.\141\ Obtaining a more holistic 
picture of the cyber threats our transportation systems and 
infrastructure assets face may help improve their own responses 
and the federal government's ability to identify these 
threats.\142\
---------------------------------------------------------------------------
    \141\ The White House, Executive Order on Improving the Nation's 
Cybersecurity, (May 12, 2021). Sec. 2, available at https://
www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/
executive-order-on-improving-the-nations-cybersecurity/.
    \142\ CISA, Information Sharing and Cyberawareness, available at 
https://www.cisa.gov/information-sharing-and-awareness (last visited 
October 22, 2021).
---------------------------------------------------------------------------
    While CISA leadership has recently expressed an interest in 
mandatory 24-hour reporting, potentially supported by fines for 
non-compliance, the private sector does not appear fully in 
favor of this approach.\143\ Some private actors responsible 
for critical infrastructure have concerns with reporting cyber 
incidents to the federal government.\144\ These concerns 
include bad press, regulatory reprisal, or minimal public 
consequences for cyber attackers.\145\ Further, private actors 
who proactively seek out information from the federal 
government on current threats or reported vulnerabilities 
report being frustrated by the information sharing practices of 
the federal government.\146\ Collaboration and coordination 
between the public and private sector in protecting the 
nation's critical infrastructure is critical, but still a work 
in progress.\147\
---------------------------------------------------------------------------
    \143\ Adam Mazmanian, FCW, CISA Seeks 24-Hour Timeline for Cyber 
Incident Reporting (Oct 19, 2021), available at https://fcw.com/
articles/2021/10/19/cisa-wales-reporting-timeline-cyber-incident.aspx.
    \144\ Amitai Etzioni, The Private Sector: A Reluctant Partner in 
Cyber Security (Dec 14, 2014), available at https://icps.gwu.edu/
private-sector-reluctant-partner-cybersecurity.
    \145\ Dan Swinhoe, CSO, Why businesses don't report cybercrimes to 
law enforcement (May 30, 2019), available at https://www.csoonline.com/
article/3398700/why-businesses-don-t-report-cybercrimes-to-law-
enforcement.html.
    \146\ Samantha Swartz, Cybersecurity Dive, What Happens if Threat 
Data Isn't Shared? (April 30, 2021), available at https://
www.cybersecuritydive.com/news/information-sharing-threat-intelligence-
analysis-cybersecurity/599319/; Jonathan Day and Michael Mahoney, 
Private Sector Wants More--and Better--Cybersecurity Cooperation with 
Government (Mar 9, 2020), available at https://morningconsult.com/
opinions/private-sector-wants-more-and-better-cybersecurity-
cooperation-with-government/.
    \147\ Jason Miller, Federal News Network, (CISA's still overcoming 
challenges 5 years after Cybersecurity Information Sharing Act became 
law, October 6, 2020), available at https://federalnewsnetwork.com/
reporters-notebook-jason-miller/2020/10/cisas-still-overcoming-
challenges-5-years-after-cybersecurity-information-sharing-act-became-
law/.
---------------------------------------------------------------------------

CONCLUSION

    As America seeks to remain globally competitive and provide 
Americans with safe and secure infrastructure, cybersecurity 
will remain a top priority. During this hearing, the Committee 
will hear from private sector witnesses, but it intends to hold 
a second cybersecurity hearing on these issues in the future 
that will focus on federal agencies and their efforts to close 
the current cybersecurity gaps that put industry and government 
at greater risk of attacks, actions to assist the private 
sector, and what steps they are taking to implement recent 
federal cybersecurity directives.

                              WITNESS LIST

     LScott Belcher, President and Chief Executive 
Officer, SFB Consulting, LLC, testifying on behalf of Mineta 
Transportation Institute
     LMegan Samford, Vice President and Chief Product 
Security Officer, Schneider Electric
     LThomas L. Farmer, Assistant Vice President, 
Security, Association of American Railroads
     LMichael Stephens, General Counsel and Executive 
Vice President, Tampa International Airport
     LJohn Sullivan, Chief Engineer, Boston Water and 
Sewer Commission, testifying on behalf of the Water Information 
Sharing and Analysis Center (WaterISAC)
     LGary Kessler, PhD, President, Gary Kessler 
Associates, testifying on behalf of The Atlantic Council
    Mr. DeFazio. The Committee on Transportation and 
Infrastructure will come to order.
    I ask unanimous consent that the chair be authorized to 
declare a recess at any time during today's hearing.
    Without objection, so ordered.
    As a reminder, please keep your microphone muted, unless 
speaking. Should I hear any inadvertent background noise, I 
will request the Member please mute their microphone, or I will 
yell at you.
    To insert a document into the record, please email it to 
[email protected].
    With that, I will yield myself such time as I may consume.
    Today, we are going to hear about the challenges and gaps 
in protecting our Nation's transportation systems and critical 
infrastructure from cyberattacks, and recommendations from 
private industry and cybersecurity experts on how to close 
those gaps.
    Notably, this hearing is largely being conducted online, 
demonstrating how much we all rely on cyber systems to carry 
out our basic day-to-day tasks, particularly in the era of 
COVID.
    And even with dedicated and superb IT support and lots of 
experience, getting everything right 100 percent of the time is 
tough. Well, with the House system it is not even close to 
that. But anyway, we won't go into that.
    But when it comes to the Nation's critical infrastructure 
and transportation networks--pipelines that fuel our economy, 
water and wastewater treatment plants, shipping, aviation, 
railroads, and highways that play a critical role in bringing 
vital supplies to all Americans--getting everything right every 
time must be the goal. Lives are on the line. And each day, 
when you turn on a faucet, flush your toilet, or when you board 
a plane, fill up your car with gas, you trust that these 
systems will work.
    But that trust has been shaken in recent years. We have 
seen headlines about blows to the Nation's economy from 
ransomware attacks by criminal networks on critical 
infrastructure, and close calls where individual hackers have 
tried to go after wastewater systems. By the way, they have, 
many of them, used massive amounts of chlorine. If they can 
valve that chlorine into the air, they are going to kill a lot 
of people. And otherwise infiltrate our drinking water systems.
    The cyber threats and vulnerabilities are diverse, 
expanding, and constantly evolving, and have the potential to 
impact everyone. Yet, an estimated 85 percent--85 percent--of 
the Nation's critical infrastructure is in private hands, owned 
and operated by private entities.
    Too often, leaders whose organizations are at risk from 
cyberattacks weigh the risks of an attack against the cost of 
increasing cybersecurity protections, and they decide to roll 
the dice. Hey, it might hurt the stock price if we actually 
spend a little money on an updated IT system, or better 
cybersecurity, and, hey, that will hurt my annual bonus. So, 
let's skate, and hope we get away with it. They are betting 
they won't get attacked.
    The good news is, even basic steps, like mandating strong 
passwords--pathetic--and multifactor authentication, 
cybersecurity awareness training, and regularly practicing 
simple cybersecurity exercises, things that cost virtually 
nothing, and are common sense, can significantly harden cyber 
defenses and dramatically diminish a company, utility, or 
Federal agency's chances that they will fall victim to a 
successful attack.
    Unfortunately, recent surveys have shown that too many 
public and private entities don't take these simple steps. In a 
recent survey of the transit sector, nearly 39 percent of those 
surveyed have no--none, zero--staff dedicated to cybersecurity, 
and more than 24 percent provide no cybersecurity training to 
their staff at all. Many of them are using the password on the 
device when they got it. They don't--you know, just crazy 
stuff. This doesn't cost anything.
    The water sector is even worse. In a survey published in 
June of this year, 42 percent of water and wastewater utilities 
surveyed said they conduct no--no, zero--cybersecurity training 
for their staff, and more than 68 percent of them said they do 
not participate in any cybersecurity-related drills or 
exercises.
    Many experts believe we don't have a full and transparent 
picture of the cybersecurity threats that confront us, impeding 
our ability to quantify the risks and to learn about lessons 
from past attacks. Reporting cyber breaches, yes, it can hurt 
your financial bottom line for a little bit, but overall, in 
the end, you are going to benefit, your stockholder is going to 
benefit, the American people are going to benefit if you put 
these protections in place.
    The FBI has estimated only 15 percent of cyber crimes are 
actually reported--15 percent--to the Government. In a recent 
survey of the transit sector, more than 30 percent of those 
surveyed said they had been the victim of a cybersecurity 
incident, but they never reported the incident to anybody.
    With the public's safety and national economic security of 
the United States at stake, it may be time for voluntary steps 
by the private sector to give way to mandatory Federal 
reporting requirements.
    In 2013, NIST, the National Institute of Standards and 
Technology, in consultation with industry, academia, and 
Government, created a cybersecurity risk management framework. 
Since 2017, the framework has been mandatory for Federal 
agencies, but it hasn't eliminated all the problems, something 
that we will explore more at a future hearing.
    In the private sector, however, use of the NIST framework 
remains voluntary and is used unevenly. NIST estimated that, in 
2020, only 50 percent of private companies were even trying to 
reach NIST cybersecurity minimum standards.
    The Biden administration has finally begun to change 
things. In May 2021, the President issued Executive Order 14028 
to encourage critical infrastructure companies to, quote: 
``follow the Federal Government's lead and take ambitious 
measures to augment and align cybersecurity investments with 
the goal of minimizing future incidents.''
    In June of this year, DHS's Cybersecurity and 
Infrastructure Security Agency issued guidance that addresses 
complex networked IT and operational technology, or OT systems, 
and helps to establish standards for preparing and responding 
to cyberattacks targeting critical infrastructure. The Biden 
administration also issued a National Security Memorandum that 
called for the creation of cyber performance goals, including 
establishing baseline cybersecurity performance standards 
consistent across all critical infrastructure sectors.
    Just this summer, in the wake of the Colonial Pipeline 
cyberattack, the Transportation Security Administration 
abandoned voluntary compliance. They had already offered to do 
a full audit of cybersecurity for Colonial Pipeline. Colonial 
Pipeline--it wouldn't have cost them anything--they didn't want 
to do that, because they didn't want to know what their 
problems were. Well, it cost them a lot of money, and they 
could have had an evaluation, and perhaps closed the door 
before the ransomware attack.
    So, the TSA has abandoned voluntary compliance for 
pipelines altogether, issuing a directive mandating specific 
protections to defend against ransomware, along with 
cybersecurity contingency and recovery plans. TSA is reportedly 
preparing similar directives for other critical infrastructure 
sectors, including rail and aviation.
    So, we have an administration that is moving in the right 
direction. We need to do more.
    No single technology, policy, or other action will 
completely eliminate all cyber threats. But every step can help 
close the gaps and make success for cyber criminals and cyber 
terrorists harder.
    I look forward to hearing our witnesses' ideas about how we 
can do that. You have been in the trenches of the silent cyber 
conflict that goes on every day in our critical infrastructure 
sectors. You all have ideas on how Government, private 
industry, or both, working together, can increase our Nation's 
cyber resilience to protect our critical infrastructure and 
public, and to recover from cyberattacks when they do occur, 
despite our best efforts.
    So, thanks to our witnesses for joining us, and I will turn 
now to the ranking member, Mr. Crawford, for his opening 
remarks.
    [Mr. DeFazio's prepared statement follows:]

                                 
   Prepared Statement of Hon. Peter A. DeFazio, a Representative in 
      Congress from the State of Oregon, and Chair, Committee on 
                   Transportation and Infrastructure
    Today we will hear about the challenges and gaps in protecting our 
nation's transportation systems and critical infrastructure from 
cyberattacks, and recommendations on how to close those gaps from 
private industry and cybersecurity experts. Notably, this hearing is 
largely being conducted online, demonstrating how much we all rely on 
cyber systems to carry out basic day-to-day tasks. Even with dedicated 
and superb IT support and lots of experience, getting everything right 
100 percent of the time, is tough.
    But when it comes to the nation's critical infrastructure and 
transportation networks--pipelines that fuel our economy, water and 
wastewater treatment plants, shipping, aviation, railroads, and 
highways that play critical roles in bringing vital supplies to all 
Americans--getting everything right, every time, must be the goal. 
Lives are on the line, and each day when you turn on a faucet or flush 
your toilet, when you board a plane, or fill up your car with gas, you 
trust that these systems will work.
    But that trust has been shaken in recent years. We have seen 
headlines about blows to the nation's economy from ransomware attacks 
by criminal networks on critical infrastructure, and close calls where 
disgruntled individual hackers have tried to turn water from our 
faucets into poison that would do us harm.
    These cyber threats and vulnerabilities are diverse, expanding, and 
constantly evolving, and have the potential to impact everyone. Yet, an 
estimated 85 percent of the nation's critical infrastructure is in 
private hands, owned and operated by private entities.
    Too often leaders whose organizations are at risk from cyberattacks 
weigh the risks of an attack against the cost of increasing 
cybersecurity protections and they decide to roll the dice, betting 
they won't get attacked. The good news is, even basic steps like 
mandating strong passwords and multi-factor authentication, 
cybersecurity awareness training, and regularly practicing simple 
cybersecurity exercises can significantly harden cyber defenses and 
dramatically diminish a company, utility, or federal agency's chances 
that they will fall victim to a successful attack.
    Unfortunately, recent surveys have shown that too many public and 
private entities don't take these simple steps. In a recent survey of 
the transit sector nearly 39 percent of those surveyed had no staff 
dedicated to cybersecurity and more than 24 percent provide no 
cybersecurity training to their staff at all. The water sector is even 
worse. In a survey published in June of this year, 42 percent of the 
water and wastewater utilities surveyed said they conduct no 
cybersecurity training for their staff and more than 68 percent of them 
said they do not participate in any cybersecurity-related drills or 
exercises.
    Many experts believe we don't have a full and transparent picture 
of the cybersecurity threats that confront us, impeding our ability to 
quantify the risks and to learn the lessons from past attacks. 
Reporting cyber breaches can be harmful to a company's financial bottom 
line, endangering a company's reputation and their stock price, for 
instance. Overall, the FBI has estimated only 15 percent of cyber-
crimes are actually reported to the government at all. In a recent 
survey of the transit sector, more than 30 percent of those surveyed 
who said they had been the victim of a cybersecurity incident said they 
never reported the incident to anyone.
    With the public's safety and the national and economic security of 
the United States at stake, it may be time for voluntary steps by the 
private sector to give way to mandatory federal reporting requirements.
    In 2013, the National Institute of Standards and Technology, or 
NIST, in consultation with industry, academia, and government, created 
a cybersecurity risk management framework. Since 2017, that framework 
has been mandatory for federal agencies, but it has not eliminated all 
problems, something we will explore more at a future hearing. In the 
private sector, however, use of the NIST framework remains voluntary, 
and it is used unevenly. NIST estimated that in 2020 only 50 percent of 
private companies were even trying to reach NIST cybersecurity minimum 
standards.
    The Biden administration has finally begun to change things. In May 
2021, the president issued Executive Order 14028 to encourage critical 
infrastructure companies to quote, ``follow the Federal government's 
lead and take ambitious measures to augment and align cybersecurity 
investments with the goal of minimizing future incidents.''
    In June of this year, DHS's Cybersecurity and Infrastructure 
Security Agency issued guidance that addresses complex, networked IT 
and Operating Technology, or OT, systems and helps to establish 
standards for preparing and responding to cyberattacks targeting 
critical infrastructure.
    The Biden administration also issued a national security memorandum 
that called for the creation of cyber-performance goals including 
establishing baseline cybersecurity performance standards consistent 
across all critical infrastructure sectors.
    In late summer, in the wake of the Colonial Pipeline cyberattack, 
the Transportation Security Administration abandoned voluntary 
compliance for pipelines altogether, issuing a directive mandating 
specific protections to defend against ransomware attacks, along with 
cybersecurity contingency and recovery plans. The TSA is reportedly 
preparing similar directives for other critical infrastructure sectors, 
including rail and aviation.
    So, we have an administration that is moving in the right 
direction. But we need to do more. No single technology, policy, or 
other action will completely eliminate all cyber threats. But each step 
can help close the gaps and make success for the cybercriminals and 
cyberterrorists harder.
    I look forward to hearing our witnesses' ideas about how we can do 
that. You all have been in the trenches of the silent cyber conflict 
that goes on each day in our critical infrastructure sectors. And you 
all have ideas on how government, private industry, or both working 
together can increase our nation's cyber resilience to protect our 
critical infrastructure and the public, and to recover when 
cyberattacks do occur, despite our best efforts.
    So, thank you to our witnesses for joining us. I look forward to 
your testimony. With that I recognize Ranking Member Graves for his 
opening statement.
    Mr. Crawford. Thank you, Mr. Chair. As we all know, the 
cyber threats facing our Nation's infrastructure have increased 
significantly as technology has become more essential and 
interwoven in our society, both in infrastructure and more 
broadly in our daily lives. While technology has allowed us to 
innovate and create efficiencies in infrastructure and 
transportation networks, it has also brought us new threats and 
vulnerabilities.
    Unfortunately, with recent high-profile cyberattacks like 
those conducted on Colonial Pipeline or various wastewater 
treatment plants, we have seen a very clear need to better 
protect our Nation's infrastructure through strong 
cybersecurity defense measures.
    Fortunately, many transportation and infrastructure 
operators are already taking action to protect their assets and 
the passengers and customers that rely on them.
    While the Federal Government is working to help the private 
sector prevent, mitigate, and respond to cyber threats, our 
cyber adversaries' technology is advancing more quickly than 
anything the Federal Government can mandate. In light of this 
reality, I look forward to hearing from our witnesses today 
about their best practices for cyber defense across varying 
transportation modes.
    I would also like to highlight a specific concern regarding 
the TSA's recent mandatory security directives on cybersecurity 
for pipelines, and forthcoming directives for rail, transit, 
and aviation. I am concerned that the TSA's recent security 
directives are overly prescriptive, rushed, and fail to take 
into account holistic feedback from diverse stakeholders. I 
would like to hear stakeholders' input on this issue today, but 
we must also hear from Government witnesses to get the full 
picture. So, I look forward to following up on this topic to 
ensure that we get every perspective, as well.
    We need to hear how the various agencies are working with 
the operators of our Nation's infrastructure as true partners 
in improving the standards and practices we are using to 
protect America's infrastructure and transportation networks 
from growing cyber threats.
    Thank you, and I yield back the balance of my time.
    [Mr. Crawford's prepared statement follows:]

                                 
Prepared Statement of Hon. Eric A. ``Rick'' Crawford, a Representative 
                 in Congress from the State of Arkansas
    Thank you, Chair DeFazio.
    As we all know, the cyber threats facing our Nation's 
infrastructure have increased significantly as technology has become 
more essential and interwoven in our society--both in infrastructure, 
and more broadly in our daily lives. While technology has allowed us to 
innovate and create efficiencies in infrastructure and transportation 
networks, it has also brought us new threats and vulnerabilities.
    Unfortunately, with recent high-profile cyberattacks, like those 
conducted on the Colonial Pipeline, or various wastewater treatment 
plants, we have seen a very clear need to better protect our Nation's 
infrastructure through strong cybersecurity defense measures.
    Fortunately, many transportation and infrastructure operators are 
already taking action to protect their assets, and the passengers and 
customers that rely on them.
    While the federal government is working to help the private sector 
prevent, mitigate, and respond to cyber threats, our cyber adversaries' 
technology is advancing more quickly than anything the federal 
government can mandate. In light of this reality, I look forward to 
hearing from our witnesses today about their best practices for cyber 
defense across varying transportation modes.
    I also want to highlight a specific concern regarding the 
Transportation Security Agency's (TSA) recent mandatory security 
directives on cybersecurity for pipelines and forthcoming directives 
for rail, transit, and aviation.
    I am concerned that TSA's recent security directives are overly 
prescriptive, rushed, and fail to take into account wholistic feedback 
from diverse stakeholders. I want to hear stakeholders' input on this 
issue today, but we must also hear from government witnesses to get the 
full picture. So, I look forward to following up on this topic to 
ensure we get that perspective as well.
    We need to hear how the various agencies are working with the 
operators of our Nation's infrastructure as true partners in improving 
the standards and practices we're using to protect America's 
infrastructure and transportation networks from growing cyber threats.
    Thank you and I yield back the balance of my time.

    Mr. DeFazio. I thank the gentleman. I will now like to 
welcome the witnesses on our panel: Scott Belcher, president 
and chief executive officer, SFB Consulting, LLC, testifying on 
behalf of the Mineta Transportation Institute; Megan Samford, 
vice president, chief product security officer-energy 
management, Schneider Electric, on behalf of the International 
Society of Automation Global Cybersecurity Alliance; Thomas L. 
Farmer, assistant vice president-security, Association of 
American Railroads; Michael Stephens, general counsel and 
executive vice president for information technology, Tampa 
International Airport; John Sullivan, chief engineer, Boston 
Water and Sewer Commission, testifying on behalf of the Water 
Information Sharing and Analysis Center; and Gary Kessler, 
nonresident senior fellow, Atlantic Council.
    Thanks for joining to us today and giving us some of your 
time. We look forward to your testimony.
    Without objection, all of your full statements will be 
included in the record, and I would ask you to summarize in 5 
minutes your most succinct and telling points.
    With that, I would now recognize Mr. Belcher for 5 minutes.
    [Pause.]
    Mr. Belcher. There we go.
    Mr. DeFazio. Mr. Belcher? Oh, there we go.
    Mr. Belcher. Chairman DeFazio, there we go.

   TESTIMONY OF SCOTT BELCHER, PRESIDENT AND CHIEF EXECUTIVE 
       OFFICER, SFB CONSULTING, LLC, ON BEHALF OF MINETA 
TRANSPORTATION INSTITUTE; MEGAN SAMFORD, VICE PRESIDENT, CHIEF 
PRODUCT SECURITY OFFICER-ENERGY MANAGEMENT, SCHNEIDER ELECTRIC, 
  ON BEHALF OF THE INTERNATIONAL SOCIETY OF AUTOMATION GLOBAL 
   CYBERSECURITY ALLIANCE; THOMAS L. FARMER, ASSISTANT VICE 
PRESIDENT-SECURITY, ASSOCIATION OF AMERICAN RAILROADS; MICHAEL 
 A. STEPHENS, GENERAL COUNSEL AND EXECUTIVE VICE PRESIDENT FOR 
INFORMATION TECHNOLOGY, HILLSBOROUGH COUNTY AVIATION AUTHORITY, 
  TAMPA INTERNATIONAL AIRPORT; JOHN P. SULLIVAN, P.E., CHIEF 
 ENGINEER, BOSTON WATER AND SEWER COMMISSION, ON BEHALF OF THE 
  WATER INFORMATION SHARING AND ANALYSIS CENTER; AND GARY C. 
  KESSLER, Ph.D., NONRESIDENT SENIOR FELLOW, ATLANTIC COUNCIL

    Mr. Belcher. Chairman DeFazio, Ranking Member Crawford, and 
members of the committee, thank you for the opportunity to 
appear for you today and discuss the pressing need to 
strengthen cybersecurity capabilities of the U.S. public 
transit.
    Enterprise risk management in the U.S. public transit 
industry needs a 21st-century upgrade.
    Mr. DeFazio. Mr. Belcher, could you either perhaps speak up 
a little, turn up your volume, or maybe we can do it on our 
end? Just a little bit would be great.
    Mr. Belcher. OK, let me--enterprise risk management in the 
U.S. public transit industry needs a 21st-century upgrade, 
whereby specific attention is paid to strengthening cyber 
protection and preparedness across the industry.
    Is that better? Can you hear me better now?
    Mr. DeFazio. Yes, thank you.
    Mr. Belcher. OK. It is critical that transit agencies 
better understand how their risk profile is changing, and the 
threat landscape is evolving. Even the smallest and most 
conventional public transit agencies today rely on multiple 
digital technologies that expose them to cyber threats, whether 
it is through digital enabled hardware or systems that are 
managed in their yards.
    Last year, my colleagues and I released a report from the 
Mineta Transportation Institute entitled, ``Is the Transit 
Industry Prepared for the Cyber Revolution? Policy 
Recommendations to Enhance Surface Transit Cyber 
Preparedness.'' Our bottom line takeaway was that most transit 
operators have a lot of work to do to elevate their 
understanding of and preparedness for cyber-related risks to 
their operations, their data, and their business 
infrastructure. Our report concludes that, for many transit 
agencies, internal resources for cybersecurity are scarce, and 
even among those agencies that have resources, and that are 
aware, acquiring these resources are a long and laborious 
activity.
    In our view, there needs to be a collaborative effort 
between the Federal Government, the industry, and agency 
leadership to establish, maintain, refine, and support 
cybersecurity programs.
    Most transit agencies are unprepared to prevent or respond 
to the broad array of threat vectors, ranging from phishing and 
business email compromise to data breaches and ransomware 
attacks. In fact, a key finding from our report is that many 
agencies do not have an accurate sense of their cybersecurity 
preparedness.
    On the one hand, 81 percent of the responding agencies 
believe that they are prepared to manage and defend against 
cybersecurity threats. In fact, 73 percent of those respondents 
felt that they had adequate information to help implement their 
cybersecurity preparedness programs. Even so, only 60 percent 
of the respondents have a cybersecurity program in place; 43 
percent of the respondents do not believe they have the 
resources necessary for cybersecurity preparedness; and only 47 
percent of the respondents audit their cybersecurity programs 
on an annual basis. That is simply unacceptable.
    Despite the industry differences, cybersecurity maturity 
models exist, and assessment practices that are used across 
other industries are transferable, and can be transferred and 
utilized in the transit industry.
    The transit industry is experiencing an increasing number 
of high-profile attacks. We have seen the Metropolitan 
Transportation Authority in New York City, we have seen 
Martha's Vineyard Ferry in Massachusetts, we have seen the 
Southeastern Pennsylvania Transportation Authority, or SEPTA, 
in Philadelphia be hacked in the last year. And in fact, just 
last week we saw the Toronto Transit Commission be attacked by 
a malware attack, and that had a significant impact. And in 
fact, between June of 2020 and June of 2021, there has been a 
186-percent increase in weekly ransomware attacks in the 
transportation industry.
    Risk management priorities identified by transit executives 
identified that business continuity and data protection are the 
two areas most immediately at risk to cyber threats.
    So, with that, thank you for the opportunity, and for your 
continued leadership in this space. My written testimony has 
been submitted for the record, and I look forward to responding 
to your questions.
    [Mr. Belcher's prepared statement follows:]

                                 
 Scott Belcher, President and Chief Executive Officer, SFB Consulting, 
           LLC, on behalf of Mineta Transportation Institute
    Enterprise risk management in the U.S. public transit industry 
needs a twenty-first century upgrade, whereby specific attention is 
paid to strengthening cyber protections and preparedness across the 
industry. Risk as defined by most industry providers focuses primarily 
on the physical risks posed to the organization and its service 
delivery. Investments have been made for decades to reduce this risk, 
as it is understood that most threats that are likely to impair transit 
operations with regularity are physical (e.g., threats against 
operators and passengers, damage to vehicles, and theft). However, as 
digital technologies continue to be woven into the operations of even 
the most conventional public transit agency, any system, process, or 
function dedicated to reducing physical risk likely includes an array 
of digital vulnerabilities that need to be managed in concert with 
current security operations. The increasing frequency and magnitude of 
cyber threats also increases their potential to negatively impact 
existing systems designed to reduce physical risk. Risk governance 
decisions should prioritize potential physical threats, but the design 
and management of any comprehensive enterprise risk infrastructure in 
today's world must improve and integrate cybersecurity best practices 
alongside the physical security priorities.
    Based on the findings of the 2020 Mineta Transportation Institute 
(MTI) Report, Is the Transit Industry Prepared for the Cyber 
Revolution? Policy Recommendations to Enhance Surface Transit Cyber 
Preparedness \1\ (hereinafter, the 2020 MTI Report) and research to 
date, the authors believe transit operators need to elevate their 
understanding of and preparedness for cyber-related risks to their 
operations, data, and business infrastructure. Further, given the 
dependence transit agencies have on vendors, opportunities exist for 
the industry to enlist the help of the vendor community to support and 
in some cases lead the improvement of cyber risk management across the 
supply chain.
---------------------------------------------------------------------------
    \1\ https://transweb.sjsu.edu/research/1939-Transit-Industry-Cyber-
Preparedness

------------------------------------------------------------------------
 
-------------------------------------------------------------------------
Enterprise Risk Management: The methods and processes used by an
 enterprise to manage risks to its mission and to establish the trust
 necessary for the enterprise to support shared missions. It involves
 the identification of mission dependencies on enterprise capabilities,
 the identification and prioritization of risks due to defined threats,
 the implementation of countermeasures to provide both a static risk
 posture and an effective dynamic response to active threats; and it
 assesses enterprise performance against threats and adjusts
 countermeasures as necessary.\2\
------------------------------------------------------------------------


    The\\ 2020 MTI Report highlights that some agencies have taken 
action to protect themselves by seeking technical leadership from 
outside the transit industry, contracting out the management of 
personally identifiable information (PII), and seeking support from 
their supply chain partners. Some include cybersecurity requirements in 
their contracts with suppliers, one of the more basic and least 
expensive means to begin maturing an organization's cyber risk posture. 
And still others have operationalized cybersecurity requirements 
through actions in partnership with their supply chain, such as annual 
audits and ongoing monitoring and alerting that is closely coordinated 
between agency and vendor. Many agencies, however, have not yet 
embarked on such efforts.
---------------------------------------------------------------------------
    \2\ https://csrc.nist.gov/glossary/term/enterprise_risk_management
---------------------------------------------------------------------------
    The 2020 MTI Report concludes that for many transit agencies, 
internal resources for cybersecurity are scarce, as even among those 
agencies and individuals that recognize the growing threat, acquisition 
of necessary resources is a long, laborious activity. In the view of 
the authors, there needs to be a collaborative effort between the 
federal government, the industry, and transit agency leadership to 
establish, maintain, refine, and support cybersecurity programs. Both 
carrots and sticks are required to ensure the necessary resources are 
made available and utilized. The authors emphasize that the Federal 
Transit Administration (FTA) should require transit organizations to 
adopt and implement minimum cybersecurity standards prior to receiving 
federal funding. To date, the U.S. Department of Transportation, and 
the FTA has largely deferred to the Transportation Security 
Administration (TSA) in this space. This is about to change.
    Transportation infrastructure is a target for nefarious actors 
seeking to disrupt, be it for personal or political gain. The avenues 
to exploit this vital infrastructure will continue to evolve along with 
the technology that enables the industry's core operations and goals. 
As these technologies are further embedded in operations, new 
vulnerabilities will arise. Accounting for the risk today will foster 
greater resiliency and preparedness in the years to come.
    The mission of public transit is to move people as safely and 
efficiently as possible. Public transportation is a multi-faceted, 
complex, and expansive ecosystem that relies on people, processes, and 
associated technologies to ensure that it achieves its mission as 
seamlessly as possible. Security has always been a foundational aspect 
of public transit operations. Moving people at scale has inherent risk, 
and every transit agency takes deliberate steps to reduce physical risk 
wherever possible. An unsafe public transit system impairs the agency 
in executing its mission, as the public's sense of safety has a direct 
correlation to their willingness to use the public transit system to 
move about the community. Digital technologies are playing an 
increasingly important role in operations security. It is critical that 
transit agencies understand how their risk profile is changing, and 
ensure their systems, processes, and procedures engaged to address such 
risk are effectively resourced and adequately managed.
    The transit industry depends on a myriad of technologies, from the 
physical systems that manage access to the garage to the databases that 
house operational data or employee information. Technological 
advancements in general and their expanded application to the transit 
industry more specifically offer significant advantages for both 
providers and customers--improved service quality, operational 
efficiencies, and reduced costs. With each of these advancements, 
however, comes an additional level of risk that must be weighed and 
managed by transit providers and their suppliers. Cyber vulnerabilities 
attributable to the expanding digital ecosystem are prime among these 
growing risks.
    In the 2020 MTI Report, the authors described the unprecedented 
increase in the volume of data collected and maintained by modern 
transit operators, the addition of numerous vendors to help manage 
these growing technology demands on the industry, and the resulting 
need to spend more time and money securing newly exposed cybersecurity 
threats. Many transit agencies, the report found, were unprepared to 
prevent or respond to the broad array of identified threat vectors--
ranging from phishing and business email compromise to data breaches to 
ransomware attacks.

----------------------------------------------------------------------------------------------------------------
 
-----------------------------------------------------------------------------------------------------------------
A key finding from the 2020 MTI Report is that many agencies do not have an accurate sense of their
 cybersecurity preparedness.
 81% of responding agencies believe they are prepared to manage and defend against cybersecurity
 threats, and;
 73% feel they have access to information that helps them implement their cybersecurity preparedness
 program
 
Yet . . .
 
 Only 60% actually have a cybersecurity preparedness program;
 43% do not believe they have the resources necessary for cybersecurity preparedness; and
 Only 47% audit their cybersecurity program at least once per year.\3\
----------------------------------------------------------------------------------------------------------------


    It\\ is essential for transit agencies to develop and maintain 
mature enterprise risk management systems to mitigate threats to 
people, operations, and data. This need is neither new nor unique to 
the transit industry. Part of running any business is taking the 
necessary steps to protect critical assets. The added challenge 
organizations face today, however, is the increasing role of digital 
technologies in all areas of business operations. The resulting need is 
to have robust cyber risk management practices that span the 
organization to ensure the continued protection of critical assets.
---------------------------------------------------------------------------
    \3\ https://transweb.sjsu.edu/research/1939-Transit-Industry-Cyber-
Preparedness p. 32.
---------------------------------------------------------------------------
    Moreover, greater cybersecurity oversight is on its way. The Biden 
Administration has been vocal about the need for greater engagement in 
cybersecurity oversight by the federal government. The President on May 
12, 2021, issued an Executive Order stating:

        It is the policy of my Administration that the prevention, 
        detection, assessment, and remediation of cyber incidents is a 
        top priority and essential to national and economic security. 
        The Federal Government must lead by example. All Federal 
        Information Systems should meet or exceed the standards and 
        requirements for cybersecurity set forth in and issued pursuant 
        to this order.\4\
---------------------------------------------------------------------------
    \4\ https://www.whitehouse.gov/briefing-room/presidential-actions/
2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

    The Executive Order applies specifically to Federal agencies and 
their suppliers, but it is only a matter of time before the extensive 
set of requirements included in this Executive Order flow down to 
recipients of Federal funds.
    In a similar vein, the Department of Defense on November 20, 2020, 
began implementation of the Cybersecurity Maturity Model Certification 
(CMMC), which is a unifying standard for vendors to ensure they are 
implementing cybersecurity across the Defense Industrial Base (DIB).

        The CMMC framework includes a comprehensive and scalable 
        certification element to verify the implementation of processes 
        and practices associated with the achievement of a 
        cybersecurity maturity level. CMMC is designed to provide 
        increased assurance to the Department that a DIB company can 
        adequately protect sensitive unclassified information, 
        accounting for information flow down to subcontractors in a 
        multi-tier supply chain.\5\
---------------------------------------------------------------------------
    \5\ https://www.acq.osd.mil/cmmc/faq.html

    Again, while the CMMC currently only applies to contractors in the 
DIB, procurement practices that start in the defense arena regularly 
move into the non-defense arena and procurement and cybersecurity 
professionals both anticipate this transition.
    Finally, Congress has introduced several bills to address 
cyberattacks against private-sector targets and critical 
infrastructure, which includes the U.S. transportation sector. The U.S. 
House Energy and Commerce Committee on July 20, 2021, passed eight 
cybersecurity bills. The eight-bill package will increase requirements 
for private companies to report on cybersecurity incidents and provide 
funding for state and local governments to increase cybersecurity 
measures.\6\ Subsequently, Senator Mark Warner (D-VA) on July 22, 2021, 
introduced a bipartisan bill that would require the Cybersecurity and 
Infrastructure Security Agency (CISA) to identify and mitigate threats 
to the operational technology systems of pieces of critical 
infrastructure.\7\
---------------------------------------------------------------------------
    \6\ https://energycommerce.house.gov/newsroom/press-releases/
pallone-praises-committee-passage-of-eight-bipartisan-cybersecurity-
bills
    \7\ https://www.warner.senate.gov/public/_cache/files/4/2/422a0de2-
3c56-4e56-a4be-0e83af5b0065/
F90B3C493BA4FAB09E546FAF40E4B116.alb21b95.pdf
---------------------------------------------------------------------------
    Both the public and private sector have developed a great deal of 
cybersecurity guidance over the past two decades. Cybersecurity experts 
will tell you that the tools used to manage cybersecurity and 
associated threats do not vary greatly across industries but that some 
industries are more mature in their understanding when it comes to 
managing cyber risks. Industries such as the financial management 
industry where billions of dollars are moved digitally every minute 
have been forced to invest heavily in cybersecurity protection. Other 
industries such as the transit industry, which has traditionally been a 
hardware-based industry that relied largely on firmware and closed 
networks, have not faced the same urgency until recently.
    The 2020 MTI Report observes that ``[t]he existing cybersecurity 
guidance for public transit is spread across numerous government and 
industry entities . . . [and that] federal resources exist for agencies 
to improve their cybersecurity readiness.'' \8\ The same baseline 
documents are at the core of every industry cybersecurity program. 
Despite industry differences, cybersecurity maturity models and the 
assessment practices used to strengthen policies, procedures, and 
practices are transferable.
---------------------------------------------------------------------------
    \8\ https://transweb.sjsu.edu/research/1939-Transit-Industry-Cyber-
Preparedness MTI Report p. 35.
---------------------------------------------------------------------------
    One of the key foundations for cybersecurity programs across any 
industry comes from the National Institute of Standards and Technology 
(NIST). NIST is a non-regulatory agency that has no authority to 
dictate the use of any standard, but its standards carry significant 
weight. The work of NIST is defined by federal statutes, executive 
orders, and policies--including developing cybersecurity standards and 
guidelines for federal agencies. NIST's cybersecurity program supports 
its overall mission to promote U.S. innovation and industrial 
competitiveness by advancing measurement science, standards, and 
related technology through research and development.\9\
---------------------------------------------------------------------------
    \9\ https://www.nist.gov/cybersecurity
---------------------------------------------------------------------------
    In 2014, NIST released the ``Framework for Improving Critical 
Infrastructure Security'' in response to Presidential Executive Order 
13636, Improving Critical Infrastructure Cybersecurity,\10\ which 
called for a standardized security framework for critical 
infrastructure in the United States. This guidance is not intended to 
be a how-to guide for cybersecurity; rather, it is a framework designed 
to help a wide range of organizations assess risk and make sound 
decisions about prioritizing and allocating resources to reduce the 
risk of compromise or failure in their computer networks. For any 
organization to leverage the NIST Framework, customized implementation 
is required in ways that are not necessarily obvious from the document. 
The guidance is equally applicable to public and private industry.
---------------------------------------------------------------------------
    \10\ Barack Obama. Executive Order 13636, Improving Critical 
Infrastructure Cybersecurity, 78 FR 11737, February 19, 2013, https://
www.federalregister.gov/documents/2013/02/19/2013-03915/improving-
critical-infrastructure-cybersecurity.
---------------------------------------------------------------------------
    To further support organizations in the face of a growing cyber 
threat, Congress established the CISA at the U.S. Department of 
Homeland Security (DHS) through the Cybersecurity and Infrastructure 
Security Agency Act of 2018.\11\ According to DHS, ``CISA is the 
Nation's risk advisor, working with partners to defend against today's 
threats and collaborating to build more secure and resilient 
infrastructure for the future.'' \12\ CISA coordinates a collective 
defense to identify and vet procedures to manage and reduce the impact 
from disruption to critical infrastructure. In this role, the 
organization builds and coordinates relationships across industries 
working with sector specific agencies, such as the U.S. DOT, the FTA, 
the TSA, among others.
---------------------------------------------------------------------------
    \11\ https://www.congress.gov/bill/115th-congress/house-bill/3359
    \12\ https://www.cisa.gov/about-cisa
---------------------------------------------------------------------------
    CISA's role is to unite government and private sector partners, 
with a particular focus on 16 Critical Infrastructure Sectors:

        There are 16 critical infrastructure sectors whose assets, 
        systems, and networks, whether physical or virtual, are 
        considered so vital to the United States that their 
        incapacitation or destruction would have a debilitating effect 
        on security, national economic security, national public health 
        or safety, or any combination thereof.\13\
---------------------------------------------------------------------------
    \13\ https://www.cisa.gov/critical-infrastructure-sectors

    The public transit industry is part of the Transportation Security 
Sector (TSS), which is one of the 16 critical sectors. As such, the 
industry has direct access to CISA's capabilities and resources, such 
as intelligence analysis, data assessment, response methods 
development, and assistance to manage risks to critical infrastructure 
that often spike from emerging threats. CISA leads a systematic 
approach to manage and reduce cyber risk that includes providing 
services, cyber training, support to critical infrastructure operators, 
and risk analysis.
    The TSA is another critical cybersecurity player. TSA's origins 
date back to the days after September 11, 2001, when it was formed as 
part of the Aviation and Transportation Security Act. Its ``mission is 
to protect the nation's transportation systems to ensure freedom of 
movement for people and commerce.'' \14\ Given its provenance, TSA's 
original orientation centered on physical security, but the agency ``is 
responsible for securing the nation's transportation systems from all 
threats, including both physical and cyber.'' \15\ In this latter role, 
TSA overlaps with CISA. TSA explains the division of labor as follows:
---------------------------------------------------------------------------
    \14\ Transportation Security Administration (TSA), ``Mission,'' 
https://www.tsa.gov/about/tsa-mission (accessed March 13, 2020).
    \15\ TSA, ``TSA Releases Cybersecurity Roadmap,'' December 4, 2018, 
https://www.tsa.gov/news/releases/2018/12/04/tsa-releases-
cybersecurity-roadmap (accessed March 13, 2020).

        Although TSA has responsibility for oversight of both the 
        physical security and cybersecurity of the [TSS], TSA is not 
        directly responsible for the defense of the private sector 
        portion of TSS information technology infrastructure. Rather, 
        TSA serves a vital role in ensuring the cybersecurity 
        resilience of the TSS infrastructure and will work with the 
        Cybersecurity and Infrastructure Security Agency (CISA), with 
        its mission to protect the critical infrastructure of the 
        United States.\16\
---------------------------------------------------------------------------
    \16\ TSA, ``Cybersecurity Roadmap 2018,'' 4 November 2018, https://
www.tsa.gov/sites/default/files/documents/tsa_cybersecurity_roadmap.pdf 
(accessed March 13, 2020).

    DHS in 2015 built upon the NIST Framework and issued a document 
``to provide the TSS guidance, resource direction, and a directory of 
options to assist a TSS organization, [including public transit 
agencies], in adopting an industry-compatible version of the NIST 
Framework.'' \17\ This guidance was designed both for transit agencies 
that have an existing risk-management program and for agencies that do 
not yet have a formal cybersecurity program.\18\ The TSS Cybersecurity 
Framework Implementation Guidance and its companion workbook provide an 
approach for Transportation Systems Sector \19\ owners and operators to 
apply the tenets of the NIST Cybersecurity Framework to help reduce 
cyber risks.
---------------------------------------------------------------------------
    \17\ Department of Homeland Security (DHS), Transportation Systems 
Sector Cybersecurity Framework Implementation Guidance, 2 June 26, 
2015, https://www.cisa.gov/sites/default/files/publications/tss-
cybersecurity-framework-implementation-guide-2016-508v2_0.pdf (accessed 
February 24, 2020).
    \18\ DHS, Transportation Systems Sector Cybersecurity Framework 
Implementation Guidance, June 26, 2015, 3, https://www.cisa.gov/sites/
default/files/publications/tss-cybersecurity-framework-implementation-
guide-2016-508v2_0.pdf (accessed February 24, 2020).
    \19\ CISA, ``Transportation Systems Sector,'' https://www.cisa.gov/
transportation-systemssector (accessed March 13, 2020).
---------------------------------------------------------------------------
    Recent events have demonstrated the need to be proactive when it 
comes to cybersecurity. Major attacks such as SolarWinds, Colonial 
Pipeline, JBS Foods, and Acer have caused significant interruption and 
cost to the global economy. The transit industry has experienced a 
number of high-profile attacks as well. Cyber-attacks have involved the 
Metropolitan Transportation Authority (MTA) in New York City, the 
Martha's Vineyard Ferry in Massachusetts, and the Southeastern 
Pennsylvania Transportation Authority (SEPTA) in Philadelphia. Between 
June of 2020 and June of 2021, the global transportation industry 
witnessed a 186% increase in weekly ransomware attacks.\20\
---------------------------------------------------------------------------
    \20\ https://www.cybertalk.org/2021/07/28/ransomware-attacks-on-
the-transportation-industry-2021/
---------------------------------------------------------------------------
    This flood of activity and associated attention has raised a level 
of alarm throughout the government and the transit industry. Working 
with industry experts from other more mature fields such as financial 
management and defense, the researchers learned that the executives of 
these industries have come to treat cybersecurity threats as they treat 
the many other high-profile threats that the organizations' executive 
teams must evaluate, prioritize, and manage on an on-going basis.
    Of the risk management priorities identified by transit executives, 
business continuity and data protection are the two areas most 
immediately at risk to cyber threats. The good news is that there are 
steps that transit providers can take--with the participation and 
support of vendors--to mature existing risk management practices and 
implement industry-specific cyber defenses.
                             People Safety
    Creating and maintaining a safe environment for customers, 
employees, and the communities in which transit agencies provide 
services is essential for general risk mitigation and continuity of 
operations. Whether the safety incident involves a bus or train 
encountering another vehicle or an obstruction, or it involves a 
physical threat posed to a passenger, the transit operating system and 
its digital assets have rarely been directly involved. The increasing 
connectivity of vehicles both to other networked systems and to the 
internet is changing this dynamic.
    Until recently, the potential for digital tools to access physical 
operating systems among most public transit agencies was not feasible, 
as most systems were safely segregated from the internet. The advent 
and exponential growth of internet-enabled devices has stripped most 
systems of this protection. Applications enabling automatic vehicle 
locator (AVL) or global positioning systems (GPS) technologies to track 
vehicles in real time, for example, are also generally reliant on 
connected and networked operating systems. Even the transition to 
electric buses brings with it a whole new level of cyber exposure and 
other security risks not previously anticipated.
    Connected vehicle technologies that enable communication among 
vehicles on the road, infrastructure, and personal devices, can connect 
to the internet and vital operating systems--creating new access points 
for disruption. Transit operators have been piloting and, in some 
cases, deploying this new safety technology, which brings with it a new 
cybersecurity threat vulnerability that must be managed. Similarly, as 
transit operators test and deploy new levels of autonomy, whether it is 
for bus rapid transit or for first and last mile shuttles, they are 
exposing their operating systems and their passengers to new cyber 
risks. Fortunately, to date, there are no known recorded instances of 
malicious actors exploiting these vulnerabilities to remotely hijack or 
otherwise disrupt public transit vehicles. The access points to do so, 
however, are there and have been breached by researchers.
                          Business Continuity
    Interruptions to day-to-day business operations face the most 
pronounced cyber risk because an increasing amount of transit 
operations relies on digitally connected systems. Everything from when 
a bus is scheduled to depart a yard to which operator should be driving 
it are managed by internet-enabled devices and systems. Yard management 
and operator scheduling software are increasingly commonplace in public 
transit agencies. These systems, in turn, feed into public-facing 
route-planning services on which customers rely to complete their 
journeys. The public schedules also live on an increasing array of 
digital systems and services, from the agency's website and mobile 
applications to third-party services like Google Maps and Uber. A 
disruption to any one of these systems and the transmission of the data 
they produce can impair or halt service delivery. For example, SEPTA, 
suffered a ransomware attack resulting in severe network disruption in 
August 2020. Vancouver, Canada's TransLink transportation suffered a 
similar attack in December 2020. Like SEPTA, the services and systems 
on which TransLink relied to conduct day-to-day business operations 
were disrupted or sidelined. TransLink suffered from deactivated ticket 
kiosks and metro card readers, phone and internet outages, and offline 
GPS, tracking, and reporting services.

------------------------------------------------------------------------
 
-------------------------------------------------------------------------
Operational Technology (OT) is the hardware and software that detects or
 causes a change, through the direct monitoring and/or control of
 industrial equipment, assets, processes, and events.
 
Information Technology (IT) is the common term for the entire spectrum
 of technologies for information processing, including software,
 hardware, communications technologies, and related services. In
 general, IT does not include embedded technologies that do not generate
 data for enterprise use.\21\
------------------------------------------------------------------------

                     Personal\\ and Financial Data
---------------------------------------------------------------------------
    \21\ https://www.gartner.com/en/information-technology/glossary
---------------------------------------------------------------------------
    The acquisition and exploitation of personal and financial data is 
a common goal of cyber criminals because it can be easily monetized in 
forums where individuals and organizations are willing to trade or pay 
for the information. Transit agencies are in possession of employee and 
customer data, specifically personal and financial information, which 
can hold appeal to nefarious actors. The previously cited Vancouver 
TransLink ransomware attack resulted in a lawsuit against TransLink by 
employees who accused the company of not doing enough to protect their 
personal and banking information--much of which was compromised during 
the attack.
    As transit providers adopt new systems to augment and improve 
service--mobile pay, advanced trip planning, on-board Wi-Fi, etc.--they 
are increasingly likely to be in possession of more high-value customer 
data. Special services for older adults and paratransit services for 
individuals unable to use fixed route services may also require 
communication or documentation about sensitive health information--none 
of which the transit agency nor the customer wishes to have in the 
hands of a nefarious actor. Without implementing robust protection 
systems, the transit provider is likely to be risking the security of 
their passengers' data and may not even be in the position to know if 
or when a system is breached.
    Most transit operators outsource fare management and the associated 
passenger data to PCI compliant vendors, which helps them to manage one 
of their biggest cybersecurity risks. Operators are now becoming more 
sophisticated in the contractual requirements that they impose upon 
their fare management partners to ensure that these vendors have a 
mature and comprehensive cyber protection system in place.
    Transit operators are entering into a challenging new world where 
digital technology increases their cyber threat risks exponentially. 
Simultaneously, the Federal Government is increasing its focus on 
cybersecurity. As such, the transit industry will need to sharpen its 
focus, take advantage of available resources, and rely increasingly on 
its partners for support as it elevates its response to these dual 
pressures. It will have to address these challenges while it is also 
called upon to respond to growing pressure to address congestion, 
emissions, and social equity. No easy task.

    Mr. DeFazio. Thank you, Mr. Belcher.
    Ms. Samford?
    Ms. Samford. Chairman DeFazio, Ranking Member Crawford, and 
members of the Committee on Transportation and Infrastructure, 
on behalf of the International Society of Automation Global 
Cybersecurity Alliance, the ISAGCA, and its over 50 public- and 
private-sector automation and cybersecurity member 
organizations that cross all 16 critical infrastructure sectors 
and comprise over $1.5 trillion in aggregate revenue, thank you 
for the opportunity to testify on Incident Command System for 
Industrial Control Systems, ICS4ICS.
    My name is Megan Samford. As the Advisory Board chair of 
the ISAGCA, I am representing the member organizations that are 
all aligned around the ISA/IEC 62443 standard for 
cybersecurity, and that are strongly committed to securing the 
industrial control systems that are at the heart and lungs of 
American critical infrastructures.
    I am also the vice president of product cybersecurity and 
chief product security officer for Schneider Electric's energy 
management business. Schneider Electric was a founding member 
of the ISAGCA, and is committed to ensuring the efficiency, 
resiliency, sustainability, and cybersecurity of electric 
grids, globally.
    Lastly, I am cochair of the U.S. Department of Homeland 
Security's Control Systems Working Group.
    My background in emergency management dates back to 2007, 
when I graduated from Virginia Commonwealth University as one 
of the first 50 individuals in the United States with a 
bachelor of arts degree in homeland security and emergency 
preparedness. From there, I worked under Governors Tim Kaine 
and Bob McDonnell, lastly serving as Virginia's critical 
infrastructure protection coordinator. Most recently, and what 
I am happy to testify on today, I became one of four 
cybersecurity first responders to be formally credentialed as a 
type 1 cyber incident commander under the FEMA National 
Incident Management System Incident Command System.
    The private sector lacks a consistent, repeatable, and 
scalable framework to respond to day-to-day cyber incidents, as 
well as cyber incidents where the impact spans suppliers, 
customers, and coordination with local, State, and Federal 
Government. This is due to a lack of interoperability of 
individual company response plans. In the event of a large-
scale cyber incident, this deficiency can lead to poorly 
executed responses that have impacts on lives and property.
    The goal of ICS4ICS is to identify how the private sector 
can adopt portions of the FEMA Incident Command System to 
ensure coordinated, uniform, and more effective cyber incident 
response. Implementing ICS4ICS at scale will help the United 
States more effectively coordinate response and recovery 
efforts, especially for critical infrastructures.
    Together with members from DHS and the National Labs, the 
ISAGCA and its member organizations such as Schneider Electric, 
Honeywell, Johnson Controls, and Mandiant have established a 
fully volunteer public-private partnership to deliver the 
ICS4ICS framework. The success of the program thus far 
indicates that it provides value for both the private sector, 
as well as Government.
    In a little over a year from its standup, the program has 
proven that it is possible to apply the NIMS Incident Command 
System framework to cyber incident responses in the private 
sector, credential and type cyber incident response roles into 
a common response structure, similar to fire and emergency 
services, as well as create draft common response templates to 
speed up responses and reduce error. This is especially 
critical when responding to events like ransomware attacks, as 
was the case with Colonial Pipeline.
    Poorly managed cyber incident responses can be devastating 
to our national security, safety, and economy. Even after 20 
years, many of the same response challenges that faced 
emergency responders on 9/11 continue to be challenges for us 
now, except in cyber incident response--lack of common response 
frameworks and interoperability.
    With so much at stake, we must effectively manage cyber 
incidents together, with both the private sector and 
Government. The Incident Command System allows us to do so. The 
effort is ramping up quickly and deserves a home in the United 
States Government. On behalf of the ICS4ICS effort, I 
respectfully request your bipartisan support for this important 
program, in requesting that the Government investigate ways to 
expand the spirit of language captured in Homeland Security 
Presidential Directive 5, which directed public-sector adoption 
of Incident Command System, to now encourage adoption within 
the private sector.
    Additionally, we respectfully request that Congress make 
the necessary plans and investments for the private sector to 
become trained and credentialed in Incident Command System and, 
lastly, that ICS4ICS be operationalized as an official 
Government program residing in the U.S. Department of Homeland 
Security or another entity, if appropriate.
    Thank you so much for your time today and your 
consideration. I look forward to answering any questions you 
all may have.
    [Ms. Samford's prepared statement follows:]

                                 
 Megan Samford, Vice President, Chief Product Security Officer-Energy 
Management, Schneider Electric, on behalf of the International Society 
              of Automation Global Cybersecurity Alliance
                              Introduction
    Chairman DeFazio, Ranking Member Graves, and Members of the 
Committee on Transportation and Infrastructure, on behalf of the 
International Society of Automation Global Cybersecurity Alliance--the 
ISAGCA--and its over 50 public- and private-sector automation and 
cybersecurity member organizations that cross all 16 critical 
infrastructure sectors and comprise over $1.5 trillion in aggregate 
revenue, thank you for the opportunity to testify on ``Incident Command 
System for Industrial Control Systems'' (ICS4ICS).
                                Abstract
    The private sector lacks a consistent, repeatable, and scalable 
framework to respond to day to day cyber incidents as well as cyber 
incidents where the impact spans partners, suppliers, customers, and 
coordination with local, state, and federal government. In the event of 
a large-scale cyber incident, this deficiency can lead to poorly 
executed responses that have impacts on lives and property.
    The goal of ``Incident Command System for Industrial Control 
Systems,'' which we refer to as ICS4ICS, is to identify how the private 
sector can adopt portions of the National Incident Management System 
(NIMS) Incident Command System (ICS) to ensure coordinated, uniform and 
more effective cyber-incident response.\1\ Implementing ICS4ICS at 
scale will help the United States more effectively coordinate cyber 
incident response and recovery efforts within the private sector, 
especially for critical infrastructures.
---------------------------------------------------------------------------
    \1\ IS-100.C: Introduction to the incident command system, ICS 100. 
Federal Emergency Management Agency / Emergency Management Institute. 
(n.d.). Retrieved October 28, 2021, from https://training.fema.gov/is/
courseoverview.aspx?code=is-100.c.
---------------------------------------------------------------------------
    Together with the United States Department of Homeland Security 
Cyber and Infrastructure Security Agency (CISA), the ISAGCA and its 
member organizations such as Schneider Electric, Rockwell Automation, 
Johnson Controls International, Honeywell, Ford Motor Company, Pfizer, 
Exelon, Mandiant, Dragos, ClarOTy, Nozomi, and Idaho National Labs, 
have established a public-private partnership to deliver the ICS4ICS 
cyber-incident response framework.\2\
---------------------------------------------------------------------------
    \2\ Greig, J. (2021, July 13). Cybersecurity organizations announce 
New First Responder Credentialing program. ZDNet. Retrieved November 1, 
2021, from https://www.zdnet.com/article/cybersecurity-organizations-
announce-new-first-responder-credentialing-program/.
---------------------------------------------------------------------------
    The success of the program thus far indicates that it provides 
value for both the private sector as well as government. This is 
evidenced by the number of daily, active volunteers, contributed by 
both the private sector and government. In a little over a year from 
its creation, the program has proven that it is possible to apply the 
NIMS Incident Command System framework to cyber-incident responses in 
the private sector, credential and type cyber-incident response roles 
into a common response structure (similar to fire and emergency 
services), as well as create draft common response templates to speed 
up responses and reduce error. This is all being done on volunteer time 
because the membership of this understands how badly the lack of 
scalability in cyber-incident response is hurting industries both in 
the United States, as well as globally.
    While we are pleased with the rate at which the program is growing 
through the ISAGCA, we recognize that to make it adoptable at scale, we 
need the bi-partisan support of this Congress in developing a path for 
the program to be transitioned to operations within the United States 
government.
    My name is Megan Samford.
    As the Advisory Board Chair of the ISA Global Cybersecurity 
Alliance, I am representing the member organizations that are strongly 
committed to securing the industrial control systems that are the heart 
and lungs of not only American but global critical infrastructures. As 
a global organization, members of the ISAGCA are all aligned around the 
ISA/IEC 62443 standard for cybersecurity for industrial automation. I 
am also the Vice President of Product Cybersecurity and Chief Product 
Security Officer for Schneider Electric's Energy Management business. 
Schneider Electric was a founding member of the ISAGCA and is committed 
to ensuring the efficiency, resiliency, sustainability, and 
cybersecurity of electric grids globally. Lastly, I am Co-Chair of the 
US Department of Homeland Security's Control Systems Working Group 
within the Cybersecurity and Infrastructure Security Agency (CISA).
    My background in emergency and incident management dates back to 
2007, when I graduated from Virginia Commonwealth University as one of 
the first 50 individuals in the United States with a Bachelor of Art's 
degree in Homeland Security and Emergency Preparedness. From there, I 
worked under Governors Tim Kaine and Bob McDonnell, lastly serving as 
Virginia's Critical Infrastructure Protection (CIP) Coordinator. During 
this time, I had great exposure to traditional physical security and 
emergency management principles, to include the NIMS Incident Command 
System, which I will refer to as ``ICS'' moving forward. I saw 
firsthand by working in the Virginia Emergency Operations Center (VEOC) 
that ICS was a great way to efficiently coordinate responses and I 
began to adapt much of the work I was doing in Critical Infrastructure 
Protection planning to model ICS principles. My first attempt at more 
closely integrating private sector response capabilities was in an 
article I published in 2014 titled, ``Framework for the Integration of 
Emergency Support Function, Infrastructure Protection and Supply Chain 
Management Efforts'' which aimed to describe how the private sector 
could ``hook into'' local, state, and federal disaster response efforts 
through integration with state level Emergency Operation Center 
Emergency Support Functions (ESFs).\3\ As such, the effectiveness and 
efficiency of coordinated responses between the private and public 
sectors has been a focus area of my work for nearly the past decade.
---------------------------------------------------------------------------
    \3\ Samford, M. (2014). Framework for the Integration of Emergency 
Support Function, Infrastructure Protection and Supply Chain Management 
Efforts. Homeland Security Today.
---------------------------------------------------------------------------
    Because of my background in critical infrastructure protection and 
focus on government and private sector collaboration, I was recruited 
into the private sector to help companies build and implement product 
cybersecurity programs, of which response has always been a strong 
element. I've had roles at both the tactical and strategic levels of 
program design and implementation, I've worked for the top 
manufacturers of Industrial Control Systems products and systems, and 
now I'm working on my third product security program, at Schneider 
Electric's Energy Management Business.
    Most recently, and what I am happy to testify on today, I became 
one of four cybersecurity first responders to be formally credentialed 
under the United States National Incident Management System Incident 
Command System as a Type I Cyber Incident Commander. This role plays a 
critical function in leading and directing cyber-incident responses as 
well as ensuring proper span and control, and resourcing. I am one of 
only four the United States has, and one of only two within the private 
sector: The other two are within the United States Army Reserves 
Innovation Command the United States Department of Homeland Security, 
respectively.
      Mark Bristow, Branch Chief, United States Department of 
Homeland Security, Cybersecurity and Infrastructure Security Agency 
(CISA)
      Colonel Brian Wisniewski, US Army Reserves Innovation 
Command G2/G6
      Neal Gay, Senior Manager, Managed Defense, Mandiant
      Megan Samford, Vice President, Product Cybersecurity, 
Schneider Electric

    Today, I hope to tell you what the ICS4ICS program is, why the 
United States government and private sector needs it, and why this 
effort needs a home in the United States government to scale.
                            What is ICS4ICS?
    ICS is a standardized, repeatable, and scalable approach to 
managing both day-to-day and complex incidents. It was created here in 
the United States during the 1970s as a result of the California 
Wildfire responses, where multiple fire departments and state and 
federal agencies had come together to respond in a unified and 
coordinated way.\4\ ICS has been tested in more than 40 years of 
emergency and nonemergency applications by all levels of government and 
in the private sector. At its foundation, ICS recognizes a need for 
different organizations to work together toward common goals.
---------------------------------------------------------------------------
    \4\ ICS 100--Incident Command System--USDA. (n.d.). Retrieved 
October 28, 2021, from https://www.usda.gov/sites/default/files/
documents/ICS100.pdf.
---------------------------------------------------------------------------
    ICS addresses:
      Nonstandard terminology among responding entities
      Lack of capability to expand and contract as required
      Lack of an orderly, systemic planning processes
      Nonstandard & nonintegrated communications
      Lack of personnel accountability, including unclear 
chains of command and supervision
      No common, flexible, predesigned management structure 
that enables commanders to delegate responsibilities and manage 
workloads efficiently

    In preparing for this testimony, I found the below expert from the 
United States Department of Agriculture Incident Command System 101 
Course material to be very helpful in plainly explaining what Incident 
Command System is.

        ``The Incident Command System or ICS is a standardized, on-
        scene, all-risk incident management concept. ICS allows its 
        users to adopt an integrated organizational structure to match 
        the complexities and demands of single or multiple incidents 
        without being hindered by jurisdictional boundaries. ICS has 
        considerable internal flexibility. It can grow or shrink to 
        meet different needs. This flexibility makes it a very cost 
        effective and efficient management approach for both large and 
        small incidents. Designers of the system recognized early that 
        ICS must be interdisciplinary and organizationally flexible to 
        meet the following management challenges:
          Meet the needs of incidents of any kind or size
          Be useable or repeatable for routine or planned 
        events such as conferences, as well as large and complex 
        emergency incidents
          Allow personnel from a variety of agencies to meld 
        rapidly into a common management structure
          Provide logistical and administrative support to 
        ensure that operational staff, such as Forensic investigators 
        and malware reverse engineers, can meet tactical objectives
          Be cost effective by avoiding duplication of 
        efforts'' \4\
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        

    The above chart explains the five basic management functions within 
ICS: Command, Operations, Planning, Logistics, and Admin/Finance. As 
incidents expand, additional sub structures can be broken out to 
support scaling incidents. The functions apply in both small- and 
large-scale incidents.
    A key principle within the application of the management functions 
is span of control. No one leader can have more than seven people 
directly reporting to them to ensure span of control. This helps to 
ensure accountability and reduce confusion during responses.\4\ Of 
note, is that as incidents contract, the organization can scale down 
accordingly, until only a few responders remain to support the 
incident.\4\
    Since its early adoption in the 1970s, to its full adoption across 
the public sector today through the Federal Emergency Management Agency 
(FEMA), the Incident Command System has saved thousands of lives, 
businesses, and property; has been endorsed by the United Nations; and 
now, the most developed countries in the world follow this system for 
emergency management.\5\ Every local fire, EMS, state agency, and 
federal response entities in the US follow and know ICS by heart--it's 
simply how we respond.
---------------------------------------------------------------------------
    \5\ Millner, G. C., & Murta, T. L. (n.d.). Incident management. 
Incident Management--an overview / ScienceDirect Topics. Retrieved 
October 28, 2021, from https://www.sciencedirect.com/topics/nursing-
and-health-professions/incident-management.
---------------------------------------------------------------------------
    Additionally, many private sector organizations now use ICS to run 
day-to-day operations, planned events, as well as responses because of 
its proven effectiveness in safety critical environments. This is 
particularly common within electric utility companies. ICS has been a 
gift to the world and the United States should be proud of this proven 
response framework.
     The Private Sector Cyber-Incident Response Problem--Scaling & 
                            Interoperability
    Having worked in product security programs for nearly a decade, I 
speak from experience when I say that while individual companies may 
have a cyber response plan, or ``playbook'' as they are commonly 
referred, that is robust and effective, these plans often suffer during 
larger crisis because of a lack of coordination capacity that can scale 
outside of their organization, and their control.\6\ Each plan is 
unique to the organization and defines who does what within the 
organization, notification procedures, technical team capabilities, 
interaction with legal and communications, and regulatory 
requirements--the playbooks are comprehensive, but written on a 
company-by-company basis and lack interoperability. Existing 
cybersecurity standards do not specifically address a larger response 
framework concept like ICS.
---------------------------------------------------------------------------
    \6\ Singh, A. What are cyber incident response playbooks & why do 
you need them? APMG International. Retrieved October 28, 2021, from 
https://apmg-international.com/article/what-are-cyber-incident-
response-playbooks-why-do-you-need-them.
---------------------------------------------------------------------------
    The breakdown with this planning approach occurs when the response 
is larger than one organization. The individual plans cannot scale 
effectively into a collaborative response when multiple companies, 
jurisdictions, and government entities need to be brought to bear for a 
large-scale attack scenario. The Solar Winds supply chain attack 
highlights the trend that cross-company, cross-sector, multiple party 
responses are on the rise. Currently, there is no repeatable and 
consistent framework to support cyber-incident response 
interoperability among the stakeholders.
     What Are the Larger Impacts of not Having a Common Framework?
    The larger impacts for both the private sector and the government 
of not having a common framework are that disasters can become 
catastrophes when the responses cannot be contained. The consequences 
of not having a structure like ICS4ICS can lead to inefficient and 
costly responses, both for life and property due to a lack of a common 
response framework.
    From my observations, for the private sector:
      There lies an inability for responses to scale outside of 
one or two organizations. No larger structure exists for the private 
sector to share resources through mutual aid agreements.
      There is no standard terminology, ``common language'', or 
common response templates. Common language and templates help to speed 
up responses and lessen confusion. Lack of communications 
interoperability was cited in the Implementing Recommendations of the 
9/11 Commission Act of 2007.\7\
---------------------------------------------------------------------------
    \7\ Implementing recommendations of the 9/11 . . .-congress.gov. 
(n.d.). Retrieved October 28, 2021, from https://www.congress.gov/110/
plaws/publ53/PLAW-110publ53.pdf.
---------------------------------------------------------------------------
      There are no ``typed'' cyber-incident responder roles. 
Typing is a way of characterizing roles so that they are shared across 
a function. Example: A Type 1 Incident Management Team in Virginia has 
essentially the same training and experience as a Type 1 Incident 
Management Team in California. This creates baseline capability and 
understanding and is a foundational premise of Incident Command System.
      The private sector playbooks are based on traditional 
enterprise information technology and are focused on tactical actions 
needed to mitigate harm to the organization, gather evidence, and 
determine what internal and external escalations/notifications are 
needed.
      Time and resources are not well tracked or managed 
resulting in response fatigue, and hindered decision making over 
extended operational periods. Surge capacity is rarely available to 
provide relief, which also compounds response fatigue.

    From my observations, what this in turn means for the government 
is:
      Out of the many defined natural and man-made disaster 
types, cyber is the only disaster type that currently does not follow 
Incident Command System.
      If 85% of critical infrastructures are owned and operated 
within the private sector, the US government lacks a way to effectively 
coordinate under a common structure with a large percentage of its 
cyber response resources.
      There is a lack of understanding of the degree of cyber 
expertise and capability the private sector could bring to bear.

    If you take the example of the Colonial Pipeline ransomware attack, 
the asset owner and operator had detected ransomware on the enterprise 
network and made the decision to safely shut down pipeline operations 
to prevent the potential spread of the ransomware into that safety 
critical environment. For all intents and purposes, this was a 
responsible decision given the information available to decision makers 
at that time. What we see in this scenario is that the major impacts of 
the attack occurred not from the inherent ransomware attack, but from 
the cascading impacts of proactively shutting down the pipeline. Again, 
``disasters become catastrophes when responses cannot be contained''.
    While shutting down pipeline operations was the appropriate and 
safe decision, the cascading impacts of that decision meant the 
response became less centralized because other impacted organizations, 
such as the United States Department of Homeland Security, were brought 
in to support the response. While I was not personally involved in the 
response and remediation efforts, it can be inferred from the aftermath 
that a unified public and private coordination structure could have 
resulted in increased public confidence over the response. The lack of 
public confidence and trust contributed to reactionary demand for gas, 
resulting in shortages.
    While the Colonial Pipeline example demonstrates how large 
responses can scale, even for mature and well-resourced organizations, 
in many cases, smaller organizations face even larger resource 
constraints. A system like ICS4ICS can help companies provide mutual 
aid to one another. This is not unlike how electric utility companies 
share lineman during power restoration efforts following hurricanes. 
You frequently see lineman from Dominion Energy based in Virginia 
support hurricane recovery efforts in Florida. As such, the electric 
utilities are also investigating the use of ICS4ICS: Sharing resources 
is a well understood concept for that industry.
                          The Idea of ICS4ICS
    Given these critical gaps and my past experience as an emergency 
manager, I had the idea to apply the NIMS Incident Command System 
framework and train cyber-incident responders in the same way we train 
every other first responder in the United States. I put pen to paper 
and drafted a cyber-incident coordination framework that could be 
applied to cyber-incident responses based on Incident Command System.
    After I introduced the ICS4ICS idea at one of the largest 
Industrial Control Systems Cybersecurity conference in the world, the 
ISAGCA agreed to pick up the effort and it has grown: We now have 
training programs on ICS4ICS, have updated response templates, and we 
are educating cybersecurity experts on the framework.
  Approach of ICS4ICS in Delivering Cyber Response Capability to the 
                             Private Sector
    Through ICS4ICS we are encouraging member organizations to start 
adoption by overlaying this organizational structure over their current 
response playbooks. We are not suggesting that ICS4ICS become a 
replacement for existing response playbooks; instead, the Incident 
Command System should be applied as a higher-level way of structuring 
command and control as well as management of resources. The typing of 
resources is also significant as it enforces common terminology and 
expectations for each typed role.
    Currently ICS4ICS has over 350 cyber volunteers registered to 
become credentialed--most within the United States but there has been 
increasing interest from cyber security experts in Europe, Canada, 
Latin America, Asia, Australia, and New Zealand. These international 
groups will likely stand up their own local implementation and 
credentialing processes. To become credentialed, a cyber-incident 
responder must:
      Submit an application to ICS4ICS
      Create an account through FEMA's One Responder system
      Complete 18 hours of online FEMA ICS training (the 
courses may be able to be shortened at a later date)
      Complete the Position Task Book application clearly 
demonstrating where the applicant has obtained experience working 
cyber-incidents (a third-party verification is required to be filled 
out by a former supervisor or person in an authority role for the 
described cyber-incident)

    Once the application is completed, the applicant will receive 
notice of the opportunity to appear before the ICS4ICS adjudication 
committee (includes a representative from DHS CISA) to discuss their 
application and answer any questions the adjudication committee may 
have. Once approved, the credential is assigned and documented within 
the FEMA One Responder portal.
    Below is an example template that can be used by the private sector 
when organizing a response in an Operational Technology (OT) 
environment:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    The next phase of the program will include continued creation of 
response plan templates, hazard specific annexes to support events like 
ransomware, Incident Action Plan templates, and needed credentialing. 
DHS will also need to decide if private sector companies with trained 
cyber-incident responders should integrate into the current NIMS, state 
multi-agency coordination center (MACC) model, or if a centralized 
office should be created within DHS.
                                Closing
    Poorly managed cyber-incident responses can be devastating to our 
national security, health and safety, and economy. Even after twenty 
years, many of the same response challenges that faced emergency 
responders on 9/11 continue to be challenges for us now, except in 
cyber-incident response--lack of common response frameworks and 
interoperability. With so much at stake, we must effectively manage 
cyber-incidents, together, with both the private sector and government. 
The Incident Command System allows us to do so.\4\
    This effort is ramping up quickly and deserves a home in the United 
States government. On behalf of the ICS4ICS effort, I respectfully 
request your bi-partisan support for this important program in 
requesting the government investigate ways to expand and enhance the 
spirit of language captured in Homeland Security Presidential 
Directive-5 to encourage adoption of Incident Command System within the 
private sector for cyber-incident response:

        ``The Federal Government recognizes the role that the private 
        and nongovernmental sectors play in preventing, preparing for, 
        responding to, and recovering from terrorist attacks, major 
        disasters, and other emergencies. The Secretary will coordinate 
        with the private and nongovernmental sectors to ensure adequate 
        planning, equipment, training, and exercise activities and to 
        promote partnerships to address incident management 
        capabilities.'' \8\
---------------------------------------------------------------------------
    \8\ Homeland Security Presidential Directive 5. (n.d.). Retrieved 
October 28, 2021, from https://www.dhs.gov/sites/default/files/
publications/Homeland%20Security%20Presidential
%20Directive%205.pdf.

    Additionally, we respectfully request that Congress make the 
necessary plans and investments for the private sector to become 
trained and credentialed in Incident Command System in the same way 
that fire and emergency services are trained today, and lastly, ICS4ICS 
be operationalized as an official government program, residing in the 
United States Department of Homeland Security, or another entity, if 
---------------------------------------------------------------------------
appropriate.

    Mr. DeFazio. Thank you, Ms. Samford.
    Mr. Farmer?
    Mr. Farmer. Thank you, sir.
    Mr. DeFazio. You are recognized for 5 minutes.
    Mr. Farmer. Thank you, sir. Chairman DeFazio, Ranking 
Member Crawford, members of the committee, thank you all for 
the opportunity to address such an important subject on behalf 
of America's railroads.
    Across the industry, railroads and the organizations that 
support them take their role as critical infrastructure 
underpinning the U.S. economy very seriously. In all efforts, 
the commitment to safety is paramount. This commitment applies 
with equal strength to our comprehensive and collaborative 
effort in cybersecurity.
    The key point we hope you take away today is this: 
railroads have a proven and longstanding commitment to 
collaboration within our industry, across sectors, and with 
Government to protect against cyberattacks. The underlying 
premise is that prevention is attainable with the right 
structures supporting the right people armed with timely and 
actionable cyber threat intelligence and security information. 
We can prevent attacks and mitigate their effects, should they 
occur.
    The right people with the experience--cybersecurity 
professionals and railroads, deeply familiar with their 
networks and operations, who bring expertise and judgment to 
bear in planning, protective measures, and collaborative 
efforts. They ensure those fundamental measures outlined by the 
chairman earlier are taken consistently and effectively.
    Serving as a focal point for the industry's unified effort 
is the Rail Information Security Committee, the right structure 
formed by major freight, railroads, and Amtrak more than two 
decades ago. Comprised of chief information security officers 
and cybersecurity leads for railroads and industry 
organizations, the committee focuses continuously on addressing 
cyber threats, incidents, and significant security concerns.
    What are we seeing?
    Sharing effective practices and protective measures, what 
we are doing about it.
    Coordinated cyber incident response planning, how we work 
together, effectively.
    Benchmarking cybersecurity posture against the NIST 
cybersecurity framework, continuous attention to how we can get 
better.
    Working with key industry suppliers in a dedicated joint 
coordination and information-sharing group, how we strive to 
detect and act upon vulnerabilities and concerns before they 
can be exploited.
    And engaging proactively with Government departments and 
agencies of the United States and Canada, how we support 
informed vigilance and effective action across sectors.
    The industry, as a whole, benefits from the expertise and 
shared experience, accomplishments, and priorities of network 
protection for safety and operational resilience.
    In support of this vital work, a top priority for our 
industry is maximizing effectiveness through information 
sharing. Reports by railroads and industry organizations is a 
linchpin for this effort. These reports are made to the Railway 
Alert Network, which works with the reporting railroad to 
produce a cybersecurity advisory on the activity of concern, 
describing how it manifested, what the indicators are, and what 
measures should be taken to narrow risk profile. Through this 
network we disseminate these advisories widely, among freight 
and passenger railroads in the United States and Canada, and to 
hundreds of recipients and fellow Government organizations, 
including CISA, TSA, the FBI, DOT, the Department of Defense 
commands, and Transport Canada.
    Further, meeting a commitment we made at the inaugural 
Transportation Sector Cybersecurity Tabletop Exercise held by 
TSA in August 2015, we shared with the advisors and 
representatives of each of the transportation modes and other 
critical infrastructure sectors, and we have done so 
consistently for more than 6 years now.
    Unfortunately, what we have not seen is consistency in 
analyses of the reports we have submitted to Government 
organizations. And we believe these efforts can and should be 
enhanced, and are committed to working with Government for this 
purpose.
    The overall aim remains consistent: get the right 
information through the right structures to the right people to 
make a difference. Government action should foster these proven 
collaborative efforts in order to expand them and enhance them, 
not override or disrupt them.
    The President specifically urged this caliber of 
collaborative effort in his National Security Memorandum on 
Improving Cybersecurity, issued in late July of this year. The 
railroad industry supports the President's approach and desired 
outcomes. We sought to attain them in a third proposal 
submitted to TSA in mid-August on enhancing cybersecurity 
posture across the transportation sector.
    However, in early October, the Secretary of Homeland 
Security announced that TSA will issue security directives to 
mandate cybersecurity actions by railroads and rail transit 
agencies. These mandates are not only unnecessary, but also 
could prove counterproductive, disrupting well-established and 
proven practices. Railroads are meeting the main mandates the 
planned directives will impose, but the prescriptive elements 
for each raise serious concerns that what we have done so well 
and for so long, in partnership with Government, will be 
undermined. We must avoid a command-and-control approach, and 
instead build upon an impressive track record of collaboration.
    My written statement to the committee outlines 
considerations for legislative action on cybersecurity, on 
which I am happy to address questions this morning. But two 
points merit emphasis here.
    First, Congress has already acted effectively through the 
Cybersecurity Information Sharing Act of 2015. This statute is 
vastly underutilized by security agencies and Government. It 
should not be, for it expressly authorizes sharing of cyber 
threat intelligence and related security information within 
industries, across sectors, and between industry and 
Government. It also provides essential protections that build 
and alleviate impediments to the flow of timely and actionable 
information. Had this statute been effectively implemented, it 
would not be even a perceived need for new legislation or 
security directives on cyber incident reporting.
    And second, the gap in analysis of reporting of significant 
cybersecurity concerns should be resolved, closed, by expanding 
the analytical capabilities of systems workforce before any 
more mandates requiring more reporting are made. CISA Director 
Jen Easterly testified earlier this week, emphasizing her view 
that her agency's most effective role is in support and 
collaboration for sustained enhancements across sectors of 
cybersecurity posture. Legislation should enable accomplishment 
of this admirable purpose.
    In closing, we are proud that we have been proactive, 
effective, and collaborative for so long in this challenging 
arena. Policymakers here and executive agencies play an 
important role alongside private enterprise. Creating nimble 
and effective--without concerns for liability or enforcement 
action and financial penalties for business is vital.
    As Congress considers new measures, please look to build 
upon the collaborative approach that has largely succeeded to 
date. Thank you, and I am very happy to address any questions 
you may have this morning.
    [Mr. Farmer's prepared statement follows:]

                                 
  Thomas L. Farmer, Assistant Vice President-Security, Association of 
                           American Railroads
    On behalf of the members of the Association of American Railroads 
(AAR), thank you for the opportunity to offer this testimony. AAR's 
freight railroad members account for the vast majority of North 
American freight railroad mileage, employees, and traffic. Passenger 
railroad members include Amtrak and several major commuter carriers as 
well.
    Railroads are indispensable to our nation. They connect producers 
and consumers of goods across the country and the world, expanding 
existing markets and opening new ones. Whenever Americans grow 
something, mine something, or make something; when they send goods 
overseas or import them from abroad; when they eat their meals or take 
a drive in the country, there's an excellent chance freight railroads 
helped make it possible. Passenger railroads enhance mobility and 
connectivity, alleviate highway and airport congestion, reduce 
pollution, promote local and regional economic development, and improve 
transportation safety.
Unified Commitment to Security Preparedness, and Continuous Improvement
    Railroads and rail industry organizations address both cyber and 
physical security through unified efforts under a longstanding 
comprehensive security plan. Applying a risk-based and intelligence-
driven approach to rail security, this plan has four alert levels that 
call for increasingly stringent security measures.
    Responsibility for managing the security plan and assuring its 
sustained effectiveness to meet evolving threats is vested in two 
dedicated industry coordinating committees: the Rail Security Working 
Committee, which is comprised of senior law enforcement and security 
officials focused on domestic and international terrorism; and the Rail 
Information Security Committee (RISC), which consists of the chief 
information security officers and information assurance officials of 
major North American railroads, with support from security experts at 
AAR and the American Short Line and Regional Railroad Association 
(ASLRRA). The rail industry, through RISC, has maintained a dedicated 
and effective coordinating forum for cybersecurity protection and risk 
mitigation for more than two decades. Together, the two committees 
constitute the Rail Sector Coordinating Council (RSCC), which serves as 
the rail industry's main channel of communication and coordination with 
government agencies on cyber and physical security and preparedness.
    Because of the devoted work of these committees, the rail 
industry's security plan does not just sit on a shelf, occasionally 
taken down and dusted off. Rather, it is a living document, evaluated 
and enhanced continuously through recurring exercises, integration of 
effective practices, and frequent consultations with government and 
private-sector security experts to ensure maximum sustained 
effectiveness in the face of evolving security threats. Early in 2020, 
the two industry committees completed the most substantial review and 
update of the plan since its inception some 20 years ago. This update 
highlighted the substantial progress the industry has made in terms of 
capabilities, monitoring and analysis of threats, coordination with 
government agencies, electronic reporting, and joint decision-making on 
alert levels, measures, and actions.
                Railroads Address Cybersecurity Head On
    Railroads of all kinds rely on advanced software and information 
technology in every aspect of their operations. These technologies run 
the gamut from advanced train dispatching software to smart sensors 
along tracks that identify equipment in need of repairs, and from real-
time shipment tracking tools to sophisticated train control technology.
    Railroads recognize their critical importance to our nation, as 
well as the risks associated with their extensive reliance on 
information technology, which is why they are continuously on guard 
against cyberattacks and working diligently to enhance their 
capabilities to guard against them. Railroads' cybersecurity efforts 
are comprehensive, multi-faceted, and supported by specialized, highly 
skilled cybersecurity staff.
    A recent report by the Congressional Research Service rightly 
concludes, ``Cybersecurity is a risk management process rather than an 
end-state. It involves continuous work to (1) identify and (2) protect 
against potential cybersecurity incidents; and to (3) detect; (4) 
respond to; and (5) recover from actual cybersecurity incidents.'' 
Entities ``may choose to evaluate their information technology (IT) 
risks by understanding the threats they are susceptible to, the 
vulnerabilities they have, and the consequences a successful attack 
might have for their mission and their customers.'' \1\ The rail 
industry consistently focuses on these priorities through unified, 
multifaceted, and proactive cybersecurity efforts.
---------------------------------------------------------------------------
    \1\ Congressional Research Service, ``Federal Cybersecurity: 
Background and Issues for Congress,'' September 29, 2021. Available at 
https://crsreports.congress.gov/product/pdf/R/R46926.
---------------------------------------------------------------------------
          Rail Industry Cybersecurity Efforts Span Two Decades
    For railroads, cyber awareness is a fundamental component of their 
day-to-day operations, but even the best cybersecurity plans and 
practices will falter if useful information on cyber threats is not 
shared. Information sharing allows organizations to learn from one 
another, reduce their vulnerabilities, and quickly adapt to changing 
conditions. For this reason, railroads and industry organizations 
prioritize proactive engagement with government partners to share 
information on cyber threats and effective countermeasures. Insights 
gained from risk assessments and threat advisories, along with 
experience gained in drills, enable railroads and industry 
organizations to incorporate effective safeguards and protective 
measures into their own systems.
    The rail industry focuses on analyzing four categories of 
protective measures: the tactics most commonly employed to gain illicit 
access to computer systems; vulnerabilities most commonly exploited; 
indicators of illicit activities most often noted in post-incident 
analyses that were missed or disregarded; and protective measures that 
could have made a difference if they had been implemented. We use these 
four categories based on experience best demonstrated by the Australian 
Cyber Emergency Response Team (CERT), which found that the vast 
majority of the cyberattacks against private entities in which CERT 
provided aid would not have been successful if the targeted entity had 
paid sufficient attention to these four protective measures.
    Further steps that the rail industry has taken to enhance timely 
information sharing, in coordination with partners at DHS, FBI, TSA, 
and DOT, include:
      Deploying secure telephone equipment to connect major 
railroads, the AAR, and government officials.
      Sharing classified information with authorized Canadian 
railroad officials who hold security clearances issued by the 
government of Canada.
      Establishing a classified information sharing network 
with TSA, which enables authorized rail industry personnel to review 
relevant materials in dozens of metropolitan areas nationwide.
      Participating in a multi-industry initiative with DHS to 
establish a secure video teleconference network that simultaneously 
links more than 40 U.S. metropolitan areas.

    As a result of these cooperative efforts between industry and 
government, what had often required weeks, or even months, of effort 
can often now be accomplished in hours. This progress greatly enhances 
the ability of those in the private and public sector to identify and 
effectively respond to cyberthreats in a collaborative manner.
 The President Urges Government-Industry Collaboration on Cybersecurity
    The rail industry supports the President's emphasis on government-
industry collaboration to enhance cybersecurity as laid out in the 
National Security Memorandum on Improving Cybersecurity for Critical 
Infrastructure Control Systems, issued on July 28, 2021.
    In response to the memorandum, the rail industry developed a 
detailed proposal on how government and industry can work 
collaboratively to elevate cybersecurity posture in all transportation 
modes. We submitted this to TSA just three weeks after the memorandum 
was issued and more than a month before TSA's initial outreach to 
stakeholders regarding Security Directives to mandate cybersecurity 
measures by railroads and rail transit agencies.
    Work on this initiative began over two months earlier in the wake 
of the Colonial Pipeline cyberattack. In early June 2021, AAR's 
security lead joined his colleague at the American Public 
Transportation Association (APTA) to propose a ``strategic concept'' 
for enhancing cybersecurity in the transportation sector. Over the next 
couple of months, the rail industry took the lead in drafting this 
strategic concept.
    Submitted in mid-August, the industry proposal delineates 13 areas 
of emphasis that outline actions for transportation organizations and 
federal government organizations to take to implement TSA's 
Cybersecurity Roadmap. TSA Administrator David Pekoske has frequently 
cited the Roadmap as defining ``clear pathways'' for enhancing 
cybersecurity posture and mitigating cyber risk in the transportation 
sector. Additionally, the rail industry's August proposal covers 
recommend conduct of cybersecurity self-assessments, something on which 
TSA plans to issue a non-compulsory information circular.
    Unfortunately, although the rail industry's strategic concept 
proposal was submitted in August and meets the President's repeated 
emphasis on collaboration to enhance critical infrastructure 
cybersecurity, we have received no official response.
                TSA Security Directives Are Unnecessary
    As members of this committee know, in public remarks about a month 
ago, Secretary of Homeland Security Alejandro Mayorkas announced that 
TSA will issue Security Directives laying out cybersecurity actions and 
measures that must be implemented by ``higher-risk railroad and rail 
transit entities.'' In making this announcement, Secretary Mayorkas 
said, ``There is no better example of how the cybersecurity threat can 
impact our lives than in the transportation sector and how people 
commute, see one another, engage with one another.''
    Railroads and industry organizations certainly agree that the 
cybersecurity threat merits priority attention--as demonstrated by the 
rail industry's rigorous attention to this issue for more than 20 
years. Significantly, each of the actions the Secretary said will be 
covered by TSA security directives for railroads and rail transit 
agencies is already covered by the rail industry's August 2021 proposal 
noted above. Put another way, railroads are already doing what they 
should be doing in terms of cybersecurity.
    Moreover, issuing a Security Directive is an exercise of emergency 
authority by the TSA Administrator that allows imposition of 
requirements ``immediately in order to protect transportation 
security.'' \2\ Railroads and rail industry organizations have not been 
advised by federal officials of any prevailing emergency conditions 
that justify use of this authority, despite the many opportunities 
available. TSA officials have indicated that work to produce and 
provide a current cyber threat briefing is ongoing, but to our 
knowledge no briefing has been proposed or scheduled for this purpose.
---------------------------------------------------------------------------
    \2\ 49 U.S.C. Sec.  114(l).
---------------------------------------------------------------------------
    In addition, the Security Directives could undermine the 20-year 
effort of the industry to develop and share cybersecurity information 
among railroads and government agencies, as explained above. If reports 
are required to be made to government and are deemed security-sensitive 
information, then private industry stakeholders may be reluctant to 
share the information through our established network. This outcome 
will ultimately have a deleterious effect on the security of the 
industry and the purported goal of these proposed Security Directives.
    Lastly, the announcement of the Security Directives has produced 
erroneous perceptions that railroads, and rail transit agencies, have 
not been rigorously and effectively engaged for many years in defending 
against cyber threats. This false impression could have negative ripple 
effects if rail customers and the communities in which railroads 
operate lose confidence in railroads' ability to operate safely and 
securely.
    Railroads' cybersecurity efforts are far more likely to be 
effective if they involve continued collaborative efforts with 
government than if they are mandated through top-down security 
directives or rulemakings. To that end, our concerns are as follows:
      The requirement that the appointed primary and alternate 
cybersecurity coordinators be U.S. citizens will make compliance by two 
major Canadian railroads (CN and Canadian Pacific) that also have 
substantial U.S. operations extremely difficult. Given that TSA and the 
rail industry have long successfully shared classified information with 
Canadian nationals who hold security clearances issued by the 
government of Canada, this prescriptive measure is unwarranted.
      The mandate to report a ``cybersecurity incident'' is 
overly broad and, if left unchanged, will result in high volumes of 
reports on matters that are not significant from a cybersecurity 
perspective. The directive should focus instead on ``significant'' 
cybersecurity incidents so that developing threats and effective 
preventive measures can be more readily identified.
      The inflexibility of an overriding government mandate of 
risk-based determinations on preparedness and response planning, 
protective measures, and implementing capabilities.
          What Future Cybersecurity Legislation Should Include
    As noted above, information sharing is crucial to the success of 
all cybersecurity plans. The Cybersecurity Information Sharing Act of 
2015 (CISA 2015) expressly authorized sharing of cyber threat 
intelligence and related security information and created a framework 
of protection to facilitate and encourage such exchanges within 
industries, across critical infrastructure sectors, and with federal 
government entities. Unfortunately, many of the authorizations and 
protections Congress established in CISA 2015 have either been 
inconsistently utilized or left unimplemented.
    Policymakers should build upon the collaborative approach described 
in this testimony and that has worked effectively for years, rather 
than implementing mandates that would needlessly disrupt existing 
organizational structures and practices that prove their value daily. 
In this regard, freight railroads respectfully suggest that the 
following elements should be included in future cybersecurity 
legislation:
1. Include the reasonable protections provided in CISA 2015.
      Antitrust exemptions, civil liability protections, and 
other protections (Division N-CISA 2015; Secs. 104(e), 105(d));
      Disclosure law exemptions, such as freedom of information 
statutes, open meetings laws, or similar enactments requiring the 
disclosure of information or records at the state, federal, and tribal 
or territorial levels (Division N-CISA 2015; Sec. 104(d)(4)(B)(ii)); 
and
      Certain regulatory use exemptions, which prevent any 
federal, state, tribal, or territorial government from bringing an 
enforcement action based on the sharing, but not the development or 
implementation, of a regulation (Division N-CISA 2015; Sec. 
104(d)(4)(C)(ii)).

    Together, these provisions provide reporting entities with the 
protections and confidence needed to sustain the unencumbered flow of 
cybersecurity information with government authorities. Including these 
protections in all future cybersecurity legislation will build upon the 
successful partnerships CISA 2015 has formed.
2. Expand the analytical capabilities of the Cybersecurity and 
        Infrastructure Security Agency's (CISA) workforce.
    Private sector entities, including railroads, already report 
significant cybersecurity incidents and security concerns to CISA and 
other federal government agencies. A persistent challenge, raised often 
by private sector entities with federal partners, is the lack of 
analysis of the reports by the government. Given the breadth of the 
reporting mandate in the planned Security Directives for railroads and 
rail transit agencies, the volume of reporting to CISA will increase 
substantially. CISA must have the capacity to review, evaluate, and 
analyze reports received from railroads and rail transit agencies. 
Feedback should focus on why the reported activity matters to those 
transportation organizations and what can be pragmatically done in 
order to narrow future susceptibility. The lack of this focused 
analysis and feedback to transportation sector entities indicates that 
CISA may lack staffing and resources to meet this need.
3. Direct CISA to regularly update a cyber threat profile based on 
        analyses of attacks, failed attempts, and successful 
        disruptions.
    This profile should focus on the following parameters:
      Tactics most commonly used to perpetrate breaches;
      Vulnerabilities most frequently targeted and exploited;
      Protective measures most often found lacking or 
inadequately implemented that could have prevented incidents; and
      Indicators of developing threats that are often missed or 
misunderstood.

    The aim is to build understanding of how prevailing cyber threats 
materialize and the measures most effective to prevent them or 
seriously mitigate their adverse effects. The profile should undergo 
constant review to enable updates on a quarterly basis. Organizations 
across sectors and industries would contribute to the development of 
this profile through reporting on significant cyber threats, incidents, 
and indicators of concern and on measures or actions taken for risk 
mitigation.
4. Direct CISA and Sector Risk Management Agencies (SRMAs) to work with 
        private entities to establish early notification networks.
    The importance of cyber-attack analyses rests in what they yield, 
which are discernible indicators that assist in identifying the illicit 
activity that took place. Consistency in identifying and sharing these 
indicators in a timely and efficient manner is crucial to prevent and 
mitigate future attacks. Early notification networks provide an 
effective means for proactive, streamlined, and continuous sharing by 
governmental and private entities of these types of indicators based on 
trust and shared interests.
5. Define and publicize procedures for stakeholders to submit requests 
        for information (RFIs) and requests for assistance (RFAs) to 
        enhance cooperative cybersecurity efforts.
    As part of cyber preparedness plans, as well as in the wake of a 
cyber-attack that affects a particular entity or industries, 
organizations across sectors use RFIs and RFAs to gain insights based 
on federal analyses of cyber threats and risk mitigation measures. 
Timely responses can make prevention attainable. Unfortunately, CISA, 
Sector Risk Management Agencies (SRMAs), and other federal components 
lack consistency regarding submission, review and consideration, and 
responses to RFIs, RFAs, and proposals for action to enhance 
cybersecurity. Ad hoc processes are applied. These can vary 
substantially with the type of incident, the information or action 
sought, and the federal government organization that takes 
responsibility for acting on the request or proposal. The result is a 
lack of response or an action that fails to meet the stated needs or 
reasonable expectations.
6. Direct CISA to establish consistent standards for software bills of 
        materials (SBOM) from vendors and suppliers
    A recurring theme in the evaluation by CISA of cyber-attack 
campaigns over the past year is the exploitation of vulnerabilities in 
software that end users could not detect. To redress this gap in 
cybersecurity awareness, CISA has repeatedly urged end users to ask 
their suppliers to provide a software bill of materials that provides 
an inventory list of all open source/third-party components present in 
the source code used to build a particular software system, 
application, or software or component. Legislation should transition 
CISA's recommended measure and define consistent and effective 
practices for vendors and suppliers of information technology. Proven 
supported equipment, devices, and components need to produce sturdy 
software bills of materials and make them available or accessible to 
their buyers and end users.
    The railroad industry, TSA, and CISA share a common purpose: 
ensuring that effective and sustainable measures are in place, and 
regularly reviewed for continuous improvement, to mitigate risk in the 
face of evolving cyber threats. Railroads have a proven track record of 
cooperative engagement with federal agencies, and we firmly believe 
that collaborative effort is the best way to achieve this aim. We 
should be afforded the opportunity to do what the President so rightly 
urges in his National Security Memorandum.
    Thank you again for the opportunity to present this testimony. When 
it comes to cybersecurity, railroads have been proactive, effective, 
and collaborative for many years. They will continue to work 
cooperatively with private and public entities to ensure that our 
nation's rail network and the people, firms, and communities it serves, 
remain protected.

    Mr. DeFazio. OK, thank you, Mr. Farmer.
    Mr. Stephens?
    Mr. Stephens. Chairman DeFazio, Ranking Member Crawford, 
and distinguished members of the committee, good morning. My 
name is Michael Stephens. I am the general counsel and 
executive vice president for information technology at Tampa 
International Airport. We thank you for the opportunity to 
participate in today's hearing, and to offer the aviation 
perspective.
    More than 2.9 million passengers travel through America's 
airports each and every day. The five largest U.S. airports 
alone have more passengers flowing through them than the entire 
population of the United States.
    U.S. commercial airports are connected, critical 
infrastructure ecosystems that are essential not only to our 
Nation's economic prosperity, but to our national security.
    The aviation industry accounts for more than 5.2 percent of 
our national GDP and supports nearly 11 million jobs.
    The aviation sector, like other sectors represented here 
today, faces significant challenges from persistent and 
increasingly pernicious cyber threats. In short, digital code, 
computers, and keyboards have become the newest tools of 
criminals, and the preferred weapons of war for nation states 
and other U.S. adversaries.
    It is my opinion that cybersecurity threats, without 
question, represent the most persistent danger to the safe, 
secure, and efficient operations of U.S. airports in the global 
aviation system. And while there is no silver bullet or perfect 
defense against cybersecurity threats, there are numerous 
critical activities that can be undertaken by key stakeholders 
to increase our overall cybersecurity preparedness and 
resilience.
    For the purpose of this hearing, I have distilled my 
remarks down to four key areas.
    First, the mandatory adoption of minimum cyber standards. 
Although aviation and airports and other sector stakeholders 
have engaged in building and achieving various levels of cyber 
maturity, there are currently no significant requirements for 
adherence to minimum baseline standards or preparedness 
frameworks. Given the growing threat environment, the aviation 
sector has approached an inflection point, where voluntary 
cyber compliance is simply no longer adequate. I believe 
significant consideration should be given by aviation sector 
regulatory agencies to mandating the adoption and periodic 
testing of established cybersecurity standards and resiliency 
frameworks.
    Second, the timely and effective sharing of information and 
threat intelligence is essential to assessing and mitigating 
cyber vulnerabilities. Consideration should be given to 
mandatory disclosure of critical and actionable cyber incidents 
that meet an agreed-upon threat threshold, irrespective of 
whether or not the incident resulted in an actual data breach 
or system compromise.
    Third, we must close the human factors gap. Notwithstanding 
the most effective standards, technological defenses, and 
threat sharing efforts, the human factor remains the most 
highly exploited vector for penetrating cyber defenses.
    The aviation sector has taken cybersecurity seriously and 
continues to implement processes to enhance cyber awareness and 
security. However, the depth and the quality of training can 
vary significantly, depending upon the entity. Requiring the 
adoption of baseline standards, which establish minimum 
training requirements for critical aviation sector employees 
should be given significant consideration.
    And finally, we must dramatically increase our national 
focus on workforce development in order to build our cyber 
defense capacity. In short, we are losing the race for talent. 
In the U.S., we have a critical shortage of cybersecurity 
talent with essential skills, such as security and network 
engineers and software developers. These types of skills are 
absolutely necessary in order to increase our cyber resilience 
capabilities. The scarcity of these types of skills represents 
a significant risk to U.S. competitiveness and security.
    As the use of current and future technologies increases to 
support airports, airlines, and other critical aviation 
systems, the threat of disruptive cyberattacks will undoubtedly 
increase, as well. The need for additional Federal assistance, 
information sharing, workforce training, and the adoption of 
baseline standards are all essential to our national security 
and long-term economic prosperity.
    Again, we thank you for the opportunity to testify before 
you today, and I look forward to answering any questions that 
you may have.
    [Mr. Stephens's prepared statement follows:]

                                 
 Michael A. Stephens, General Counsel and Executive Vice President for 
 Information Technology, Hillsborough County Aviation Authority, Tampa 
                         International Airport
    Chairman DeFazio, Ranking Member Graves, and distinguished members 
of the Committee thank you for the opportunity to participate in 
today's hearing on the critically important topic of understanding and 
mitigating cybersecurity threats to our nation's critical 
infrastructure.
    According to the Federal Aviation Administration (FAA), more than 
2.9 million passengers travel through America's airports each and every 
day. Based on some of the most recent available data, US airports 
facilitated the shipment of more than 44 billion pounds of cargo. In 
total, our nation's airports, along with our airline partners and all 
other aspects of the US aviation industry, account for more than 5.2% 
of our national GDP, contribute $1.6 trillion in total economic 
activity and support nearly 11 million jobs. By any standard, airports, 
particularly our commercial airports, are incredibly complex, connected 
critical infrastructure ecosystems that are essential not only to our 
nation's economic prosperity but to our national security as well.
    The size and scope of operations, as well as the passenger volume 
activity in our nation's airports, are vast. The FAA classifies the 
nation's 30 largest airports by passenger volume as large hub airports, 
of which Tampa International is in that category. Out of those 30 
airports designated as large hubs, the largest five have more 
passengers flowing through them on an annual basis than the entire 
population of the United States.
    As with most industries in order to meet the increasing demand and 
needs of global commerce and the traveling public, airports, along with 
our airline partners, have increasingly relied on technology both out 
of operational necessity and to enhance passenger safety, security and 
convenience. The ubiquitous use of technology has made airports, 
airlines, and aviation more efficient and has undergirded and 
facilitated the tremendous growth of global mobility, commerce, and 
connectivity.
    In today's modern and technologically advanced airports, there are 
virtually no areas or functions that do not interface with or rely on 
some level on a digital network, data transfer, computer application, 
or internet interface. Virtually all functions essential to airport 
operations and aviation safety and security, such as access controls, 
navigation, airfield lighting, communications, industrial system 
controls, and emergency response systems, rely heavily on a multitude 
of technology applications and platforms. Moreover, airport information 
systems contain or process tremendous amounts of sensitive data such as 
passenger manifests, security plans, and data containing financial and 
personally identifiable information (PII).
    The operational importance of these systems, coupled with the fact 
that they are increasingly supported and connected through networks 
that rely on global technology supply chains, makes airports immensely 
appealing targets and increasingly vulnerable to criminal organizations 
and state-sponsored bad actors.
    Airports, airlines, and the aviation sector, like other industries, 
face significant challenges from a persistent and increasingly 
pernicious cyber threat environment. Imagine, if you will, the 
potentially dire consequences of a successfully coordinated major 
cyber-attack on any one or more of our large hub airports, airlines, or 
the Air Traffic Management System. The potential resulting national and 
international disruption, economic harm, erosion of safety, and 
degradation of vital aspects of our national defense capability would 
be enormous.
    In short, computers, keyboards, and digital code have become the 
newest tools of criminals and some of the preferred weapons of war for 
nation-states and other US adversaries. That is why it is of paramount 
importance that we exercise increased urgency and vigilance to 
anticipate, identify and mitigate cyber threats to our nation's 
airports, airlines, and other critical aviation infrastructure. Given 
the nature of these existing and growing threats, proactively 
implementing standards, protocols, and countermeasures to protect 
ourselves against potential catastrophic system disruption must become 
one of our highest priorities.
    While there is no silver bullet or perfect defense against 
cybersecurity threats within the aviation industry or any industry for 
that matter, there are critical activities that we must undertake to 
increase our cyber resilience and mitigate as much risk as possible. 
For the purposes of this hearing, I have distilled my remarks down to a 
few critical areas that I believe present the best opportunity for 
airports along with our airline partners and aviation sector 
stakeholders to achieve greater preparedness, responsiveness, and 
resilience.
                      Mandatory Minimum Standards
    Under the Federal Information Security Management Act (FISMA), 
which defines a comprehensive framework to protect government 
information, operations, and assets against natural or man-made 
threats, Federal agencies are required to adopt and implement a 
national baseline standard for cybersecurity preparedness. In 2013, 
President Obama issued Executive Order (EO) 13636, Improving Critical 
Infrastructure Cybersecurity, which called for the development of a 
voluntary risk-based cybersecurity framework that is ``prioritized, 
flexible, repeatable, performance-based, and cost-effective.'' 
Subsequent executive orders and recent Presidential Directives have 
also been issued to address and respond to the ever-changing 
cybersecurity threat landscape and strengthen the requirements by 
Federal agencies for ensuring and maintaining a baseline level of 
preparedness.
    Although airports, airlines, and other aviation stakeholders have 
engaged in building and achieving various levels of cybersecurity 
capability, maturity and resilience, there are currently no significant 
requirements for adherence to a minimum baseline set of standards for 
preparedness. According to a 2015 survey of airports in the United 
States by the Airport Cooperative Research Program (ACRP) in its 
Guidebook on Best Practices for Airport Cybersecurity, only nine out of 
twenty-four (34%) airport respondents indicated that they had 
implemented a cybersecurity standard or framework. Even assuming that 
the percentage has increased, given the voluntary nature of 
implementing a standard within the industry, there is no meaningful way 
to assess adoption, adequacy, or consistency.
    Moreover, according to a 2018 SITA Air Transport Cybersecurity 
Insights report of aviation industry participants, only 41% of 
respondents identified cybersecurity as part of their top 
organizational risks. Only 42% of respondents planned to include cyber 
risk in their organizational critical risk assessments in 2021. Fewer 
than 35% of the responding organizations had a dedicated Chief 
Information Security Officer (CISO), which is essential to raising 
cybersecurity resilience as a priority to most executive and governance 
levels.
    Given these numbers, I believe that the aviation sector is at an 
inflection point in the growing threat environment where voluntary 
compliance is no longer adequate. This position is clearly evidenced by 
the increasing sophistication and adverse impact on our economic and 
national security from attacks such as SolarWinds and Colonial 
Pipeline. It is my opinion that strong consideration should be given by 
Congress and regulatory agencies such as the FAA and TSA to mandate the 
adoption and implementation of minimum baseline cyber security 
standards and frameworks throughout the aviation sector. The National 
Institute of Standards and Technology (NIST) Framework for Improving 
Critical Infrastructure for Cybersecurity, for example, provides 
substantial guidance for establishing a minimum cyber resilience 
framework for the aviation sector and other critical infrastructure 
sectors.
    Such a baseline cybersecurity framework would not replace an 
existing cybersecurity program that an organization already has in 
place. The framework would be used to augment, enhance and strengthen 
any existing program and align it with best practices for greater 
coordination and effectiveness throughout the aviation industry. For 
airports, airlines, and key stakeholders that do not have a baseline 
cybersecurity program, such a requirement would ensure a minimum level 
of readiness and facilitate the development of more effective sector 
cyber preparedness and maturity.
           Cyber Security Information Sharing & Communication
    While one of the stated objectives of EO 13636 focused on 
increasing information sharing between the government and the private 
sector, it has not been as effective as it could be due to the 
program's voluntary nature. The sharing of information and threat 
intelligence is a critical component to assessing airport and aviation 
sector vulnerabilities, enhancing our preparedness posture, as well as 
giving airports and our airline partners the ability to respond more 
effectively and recover in the event of a cybersecurity incident.
    Often information sharing practices within the aviation sector have 
been reactive versus proactive. Voluntary information-sharing programs 
have demonstrated utility when reacting to and recovering from a cyber-
incident when shared in a timely manner. However, the exponentially 
growing threat landscape will require significantly more investment by 
the public and private sectors both nationally and internationally.
    In order to strengthen information sharing, consideration should be 
given to requiring mandatory disclosure of cyber incidents that meet an 
agreed-upon threat threshold irrespective of whether or not the 
incident resulted in an actual data breach or system compromise. The 
information reporting and sharing requirement should focus on 
actionable threats and risks in order to minimize the data and 
information overload, or the creation of information ``white noise''.
    Laws such as the Cybersecurity Information Sharing Act (CISA) and 
related programs such as the DHS Cyber Information Sharing and 
Collaboration Program (CISCP), if coupled with the implementation of 
mandatory minimum standards within the aviation sector, may help to 
accelerate the progress of information sharing and collaboration. 
However, mandating a minimum baseline common standard and enhancing 
opportunities to share critical cybersecurity threat intelligence in a 
timely manner within the aviation and across other critical 
infrastructure sectors will ultimately result in the greater national 
capability to combat cyber security risks.
   Information Security Awareness Training and Workforce Development
    Closing the human factors gap is a critical and integral part of a 
successful and effective cyber resilience strategy within all critical 
infrastructure sectors. Notwithstanding the most effective program 
standards, technological cybersecurity defenses, and threat 
intelligence information-sharing efforts, the human factor remains the 
most highly exploited vector for penetrating cybersecurity defenses 
within the aviation sector. In a recent study by Airports Council 
International (ACI) of key aviation leaders and stakeholders, 87% of 
the respondents reported that social engineering attacks were the 
leading vector of cyberattacks.
    Cybersecurity threat awareness and information security training 
programs for all airport, airlines, and aviation industry employees is 
perhaps one of the most efficient and cost-effective ways of increasing 
cybersecurity preparedness in the aviation sector. The NIST ``Framework 
for Improving Critical Infrastructure Cybersecurity'' (NIST 2014) 
specifically indicates that cybersecurity awareness and training is a 
critical and indispensable component to an entity's overall 
cybersecurity program.
    Airports, airlines, and the aviation sector take cybersecurity 
seriously and have implemented creative processes to educate staff and 
tenants to further enhance cyber awareness, hygiene and security. 
Numerous resources are increasingly being made available for 
cybersecurity training at the federal, department, and state level. 
According to the survey of airports in the United States by the Airport 
Cooperative Research Program (ACRP), 20 of 27 (74%) of the responding 
airports indicated that they engage in some form of employee 
information security training.
    However, due to the multitude of differences within airport 
governance and organizational structures, the scope, depth, and quality 
of training may vary significantly from airport to airport. Numerous 
additional factors may also adversely impact the quality and breadth of 
training, such as availability of budgets particularly in a post COVID 
environment, lack of available subject matter expertise and adequate 
buy-in from senior management in prioritizing spending on resiliency 
efforts.
    To combat the exponential growth of cyberattacks, we must make 
significant investments to develop cyber literacy and equip people with 
the necessary tools to detect and defend against bad actors. This will 
require efforts beyond typical awareness training and would ideally 
build on aviation's physical safety-and-security culture to develop a 
cybersecurity culture across all industry stakeholders.
    Adopting and requiring a uniform standard which establishes a 
minimum baseline training requirement for airport, airlines and other 
aviation sector employees on a defined and reoccurring basis should be 
given significant consideration by the appropriate aviation sector 
regulatory agencies such as the FAA and TSA.
                         Workforce Development
    We are losing the race for talent. Professionals, specifically 
within the aviation industry, with critical cybersecurity skills and 
competencies are in scarce supply. In the US, we have a critical 
shortage of cybersecuritylent such as software engineers, software 
developers and network engineers. By some industry estimates, the US 
currently has a shortage of more than one million security experts, and 
that number is expected to grow significantly over the next decade. 
These essential skills are necessary to increase our cyber resilience 
and response capabilitiesd represent a significant risk to US 
national security and competitiveness.
    We must invest in building future cyber capacity by identifying and 
recruiting highly sought-after talent and developing and retaining our 
current cyber workforce. In order to close the cybersecurity skills 
gap, substantial national public and private efforts should be 
undertaken to develop and expand the capabilities of current and future 
workforces. Particular focus should be placed on developing cyber 
competencies through high school and university education programs 
promoting science, technology, engineering, mathematics, and foreign 
language (STEM-L).
                               Conclusion
    Our nation's airports, airlines, and other critical aviation 
infrastructure rely heavily on information technology and complex data 
networks to support the growing demands of our economic, strategic, and 
national security interests. As the adoption of current and future 
technologies increases to support the aviation sector both here and 
abroad, the threat of disruptive cyber-attacks on airports, airlines, 
and critical aviation information systems and data will undoubtedly 
increase as well. Evolution towards a more effective, non-voluntary 
cyber risk mitigation strategy against this pernicious and imminent 
threat must be undertaken proactively and with a renewed sense of 
urgency. The need for increased assistance, improved regulatory 
oversight, and the urgent adoption and implementation of a baseline 
cybersecurity protection framework and standard for information sharing 
and workforce training are essential to the nation's security and long-
term economic prosperity.

    Mr. DeFazio. Thank you for your testimony, Mr. Stephens, 
and now we would move to John Sullivan.
    Mr. Sullivan, you are recognized for 5 minutes.
    Mr. Sullivan. Chairman DeFazio, Ranking Member Crawford, 
and members of the committee, thank you for the opportunity to 
testify on cybersecurity challenges facing the Nation's water 
and wastewater infrastructure. I am John Sullivan, chief 
engineer of the Boston Water and Sewer Commission. I am also 
chair of the Water Information Sharing and Analysis Center, or 
WaterISAC, and deliver my testimony today in that capacity.
    WaterISAC is a nonprofit organization established in 2002 
by the national water and wastewater associations at the urging 
of EPA and the FBI to provide utilities with critical 
information on physical and cybersecurity threats, and best 
practices for prevention and response. WaterISAC member 
utilities currently serve 206 million people across the United 
States, about 60 percent of the U.S. population. While EPA and 
Congress provided some funding to get the service up and 
running in the early 2000s, today member dues payments support 
100 percent of the WaterISAC's budget.
    We know that water and wastewater utilities pose attractive 
targets for cyberattackers. My written testimony references 
several recent cyber intrusions against water and wastewater 
systems that occurred last year, targeting utilities across the 
country. Perhaps best known is the attack early this year 
against the water utility serving Oldsmar, Florida. While 
utility staff immediately observed the breach and took 
corrective action that prevented any impacts to water quality 
or public health, it is easy to imagine how the outcome could 
have been much worse.
    For example, consider an attack that infiltrates the 
industrial control systems of a wastewater system, and disables 
the treatment train or the pumps that move sewage from one part 
to another. This could result in the release of large amounts 
of sewage into rivers and streams, harming the natural ecology 
of the receiving waters, creating a public health nuisance, and 
potentially contaminating sources of drinking water.
    The Boston Water and Sewer Commission had its own 
experience with a cybersecurity incident last year in the form 
of a ransomware attack. While it complicated the day-to-day 
business and was costly to recover from, there was never any 
threat to public or environmental health, due to precautions 
such as our business network being segregated from our control 
systems. This is a best practice in any sector that uses 
industrial control systems, but this approach is not consistent 
across the Nation's 16,000 wastewater systems and 50,000 
drinking water systems.
    With such a large universe of water systems across the 
country, many are bound to have a lack of understanding of 
these cyber best practices, or a lack of expertise and 
equipment to implement them. This is where the WaterISAC can 
help. In Boston's case, the center was instrumental in our 
recovery from our incident, as it referred us to a firm 
specializing in ransomware incident response, which helped us 
navigate our way through the events.
    More broadly, WaterISAC offers resources such as 15 
security fundamentals for water and wastewater utilities, a set 
of best practices for the protection of information technology 
and industrial control systems. The 15 fundamentals provide 
straightforward, but sometimes overlooked, tasks like enforcing 
user access controls, performing asset inventories, addressing 
vulnerability management, and creating a cybersecurity culture.
    As the committee conducts oversight of cybersecurity at 
wastewater utilities and other critical infrastructure 
entities, we recommend an approach that provides more resources 
to both wastewater systems themselves and to the EPA in its 
capacity as the sector risk management agency for the water and 
wastewater sector. These resources could come in the form of 
technical assistance programs to help medium and small 
wastewater systems implement technology upgrades and secure 
external services; initiatives to expand the reach of the Water 
Rights Act to all wastewater systems nationwide; and assessment 
assistance and training to help wastewater systems comply with 
best practices.
    One promising approach can be found in the Infrastructure 
Investment and Jobs Act. One provision in this bill would 
encourage electric utilities to bolster their cyber 
preparations and would seek to increase participation in the 
electricity information sharing and analysis setup, WaterISAC's 
counterpart from the electric sector.
    A similar direction for EPA to take steps to bolster water 
sector participation in the Water Rights Act, especially among 
the wastewater systems serving fewer than 100,000 people, would 
help get threat information and best practices into more hands 
across the country.
    We would be happy to work with you on this effort. Thank 
you for the chance to testify today, and I am happy to answer 
any questions.
    [Mr. Sullivan's prepared statement follows:]

                                 
    John P. Sullivan, P.E., Chief Engineer, Boston Water and Sewer 
  Commission, on behalf of the Water Information Sharing and Analysis 
                                 Center
    Chairman DeFazio, Ranking Member Graves, and members of the 
committee: I appreciate the opportunity to appear at today's hearing on 
``The Evolving Cybersecurity Landscape: Industry Perspectives on 
Securing the Nation's Infrastructure.''
    I am John P. Sullivan, and for many years I have served as the 
Chief Engineer of the Boston Water and Sewer Commission. The Commission 
is the largest and oldest water system of its kind in New England and 
provides drinking water and sewer services to more than one million 
people daily. In addition, I currently chair the Water Information 
Sharing and Analysis Center, better known as WaterISAC, and serve on 
the Water Sector Coordinating Council, comprising the national water 
and wastewater associations,\1\ which advises the U.S. Environmental 
Protection Agency and the Cybersecurity and Infrastructure Security 
Agency (CISA) on their security programs. I am also a member of the 
board of directors of the Association of Metropolitan Water Agencies 
and the National Association of Clean Water Agencies, and serve on the 
Water Utility Council of the American Water Works Association.
---------------------------------------------------------------------------
    \1\ The Water Sector Coordinating Council consists of the American 
Water Works Association, the Association of Metropolitan Water 
Agencies, the National Association of Clean Water Agencies, the 
National Association of Water Companies, the National Rural Water 
Association, WaterISAC, the Water Environment Federation, and the Water 
Research Foundation.
---------------------------------------------------------------------------
    I testify today on behalf of WaterISAC, a non-profit organization 
established in 2002 by the national water and wastewater associations, 
at the urging of EPA and the FBI, to provide utilities with critical 
information on physical and cybersecurity threats and best practices 
for prevention and response. The designated information-sharing arm of 
the Water Sector Coordinating Council, WaterISAC is the most 
comprehensive and targeted single point source for data, facts, case 
studies, and analysis on water security and threats from intentional 
contamination, terrorism, and malicious cyber actors. WaterISAC member 
utilities currently serve 206 million people across the United States--
about 60% of the U.S. population.
    We commend the committee for holding today's hearing because 
protecting the nation's critical infrastructure against a growing range 
of cyber threats is an issue of increasing urgency. My testimony will 
provide an overview of the cyber risks faced by water and wastewater 
systems, the sector's response thus far, and what we can do looking 
forward.
               Water and Wastewater Systems' Cyber Risks
    Water and wastewater systems are an attractive target for cyber 
attackers, and the implications of an attack could be significant. This 
is why water, along with transportation, energy, and communications, 
are the four ``lifeline functions'' designated by the Department of 
Homeland Security. This means that the operations of these sectors are 
so critical that any disruption or loss will directly affect the 
security of other critical infrastructure sectors as well.
    However, it is important to distinguish between different types of 
cyber-attacks that could target water and wastewater systems. The first 
are attacks against utilities' information technology systems, also 
known as business or enterprise systems. These include email systems, 
websites, and billing databases. In recent years water and wastewater 
systems have reported a variety of such attacks, which include 
ransomware incidents, email compromise scams, and social engineering 
and phishing attempts. And while these attacks, if successful, can 
disrupt day-to-day business and compromise sensitive data, they, alone, 
would not have any impact on the treatment or management of drinking 
water or wastewater.
    A more concerning type of cyber-attack would target a utility's 
industrial control system. Industrial control systems operate treatment 
processes, valves, pumps, and other utility infrastructure.
    Last month EPA published a joint cyber advisory along with the FBI, 
Cybersecurity and Infrastructure Security Agency, and NSA outlining 
``Ongoing Cyber Threats to U.S. Water and Wastewater Systems.'' \2\ The 
advisory featured input from WaterISAC and summarized some common cyber 
threats to water and wastewater systems, recommended mitigation 
actions, and resources for systems to access. It also cited several 
cyber intrusions against U.S. water and wastewater systems since last 
year, including incidents affecting utilities in California, Maine, 
Nevada, New Jersey, and Kansas. While none ultimately affected public 
health or environmental quality, the growing number of incidents makes 
clear that utilities must be prepared to defend against and respond to 
these attacks.
---------------------------------------------------------------------------
    \2\ https://us-cert.cisa.gov/sites/default/files/publications/AA21-
287A-Ongoing_Cyber_Threats_
to_U.S._Water_and_Wastewater_Systems.pdf
---------------------------------------------------------------------------
    One of the most-publicized recent cyber intrusions against a U.S. 
water utility played out this past February at the drinking water 
system serving the city of Oldsmar, Florida. In this case, an unknown 
malicious actor infiltrated the city's water treatment plant and made 
changes to chemical levels in the treatment process. According to the 
Pinellas County sheriff, the attacker accessed a computer in the 
treatment plant's control system using an application called 
TeamViewer. A plant operator observed two intrusions that were hours 
apart. In the second intrusion, which lasted about five minutes, the 
operator saw the mouse moving around as the malicious actor accessed 
various functions. One of these functions controls the amount of sodium 
hydroxide in the water, which the actor changed from about 100 parts 
per million to 11,100 parts per million. The operator in Oldsmar 
observed this change and immediately reversed it.
    If the intrusion had not been detected in real time, reports say 
that it would have taken between 24 and 36 hours for the affected water 
to reach the distribution system, and prior to that point it most 
likely would have been detected by redundancies that are in place to 
check water quality before release. But this incident is emblematic of 
how bad actors can take advantage of cyber vulnerabilities that may be 
present in many of the nation's roughly 50,000 drinking water systems 
and 16,000 wastewater systems, and it is easy to imagine how the 
outcome might have been far worse. What if, for example, the intruder 
was not immediately detected, and was able to manipulate pumps to drain 
a water tower or restrict distribution to certain areas? Such an 
outcome not only would have undermined the public's confidence in their 
water service but would have carried severe impacts on the community's 
environmental, fire protection, and public health.
    With wastewater systems, one danger is that an attack can disable 
the treatment train or the pumps that move treated and untreated 
sewerage from one point in the process to another. A successful attack 
could release large amounts of sewerage into rivers and streams, 
harming the natural ecology of the receiving waters, creating a direct 
public health risk and also contaminating sources of drinking water.
    It is important to recognize that organizations--from federal 
agencies to large and small businesses--can implement every best 
practice in the book and still suffer a cybersecurity attack. 
Notwithstanding that nation states have sophisticated methods of 
gaining unauthorized access to even the most secure systems, 
compromises can also be caused simply by one employee clicking on a 
malicious link in an email. So not only is it critical to implement the 
best technologies, but it is also critical to educate employees and to 
have incident response plans in place should attacks occur.
    The Boston Water and Sewer Commission had its own experience with a 
cybersecurity incident in the form of an Egregor ransomware attack last 
year. While it complicated day-to-day business for many weeks and was 
costly to recover from, there was never any threat to public or 
environmental health, due to our business network being segregated from 
our control system, among other precautions. This saved the utility 
from suffering much greater impacts and is a best practice in any 
sector that uses industrial control systems, but this approach is not 
consistent across water and wastewater systems. This is likely due to a 
lack of understanding, among many utilities, of its importance and a 
lack of expertise and budget to implement it.
    WaterISAC was instrumental in helping Boston Water and Sewer 
recover from this incident. The center referred the utility to a firm 
specializing in ransomware incident response, which helped us navigate 
our way through the event. In situations such as these, WaterISAC has 
access to a field of subject matter experts at other utilities and at 
private firms that it can tap in support of its members.
    Water and Wastewater Systems Cybersecurity: State of the Sector
    We know there is more the water and wastewater sector could be 
doing to prepare for cyber-attacks. According to a cybersecurity survey 
on water and wastewater systems--2021 State of the Sector \3\--released 
in June by the Water Sector Coordinating Council, adoption of cyber 
best practices varies across the sector. For instance, the Council 
found that while cybersecurity is an element of most utility risk 
management plans, that is not the case for nearly 40% of respondents, 
which included many systems serving less than 500 people, but in some 
cases those serving hundreds of thousands. On the whole we found that 
larger utilities--with more resources--have fewer challenges to 
implementing cybersecurity practices, while many smaller utilities lack 
funding and expertise.
---------------------------------------------------------------------------
    \3\ waterisac.org/2021survey
---------------------------------------------------------------------------
                Sector Efforts to Improve Cybersecurity
    One resource available to the sector is WaterISAC, established in 
2002 with seed money from EPA and subsequent congressional 
appropriations. A critical component of cybersecurity preparedness is 
having access to the latest cyber threat and vulnerability information 
and to best practices from subject matter experts. One of two dozen 
other ISACs across critical infrastructure sectors, WaterISAC annually 
issues hundreds of advisories, maintains a portal for members and hosts 
webinars and threat briefings. The center also receives incident 
reports and conducts threat analyses to help water and wastewater 
utilities stay ahead of the threat curve.
    In more recent years, in collaboration with EPA, through the 
Government Coordinating Council, the water sector as a whole has 
recommended that utilities implement best practices and has offered 
resources to that end.
    Among these is WaterISAC's free 15 Cybersecurity Fundamentals for 
Water and Wastewater Utilities, a set of best practices for the 
protection of information technology and industrial control systems. 
First published in 2012 and most recently updated in 2019, the 15 
Fundamentals provide straightforward but sometimes overlooked tasks 
like enforcing user access controls and performing asset inventories. 
Other recommendations in the guide address vulnerability management and 
creating a cybersecurity culture.\4\
---------------------------------------------------------------------------
    \4\ The complete list of 15 water sector cybersecurity 
fundamentals, available at waterisac.org/fundamentals, consists of:
    1.  Performing Asset Inventories
    2.  Assessing Risks
    3.  Minimizing Control System Exposure
    4.  Enforcing User Access Controls
    5.  Safeguarding from Unauthorized Physical Access
    6.  Installing Independent Cyber-Physical Safety Systems
    7.  Embracing Vulnerability Management
    8.  Creating a Cybersecurity Culture
    9.  Developing and Enforce Cybersecurity Policies and Procedures
    10.  Implementing Threat Detection and Monitoring
    11.  Planning for Incidents, Emergencies, and Disasters
    12.  Tackling Insider Threats
    13.  Securing the Supply Chain
    14.  Addressing All Smart Devices
    15.  Participating in Information Sharing and Collaboration 
Communities
---------------------------------------------------------------------------
    Another key sector resource is the American Water Works 
Association's Cybersecurity Guidance & Tool, which is based on the NIST 
Cyber Security Framework. The AWWA guidance offers a sector-specific 
approach for implementing applicable cybersecurity controls and 
recommendations and is widely used.
    WaterISAC and the sector associations also promote EPA tools and 
those offered by CISA, as well as small-system resources through AWWA 
and the Department of Agriculture.
    In terms of federal oversight of the sector's cybersecurity 
drinking water and wastewater systems are not subject to the same 
requirements. On the drinking water side, America's Water 
Infrastructure Act of 2018 (P.L. 115-270) requires drinking water 
utilities, under the oversight of EPA, to periodically take an ``all-
hazards'' look at potential threats, including risks to ``electronic, 
computer, or other automated systems.'' This provides an opportunity to 
evaluate potential threats and develop response measures. However, 
there is no statutory requirement for wastewater systems to take 
similar actions.
              A New Approach to Water Sector Cybersecurity
    Despite these differences, both water and wastewater systems are 
implementing best practices to safeguard their information systems and 
industrial control systems from attacks and fulfilling their missions 
to protect public health and the environment. However, the water and 
wastewater sector is large and diverse, and we see room for 
improvement, as demonstrated by the State of the Sector report noted 
above. The current approach could leave utilities vulnerable to 
cybersecurity attacks that could endanger health and the environment.
    One of the most effective ways for Congress to help the nation's 
wastewater systems withstand cyber threats is to provide more resources 
to both the systems themselves and to EPA in its capacity as the Sector 
Risk Management Agency (Sector-Specific Agency) for the water and 
wastewater sector. These resources could come in the form of technical 
assistance programs to help medium and small wastewater systems, 
additional grant funding to help individual wastewater systems 
implement technology upgrades and secure external services, initiatives 
to expand the reach of WaterISAC to all wastewater systems nationwide, 
assessment assistance, and training to help wastewater systems comply 
with best practices. Indeed, the State of the Sector survey cited 
resources such as these among utilities' top needs.
    One promising model could be based on provisions included in 
Section 40125(c) of the Infrastructure Investment and Jobs Act. This 
proposal aims to improve the cybersecurity of bulk power systems and 
would authorize $250 million over five years to support a new Energy 
Sector Operational Support for Cyberresilience Program at the 
Department of Energy. Among the objectives of this program would be 
supporting efforts ``to expand industry participation in [Electricity]-
ISAC,'' the Electricity Information Sharing and Analysis Center, 
WaterISAC's counterpart for the electricity sector. Should the 
Transportation and Infrastructure Committee develop legislation related 
to cybersecurity in the wastewater sector, a similar EPA program aimed 
at increasing participation in WaterISAC should be considered.
    As previously mentioned, WaterISAC currently counts among its 
members water and wastewater utilities that serve about 60% of the U.S. 
population. Some members serve as few as 2,000 people, but most members 
serve larger populations. However, only about 400 of the nation's 
nearly 50,000 community water systems and 16,000 wastewater systems are 
paying WaterISAC members that enjoy full access to all of the 
nonprofit's threat and vulnerability alerts, subject matter expertise, 
and other information.
    Congress provided funding to get the center up and running in the 
first decade of the 2000s, but since that time the center has been 
funded exclusively through member dues. These dues are structured on a 
sliding scale--beginning at $100 per year--so as to be affordable for 
smaller utilities, but nevertheless many utilities are not able to take 
advantage of the resources available. At the same time, many thousands 
of utilities are simply unaware of WaterISAC. Unless more utilities are 
part of WaterISAC, then lack of awareness of threats will prevail.
    WaterISAC member utilities have more and better information with 
which to build a security and resilience program than those that don't 
belong to the center.
    Therefore, federal assistance to underwrite membership fees for 
small and medium-sized water and wastewater systems and a federal 
program to increase awareness of the center would help get threat 
information and best practices into more hands across the country. As 
noted in the State of the Sector report, the greatest challenge for 
smaller systems is awareness of threats and best practices.
    We estimate that federal assistance at a level of just $6 million 
over three years would enable WaterISAC to provide a broader array of 
services to water and wastewater systems nationwide. Specifically, this 
level of funding would be used to cover the cost of membership for 
thousands of small and medium systems, expand our threat analysis 
capabilities, conduct exercises and training, and offer technical 
support to utilities.
                               Conclusion
    WaterISAC appreciates the opportunity to share our views on the 
cyber threat landscape facing the nation's water and wastewater 
systems, and effective strategies to help utilities respond to these 
challenges. I am proud of the work the water and wastewater sector has 
done on its own to spread awareness of sound cyber practices, but 
additional resources and assistance from the federal government would 
go a long way toward ensuring the greatest number of water and 
wastewater utilities are as prepared as they can be. We stand ready to 
work with you to make this a reality.

    Mr. DeFazio. Thank you, Mr. Sullivan. And our last witness 
will be Gary Kessler.
    Mr. Kessler, 5 minutes.
    Mr. Kessler. Thank you. Chairman DeFazio, Ranking Member 
Crawford, and members and staff of the committee, thank you for 
the invitation and opportunity to speak today. I am Gary 
Kessler, a nonresident senior fellow at the Atlantic Council, 
and one of the coauthors of the Council's report, ``Raising the 
Colors: Signaling for Cooperation on Maritime Cybersecurity.''
    I have spent my professional career since the 1970s in the 
information technology and information security field. I am a 
retired professor of cybersecurity, coauthor of a book on 
maritime cybersecurity, and a principal consultant at Fathom5 
working on cyber issues related to maritime operational 
technology testbeds. I also hold a national office in the U.S. 
Coast Guard Auxiliary Cybersecurity Division, and I am a 
visiting faculty member at the U.S. Coast Guard Academy.
    Most people in the United States do not think of our 
country as a maritime nation. They don't understand and 
appreciate our Nation's reliance upon the maritime 
transportation system, or MTS, for our very way of life. Our 
report addresses that dependence in some very tangible ways, 
from the $5.4 trillion contribution to the U.S. economy, 
representing about 25 percent of our country's gross domestic 
product, to the 30 million jobs.
    Roughly 80 percent of global trade and nearly two-thirds of 
the world's total petroleum and other liquid energy supply is 
carried by ship. In the United States, approximately 90 percent 
of our imports/exports move by sea, emphasizing the fact that 
most global supply chains are existentially dependent upon 
maritime.
    Consider the disruption to the global supply chain caused 
earlier this year, when Ever Given became stuck in the Suez 
Canal, costing the global trading community nearly $9 billion 
each day. Much closer to home, note the current disruption to 
U.S. supply chains because of the backlog of the Ports of Long 
Beach and Los Angeles, the entry for nearly 40 percent of U.S. 
imports.
    The ability to move military personnel and materiel by sea, 
combined with the global presence of U.S. Navy warships and the 
U.S. Coast Guard, are fundamental to U.S. military power 
projection around the world.
    The maritime transportation system is critical and poses 
significant challenges to policymakers. The MTS is composed of 
many independent, yet co-dependent and inextricably intertwined 
systems representing ships, ports, shipping lines, inland 
waterways, and intermodal transfers.
    The system of systems metaphor speaks to the fact that the 
maritime sector is not monolithic, where a single set of rules 
or regulations can manage the industry. This provides a 
particular challenge to legislators, regulators, and those with 
administrative responsibility alike. Like the rest of the 
industrial world, MTS stakeholders take advantage of new 
technology, and this goes to the very heart of why we are here 
today.
    The modern computer age dates back only about 75 years. 
Commercialization of the internet began a mere 30 years ago. 
The acceleration of change in computing and communication 
technologies is now almost beyond comprehension, and includes 
advances in processors, sensors, embedded computers, 
operational technology, cyber physical systems, navigation, big 
data, machine learning, and artificial intelligence. These 
advances have led to the Internet of Things, smart ships and 
ports, the Ocean of Things, automation and maritime systems, 
and fully autonomous vessels.
    Computer attacks that were almost unheard of 30 years ago 
are commonplace today. Ships that barely had a computer on 
board 25 years ago are now susceptible to cyberattack, even in 
the middle of the ocean. Multiple sources report a sharp uptick 
in the number of cyberattacks directed toward the MTS since 
2019, including more than a dozen ransomware events in the last 
18 months.
    Cybersecurity has risen to become a significant threat to 
the maritime sector, no less than the food security, energy 
security, economic security, homeland security, and national 
security of the United States are dependent upon the seas. The 
maritime transportation sector is broad, diverse, and global, 
so that, while international cooperation is essential, central 
management is impossible. Cyber vulnerabilities are as 
plentiful in the maritime sector as in the nonmaritime world 
and provide unique threats to the industry.
    The National Maritime Cybersecurity Plan was a clarion call 
about a significant threat facing this country. Our report, 
``Raising the Colors,'' was a first step at trying to provide a 
tactical approach to addressing that threat. We have to 
continue pushing forward to address this critical issue.
    Thank you, and I look forward to your questions and further 
discussion.
    [Mr. Kessler's prepared statement follows:]

                                 
  Gary C. Kessler, Ph.D., Nonresident Senior Fellow, Atlantic Council
    Chairman DeFazio, Ranking Member Graves, and members and staff of 
the committee--thank you for the invitation to provide testimony to the 
committee. I am a Non-Resident Senior Fellow at the Atlantic Council 
and one of the authors of the Council's report, Raising the Colors: 
Signaling for Cooperation on Maritime Cybersecurity.\1\ I have spent my 
professional career since the 1970s in the information technology and 
information security fields, am a retired professor of cybersecurity, 
and the co-author of a book on maritime cybersecurity.\2\ I am also a 
Principal Consultant at Fathom5 working on cyber issues related to 
maritime operational technology (OT) testbeds, am a visiting faculty 
member at the U.S. Coast Guard Academy, and hold a national office in 
the U.S. Coast Guard Auxiliary's Cybersecurity Division.
---------------------------------------------------------------------------
    \1\ Loomis, W., Singh, V.V., Kessler, G.C., & Bellekens, X. (2021, 
October). RAISING THE COLORS: Signaling for Cooperation on Maritime 
Cybersecurity. Cyber Statecraft Initiative, Scowcroft Center for 
Strategy and Security, Atlantic Council. https://
www.atlanticcouncil.org/wp-content/uploads/2021/10/Raising-the-colors-
Signaling-for-cooperation-on-maritime-cybersecurity.pdf
    \2\ Kessler, G.C. and Shepard, S.D. (2020, September). Maritime 
Cybersecurity: A Guide for Leaders and Managers. Amazon Kindle Direct 
Publishing, http://www.maritimecybersecuritybook.com
---------------------------------------------------------------------------
         United States Dependence Upon Maritime Transportation
    Most people in the United States do not think of our country as a 
maritime nation. They view our nation's waterways as a venue for 
recreation or a vacation get-away, a source of food, or the home of 12 
million recreational boats and pleasure craft. Our citizens, in large 
part, neither know about nor appreciate our reliance upon the maritime 
transportation system for our very way of life.
    Our report addresses that dependence in some very tangible ways--
the maritime transportation system (MTS) contributes $5.4 trillion to 
the U.S. economy, representing about 25% of our country's gross 
domestic product, as well as 30 million jobs.\3\ Roughly 80% of global 
trade and nearly two-thirds of the world's total petroleum and other 
liquid energy supply is carried by ship. In the U.S., approximately 90% 
of our imports/exports are by ship, emphasizing the point that no 
global supply chain is independent of maritime transport, and most, in 
fact, are existentially dependent upon it.
---------------------------------------------------------------------------
    \3\ United States Coast Guard (USCG). (2021, August). Cyber 
Strategic Outlook: The United States Coast Guard's Vision To Protect 
and Operate in Cyberspace. https://www.uscg.mil/Portals/0/Images/cyber/
2021-Cyber-Strategic-Outlook.pdf
---------------------------------------------------------------------------
    Consider the disruption to the global supply chain caused when the 
cargo ship EVER GIVEN was stuck in the Suez Canal in March of this 
year, costing the global trading community nearly $9 billion each day. 
Although the blockage only lasted for six days, the 20,000-container 
vessel did not leave the Canal area for nearly four months pending a 
dispute with the Suez Canal Authority.\4\ Much closer to home, consider 
the current disruption to the U.S. supply chain due to the backlog at 
the Ports of Long Beach and Los Angeles, the entry way for nearly 40% 
of U.S. imports. There are myriad causes for the backlog but the 
bottom-line impact is higher costs, delays in getting goods to market, 
and global disruption of many product supply chains.\5\
---------------------------------------------------------------------------
    \4\ Chellel, K., Campbell, M., & Ha, K.O. (2021, June 24). Six Days 
in Suez: The Inside Story of the Ship That Broke Global Trade. 
Bloomberg Businessweek. https://www.bloomberg.com/news/features/2021-
06-24/how-the-billion-dollar-ever-given-cargo-ship-got-stuck-in-the-
suez-canal
    \5\ Caplan, J. (2021, October 14). Port of Long Beach Director 
Warns Cargo Backlog is `National Crisis.' Breitbart. https://
www.breitbart.com/politics/2021/10/14/port-of-long-beach-director-
warns-cargo-backlog-is-national-crisis/; Meeks, A., Isidore, C., & 
Yurkevich, V. (2021, October 19). North America's Biggest Container 
Port Faces Record Backlog. CNN Business. https://www.cnn.com/2021/10/
18/business/container-port-record-backlog/
---------------------------------------------------------------------------
    In addition, the ability to move military personnel and materiel--a 
capability known as sealift--combined with the global presence of U.S. 
Navy warships and U.S. Coast Guard cutters are the basis of U.S. 
military power projection around the world. These latter capabilities 
have served the nation in time of war, provided a capability to protect 
shipping routes, and acted as a deterrence to ensure peace.\6\
---------------------------------------------------------------------------
    \6\ Harris, S., & Fasching, Sr., J. (2020, May 21). Sealift: The 
Foundation of U.S. Military Power Projection. LMI blog. https://
www.lmi.org/blog/sealift-foundation-us-military-power-projection; 
Masters, J. (2019, August 19). Sea Power: The U.S. Navy and Foreign 
Policy. Council on Foreign Relations. https://www.cfr.org/backgrounder/
sea-power-us-navy-and-foreign-policy; Schuler, M. (2021, October 21). 
New USTRANSCOM Commander is `Laser-Focused' on Buying Secondhand Ships 
to Boost Military's Surge Sealift. gCaptain. https://gcaptain.com/new-
ustranscom-commander-is-laser-focused-on-buying-secondhand-ships-to-
boost-militarys-surge-sealift/
---------------------------------------------------------------------------
                       The MTS is not Monolithic
    While we often talk about the MTS as if it was a single, monolithic 
entity, it is actually a system of systems, representing ships, ports, 
shipping lines, inland waterways, and intermodal transfers.\7\ All of 
these systems operate independently, yet are co-dependent and 
inextricably intertwined. The life cycle of a ship, for example, 
intersects with the lifecycle of a port and is only a part of the life 
cycle of a shipping line. The life cycle of people and cargo within the 
MTS intersect with a ship's voyage and transit through ports, 
intermodal transfers, and inland waterways. The cybersecurity threats 
to the MTS are similar to threats everywhere else in information space, 
but are unique to our industry and way of life.
---------------------------------------------------------------------------
    \7\ Kessler & Shepard, 2020; Mansouri, M., Gorod, A., Wakeman, 
T.H., & Sauser, B. (2009). A Systems Approach to Governance in Maritime 
Transportation System of Systems. Proceedings of the IEEE International 
Conference on System of Systems Engineering (SoSE). Albuquerque, NM.
---------------------------------------------------------------------------
    Ports are one of the primary focus points of our report. 
Intellectual property (IP) theft related to port operations and 
construction can yield very valuable information to competitors and 
adversaries, alike. The deliberate installation of a Stuxnet-type of 
vulnerability \8\--i.e., software that can attack and destroy 
hardware--into a vessel or vessel component during construction could 
provide the basis for a ransomware or other cyber attack years later.
---------------------------------------------------------------------------
    \8\ Kushner, D. (2013, February 26). The Real Story of Stuxnet. 
IEEE Spectrum. https://spectrum.ieee.org/the-real-story-of-stuxnet
---------------------------------------------------------------------------
    The adage, ``If you've seen one port, you've seen one port'' \9\ is 
well-known in the maritime industry. All ports are unique in terms of 
their ownership and management, the mix of civilian and military 
vessels and operations, the interconnection of information and 
communication technology (ICT) systems by port operators and tenants, 
personnel management, intermodal connections, volume of traffic, cargo, 
passengers, etc. While all ports have the same general functions, each 
is unique.\10\
---------------------------------------------------------------------------
    \9\ Keefe, J. (2019, March 6). Port Security: If You've Seen One 
Port, You've Seen One Port. Maritime Logistics Professional. https://
www.maritimeprofessional.com/news/port-security-seen-port-seen-343481
    \10\ Polemi, N. (2018). Port Cybersecurity: Securing Critical 
Information Infrastructures and Supply Chains. Amsterdam: Elsevier.
---------------------------------------------------------------------------
    Ships, another focus point of the report, are floating networks. 
There are multiple operational networks onboard a vessel, including 
passenger/entertainment networks, navigation systems, satellite 
communications, ballast control, engineering control, propulsion and 
steering, cargo management, and more. Global Positioning System (GPS) 
and Automatic Identification System (AIS) communications are essential 
to positioning, navigation, timing, and situational awareness, and are 
both susceptible to jamming and spoofing.
    Shipping lines are a business like any other business; they just 
happen to own and operate ships. Thus, they have the same potential 
information security vulnerabilities that any business does, from 
finance and logistics to communications and cargo/passenger management. 
There is a significant amount of third-party software and systems 
employed by shipping lines, so the business is not even in charge of 
all of their own computers and networks. Remember the havoc in 
companies and governmental agencies around the world with the attack on 
SolarWinds less than a year ago.\11\
---------------------------------------------------------------------------
    \11\ Herr, T., Loomis, W., Schroeder, E., Scott, S., Handler, S., & 
Zuo, T. (2021, March). Broken Trust: Lessons from Sunburst. Cyber 
Statecraft Initiative, Scowcroft Center for Strategy and Security, 
Atlantic Council. https://www.atlanticcouncil.org/wp-content/uploads/
2021/03/BROKEN-TRUST.pdf
---------------------------------------------------------------------------
    Intermodal transfers are where the MTS touch every other form of 
transportation, including trucking, rail, and aviation. Even if the 
port, ship, and shipping line have outstanding security, a cyberfraud 
or cyberattack might still be perpetuated via a compromised trading 
partner.
    People are often the largest security attack vector, both in 
physical space and cyberspace. People are our passengers, our workers, 
our adversaries, our clients, and our colleagues. We need to vet the 
people that are engaged in any way with the MTS, obviously at different 
levels of access to information and systems. Cyberattacks on the 
personnel or passport control systems, for example, can render the 
ordinary security checks worthless, not to mention the enormous amount 
of personally identifiable information (PII) and financial information 
in the personnel and passenger databases.
    Cyber security in the maritime sector is a very broad endeavor. 
Regulation and administrative controls apply very differently to each 
of the sector's sub-systems.
                     Technology Advances in the MTS
    Technology in the MTS and cyber attacks go to the heart of why we 
at the Atlantic Council issued our report. The beginning of the modern 
computer age dates back only about 75 years. Modern digital 
communications technologies date back to the 1960s. The beginning of 
the global Internet started slowly just more than 50 years ago but, 
once commercialized a mere 30 years ago, was adopted more rapidly than 
any other technology in human history--at least up until that time.\12\
---------------------------------------------------------------------------
    \12\ Kleinrock, L. (2010, August). An Early History of the 
Internet. IEEE Communications Magazine, 48(8), 26-36. https://
www.lk.cs.ucla.edu/data/files/Kleinrock/An%20Early%20History
%20Of%20The%20Internet.pdf
---------------------------------------------------------------------------
    The acceleration of change affecting information and computing 
technologies is now almost beyond comprehension and includes advances 
in processors, sensors, embedded computers, OT, cyber-physical systems. 
Digitization--the conversion of all forms of information into a binary 
format--has provided the ability to store, process, analyze, and 
integrate all sorts of information. This has led to the huge data sets 
commonly known as big data, providing significant advances in machine 
learning and artificial intelligence (AI).
    Indeed, digitization of information and full integration of many 
data streams has led to digitalization, the transformation that offers 
an incredibly broad understanding of systems that heretofore was 
impossible.\13\ As an example, the concept of a smart ship allows the 
master of a vessel to be aware of almost every aspect about the state 
of the vessel, from the speed, course, bearing, water temperature, and 
salinity level to the stress on the hull, instantaneous fuel 
consumption, cargo container status, and power generation levels. Smart 
ports, the Internet of Things, the Ocean of Things,\14\ increased 
automation in maritime systems, and fully autonomous vessels are a 
direct result of this transformation within our knowledge base and AI 
software. Taken all together, the combination of advanced ICT and smart 
systems is driving Industry 4.0, or what is recognized as the fourth 
industrial revolution.\15\
---------------------------------------------------------------------------
    \13\ Sanchez-Gonzalez, P.-L., Diaz-Gutierrez, D., Leo, T.J., & 
Nunez-Rivas, L.R. (2019, February 22). Toward Digitalization of 
Maritime Transport? Sensors, 19(4), 926. https://doi.org/10.3390/
s19040926; United Nations Conference on Trade and Development (UNCTAD). 
(2019, June). Digitalization in Maritime Transport: Ensuring 
Opportunities for Development. Policy Brief No. 75. https://unctad.org/
system/files/official-document/presspb2019d4_en.pdf
    \14\ See the Defense Advanced Research Projects Agency OoT Web page 
at https://oceanofthings.darpa.mil/
    \15\ Marr, B. (2018, September 2). What is Industry 4.0? Here's a 
Super Easy Explanation for Anyone. Forbes. https://www.forbes.com/
sites/bernardmarr/2018/09/02/what-is-industry-4-0-heres-a-super-easy-
explanation-for-anyone/; Reni, A., Hidayat, S., Bhawika, G.W., 
Ratnawati, E, & Nguyen, P.T. (2020, February 20). Maritime Technology 
and the Industrial Revolution. Journal of Environmental Treatment 
Techniques, 8(1), 210-213.
---------------------------------------------------------------------------
    The drivers for this rapidly increasing level of intelligence 
include safety and efficiency in operation. The majority of maritime 
accidents are caused by human error, often due to fatigue; automated 
systems can respond more quickly to unexpected events and a smart ship 
is better able to anticipate events. In addition, more complete 
knowledge of the state of the vessel can allow the officers to provide 
more efficient operation and routing, which can lead to a lowering of 
operation and fuel costs.\16\
---------------------------------------------------------------------------
    \16\ Kosowatz, J. (2019, September 2). Sailing Towards Autonomy: 
Future of Self-Driving Cargo Ships. The American Society of Mechanical 
Engineers. https://www.asme.org/topics-resources/content/sailing-
toward-autonomy-future-of-self-driving-cargo-ships
---------------------------------------------------------------------------
    These data-driven systems, however, offer a larger cyberattack 
surface than ever before. Computer attacks that were almost unheard of 
30 years ago are commonplace today; ships that barely had a computer 
onboard 25 years ago are now susceptible to cyberattack even in the 
middle of the ocean. There has been a significant uptick in 
cyberattacks targeting the MTS since 2019,\17\ including more than a 
dozen ransomware attacks since early 2020. Cybersecurity has risen to 
become a significant threat to the smooth operation within the maritime 
sector.
---------------------------------------------------------------------------
    \17\ Maritime Cyber Attacks Increase by 900% in Three Years. (2020, 
July 29). Vanguard. https://www.vanguardngr.com/2020/07/maritime-cyber-
attacks-increase-by-900-in-three-years/; Report: Maritime Cyberattacks 
Up by 400 Percent. (2020, June 4). The Maritime Executive. https://
maritime-executive.com/article/report-maritime-cyberattacks-up-by-400-
percent
---------------------------------------------------------------------------
                 Additional Thoughts and Considerations
    The cyberthreat landscape to the MTS raises the question about the 
role of government in helping improve the state of maritime 
cybersecurity. The government's response to a physical attack is very 
different than that of a cyber attack. If a foreign country were to 
fire a missile at a private company within the U.S., for example, the 
government would take the lead to track down the source and, 
undoubtedly, respond militarily. Conversely, when foreign entities 
launch cyberattacks against American companies, the government response 
is essentially that the target is on their own.\18\
---------------------------------------------------------------------------
    \18\ Why Do We Call it Cyber CRIME? Gary Warner at TEDxBirmingham 
2014. (2014, March 1). https://www.youtube.com/watch?v=MPMr5jPwA7I
---------------------------------------------------------------------------
    The MTS represents a concentration of cyber risk. In this context, 
risk is a function of system vulnerabilities, exploits that can take 
advantage of these vulnerabilities, and threat actors willing to use 
these exploits to cause harm. The Vulnerabilities Trump Threats maxim 
says that a cyberdefender needs to concentrate on vulnerabilities in 
their systems because these are internal and manageable, rather than 
focusing on threats because those are external and largely unknown.\19\
---------------------------------------------------------------------------
    \19\ Johnston, R.G. (2020, July). Security Maxims. Right Brain 
Sekurity. http://rbsekurity.com/Papers/Johnston_Security_Maxims.pdf
---------------------------------------------------------------------------
    One example of a significant vulnerability to the MTS are the 
systems used for positioning, navigation, and timing (PNT), and 
situational awareness at sea. The primary source for PNT in maritime--
in fact, the primary timing source for all U.S. critical 
infrastructures--is the Global Positioning System (GPS). GPS has been a 
victim of jamming (i.e., blocking of the signal) and spoofing (i.e., 
sending false timing and location information) for some years.\20\ The 
Automatic Identification System (AIS) is used for maritime situational 
awareness. AIS information will be incorrect when bogus GPS information 
has been received by a ship or an attacker can insert false information 
into the system. Although it is of some value to know the Threat Actors 
that might employ GPS or AIS spoofing, it is more important to fix or 
augment the systems to be more resistant to the attacks in the first 
place. This is an important role for government to play.
---------------------------------------------------------------------------
    \20\ Balduzzi, M., Wilhoit, K., & Pasta, A. (2014, December). A 
Security Evaluation of AIS. Trend Micro Research Paper. https://
www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-
papers/wp-a-security-evaluation-of-ais.pdf; Center for Advanced Defense 
Studies (C4ADS). (2019). Above Us Only Stars: Exposing GPS Spoofing in 
Russia and Syria. https://www.c4reports.org/aboveusonlystars; U.S. 
Coast Guard (USCG). (2021, April 22). Worldwide Navigational Warnings 
Service. Marine Safety Information Bulletin (MSIB 05-21). https://
www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2021/MSIB_21-
05_Worldwide
NavigationalWarningsService.pdf
---------------------------------------------------------------------------
    Unfortunately, regulators, administrators, and managers usually 
respond to threats rather than vulnerabilities. New laws and funding 
sources do not appear merely because a new vulnerability is discovered 
but rather once a new threat is identified. This is a mindset that 
needs to be re-examined.
    We need the federal government to take a more active role in the 
cyberdefense not only of the MTS, but of transportation as a whole. 
Industry self-inspection has been cited as partial causes for the 
Boeing 737 Max \21\ and EL FARO \22\ disasters. While neither of those 
were cybersecurity incidents, both speak to the reduced involvement in 
the inspection and compliance process by responsible government 
agencies. This is not a question of big government versus small 
government, but a close examination of the issues in order to determine 
the appropriate level of government. In general, the level of an 
agency's authority should match the level of its responsibility. The 
USCG has the regulatory responsibility to protect the MTS from all 
forms of threat, in both real space and cyberspace. They must be 
provided with the necessary resources to carry out this vital mission.
---------------------------------------------------------------------------
    \21\ Schwellenbach, N. & Stodder, E. (2019, March 28). How the FAA 
Ceded Aviation Safety Oversight to Boeing. Project on Government 
Oversight (POGO). https://www.pogo.org/analysis/2019/03/how-the-faa-
ceded-aviation-safety-oversight-to-boeing/; U.S. Department of 
Transportation. (2015, October 15). FAA Lacks an Effective Staffing 
Model and Risk-Based Oversight Process for Organization Designation 
Authorization. Office of the Inspector General, Audit Report No. AV-
2016-001. https://www.oig.dot.gov/sites/default/files/
FAA%20Oversight%20of
%20ODA%20Final%20Report%5E10-15-15.pdf
    \22\ National Transportation Safety Board. (2017,December 12). 
Sinking of US Cargo Vessel SS El Faro--Atlantic Ocean, Northeast of 
Acklins and Crooked Island, Bahamas, October 1, 2015. NTSB Marine 
Accident Report (MAR)-17/01, PB2018-100342, Notation 57238. https://
www.nhc.noaa.gov/pdf/ElFaro-NTSB-full.pdf; United States Government 
Accountability Office (GAO). (2020, April). VESSEL SAFETY: The Coast 
Guard Conducts Recurrent Inspections and Has Issued Guidance to Address 
Emergency Preparedness. Report to Congressional Committees, GAO-20-459. 
https://www.gao.gov/assets/710/705785.pdf
---------------------------------------------------------------------------
    Another critical defensive tactic is related to intelligence 
sharing. Cyber-related incidents, reports, and analysis must not only 
be freely shared amongst all of the government regulatory agencies, but 
between all MTS stakeholders that wish to participate. The maritime 
entities most at risk are the small shipping lines, ports, cargo 
handlers, and manufacturers that do not have the financial assets to 
have a large information security team or join one of the industry 
information sharing organizations. A central maritime security 
information sharing center--such as Singapore's Information Fusion 
Centre \23\--would go a long way to assisting the MTS in protecting 
itself against new and emerging threats in both real space and 
cyberspace.\24\
---------------------------------------------------------------------------
    \23\ https://www.ifc.org.sg
    \24\ U.S. Coast Guard. (2021, August). CYBER STRATEGIC OUTLOOK: The 
United States Coast Guard's Vision To Protect and Operate in 
Cyberspace. https://www.uscg.mil/Portals/0/Images/cyber/2021-Cyber-
Strategic-Outlook.pdf; U.S. Department of Homeland Security (DHS). 
(2016, October). Critical Infrastructure Threat Information Sharing 
Framework: A Reference Guide for the Critical Infrastructure Community. 
https://www.cisa.gov/sites/default/files/publications/ci-threat-
information-sharing-framework-508.pdf
---------------------------------------------------------------------------
    Maritime regulators also need to prepare better reporting 
requirements about cyber-related events for information flow to the 
Department of Homeland Security (DHS), the Cyber and Infrastructure 
Security Agency (CISA), and/or USCG, as well as a central location for 
such reporting, and clearinghouse and reporting distribution center for 
the industry.
    Additionally, we have to recognize cybersecurity as a safety issue 
in the maritime environment. The maritime industry prides itself on it 
focus--and relatively strong record--on safety. But cyber safe 
environments require excellent cybersecurity hygiene on the part of the 
users and that requires regular training for all members of the 
MTS.\25\
---------------------------------------------------------------------------
    \25\ Canepa, M., Ballini, FD. Dalaklis, D., & Vakili, S. (2021, 
March). Assessing the Effectiveness of Cybersecurity Training and 
Raising Awareness Within the Maritime Domain. In Proceedings of the 
15th International Technology, Education and Development (INTED) 
Conference. http://dx.doi.org/10.21125/inted.2021.0726; Tam, K., & 
Jones, K. (2019). Factors Affecting Cyber Risk in Maritime. In 
Proceedings of 2019 International Conference on Cyber Situational 
Awareness, Data Analytics And Assessment (Cyber SA), Oxford, UK, 2019, 
1-8. https://www.researchgate.net/profile/Kimberly-Tam/publication/
334051022_Factors_Affecting_
Cyber_Risk_in_Maritime/links/5e60e9cb299bf182deea63a6/Factors-
Affecting-Cyber-Risk-in-Maritime.pdf
---------------------------------------------------------------------------
    Finally, the designers and builders of maritime systems that depend 
upon any ICT or OT equipment need to have a mindset of security by 
design. All too often, systems are protected by layering security on 
during implementation rather than designing security into every device. 
Indeed, a vessel network composed of a collection of secure devices 
might itself not be secure; the network must be designed with security 
in mind.
                               Conclusion
    The United States is very much a maritime nation where our food 
security, energy security, economic security, homeland security, and 
national security are dependent upon the seas. The maritime 
transportation sector is broad, diverse, and global so that, while 
international cooperation is essential, central management is 
impossible. Cyber vulnerabilities are as plentiful in the maritime 
sector as in the non-maritime world and provide unique threats to the 
industry. Both the commercial maritime industry and our military 
maritime interests demand our proactive response to this ongoing 
threat.\26\
---------------------------------------------------------------------------
    \26\ Demchak, C.C., and Thomas, M.L. (2021, October 15). Can't Sail 
Away from Cyber Attacks: `Sea-Hacking' from Land. War on the Rocks. 
https://warontherocks.com/2021/10/cant-sail-away-from-cyber-attacks-
sea-hacking-from-land/; Zorri, D.M., & Kessler, G.C. (2021, September 
8). Cyber Threats and Choke Points: How Adversaries are Leveraging 
Maritime Cyber Vulnerabilities for Advantage in Irregular Warfare. 
Modern War Institute at West Point. https://mwi.usma.edu/cyber-threats-
and-choke-points-how-adversaries-are-leveraging-maritime-cyber-
vulnerabilities-for-advantage-in-irregular-warfare/
---------------------------------------------------------------------------
    The National Maritime Cybersecurity Plan was a clarion call about a 
significant threat facing this country. Our report, Raising the Colors, 
was a first step at trying to provide a tactical approach to addressing 
that threat. We have to continue pushing forward to address this 
critical issue.
    Thank you again for the opportunity to provide testimony and 
information for the committee. I look forward to your questions and 
further discussion.

    Mr. DeFazio. Thank you. With that, I will begin with 
questions to the panel.
    A major point of contention is--I guess there are two, it 
is two issues.
    One is reporting. And, for instance, Mr. Belcher, you 
talked about 30 percent of transit systems you surveyed had 
been the victim of cybersecurity, but they never reported the 
incident. So, that is one issue, is reporting, whether or not 
reporting should be mandatory. And what is the value of people 
reporting? I would assume that there are many things to be 
learned when someone reports, and we properly analyze, and they 
report what the attack was. It may well benefit others in their 
same sector of industry, whichever one of these sectors we are 
talking about.
    And secondly is the idea of whether or not there should be 
a mandate. Now, I understand concerns about a very prescriptive 
mandate. But a mandate that all critical sector organizations 
have some sort of cybersecurity officer, or at least designee, 
if they have very few employees among their staff, and that 
they are sort of bird-dogging the people within their 
organization.
    So, I guess I would like briefly, if we could, each member 
of the panel to just quickly opine on the value of mandatory 
reporting, and a requirement that doesn't have to be totally 
prescriptive, but you have to have someone designated for 
cybersecurity within your organization if you are involved in 
critical infrastructure.
    So, any member of the panel who wishes to respond briefly 
would be appreciated.
    Mr. Belcher. I am happy to start. I am very comfortable 
with mandatory reporting, and very comfortable with a 
designated cybersecurity official. I recognize that--I mean, I 
work with a large number of very small and mid-sized transit 
organizations that do not have cybersecurity professionals. In 
fact, they are lucky to have IT professionals.
    Nevertheless, this is an important issue that is part of 
something that they have to do. It is part of an enterprise 
management issue. And I think one of the things that we have to 
do, as we look at managing organizations, is to make 
cybersecurity just part of the enterprise management, the 
management of risk, and the management of security of the 
organization.
    And so, identifying somebody, whether it is an employee or 
a consultant that is there and that can engage with TSA on a 
24-hour basis, I think, is absolutely essential.
    Mr. DeFazio. OK, thank you. Thank you, Mr. Belcher.
    Anyone from any of the other sectors who wish to respond?
    Mr. Stephens. Chairman, this is Michael Stephens from Tampa 
International. I would echo that sentiment.
    While I don't think that there is a problem with mandates, 
we are not unfamiliar with mandates for reporting in the 
aviation sector. For example, if you have an airfield incursion 
that is not authorized, we have to report that. If you have an 
[inaudible] airside incursion, we have to report that. So, 
there is not a problem with reporting and mandates for 
reporting.
    The problem becomes, though, what are we reporting? Part of 
the TSA proposed guidance that we have been providing comments 
to is very, very broad-based, in terms of what is being 
required to be reported. And information just for the sake of 
information is not necessarily a good thing, because it leads 
to information overload, and white noise, and a lot of times 
gets ignored. So, I think, while reporting mandates are 
appropriate, we have to tailor those to make sure that they are 
actionable, as I said in my opening comment.
    And then, secondly, I do believe that, if we have mandatory 
minimum standards, baseline standards for cyber resilience, a 
lot of those types of things that are falling through the 
cracks--reporting, identification, mitigation strategies--will 
start to be resolved.
    So, I think that both of those things are things that we 
need to do, but we need to do them in the right way.
    Mr. DeFazio. Thank you, that was very valuable comment on 
too much reporting of things that would not be of value.
    And just----
    Mr. Farmer. And Mr. Chairman, may I add to that, please?
    Mr. DeFazio. Sure, quickly, yes.
    Mr. Farmer. Thank you, sir. The key challenge here with the 
reporting mandate that has been presented to us by TSA is just 
what Mr. Stephens highlighted.
    And CISA Director Jen Easterly, she has made a point to 
emphasize that her agency is interested in signals, not noise. 
And that is what we have been providing in the rail sector for 
several years, dating back at least to the 2014-2015 timeframe. 
We are providing them with information products that delineate 
what happened, what a railroad observed, what the indicators 
were, and what they did about it, in terms of a security 
response, with recommendations that we share widely on measures 
that other railroads can take.
    And additionally, as I indicated in the opening statement, 
we provide thoroughly to our partners, and other transportation 
modes and sectors, and to Government.
    And on the appointment of the coordinator, again, we don't 
object to that. We have had [inaudible] coordinators for an 
extended period of time. But the draft TSA directive has a 
significant limitation. It requires U.S. citizenship. And the 
challenge there is we have two major operations, railroads that 
operate from Canada into the United States, CN and Canadian 
Pacific. And they are going to have an extremely difficult time 
meeting that standard, because their network operations, their 
expertise, is in Canada.
    What is really disconcerting here is we have put a lot of 
effort in with TSA in working collaboratively to overcome 
objections to a sharing of classified information with those 
cleared staff in Canada, with clearances from Canadian 
Government. And so, we just don't understand the basis for that 
restriction, because it is really setting up two major freight 
railroads for failure in meeting the future directive. Thank 
you.
    Mr. DeFazio. OK, thank you. That was very helpful. My time 
is expired, and now I recognize Mr. Crawford.
    Mr. Crawford. Thank you, Mr. Chairman. This month it was 
reported that TSA will soon issue mandatory security directives 
for rail transit and, potentially, aviation.
    Mr. Farmer, how much stakeholder engagement has TSA 
conducted in advance of their release?
    Mr. Farmer. So, there have been two outreaches from TSA, 
where we have been provided drafts of the directives to provide 
comments. In each case, they were done on a 72-hour response 
timeline.
    Mr. Crawford. Is that typical for TSA?
    Mr. Farmer. When the decision is taken to issue a security 
directive, the timelines are narrow.
    We believe that there is a clear opportunity here, 
consistent with the President's National Security Memorandum, 
to collaborate on the content of the directives, so that the 
disruptive effects that we see can be alleviated and avoided.
    Mr. Crawford. The previous mandatory directives for 
pipelines followed the Colonial Pipeline ransomware attack, if 
you recall. What incident or security threats are necessitating 
a mandatory security directive for freight, rail, or transit?
    Mr. Farmer. Sir, we have not been apprised of any imminent 
or elevated threat to railroads or rail transit agencies as a 
justification for this emergency action. Nor are railroads 
seeing the sort of activity that would be indicative of an 
elevated, specific, persistent threat to rail.
    Mr. Crawford. If you were apprised of such a threat, how 
would that be communicated to you?
    Mr. Farmer. We have well-established procedures with TSA 
for sharing information. We have quarterly teleconferences with 
their surface division. There is a group called the Surface 
Transportation Security Advisory Committee that meets 
quarterly. We have our Industry Cybersecurity Committee. The 
Rail Information Security Committee convenes twice a month. So, 
there are ample opportunities to communicate with us on an 
unclassified level.
    But we have taken it a step further. We have worked with 
the agency to establish a secure video teleconference network, 
so that they can deliver classified presentations up to the 
secret level nationally, so that railroad cyber leads can 
participate from locations in their headquarters' areas, and--
--
    Mr. Crawford. So, there is a robust exchange protocol 
already in place?
    Mr. Farmer. Yes, sir, we have devoted extensive efforts to 
creating a range of options to communicate information, both 
unclassified and classified, up to the secret level.
    Mr. Crawford. So, you are confident that, if there were 
some threats to rail, you would be warned in a timely manner, 
you would be aware of it, and that those communications 
channels are open and available?
    Mr. Farmer. Yes, sir.
    Mr. Crawford. And you don't see any threat, or have not 
been apprised of any threat that, to your mind, would warrant 
the mandatory security directive that is being proposed by TSA 
right now?
    Mr. Farmer. Yes, sir. We have not been apprised of the 
threat that is the justification for this emergency action 
through any of those communications channels I have referenced. 
I am based in Washington, DC. My colleague at the American 
Public Transportation Association, as well. We can be read in 
at the top-secret level. That initiative has not been taken.
    In fairness to TSA, they have referenced that there is a 
briefing being developed, and that it will be given. It has not 
yet been scheduled.
    But our concern is we have cybersecurity leads who, as part 
of our industry protocol, our emphasis on cybersecurity, every 
quarter, at board of directors meetings, cybersecurity is a 
recurring subject, and they are being asked questions about 
these directives, what the driving impetus is, and they can't 
answer them because we have not been provided that detail.
    Mr. Crawford. Let me ask you how you think the security 
directive might interact with what you already have in place, 
your current rail cybersecurity measures or reporting systems.
    Mr. Farmer. On the reporting systems, sir, the key 
challenge is the breadth of the definition of ``cybersecurity 
incident'' is such that it is going to overwhelm what Director 
Easterly at CISA wants to accomplish, and that is to get 
signals that are indications of potential cybersecurity 
concerns, significant cybersecurity concerns, as opposed to a 
lot of noise.
    Mr. Crawford. And you are afraid that this might just, 
basically, create more noise, and it might be more difficult to 
catch those signals.
    Mr. Farmer. Yes, sir. And I think the challenge is--and it 
is twofold--it is the breadth of the reporting protocol; 
``cybersecurity incident'' is widely defined.
    Secondly, the timeline. Initially, it was 12 hours, based 
on input we provided. It has been extended to 24, and I think 
many cybersecurity experts would tell you that it is very 
difficult in that first 24-hour period to have insight into 
whether what is taking place is actually significant, from a 
cybersecurity perspective.
    We have got the right experts in place, and they can 
provide the right information.
    Mr. Crawford. Yes, just real quick in the time I have 
remaining, can you give us some ideas of some of the 
cybersecurity practices that you have already adopted and 
implemented in rail recently?
    Mr. Farmer. Yes, sir. And the efforts in this area go back 
more than two decades. That is how long we have had a 
cybersecurity focus committee. And it is a continuous analysis 
process of what the prevailing threats are, and what we can be 
doing effectively to address them.
    The committee provides a collaborative approach. We share 
information on cybersecurity concerns. We share information on 
effective practices. The chairman, in his opening remarks, 
outlined a series of actions: multifactor authentication, the 
conduct of assessments, action on those assessments, strong 
passwords. Those fundamental measures are being taken.
    I think, most importantly, no one is resting on laurels. We 
take the NIST cybersecurity framework, and we assess our 
cybersecurity posture against that framework at least every 2 
years. And, based on the lessons learned, we focus on enhancing 
our practices. And all the effort we are devoting to 
information sharing is designed to make sure the right people 
have what they need and can take the right measures to narrow 
their risk profile and prevent harm from happening.
    Mr. Crawford. Thank you, Mr. Farmer. My time has expired.
    Ms. Norton [presiding]. Thank you very much. I now 
recognize myself for 5 minutes.
    Cybersecurity presents a fairly unique challenge to Members 
of Congress: we're supposed to do something about problems, 
recognizing, however, that there is no cure-all for 
cybersecurity.
    But Mr. Belcher, you discussed the need for carrots and 
sticks to ensure the necessary resources are utilized by 
transit and their agencies. You also mentioned the need for the 
Federal Transit Administration to require organizations to 
adopt and implement minimum cybersecurity standards prior to 
receiving Federal funding.
    I would like you to briefly explain the specific carrots 
and sticks you would recommend the Federal Government use to 
get transit organizations to the minimum cybersecurity 
standards you see as urgently needed, Mr. Belcher.
    Mr. Belcher. Sure. I would be happy to. So, Mr. Farmer 
described a situation in the rail industry that is a little bit 
different from the situation in the transit industry.
    The transit industry has over 3,000 transit operators, 
public transit operators, that range in size and 
sophistication. And my experience with them is that they are 
desperate for regulation, and they are desperate to be told 
what to do. This is really an area where they don't know what 
to do. And in fact, just yesterday I was speaking, and I had a 
transit CEO ask me what they needed to do to secure their Zoom 
calls. So that was the level of sophistication that they have 
when it comes to cybersecurity. And this was a CEO. So, they 
get the same briefings that Mr. Farmer talked about, but they 
don't have the resources to do it.
    So, you have a couple of things. You have a series of 
agencies that are underresourced, and that have to manage, and 
then, through the pandemic, have found their resources have 
been stretched further. And so, they have a whole new series of 
challenges facing them.
    So, the carrots are to provide funds to support them, and 
to provide them with tools to support them. And those tools are 
contractual language, the tools are to provide them with 
cybersecurity assessments. The large transit operators do get 
resources, do get Federal funding, do get support from TSA to 
do assessments, to do audits, to do cybersecurity plans, but 
the vast unwashed do not. The small to midsized transit 
agencies do not get funds for that, do not get that level of 
support. So, those are the ones who really need it desperately. 
They need that help.
    And as it relates to what you can do with respect to the 
agencies, I think you need to have the--before a transit agency 
receives Federal money from the FTA, they need to certify that 
they have a cybersecurity plan in place, because we found that 
almost 50 percent of the agencies do not have a basic 
cybersecurity plan in place.
    Ms. Norton. Yes, well, that is really helpful, Mr. Belcher. 
I am really interested in this issue.
    You spoke about cyberattacks that already have involved 
transit agencies in cities like New York, and places like 
Massachusetts, Pennsylvania, Vancouver. Now, I represent the 
District of Columbia. Many Members of Congress and their staff 
use transit agencies here, so these cyber effects could have 
very specific and harmful effects on Congress itself.
    Can you discuss how the attacks have impacted average 
citizens?
    Mr. Belcher. Sure.
    Ms. Norton. For example, have these disruptions, and the 
huge increase, a 186-percent increase in ransomware attacks on 
the transportation sector, generally, shown us the attack on 
the average person using transportation?
    Mr. Belcher. Yes, in a number of ways. One example is at 
SEPTA, which had a major ransomware attack last year, or 
earlier this year. SEPTA was forced to shut down its public 
communication system, so it was not able to communicate with 
its customers for almost 2 months, digitally.
    A large percentage of its customers utilize mobile 
applications to determine when their bus or their train was 
going to arrive, and how to access it, and they pay for it with 
a mobile application. They couldn't do that any longer. Many 
customers go and look on a digital screen to see when their bus 
is going to arrive. They couldn't do that any longer. They had 
to go back to paper schedules, and so they were forced to do 
that. So that is one example.
    A second example is that, when a transit agency has to pay 
out a ransom, which many of them do, first of all, they may be 
insured once. Once they pay out a ransomware, the likelihood 
that they are going to get insurance a second time is highly 
unlikely. So, that is going to increase the cost of operations. 
So, there are a variety of ways that people are impacted.
    And then, third, it can impact the operations. The main 
things we are concerned about right now are not the things that 
you would think about, in terms of, like, the movie, ``Speed.'' 
That is what we all think about, is something is going to take 
over, and take over a bus, or take over a train autonomously. 
That is not why CEOs stay up at night--they are worried about 
somebody taking over PII, the customers' or the employees' 
personal information, or the operating system. And those are 
the things that hackers are getting a hold of and that impact 
passengers.
    Ms. Norton. Well, thank you very much, Mr. Belcher.
    I next call on Mr. Gibbs.
    Mr. Gibbs. Thank you, Madam Chair.
    Mr. Kessler, I want to ask some questions here about the 
maritime industry. Is it inherently more difficult protecting 
IT communications systems that are both worldwide and require 
ship-to-shore communications?
    Mr. Kessler. Are you asking if it is harder to secure 
those?
    Mr. Gibbs. Well, I am trying to understand the 
complications of when you have got a shipping company that is 
worldwide, that has ship-to-shore communications, do they 
establish firewalls in their land base to the ships and just 
how does all that relate, and how vulnerable are they to 
cyberattacks, I guess.
    Mr. Kessler. Well, they are as vulnerable as any other 
remote communications.
    One of the mechanisms that are used widely to talk to ships 
is by VSAT, very small aperture terminals. And there have been 
any number of studies and demonstrations, particularly at the 
hacker conferences, about the fact that, when the communication 
is coming back down, it is not directed at a ship, or even a 
place on Earth. It is going to a total footprint on Earth, and 
that makes it very easy for people to intercept those 
communications, which are, in a large way, unencrypted.
    And so again, the demonstrations at the hacker conferences 
have shown all sorts of very interesting communications coming 
between ships and back to shipping headquarters, or just in 
internet access for passengers that are just sending emails 
that are also invariably unencrypted. So that is one of the 
unique communications problems we have on ships.
    Certainly, the ships themselves are using firewalls. What I 
believe we are going to see ongoing, as we get more and more 
autonomous vessels and remote-controlled vessels, is the fact 
that, if I am able to remotely access a vessel in order to 
provide control, it is naive to believe that nobody else could 
somehow also take over that communication.
    Furthermore, when I get fully autonomous vessels, that 
means we are going to have to change the collision regulations 
or the maritime rules of the road. For example, you are 
required to have a lookout on board a vessel. Well, if I have a 
fully autonomous vessel, I can't have a lookout. So instead, 
what I am going to do is have a whole bunch of cameras, and 
they are going to be remotely monitored. That will suffice for 
my lookout.
    Well, again, if I can remotely access the cameras, then it 
would be naive to believe that nobody else could break in and 
look at the cameras, possibly change the contrast setting on a 
camera so that the camera is now blind.
    Mr. Gibbs. OK, let me----
    Mr. Kessler. So those are some of the issues----
    Mr. Gibbs. Let me--yes, let me just interrupt you, I am 
running out of time. Autonomous vessels, that is more in the 
future a little bit.
    But I also was concerned--we had the malware attack on 
Maersk in 2017. Can you tell us what specific steps maybe have 
been taken by the shipping industry to mitigate future attacks?
    And have we been more vulnerable with the crisis of the 
supply chain, with all the ships being idled and backlogged?
    Mr. Kessler. Well, very quickly, Maersk, of course, was 
whacked quite hard by a ransomware attack for which they were 
not a target. They were merely susceptible. And I believe that 
that was, though, a wakeup alarm for the maritime industry.
    However, as I said in my testimony, there were at least a 
dozen well-known attacks in 2020 and 2021 that were directed at 
the maritime industry. There have been at least two maritime 
entities that have been hit by two ransomware campaigns during 
that period of time. So, while the awareness has gone up, and 
there has been positive responses, it seems that it continues 
to be an ongoing problem.
    Mr. Gibbs. So, we haven't really gotten any satisfactory 
solutions to address it? Still kind of really vulnerable, is 
that what----
    Mr. Kessler. I think that the satisfactory solutions have 
not been implemented, and some of those things have been 
actually mentioned with some of the other sector speakers, as 
well.
    A lot of it is awareness training for everybody in the MTS, 
because so many of these attacks occur because humans are 
socially engineered.
    Mr. Gibbs. OK.
    Mr. Kessler. But at the same time, I would like to say we 
have to stop throwing our hands up in the air and saying, ``oh 
my goodness, it is the users,'' because that implies that we 
are giving the users secure systems, to begin with, that the 
people are somehow screwing up.
    The fact is we are using operating systems that are not 
secure. We have applications that are not secure. And you only 
have to look at the number of patches that are coming out 
constantly to demonstrate that we are working with systems that 
are not as secure as they should be, which gives the users not 
really a chance.
    Mr. Gibbs. Thank you very much. I yield back my time. Thank 
you.
    Ms. Norton. I now recognize Mr. Larsen for 5 minutes.
    Mr. Larsen. Thank you, Madam Chair.
    My first question is for Mr. Stephens, if you could 
prepare, Mr. Stephens.
    The U.S. aviation sector is very complex. It is made up of 
various entities and stakeholders responsible for different 
aspects of it. Have you considered how the complexity of the 
U.S. aviation system, though, then makes that system more 
vulnerable to cyberattacks, or less vulnerable because of the 
complexity?
    How do you approach that?
    Mr. Stephens. Oh, that is an excellent question, 
Congressman. In a way, I think it makes it more vulnerable, and 
here is why. I will give you an example.
    The MTA attack that was mentioned earlier, it affects New 
York, it could create delays. It can create some safety risks. 
But it doesn't impact, maybe, the metropolitan transportation 
system in San Francisco. However, a cyberattack in New York at 
JFK, or one of the other major airports in that area, would 
very well not only impact, because of the connectivity, the 
airport in San Francisco, but across the globe, potentially. 
So, it is much more global, I think, in scope and approach.
    Also, I think you have so many interdependent pieces. You 
have air traffic control systems, particularly the shift from 
terrestrial-based air traffic control management to satellite-
based air traffic control management with NextGen. There are 
significant issues with the interference and cyber hacking, 
potentially, of signals and satellites that create the position 
awareness for those aircrafts and for controllers to be able to 
control those aircraft.
    In my previous life I was an air traffic controller in the 
Air Force, and I will tell you being able to have positive 
control in everything in your airspace is of paramount 
importance, for obvious reasons. So, for those reasons I do 
believe that there is greater complexity because there are more 
interoperating systems, and there is a much broader landscape 
to cover, geographically speaking.
    Mr. Larsen. Does the FCC's decision on 5G, where the 
aviation sector expressed concerns about the size of the buffer 
between mid-band wasn't wide enough to protect aviation, do you 
see that as an additional vulnerability, or is that a separate 
issue for the aviation sector?
    Mr. Stephens. I see that as an additional vulnerability. 
Anything that potentially impacts the safe navigation in our 
airspace, whether it is from 5G, or whether it is interference 
with global positioning satellites, or any other type of 
malicious intrusion or unintentional intrusion becomes a huge 
issue. It is a force multiplier.
    And our colleagues from the maritime space and the surface 
transportation, they are all dealing with the same things. 
However, it is a little bit different when you are cruising at 
500 miles per hour and 40,000 feet. You don't have that much 
room for error. And that isn't being said to minimize the 
situation with any of the other represented sectors. However, 
the consequences of error in aviation, potentially, are 
significantly greater. So, anything that impedes the safe flow 
in that airspace is a huge issue that we all have to make sure 
that we are coordinating on.
    Mr. Larsen. Yes, thank you. I want to shift to Ms. Samford, 
please, if you could prepare, just to ask you about the 
Incident Command System for Industrial Control Systems, and the 
model for the National Incident Management System. You 
discussed applying that in private-sector response, mainly.
    But is that system adaptable to all industries? Is it a 
template you can just pick up and put down? Or do you 
anticipate, within the transportation sector, it would have to 
be modified industry by industry?
    Ms. Samford. That is a wonderful question, and thank you 
for it, Congressman Larsen.
    Incident Command System is used globally. It was recently 
endorsed by the United Nations, so it is really a model. It is 
a framework that sits on top of existing plans. So, it is 
really industry or sector agnostic.
    Mr. Larsen. Yes, OK. I am not sure the U.N. endorsement 
would please some of the Members in the U.S. House, but that is 
fine.
    Back to Mr. Stephens briefly, then. I have got 30 seconds, 
total. How can Congress incentivize the aviation sector to 
address cybersecurity issues? Are there specific points that we 
ought to do, other than what you have mentioned in your 
testimony?
    Mr. Stephens. I think there are some specific things, 
Congressman. Very quickly, in the interest of time, I think 
there needs to be more investment, first of all. If you look at 
the TSA proposed guidance out there that requires all of these 
different things, they are good things. They are headed, 
notionally, in the right direction. But without investment, 
without developing the capacity and capability and workforce, 
they are just prescriptions that can't really be met.
    When you see one airport, you have only seen one airport. 
They are different in size and scope and resources. So, every 
airport that is a commercial airport wouldn't be able to 
achieve that. So, if I had to give you one thing, it would be 
more focused investment, and talent development, as well as 
resources to meet any prescriptions that are set down from 
Congress or TSA.
    Mr. Larsen. Thank you very much.
    Ms. Norton. Next, I call on Mr. Webster for 5 minutes.
    Mr. Webster. Thank you, Madam Chair.
    Dr. Kessler, my first question is to you. You mentioned the 
unique--maybe the unique--problems with autonomous shipping. 
You mentioned one example, and that was a lookout. Are there 
other things that would be unique--and maybe bring on new 
hazards and so forth, as far as cybersecurity--to the area of 
autonomous shipping?
    Mr. Kessler. There are some things with the autonomous 
vessels, but that also actually impact the nonautonomous 
vessels.
    Autonomous vessels, of course, are going to be highly 
reliant on position navigation and timing systems, which is to 
say GPS. They are also highly reliant on situational awareness 
systems, such as the automatic ID system that allows vessels 
that are in proximity to identify themselves to other vessels 
in terms, not just of location, but also, of course, heading, 
rate of turn, destination, and speed, all that kind of stuff. I 
mean much more than, for example, radar would give you. Those 
systems are also highly unsecure.
    Mr. Stephens referred to a little bit about the importance 
that aviation has for GPS. Maritime also has the same reliance, 
and that reliance, once we get into the near-coastal waters, is 
particularly important. As an example, if I can somehow spoof 
your GPS signal, and make you go off course by 100 meters or so 
in the open ocean, well, that is not good, but it is not 
terrible. If I cause you to go 100 meters off course in Kill 
Van Kull, as you are going into the Port of New York and New 
Jersey, that is a big problem, because I can now block the 
entire port. So that is one of the issues that we have.
    The situational awareness system that I mentioned, AIS, 
also is not terribly secure, and can be easily spoofed. And we 
have seen some--you know, the more egregious demonstrations of 
that in the Black Sea during the NATO exercises last June.
    But again, going back to the autonomous vessels, it is not 
just the lookouts, it is also the entire--being able to control 
the vessel. And if I can get something to go off course, 
obviously, that is, I think, a big potential problem with those 
vessels.
    Mr. Webster. Thank you very much.
    Mr. Stephens, can you tell me, at Tampa International 
Airport, I guess you had mentioned that there have been great 
strides made, as far as cybersecurity. But on the other hand, 
you picked up some strides on the other side, from attacks and 
so forth. Can you elaborate on that any more?
    Mr. Stephens. Congressman, yes. What I will tell you is 
that most airports, particularly your large hub airports, which 
are your 30 largest by traffic, passenger traffic airports, are 
under attack constantly. We at Tampa International probably 
defend about 3 million malicious cybersecurity attempts at our 
network every year.
    And while we, here at Tampa International, have done a 
pretty good job by most standards, we have adopted the NIST 
standard, and we also have adopted aspects of another standard 
called COBIT. We still are looking at making sure--how can we 
harden our network? How can we train our employees to recognize 
these threats and attacks?
    And the problem with cybersecurity defense: we have to be 
right almost 100 percent of the time. The bad guys don't have 
to be right all the time. They have to be able to get at us one 
good time, and you can really disrupt some things.
    So, in summary, it is just an enormous, enormous challenge 
out there. The good thing is, though, that we don't do it 
alone. Everything, from CISA to TSA to the FBI and all of our 
partners, there is great information sharing and exchange, as 
Mr. Farmer alluded to in the rail industry. And we do the same 
thing in aviation by mandate.
    So, we are not strangers to mandatory information sharing. 
Again, as I stated before, it is the nature and the quality of 
what we share that is really going to make the difference.
    Mr. Webster. USF has--out of the university system, the 
University of South Florida has been one of the designated 
cybersecurity hotspots. Are they part of your team, too?
    Mr. Stephens. That is a great question. We do a lot of work 
with the cybersecurity groups around here, particularly coming 
out of USF. They hold a fantastic conference. We send some of 
our folks to that conference to participate. But again, I think 
we can do even more, maybe getting them involved in more 
tabletop exercises, and things of that nature. But we do 
participate with those local groups such as USF.
    Mr. Webster. Thank you very much. I yield back.
    Ms. Norton. I now recognize Mr. Carson for 5 minutes.
    Mr. Carson. Thank you, Madam Chair. I really appreciate it.
    As a former law enforcement officer who worked at our 
Indiana Intelligence Fusion Center, I am always concerned about 
making sure that information sharing is strong, and I know how 
critical it is for Federal officers to share timely and 
detailed information with local and State partners.
    Tell us, what is working well? What needs to be improved? 
And what do you recommend to improve the flow of information to 
strengthen cybersecurity for transportation, and even 
infrastructure?
    Mr. Kessler. Well, if I can say a few words about 
maritime--and I will keep this short--there is a very strong 
reporting requirement, at least within U.S. waters, and 
possibly even with all U.S.-flagged vessels, the few that we 
have, that they report on any safety issue to the U.S. Coast 
Guard.
    We are only now really beginning to view cybersecurity as a 
safety issue. And so, while the mechanism in place--at least, 
again, in maritime and U.S. waters--to provide information to 
the Coast Guard, we need to have some better reporting 
structure and requirements for those cybersecurity issues to 
get reported up. There is a lot of work being done that all of 
the ports in the United States need to have a facility security 
plan, and now they have to have a cybersecurity amendment to 
that plan. So, the process is moving, albeit a little bit 
slowly.
    Mr. Belcher. I would say, from the transit perspective, 
there is a lot of communication that comes from the major 
transit associations, particularly APTA. They have a number of 
committees that communicate with their members, both large and 
small, a lot of standard development.
    AASHTO also has a committee that works largely with the 
smaller and rural transit associations. So, there is a lot of 
communication in that regard.
    And then TSA works closely with those associations.
    And I think what you are starting to see is greater 
engagement by this administration in cybersecurity. And as a 
result, you are starting to see greater and greater engagement 
by the administration, both--obviously, from DHS, but now even 
at the Department of Transportation level with the industry. 
And that is something that is new.
    Mr. Carson. Thank you----
    Mr. Farmer. Tom Farmer, if I could, sir.
    Mr. Carson. Oh.
    Mr. Farmer. On the point of information sharing, what is 
working well among sectors in transportation is cross-sector 
sharing through the different information sharing and analysis 
centers for aviation, oil and natural gas, for public 
transportation, the railway network that we manage. And that 
has been very helpful in organizations understanding what 
others are seeing in transportation, from a cybersecurity 
perspective, and that gives insight.
    If you are considering attackers, they likely haven't gone 
after one transportation entity. They are likely going among 
several to try to find opportunities. And so that sharing of 
indicators of cybersecurity concern can be very valuable for 
our awareness.
    I think, importantly for the Cybersecurity and 
Infrastructure Security Agency, it is those sorts of signals 
that can help them determine whether what is happening is 
indicative of a pattern, of trends of a potential developing 
threat that merits attention. So that [inaudible] is working 
very well.
    And there is a group that the TSA Administrator has 
appointed called the Surface Transportation Security Advisory 
Committee. It is a direction that Congress gave in the TSA 
Modernization Act of 2018, and it comprises representatives of 
each of the surface transportation modes: security support 
experts, State and local government representatives. And that 
committee earlier this year made 18 unanimous recommendations 
to the TSA Administrator, all of which he has accepted. Four of 
them focus on cybersecurity information sharing, with the aim 
of building this early notification network of sharing among 
sectors of what they are seeing, so that their colleagues can 
understand what the potential threats are. Thank you.
    Mr. Carson. Thank you. I yield back, Madam Chair.
    Ms. Norton. The gentleman yields back. I call on Mr. Massie 
for 5 minutes.
    Mr. Massie. Thank you, Madam Chairwoman. I find this 
hearing somewhat terrifying. It is based on the premise that 
Federal involvement in ensuring cybersecurity in the private 
sector is either necessary or sufficient. It is not either of 
those things. And so, I am worried.
    I mean, asking this committee to come up with standards for 
platforms in cybersecurity is a little bit like asking my 
cattle to write a term paper on one of Shakespeare's works. I 
mean, we are just not qualified to do it, and I am going to 
include myself in that. I have an undergraduate degree in 
electrical engineering and computer science from MIT. All that 
qualifies me to do is to know what I don't know. And I am 
terrified at what we don't know.
    If some legislation comes out of this--and maybe it is 
already written, probably already written--if it is going to be 
written, it is going to be written by the vendors, who 
continuously fail to protect the assets of the Federal 
Government and the private sector.
    And so, with that, I want to ask Mr. Kessler, can you tell 
us what a zero trust architecture solution is, and why that 
might have advantages over some of the other architectures in 
the context of cybersecurity?
    Mr. Kessler. Well, actually, there were a number of things 
that you said that--since your background--well, I didn't go to 
MIT, but--matches mine.
    So, the zero trust architecture, it is basically, in my 
view, a relatively recent buzzword for trying to put together 
the idea that I start out with not trusting any entity with 
whom I communicate. And so, trust has to be designated. And it 
is a way of controlling access, not only to the fact that you 
and I can communicate, but, in fact, what we are going to 
communicate about, what you have access to. And again, I don't 
give you access to anything except that which I have 
specifically given you access.
    However, you mention a point that I would like to say a few 
words about.
    Mr. Massie. What--OK. If I have time at the end, I will 
allow you to do that.
    Mr. Kessler. OK, all right.
    Mr. Massie. The zero trust architecture, is it possible to 
build that on top of, say, a Microsoft operating system?
    Mr. Kessler. I believe you can, at the application level. I 
will keep it there. Yes, I believe you could.
    Mr. Massie. OK. I believe you can't, because if you are 
using the Microsoft operating system, you are getting updates 
from a vendor that you implicitly have to trust, or else the 
operating system does not work.
    You are also getting an operating system that you can't 
audit. No audit is possible. Microsoft would not give you that 
level of access to know that--if you have a platform.
    But I will allow you the application itself might be zero 
trust, and I think that was your answer. You are, obviously, 
more knowledgeable in this than me. I am just trying to point 
out to everybody else that everything underneath of that 
application cannot be trusted, because you can't audit it.
    And so, I want to go on and just say, Mr. Belcher, you 
talked about the vast unwashed, and you were shocked that a CEO 
of a transit company didn't know how to secure a Zoom meeting. 
Would you be willing to put $1 million in bond, and we hire a 
hacker, and see if you can protect a Zoom meeting?
    Mr. Belcher. No.
    Mr. Massie. OK, I wouldn't, either, because, from a 
directed, focused attack, it is really not even possible to 
guarantee that.
    Ms. Samford, you use the words ``consistency,'' 
``interoperability,'' ``uniform,'' and ``coordinated.'' Every 
hacker is getting excited when they hear that. It is like every 
castle has the same defense. And by the way, you have to trust 
the vendor, so it is like every castle's guard at the gate 
doesn't work for the people inside the castle, it works for 
somebody else, and they all use the same secret knock. And so, 
you could get in the door by trusting this vendor. And so, the 
hackers love these words ``consistency,'' ``interoperability,'' 
``uniform,'' and ``coordinated.'' This is what allows them to 
hack not just 1 person on any given day, but 10,000 companies 
on any given day.
    I am running out of time. I would suggest that, if Congress 
has any role here in mandating anything, it would be to have 
audits, and audits that are not written by the vendors, audits 
that are third-party audits that test--penetration testing of 
these systems. Otherwise, if you let vendors audit themselves, 
it is not going to work.
    And with that I will yield back, and if somebody gives me 
more time I would love to go on.
    [Laughter.]
    Ms. Norton. The gentleman's time has expired. I now 
recognize Mr. Payne for 5 minutes.
    Mr. Payne. Thank you, Madam Chair.
    Mr. Belcher, under the Rail Safety Improvement Act of 2008, 
Congress mandated that all Class I railroads and commuter and 
intercity passenger rail providers install Positive Train 
Control systems. Positive Train Control systems work to prevent 
unsafe movements and accidents by using an information network 
to regulate trains' positions. However, information networks 
can be vulnerable to bad actors, and must have adequate 
cybersecurity protections.
    How should freight railroads and commuter and intercity 
passenger rail providers best protect these critical systems, 
and what consequences could result from a cyber incident of PTC 
systems?
    Mr. Belcher. Well, I think Mr. Farmer is probably better 
qualified to respond to that question than I am----
    Mr. Payne. OK.
    Mr. Belcher [continuing]. Given his background.
    Mr. Payne. All right. Mr. Farmer?
    Mr. Farmer. Yes, sir, excellent question. Positive Train 
Control is a safety overlay to our operations. And I think what 
is significant here is, as opposed to many of the industrial 
control systems that we have seen hacked, a lot of them are 
older systems, not designed with cyber threats in mind. PTC has 
been specifically designed with cyber threats in mind.
    And in particular, through the Rail Information Security 
Committee, which I referenced earlier in testimony, a concerted 
effort was devoted to coordinating with the National 
Laboratory, Lawrence Livermore National Laboratory, to do the 
sort of work that has been referenced a number of times in this 
hearing, to look at how the system was designed, to take the 
view of an adversary, to conduct penetration-type activity, to 
determine where potential vulnerabilities might be, and enable, 
as the development process proceeded, those matters to be 
addressed with effective cybersecurity measures.
    Built into PTC you have, in particular, network 
segmentation, advanced encryption, short-term access 
authorizations for moving trains, all of which are designed to 
narrow the possibility that, one, a breach can happen; or 
secondly, if it does, that it can spread beyond the limited 
site in the network.
    So that has been a concerted effort, and developed with 
cyber threats in mind, with support of Government through the 
National Laboratory, and through the proactive information-
sharing work we do with CISA and TSA. Thank you.
    Mr. Payne. Thank you.
    And Mr. Farmer, good cyber hygiene is very important to 
protect against potential consequences that you just 
articulated. As chairman of the Railroads, Pipelines, and 
Hazardous Materials Subcommittee, I have a responsibility to 
ensure that freight railroads meet the evolving threat of 
cyberattacks.
    Your testimony makes it clear that AAR opposes TSA's 
security directives. What assurances can you give this 
committee that freight railroads have taken the steps necessary 
to deal with a cyberattack targeting these critical systems?
    Mr. Farmer. Well, the assurance is demonstrated in the 
experience of what we do in the industry, experience that is 
well-known to our partners in Government.
    I mentioned earlier the committee that we have focused on 
cybersecurity more than two decades in duration. That group 
convenes twice monthly. It is an effective forum for sharing 
information on cybersecurity concerns, and on effective 
practices to mitigate risk.
    The sorts of sound, fundamental measures that are taken 
across our industry include training for users on networks, 
drills of that training to make sure that the learning is 
tested and evaluated, exercises conducted within the railroad, 
conducted with TSA through its intermodal security training 
exercise program, and a national-level industry exercise we 
hold every year, where we take actual cyber incidents that have 
happened in other industries, and posit what would we do in the 
railroad industry if faced with similar situations.
    And that gets into the key measure here, which is the well-
developed preparedness and incident response plans that 
railroads maintain and constantly exercise, constantly refine, 
based on the assessments we do, based on what we learn, in 
particular from our interaction with Government on the nature 
of the evolving threat. Thank you.
    Mr. Payne. Thank you.
    And Madam Chair, I yield back the balance of my time.
    Ms. Norton. The gentleman yields back. I now recognize Mr. 
Perry for 5 minutes.
    Mr. Perry. Thank you, Madam Chair.
    Mr. Belcher, your testimony explains that even the 
transition to electric buses brings with it a whole new level 
of cyber exposure and other security risks not previously 
anticipated. Given the majority's push to electrify everything 
without regard to the consequences, this statement may fall on 
deaf ears. But I think it is important to ensure everyone here 
knows what you mean by that statement.
    Can you tell us how much greater is the cyber exposure in 
an electric bus fleet, relative to a diesel bus fleet?
    Mr. Belcher. Well, it simply creates a new threat vector in 
the sense that any time you add a new opportunity, a new 
digital connection, you create a new opportunity for an 
adversary to access your network.
    Mr. Perry. So, are you talking about things like the 
ability to degrade batteries remotely, cause fires, manually 
take over controls of the vehicle, that kind of thing?
    Mr. Belcher. Yes, you have created an opportunity to access 
the network. But----
    Mr. Perry. So----
    Mr. Belcher. But you are talking about sophisticated 
companies that are far more sophisticated, and that are 
building in protections into their bus systems and into their 
networks.
    So, I think, while there are risks that come with that, new 
risks that we never thought about, these are sophisticated 
companies that are building in cybersecurity protections, as 
they develop these new technologies.
    Mr. Perry. But would you also say, then, I mean, based on 
that, yes, they are building in protections, but haven't 
computer companies and automation companies built in security 
protocols all along, but yet they have still been breached over 
and over and over again?
    Mr. Belcher. One hundred percent. We would be far safer if 
we were still running diesel buses that were not connected to 
anything, and that had no digital connections to anything.
    Mr. Perry. Right, OK. So, your testimony cites the 2020 
Mineta Transportation Institute report on cybersecurity in the 
transit sector extensively. This report presents some pretty 
damning conclusions. As you noted, the 2020 MTI report 
concludes that, for many transit agencies, internal resources 
for cybersecurity are scarce. And you go on to cite reports 
finding that 43 percent of the agencies do not believe they 
have the resources necessary for cybersecurity preparedness.
    To me, this raises a legitimate question about what exactly 
the taxpayer is getting back for the tens of billions of 
dollars per year that the FTA provides to transit agencies, and 
the nearly $90 billion we have given them in the past 2 fiscal 
years.
    I mean, if transit agencies have failed to invest in 
protecting their cybersecurity systems, and have failed to do 
regular maintenance and upkeep, leaving more than $100 billion 
in state-of-good-repair backlog, both allegedly due to lack of 
resources, what in the hell are they spending their money on?
    Mr. Belcher. You know, that is----
    Mr. Perry. Yes, I guess that is probably not a fair 
question. Let me ask you this----
    Mr. Belcher. It really isn't a fair--yes, OK.
    Mr. Perry. I think the answer to that question might be a 
result of section 13(c) of the Urban Mass Transportation Act 
providing for employee protective arrangements, or agreements 
that effectively provide labor union leadership veto power over 
any potential Federal grants to their employer, which gives 
union leadership unparalleled negotiating leverage to force 
transit agencies to cave in to their demands.
    This requirement is largely, in my opinion, responsible for 
the steep decline in transit worker productivity after it was 
enacted in 1964, despite the fact that nearly every other 
industry saw significant productivity increases.
    It is also a significant contributing factor to the 
sector's uniquely high labor cost, as a percentage of operating 
cost, and massive, unfunded pension liabilities.
    Given this background, would you agree that section 13(c) 
needs to be either repealed or, at the very least, 
significantly reformed so that transit operators are able to 
invest necessary resources to protect from physical and cyber 
threats?
    Mr. Belcher. I have no opinion on that.
    Mr. Perry. All right. How about the authors of the report 
emphasize the FTA should require transit organizations adopt 
and implement minimum cybersecurity standards prior to 
receiving Federal funding, where do you stand on that?
    Mr. Belcher. I agree.
    Mr. Perry. There you go. Thank you, Madam Chair, I yield 
the balance.
    Ms. Norton. The gentleman yields. I now call on Mr. 
Carbajal for 5 minutes.
    Mr. Carbajal. Thank you. Thank you, Madam Chair.
    Mr. Stephens, you highlight the importance of cybersecurity 
information sharing and communication. You also highlight how 
information sharing between the Government and the private 
sector has not been as effective as it could be, because it is 
voluntary.
    What should be considered when thinking of legislation 
regarding mandatory cybersecurity information sharing and 
communication between the Government and the private sector?
    Mr. Stephens. Thank you, Congressman, for that question.
    One of the things--I would start from this perspective. 
Before legislation is struck, I think there has to be robust 
dialogue with the entities or the sectors that are going to be 
regulated. Sometimes moving too quickly to get something out 
significantly creates more obstacles, and more bureaucratic 
redtape, and impairs the cybersecurity preparedness of certain 
agencies, as many of us have spoken about.
    To that end, though, a voluntary structure where there is 
no enforcement is relatively meaningless. You have to have some 
mechanism for enforcement. So, it is not a one-size-kind-of-
fits-all approach. It is a holistic approach that, I think, our 
Federal Government has to take towards cybersecurity.
    I will give you a primary example. Under FISMA, which--CISA 
is responsible for reviewing all of the Federal agencies, 
right? The vast majority of them have received D's. So the 
question becomes, if we can't--under FISMA, which has been 
struck some time ago--police the cyber hygiene of our own 
Federal agencies, it is a very difficult hurdle to then create 
mandates that are not attainable for other covered sectors. So, 
involvement with those covered sectors and getting really solid 
advice and perspective before those things come out is 
important.
    And I will finish with this. Again, going back to the TSA 
proposal, for example, there was a 24-hour time reporting 
requirement under that proposed guidance. Most entities who 
have cyber incidents cannot begin to even do analysis on 
anything with respect to a cyber incursion in order to be able 
to meet that requirement, versus what is happening in the 
Department of Defense under the National Defense Authorization 
Act is a 72-hour requirement.
    So, in short, I think that, while mandatory reporting 
requirements are great, it is what do we report and how do we 
report those things.
    Mr. Carbajal. Thank you very much.
    Dr. Kessler, you are an educator on the topic of 
cybersecurity at the U.S. Coast Guard Academy, and I am 
interested in your insight into the importance of cybersecurity 
training programs to strengthen our defenses.
    Your recent report, ``Raising the Colors,'' highlighted the 
need for industry-recognized certification in both information 
technology and operational technology fields, and the creation 
of cybersecurity training programs by the Coast Guard and the 
Department of Transportation.
    With the support of the Department of Energy, the 
Department of Homeland Security, as well as the State 
Department and international organizations as vital to 
cybersecurity improvements, could you discuss the need for 
standardized training and certification in the Nation's cyber 
defenses?
    Mr. Kessler. Thank you very much for the question. I think 
we need to have certain standardization, so that everybody is 
at least getting the same baseline understanding and is on the 
same page of what it is we are trying to protect. I think it is 
incredibly important to recognize through this, and 
particularly as you are all considering legislation.
    I agree, again, with what Mr. Stephens just said about 
working closely with stakeholders. The solution to cyber is not 
solely a technology solution. I will pull out an old quote that 
says anyone who thinks their technology can solve their 
problems doesn't understand technology and doesn't understand 
their problems.
    If people are a big part of the problem, then people have 
to be a big part of the solution, and technology can't save 
them. Because people who don't know what they are doing can 
always get around the technology. So that is why the training 
is so incredibly important.
    And there does need to be a certain global aspect to it, 
since the ships are going everywhere, and coming from 
everywhere, and can carry malicious software and viruses from 
port to port.
    And so, again, the training has to be on the technology 
level, so that we have the appropriate number of technologists 
in the field, as it has already been discussed, that we are way 
short on the number of cybersecurity practitioners. But 
essentially, today everybody has become a cybersecurity 
practitioner, since we are all carrying around multiple devices 
that we need to secure.
    Mr. Carbajal. Thank you. I am out of time.
    I yield back, Madam Chair.
    Ms. Norton. The gentleman yields back. I now recognize Mr. 
Davis for 5 minutes.
    Mr. Rodney Davis. Thank you, Madam Chair, and thank you to 
all of the witnesses today. I would like to start my 
questioning with Mr. Farmer.
    Mr. Farmer, do your members usually subscribe to more of a 
centralized cybersecurity operation at their specific 
railroads, or is it more decentralized?
    Mr. Farmer. What you have with railroads is, through the 
headquarters elements you have cybersecurity expertise through 
chief information security officers, specialists in 
cybersecurity, well-trained personnel on the cybersecurity 
staff who, notably, participate in a training program hosted by 
Idaho National Laboratory, which looks at networks from a red-
team perspective, and allows them to conduct penetration 
operations and learn what the adversary is looking to 
accomplish.
    So, in that sense, what you have is probably something akin 
to my experience in the Air Force: centralized control, but 
decentralized execution, in terms of allowing the experts to 
apply their skills in ensuring network cybersecurity posture is 
maintained.
    Mr. Rodney Davis. So, the decentralized portion of your 
response there is indicative of--do you believe it is easier 
for a cybersecurity criminal to hack a more centralized system 
that is just in one location, versus a system you just 
described, that many of your members use?
    Mr. Farmer. I think the key on what is easier for an 
adversary to hack comes down to the network architecture, and 
that is where the emphasis placed by railroads on ensuring 
network segmentation and on strong controls for access, those 
efforts, are vital. So, it is not so much whether it is a 
single point versus multiple points, it is more along the lines 
of how are you designing the network architecture, and putting 
in your layered cyber defenses in a way that creates 
opportunities to detect, disrupt, and prevent adversaries from 
inflicting harm.
    Mr. Rodney Davis. It just seems to me that it would be 
easier for our adversaries to go after systems that are 
uniquely intertwined at all levels, rather than decentralized, 
which I seem to--I guess I am understanding your response to 
say that you do have somewhat of a decentralized approach for 
possible redundancy issues and security issues.
    What would you recommend we do, when it comes to 
transportation systems at the Federal level, when we certainly 
rely upon much more of a top-down approach when it comes to 
other systems in place?
    What can we do to copy this more decentralized approach, 
and thus make it more secure?
    Mr. Farmer. Well, I think your point on redundancy is 
exceptionally well taken. A lot of effort devoted in the 
industry to establishing backups, backups for programs and 
files, backups for operational control systems. And so, you 
have multiple options, should one component be adversely 
impacted, for the operation to continue.
    I think what we have seen, particularly over the past 
several months, in terms of cyber intrusions, as you see in the 
CISA advisories on these events, this reference to highly 
sophisticated threat actors employing very well-developed 
tactics that reflect a great deal of understanding of networks, 
and I think there are two challenges that come into play there.
    One is, in many cases, these are referred to as ``supply 
chain vulnerabilities,'' where the adversary has determined, 
has identified the vulnerability present in a particular 
software application, and done the necessary surveillance of a 
network to exploit it. And CISA frequently recommends that 
railroads, other critical infrastructure organizations engage 
with their suppliers, and we do that in the industry through a 
dedicated group with our key suppliers.
    But there is a key element, in terms of what Congress can 
do, I think, that merits attention, and that is one of the CISA 
recommendations is you should be getting from your supplier is 
a software bill of materials. And essentially, that is the 
delineation of all the software elements in the vehicle, 
equipment, device that you have procured, so that you, as the 
end user, know what software is included, and what versions are 
present. So, when these issues come up with these supply chain 
vulnerabilities and you need to know quickly, am I affected, 
the software bill of materials gives you the means to do that 
sort of reference.
    And the second question that comes up is, are we doing 
enough, in terms of deterrence? We have talked a great deal in 
this hearing about network defense, and that is vital. But the 
concern that we have in the private sector is, in contrast to 
mitigating terrorism risk, which entailed a great deal of 
effort internationally in intelligence and military operations, 
the adversary's boldness, particularly of these past several 
months, with these highly sophisticated attacks, indicates they 
are not getting a deterrent message. And that is part of an 
effective strategy. Thank you.
    Mr. Rodney Davis. OK, I thank you. I would like to yield my 
remaining time to Mr. Burchett.
    Thank you, Madam Chair.
    Mr. Burchett. Thank you, Chairlady, and I yield the time 
that Representative Davis gave me to Thomas ``The Hitman'' 
Massie.
    Mr. Massie. If there is any time remaining, I would like to 
allow Mr. Kessler----
    Ms. Norton. There really isn't.
    [Laughter.]
    Ms. Norton. You will have to wait for someone else to 
yield, because all of that time has now expired.
    Mr. Massie. Yes, Madam Chairwoman.
    Ms. Norton. And I am forced to----
    Mr. Burchett. I am sorry, Chairlady, for that disruption. I 
have not had my Mountain Dew this morning. I apologize.
    [Laughter.]
    Ms. Norton. All right. I now recognize Mr. Stanton for 5 
minutes.
    Mr. Stanton. Madam Chair, thank you so much for recognizing 
me. I want to thank Chairman DeFazio for holding this important 
hearing, I want to thank each of the witnesses here today for 
providing important testimony on this critically important 
issue that is growing in concern.
    Cyberattacks against our water systems have become more 
frequent, sophisticated, and dangerous. Back in February a 
hacker gained access to the Oldsmar water treatment facility in 
Florida. Their goal was to increase the level of sodium 
hydroxide, otherwise known as lye, in the drinking water. While 
Oldsmar was lucky that the facility's operator was at his 
computer, and watching the hacker's attempts in realtime, the 
results, if they had been successful, could have been seriously 
harmful to residents and businesses who rely on that water for 
drinking water.
    Approximately 90 percent of our country's public water 
supplies, and 80 percent of the wastewater utilities are small, 
and serve fewer than 10,000 people. The hack at Oldsmar 
demonstrates the vulnerability of small systems, and the 
challenges they face in preparing for and responding to these 
threats, compared to larger water systems. These systems have 
smaller budgets, limited resources, sometimes only a small 
number of employees to handle a significant amount of work. A 
cyberattack is just one more challenge they confront, so they 
must be strategic in how they approach this constantly evolving 
threat.
    Mr. Sullivan, you mentioned in your testimony that Boston 
Water and Sewer Commission, where you are the chief engineer, 
you suffered from a ransomware attack last year. What do you 
believe are the lessons learned from that attack, and one that 
I described in Oldsmar, for other water and wastewater 
utilities, particularly small, rural, and Tribal systems, where 
they might not have as much access to staff with cyber 
expertise or financial resources?
    Mr. Sullivan. Well, thank you, Congressman. We have been 
working many years to build up our cyber preparedness, along 
with most of your large water systems and wastewater systems.
    The problem we had was this, it was the human element. One 
of our staffers allowed an email, a phishing email, and he 
opened it up, and he did not report that there was nothing 
there when he opened it up. What happened there is some malware 
got into our system [inaudible] and it sat, and--it sat for 
over a month, because we were able to trace it back later. The 
human element here is our biggest weakness. And we know that. 
We have got all kinds of systems. Our firewalls are secure. We 
are stopping things every day. We are getting attacked every 
day.
    The cybersecurity awareness, a culture of awareness in 
every system, is the most important thing we need to do. And 
that is, we need to get to training. Many of these small 
systems are recognizing, they are struggling with making sure 
we get pure water out there, we are struggling with the new 
regulations of contaminants. The wastewater group, same thing. 
We struggle with producing the product that we are required to 
do, and many of the small ones may have IT systems that they 
don't even know how they run. They hired someone, they came in, 
a miracle occurred, all of a sudden you could operate from 
home, and life was good.
    They don't have the awareness, and that is what we are 
trying to do through the ISAC, is continually remind people, 
``Pay attention, read these''--we work with CISA, et cetera--
``Read all these reports, make sure you are doing this.'' But 
they don't have the resources to hire people to check 
everything else, and that is one of the major hurdles we have--
--
    Mr. Stanton. Yes.
    Mr. Sullivan [continuing]. Because we do have 50,000 water 
systems and 16,000 wastewater systems.
    Mr. Stanton. You mentioned ISAC, the Water Information 
Sharing and Analysis Center, which was established, of course, 
10 years ago to provide water utilities with critical 
information on threats, both physical and cyber-related, along 
with best practices for preventing and responding to those 
attacks.
    I mentioned earlier Tribal communities, and challenges that 
the water systems in Tribal communities face. I want you to 
address that. What specific outreach or work has ISAC done with 
our Tribal communities? And if not, do you have plans to reach 
out to our Tribal communities to make it a part of its work?
    Mr. Sullivan. The ISAC is a subscription service. We have 
over 400 members that cover much of the Nation. But we also 
have the States. The States are part of the ISAC. They get all 
our information, so that the States, through their resources, 
can reach out to smaller systems, the Tribals, et cetera.
    We are asking for additional resources to have the 
subscriptions for everyone, every water and wastewater systems 
paid for so, that we can reach everyone, and give them the help 
they need to--we want to be able to take these threats, and 
boil them down to what it means for each size system, so that 
they can look at them, and they don't have to read these----
    Mr. Stanton. All right.
    Mr. Sullivan [continuing]. Lengthy documents.
    Mr. Stanton. I am out of time, but my polite request is 
that maybe ISAC will reach out to those Tribal communities and 
the water systems there. It is so critically important that we 
provide clean water to our Tribal members, and often they don't 
have the same resources as others, but they have the same needs 
for their community. So, my request is that ISAC see what they 
can do to better reach out to our Tribal communities in 
Arizona, and around the country.
    Thank you, I yield back.
    Ms. Norton. I now recognize Mr. Babin for 5 minutes.
    Dr. Babin. Thank you, Madam Chair. I am so glad we are 
having this hearing today for this committee to weigh in on the 
issue of cybersecurity in the transportation and critical 
infrastructure space. It is a great responsibility, and one 
that we should all take very seriously.
    It is also very timely. Just yesterday the Director of CISA 
told the House Homeland Security Committee that ``ransomware 
has become a scourge in nearly every facet of our lives, and it 
is a prime example of the vulnerabilities that are emerging, as 
our digital and our physical infrastructure increasingly 
converge.'' She went on to say that, ``The American way of life 
faces serious risks.'' She is right.
    Internet attacks are a full-fledged standard feature of our 
modern life. Hardly even a day passes anymore without a media 
story coming out about a cyber threat or an attack. These 
threats are disruptive, they are costly, potentially life-
threatening. All of us saw what happened with the Colonial 
Pipeline breach last May, and how that attack led to gas 
shortages and interrupted supply chains.
    There is certainly a legitimate and appropriate role for 
the Federal Government to play in protecting the American 
people in our companies and businesses against theft, 
espionage, and cyberattacks. No question. This is a fight for 
our national security. However, cyber intrusions are very hard 
to track. We have got to be extraordinarily careful, as 
lawmakers, that we don't meddle in something that we don't 
properly understand, and unintentionally cause bloated 
regulation, or stifle innovation with overly burdensome 
requirements that don't truly secure our infrastructure.
    Any policy we push forward has got to be aggressive, but 
consistent with our Nation's founding principles, meaning that 
we provide for the common defense, while at the same time 
protecting civil liberties and the free economic economy. A 
former Director of National Intelligence, and my former Texas 
colleague and friend, John Ratcliffe, said that we need to 
attribute these attacks, and either to overtly or covertly 
retaliate against those responsible, creating deterrence for 
the future.
    I could not agree more. There has to be a downside for 
these enemies. And inflicting appropriate pain for their 
attacks is not only justified, but I think absolutely 
necessary. And if our long-term strategy to cyber criminals is 
to just pay the ransom and hope for the best with cyber 
insurance, we will certainly lose to our foes in this new 
battlefront.
    So, my question to all of you--and I will open this up to 
anyone who would like to answer this--what are commonsense 
steps that we, as lawmakers, can take to help the private 
sector better protect themselves, and better report cyber 
threats to the proper Government entities without infringing on 
people's civil liberties or the free market?
    I would open that up, please.
    Mr. Belcher. Well, I will jump in. I think one of the key 
things that organizations can and should do to protect against 
ransomware is to make sure that they keep adequate logs, data 
logs. And that is one of the things you see, particularly with 
small, smaller, or less sophisticated organizations. And if you 
are keeping adequate data logs, you can go back and recreate 
everything that happened prior to the hack. And that way you 
can avoid having to pay a ransom. And that is the best way that 
you can manage against ransom attacks.
    And so anything that Congress can do to encourage that--I 
am not saying that you mandate data logs. It is good hygiene, 
it is something that trade associations should be encouraging, 
and should be providing guidance on, and it is something that 
we should all be pushing for, because it is the best thing that 
you can do to mitigate against ransomware, because it is 
happening every day.
    Dr. Babin. Thank you. Anyone else?
    Ms. Samford. Yes, sir, thank you. And I think that it is an 
excellent question. Thank you, Congressman Babin.
    I always tell owners and operators there are a few top 
things that they can do. Number one is to have a complete asset 
inventory. You can't protect what you don't know about.
    The second is to understand if you have direct exposure to 
the internet. I think that Congress would be very frightened if 
they were to examine the number of critical infrastructures 
that have industrial control systems that remain directly 
connected to the internet. That is an immediate and direct 
source.
    If I were Congress, if I were in that position, I would 
direct all designated critical infrastructures within the 
United States to ensure that they do not have any devices 
directly connected. That would immediately eliminate tons of 
exposure and risk.
    And lastly, I would like to redirect and go back to the 
point on ICS4ICS in that every single local fire department, 
every emergency services, even our military, it is the way that 
we mobilize to respond to events.
    Out of all of the nationally declared disaster types, cyber 
is the only one that is not mandated currently to follow 
Incident Command System. I can tell you that being prepared and 
being able to mobilize the private sector, which is where 85 
percent of your response resources will come from in the event 
of a nationwide attack, you will want a system like ICS to 
integrate. By no means does having a common framework for a 
response increase our risk or our threat. Those threats and 
risk are already there. All it does is give us an advantage 
over the enemy in effectively bouncing back from those attacks.
    Dr. Babin. Thank you very much, and my time is out, and so 
I will yield back.
    Mr. Stanton [presiding]. Thank you so much. The next 
Congressmember will be Congressmember Carter.
    Mr. Carter of Louisiana. Thank you, Mr. Chairman. My 
district recently suffered through one of the most intense 
hurricanes to ever make landfall in the United States. Hearing 
about the dangers threatening our systems through cyberattacks, 
I can't help but be concerned about what would happen if bad 
actors took advantage of a natural disaster to launch a 
cyberattack.
    According to a recent article on the topic, natural 
disasters can set the stage for cyberattacks. Security experts 
say that they are not aware of any major cyberattacks against a 
State or local government during a natural disaster, but that 
is only a matter of time, if we are not careful to prepare for 
these things. And if a hacker launched a disruption to coincide 
with a natural disaster, that could greatly hamper first 
responders, hospitals, utilities, Government agencies. 
According to the National Association of State Chief 
Information Officers, this is a real threat.
    So, I ask this question of you, Mr. Sullivan. Municipal 
water systems in many areas have to cope with threats of 
physical damage from natural disasters. I shudder to think what 
would happen if a cyberattack occurred in the near proximity to 
a natural disaster. Can you share your thoughts with me on 
that, and do you think that any local systems should train and 
practice for responding to a dual-threat scenario like this?
    Mr. Sullivan. Certainly. First, the ISAC was formed because 
of the events of 9/11. And for the first 10 years, we spent all 
of our time talking about physical threats and natural hazards, 
and how to make sure you can get your systems up and running. 
And cyber wasn't really in the forefront at that time, because 
there were no major threats for us on cyber.
    So we have been training people on natural hazards all 
along, how to do it, how to get yourself back up and running. 
We all have emergency response plans. The AWIA that Congress 
passed a couple of years ago required all systems serving 3,300 
and more services to look at our natural hazards plan and our 
cybersecurity plans. And we have to self-certify that we looked 
at them and we have an emergency response plan.
    So, I would say that most of your systems are definitely 
capable of getting up and running. Now, they can't run with the 
cyber. A lot of times communications are down, et cetera. They 
will place people at the plants, and they can manually run 
them. Most of our plants, although they are highly 
technologically run, can be run manually. We are able to run 
them that way. So, we are----
    Mr. Carter of Louisiana. Let me ask you, what do you think 
Congress could do to make these types of trainings possible and 
accessible to local governments?
    Mr. Sullivan. Well, there is a lot of training going on. 
EPA just ran some yesterday with CISA. We are working--American 
Water Works Association has put out much training. And all your 
water and wastewater national organizations have the training 
available.
    The problem is a lot of the smaller systems don't know 
about it. We haven't been able to reach them to come in and get 
the training, and that is where the ISAC is trying to expand 
its reach, so that we can give them informed messages, informed 
information of training for them, their size, and how they can 
get available. So----
    Mr. Carter of Louisiana. And maybe this is something that, 
through this committee, Mr. Chair, we could utilize our 
resources to enhance the availability or knowledge to local 
governments of this resource. Obviously, it is a threat that 
could be devastating. And having the preparation and training 
could really go a very long way.
    Do any of the other panelists have any thoughts on how 
Congress could better help industries protect against 
cyberattacks occurring around or during or after natural 
disasters?
    Mr. Farmer. Representative Carter, if I could, please?
    Mr. Carter of Louisiana. Yes, please.
    Mr. Farmer. Thank you. One of the important areas to 
emphasize, in terms of the emergency preparedness, is the level 
of deployment of resources in advance of the storm, so that the 
response and recovery effort happens immediately, as soon as 
safe conditions allow.
    I think a good point was made earlier about the ability to 
maintain the capability to conduct manual operations. That is 
part of how we operate in the railroad industry. In the event 
there is an electrically or cyber debilitating environment, 
trains can continue to move under manual procedures. We can 
also relocate dispatch centers from impacted areas to others. 
And as I mentioned earlier, a key facet of our cyber defense 
and depth is having backup capabilities and backup files.
    I think the point that you are getting to, though, gets to 
a broader question of how does private sector across sectors 
cooperate with Government, and what can we be focusing 
attention on? I think there are two elements there.
    One is, what are the sorts of cyberattacks that would be 
most impactful, whether they are actually happening now or not, 
looking forward to that potential. What we deal with now are 
people looking to exploit the fact that there is a response 
going on, and that there is going to be businesses trying to 
come into an area, and you have a lot of fraud attempts. But 
what could be done, positing a potential scenario?
    And then, secondly, then working through the Critical 
Infrastructure Cross-Sector Council, through CISA, through FEMA 
in developing a collective approach to try to address that 
problem.
    I think the last aspect gets to a point that was raised in 
an earlier question. And that is, there has to be some 
deterrent aspect to our cybersecurity strategy. Adversaries 
need to understand there are limits.
    Mr. Stanton. Thank you very much.
    Mr. Carter of Louisiana. I think I am out of time. I yield 
back. Thank you.
    Mr. Stanton. All right. Thank you very much, Representative 
Carter. Next up will be Congressmember Weber.
    [Pause.]
    Mr. Stanton. Congressman Weber, are you there?
    If not, we will move to Congressman LaMalfa.
    Mr. LaMalfa. Thank you, Mr. Chair. I appreciate the 
opportunity here today, and for witnesses that have gathered 
online for our information here.
    So, when we look at the--yes, I know, a lot has been 
covered so far in the hearing today. But with the issue of 
cybersecurity and, I guess, my more acute interest in how that 
would be on small water systems and rural water systems. And 
you know, in California, we do have several water districts 
that distribute water to agriculture, but also they do have 
hydroelectric power as part of their system, as well.
    So, the smaller districts have a bigger struggle probably 
coming up with the resources to compete, and have the best 
cybersecurity capabilities that might come against them from 
China or other terrorism activities.
    Let me pose to Mr. Sullivan.
    The Water Information Sharing and Analysis Center serves 
districts of all types, all sizes. You had noted some that were 
quite small, with 2,000 residents, or we can shift to 
agriculture that aren't necessarily residents, but also indeed 
very important in water delivery for what they do.
    Could you touch on--if you have already, my apologies, but 
what are some of the simplest, fastest, lowest cost protections 
we could be emphasizing and starting with to help secure those 
districts, especially in a time we have so much unrest and 
potential for mayhem like that, and in an already stressed 
economy and stretched water situation like we see in 
California?
    What are some of the things that they could be doing very 
cost effectively, and quickly, and efficiently to tighten up 
their cybersecurity?
    Mr. Sullivan. Well, right off the bat, EPA has a great site 
that will list all the things they need to do.
    But what is really important is make sure they don't have 
their operational technology, their SCADA control systems tied 
into their information systems. It is so easy to get into an 
information system, either through the human nature, or they 
can just hack into it through an email, et cetera. But if you 
can separate those two right off the bat, you----
    Mr. LaMalfa. Separation, sir, a better separation, not 
having--we heard stories about having the same access codes and 
everything for the--so you want to have just a greater 
separation between the two?
    Mr. Sullivan. Yes, I want to separate all the pumps and 
everything else that are run by technology, separate them from 
your information systems, where--your email, your--all your 
other systems. That is a very basic tenet. And if you can do 
that, you really secure the ability for someone to control your 
pumping stations, shutting yourself down, overloading your 
stations, adding chemical where it shouldn't be added. That is 
critically important, because many of the small systems have 
embraced technology so that they can go home at night, and 
these systems self-operate. And it is so important that they 
separate those.
    But the data available, it is out there. EPA has done an 
incredible job. We work with the Water Sector Coordinating 
Council, DHS, EPA, our sector leader. All this information is 
out there. They just don't know where to go to get to it. And 
that is the key that we need to get more of.
    The rural water has riders, they go out and they educate 
everyone, but keeping updated is important. If everyone thinks 
that 5 years ago they took a review of their systems and life 
was good, and they haven't looked at it again, they have got to 
look at it again. It is ever changing. This whole security 
issue is ever changing.
    Mr. LaMalfa. Five years is a very long time, yes, yes.
    Mr. Sullivan. An extremely long time. And we did that, we 
had a big emphasis, we pushed it, and everyone thought they 
were all taken care of. And now we have these additional 
threats daily.
    Mr. LaMalfa. So, when we are talking small districts with, 
you know, not huge budgets with--if it is rural delivery or 
agricultural delivery, do you see that it is going to be 
affordable? Is it going to require a lot of staff, or a lot of 
upgrades and technology and equipment? Or is it something that 
can be piggybacked onto existing systems, if they are halfway 
modern?
    Mr. Sullivan. I think it could be piggybacked. It is $100 
to join the WaterISAC if you are a system below 3,300, $100 a 
year. There are 40,000 of them, though, and that is one of the 
problems. They just don't have that $100, or they don't know 
that they need this----
    Mr. LaMalfa. Do you have confidence, sir, that the larger 
entities like--well, the State of California, for example, 
right in my backyard is the Orville Dam and the spillway that 
broke apart, you remember that story from a few years ago. Do 
you think the large ones, like States, are doing what they need 
to do on 1960s technology to upgrade those, so that they can 
keep control of their spillway gates and other aspects of their 
water control systems?
    Mr. Sullivan. I think the larger systems are in very good 
shape. They are quite aware, because of the association of the 
CIOs talking to each other. So, I think there has been a lot of 
that going on.
    What happens is the medium and small, and they have so many 
other things tearing apart. Most of your water and sewer 
operators in the country aren't computer literate. They hire 
people to come in and set up the systems for them. So, they are 
not quite aware of what we are all talking about all the time. 
The big ones are. We have whole departments dedicated to that.
    Mr. LaMalfa. Thank you. Thank you, I appreciate it. I yield 
back.
    Mr. Stanton. Thank you very much. Next up will be 
Congressmember Lynch.
    [Pause.]
    Mr. Stanton. Congressman Lynch, are you on?
    If not, next will be Congressmember Malinowski.
    [Pause.]
    Mr. Stanton. Congressman Malinowski?
    How about Congressmember Kahele?
    [Pause.]
    Mr. Stanton. Congressmember Williams?
    Ms. Williams of Georgia. I am here.
    Mr. Stanton. Thank you so much. It is your turn.
    Ms. Williams of Georgia. Thank you, Mr. Chairman. The topic 
of today's hearing is one that is personal to me and my 
constituents.
    I know how critical it is to invest in cybersecurity, 
because my district learned the hard way just 3 years ago. In 
2018, a vicious cyber ransom attack devastated the city of 
Atlanta. Residents of the Fifth Congressional District couldn't 
pay their water bills, police departments lost investigation 
files, the courts lost legal documents, and it took millions 
for the city to recover. Our Atlanta airport is owned by the 
city of Atlanta, and luckily we only had to shut down our Wi-Fi 
for the duration.
    What happened in Atlanta is a lesson to be learned from. We 
need to ensure that we are prepared for any future 
cyberattacks. And as a Member of Congress, I am dedicated to 
ensuring what happened to Atlanta won't happen again.
    Ms. Samford, what are the contemporary challenges that 
State and local governments face today in confronting 
cybersecurity challenges?
    And what more can Congress do to assist them, and ensure 
information sharing between the private sector and Government, 
so we can prepare for and mitigate cyber threats?
    Ms. Samford. Great. Thank you, Congresswoman Williams, and 
that is an excellent question.
    I think the main thing, honing in on the private sector, I 
think, coordination and response aspect, is that specifically 
what you would like me to touch on, is that private-sector 
interaction?
    Ms. Williams of Georgia. Yes.
    Ms. Samford. Thank you. In particular, for the private 
sector, there is no real way for the private sector currently 
to hook into existing emergency management practices. So, I am 
sure that you are very familiar with Atlanta. You probably have 
an Atlanta emergency operations center. And your emergency 
responders come in there, the different groups from the city of 
Atlanta, water, wastewater, your energy companies, your 
electric utilities, they all come in there, and support through 
what are called emergency support functions, ESFs. This is part 
of the Incident Command System structure that I was speaking of 
earlier.
    There needs to be a better mechanism for the private sector 
to be trained on what Incident Command System is, what their 
role would be in a disaster, in terms of integrating with the 
Government, and then they can actually have representatives 
that are sitting there in that EOC, ready to integrate into 
your response efforts and reporting up through your incident 
commanders through the city of Atlanta.
    So that would be one recommendation: training of the 
private sector, right? We can start on a voluntary basis and 
see where that gets us. And secondly, have them take their 
existing response plans--no one is telling them to get rid of 
what they have. We don't want them to do that. We just want 
them to learn the overarching Government framework that every 
other first responder is using, so that cyber can stop treating 
itself as something special and get with the program with the 
rest of the way that the emergency response communities behave. 
And that way we can begin to form coordinated responses 
together.
    Ms. Williams of Georgia. Thank you, Ms. Samford.
    And Mr. Belcher, in your testimony you highlighted that 
only 60 percent of transportation agencies have a cybersecurity 
preparedness program in place. What are the most critical 
additional resources that Congress can provide to ensure that 
all transportation agencies are in a strong position to protect 
themselves from cyberattacks?
    From agencies that have programs currently in place, what 
are some of the best practices that agencies should be sure to 
adopt?
    Mr. Belcher. So, I think the first thing that agencies need 
to do is that they need to do an assessment of their cyber 
maturity. Every agency has some level of cybersecurity 
protection, whether they know it or not. Cybersecurity 
protection comes with your Microsoft 360 system. You have got 
some level of cybersecurity protection. And then many of your 
more sophisticated systems also have protections in them.
    But many of the operators really don't understand what they 
have. So, you have to understand what you have to understand 
what you need.
    So, the first thing you need to do is to do an assessment, 
and then you need--as Ms. Samford was talking about, is to 
understand--is to then--to bring that into an enterprise 
system, and to treat cybersecurity as just another--it becomes 
another risk. It is another--you know, and you need to manage 
it as a risk, as one of the many risks that you manage, so that 
it becomes a way of doing business, and it becomes part of the 
culture of the business.
    Most of the threats are coming--or most of the hacks are 
coming not at the IT level, but they are coming through the 
users, and through phishing, through--and like--and I think I 
keep hearing that I am about to be----
    Ms. Williams of Georgia. Yes, Mr. Belcher----
    Mr. Belcher. Got you.
    Ms. Williams of Georgia [continuing]. We are running out of 
time.
    Mr. Belcher. OK.
    Ms. Williams of Georgia. And before I yield back, Mr. 
Stephens, I would like to just get some better ideas on how we 
can address the unique cybersecurity challenges of major 
airports, with Atlanta being the busiest airport in the 
country, soon to be in the Nation. We are coming back, you all. 
But I would love to get some written comments on how we can 
better prepare in Atlanta, as you discussed what was happening 
down in Tampa.
    Mr. Stanton. Thank you very much for----
    Ms. Williams of Georgia. Thank you, Mr. Chairman, and I 
yield back.
    Mr. Stanton. Thank you. We will ask for a written response 
to that question.
    Next up will be Congressmember Van Duyne.
    Ms. Van Duyne. Yes. Thank you very much, Mr. Chairman. I 
would like to relinquish my time to Congressman Thomas Massie.
    Mr. Massie. I thank the gentlelady from Texas.
    Ms. Samford, I wanted to give you a chance to answer my 
concerns about consistency, interoperability, uniformity, and 
coordinated systems.
    But before that I want to highlight something really 
important you said to one of my other colleagues. You talked 
about the microcontrollers and embedded processors that are 
connected to the internet that a lot of users don't even know 
present security vulnerabilities.
    Just for my colleagues, this is like if you bought a 
coffeemaker, or an icemaker, or a dishwasher, and it is 
connected to the internet when you get it home for your 
convenience. Those things can be security vulnerabilities. But 
within a sewer system, for instance, or a pipeline, they might 
have things connected to the internet for remote monitoring.
    So, can you talk about that, Ms. Samford, about how you 
advise your clients, and what to do with those things?
    Ms. Samford. Sure, and thank you, Congressman Massie. It is 
a really good question. And what we see a lot of--and I don't 
know that it is specifically with the programmable logic 
controllers that PLCs--in many cases, those lack the ability to 
directly communicate out to the internet, but they certainly 
could talk through something else. What we see a lot of are 
what are called human-machine interfaces, HMIs. To your point 
about someone remote accessing in, they would be remoting in to 
that engineering workstation, or HMI, to see what is going on 
on that plant floor.
    In many cases, if you go to a website right now called 
Shodan.io, you can see tens of thousands of HMIs directly 
connected in the United States and the U.K. and Australia, 
globally. They are everywhere. And this main point of exposure 
is that right now I could go to the login screen of this HMI, 
and, if I am successfully able to log in--say, if the user name 
is ``admin'' and then the password is ``admin,'' or if I am 
just using a password cracker, I can get into that system 
within a matter of minutes or hours. And once I am there, I can 
see other devices that are on that network, because it is the 
HMI, and it tells me that. And I can move laterally to do 
whatever I need to do.
    So, I always tell people, please have an up-to-date asset 
inventory, know what you have so that you can protect it. And 
secondly, make sure that nothing is talking out directly to the 
internet.
    Mr. Massie. Thank you very much. And did you--I didn't give 
you a chance earlier to respond to my concerns about 
consistency, interoperability, uniformity, and coordination. I 
am worried that that--and sometimes that makes it easier for 
the hackers to hack multiple systems at once.
    Ms. Samford. I definitely understand and respect your 
concerns. I think that it is a credit to you to understand the 
nature of how hackers can work.
    Sometimes--I can tell you that the system that I am talking 
about, they have already gotten in, they have already performed 
the attack. So, the response structure, the only thing it gives 
us, is the ability to more effectively work with our local, 
State, and Government officials. And I am not asking that this 
be mandated at this point, but I am saying that it is really 
good training. It is how every single fire department responds. 
It is how, if someone was injured, the ambulance would show up. 
It is using the same system.
    So, I would liken it to--I wouldn't say that we would 
suggest that having all firefighters trained in the country to 
be able to work together and respond somehow contributes to 
terrorist attacks. We don't see that correlation. So, we are 
not seeing that data to suggest that risk at this time. But I 
understand your point.
    Mr. Massie. Yes, I was more concerned about, like, the 
updates that happen, and such as that.
    Mr. Kessler, you had a couple of things you wanted to talk 
about, and we ran out of time. And also, if you could throw 
into that group--you talked about the pros and cons of having a 
human in the loop. It is not always a bad thing to have a human 
in the loop, I would say. And could you talk about--I will give 
you the remaining time.
    Mr. Kessler. Well, I mean, humans are in the loop, one way 
or another, either the human user with the hands at the 
keyboard, or the designer of the system.
    So, I wish more of my grad students had been like you, 
Congressman Massie.
    So, I used the ICS for decades. I was 25 years on the 
ambulance in my hometown in Vermont, as a volunteer ambulance. 
And so, cyber differs in this way. So, I need an organized 
structure to do my defense. But, as an EMT, I would walk into 
somebody's house, and I was always reminiscent of the saying 
``No battle plan survives first contact with the enemy.'' I 
know how I am going to respond.
    The problem in cyber with having any static response, or 
automated response to an attack is, if I can figure out what 
your static response is going to be, I own you because I can 
make you respond when I want you to respond, and I know how you 
will respond, because too many of the cyber systems are not 
built defensively to take into account that there is an 
intelligent actor causing the problem.
    Mr. Stanton. Thank you----
    Mr. Kessler. Too many of our systems by engineers, of which 
I am one, are designed to fail, thinking nature is our enemy. 
And I understand [inaudible] what is going to happen, but I am 
not building a system----
    Mr. Stanton. All right----
    Mr. Kessler [continuing]. [Inaudible] other people.
    Mr. Massie. Thank you.
    Mr. Stanton. Thank you.
    Mr. Massie. I yield back.
    Mr. Stanton. Thank you. Next up will be Congressmember 
Johnson of Texas.
    Ms. Johnson of Texas. Thank you very much. Let me express 
my appreciation for this hearing, and the urgency of dealing 
with the issue.
    Five years ago, in my Dallas-based congressional district, 
cyber hackers breached the Dallas Area Rapid Transit computer 
system, targeting customer communication and business 
processing tools. Just last year, hackers stole Trinity Metro's 
data in Fort Worth, knocking out the Metro's phone lines and 
entire booking system. And although not specific to the 
transportation industry, electronic records were hacked at the 
Dallas Independent School District in September, allowing the 
hackers to gain access to the names, addresses, telephone 
numbers, Social Security numbers, and medical information. 
While just last month, the Dallas-based company of Neiman 
Marcus notified 4.6 million customers that information 
associated with their online accounts had been stolen. 
Disheartening stories like this play out week after week in the 
United States and across the globe.
    So first I want to ask Mr. Belcher.
    Mr. Belcher, much of the Nation's infrastructure is owned 
and operated by the private sector. What controls and 
procedures do you recommend synthesizing and strengthening 
regarding cybersecurity in the private sector and the 
Government partnership?
    Mr. Belcher. Well, the good news is, many of the hacks that 
you talked about in the public sector in the Dallas-Fort Worth 
area have been moved to private-sector vendors.
    Transit agencies now, for the most part, do not handle the 
records of private riders, the financial records. Those are 
typically handled by financial institutions now, because those 
financial institutions are far better able and capable to 
handle those records under a specific regime that has been 
established, and they are able to protect those records far 
better than public transit agencies are.
    And really, at this point, only the largest public transit 
agencies do it on their own, because of that. And so, I think 
we have gotten a lot smarter. And I think, in the public 
transit arena, public transit agencies are continuing to try to 
push off as much as they can into the private sector, which 
itself is becoming much more sophisticated than the public 
agencies are.
    Ms. Johnson of Texas. How do we transition to all-inclusive 
security monitoring and tracking of information technology and 
operational technology systems to protect against these 
cyberattacks and breaches, and the alertness to enact immediate 
incidence response?
    Mr. Belcher. Well, you are never going to be able to track 
everything, and that is the challenge. You have to try to stay 
ahead, and you have to be able to be responsive. But you are 
never going to be able to catch everything.
    We now have systems that you can employ at the various 
levels of your stack that can track what is going on, and that 
can identify breaches. And every major system, whether it is an 
OT, an operational technology system, or an IT system, an 
information technology system, do have those systems in place.
    And again, we pick up the vast majority of the hacks that 
occur. It is the ones that slip through which are the ones that 
we read about. So, we are getting better at discovering, and at 
preventing them from occurring, and we have to continue to up 
our game, and continue to get better.
    I think what we are seeing, though, and I think what you 
have highlighted, is that, especially in the public sector, we 
are just not very sophisticated, and we are underresourced, and 
we need all the help we can get. And so, we need to work with 
Congress, with the Federal Government, and with the private 
sector to elevate the game at all levels. Because if we don't 
work together, we are going to continue to see the kinds of 
breaches that you have talked about.
    Ms. Johnson of Texas. You touched on my last question. What 
amount of funding do you believe Congress should provide----
    Mr. Stanton. Well, I think we are out of time, 
Congressmember.
    Ms. Johnson of Texas [continuing]. To assist individual 
transit agencies like the Dallas Area Rapid Transit with 
increasing their cybersecurity programs?
    Mr. Stanton. Maybe we can get that answer in writing. We 
are out of time, Congressmember Johnson.
    Ms. Johnson of Texas. Thank you, I yield back.
    Mr. Stanton. Thank you so much. Next up will be 
Congressmember Balderson.
    Mr. Balderson. Thank you, Mr. Chairman. Thank you all for 
being on today. My first question is directed to Mr. Farmer.
    Mr. Farmer, you noted in your testimony that the rail 
industry security plan does not just sit on a shelf, 
occasionally taken down, and dusted off. Rather, it is a living 
document elevated and enhanced continuously. It is great to 
hear how importantly the rail industry takes cybersecurity.
    It has also become obvious over the last several months 
just how delicate our supply chain is. Mr. Farmer, can you 
discuss the impact that a breach or a hack on just one Class I 
railroad could have on our supply chain?
    And then a followup to that would be what ripple effects 
would we see if a Class I railroad had to shut down operations, 
even if just for a few days?
    Mr. Farmer. So, the question posits that the impact is one 
for which the response capability would not be adequate to 
sustain operations.
    I think the key point to make there is the entire basis of 
our cybersecurity program is to ensure the protection of the 
operations from breaches, to contain any breaches that occur, 
so that we are not facing a situation where the entire railroad 
network has to be shut down.
    And the key point here that came up in an exercise we held 
at the Naval War College--the Naval War College invited 
representatives of numerous critical infrastructure sectors to 
an exercise in July 2016, and it focused on operating a 
debilitated cyber environment. And we had participation by one 
of our major freight railroads. And a key point made by its 
chief information officer was, so long as I can communicate, I 
can continue to move trains.
    I think, for us, we have the ability to fall back onto 
manual operations, if necessary, backup systems. So, the whole 
thrust of what we are doing is to ensure we don't find 
ourselves in a situation where that sort of shutdown happens, 
by keeping in the layered defenses and the depth of operational 
capabilities, even down to manual, and continuing to move 
trains as safe conditions allow.
    Mr. Balderson. Thank you. A followup to that, Mr. Farmer, 
you recommended future cybersecurity legislation should direct 
the CISA to establish consistent standards for software bills 
of materials from vendors and suppliers. Can you expand on why 
this is important in preventing cyberattacks?
    Mr. Farmer. Yes, sir. So, a common theme, a recurring theme 
in the high-profile attacks that have garnered such attention, 
particularly in the first portion of this year, first several 
months, was the supply chain vulnerability type attack. Again, 
that is where an adversary has identified what is called a 
zero-day vulnerability and exploits it.
    And so, some of the major attacks that have been 
perpetrated with alleged involvement by nation-state actors 
have followed this model. SolarWinds is one example.
    The software bill of materials gives the end user an 
ability to understand fully what software applications and what 
versions are on any of the vehicles, equipment, devices, 
systems they employ. CISA strongly recommends that end users 
have these bills of materials.
    The challenge is there is no consistency in their being 
provided. And when they are provided, there is no consistency 
to ensure they are fully thorough and accurate. And there is an 
opportunity here for CISA to define standards so that end users 
can quickly act upon reported vulnerabilities, scan their 
networks using these software bills of materials as a reference 
point, and make any security patches to preclude the potential 
for exploitation.
    Mr. Balderson. Thank you very much. Great answer. My next 
question is for Mr. Stephens.
    Mr. Stephens, thank you for being here today. I understand 
that Tampa International Airport is designated as a large hub. 
But can you speak on the differences between the threats or 
vulnerabilities faced at large hubs and the cybersecurity 
issues facing small or medium hubs?
    Mr. Stephens. Congressman, thank you for that question. The 
threats are, at their very basic nature, the same. The impacts 
are different. So, when you are talking about large hub 
airports, particularly airports where there are a lot of 
connections, we are more of an O&D, so, we don't do a lot of 
connecting activity.
    But the Dallas-Fort Worth Airport, Los Angeles, all those 
types of airports have a different threat profile, because 
attacking them becomes a much more preferred target if you are 
trying to create injury, if you are trying to create 
disruption. Smaller airport systems here in Florida like, say, 
Gainesville or some of the other smaller airport systems, the 
primary driving factor or interest there would perhaps be data 
or information from employees or other vendors.
    So those are the major distinctions. It is the desirability 
from a bad actor of the target, based on the scope and the size 
and the damage that they want to do.
    Mr. Balderson. All right. Thank you very much.
    Mr. Chairman, I will yield back my remaining--well, I am 
almost done. Thank you, Mr. Chairman.
    Mr. Stanton. Thank you. Next up will be Congressmember 
Johnson of Georgia.
    [Pause.]
    Mr. Stanton. Congressmember, I think you are muted right 
now.
    [Pause.]
    Mr. Stanton. Congressmember Johnson of Georgia?
    [No response.]
    Mr. Stanton. Congressmember, I think you are muted right 
now. Can you unmute?
    [Pause.]
    Mr. Stanton. All right. We will come back to you, 
Congressmember Johnson. Next up will be Congressmember 
Auchincloss.
    [Pause.]
    Mr. Stanton. Congressman Malinowski?
    Mr. Johnson of Georgia. Mr. Chairman, I am ready to go. 
It's Hank Johnson.
    Mr. Stanton. Thank you very much, Congressman Johnson.
    Mr. Johnson of Georgia. Thank you, Mr. Chairman, for 
holding this hearing, and thank you to the witnesses for your 
time and testimony.
    The information age has radically changed our critical 
infrastructure landscape. Earlier this year, cyberattacks on 
SolarWinds and Colonial Pipeline demonstrated the emerging 
threat of cyber warfare from state and nonstate actors. 
However, the cybersecurity field is beset by a dire shortage of 
specialists, especially among Americans of color and women.
    We, as a Congress, must act now to provide young Americans 
equitable access to cybersecurity training. The future of our 
national security depends on it.
    Mr. Belcher, this fall I introduced H.R. 5593, the 
Cybersecurity Opportunity Act, with Senator Ossoff, a bill 
which aims to create a pipeline of diverse cybersecurity 
workers by investing in research and training at historically 
Black colleges and universities and minority-serving 
institutions.
    You have served as the CEO of the Telecommunications 
Industry Association, and president and the CEO of the 
Intelligent Transportation Society of America. So, I assume you 
have encountered issues regarding cybersecurity, workforce 
shortages, and diversity.
    A 2021 study estimates that the national cybersecurity 
workforce is made up of 14 percent women, 9 percent Black 
Americans, and 4 percent Latino Americans. Can you discuss the 
importance of diversity goals, as they apply to cybersecurity-
related positions in transportation and other critical 
infrastructure?
    Mr. Belcher. Yes. I think it is a much bigger issue than 
just cybersecurity. It is an issue that is playing out in all 
of transportation and all of engineering.
    Shawn Wilson, the secretary of transportation from 
Louisiana, who is now the new AASHTO chair, has made that one 
of his preeminent goals. He is also the incoming vice chair of 
TRB. And so, there are leaders in the transportation community 
who have made that a significant priority.
    The interesting thing about--the only thing that I can add 
is it has--finding women and people of color for technology 
positions has been a significant issue in the industry for a 
long time. It is becoming harder, but it is becoming even 
harder because it is becoming difficult to find people, in 
general, for these positions.
    And so, what we are seeing now is--I am seeing my clients 
contracting those positions out. Where they would normally have 
hired in-house, they are now no longer able to find higher in-
house positions. So, transportation organizations now are going 
to contractors and filling the positions with contractors. And 
it becomes even harder, then, to fill those positions, to try 
to fill them with STEM-type individuals. It has become even 
more challenging, not less challenging.
    Mr. Johnson of Georgia. Thank you.
    Mr. Belcher. So, I applaud you for your legislation.
    Mr. Johnson of Georgia. Well, thank you, and we hope it 
will make a difference.
    Dr. Kessler, you have had extensive academic experience 
teaching computer technology education at some of the top 
engineering programs in America. Can you address how a more 
diverse cybersecurity workforce would benefit your specific 
infrastructure sector, and what steps you might advise private 
industry in your sector to consider to improve diversity in 
regard to cybersecurity positions?
    Mr. Kessler. Well, I have a couple of comments. First of 
all, I, too, applaud your legislation.
    I would observe that one of the problems keeping an 
appropriate number of all of our citizenry, but particular 
people of color and women, is not at the college level. It is 
at the K through 12 level. I believe that too many 
individuals--and again, particularly women and particularly 
people of color--are socialized out of STEM by sixth grade. So, 
it is laudable, but late, in 12th grade to say, ``You should go 
study STEM at college,'' because they haven't been prepared.
    I have found that diversity of background gives me 
diversity of thought, and that is what I need to build a cyber 
defense. Because to build a cyber defense, I need to think like 
my attacker. The same thought leadership, if you will, that got 
me my problems are not going to get me my solutions, so I need 
to have that diversity of thought.
    So, is that addressing, I think, what you are asking?
    Mr. Johnson of Georgia. Yes, it does. And I thank you for 
your comments.
    Mr. Belcher, according to the 2020 MTI report presented in 
your testimony, 81 percent of responding transit agencies felt 
they were prepared to manage and defend themselves against 
cybersecurity threats. However, only 60 percent had an actual 
preparedness program, while 47 percent failed to audit their 
cybersecurity program at least once a year. What requirements 
should the Federal Government enforce, so that cybersecurity 
safety is adhered to at these transit agencies?
    Mr. Belcher. Well, if you look at the conclusions of the 
study, I think that the conclusions kind of lay them out. I 
think there are some basic requirements.
    I think that agencies should be required to have a 
cybersecurity response plan in place.
    Mr. Johnson of Georgia. Thank you. I believe my time has 
expired, and I yield back.
    Mr. Stanton. Next up will be Congressmember Stauber.
    Mr. Stauber. Thank you, Mr. Chair. Cyberattacks are a 
serious and evolving risk that affect transportation and 
infrastructure matters across this committee's jurisdiction. 
The Committee on Transportation and Infrastructure's 
jurisdiction includes 5 of the 16 sectors of cybersecurity 
which include our transportation systems, Government 
facilities, water and wastewater systems, dams, and emergency 
services.
    The Nation's critical infrastructure is comprised of both 
public and private-sector assets. However, within this 
committee's jurisdiction, cybersecurity requirements in the 
private sector are mainly voluntary. Like other industries and 
the Federal Government, the transportation sector is facing a 
critical shortage of cybersecurity personnel, which has 
impacted the ability to protect, detect, and respond to 
cyberattacks effectively.
    Simple steps regarding basic training, consistent 
cybersecurity hygiene, and periodic exercises could go a long 
way in protecting America's transportation infrastructure. As 
the technology that enables America's infrastructure becomes 
even more complex and increasingly integrated, cybersecurity 
threats and vulnerabilities will continue to multiply.
    My question is for Mr. Farmer.
    Mr. Farmer, we have heard from several industries 
expressing concern over potentially duplicative and conflicting 
cyber reporting requirements to various Government agencies. Is 
this a concern for railroads? And if so, what steps could 
Congress consider to better harmonize such reporting across the 
Government?
    Mr. Farmer. So, that is an excellent question, and it gets 
into two applications. One is what is being imposed by 
requirements, and then what is being done under cooperative 
efforts initiated by industries with partners in Government.
    For requirements, a railroad with a cybersecurity incident 
could find itself having to meet a TSA regulation from 2009 
under the rail transportation security rule that requires 
reporting of significant security concerns of requirements to 
report to the Department of Transportation. If the transport 
involves DoD supplies, requirements to report the DoD 
components. And then, with the planned security directives, a 
separate reporting requirement to the Cybersecurity and 
Infrastructure Security Agency.
    The concern there, obviously, is multiple reports on the 
same matter going to different organizations, and the confusion 
that can result.
    Another key concern in this area, as has been noted 
previously, is the short timeline envisioned by both of the 
TSA--the current regulation and the pending security directive. 
And that is a 24-hour period. And as has been detailed, it is 
often very difficult in that short time window to complete the 
analysis that helps an organization understand whether they are 
dealing with a significant cybersecurity concern.
    So we have--our view is this area can be readily addressed 
through a collaborative process, based on what we have heard a 
lot about today, in terms of the reporting that is already 
taking place by our industry, in the water sector, the transit 
sector, oil and natural gas sector, all of these industries 
have created information-sharing analysis centers or, in our 
case, the Railway Alert Network.
    And the focus is on taking what we are experiencing, what 
we are seeing, conducting analysis, and getting reports that--
again, using the standard that Jen Easterly has set, as 
Director of cybersecurity at the Cybersecurity and 
Infrastructure Security Agency, provides the Government with 
signals, not noise, to aid their analytical efforts.
    And I think, if there is an area where Congress' action is 
vitally important, it comes down to two points.
    One, the Cybersecurity Information Sharing Act of 2015 
should be fully implemented, and it is not. That will create 
the conditions--it specifically authorizes the kind of 
information sharing we are talking about within sectors, across 
industries, between industry and Government. It also provides 
protections that remove impediments to timely flow of useful 
information.
    And the second element is we have got to close the gap on 
analysis. A lot of reporting goes into Government, but it 
doesn't often come back in terms of the sort of cybersecurity 
information products transportation organizations need. It has 
to be focused on transportation. What does this activity mean 
to transportation organizations? What should they do about it, 
in terms of some of the measures you laid out on cybersecurity 
actions to narrow their risk profile?
    Thank you.
    Mr. Stauber. Well stated. That was a very defined answer.
    And my time is running short here. Mr. Chair, I yield back.
    Mr. Stanton. Thank you. Next up will be Congressmember 
Malinowski.
    Mr. Malinowski. Thank you, Mr. Chair. I wanted to address 
some questions to Mr. Sullivan, and because I am, in 
particular, very concerned about the water sector's 
vulnerability to cyberattacks.
    Most of us here are familiar with what happened in Oldsmar, 
Florida. I think other Members raised that case, when an 
intruder took control of an engineer's screen at a waterplant, 
and dialed up the levels of sodium hydroxide. And thankfully, 
it was noticed. The disaster was averted. But as former CISA 
Director Chris Krebs has noted, after the attack, that the 
vulnerabilities in the Oldsmar plant, as he said, are probably 
more the rule than the exception.
    There are a lot of things that need fixing here, and we 
have heard about a number of them throughout the hearing today. 
Municipalities need more funding, more in-house technical 
expertise, better cyber hygiene practices, and more. And the 
Federal Government can and should help with these things.
    But it is also my view, at least, that the Federal 
Government should also have a bit more visibility into these 
breaches when they are discovered, that we shouldn't be 
relying, as we do today, on voluntary reporting.
    So, Mr. Sullivan, you noted in your testimony that your 
organization, WaterISAC, created a step-by-step, 15-point 
document to help water and wastewater utilities with 
cybersecurity challenges. We took a look at that document, and 
there is some very useful, actionable information in there. I 
am grateful to the help you are providing to utilities.
    But the language on reporting of incidents particularly 
caught my eye. In the document you urge utilities and other 
sector stakeholders to report incidents and suspicious activity 
to your analysts at WaterISAC, and you further note that, as a 
private nonprofit, WaterISAC is not subject to public records 
law, further preserving the security of your report. Again, 
sort of emphasizing the privacy of this information.
    So, I wanted to ask your views. And I think the chairman of 
the committee asked a number of others on the panel this 
question before. What are your views on creating mandatory 
reporting requirements for municipalities for certain types of 
cyber incidents?
    Mr. Sullivan. Well, mandatory can work. First of all, what 
we have seen is that it was way too short a time. We struggled, 
and we are pretty good at our IT. We struggled over the first 
24 hours to find out what we were dealing with. So, if we do go 
to mandatory, we have got to go 72 hours, and maybe not the 
full report in 72, but reporting in 72 and then being able to 
follow up a couple of weeks later, because it took us 3 weeks 
to figure out exactly what happened.
    Mr. Malinowski. Right.
    Mr. Sullivan. As far as the mandatory, we then have to 
explain to everyone what is an incident. And as I described 
earlier, we have so many water systems that, although they have 
cybersecurity protocols, et cetera, I am not sure everyone 
understands an incident.
    So, we have to be very careful. The water sector would 
definitely work with Congress to help identify what triggers an 
incident, or else every time something goes wrong, we are just 
going to be flooding a market under the mandatory, because we 
are so used to standards in the water and wastewater. You will 
get a lot of information, much of which may be useless. So, we 
need to be very careful what we call mandatory.
    But that is the only way we are going to get it. WaterISAC 
struggles to get people to report to us what is going on out 
there, so that we can share that information and others can 
learn from it. We constantly ask our members what went on, what 
happened, so that we can take that information--take your name 
out of it, and we will call it a utility in the Northeast, we 
will call it a utility in America--and to share the information 
so we can all learn. It is the only way we are going to figure 
out what is happening in our sector.
    Mr. Malinowski. That makes sense. And, I mean, it would--it 
is fair to assume that there probably have been other Oldsmar-
like intrusions that we just don't know about, right, because 
we don't have mandatory reporting.
    Mr. Sullivan. I would say there definitely were other 
problems that have occurred that weren't reported, because they 
really didn't need to be, or they didn't realize they were a 
cyber intrusion.
    Mr. Malinowski. Got it, good. Thank you so, so much. I look 
forward to working with you on this, and I yield back my time.
    Mr. Auchincloss [presiding]. The gentleman yields. The 
Chair recognizes the gentlelady from Puerto Rico, Miss 
Gonzalez-Colon.
    [Pause.]
    Mr. Auchincloss. Miss Gonzalez-Colon?
    [No response.]
    Mr. Auchincloss. The Chair recognizes Mr. Burchett.
    Mr. Burchett. Thank you, Mr. Chairman. I yield time 
sufficient to Thomas Massie.
    Mr. Massie. I thank the gentleman from Tennessee for 
yielding me more than zero seconds this time.
    Mr. Farmer, you spoke about something, a best practice, 
what should be a best practice--but I think it is underutilized 
and underappreciated--that you learned from consulting with the 
Naval War College about operating in a degraded or debilitated 
digital communications environment. It is my hope--and you 
mentioned that you looked at how you could go to manual systems 
in those times.
    Also, I think a lot of people need to be doing that as a 
best practice at waterplants, or pipelines, or sewer plants. I 
think that is something that they should follow, and look to, 
and even look at possible parallel analog systems. It is very 
hard to hack an analog system, but everything has gone to 
digital now.
    And could you just tell us a little bit more about that 
part of your process, or what you learned from the Naval War 
College?
    Mr. Farmer. The Naval War College exercise, sir, brought 
together representatives of numerous critical infrastructure 
sectors, including some represented in the work of the 
committee in this hearing. It was an initiative where the 
military wanted to do a focused exercise on a scenario 
involving an activity by China that necessitated naval 
deployment, and looking at, logistically, what would it take to 
get all the resources to deploy a naval task force, and how 
would that work in a debilitated cyber environment.
    And a key question that came up over and over again is, 
well, just how much operations could be retained if the 
information technology systems were not as available as we are 
used to them being prevalent. And for the rail industry, there 
were repeated points made along the lines I referenced earlier. 
Essentially, as long as communication could be made in some way 
to get the train crews engaged, to get the trains organized, 
typically for the military deployments is that priority, we 
could continue to operate. It would not be as efficient as 
normal, but we could continue to get trains to destination and, 
with a priority to the military shipments, get the items from 
forts to ports for deployment.
    Beyond that exercise, we had a--during the 2017-2018 
period, where we participated with Transportation Command and 
Northern Command in a forts-to-ports analysis, where they were 
looking at how the military deploys from its installations to 
ports and coastal areas, and what are the logistics there. And 
that work involved a great deal of sharing of information by 
our industry on both our physical security, planning and 
preparedness, and response measures, and on the cyber side, as 
well, and so a very good partnership with military components, 
in terms of ensuring we are able to support their operations in 
situations where they need to get equipment and people--sorry, 
mostly equipment--to ports for transport overseas.
    Mr. Massie. Well, I surely hope that any legislation that 
comes out of Congress doesn't force you into a system that 
assumes that you will always be operating in a secure cyber 
environment. And so, I am glad to hear that you have at least 
tested what would happen in that instance, and you are going to 
look like a prophet later, if they go back and look at this 
hearing, if they have somehow forced you into a completely 
digital solution that is not segmented. That was another thing 
that you mentioned that I think is a really smart thing that 
you--that one hack on your system wouldn't imply the whole 
system was hacked. I think that is also a good best practice 
that I hope will come out of this.
    Part of the problem we have--and this is ironic--is our 
Federal procurement standards sort of bake in vulnerabilities. 
I don't know exactly what is available in the executive branch, 
but in the legislative branch, if you wanted to buy a zero-
trust system that ran on Linux, you couldn't do it, because 
there is interoperability requirements with the Microsoft 
systems, which have--by the way, a lot of these commercially 
available, widely deployed systems have the requirement that 
the end user is not at the root level.
    The end user is not the root user, the actual root user is 
the vendor. And they have convinced the end user that it is in 
their best interest to let them send real-time updates. ``We 
can make you more secure if we can identify a threat somewhere 
else, and then update your system without you hitting yes or no 
on the screen. Just let us go ahead, at the root level, and 
update your system, and we can make you safer if you allow us 
to do that.'' Well, that is not always the case, and that is 
the vulnerability that oftentimes makes a small exploit turn 
into a giant one.
    So, Mr. Kessler, I think you are wise to encourage and 
solicit diversity of solutions from your students, and I wish 
we had more diversity of solutions allowed into procurement 
policies.
    And I yield back.
    Mr. Burchett. Mr. Chairman, my intellect is so much 
superior to Thomas Massie's, that is why I had him deliver 
those questions, so that the average citizen could understand 
them. And I yield back the remainder of my time.
    Mr. Auchincloss. The gentleman yields. The Chair recognizes 
himself for 5 minutes.
    I want to continue to pull on the thread of water 
infrastructure. We know that our water infrastructure in the 
country needs serious improvement. In Massachusetts alone, we 
have got between $10 to $15 billion of a maintenance backlog 
for water potability and riverine and littoral resilience.
    I submitted four projects to the House Appropriations 
Committee requesting funding for critical water projects in 
Massachusetts. And, unlike Boston, which has the scale and the 
scope to have a sophisticated IT component to its water and 
sewer public works, these towns are small, and they don't 
necessarily have those kinds of resources, and have the ability 
to have that type of expertise on standby.
    So, in addition to making investments in water potability 
itself, we need to be making investments in securing that 
critical infrastructure from cyberattacks.
    Mr. Sullivan, the Boston Water and Sewer Commission, where 
you are the chief engineer, as you said, has suffered from a 
ransomware attack last year. And in your testimony you noted 
that, because the business network was segregated from the 
control system, there was never any threat to public or 
environmental health.
    And just to give you a sense of the divergence, in terms of 
Boston's scale and some of the towns in my district, Norton, 
which is a town that recently launched a new, $11 million water 
treatment plant in February 2020 that has been exceptionally 
effective, that has a base of about 20,000 residents. Boston 
has a base of about 675,000 residents, so two orders of 
magnitude here, almost.
    Has the Boston Water and Sewer Commission been able to 
communicate with these smaller Massachusetts entities about 
best practices, should they be attacked, or even been able to 
form a collaborative regional working group, so that there is 
some sort of umbrella protection from the bigger cities?
    Mr. Sullivan. Well, we work with all the Massachusetts--
through the Mass WARN system, should something come up. But we 
recommend to them that they actually join the WaterISAC, 
because you get national exposure.
    It is difficult sometimes, when an entity as large as ours 
is talking, and we talk about, ``You should buy this, buy 
that,'' and the smaller towns go, ``How are we going to afford 
it, and who is going to run it?'' So, it is better that they go 
to a national one, who has like-size utilities, where we can 
put them in touch with them, and they can communicate on the 
same level how they took care of it, because we do operate in 
different levels of scope.
    The treatment systems are all the same. It is the size of 
the system, and whether it is fully automated, or whether you 
have a 24/7 operator watching the screen, as Oldsmar did. I 
mean, they happened to be lucky. They watched the screen, and 
it was moving because someone got in on their system.
    The other problem we have with some of the smaller systems 
is they want to tie into the internet, so they can use things 
like TeamViewer, which was at Oldsmar, so that they can operate 
these remotely. During COVID, it was one of the biggest things: 
How can I run my automated plant remotely?
    So, we have got to get away from that. We have got to get 
them down to a much securer system that is run where the OT is 
totally separate from the IT. And we do talk to the different 
communities, and we are always open. But again, we try to refer 
them to someone of like size who has had the same problems.
    Mr. Auchincloss. So, if I could recapitulate what you are 
saying here, it is--you would encourage them to join WaterISAC, 
you would encourage them to separate--or to not permit a remote 
operation, to require onsite operation.
    Any further recommendations that you would give to smaller 
towns, IT departments in particular?
    Mr. Sullivan. Well, one of the other problems is, in small 
towns, the IT department may reside at the townhall, and not 
necessarily with the water or wastewater department. And so, 
they communicate occasionally, but they don't really live the 
IT issues. And that we see in many of the small towns, it is 
part of city government, town government.
    And I am not aware exactly how the Norton system is set up, 
if there is even an IT expert working for the water department. 
Many times, it is someone released to them from the town. So, I 
would need to look into it.
    Mr. Auchincloss. Mr. Sullivan, I appreciate the answers and 
the work that you are doing to ensure the resilience of our 
water infrastructure in Massachusetts.
    The Chair yields the balance of his time, and the Chair 
recognizes the gentlelady from Puerto Rico, Miss Gonzalez-
Colon.
    [Pause.]
    Mr. Auchincloss. The Chair recognizes Mr. Guest.
    Mr. Guest. Thank you, Mr. Chairman.
    To our panel, Congress has tasked CISA, the Cybersecurity 
and Infrastructure Security Agency, as the lead agency in both 
protecting our cyber and defending against any cyber threats 
and cyberattacks. I would like, if the panel would, to please 
provide any information, any insight with your interaction with 
CISA, the benefits that they have provided, and any 
shortcomings that you see that may exist between CISA's 
interaction and the interaction with your industry or your 
particular company.
    [Pause.]
    Mr. Kessler. Since nobody else is jumping in, I will jump 
in.
    The interactions that I have had with CISA actually have 
been primarily through Coast Guard colleagues who are doing 
tours at CISA. I think CISA has started to take a lead role 
with Coast Guard in some of the protections in ports. I think 
they have done a really good job at trying to get the word out 
and take that role.
    I have also some colleagues in the energy field, who are 
doing some work with CISA.
    The work that I have seen from CISA and the output from the 
agency seems to be appropriate. You know, there is always more 
that we can do. I think that is one of the recurring themes 
here. But I think they have done an excellent job, and I don't 
really have anything I would point to right now and say that 
they are deficient.
    Ms. Samford. This is Megan Samford. I am happy to comment 
on that, as well.
    I applaud Department of Homeland Security and CISA, 
actually. I think that they have a tremendous mission. I think 
that their scope is one of the largest that the Federal 
Government has.
    It has been my experience that, especially when dealing 
with vulnerability handling and coordination, the entity--I 
think the name has changed now, but it used to be known as ICS-
CERT out in Idaho. Despite any company I have worked with over 
the past decade, I have been able to call that team, and we 
have been able to work through issues. They have always been at 
the ready.
    Mark Bristow, who currently leads their hunting team there, 
he is also an advocate. He is one of the other four people that 
are currently credentialed as an incident commander for cyber 
under the FEMA system.
    They believe the construct can work. They do a really good 
job at templating exercise material response plans. In many 
cases, I think that these materials are underutilized, or the 
private sector simply isn't educated on. If the private sector 
were more educated on the resources available through CISA, I 
think that we would see greater utilization of that agency. But 
I hold them in very high regard.
    Can agencies improve? Yes, of course. But my interactions 
with that entity have been very good.
    Mr. Guest. And Ms. Samford, let me follow up on it just a 
little bit. You talked a little bit about the raising 
awareness, the education of CISA. What can Congress do to make 
sure that we are educating our businesses, educating our key 
industries on, first, the existence of CISA, because I think 
many people have never heard of CISA. If you are not in the 
homeland security realm, CISA is just another acronym, and you 
have no idea what it stands for.
    But with the recent cyberattacks that we have seen, and the 
threats of growing cyberattacks, whether that be criminal 
elements, rogue nations who are using cyberattacks to--either 
espionage, ransomware--what can we, as Congress, do to better 
educate?
    Because what we want people to do is we want them to be 
aware of CISA, of what the benefits CISA has to offer when 
there is an attack. We would like for them then to report that 
to CISA, so that we can investigate and try to go forward.
    And so, do you have any thoughts on what we can do to, 
again, improve that awareness of this agency?
    Ms. Samford. Sure, thank you. Thank you, and that is a 
great question.
    I believe that any public show of support for CISA and its 
efforts, I think that that is a tremendous deal.
    I can tell you there was one program in particular that I 
think CISA and Department of Homeland Security have been 
especially successful at since the Department was stood up, and 
that is the Protective Security Adviser program.
    The Commonwealth of Virginia--I was actually working in the 
Governor's office of Tim Kaine at the time, but Virginia was 
the first State to have a pilot program for protective security 
advisers, and now every State has at least one protective 
security adviser.
    But this individual, that is exactly what their job is, is 
they go out to the designated critical infrastructures, and 
they do physical security site assessments. And now I 
understand that CISA has cybersecurity advisers that accompany 
the protective security advisers. And so, they are kind of two 
in a box, visiting these infrastructures, wastewater treatment 
facilities, you name it, and they are talking about the 
different programs that CISA can offer to them.
    So, I think any public show of endorsement for these 
programs and CISA and the direct interaction with the private 
sector is definitely appreciated at all levels.
    Mr. Guest. Thank you, Mr. Chairman----
    Mr. Auchincloss. The gentleman's time has expired.
    Mr. Guest [continuing]. I am over time, I yield back.
    Mr. Auchincloss. Thank you, the gentleman yields, and that 
concludes our hearing.
    I would like to thank each of our witnesses for your 
testimony today. Your comments were informative and helpful.
    I ask unanimous consent that the record of today's hearing 
remain open until such time as our witnesses have provided 
answers to any questions that may be submitted to them in 
writing.
    I also ask unanimous consent that the record remain open 
for 15 days for any additional comments and information 
submitted by Members or witnesses to be included in the record 
of today's hearing.
    Without objection so ordered.
    The committee stands adjourned.
    [Whereupon, at 1:19 p.m., the committee was adjourned.]


                       Submissions for the Record

                              ----------                              

  Prepared Statement of Hon. Frederica S. Wilson, a Representative in 
                   Congress from the State of Florida
    Thank you, Chairman DeFazio for today's hearing.
    Gaps in the transportation sector's ability to defend, detect, and 
respond to cybersecurity incidents threaten residents of Florida and 
the nation at large.
    For example, the cyberattack on the Oldsmar water treatment 
facility had the potential to contaminate drinking water for 15,000 
Florida residents.
    Improving cybersecurity needs to be a top priority through strong 
industry and governmental partnerships and effective standards to avert 
attacks on facilities and systems, such as the Turkey Point Nuclear 
Generating Station located in South Florida.
    In addition, we must take actionable steps to increase our 
cybersecurity workforce and work to make these jobs accessible for all 
communities.
    I look forward to working with my colleagues and the private sector 
to enhance our nation's cybersecurity preparedness, increase the 
cybersecurity workforce, and protect citizens.
    With that, I have a few questions.


                                Appendix

                              ----------                              


 Question from Hon. Eddie Bernice Johnson to Scott Belcher, President 
 and Chief Executive Officer, SFB Consulting, LLC, on behalf of Mineta 
                        Transportation Institute

    Question 1. Mr. Belcher: What amount of funding do you believe 
Congress should provide to assist individual transit agencies, like 
Dallas Area Rapid Transit, with increasing their cybersecurity 
programs?
    Answer. Most transit agencies do not currently have the necessary 
funding to effectively begin addressing their cybersecurity needs. 
Unfortunately, there is not a specific amount that each transit agency 
should receive because each transit agency is unique and is at a 
different level of cyber maturity. Factors that should be considered 
when determining how much an individual agency should invest in 
cybersecurity preparedness include the risk and threats posed to the 
organization and the risk tolerance of the organization. At a minimum, 
transit agencies should have an understanding of the cyber risk and 
threats posed to their organization, and have assessed their current 
cyber risk program based on their risk tolerance. This resulting 
understanding of cyber risk should be factored into the agency's 
business continuity planning and incident response plans. If a transit 
agency has not taken these steps, then funding should be provided to 
help with these fundamentals. The understanding of cyber risk will also 
inform an estimate of the agency's immediate and long-term capital 
needs. As a start, Congress should provide funding for each agency to 
conduct a cyber risk assessment and integrate its assessment into its 
business continuity planning and incident response plans. These basics 
would then enable each agency to effectively convey their needs for 
additional resources for an ongoing cyber risk program to effectively 
mitigate and manage their identified cyber risk.

Question from Hon. Frederica S. Wilson to Scott Belcher, President and 
   Chief Executive Officer, SFB Consulting, LLC, on behalf of Mineta 
                        Transportation Institute

    Question 2. Mr. Belcher: In your testimony, you mentioned that 
``one of the key foundations for cybersecurity programs across any 
industry comes from the National Institute of Standards and 
Technology.''
    a.  Why is this agency's cybersecurity framework important and how 
can it be improved?
    Answer. The foundation for much of the United States' cybersecurity 
efforts, including those of the Department of Homeland Security (DHS) 
and U.S. Department of Transportation (U.S. DOT), is the National 
Institute of Standards and Technology (NIST) Cybersecurity Framework 
(NIST Framework). NIST is a non-regulatory agency: it has no authority 
to dictate the use of any particular standard. However, when there is a 
matter of public good that depends on establishing a standard, NIST 
convenes relevant public and private stakeholders to develop a 
standard, as they have done in the face of cybersecurity threats.
    In February 2014, NIST released the NIST Framework for Improving 
Critical Infrastructure Security in response to Presidential Executive 
Order 13636, Improving Critical Infrastructure Cybersecurity,\1\ which 
called for a standardized security framework for critical 
infrastructure in the United States. It is not a how-to guide for 
cybersecurity; rather, it is a framework designed to help a wide range 
of organizations assess risk and make sound decisions about 
prioritizing and allocating resources to reduce the risk of compromise 
or failure among their systems.
---------------------------------------------------------------------------
    \1\ Barack Obama. Executive Order 13636, Improving Critical 
Infrastructure Cybersecurity, 78 FR 11737, February 19, 2013, https://
www.federalregister.gov/documents/2013/02/19/2013-03915/improving-
critical-infrastructure-cybersecurity.
---------------------------------------------------------------------------
    For any industry or organization to leverage the NIST Framework, 
customized implementation is required in ways that are not necessarily 
obvious from the document. An entire industry has emerged of 
cybersecurity practitioners, software tools, consultants and advisors 
that leverages the NIST Framework as its basis for delivering services 
to its customers. For the transportation sector to effectively leverage 
the wares of this growing industry, it too must support the use of the 
NIST Framework.

  Questions from Hon. Colin Z. Allred to Scott Belcher, President and 
   Chief Executive Officer, SFB Consulting, LLC, on behalf of Mineta 
                        Transportation Institute

    Question 3. Mr. Belcher, in your testimony you mentioned the 
importance of cybersecurity preparedness and support for cybersecurity 
programs, as well as possibly using both a carrot and stick approach to 
ensure that public and private entities are using the necessary 
resources. What carrots and sticks do you recommend? And what minimum 
cybersecurity standards do you believe every transit company, both 
public and private, should adopt?
    Answer. In the Mineta Transportation Institute (MTI) study entitled 
``Is the Transit Industry Prepared for the Cyber Revolution? Policy 
Recommendations to Enhance Surface Transit Cyber Preparedness,'' \2\ my 
colleagues and I provide a number of recommendations that fall into 
each category. In the ``carrot'' category, we recommended that:
---------------------------------------------------------------------------
    \2\ Mineta Transportation Institute, Is the Transit Industry 
Prepared for the Cyber Revolution? Policy Recommendations to Enhance 
Surface Transit Cyber Preparedness, https://transweb.sjsu.edu/sites/
default/files/1939-Belcher-Transit-Industry-Cyber-Preparedness.pdf
---------------------------------------------------------------------------
      Congress should increase formula grant funding to transit 
agencies to ensure that they have sufficient resources to meet the 
minimal cybersecurity standards established above
      Congress should increase funding to DHS and U.S. DOT to 
develop and promulgate a set of minimal cybersecurity standards and 
tools and to help with their promotion
      DHS and U.S. DOT should provide technical guidance to 
transit agencies on the collection, retention, and assessment of system 
logs
      The American Public Transportation Association (APTA), 
working with other stakeholders, should develop a clearinghouse for 
cybersecurity best practices, in particular for small and medium 
transit operations
      APTA, working with other stakeholders, should create 
minimum guidelines for cybersecurity audits
      APTA, working with other stakeholders, should develop 
model cybersecurity contract language for agencies to integrate into 
their vendor contracts
      APTA, working with other stakeholders, should develop a 
model incident response plan, business continuity plan, continuity of 
operations plan, crisis communications plan, and disaster recovery plan 
that can be tailored to meet the needs of public transit organizations 
of varying sizes and needs
      APTA, working with other stakeholders, should continue to 
develop cybersecurity training modules and certificates

    In the ``stick'' category, we recommend that:
      Congress should ensure through its oversight powers that 
U.S. DOT and DHS work together to improve cybersecurity preparedness 
within the Transportation Systems Sector (TSS)
      DHS and U.S. DOT, the TSS co-sector specific agencies for 
transit, working with input from APTA and other industry organizations, 
should promulgate a set of minimum cybersecurity standards
      The Federal Transportation Administration (FTA), working 
with DHS, should create an attestation program, whereby transit CEOs 
are required to attest that their organization has met the minimum 
cybersecurity standards established above prior to receiving federal 
funds
      FTA, working with DHS and other relevant federal 
agencies, should require that transit agencies either outsource 
management of payment data to Payment Card Industry (PCI)-compliant 
vendors, or require that their CEO attest that they are PCI-compliant 
prior to receiving federal funds

    Question 4. Mr. Belcher, in your testimony you also mentioned the 
different agencies that provide cybersecurity preparedness support or 
guidance. In the transportation space, these agencies include the 
National Institute of Standards and Technology (NIST), Cybersecurity 
and Infrastructure Security Agency (CISA), DOT, Homeland Security and 
TSA as critical cybersecurity players. While some of these agencies do 
not have regulatory authority, are there any concerns with having so 
many different agencies responsible for leading different cybersecurity 
efforts?
    Answer. On February 12, 2013, the White House released Presidential 
Policy Directive 21 outlining the federal government's responsibility 
to strengthen the security and resilience of U.S. critical 
infrastructure against both physical and cyber threats.\3\ The 
Directive established that DHS and U.S. DOT share responsibility for 
the TSS. In sharing this role, the DHS's and U.S. DOT's 
responsibilities include:
---------------------------------------------------------------------------
    \3\ Barack Obama, Presidential Policy Directive-21, Washington, 
D.C.: The White House, February 12, 2013, https://
obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-
policy-directive-critical-infrastructure-security-and-resil
---------------------------------------------------------------------------
      Collaborating with critical infrastructure owners and 
operators
      Coordinating with state, local, tribal, and territorial 
entities to implement the directive
      Providing, supporting, or facilitating technical 
assistance and consultations to identify vulnerabilities and help 
mitigate incidents in the sector

    While there are multiple agencies providing guidance in this space, 
it was not until December 2021, that TSA issued Transportation Security 
Directive 1582-21-01, ``Enhancing Public Transportation and Railroad 
Cybersecurity'' \4\ applying to Public Transport/Public Rail owners and 
operators and required that they:
---------------------------------------------------------------------------
    \4\ Transportation Security Agency, Transportation Security 
Directive 1582-21-1, Washington, D.C., Enhancing Public Transportation 
and Railroad Cybersecurity, effective December 31, 2021, https://
www.tsa.gov/sites/default/files/sd-1582-21-01_signed.pdf.
---------------------------------------------------------------------------
      Designate a cybersecurity coordinator
      Report cyber incidents to CISA within 24 hours of 
detection
      Complete a vulnerability assessments of their networks; 
and
      Develop a cybersecurity incident response plan based on 
security issues discovered

    The FTA was part of the deliberations that led to the release of 
this Transportation Security Directive. I believe that this is the 
beginning of the new Administration's approach to cybersecurity and is 
likely to be the first of a series of Security Directives and/or 
regulations. I believe that working together, the TSA and the U.S. DOT 
as co-leads for this TSS, are the appropriate bodies to issue any 
mandatory requirements for the transit industry. Combined, they have a 
thorough understanding of appropriate cybersecurity protective measures 
and an in-depth understanding of the industry.

    Question 5. If so, which of these agencies should take the lead and 
what kind of restructuring should occur?
    Answer. See answer above.

     Question from Hon. Frederica S. Wilson to Megan Samford, Vice 
President, Chief Product Security Officer-Energy Management, Schneider 
 Electric, on behalf of the International Society of Automation Global 
                         Cybersecurity Alliance

    Question 1. Ms. Samford: Thank you so much for your testimony. I 
agree with your position that a bipartisan effort is necessary to 
effectively implement the Incident Command System for Industrial 
Control Systems at scale.
    a.  Please explain the importance of private and public sectors 
working together to effectively manage cyber incidents.
    Answer. The ICS4ICS program is creating Incident Command System 
capabilities that will enable private companies of various sizes to 
improve their response to cybersecurity incidents, especially those 
with Operational Technology and Industrial Control Systems. It will 
also create a consistent process for the US Department of Homeland 
Security to interface with, and support responses in the private 
sector. Today, no such process exists to ensure common terms, 
processes, and tools. The following critical infrastructure sectors 
heavily depend on Industrial Control Systems for their operations: 
chemical, energy, and pipelines; water and wastewater; critical 
manufacturing; dams; transportation including streetlights, aviation, 
and public transportation; and buildings that support hospitals, 
government agencies, and private companies. 85% of the critical 
infrastructure of the United States is owned and operated by private 
companies. The remaining 15% are owned and operated by local, state, 
tribal, and federal government agencies. ICS4ICS is based on an 
informal public-private partnership with FEMA and DHS who have 
contributed significant capabilities and resources to the ICS4ICS 
program.
    ICS4ICS membership is continuing to expand rapidly with 700 
individuals currently on our distribution list. ISAGCA has funded this 
private sector effort to develop ICS4ICS but will not be able to meet 
the funding needs as the program expands. ICS4ICS was developed by 
leveraging FEMA and DHS capabilities, processes, and tools. Currently, 
ICS4ICS is focused on Type 3 (single-company, single-site/asset) 
incidents. The program will be expanded in 2022 to address Type 2 
(single-company, multiple sites/assets) incidents. ICS4ICS will not be 
able to address nation-wide incident (Type 1) without a formal public-
private partnership. DHS CISA currently provides information about 
cyber-attacks and will need to expand their coordination role in a 
nation-wide attack impacting an entire critical infrastructure sector 
or possibly multiple sectors. ICS4ICS will enable public and private 
parties to work together more easily because they will have common 
terms, processes, and tools. ICS4ICS will also enable public and 
private companies to establish mutual aid agreements through 
credentialling of ICS4ICS staff based on roles and by having a common 
methodology.

 Question from Hon. Colin Z. Allred to Megan Samford, Vice President, 
 Chief Product Security Officer-Energy Management, Schneider Electric, 
      on behalf of the International Society of Automation Global 
                         Cybersecurity Alliance

    Question 2. We often only hear or see reporting on the most well-
known attacks against larger companies like Colonial Pipeline, but 
smaller businesses and companies are potentially more vulnerable to 
attacks than larger companies. Ms. Samford, what additional resources 
should the federal government provide to smaller businesses?
    Answer. The federal government should recommend the use of the FEMA 
Incident Command System to the private sector, and in particular, 
smaller businesses because it will greatly aid in helping them create 
incident response plans, common terminology, as well as a framework for 
working with the federal government when they need support. FEMA has 
numerous Incident Command Systems tools, templates, and training that 
can be leveraged by public and private sector small or large. The 
ICS4ICS tools and templates could be added to the FEMA site and 
customized for small businesses. The DHS Control System Exercise 
Package could be leveraged as a model to create an ICS4ICS Exercise 
Package for small businesses. Some of the ICS4ICS tools and templates 
should be updated to address the needs of small businesses and align 
with the DHS Exercise Package for small businesses. A registry could be 
established for parties willing to provide mutual aid which would 
likely significantly benefit small businesses who don't have the 
procurement staff to create these types of agreements. FEMA classroom 
training course information could be widely shared with small 
businesses which would allow them to participate for free when extra 
seats are available.

 Question from Hon. Frederica S. Wilson to Thomas L. Farmer, Assistant 
       Vice President-Security, Association of American Railroads

    Question 1. Mr. Farmer: Thank you for your testimony. I want to 
applaud the collaboration of railroads in their efforts to strengthen 
cybersecurity. I am the current sponsor of a rail safety resolution 
that is introduced every year. And even though it focuses on 
collisions, in 2022, a cybersecurity element may be needed. In your 
testimony, you mention that TSA directives are unnecessary and can 
undermine the work the rail industry has done over the last 20 years.
    a.  You indicate the benefit of a collaboration between government 
and the rail industry. How would government mandates erode the benefit 
of this collaboration, especially if these mandates would protect this 
critical industry?
    Answer. Representative Wilson: Thank you very much for your 
commendation of the collaborative efforts that railroads maintain, and 
strive continuously to enhance, to protect networks and assure safe and 
resilient operations. As your question indicates, the railroads value 
collaboration not only among freight and passenger railroads, but also 
with other transportation modes, other industries, and government 
agencies.
    Our unwavering focus is on assuring timely access to assessments, 
analyses, and reporting on cyber threats and incidents to inform 
vigilance; and on having the capability to detect cyber-attacks and 
prevent breaches. It is vital that railroads be flexible and nimble to 
counter an ever-evolving threat.
    AAR's general concern with government mandates is that they 
potentially undercut the railroads' efforts to be prepared for cyber-
attacks. Government mandates inevitably alter the nature and quality of 
the interaction between government and industry. The priority shifts 
from what can be attained collaboratively for cybersecurity enhancement 
to complying with the terms of the mandates--what actions are expressly 
required and whether the covered organization has implemented all 
mandated measures.
    Regarding the recent security directives, AAR's cyber team worked 
tirelessly with the TSA and other federal stakeholders to make 
significant revisions to shape the directives into what they are today:
    1.  designate a cybersecurity coordinator;
    2.  report cybersecurity incidents to CISA within 24 hours;
    3.  develop and implement a cybersecurity incident response plan to 
reduce the risk of an operational disruption; and,
    4.  complete a cybersecurity vulnerability assessment to identify 
potential gaps or vulnerabilities in their systems.

    AAR does not object to the substance of these mandates. As a matter 
of fact, the railroads are already substantially in compliance. 
However, the process by which the mandates was issued was not ideal. 
The public notice and comment period used to promulgate federal 
regulations would have afforded ample time and opportunity to address 
these matters and produced a stronger outcome overall. Railroads take 
cyber threats seriously. We value our productive work with government 
partners to keep the rail network safe from cyber and physical 
threats--as we have done for decades and will continue to do for many 
more.

Questions from Hon. Frederica S. Wilson to Michael A. Stephens, General 
   Counsel and Executive Vice President for Information Technology, 
  Hillsborough County Aviation Authority, Tampa International Airport

    Question 1. Mr. Stephens: Thank you for your testimony. Adopting a 
non-voluntary cybersecurity mitigation strategy can be effective in 
preventing attacks on airports, airlines, and critical aviation 
information systems.
    a.  Please explain the significance and need for implementing a 
non-voluntary, baseline cybersecurity standard to best protect the 
aviation industry.
    Answer. As attacks and threats become more prevalent and damaging, 
we cannot afford as a nation for our critical infrastructure sectors to 
experience a catastrophic event before we
    The current posture for many critical infrastructure entities is to 
be often reactive rather than proactive when mitigating cyber risks--
for example, delaying essential mitigation activities such as patching 
and updates. This reactive posture is usually not because of lack of 
willingness but is often due to low prioritization or financial 
constraints. The reactive post, in my opinion, also occurs because 
there is often no oversight or requirement to do so. However, I believe 
that we are at an inflection point where this is no longer acceptable. 
The most apparent benefit of mandatory standards is that they 
incentivize entities to actively implement the necessary measures, 
processes, and policies for an improved security posture, thereby 
reducing the risk of an entity getting breached. If a breach occurs, it 
significantly increases the chances that the entity will be better 
prepared with incident responses and continuity plans to minimize 
damage and mitigate risks.

    Question 2. Mr. Stephens: You state that ``closing the human 
factors gap is a critical and integral part of a successful and 
effective cyber resilience strategy,'' and suggest a uniform standard 
that establishes a minimum baseline training requirement.
    a.  What would an ideal baseline standard look like from your 
perspective?
    Answer. It is my opinion that standards currently exist that 
airports and key aviation sector stakeholders can easily adopt that to 
enhance their cybersecurity preparedness and resiliency. These 
standards include guidance that focuses on ``human factors,'' such a 
reoccurring awareness and preparedness training related to cyber 
threats. As discussed during the hearing, the NIST standard and the 
COBIT 5 standard offer excellent opportunities for airports to build 
robust threat mitigation and cybersecurity programs.
    It is important to note that airports are very different with 
respect to their organization and operations. Therefore, a one-size-
fits-all approach would be highly inadvisable, and I believe, 
ineffective. The TSA and the FAA can begin to more actively encourage 
airports to adopt and implement a standard of the airport or 
stakeholders' choice as a component of their System Security Plan. 
Airport stakeholders should be given the flexibility to adopt standards 
and mitigation measures that best fit their unique structures and 
risks.

  Question from Hon. Colin Z. Allred to Michael A. Stephens, General 
   Counsel and Executive Vice President for Information Technology, 
  Hillsborough County Aviation Authority, Tampa International Airport

    Question 3. Mr. Stephens, as the government puts more focus on 
cybersecurity preparedness measures, how do you suggest that we 
incentivize private companies to address cybersecurity issues in the 
aviation sector?
    Answer. I believe that, where appropriate, incentives are often the 
preferable path to adopting and accepting cyber security standards as 
opposed to mandates in the aviation sector. A few areas where I believe 
there is an opportunity are the Federal grants process. Entities that 
have demonstrated greater preparedness, whether through the adoption or 
implementation of cyber standards, could potentially be given more 
significant consideration. Grant programs such as the FAA's programs on 
workforce development, AIP program, or other grant programs for safety 
and security enhancements are potential starting points.
    Moreover, cyber requirements should be embedded into the 
procurement process where Federal funds are involved over a certain 
dollar threshold. This would potentially incentivize private sector 
entities who wish to do business with airports to focus on 
cybersecurity preparedness measures. Another incentive could come in 
the form of limiting liability for cybersecurity breaches under current 
law in exchange for implementing certain baseline standards.

  Questions from Hon. Frederica S. Wilson to John P. Sullivan, P.E., 
  Chief Engineer, Boston Water and Sewer Commission, on behalf of the 
             Water Information Sharing and Analysis Center

    Question 1. Mr. Sullivan: Thank you for your testimony. You 
highlight that there is no statutory requirement for wastewater systems 
to take an ``all-hazards'' look at potential threats, including cyber 
risk. Furthermore, you discuss the development of a wastewater sector 
program, like the EPA's oversight of drinking water.
    a.  What legislative approach to federal oversight of wastewater 
systems would you recommend, and how would it incorporate 
cybersecurity?
    Answer. While WaterISAC takes no position on the federal regulation 
of the cybersecurity practices of wastewater systems, my testimony 
notes that America's Water Infrastructure Act of 2018 (P.L. 115-270) 
requires drinking water utilities, under the oversight of EPA, to 
periodically take an ``all-hazards'' look at potential threats, 
including risks to ``electronic, computer, or other automated 
systems.'' Subject matter experts have noted that Congress could 
consider extending this same requirement to the nation's wastewater 
systems, directing them to similarly make periodic evaluations of their 
cybersecurity posture. While some assistance may be necessary to help 
small wastewater systems complete this task, other wastewater systems--
such as those that are part of joint utilities with drinking water 
systems--could likely fulfill this requirement fairly easily. This 
would also serve to put both drinking water and wastewater systems on 
equal regulatory footing, in terms of physical and cybersecurity 
requirements, thus providing the entire water sector with a consistent 
baseline on which to build any future security policies.

    Question 2. Mr. Sullivan: A Water Sector Coordinating Council 
survey found that nearly 40 percent of respondents did not have 
cybersecurity as part of their risk management plans; many of them were 
smaller water and wastewater systems that lack the funding and 
expertise.
    a.  What can be done to provide these smaller systems with 
resources and technical assistance to make cybersecurity a meaningful 
part of their operations?
    Answer. One of the most effective things the federal government can 
do to help small water and wastewater systems improve their 
cybersecurity posture is to offer voluntary technical assistance and 
financial aid to connect these small systems with best practices and 
information sharing resources that are available in the water sector. 
For example, my testimony notes that the recently enacted 
Infrastructure Investment and Jobs Act authorizes a new Department of 
Energy program that aims to improve the cyber resilience of utilities 
in the bulk power sector. Specifically, the new program will facilitate 
the delivery of technical assistance and work to expand participation 
in the Electricity Information Sharing and Analysis Center, which is 
WaterISAC's counterpart in the electricity sector. I believe a similar 
EPA program, focused on offering cybersecurity technical assistance to 
small water and wastewater systems, while also supporting the 
membership of these systems in WaterISAC, could greatly increase the 
cyber awareness of water systems from coast to coast. This, in turn, 
will help the operators of these systems become aware of the threat 
landscape, protect themselves against cyber attacks, and implement 
measures that make their water systems less vulnerable.

   Question from Hon. Garret Graves to John P. Sullivan, P.E., Chief 
  Engineer, Boston Water and Sewer Commission, on behalf of the Water 
                Information Sharing and Analysis Center

    Question 3. Earlier this year we saw that impact of a hack into a 
water system in Oldsmar Florida (near Tampa), with the hacker 
increasing the amount of sodium hydroxide (lye) in the water by a 
factor of more than 100 (FYI sodium hydroxide is the main ingredient in 
liquid drain cleaners like Drano , in smaller quantities it tempers 
the water's acidity).
    During the first reconciliation markup and on the floor, I offered 
an amendment which would have authorized $50 million for an EPA grant 
program to help municipalities keep their systems secure. This 
amendment was not adopted by the committee or by the full House.
    Do you think that this amendment would have been helpful to 
safeguard drinking water from hackers?
    Answer. While I am not familiar with the specific details of that 
amendment, water and wastewater systems would certainly benefit from 
additional EPA aid to keep their systems secure against threats from 
cyberspace and elsewhere. In fact, two provisions included in the 
recently enacted Infrastructure Investment and Jobs Act would make 
progress toward this goal. Sections 50107 and 50205 of that new law 
authorize respective drinking water and wastewater utility resilience 
and sustainability programs at EPA to help utilities undertake projects 
to protect against cyber threats, extreme weather events, and other 
natural hazards. Funding these and similar programs to increase water 
and wastewater system preparedness to a range of threats would 
certainly help all utilities become more secure.

   Question from Hon. Frederica S. Wilson to Gary C. Kessler, Ph.D., 
              Nonresident Senior Fellow, Atlantic Council

    Question 1. Dr. Kessler: Thank you so much for your testimony. You 
highlighted the significant uptick in cyberattacks targeting the 
Maritime Transportation System. This is a very important issue to me 
because PortMiami is located in South Florida. I agree that a focus on 
mitigating cyber risks should not only target threats, but also 
vulnerabilities.
    a.  You stated that a critical defensive tactic is related to 
intelligence sharing. Why is information sharing so important for 
defending against cyberattacks and ensuring that all organizations, 
regardless of size, can safeguard themselves?
    Answer. Thank you, Congresswoman Wilson, for this question. We 
address this issue in the Atlantic Council report, as Recommendation 
#3, one of the high priority responses that we believe will elevate the 
effectiveness of cybersecurity practices. It is an issue near and dear 
to my heart.
    Information and intelligence sharing works on at least a couple of 
levels. First, the Maritime Transportation System (MTS) has at least 
the same cyber issues as all other users of computers and technology. 
Given all of the cyber issues that are common to everyone, then it just 
makes sense to openly share known vulnerabilities in software and 
hardware. These efforts are already largely in place with programs such 
as MITRE's Common Vulnerabilities and Exposures (CVE) database, NIST's 
National Vulnerability Database (NVD), and periodic cybersecurity 
warnings from CISA and vendors.
    Within the MTS, we can be more open in sharing particular threats 
against our industry and computer systems specific to maritime. Indeed, 
sharing actual case studies of attacks that have occurred and the 
lessons learned would be very valuable to the entire community.
    There are those who opine that openly sharing vulnerabilities 
informs the Bad Guys and does not give vendors enough time to fix the 
problems. I would observe that historically, for at least the last 30 
years on the public Internet, the attacker community has always been 
better informed than the target community. Keeping vulnerabilities 
secret from potential victims while waiting for vendors to create a 
patch leaves a lot of systems unaware, unarmed, at risk, and unable to 
take any potential protective measures on their own.
    Secondly, while I believe that we need to focus on cyber 
vulnerabilities, we also need to be cognizant of all threats directed 
at us. By way of example, if I was the Port of Miami, I would be 
interested in any and all threat intelligence directed at anything 
related to my organization's operation, including threats against:
      The MTS, in general;
      Ports, in general, or my port, in particular;
      Any ship or shipping line doing business in my port;
      Any inter-modal carrier with a presence at my port;
      The U.S., Florida, Miami-Dade County, or the City of 
Miami;
      Any port personnel, officers of the Miami-Dade Seaport 
Department, or any other officials or officers associated with 
PortMiami (all identified, by the way, in the port's Annual Report, 
available online); or
      Industry meetings, particularly those related to port 
operations.

    The community of attackers--and the attackers do communicate and 
share information--is very informed and have bad intentions. Potential 
victims need to be armed with as much information as possible in as 
timely a fashion as possible.
    Please let me know if I can provide any other information or 
clarification.


THE EVOLVING CYBERSECURITY LANDSCAPE: FEDERAL PERSPECTIVES ON SECURING 
                      THE NATION'S INFRASTRUCTURE

                              ----------                              


                       THURSDAY, DECEMBER 2, 2021

                  House of Representatives,
    Committee on Transportation and Infrastructure,
                                            Washington, DC.
    The committee met, pursuant to call, at 10:04 a.m. in room 
2167 Rayburn House Office Building and via Zoom, Hon. Peter A. 
DeFazio (Chair of the committee) presiding.
    Members present in person: Mr. Larsen, Mr. Carson, Mr. 
DeSaulnier, Mr. Carbajal, Mr. Stanton, Ms. Davids of Kansas, 
Mr. Auchincloss, Ms. Strickland, Ms. Newman, Mr. Graves of 
Missouri, Mr. Crawford, Mr. Perry, Mr. Rodney Davis, Dr. Babin, 
Mr. Bost, Miss Gonzalez-Colon, Mr. Balderson, Mr. Stauber, and 
Mr. Burchett.
    Members present remotely: Mr. DeFazio, Ms. Norton, Ms. 
Johnson of Texas, Mrs. Napolitano, Mr. Cohen, Ms. Titus, Ms. 
Brownley, Mr. Payne, Mr. Lynch, Mr. Malinowski, Mr. Allred, Mr. 
Garcia of Illinois, Mr. Delgado, Mr. Lamb, Ms. Bourdeaux, Ms. 
Williams of Georgia, Mr. Carter of Louisiana, Mr. Gibbs, Mr. 
Massie, Mr. Katko, Mr. Graves of Louisiana, Mr. Rouzer, Mr. 
Weber, Mr. Mast, Mr. Fitzpatrick, Mr. Johnson of South Dakota, 
Dr. Van Drew, Mr. Guest, Mr. Nehls, Ms. Van Duyne, and Mrs. 
Steel.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                           November 29, 2021
    SUMMARY OF SUBJECT MATTER

    TO:       Members, Committee on Transportation and Infrastructure
    FROM:   Staff, Committee on Transportation and Infrastructure
    RE:       Full Committee Hearing on ``The Evolving Cybersecurity 
Landscape: Federal Perspectives on Securing the Nation's 
Infrastructure''
_______________________________________________________________________

                                PURPOSE
    The Committee on Transportation and Infrastructure will meet on 
Thursday, December 2, 2021, at 10:00 a.m. EST in 2167 Rayburn House 
Office Building and via Zoom, to hold a hearing titled ``The Evolving 
Cybersecurity Landscape: Federal Perspectives on Securing the Nation's 
Infrastructure.'' The Committee will hear testimony from Mr. Cordell 
Schachter, Chief Information Officer (CIO), Department of 
Transportation (DOT); Mr. Larry Grossman, Chief Information Security 
Officer (CISO), Federal Aviation Administration (FAA); Ms. Victoria 
Newhouse, Deputy Assistant Administrator for Policy, Plans, and 
Engagement, Transportation Security Administration (TSA); Rear Admiral 
John W. Mauger, Assistant Commandant for Prevention Policy, U.S. Coast 
Guard (USCG); Mr. Kevin Dorsey, Assistant Inspector General for 
Information Technology Audits, DOT Office of Inspector General (DOT 
OIG); and Mr. Nick Marinos, Director of Information Technology and 
Cybersecurity, Government Accountability Office (GAO).
                               BACKGROUND

CYBERTHREATS TO THE U.S. TRANSPORTATION AND INFRASTRUCTURE SECTORS

    Cyberattacks are a serious and evolving risk that affect 
transportation and infrastructure matters across T&I's 
jurisdiction. Cyberattacks can result in tremendous financial 
damage, destruction of infrastructure assets, and even 
death.\1\ They impact governments, businesses, and individuals 
alike and have been growing in number and sophistication.\2\ 
This hearing is the second of two full committee hearings on 
cybersecurity of the nation's infrastructure.\3\ The first 
hearing was held in November 2021 and featured testimony from 
industry stakeholders and cybersecurity experts.\4\ As 
discussed in the November hearing, cyberattacks on the nation's 
critical infrastructure--about 85 percent of which is owned and 
operated by private entities \5\--can cause significant harm to 
the public. However, many private entities, as well as federal 
agencies, have not taken the necessary steps to prevent, 
prepare for, respond to, and recover from cyberattacks.\6\ 
During the Committee's November hearing, witnesses discussed 
challenges that hamper infrastructure operators' preparedness 
and resilience, such as a shortage of qualified information 
technology staff, a lack of appropriate cybersecurity awareness 
training, and insufficient technical expertise.\7\ 
Responsibility for cybersecurity of the nation's infrastructure 
is shared among many entities, including the federal 
government, state and local entities, and public and private 
infrastructure owners and operators.\8\
---------------------------------------------------------------------------
    \1\ Council of Economic Advisors, ``The Cost of Malicious Cyber 
Activity to the U.S. Economy,'' (February 2018), available at https://
trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-
Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf; Andy Greenberg, The 
Untold Story of NotPetya, the Most Devastating Cyberattack in History, 
(October 14, 2018), available at https://tech.industry-best-
practice.com/2018/10/14/the-untold-story-of-notpetya-the-most-
devastating-cyberattack-in-history/
    \2\ Id.
    \3\ House Committee on Transportation and Infrastructure, ``The 
Evolving Cybersecurity Landscape: Federal Perspectives on Securing the 
Nation's Infrastructure,''(December 2, 2021), available at https://
transportation.house.gov/committee-activity/hearings/the-evolving-
cybersecurity-landscape-federal-perspectives-on-securing-the-nations-
infrastructure; House Committee on Transportation and Infrastructure, 
``Hearing: The Evolving Cybersecurity Landscape: Industry Perspectives 
on Securing the Nation's Infrastructure,'' available at https://
transportation.house.gov/committee-activity/hearings/the-evolving-
cybersecurity-landscape-industry-perspectives-on-securing-the-nations-
infrastructure
    \4\ Id.
    \5\ GAO, ``The Department of Homeland Security's (DHS) Critical 
Infrastructure Protection Cost-Benefit Report,'' (June 26, 2009), p. 1, 
available at https://www.gao.gov/assets/gao-09-654r.pdf
    \6\ See for example, testimony of Scott Belcher and John Sullivan 
at House Committee on Transportation and Infrastructure, ``Hearing: The 
Evolving Cybersecurity Landscape: Industry Perspectives on Securing the 
Nation's Infrastructure,'' available at https://
transportation.house.gov/committee-activity/hearings/the-evolving-
cybersecurity-landscape-industry-perspectives-on-securing-the-nations-
infrastructure
    \7\ ``Hearing: The Evolving Cybersecurity Landscape: Industry 
Perspectives on Securing the Nation's Infrastructure,'' available at 
https://transportation.house.gov/committee-activity/hearings/
the-evolving-cybersecurity-landscape-industry-perspectives-on-securing-
the-nations-infrastructure
    \8\ The White House, PPD-21 Presidential Policy Directive--Critical 
Infrastructure Security and Resilience, (February 12, 2013), available 
at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/
presidential-policy-directive-critical-infrastructure-security-and-
resil
---------------------------------------------------------------------------
    This hearing will feature federal witnesses and focus on 
(1) actions the federal government is taking to address 
cybersecurity and preparedness of the transportation and 
infrastructure sectors, and (2) challenges agencies face in 
securing their own computer networks and the steps they are 
taking to address these challenges and to implement recent 
federal cybersecurity directives and other actions.

FEDERAL AGENCIES WITH A ROLE IN TRANSPORTATION AND INFRASTRUCTURE 
                    CYBERSECURITY

    In 2013, the federal government established a framework to 
guide the cybersecurity efforts of critical infrastructure 
owners and operators, which is set forth in the National 
Infrastructure Protection Plan (NIPP) 2013: Partnering for 
Critical Infrastructure Security and Resilience.\9\ The plan 
organizes critical infrastructure into 16 sectors and 
designates a federal department or agency as the lead 
coordinator--or sector risk management agency--for each 
sector.\10\
---------------------------------------------------------------------------
    \9\ National Infrastructure Protection Plan (NIPP) 2013: Partnering 
for Critical Infrastructure Security and Resilience, p. 3, available at 
https://www.cisa.gov/sites/default/files/publications/national-
infrastructure-protection-plan-2013-508.pdf
    \10\ NIPP, 2013 at p. 9.
---------------------------------------------------------------------------
    The agencies listed below serve as the federal interface 
for the prioritization and coordination of sector-specific 
security and resilience efforts, including for cybersecurity. 
These respective sectors are within the committee's 
jurisdictional purview.

----------------------------------------------------------------------------------------------------------------
                        Sector                                      Sector Risk Management Agencies
----------------------------------------------------------------------------------------------------------------
Government Facilities................................                           General Services Administration
                                                                          Federal Protective Service (DHS) \11\
----------------------------------------------------------------------------------------------------------------
Transportation Systems...............................                              Department of Transportation
                                                                                         U.S. Coast Guard (DHS)
                                                              Transportation Security Administration (DHS) \12\
----------------------------------------------------------------------------------------------------------------
Water and Wastewater Services........................                      Environmental Protection Agency \13\
----------------------------------------------------------------------------------------------------------------
Dams.................................................                Department of Homeland Security (DHS) \14\
----------------------------------------------------------------------------------------------------------------
Emergency Services...................................                Department of Homeland Security (DHS) \15\
----------------------------------------------------------------------------------------------------------------


    The responsibilities of sector risk management agencies 
include: \16\
---------------------------------------------------------------------------
    \11\ Department of Homeland Security and General Services 
Administration, ``Government Facilities Sector-Specific Plan,'' 2015, 
available at https://www.cisa.gov/sites/default/files/publications/
nipp-ssp-government-facilities-2015-508.pdf
    \12\ Department of Homeland Security and Department of 
Transportation, ``Transportation Systems Sector-Specific Plan,'' 2015, 
available at https://www.cisa.gov/sites/default/files/publications/
nipp-ssp-transportation-systems-2015-508.pdf
    \13\ NIPP, 2013 at p. 11.
    \14\ Id.
    \15\ Id.
    \16\ Id. at pp. 9-10.
---------------------------------------------------------------------------
     LCoordination with the Department of Homeland 
Security (DHS) and other relevant departments and agencies, and 
collaboration with infrastructure entities on the protection of 
critical infrastructure, including cybersecurity threats;
     LProviding and facilitating technical assistance 
for sector owners and operators to identify threats and 
vulnerabilities, improve cyber defenses, and help mitigate 
cyber incidents; and
     LParticipation in Sector-Specific Coordinating 
Councils, Government Coordinating Councils, and other 
coordinating bodies for their sector.\17\
---------------------------------------------------------------------------
    \17\ Id. at p. 43.
---------------------------------------------------------------------------

INFORMATION SHARING AND ANALYSIS CENTERS

    In addition to the above-mentioned federal assistance for 
cybersecurity, private industry offers assistance through 
sector-specific Information Sharing and Analysis Centers 
(ISAC). The concept of ISACs was first promulgated in 
Presidential Decision Directive-63 (PDD-63), signed on May 22, 
1998.\18\ Today the National Council of ISACs recognizes 26 
industry specific ISAC organizations.\19\ Typically, ISACs are 
nonprofit organizations that share information about threats, 
vulnerabilities, and mitigation within their particular 
sector.\20\ Some also provide awareness training and assistance 
in responding to cyber and other security incidents.\21\
---------------------------------------------------------------------------
    \18\ ``About ISACs,'' National Council of ISACs, available at 
https://www.nationalisacs.org/about-isacs
    \19\ ``About NCI,'' National Council of ISACs, available at https:/
/www.nationalisacs.org/about-nci
    \20\ National Council of ISACs web site, available at https://
www.nationalisacs.org/about-isacs
    \21\ For example, Aviation ISAC offers training and incident 
response analysis see: https://www.a-isac.com/aboutus; Maritime 
Transportation System ISAC offers training and threat alerts see: 
https://www.mtsisac.org/services
---------------------------------------------------------------------------
    For example, in the water sector, the Water Information 
Sharing and Analysis Center (WaterISAC) partners with various 
organizations, including the American Water Works Association, 
the Association of Metropolitan Water Agencies, and the 
National Rural Water Association.\22\ WaterISAC also maintains 
close contact with government agencies to access sensitive and 
classified security information.\23\ WaterISAC acts as an 
information clearinghouse and provides analysis and resources 
to its members to ``support response, mitigation, and 
resilience initiatives.'' \24\
---------------------------------------------------------------------------
    \22\ Water ISAC web site, available at https://www.waterisac.org/
about-us
    \23\ Id.
    \24\ Id.
---------------------------------------------------------------------------

FEDERAL CYBERSECURITY PREPAREDNESS AND INTERNAL WEAKNESSES

    While the federal government supports private actors 
regarding cybersecurity in critical infrastructure, significant 
work is needed within federal government agencies to improve 
their own cybersecurity defenses. In March 2021, GAO identified 
ten critical actions needed to address major cybersecurity 
challenges.\25\ The ten urgent needs fell under four major 
cybersecurity challenges previously identified by GAO, 
specifically: (1) Establishing a comprehensive cybersecurity 
strategy and performing effective oversight; (2) Securing 
federal systems and information; (3) Protecting cyber critical 
infrastructure; and (4) Protecting privacy and sensitive 
data.\26\
---------------------------------------------------------------------------
    \25\ GAO, ``Federal Government Needs to Urgently Pursue Critical 
Actions to Address Major Cybersecurity Challenges,'' (March 2021), p. 
9, available at https://www.gao.gov/assets/gao-21-288.pdf
    \26\ Id. at p. 8.
---------------------------------------------------------------------------
    The report also noted that establishing the Office of the 
National Cyber Director within the Executive Office of the 
President, as Congress did in early 2021, was ``an essential 
step forward'' towards addressing cybersecurity.\27\ Further, 
the recently passed Infrastructure Investment and Jobs Act 
directed $21 million for initial funding for this office, 
ensuring the federal government will be better situated to 
confront the nation's cyber threats and challenges.\28\
---------------------------------------------------------------------------
    \27\ Id. at p. i.
    \28\ Liz Carey, ``Infrastructure Act Includes $20M for Office of 
National Cyber Director,'' Homeland Preparedness News, (November 9, 
2021), available at https://homelandprepnews.com/stories/74682-
infrastructure-act-includes-20m-for-office-of-national-cyber-director/
---------------------------------------------------------------------------
    However, the GAO report also said, ``critical risks remain 
on supply chains, workforce management, and emerging 
technologies'' and pointed out that in December 2020, ``GAO 
reported that none of the 23 agencies in its review had fully 
implemented key foundational practices for managing information 
and communications technology supply chains.'' \29\ In May 
2021, GAO received updates from six of the 23 agencies 
regarding actions taken or planned to address its 
recommendations.\30\ However, none of the agencies had fully 
implemented the recommendations.\31\
---------------------------------------------------------------------------
    \29\ GAO, ``Federal Government Needs to Urgently Pursue Critical 
Actions to Address Major Cybersecurity Challenges,'' (March 2021), p 
ii, available at https://www.gao.gov/assets/gao-21-288.pdf
    \30\ GAO, ``Federal Agencies Need to Implement Recommendations to 
Manage Supply Chain Risk,'' (May 25, 2021), p 15, available at https://
www.gao.gov/assets/gao-21-594t.pdf
    \31\ Id. at p. 13.
---------------------------------------------------------------------------
    The report also highlighted the fact that since 2010, ``GAO 
has made nearly 80 recommendations to enhance infrastructure 
cybersecurity'' and that ``nearly 50'' of those recommendations 
have not been implemented heightening the risk to the nation's 
infrastructure.\32\ Overall, since 2010, GAO has issued more 
than 3,700 recommendations across the federal government, 
including DOT and its subagencies, that could improve the 
nation's cybersecurity.\33\ In July 2021, more than 950 of 
those recommendations remained unimplemented.\34\
---------------------------------------------------------------------------
    \32\ GAO, ``Federal Government Needs to Urgently Pursue Critical 
Actions to Address Major Cybersecurity Challenges,'' March 2021, p. ii, 
available at https://www.gao.gov/assets/gao-21-288.pdf
    \33\ GAO, ``Our Testimony to Congress on Efforts to Secure Oil and 
Gas Pipelines Against Cyberattacks,'' (July 28, 2021), available at 
https://www.gao.gov/blog/our-testimony-congress-efforts-secure-oil-and-
gas-pipelines-against-cyberattacks-video
    \34\ Id.

---------------------------------------------------------------------------
Department of Transportation (DOT)

    DOT and its 11 operating administrations and other 
components rely on hundreds of information technology systems 
for uses as diverse as air traffic control operations, 
disbursement of billions of dollars in loans and grants, 
managing sensitive personnel data, and many other functions key 
to DOT's mission.\35\ The DOT OIG has identified information 
security as a top management challenge for the Department and 
stated that addressing these weaknesses and strengthening 
controls is essential for protecting departmental information 
technology (IT) infrastructure and improving DOT's 
cybersecurity posture.\36\ These recurring cybersecurity 
weaknesses have resulted in key systems being vulnerable to 
cyberattacks, takeovers, and data breaches.\37\ In addition, in 
the DOT OIG's most recent Top Management Challenges report 
released in late October 2021, they found that DOT needs a 
``holistic approach with sustained focus and direction'' to 
resolve 66 open recommendations the DOT OIG made in previous 
audits.\38\ These recommendations are intended to help address 
10,663 security weaknesses identified in DOT plans of actions 
and milestones.\39\ The DOT OIG has also identified 
cybersecurity weaknesses at the component agencies within DOT. 
Specific problems the DOT OIG has identified include the 
following:
---------------------------------------------------------------------------
    \35\ DOT OIG, ``DOT Top Management Challenges FY 2022,'' (October 
27, 2021), available at https://www.oig.dot.gov/sites/default/files/
DOT%20FY%202022%20Top%20Management
%20Challenges.pdf
    \36\ Id.
    \37\ Id.
    \38\ Id.
    \39\ Id.
---------------------------------------------------------------------------
     LFederal Transit Administration (FTA). In October 
2021, the DOT OIG released a report on cybersecurity weaknesses 
of FTA's financial management systems that could affect FTA's 
ability to approve, process, and disburse COVID-19 funds.\40\ 
Among the OIG's findings: FTA has failed to fix security 
control weaknesses identified since 2016; it lacks sufficient 
contingency planning and incident response capabilities; and it 
``does not adequately monitor the security controls provided by 
or inherited from DOT's common control provider.'' \41\ The DOT 
OIG found that 139 of 269 security controls were not tested or 
implemented but reported as satisfied by FTA officials, for 
instance, increasing the exposure of FTA's financial management 
systems to outside threats.\42\ The DOT OIG made 13 
recommendations to correct these and other weaknesses and FTA 
has concurred with all of these recommendations.\43\
---------------------------------------------------------------------------
    \40\ DOT OIG, ``FTA Does Not Effectively Assess Security Controls 
or Remediate Cybersecurity Weaknesses To Ensure the Proper Safeguards 
Are in Place To Protect Its Financial Management Systems,'' (October 
20, 2021), available at https://www.oig.dot.gov/sites/default/
files/
FTA%20Financial%20Management%20Systems%20Security%20Controls%20Final
%20Report_10-20-21_REDACTED.pdf
    \41\ Id.
    \42\ Id.
    \43\ Id.
---------------------------------------------------------------------------
     LFederal Motor Carrier Safety Administration 
(FMCSA). FMCSA regulates and oversees the safety of commercial 
vehicles. In October 2021, the DOT OIG issued a report showing 
their investigators had exploited vulnerabilities in web 
servers at FMCSA that allowed them to gain unauthorized access 
to the agency's network.\44\ The agency also failed to detect 
the DOT OIG's placement of malware on their network.\45\ DOT 
OIG investigators were able to gain access to 13.6 million 
unencrypted records with personally identifiable 
information.\46\ The DOT OIG estimated that if malicious actors 
had obtained this information, it could have cost FMCSA up to 
$570 million in credit monitoring fees.\47\ FMCSA did not 
detect the breach, in part because it did not use required 
automated detection tools and malicious code protections.\48\ 
The DOT OIG also found that FMCSA does not always remediate 
vulnerabilities as quickly as DOT policy requires, putting 
FMCSA's network and data at risk for unauthorized access and 
compromise.\49\ FMCSA concurred with DOT OIG's 13 
recommendations and considers these issues ``resolved but open 
pending FMCSA's completion of'' its planned actions.\50\
---------------------------------------------------------------------------
    \44\ DOT OIG, ``FMCSA's IT Infrastructure Is at Risk for 
Compromise,'' (October 20, 2021), available at https://www.oig.dot.gov/
sites/default/files/FMCSA%20IT%20Infrastructure%20Final
%20Report_10-20-21%20REDACTED.pdf
    \45\ Id.
    \46\ Id.
    \47\ Id.
    \48\ Id.
    \49\ Id.
    \50\ Id.
---------------------------------------------------------------------------
     LFederal Aviation Administration (FAA). In August 
2021, the DOT OIG released a report on FAA's efforts to 
categorize its high-impact information systems.\51\ The report 
found that until recently, the agency's air traffic 
organization had never properly categorized its high-impact 
security systems, although these systems provide safety-
critical services.\52\ In addition, it found, ``FAA lacks 
formalized policies and procedures for selecting and 
implementing high security controls for its high-impact systems 
and continues to develop mitigations for security risks.'' \53\ 
The DOT OIG further found that FAA has not completed a required 
gap analysis to comply with federal standards for its 45 high-
impact systems ``and is essential for determining whether the 
organization's security and privacy risks have been effectively 
managed.'' \54\ Finally, the report said, ``FAA has not yet 
mitigated the risk that the NAS [National Airspace System] 
could be vulnerable to threats as the Agency works to implement 
high security controls, because it has not fully implemented 
enterprise security initiatives designed to protect NAS 
assets.'' \55\
---------------------------------------------------------------------------
    \51\ DOT OIG, ``FAA Is Taking Steps to Properly Categorize High-
Impact Information Systems but Security Risks Remain Until High 
Security Controls Are Implemented,'' (August 2, 2021), available at 
https://www.oig.dot.gov/sites/default/files/REDACTED%20Final%20Report
%20on%20FAA%20System%20Security%20Re-Categorizations.pdf
    \52\ Id.
    \53\ Id.
    \54\ Id.
    \55\ Id.
---------------------------------------------------------------------------
     LAviation Cyber Initiative (ACI). ACI is an 
interagency collaboration between FAA, the Department of 
Homeland Security (DHS), and the Department of Defense (DOD) 
that was informally established in 2016.\56\ Its objectives 
include identifying and analyzing cyber threats and 
vulnerabilities, engaging with aviation stakeholders to help 
reduce cyber risks, and seeking opportunities to improve risk 
mitigation.\57\ Its charter was finally approved in 2019, when 
10 priorities were set for 2019 and 2020. The DOT OIG found, 
however, that ACI has only implemented three of those 
priorities.\58\ In addition, according to GAO, the FAA has not 
developed mechanisms to monitor and evaluate cybersecurity 
issues that are raised in ACI coordination meetings and FAA's 
``oversight coordination activities are not supported by 
dedicated resources within'' the FAA's budget.\59\ GAO declared 
in a report it released in October 2020: ``Until FAA 
establishes a tracking mechanism for cybersecurity issues, it 
may be unable to ensure that all issues are appropriately 
addressed and resolved. Further, until it conducts an avionics 
cybersecurity risk assessment, it will not be able to 
effectively prioritize and dedicate resources to ensure that 
avionics cybersecurity risks are addressed in its oversight 
program.'' \60\ In addition, GAO found more broadly that ``FAA 
has not (1) assessed its oversight program to determine the 
priority of avionics cybersecurity risks, (2) developed an 
avionics cybersecurity training program, (3) issued guidance 
for independent cybersecurity testing, or (4) included periodic 
testing as part of its monitoring process.'' \61\
---------------------------------------------------------------------------
    \56\ DOT OIG, ``FAA and Its Partner Agencies Have Begun Work on the 
Aviation Cyber Initiative and Are Implementing Priorities,'' (September 
2, 2020), p. 1, available at https://www.oig.dot.gov/sites/default/
files/FAA%20Aviation%20Cyber%20Initiative%20Final%20Report
%5E09-02-20.pdf
    \57\ DOT Office of Inspector General, ``FAA and Its Partner 
Agencies Have Begun Work on the Aviation Cyber Initiative and Are 
Implementing Priorities,'' (September 2, 2020), p. 1, available at 
https://www.oig.dot.gov/sites/default/files/
FAA%20Aviation%20Cyber%20Initiative%20Final
%20Report%5E09-02-20.pdf; See also FAA, ``Aviation Cyber Initiative 
(ACI)'' available at https://www.faa.gov/air_traffic/technology/cas/
aci/media/documents/aci.pdf
    \58\ Id.
    \59\ GAO, ``AVIATION CYBERSECURITY: FAA Should Fully Implement Key 
Practices to Strengthen Its Oversight of Avionics Risks,'' GAO-21-86, 
(October 2020), available at https://www.gao.gov/products/gao-21-86
    \60\ Id.
    \61\ Id.

---------------------------------------------------------------------------
United States Coast Guard (Coast Guard or Service)

    The aging and underinvested status of the Coast Guard's 
cyber systems and IT infrastructure is at a crisis point as was 
highlighted during a Subcommittee on Coast Guard and Maritime 
Transportation hearing on November 16, 2021.\62\ The Coast 
Guard has historically struggled with IT modernization, and 
Commandant Karl Schultz has made it a priority in what the 
Coast Guard calls its ``Tech Revolution.'' \63\ The Tech 
Revolution road map outlines strategic goals, including 
modernizing cybersecurity and cyber resilience.\64\ Currently, 
the Coast Guard primarily operates on 1990s-era hardware and 
software, running the risk of critical failures even before its 
resilience can be challenged by cyber incidents.\65\ In 
February 2020, for instance, the Commandant stated that the 
Coast Guard's IT infrastructure was at the ``brink of 
catastrophic failure'' and highlighted the immediate need for 
$300 million in IT spending to modernize the Coast Guard's 
technological landscape.\66\
---------------------------------------------------------------------------
    \62\ House Committee on Transportation and Infrastructure, 
``Hearing: Rebuilding Coast Guard Infrastructure to Sustain and Enhance 
Mission Capability,'' (November 16, 2021), available at https://
transportation.house.gov/committee-activity/hearings/rebuilding-coast-
guard-infrastructure-to-sustain-and-enhance-mission-capability; James 
Ousman Cheek, ``Changing Tides: Appraising and Supporting the Coast 
Guard's Role In Changing Seas,'' Consortium for Ocean Leadership, 
(November 2021), available at https://oceanleadership.org/changing-
tides-appraising-and-supporting-the-coast-guards-role-in-changing-seas/
    \63\ Lauren Williams, ``As the Coast Guard wrestles with aging IT, 
cloud is a long-term conversation,'' FCW (August 2018), available at 
https://fcw.com/articles/2018/08/03/uscg-it-progress-williams.aspx
    \64\ United States Coast Guard, ``Tech Revolution: Vision for the 
Future,'' available at https://www.dcms.uscg.mil/Portals/10/CG-6/
roadmap/C5i-roadmap-FINAL-v6.pdf
    \65\ Connie Lee, ``BREAKING: Coast Guard Releases New 'Tech 
Revolution' Road Map,'' National Defense, (February 2020), available at 
https://www.nationaldefensemagazine.org/articles/2020/2/20/coast-guard-
releases-new-tech-revolution-roadmap
    \66\ Jackson Barnett, ``Coast Guard wants a `tech revolution' to 
dig itself out of IT from the '90s,'' Fed Scoop (February 2020), 
available at https://www.fedscoop.com/coast-guard-tech-revolution-
plan/.
---------------------------------------------------------------------------
    In its 2015 Cyber Strategy, the Coast Guard explained that 
in the digital age, their overall mission to ensure the safety, 
security, and stewardship of the nation's waters cannot 
effectively be met without the Coast Guard maintaining a robust 
and comprehensive cyber program.\67\ In 2021, working in close 
collaboration with DHS, DOD, government partners, foreign 
allies, and the maritime industry, the Coast Guard released its 
Cyber Strategic Outlook, an update to its cyber strategy to 
improve protection of the Marine Transportation System 
(MTS).\68\ The strategic outlook focused on three efforts: (1) 
Securing resilient information technology and operational 
technology networks to support all Coast Guard missions; (2) 
Employing frameworks, standards, and best practices in 
prevention and response activities to identify and manage cyber 
risks to the MTS; and (3) Projecting advanced cyberspace 
capabilities in and through the operating environment enabling 
the Service to fight and win across all domains.\69\
---------------------------------------------------------------------------
    \67\ Coast Guard, ``United States Coast Guard Cyber Security 
Strategy'' (June 2015), p. 10, available at https://www.dco.uscg.mil/
Portals/10/Cyber/Docs/CG_Cyber_Strategy.pdf?ver=
nejX4g9gQdBG29cX1HwFdA%3d%3d
    \68\ Coast Guard, ``United States Coast Guard Cyber Strategic 
Outlook,'' (August 2021), p. 4, available at https://www.uscg.mil/
Portals/0/Images/cyber/2021-Cyber-Strategic-Outlook.pdf
    \69\ Id. at p. 7.
---------------------------------------------------------------------------
    The MTS includes waterways, shorelines, ports, shipyards, 
facilities, bridges, and other infrastructure throughout the 
United States, facilitating $5.4 trillion of economic activity 
every year, representing about a quarter of U.S. gross domestic 
product.\70\ Over the past year, high-profile cyberattacks into 
U.S. networks have included crippling attacks on maritime 
infrastructure like the one that hit the Port of Kennewick, 
Washington, in November 2020.\71\ The port refused to pay a 
$200,000 ransom to cybercriminals who hijacked their computer 
systems cutting off emails and other IT systems.\72\ Email 
systems were restored by the end of the month, but it took 
longer to restore other compromised computer systems.\73\
---------------------------------------------------------------------------
    \70\ Id. at p. 3.
    \71\ Tri-City Areas Journal of Business, ``Cyberattack Hobbles Port 
of Kennewick,'' (December 2020), available at https://
www.tricitiesbusinessnews.com/2020/12/port-cyberattack/
    \72\ Id.
    \73\ Id.
---------------------------------------------------------------------------
    As the sector risk management agency responsible for 
protecting the MTS under DHS's designated critical 
infrastructure sectors, the Coast Guard designated its Captains 
of Port to ``lead governance by promoting cyber risk 
management, accountability, and the development and 
implementation of unified response plans.'' \74\ The Coast 
Guard also intends to ``refine cybersecurity incident reporting 
requirements and promote information sharing to improve the 
ability of owners and operators to prepare for, mitigate, and 
respond to threats to maritime critical infrastructure.'' \75\
---------------------------------------------------------------------------
    \74\ Coast Guard, ``Cyber Strategic Outlook,'' p. 7.
    \75\ Id. at p. 28.
---------------------------------------------------------------------------
    Under the 2021 Cyber Strategic Outlook, the Coast Guard 
intends to conduct offensive cyber operations to deny or 
degrade adversaries' ability to plan, fund, communicate, or 
execute their own cyber operations.\76\ To enable that 
capability, the Coast Guard seeks to establish an offensive 
Cyber Mission Team, interoperable with DOD cyber forces and 
DHS, and requested funding for continued cyber force 
development as part of its fiscal year (FY) 2022 budget 
request.\77\ Supplementing a Coast Guard Maritime Cyber 
Readiness Branch that already consists of three defensive Cyber 
Protection Teams, administrative and policy legal challenges 
remain for the Coast Guard's future cyber operations 
capability.\78\
---------------------------------------------------------------------------
    \76\ Coast Guard, ``Cyber Strategic Outlook,'' p. 32.
    \77\ Kimberly Underwood, ``Coast Guard Embarks on Cyber Offense,'' 
AFCEA, (October 2021), available at https://www.afcea.org/content/
coast-guard-embarks-cyber-offense
    \78\ Doubleday, ``Coast Guard looks to plug digital holes,'' 
Federal News Network, August 4, 2021, available at https://
federalnewsnetwork.com/cybersecurity/2021/08/coast-guard-looks-to-plug-
digital-holes-in-maritime-infrastructure-under-new-cyber-outlook/

---------------------------------------------------------------------------
Federal Emergency Management Agency (FEMA)

    In February 2021, DHS modified two existing FEMA 
Preparedness Grant programs to require recipients to spend at 
least 7.5 percent of their awards on improving their 
cybersecurity.\79\ This requirement was added to State Homeland 
Security Program (SHSP) grants, which received $415 million in 
FY 2021 , and Urban Area Security Initiative (UASI) grants, 
which received $615 million in FY 2021.\80\ State and local 
recipients of these grants can use the funding to conduct 
cybersecurity training and planning, cybersecurity risk 
assessments, and improve their critical infrastructure's 
cybersecurity.\81\ In addition, in FY 2021, when FEMA's Port 
Security Grant Program (PSGP) offered $100 million in 
assistance to state and local governments, applicants were 
slated to receive a 20 percent increase in their scores for 
addressing Cybersecurity National Priority Areas.\82\ PSGP is 
part of a broader FEMA effort to help protect transportation 
infrastructure against potential terrorist attacks.\83\
---------------------------------------------------------------------------
    \79\ FEMA Press Release, ``DHS Announces Funding Opportunity for 
$1.87 Billion in Preparedness Grants,'' February 25, 2021, available at 
https://www.fema.gov/press-release/20210225/dhs-announces-funding-
opportunity-187-billion-preparedness-grants
    \80\ Id.
    \81\ Id.
    \82\ FEMA--Port Security Grant Program Frequently Asked Questions, 
``Fiscal Year 2021 Port Security Grant Program,'' (February 25, 2021), 
available at https://www.fema.gov/sites/default/files/documents/
FEMA_FY2021-PSGP-FAQ_02-18-21.pdf
    \83\ Id.
---------------------------------------------------------------------------
Environmental Protection Agency (EPA)

    The EPA provides several cybersecurity services to state 
and local governments to help protect wastewater 
facilities.\84\ These services include an online briefing to 
help state's assess cyber risks, a cybersecurity incident 
action checklist, training and response exercises, a Water 
Sector Cybersecurity Technical Assistance Provider Program to 
train state and regional water sector technical assistance 
providers, an online Vulnerability Self-Assessment Tool, and 
tools for the development of a tabletop exercise for 
cybersecurity incidents.\85\
---------------------------------------------------------------------------
    \84\ EPA, ``EPA Cybersecurity Best Practices for the Water 
Sector,'' available at https://www.epa.gov/waterriskassessment/epa-
cybersecurity-best-practices-water-sector
    \85\ Id.

---------------------------------------------------------------------------
Transportation Security Administration (TSA)

    As a component agency of DHS since its creation in November 
2001, the TSA states its mission is to ``protect the nation's 
transportation systems to ensure freedom of movement for people 
and commerce.'' \86\ In a constantly changing threat 
environment, TSA now prepares for cyber-related events like 
physical threats, as expressed in its 2018 TSA Cybersecurity 
Roadmap.\87\ The roadmap provides the framework for how TSA can 
operate in the cyber environment, ensuring the protection of 
its data and information technology systems and ensuring the 
protection and resilience of the Transportation Systems 
Sector.\88\ In line with that framework, TSA has moved to 
mandate certain protections and incident reporting requirements 
in response to recent cyberattacks.\89\
---------------------------------------------------------------------------
    \86\ TSA, ``Mission,'' available at https://www.tsa.gov/about/tsa-
mission
    \87\ TSA, ``TSA Cybersecurity Roadmap 2018'' (November 2018), p 2, 
available at https://
www.tsa.gov/sites/default/files/documents/
tsa_cybersecurity_roadmap_adm_approved.pdf#::
text=TSA%E%2%80%99s%20mission%20responsibilities%20include%3A%20%281%29%
20
securing%20its%20own,in%20coordination%20with%20DHS%20to%20secure%20its
%20cyberspace
    \88\ Id.
    \89\ DHS, ``DHA Announces New Cybersecurity Requirements for 
Critical Pipeline Owners and Operators,'' (May 2021), available at 
https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-
requirements-critical-pipeline-owners-and-operators; see e.g., Holland 
and Knight, ``TSA's Pipeline of Cybersecurity Requirements,'' (August 
2021), available at https://
www.jdsupra.com/legalnews/tsa-s-pipeline-of-cybersecurity-5827015/
#::text=At%20a%202019
%20joint%20congressional,against%20an%20evolving%20threat%20environment
---------------------------------------------------------------------------
    In addition to addressing longstanding cybersecurity 
vulnerabilities in the nation's private pipeline system, TSA 
must also address its own cyber weaknesses that increase the 
vulnerability of the nation's pipelines. In July 2021, GAO 
highlighted that additional pipeline-related weaknesses remain 
in TSA's internal policies.\90\ These weaknesses include (1) 
incomplete information in TSA's pipeline risk assessments used 
to prioritize pipeline security reviews; and (2) aged protocols 
for responding to pipeline security incidents that TSA had not 
revised since 2010.\91\ TSA officials concurred with GAO 
recommendations in this area and anticipate updating their 
policies and guidelines over the next year.\92\ As TSA 
considers future directives mandating private sector action 
related to critical infrastructure, it is incumbent on TSA to 
maintain maximum credibility by fixing and updating its own 
cybersecurity policies and processes quickly and 
thoroughly.\93\
---------------------------------------------------------------------------
    \90\ GAO, ``TSA is Taking Steps to Address Some Pipeline Security 
Program Weaknesses,'' (July 2021), available at https://www.gao.gov/
assets/gao-21-105263.pdf
    \91\ Id.
    \92\ Id.
    \93\ See, e.g., Michael Hudson, ``What if the Threat Comes from 
Within? Federal Agencies Must Address the Risk,'' The Hill (June 2021), 
available at https://thehill.com/opinion/cybersecurity/557460-what-if-
the-threat-comes-from-within-federal-agencies-must-address
---------------------------------------------------------------------------
    In October 2021, the Department of Justice (DOJ) announced 
that DOJ may seek substantial fines on government contractors 
or companies that receive federal funds when they fail to 
follow TSA cybersecurity standards by knowingly providing 
deficient cybersecurity products or services, knowingly 
misrepresenting their cybersecurity practices or protocols, or 
knowingly violating obligations to monitor and report 
cybersecurity incidents and breaches.\94\
---------------------------------------------------------------------------
    \94\ Gevena Sands, ``TSA to impose cybersecurity on railroads and 
aviation industries,'' CNN, (October 2021), available at https://
www.cnn.com/2021/10/06/politics/tsa-cybersecurity-mandates-railroad-
aviation/index.html
---------------------------------------------------------------------------
Cybersecurity and Infrastructure Security Agency (CISA)

    The CISA is a component agency of DHS and leads national 
cybersecurity and infrastructure security efforts.\95\ CISA 
helps protect the federal government's computer networks and 
partners with stakeholders in the public and private sectors to 
help improve cybersecurity and resiliency.\96\ CISA also offers 
various services to stakeholders, including infrastructure 
assessments and analysis, information sharing between the 
public and private sector, training and exercises, and 
coordination of situational awareness and response to national 
cyber incidents.\97\
---------------------------------------------------------------------------
    \95\ Brian E. Humphreys, ``Critical Infrastructure: Emerging Trends 
and Policy Considerations for Congress,'' Congressional Research 
Service, July 8, 2019, available at https://
www.everycrsreport.com/files/
20190708_R45809_54416d7b2f43d41696e8e971832
aea5fe96a9919.pdf
    \96\ CISA web site, ``About CISA,'' available at https://
www.cisa.gov/about-cisa
    \97\ CISA Services Catalog, p. 11, available at https://
www.cisa.gov/sites/
default/files/publications/
FINAL_CISA%20Services%20Catalog%20v1.1_20201029_
508_0.pdf
---------------------------------------------------------------------------
    However, CISA's actions in some areas have been 
criticized.\98\ For instance, CISA is responsible for the 
safety, security, and resiliency of the more than 91,000 dams 
nationwide, 63 percent of which are privately owned.\99\ Dams 
are vulnerable to cybersecurity threats.\100\ In 2016, the DOJ 
charged seven hackers linked to the Iranian government with 
carrying out a coordinated large scale cyberattack against 
dozens of banks and a small dam outside New York City.\101\ In 
September 2021, the DHS OIG evaluated CISA's oversight of the 
Dams Sector and warned, ``when they fail, the effects create a 
cascade of water inundation and flooding to buildings and 
agriculture, loss of power, disruptions to transportation, and 
damage to communication lines.'' \102\ The report found that 
CISA does not manage or evaluate its Dams Sector activities, 
does not coordinate or track its own Dams Sector activities, 
does not gather or evaluate performance information on Dams 
Sector activities, does not consistently coordinate and 
effectively communicate with FEMA and other external Dams 
Sector partners and stakeholders, and has not updated 
overarching critical infrastructure plans.\103\ The agency 
concurred with the five recommendations the report made to 
improve CISA's oversight of the Dams Sector.\104\
---------------------------------------------------------------------------
    \98\ Department of Homeland Security Office of Inspector General, 
``CISA Can Improve Efforts to Ensure Dam Security and Resilience,'' 
(September 9, 2021), pp. 5-10, available at https://www.oig.dhs.gov/
sites/default/files/assets/2021-09/OIG-21-59-Sep21.pdf
    \99\ Id.
    \100\ Ryan Schoolmeesters, ``Lessons Learned From Dam Incidents and 
Failures,'' Association of State Dam Safety Officials, (Undated), 
available at https://damfailures.org/lessons-learned/site-security-is-
critical/
    \101\ ``Seven Iranians Working for Islamic Revolutionary Guard 
Corps--Affiliated Entities Charged for Conducting Coordinated Campaign 
of Cyber Attacks Against U.S. Financial Sector,'' U.S. Department of 
Justice, (March 24, 2016), available at https://www.justice.gov/opa/pr/
seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-
entities-charged
    \102\ Id.
    \103\ Department of Homeland Security Office of Inspector General, 
``CISA Can Improve Efforts to Ensure Dam Security and Resilience,'' 
(September 9, 2021), pp. 5-10, available athttps://www.oig.dhs.gov/
sites/default/files/assets/2021-09/OIG-21-59-Sep21.pdf
    \104\ Id.
---------------------------------------------------------------------------

CHRONOLOGY OF RECENT FEDERAL GOVERNMENT ACTIONS ON CYBERSECURITY

Obama Administration

     LExecutive Order (EO) 13636, Improving Critical 
Infrastructure Cybersecurity. This EO was issued by President 
Obama on February 12, 2013,\105\ and designed to improve 
critical infrastructure's ability to manage cyber risks.\106\ 
The EO sought to foster information sharing, promote the 
adoption of cybersecurity practices, and tasked the National 
Institute of Standards and Technology (NIST) with working with 
the private sector to identify voluntary standards and industry 
best practices in order to develop a voluntary Cybersecurity 
Framework whose adoption would help organizations enhance their 
cybersecurity preparedness and lower their risk of falling 
victim to cyberattacks.\107\
---------------------------------------------------------------------------
    \105\ Federal Register, ``Executive Order 12636 Improving Critical 
Infrastructure Cybersecurity,'' (February 12, 2013), available at 
https://www.federalregister.gov/documents/2013/02/19/2013-03915/
improving-critical-infrastructure-cybersecurity
    \106\ The White House (Obama Administration), ``Cybersecurity--
Executive Order 13626,'' available at https://
obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/eo-
13636
    \107\ The White House (Obama Administration), ``Executive Order--
Improving Critical Infrastructure Cybersecurity,'' (February 12, 2013), 
available at https://obamawhitehouse.archives.gov/the-press-office/
2013/02/12/executive-order-improving-critical-infrastructure-
cybersecurity
---------------------------------------------------------------------------
     LPresidential Policy Directive (PPD) 21--Critical 
Infrastructure Security and Resilience. This PPD was published 
in conjunction with EO 13636 on February 12, 2013, replaced an 
earlier PPD on critical infrastructure, and established a 
national policy on critical infrastructure security.\108\ The 
PPD directed agencies to develop a situational awareness 
capability, understand the consequences of infrastructure 
failures, mature public-private partnerships, and update the 
National Infrastructure Protection Plan.\109\
---------------------------------------------------------------------------
    \108\ CISA, ``Homeland Security Presidential Directive 7: Critical 
Infrastructure Identification, Prioritization, and Protection,'' 
available at https://www.cisa.gov/homeland-security-presidential-
directive-7; The White House (Obama Administration), ``Presidential 
Policy Directive--Critical Infrastructure and Resilience,'' (February 
12, 2013), available at https://obamawhitehouse.archives.gov/the-press-
office/2013/02/12/presidential-policy-directive-critical-
infrastructure-security-and-resil
    \109\ CISA, ``EO 13636 and PPD 21 Fact Sheet,'' (March 2013), 
available at https://www.cisa.gov/sites/default/files/publications/eo-
13636-ppd-21-fact-sheet-508.pdf

---------------------------------------------------------------------------
Trump Administration

     LEO 13800, Strengthening the Cybersecurity of 
Federal Networks and Critical Infrastructure. This EO was 
issued by President Trump on May 11, 2017 and designed to 
enhance ``the security of federal networks and critical 
infrastructure.'' \110\ Notably, the EO indicated that the 
president would hold agencies ``accountable for managing 
cybersecurity risk to their enterprises.'' \111\ It also 
empowered the DHS Secretary to serve ``as the nation's key 
coordinator for all aspects of critical infrastructure 
security, including cybersecurity.'' \112\
---------------------------------------------------------------------------
    \110\ The White House (Trump Administration), ``Presidential 
Executive Order on Strengthening the Cybersecurity of Federal Networks 
and Critical Infrastructure,'' May 11, 2017, available at https://
trumpwhitehouse.archives.gov/presidential-actions/presidential-
executive-order-
strengthening-cybersecurity-federal-networks-critical-infrastructure/
    \111\ Id.
    \112\ National Security Archive, ``President Trump's Executive 
Orders on Critical Infrastructure,'' available at https://
nsarchive.gwu.edu/briefing-book/cyber-vault/2020-10-22/president-
trumps-executive-orders-critical-infrastructure
---------------------------------------------------------------------------
     LEO 13833, Enhancing the Effectiveness of Agency 
Chief Information Officers. This EO was issued on May 15, 2018, 
by President Trump and empowered agency chief information 
officers (CIOs) by increasing their scope of authority, 
especially regarding agencies' IT management.\113\
---------------------------------------------------------------------------
    \113\ The White House (Trump Administration), ``President Donald J. 
Trump is Enhancing the Effectiveness of Agency Chief Information 
Officers,'' May 15, 2018, available at https://
trumpwhitehouse.archives.gov/briefings-statements/president-donald-j-
trump-enhancing-effectiveness-agency-chief-information-officers/
---------------------------------------------------------------------------
     LNational Maritime Cybersecurity Plan to the 
National Strategy for Maritime Security. Published in December 
2020, this plan was meant to integrate cybersecurity into the 
National Strategy for Maritime Security (NSMS).\114\ The plan 
committed to setting standards to mitigate risks in the 
maritime sector, promote information sharing, and build a cyber 
workforce.\115\ The 2020 plan followed President Trump 
designating the Maritime Transportation System (MTS) \116\ a 
``top priority'' in the 2017 National Security Strategy.\117\
---------------------------------------------------------------------------
    \114\ The White House (Trump Administration), ``National Maritime 
Cybersecurity Plan to the National Strategy for Maritime Security,'' 
(December 2020), available at https://trumpwhitehouse.archives.gov/wp-
content/uploads/2021/01/12.2.2020-National-Maritime-Cybersecurity-
Plan.pdf; Homeland Security Digital Library, ``National Maritime 
Cybersecurity Plan Released,'' (January 12, 2021), available at https:/
/www.hsdl.org/c/national-maritime-cybersecurity-plan-released/
    \115\ The White House (Trump Administration), ``National Maritime 
Cybersecurity Plan to the National Strategy for Maritime Security,'' 
(December 2020); Homeland Security Digital Library, ``National Maritime 
Cybersecurity Plan Released,'' (January 12, 2021), available at https:/
/www.hsdl.org/c/national-maritime-cybersecurity-plan-released/
    \116\ The Maritime Transportation System (MTS) includes the 
nation's waterways, ports, and land-side connectors, additional 
information available at https://www.maritime.dot.gov/outreach/
maritime-transportation-system-mts/maritime-transportation-system-mts
    \117\ The White House (Trump Administration), ``Statement from 
National Security Advisor Robert C. O'Brien Regarding the National 
Maritime Cybersecurity Plan,'' (January 5, 2021), available at https://
trumpwhitehouse.archives.gov/briefings-statements/statement-national-
security-advisor-robert-c-obrien-regarding-national-maritime-
cybersecurity-plan/
---------------------------------------------------------------------------
     LCyberspace Solarium Commission. This commission 
is a bipartisan and intergovernmental body created by the John 
S. McCain National Defense Authorization Act for Fiscal Year 
2019 with the purpose to develop a strategic approach to 
defense against significant cyberattacks.\118\ The Commission 
published its report in March 2020 and was reauthorized in the 
William M. (Mac) Thornberry National Defense Authorization Act 
for Fiscal Year 2021.\119\
---------------------------------------------------------------------------
    \118\ ``Cyberspace Solarium Commission,'' available at https://
www.solarium.gov/
    \119\ Id.

---------------------------------------------------------------------------
Biden Administration

     LIndustrial Control Systems Cybersecurity 
Initiative. This initiative, launched in April 2021, aims to 
improve the security of operational technology (OT) and 
industrial control systems (ICS) through the development and 
deployment of OT/ICS cyber monitoring technologies.\120\ The 
initiative also started a pilot program to improve 
cybersecurity of the electricity infrastructure, a ``100-Day 
plan,'' with aggressive milestones, which is led by the 
Department of Energy, in coordination with CISA.\121\
---------------------------------------------------------------------------
    \120\ Department of Energy, ``Progress Report: 100 Days of the 
Biden Administration's Industrial Control Systems (ICS) Cybersecurity 
Initiative and Electricity Subsector Action Plan,'' (August 16, 2021), 
available at https://www.energy.gov/articles/progress-report-100-days-
biden-administrations-industrial-control-systems-ics
    \121\ Id.
---------------------------------------------------------------------------
     LCybersecurity Sprints. CISA began a series of 
cybersecurity-focused ``60-day sprints'' in April 2021, the 
first focused on ransomware, with the following sprints focused 
on the cybersecurity workforce, ICS resilience, transportation 
security, election security, and international 
partnerships.\122\ The sprints aim to remove roadblocks, 
elevate existing cybersecurity efforts, and launch new efforts, 
with the first sprint on ransomware to include an awareness 
campaign and engagement with industry.\123\ The 60-day sprints 
and the 100-day plan are part of the Biden Administration's 
increased focus on cybersecurity issues.\124\
---------------------------------------------------------------------------
    \122\ Justin Katz, ``Mayorkas announces cyber `sprints' on 
ransomware, ICS, workforce,'' (March 31, 2021), available at https://
fcw.com/articles/2021/03/31/mayorkas-cyber-sprints-speech.aspx; Jory 
Heckman, ``DHS launching 60-day sprints ahead of upcoming executive 
order,'' (March 31, 2021), available at https://federalnewsnetwork.com/
cybersecurity/2021/03/dhs-launching-60-day-cyber-sprints-ahead-of-
upcoming-executive-order/
    \123\ DHS, ``Secretary Mayorkas Outlines His Vision for 
Cybersecurity Resilience,'' (March 31, 2021), available at https://
www.dhs.gov/news/2021/03/31/secretary-mayorkas-outlines-his-vision-
cybersecurity-resilience
    \124\ Id.
---------------------------------------------------------------------------
     LEO 14028, Improving the Nation's Cybersecurity. 
This EO was issued by President Biden on May 12, 2021,\125\ and 
is intended to improve cybersecurity by modernizing the defense 
of federal networks by moving to secure cloud services and a 
zero-trust architecture, improving information sharing by 
removing contractual barriers, and strengthening response 
capabilities.\126\ It also calls for the creation of a 
Cybersecurity Safety Review Board, modeled after the National 
Transportation Safety Board, that would examine significant 
cybersecurity incidents in order to help apply lessons learned 
from these incidents and improve the nation's cybersecurity 
defenses.\127\
---------------------------------------------------------------------------
    \125\ Federal Register, ``Executive Order 14028 Improving the 
Nation's Cybersecurity,'' (May 12, 2021), available at https://
www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-
nations-cybersecurity
    \126\ The White House, ``Fact Sheet: President Signs Executive 
Order Charting New Course to Improve the Nation's Cybersecurity and 
Protect Federal Government Networks,'' (May 12, 2021), available at 
https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/
12/fact-
sheet-president-signs-executive-order-charting-new-course-to-improve-
the-nations-cybersecurity-and-protect-federal-government-networks/
    \127\ Id.
---------------------------------------------------------------------------
     LTSA emergency security directives for the 
pipeline industry. TSA issued two emergency security directives 
due to the May 2021 Colonial Pipeline ransomware attack.\128\ 
The first, issued in May 2021, required pipeline companies to 
report cyber incidents to TSA and CISA, both part of DHS, and 
to name a cybersecurity point person; the second directive, 
issued in July 2021, required companies to develop an incident 
response plan for potential cyberattacks and implement specific 
mitigation measures to protect against ransomware attacks.\129\
---------------------------------------------------------------------------
    \128\ Ellen Nakashima, ``TSA to impose cybersecurity mandates on 
major rail and subway systems,'' The Washington Post, (October 6, 
2021), available at https://www.washingtonpost.com/national-security/
rail-cybersecurity-dhs-regulations/2021/10/06/b3db07da-2620-11ec-8831-
a31e7b3de188_story.html
    \129\ Ellen Nakashima and Lori Aratani, ``DHS to issue first 
cybersecurity regulations for pipelines after Colonial hack,'' The 
Washington Post, (May 25, 2021), available at https://
www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-
cybersecurity/; See also: DHS Press Release, ``DHS Announces New 
Cybersecurity Requirements for Critical Pipeline Owners and 
Operators,'' July 20, 2021, available at https://www.dhs.gov/news/2021/
07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-
owners-and-operators
---------------------------------------------------------------------------
     LNational Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems. This 
memorandum was issued by President Biden on July 28, 2021,\130\ 
and directed CISA and NIST to develop cybersecurity performance 
goals \131\ and formally established the ``Industrial Control 
Systems Cybersecurity Initiative.'' \132\ The Initiative is a 
voluntary and collaborative effort between federal partners and 
critical infrastructure owners and operators to improve 
collaboration and increase the use of new cybersecurity 
technologies.\133\ The Initiative was first launched earlier in 
April 2021 (see above) with the pilot program focused on the 
electricity subsector, with initiatives focused on the water 
and wastewater sector and the chemical sector to follow.\134\
---------------------------------------------------------------------------
    \130\ The White House, ``Background Press Call on Improving 
Cybersecurity of U.S. Critical Infrastructure,'' (July 28, 2021), 
available at https://www.whitehouse.gov/briefing-room/press-briefings/
2021/07/28/background-press-call-on-improving-cybersecurity-of-u-s-
critical-infrastructure/
    \131\ NIST, ``White House National Security Memo Issued: NIST & DHS 
Developing Cybersecurity Performance Goals for Critical Infrastructure 
Control Systems,'' (July 29, 2021), available at https://www.nist.gov/
news-events/news/2021/07/white-house-national-security-memo-issued-
nist-dhs-developing-cybersecurity
    \132\ The White House, ``Background Press Call on Improving 
Cybersecurity of U.S. Critical Infrastructure.''
    \133\ The White House, ``National Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems,'' (July 28, 
2021), available at https://www.whitehouse.gov/briefing-room/
statements-releases/2021/07/28/national-security-memorandum-on-
improving-cybersecurity-for-critical-infrastructure-control-systems/
    \134\ Id.
---------------------------------------------------------------------------
     LIn October 2021, TSA announced plans for an 
additional directive to address cybersecurity in the rail and 
aviation sectors.\135\ Reportedly, TSA will require higher-risk 
railroad and rail transit entities to report cyber incidents to 
the federal government, identify cybersecurity point persons, 
and put together contingency and recovery plans in case they 
become victims of cyberattacks.\136\ For the airline industry, 
TSA will reportedly require critical U.S. airport operators, 
passenger aircraft operators, and all-cargo aircraft operators 
to designate cybersecurity coordinators and report cyber 
incidents to CISA.\137\
---------------------------------------------------------------------------
    \135\ Ellen Nakashima, ``TSA to impose cybersecurity mandates on 
major rail and subway systems,'' The Washington Post.
    \136\ Id.
    \137\ Maggie Miller, ``TSA to issue regulations to secure rail, 
aviation groups against cyber threats,'' The Hill, (October 6, 2021), 
available at https://thehill.com/policy/cybersecurity/575580-tsa-to-
issue-regulations-to-secure-rail-aviation-groups-against-cyber
---------------------------------------------------------------------------
     LThe recently enacted bipartisan Infrastructure 
Investment and Jobs Act, (P.L. 117-58) provides approximately 
$2 billion ``to modernize and secure federal, state, and local 
IT and networks; protect critical infrastructure and utilities 
and support public or private entities as they respond to and 
recover from significant cyberattacks and breaches.'' \138\
---------------------------------------------------------------------------
    \138\ Public Law No. 117-58; Infrastructure Investment and Jobs 
Act, Congress.gov; White House Fact Sheet, ``Top 10 Programs in the 
Bipartisan Infrastructure Investment and Jobs Act That You May Not Have 
Heard About,'' (August 3, 2021), available at https://
www.whitehouse.gov/briefing-room/statements-releases/2021/08/03/fact-
sheet-top-10-programs-in-the-bipartisan-infrastructure-investment-and-
jobs-act-that-you-may-not-have-heard-about/
---------------------------------------------------------------------------

                              WITNESS LIST

     LMr. Cordell Schachter, Chief Information Officer 
(CIO), Department of Transportation (DOT)
     LMr. Larry Grossman, Chief Information Security 
Officer (CISO), Federal Aviation Administration (FAA)
     LMs. Victoria Newhouse, Deputy Assistant 
Administrator for Policy, Plans, and Engagement, Transportation 
Security Administration (TSA)
     LRear Admiral John W. Mauger, Assistant Commandant 
for Prevention Policy (CG-5P), U.S. Coast Guard (USCG)
     LMr. Kevin Dorsey, Assistant Inspector General for 
Information Technology Audits, Office of Inspector General 
(OIG), Department of Transportation (DOT)
     LMr. Nick Marinos, Director, Information 
Technology and Cybersecurity, Government Accountability Office 
(GAO)
    Mr. DeFazio. The committee will come to order.
    I ask unanimous consent that the chair be authorized to 
declare a recess at any time during today's hearing.
    Without objection, so ordered.
    As a reminder, please keep your microphone muted, unless 
speaking. Should I hear any inadvertent background noise, I 
will request the Member please mute their microphone.
    To insert a document into the record, please email it to 
[email protected].
    I am going to abbreviate my opening statement. I will put 
the full statement in the record, given the fact that you 
probably can't hardly understand me, and I am having trouble.
    This is the second hearing. The last hearing was industry 
stakeholders, and we heard distressing and serious gaps, 
shortages of cyber personnel, a lack of even the most basic 
cyber hygiene practices, and a consensus among our witnesses 
that the Federal Government needed to help the private sector, 
which owns and operates 85 percent of the Nation's critical 
infrastructure, to defend itself from and respond to attacks.
    The bill, H.R. 3684, will provide funding at the local, 
State, and Federal level to enhance the Nation's cyber 
resilience and response to cybersecurity incidents. It improves 
the National Highway System and other public transportation 
systems' cybersecurity preparedness capabilities, and it 
empowers the newly established Office of the National Cyber 
Director, the President's principal adviser on cybersecurity 
policy and strategy, to identify cybersecurity incidents and 
coordinate a Federal response. Those are noteworthy steps, but 
there is more to do.
    Today we will hear from the Federal agencies responsible 
for transportation and other critical infrastructure, and their 
efforts to help private industry.
    We have, for the most part, relied upon a voluntary 
approach to protecting assets, choosing not to mandate 
standards for cybersecurity audits or exercises. In contrast, 
in other areas where private sector assets have the potential 
to cause significant harm, the Government has established very 
robust requirements--that would be nuclear power, aviation, 
drinking water, wastewater, and others--to make them safer and 
more resilient.
    But many of these industries relate to other critical 
industries, the private sector, and voluntary cooperation 
sometimes isn't enough. You have to spend a bunch of money on 
cybersecurity.
    The leeches on Wall Street are going to say, ``Hey, why are 
you spending all that money on cybersecurity? It is driving 
down your stock price. We want to see you just, you know, put 
the money in the bank.'' So there needs to be a little nudging 
here.
    And then, of course, the cost of the incident far exceeds 
the investment they should have and would have made to prevent 
that incident, absent an absolutely catastrophic incident, but 
more basic incidents or ransomware, and all these other things 
that are rather routine.
    So, I don't think that implementing basic cybersecurity 
standards, reporting requirements, and cybersecurity awareness 
training should be voluntary. It should be required. And public 
safety and the Nation's security depend upon these steps.
    In the wake of the Colonial Pipeline cyberattack, the 
Transportation Security Administration mandated specific 
cybersecurity protections for pipelines to defend against 
ransomware and other attacks. Colonial had turned down a 
comprehensive audit before the event, which might have helped 
prevent the event. But it was voluntary, so they said no, 
thanks, we don't want to know about our vulnerabilities.
    Last week, TSA issued basic cybersecurity enhancements for 
the aviation sector that will go into effect early next year, 
and I understand TSA intends to issue a security directive for 
passenger rail, high-risk freight rail, and the transit sector 
as early as today or this week. So, this is an appropriate time 
for this hearing.
    Both the GAO and the Department of Transportation's Office 
of Inspector General, who we will hear from today, have made 
thousands of recommendations related to cybersecurity 
weaknesses at Federal agencies. Many of these recommendations 
remain unaddressed. Some of their more alarming findings find 
DOT's failure to implement a cybersecurity risk management 
strategy and weaknesses in FAA's approach to cybersecurity for 
avionics systems in commercial aircraft.
    Similarly, the DOT IG has uncovered a range of 
cybersecurity deficiencies and deemed information security one 
of the Department's top management challenges. The OIG has 
found evidence of inconsistent software updates, lax 
enforcement of Federal cybersecurity requirements, and IT 
systems at DOT that are vulnerable to exploitation by hostile 
actors.
    I look forward to hearing from our expert witnesses today 
on the best mitigation and potential solutions, so that we can 
look forward.
    With that I recognize the ranking member, who hopefully has 
better control of his voice.
    [Mr. DeFazio's prepared statement follows:]

                                 
   Prepared Statement of Hon. Peter A. DeFazio, a Representative in 
      Congress from the State of Oregon, and Chair, Committee on 
                   Transportation and Infrastructure
    Last month, we heard from industry stakeholders and cybersecurity 
experts on the challenges they face in protecting our nation's 
transportation systems and critical infrastructure from cyberattacks. 
The testimony was troubling. Witnesses discussed serious gaps such as 
shortages of cybersecurity personnel and a lack of basic cyber hygiene 
practices. Notably, there was a consensus among our witnesses that 
more--not less--federal action is needed to help the private sector, 
which owns and operates an estimated 85 percent of the nation's 
critical infrastructure, defend itself from, respond to, and recover 
from cyberattacks.
    Since our November hearing, Congress passed with bipartisan support 
and the president signed H.R. 3684, the Infrastructure Investment and 
Jobs Act. Along with other vital investments in our nation's 
infrastructure, this bill takes significant steps toward improving the 
cybersecurity of our nation's critical infrastructure. It provides 
funding at the local, state, and federal level to enhance the nation's 
cyber resilience and response to cybersecurity incidents, it improves 
the national highway system and other public transportation systems' 
cybersecurity preparedness capabilities, and it empowers the newly 
established Office of the National Cyber Director, the president's 
principal advisor on cybersecurity policy and strategy, to identify 
cybersecurity incidents and coordinate a federal response. These steps 
are noteworthy, but there is much more to do.
    Today, we will hear from the federal agencies who are responsible 
for transportation systems and other critical infrastructure sectors 
about their efforts to help private industry address these 
cybersecurity gaps, as well as the challenges these agencies face 
themselves in protecting the government's own networks from 
cyberattacks.
    In the cybersecurity realm, the federal government has largely 
permitted the private sector to take a ``voluntary'' approach to 
protecting their assets, choosing not to mandate cybersecurity 
standards, cyber audits, or cybersecurity exercises. In contrast, in 
other areas where private sector assets have the potential to cause 
significant harm, the government has established requirements to 
protect the public.
    For example, nuclear power plants are subject to strict federal 
mandates on their operation. Commercial airlines must comply with 
federal reporting requirements regarding runway incursions and other 
safety-related mishaps. Drinking water utilities must report to the 
federal government if they detect spikes in lead or other dangerous 
chemicals that can harm the public. These requirements have not 
undermined these industries. In fact, they have made them stronger, 
safer, and more resilient.
    Yet, when it comes to intrusions into the networks of a critical 
infrastructure entity, an intrusion that could damage critical 
components of an airplane, a train, an oil or gas pipeline, or a port 
facility, if that network belongs to a private company, up until now, 
the federal government has merely asked for ``voluntary'' cooperation. 
As we learned at our last hearing, an astounding 30 percent of public 
transit agencies failed to report known breaches to anyone. I expect 
the statistics in the private sector are far worse. In addition, the 
short-term financial implications of making a cyber breach public, 
possibly affecting a company's economic bottom line or shrinking a 
CEO's bonus, inhibits cybersecurity transparency, masking known 
vulnerabilities that should be quickly corrected.
    Implementing basic cybersecurity standards, reporting requirements, 
and cybersecurity awareness training should not be voluntary--they 
should be required. The public's safety and the nation's security 
depend on these systems. While no single change can prevent every 
cyberattack, we need to raise the bar significantly and make 
cyberattacks on our systems much more difficult to accomplish.
    The Biden administration has taken notable steps to address these 
issues holistically. They have issued orders and memoranda to encourage 
infrastructure owners and operators to increase their cybersecurity 
investments to minimize threats to all critical infrastructure sectors. 
In the wake of the Colonial Pipeline cyberattack, the Transportation 
Security Administration mandated specific cybersecurity protections for 
pipelines to defend against ransomware and other attacks, along with 
contingency and recovery plans. Last week, TSA issued basic 
cybersecurity enhancements for the aviation sector that will go into 
effect early next year and I understand TSA intends to issue a security 
directive for passenger rail, high-risk freight rail, and the transit 
sector as early as today. So, we appear to have scheduled this hearing 
quite well. In addition, last month, the Cybersecurity and 
Infrastructure Security Agency issued a binding directive that ordered 
federal agencies to fix known software and hardware vulnerabilities in 
their computer networks within six months. For those that care about 
the public's safety and the nation's economic and national security, 
these efforts--in both the public and private sectors--should not be 
controversial. They should be welcomed and supported.
    Both the Government Accountability Office (GAO) and the Department 
of Transportation's Office of Inspector General (DOT OIG)--whom we will 
hear from today--have made thousands--literally thousands--of 
recommendations related to cybersecurity weaknesses at federal 
agencies. Many of these recommendations remain unaddressed.
    Some of GAO's more alarming findings include DOT's failure to 
implement a cybersecurity risk management strategy and weaknesses in 
FAA's approach to cybersecurity for avionics systems in commercial 
aircraft.
    Similarly, the DOT OIG has uncovered a range of cybersecurity 
deficiencies and deemed information security one of the department's 
top management challenges. The OIG has found, among other things, 
evidence of inconsistent software updates, lax enforcement of federal 
cybersecurity requirements, and IT systems at DOT that are vulnerable 
to exploitation by hostile actors.
    I look forward to hearing from our government witnesses today. I 
expect them to explain the steps they are taking to address the 
cybersecurity issues that have plagued them for far too long and update 
us on the status of their efforts to work with private industry to 
address the cybersecurity threats that endanger us all. As our 
transportation systems and critical infrastructure assets--both public 
and private--evolve, we become more efficient and connected than ever, 
but we also create new opportunities for cyber villains. To improve our 
resiliency to these threats, we must work together and address them in 
a holistic manner.
    With that, I recognize Ranking Member Graves for his opening 
statement.

    Mr. Graves of Missouri. Thank you, Mr. Chairman.
    Before I give my statement, I do want to acknowledge your 
announcement that you are not going to be seeking reelection 
next term, and I want to commend you for your long and 
distinguished career, serving over three decades in the House 
of Representatives. I think that says a lot.
    I have no doubt that you are going to finish out your term, 
and you are going to work just as hard as ever on behalf of 
your district and your constituents.
    And I also believe that you and I agree that the Committee 
on Transportation and Infrastructure is one of the best and 
most important committees in Congress. And I know you will 
continue to work diligently to address the vital issues before 
this committee in the coming months.
    I do wish you and your family all the best in your 
retirement.
    Turning to today's hearing, we will continue an examination 
on cybersecurity challenges for the transportation and 
infrastructure sectors.
    During our first hearing on this topic in November, we 
heard from the perspective of owners and operators of these 
critical assets about the steps that they have taken to improve 
their cybersecurity posture, the threats and risks that they 
still face, and the effectiveness of the Federal Government's 
cyber activities.
    Now we will hear testimony from some of those Federal 
agencies themselves and learn how they are providing support to 
transportation and infrastructure operators in boosting their 
cybersecurity preparedness and response capabilities.
    Stakeholders have expressed concerns about aspects of those 
Federal programs--for instance, the recent security directives 
from the TSA--and I hope we can get some answers on how to 
improve their implementation.
    We also will hear today about how Federal agencies are 
protecting their own systems, their own data, and 
infrastructure from ever-changing cyber threats. I look forward 
to hearing from our witness panel about the cyber challenges 
that they have identified and examined for the Federal agencies 
under the committee's jurisdiction, as well as receive updates 
from those agencies on how they are rising to meet these 
challenges.
    And I appreciate our witnesses joining us today and 
discussing how operators and Federal agencies can work 
collaboratively to improve the cybersecurity of our Nation's 
most critical transportation systems and infrastructure.
    So, with that, I would yield back, and I look forward to 
it.
    [Mr. Graves of Missouri's prepared statement follows:]

                                 
  Prepared Statement of Hon. Sam Graves, a Representative in Congress 
     from the State of Missouri, and Ranking Member, Committee on 
                   Transportation and Infrastructure
    Thank you, Chair DeFazio.
    For today's hearing, we will continue our examination of 
cybersecurity challenges for the transportation and infrastructure 
sectors. During our first hearing on this topic in November, we heard 
from the perspective of owners and operators of these critical assets 
about the steps they have taken to improve their cybersecurity posture, 
the threats and risks they still face, and the effectiveness of federal 
government cyber activities.
    Now we will hear testimony from some of those federal agencies 
themselves and learn how they are providing support to transportation 
and infrastructure operators in boosting their cybersecurity 
preparedness and response capabilities.
    Stakeholders have expressed concerns about aspects of these federal 
programs--for instance, the recent security directives from the TSA--
and I hope we can get some answers on how to improve their 
implementation.
    We will also hear today about how federal agencies are protecting 
their own systems, data, and infrastructure from ever-changing cyber 
threats. I look forward to hearing from our witness panel about the 
cyber challenges they've identified and examined for the federal 
agencies under the Committee's jurisdiction, as well as receive updates 
from those agencies on how they are rising to meet these challenges.
    I appreciate our witnesses joining us today and discussing how 
operators and federal agencies can work collaboratively to improve the 
cybersecurity of our nation's most critical transportation systems and 
infrastructure.

    Mr. DeFazio. [Addressing technical difficulties off the 
record.]
    Oh, thanks for the kind words, Sam. I know that the 
committee will continue its great work, between your leadership 
and others on the committee.
    With that I would like to move to recognizing the witnesses 
here today.
    The first is Mr. Cordell Schachter, Chief Information 
Officer, DOT; Mr. Larry Grossman, Chief Information Security 
Officer, Federal Aviation Administration; Ms. Victoria 
Newhouse, Deputy Assistant Administrator for Policy, Plans, and 
Engagement, Transportation Security Administration; Rear 
Admiral John W. Mauger, Assistant Commandant for Prevention 
Policy, United States Coast Guard; Mr. Kevin Dorsey, Assistant 
Inspector General for Information Technology Audits, Office of 
Inspector General, Department of Transportation; and Mr. Nick 
Marinos, Director, Information Technology and Cybersecurity at 
the GAO.
    With that, I would first recognize Mr. Schachter for 5 
minutes.
    Mr. Schachter?

TESTIMONY OF CORDELL SCHACHTER, CHIEF INFORMATION OFFICER, U.S. 
DEPARTMENT OF TRANSPORTATION; LARRY GROSSMAN, CHIEF INFORMATION 
  SECURITY OFFICER, FEDERAL AVIATION ADMINISTRATION; VICTORIA 
NEWHOUSE, DEPUTY ASSISTANT ADMINISTRATOR FOR POLICY, PLANS, AND 
   ENGAGEMENT, TRANSPORTATION SECURITY ADMINISTRATION, U.S. 
 DEPARTMENT OF HOMELAND SECURITY; REAR ADMIRAL JOHN W. MAUGER, 
 ASSISTANT COMMANDANT FOR PREVENTION POLICY, U.S. COAST GUARD; 
   KEVIN DORSEY, ASSISTANT INSPECTOR GENERAL FOR INFORMATION 
TECHNOLOGY AUDITS, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT 
  OF TRANSPORTATION; AND NICK MARINOS, DIRECTOR, INFORMATION 
 TECHNOLOGY AND CYBERSECURITY, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Schachter. Good morning, Chair DeFazio, Ranking Member 
Graves, and members of the committee. Thank you for the 
opportunity to testify before you today, and for your support 
of the Department of Transportation.
    I am Cordell Schachter, Chief Information Officer. I am 
honored to be here with FAA Chief Information Security Officer 
Larry Grossman, U.S. DOT Office of Inspector General Assistant 
Inspector General for IT Audits Kevin Dorsey, and officials 
from the U.S. Coast Guard, the Transportation Security 
Administration, and the Government Accountability Office.
    I was appointed U.S. DOT's chief information officer on 
August 30th of this year. My testimony today is based on my 
observations and review of DOT records during my 3 months in 
this position. My testimony is also informed by my 26 years of 
service as a local government official in New York City, 13 
years of that service as chief technology officer and CIO of 
New York City's department of transportation.
    In between two tours of New York City government service, I 
worked 9 years for several multinational technology companies. 
I have also taught master's level courses in civic technology 
at New York University in New York City, and at St. Peter's 
University in Jersey City, New Jersey.
    I believe U.S. DOT's cybersecurity program has improved the 
Department's information security posture, and we are on a path 
for continual improvement, according to Government best 
practices. U.S. DOT's executive ranks have many positions 
filled by professionals with the knowledge and the expertise of 
providing service directly to the public. This begins with 
Secretary Pete Buttigieg, Deputy Secretary Polly Trottenberg, 
and the leaders of many of our operating administrations or 
modes.
    They have also held key elected and appointed leadership 
positions in cities and States solving problems, protecting 
citizens, and improving the quality of life of their 
constituents.
    We now have before us one of the greatest opportunities to 
improve the quality of life for all Americans. We look forward 
to partnering with Congress and our sister Federal agencies to 
implement the landmark bipartisan infrastructure law.
    On the same day that President Biden signed the law, he 
executed an Executive order to ensure, among other priorities, 
increased coordination across the public sector to implement it 
effectively. We commit to that goal. Our executive leadership 
teams' experience includes making improvements to systems while 
they continue to operate. Similarly, we will continue to 
improve our existing systems to make them more cyber secure 
while they continue to operate, so that they resiliently 
support DOT's operations and the American people.
    I want to transparently acknowledge that we have multiple 
open audit findings from previous OIG and GAO cybersecurity 
audits. We respect and take seriously their assessments. I have 
designated cybersecurity improvement as the top priority for 
DOT's information technology organization, the Office of the 
Chief Information Officer. We have begun a series of cyber 
sprints to complete tasks and make plans to meet our Federal 
cybersecurity requirements, and implement best practices, 
including those from President Biden's Executive order for 
improving the Nation's cybersecurity.
    The cyber sprints prioritize three areas: system access 
control; website security; and improved governance, oversight, 
and coordination across DOT. These priority activities address 
OIG and GAO findings.
    DOT is actively working to meet its responsibilities to 
securely improve the Department's information technology 
infrastructure, while implementing our portions of the 
bipartisan infrastructure law.
    We will also meet the challenge of continuously improving 
the cybersecurity of DOT information technology systems, while 
keeping those systems available for use.
    We look forward to working with this committee, our agency 
partners, and the White House to strengthen and protect our 
infrastructure and systems.
    Thank you again for this opportunity to testify. I will be 
happy to answer your questions.
    [Mr. Schachter's prepared statement follows:]

                                 
  Prepared Statement of Cordell Schachter, Chief Information Officer, 
                   U.S. Department of Transportation
    Chair DeFazio, Ranking Member Graves, and Members of the Committee, 
thank you for the opportunity to testify before you today, and for your 
support of the Department of Transportation (DOT). I am honored to be 
here with Federal Aviation Administration (FAA) Chief Information 
Security Officer Larry Grossman, US DOT Office of Inspector General 
(OIG) Assistant Inspector General for IT Audits, Kevin Dorsey, and 
officials from the US Coast Guard, the Transportation Security 
Administration, and the U.S. Government Accountability Office (GAO).
    I was appointed US DOT's Chief Information Officer, or CIO on 
August 30th of this year. My testimony today is based on my 
observations and review of DOT records during my 3 months in this 
position. My testimony is also informed by my 26 years of service as a 
local government official in New York City (NYC), 13 years of that 
service as Chief Technology Officer and CIO of New York City's 
Department of Transportation. In between 2 tours of NYC government 
service, I worked 9 years for several multi-national technology 
companies. I have also taught masters level courses in civic technology 
at New York University in NYC and at Saint Peter's University in Jersey 
City, New Jersey. I believe US DOT's cyber security program has 
improved the department's information security posture and we're on a 
path for continual improvement according to government best practices.
    US DOT's executive ranks have many positions filled by 
professionals with the knowledge and the experience of providing 
service directly to the public. This begins with Secretary Pete 
Buttigieg, Deputy Secretary Polly Trottenberg, and the leaders of many 
of our Operating Administrations or modes. They have also held key 
elected and appointed leadership positions in cities and states solving 
problems, protecting citizens, and improving the quality of life of 
their constituents. We now have before us one of the greatest 
opportunities to improve the quality of life for all Americans. We look 
forward to partnering with Congress and our sister federal agencies to 
implement the landmark Bipartisan Infrastructure Law. In fact, on the 
same day that President Biden signed the Law, he executed an Executive 
Order to ensure--among other priorities--increased coordination across 
the public sector to implement it effectively.
    Our executive leadership team's experience includes making 
improvements to systems while they continue to operate. Similarly, 
we'll continue to improve our existing systems to make them more 
secure, while they continue to operate, so that they resiliently 
support DOT's operations and the American people.
    I want to transparently acknowledge that we have multiple open 
findings from previous OIG and GAO cybersecurity audits. I have 
designated cyber security improvement as the top priority for DOT's 
Information Technology organization, the Office of the Chief 
Information Officer.
    We have begun a series of ``cyber sprints'' that will establish 
Plans of Action and Milestones to meet our federal cyber security 
requirements and implement best practices, including those from 
President Biden's Executive Order 14028 Improving the Nation's 
Cybersecurity; the Federal Information Technology Acquisition Reform 
Act (FITARA); the Federal Information Security Management Act (FISMA); 
Office of Management and Budget (OMB) memoranda; the National Institute 
for Standards and Technology (NIST) Cybersecurity Framework; and 
inspector general and GAO findings.
    DOT is actively working to meet its responsibilities to securely 
improve the Department's information technology infrastructure while 
implementing our portions of the Bipartisan Infrastructure Law. We will 
also meet the challenge of continuously improving the cybersecurity of 
DOT information technology systems while keeping those systems 
available for use. We look forward to working with this Committee, our 
agency partners, and the White House to strengthen and protect our 
infrastructure and systems. Thank you again for the opportunity to 
testify. I will be happy to answer your questions.

    Mr. DeFazio. Thank you, Mr. Schachter, for doing it exactly 
in 5 minutes. I appreciate that. We will now move on to Mr. 
Larry Grossman.
    Mr. Grossman?
    Mr. Grossman. Good morning. From air traffic control, to 
the largest airliner, or the lightest drone, connectivity is 
the way of the future in aerospace. It is also why we have to 
constantly raise the bar when it comes to cybersecurity.
    Chair DeFazio, Ranking Member Graves, members of the 
committee, cyber threats are an ongoing concern, and our 
increasing reliance on highly integrated and interdependent 
computers and networks is cause for vigilance at all levels of 
the aviation industry. This is especially true at FAA, where we 
are responsible for operating the Nation's air traffic control 
system, and overseeing design, manufacture, and testing of 
aircraft and systems, including avionics, and also for me 
personally, as a pilot, a flight instructor, and an aircraft 
owner.
    But I am here today to discuss the FAA's approach to 
cybersecurity within our agency for those we regulate, and for 
the aerospace community at large.
    I want to start by noting the importance of this 
administration's recent Executive order on improving the 
Nation's cybersecurity, and I want to thank Congress for the 
continuing guidance and direction over many years.
    The FAA's efforts to address cyber challenges have 
benefited from your oversight and the cooperative efforts with 
other executive branch agencies.
    We appreciate all input as we continually strive to make 
our airspace system safer and more efficient. You have heard 
Administrator Dickson say it before, and I will repeat it here 
again: Safety is a journey, not a destination.
    The same is true of cybersecurity. What we do today will 
not be good enough for tomorrow or the day after. We are always 
striving to improve. We are constantly updating and evolving 
FAA cybersecurity strategy we put into action through the 
cross-agency Cybersecurity Steering Committee. The strategy 
includes protecting and defending FAA networks and systems, 
enhancing our risk management capabilities, building and 
maintaining workforce capabilities, and engaging with external 
partners.
    We defend our air traffic control and other networks by 
using separate and distinct security perimeters and controls 
that are the responsibility of the FAA chief information 
security officer and FAA chief information officer.
    To assess cyber threats and vulnerabilities to our 
networks, we have developed the cyber test facility at our 
William J. Hughes Technical Center, where we also conduct 
testing and evaluation. We ensure cyber resilience in connected 
aircraft through risk assessments during initial certification 
process, or any time there is a change to a previous design 
certification. When existing regulations will not provide 
adequate protection, we issue special conditions.
    Throughout an aircraft's life, operators must track 
cybersecurity issues in much the same way that they do for all 
other issues, using data-driven methodologies. That allows 
operators in the FAA to make informed risk management 
decisions. Smart decisions require a talented and dedicated 
cyber workforce, and we continue to invest in our people.
    Congress recognized the importance of this effort, and in 
2018 asked the FAA to enter into an agreement with the National 
Academy of Sciences to conduct the cybersecurity workforce 
study. The results of that study, which we received in June, 
made it clear that there is more work to do, although I will 
say that many of the recommendations are consistent with FAA 
cybersecurity strategic objectives, and many others align with 
broader, ongoing FAA workforce development and recruitment 
efforts.
    And finally, one of the major components of our strategy is 
to build and maintain relationships and trust with our external 
partners. This is critical for defending and reacting and 
recovering from a cyberattack. It is why we are a lead agency 
on the Aviation Cyber Initiative interagency task force with 
DHS and DoD. It is why we work collectively to identify and 
address cybersecurity risks in the aviation ecosystem. The 
ecosystem includes stakeholders ranging from airport 
authorities to manufacturers.
    As technology of the aviation ecosystem evolves, we expect 
that cybersecurity will continue to be a growing challenge and 
a significant component of aviation safety and aerospace 
efficiency. We are prepared for this challenge and look forward 
to keeping Congress and this committee informed on our 
progress.
    I will be happy to answer any questions that you may have.
    [Mr. Grossman's prepared statement follows:]

                                 
   Prepared Statement of Larry Grossman, Chief Information Security 
                Officer, Federal Aviation Administration
    Good morning Chair DeFazio, Ranking Member Graves, and Members of 
the Committee:
    Thank you for the opportunity to be here with you today to discuss 
the Federal Aviation Administration's (FAA) approach to cybersecurity, 
both in terms of how the FAA addresses cybersecurity matters internally 
and how the FAA interacts with the aviation community on cybersecurity 
matters.
    The core and continuing mission of the FAA is to provide the safest 
and most efficient aerospace system in the world. Technology has 
contributed greatly to the safety and efficiency of the national 
airspace system (NAS). It has also resulted in highly integrated and 
increasingly interdependent computers and networks supporting the 
aviation community. Cyber-based threats have made the integration of 
cybersecurity protections into all aspects of the FAA's mission 
increasingly important. This Administration has recognized the growing 
importance of cybersecurity. President Biden's Executive Order 14028, 
``Improving the Nation's Cybersecurity'', is a sweeping directive that 
addresses cyber threat information sharing, cybersecurity 
modernization, software supply chain security, identifying and 
remediating cyber vulnerabilities, and incident response.\1\ This 
executive order will drive many elements of FAA's strategic cyber 
initiatives across both the agency's IT infrastructure as well as the 
infrastructure of the NAS.
---------------------------------------------------------------------------
    \1\ https://www.federalregister.gov/documents/2021/05/17/2021-
10460/improving-the-nations-cybersecurity.
---------------------------------------------------------------------------
               FAA's Cybersecurity Structure and Strategy
    To achieve its mission, the FAA is dependent on information 
systems, and operates these systems in three separate domains: the NAS 
Domain, operated by FAA's Air Traffic Organization (ATO), the Mission 
Support Domain, operated by FAA's Office of Finance and Management 
(AFN), and the Research and Development Domain, operated by FAA's 
Office of NextGen (ANG). Each of the three domains represents a 
separate security perimeter with a distinct set of security controls. 
While each FAA Domain operator is responsible for the cybersecurity of 
its infrastructure, the FAA Chief Information Security Officer (CISO) 
and the Chief Information Officer have overall responsibility for the 
FAA's cybersecurity and ensuring that Domain operators comply with 
applicable agency, departmental, and federal requirements.
    Overall, the FAA manages all aspects of the agency's cybersecurity 
mission through the Cybersecurity Steering Committee (CSC). The CSC was 
established in 2014 after the agency recognized the need to work more 
holistically at cybersecurity across the FAA enterprise. The CSC is 
charged with developing the FAA's cybersecurity strategy, setting 
priorities, and operational guidelines in support of an integrated 
agency-wide approach to protecting the FAA from cyber-threats. The FAA 
Cybersecurity Strategy was first developed in 2015 and sets clear goals 
and objectives for the FAA's cybersecurity program. These 
responsibilities are all accomplished through the collaboration of AFN, 
ATO, ANG, the Office of Aviation Safety (AVS), the Office of Airports, 
the Office of Security & Hazardous Materials Safety, and the Department 
of Transportation (DOT) CISO as members of the FAA CSC. With the input 
of these groups, other FAA offices as needed, and oversight of the CSC 
by senior FAA officials, the FAA continues to review, update, and 
maintain the framework to support a more cyber-secure and resilient 
aviation ecosystem.
    Following the establishment of the CSC, Congress continued to 
recognize the growing significance of cyber-threats. In 2016, Congress 
directed the FAA to develop a comprehensive strategic framework to 
reduce cybersecurity risks to the NAS, civil aviation, and agency 
information systems. Congress also directed the FAA to establish a 
cybersecurity research and development plan for the NAS, clarify 
cybersecurity roles and responsibilities of FAA offices and employees, 
identify and implement actions to reduce cybersecurity risks to air 
traffic control systems, and assess the cost and timeline of developing 
and maintaining an agency-wide cybersecurity threat model.\2\ In 
response to the mandate, the FAA expanded its Cybersecurity Strategy 
and it is updated annually. The Cybersecurity Strategy discusses in 
detail the FAA's five goals which are: 1) refine and maintain a 
cybersecurity governance structure to enhance cross-domain synergy; 2) 
protect and defend FAA networks and systems to mitigate risks to FAA 
missions and service delivery; 3) enhance data-driven risk management 
decision capabilities; 4) build and maintain workforce capabilities for 
cybersecurity; and 5) build and maintain relationships with, and 
provide guidance to, external partners in government and industry to 
sustain and improve cybersecurity in the aviation ecosystem.
---------------------------------------------------------------------------
    \2\ Pub. Law No. 114-190, Sec.  2111.
---------------------------------------------------------------------------
    In 2018, Congress directed the FAA to assess the Cybersecurity 
Strategy for risks, review its objectives, and assess the FAA's level 
of engagement with stakeholders in carrying out the Strategy.\3\ 
Although the FAA found the Cybersecurity Strategy's framework to be 
fundamentally sound, modifications were made to align it with other 
executive branch cyber initiatives, such as the National Cybersecurity 
Strategy and the National Strategy for Aviation Security. Enhancements 
were made to address the growing use of cloud and ``as-a-service'' 
technologies. The Cybersecurity Strategy was also modified to reflect 
efforts to improve response times in mitigation of internet-facing 
vulnerabilities, as well as cyber hygiene principles. It was 
strengthened by including a focus on external stakeholder engagement 
activities, including information-sharing and best practices around 
aviation cybersecurity.
---------------------------------------------------------------------------
    \3\ Pub. Law No. 115-254, Sec.  509.
---------------------------------------------------------------------------
    Further, in response to a March 2019 DOT Office of Inspector 
General audit of FAA's Cybersecurity Strategy, the FAA finalized the 
application of its cyber risk model to support its air traffic mission 
and related systems, and established priorities for research and 
development activities on cybersecurity. These efforts have improved 
the FAA's ability to maintain up-to-date capabilities necessary for 
identifying and addressing rapidly evolving cyber threats.
           FAA's Cybersecurity Role in the Aviation Ecosystem
    When discussing cybersecurity as it relates to aviation, the FAA 
frequently refers to the ``aviation ecosystem.'' Aspects of the 
aviation ecosystem include aircraft, air carriers, airports, air 
traffic operations, maintenance facilities and the personnel that carry 
out the functions for each. Although there is some overlap of cyber 
responsibilities with other participants for certain parts of the 
ecosystem, the FAA has safety oversight responsibilities for aircraft 
design, manufacturing and testing of aeronautical products, production, 
the continuous operational safety of certified products, and the 
certification of airmen and maintenance personnel. This includes 
components installed in aircraft, such as avionics. These 
responsibilities require the FAA to routinely engage with other 
aviation cybersecurity stakeholders including the private sector and 
other executive branch agencies that may have cyber responsibilities in 
the aviation ecosystem.
    With respect to FAA's safety oversight responsibility in 
certificating aircraft, modern airplanes are designed and equipped with 
safety-enhancing systems that enable improved communications and 
navigation information. These systems rely on connectivity between an 
airplane and ground or space-based infrastructure. The reliance upon 
such connectivity creates cyber risks and, since such risks could 
affect the airworthiness of the aircraft, requires that such risks be 
addressed during the certification process. As part of the FAA's 
certification practices for standard category aircraft, cybersecurity 
risk assessments are conducted by the applicant when they apply for 
design certification or a change to a previously certified product. The 
FAA relies upon its broad safety regulatory authority to ensure that 
cyber risks are managed through the application of applicant-specific 
``special conditions'' that require critical aircraft systems to be 
protected from adverse intentional unauthorized electronic 
interference. The FAA issues special conditions, which are rules of 
particular applicability, when the current airworthiness regulations do 
not contain adequate or appropriate safety standards for a novel or 
unusual design feature. The FAA addresses cybersecurity safety issues 
in much the same way as all safety issues, by monitoring safety impacts 
using a data-driven methodology. In response to an October 2020 
Government Accountability Office report, the FAA conducted an initial 
cybersecurity risk assessment of avionic systems.\4\ The FAA intends to 
do an in-depth analysis of our oversight responsibilities with respect 
to current and evolving avionics. At the request of the FAA, the 
Aviation Rulemaking Advisory Committee made 30 recommendations on 
Aircraft Systems Information Security and Protection. To date, the FAA 
has updated policy, standards and industry guidance for certifying 
critical aircraft systems.
---------------------------------------------------------------------------
    \4\ https://www.gao.gov/assets/gao-21-86.pdf.
---------------------------------------------------------------------------
    The FAA also has a direct operational role in the air traffic 
aspect of the aviation ecosystem and manages cyber threats to the NAS 
Domain through ATO. The NAS Domain consists of over a hundred systems 
and an ever-growing networking infrastructure. The networking 
infrastructure is dedicated to NAS Domain operations and segregated 
from non-NAS infrastructures via secure monitored gateways. The NAS 
Domain provides five major FAA mission-critical services that directly 
support air traffic control: automation, communications, navigation, 
surveillance, and weather. ATO is responsible for air navigation 
services in all U.S.-controlled airspace and performs maintenance 
services for all NAS Domain systems. ATO is responsible for NAS Domain 
operational cybersecurity and provides the identification, protection, 
detection, response, and recovery capabilities to ensure continued NAS 
Domain operations under a range of cyber conditions. Further, in 
support of its cyber responsibilities for the NAS, in 2015, the FAA 
established the Cyber Test Facility, or CyTF, to assess cyber threats 
and vulnerabilities and conduct cyber testing and evaluation.
  FAA's Coordination with Other Stakeholders in the Aviation Ecosystem
    One of the major components of the FAA's Cybersecurity Strategy is 
focused on the FAA's continual effort to build and maintain 
relationships with, and provide guidance to, external partners in 
government and industry to sustain and improve cybersecurity in the 
aviation ecosystem. Building trust between the FAA and aviation 
cybersecurity stakeholders is critical to the success of building an 
aviation cybersecurity framework that enhances defense, reaction, and 
recovery from a cyber-incident and improves resilience. An example of 
the FAA's efforts in this area is the establishment of the Aviation 
Cyber Initiative (ACI) interagency task force. In May 2019 the 
Secretaries of Transportation, Homeland Security, and Defense chartered 
ACI as a forum for coordination and collaboration among federal 
agencies on a wide range of activities aimed at cyber risk reduction 
within the aviation ecosystem. Such activities include research, 
development, testing, evaluation initiatives relating to aviation 
cybersecurity, engaging with stakeholders on activities for reducing 
cyber risks, and seeking potential improvement opportunities and risk 
mitigation strategies. The task force is tri-chaired by the three 
Departments, with the FAA representing the DOT on the task force. Some 
of the key areas for ACI working groups involve efforts to increase 
information sharing among ecosystem stakeholders--including airports 
and airlines, participation in inter-agency cyber exercises, and the 
development of risk mitigation strategies and guidance to improve and 
standardize risk management across the aviation ecosystem.
    FAA's outreach, collaboration, and coordination with other 
stakeholders in the aviation ecosystem is not limited to its 
participation in ACI, and the FAA will continue to support information 
sharing efforts within the aviation industry to develop information 
security standards and best practices consistent with the National 
Institute of Standards and Technology Cybersecurity Framework. This 
engagement recognizes the increasingly interconnected nature of 
aviation information systems from the flight deck to air traffic 
control and air carrier operations, which necessitate innovative and 
collaborative solutions to secure them. Additionally, one-on-one 
engagements with industry groups and standards bodies are essential to 
ensure comprehensive cybersecurity policy and guidance for 
manufacturers and operators of aircraft. Further, the FAA will continue 
to actively engage with stakeholders around the globe to raise 
awareness of cybersecurity issues relevant to the aviation ecosystem 
and support initiatives to address cyber threats and vulnerabilities in 
a coordinated and collaborative manner.
                     FAA's Cybersecurity Workforce
    One of the overarching goals of the FAA's Cybersecurity Strategy is 
to continue building and maintaining the agency's workforce 
capabilities for cybersecurity. Congress also recognized the importance 
of this effort and in 2018 directed the FAA to enter into an agreement 
with the National Academy of Sciences to conduct a study on the FAA 
cybersecurity workforce in order to develop recommendations to increase 
its size, quality, and diversity.\5\ In June 2021, the FAA received the 
results of the Cyber Workforce Study, conducted by the National Academy 
of Sciences. The study identified key challenges facing the FAA's cyber 
workforce, it noted opportunities for strengthening that workforce, and 
made recommendations to help the FAA capitalize on those opportunities 
and address the challenges. For example, the study emphasized the 
importance of the FAA's ability to anticipate the need to continually 
retool the cybersecurity skills of its workforce given the rapidly 
changing nature of the challenge. It noted that the FAA cannot assume 
that today's cyber knowledge and skills will be sufficient to meet the 
needs of the future. The FAA recognizes that leveraging training and 
reskilling for the workforce will be a powerful tool for the FAA to 
grow and maintain the cyber skills needed now and in the future. The 
FAA also embraces the value of workforce training through participation 
in exercises. For example, the FAA regularly exercises its incident 
response plan to ensure familiarity with communications and escalation 
procedures. These internal exercises provide valuable experience for 
staff and increase the level of preparedness to respond to a cyber-
incident. The FAA will continue to examine where expanding internal 
exercises will benefit preparedness.
---------------------------------------------------------------------------
    \5\ Pub. Law No. 115-254, Sec.  549.
---------------------------------------------------------------------------
    Finally, many of the recommendations in the National Academy of 
Science study are consistent with the FAA's cybersecurity strategic 
objectives, and many others align with broader ongoing FAA workforce 
development, diversity, and recruitment efforts. As technology and 
systems continue to evolve to meet the aviation challenges of tomorrow, 
so must our workforce. The FAA recognizes that a diverse pool of talent 
is critical to finding the right people for the right job at the right 
time. We also recognize that competitiveness in cybersecurity hiring 
and retention is important in order to attract and retain top talent. 
The FAA will use all of its federal recruiting, hiring and retention 
capabilities to continue building and to maintain the FAA cybersecurity 
workforce.
                               Conclusion
    Chair DeFazio, Ranking Member Graves, and Members of the Committee, 
the FAA's cybersecurity responsibilities and our strategy to implement 
those responsibilities has expanded and evolved significantly over the 
years. Our efforts to address cybersecurity challenges have benefited 
from congressional oversight, our own initiatives, and our cooperative 
efforts with other executive branch agencies. As the technology of the 
aviation ecosystem evolves, we expect that cybersecurity will continue 
to be a growing challenge and a significant aspect of both aviation 
safety and the efficient use of airspace. We look forward to keeping 
Congress informed of our progress on all aspects of cybersecurity. I 
would be happy to answer any questions you may have.

    Mr. DeFazio. Thank you. Thank you, Mr. Grossman.
    Now, Ms. Victoria Newhouse, you are recognized for 5 
minutes.
    Ms. Newhouse. Good morning, Chairman DeFazio, Ranking 
Member Graves, and distinguished members of this committee. My 
name is Victoria Newhouse, and I serve as the Deputy Assistant 
Administrator for Policy, Plans, and Engagement at the 
Transportation Security Administration. I greatly appreciate 
the opportunity to appear before you today to discuss TSA's 
important role in cybersecurity for our Nation's 
infrastructure.
    As you know, TSA was established by the Aviation and 
Transportation Security Act, which was signed into law on 
November 19th, 2001. Under that law, TSA assumed the mission to 
oversee transportation security in all modes of transportation, 
be that aviation, or the Nation's surface transportation 
system, mass transit and passenger rail, freight rail, highway 
and motor carrier, pipeline, as well as supporting maritime 
security with our United States Coast Guard partners.
    As we recently observed TSA's 20th anniversary, we 
rededicated ourselves to our critical mission to protect our 
Nation's transportation systems.
    My personal commitment to TSA's important mission to 
ferociously protect our homeland is fueled by my own personal 
experience on September 11, 2001, surviving the attack on the 
Pentagon on that fateful day, when we all lost over 2,977 
friends, family members, and colleagues.
    This is not a mission we can accomplish alone. Our success 
is highly dependent on close collaboration and strong 
relationships with our transportation industry stakeholders and 
our Federal agency partners, including several who are on this 
esteemed panel today.
    Cybersecurity incidents affecting transportation are a 
growing, evolving, and persistent threat. Across the U.S. 
critical infrastructure, cyber threat actors have demonstrated 
their willingness and ability to conduct malicious cyber 
activities targeting critical infrastructure by exploiting the 
vulnerability of operational technology and information 
technology systems. Malicious cyber actors continue to target 
U.S. critical infrastructure through transportation systems. 
For instance, as mentioned earlier, the ransomware incident 
against the Colonial Pipeline last May underscores this threat.
    TSA is highly dedicated to protecting our transportation 
networks against these evolving threats, and we continue to 
work collaboratively with public and private stakeholders to 
drive the implementation of intelligence-driven, risk-based 
policies and programs, and continue our robust information-
sharing efforts.
    As reflected in the cybersecurity infrastructure testimony 
provided by our industry colleagues on November 4th of this 
year, we have a vital national interest in understanding, 
mitigating, and protecting its people and infrastructure from 
cybersecurity threats. Constantly evolving potential for 
malicious cyber activity against the transportation 
infrastructure points to the need for continued vigilance, 
information sharing, and development of dynamic policies and 
capabilities to strengthen our cybersecurity posture. TSA has 
fought to mitigate the degradation, destruction, or malfunction 
of systems that control this infrastructure by implementing 
immediate security requirements through security policies.
    After the Colonial Pipeline ransomware incident in May, 
there was a clear understanding that we need to take more 
actions to prevent another pipeline incident in the future. In 
that vein, TSA issued two security directives to immediately 
address these threats. We required the pipeline operators who 
operate and transport over 85 percent of the Nation's energy 
and assets to take immediate actions to report cybersecurity 
incidents to my partner agency, Cybersecurity and 
Infrastructure Security Agency; designate an express 
cybersecurity coordinator that is available 24/7; and implement 
specific mitigation measures.
    We continue our work across all of our modes, as credible 
cyber threat information is driving our most recent efforts to 
issue more directives in this vein. As Chairman DeFazio 
mentioned earlier, we are working with our rail, higher risk 
freight rail, passenger rail, and rail transit operators, and 
aviation in four critical actions: designate a cybersecurity 
coordinator; reporting incidents to CISA; developing an 
incident response plan; and conducting self-assessments to 
address potential vulnerabilities and gaps.
    Chairman DeFazio, we continue our robust engagement with 
our partners through our Surface Transportation Security 
Advisory Committee and our Aviation Security Advisory 
Committee, along with numerous corporate executives, all the 
way down to the security level.
    Chairman DeFazio, on behalf of all of my colleagues at TSA, 
we would like to congratulate you on your decades of service, 
and thank you for your service to all of us in our Nation.
    I look forward to taking any questions you may have. Thank 
you.
    [Ms. Newhouse's prepared statement follows:]

                                 
Prepared Statement of Victoria Newhouse, Deputy Assistant Administrator 
      for Policy, Plans, and Engagement, Transportation Security 
          Administration, U.S. Department of Homeland Security
    Good morning, Chairman DeFazio, Ranking Member Graves, and 
distinguished Members of the Committee. My name is Victoria Newhouse 
and I serve as the Deputy Assistant Administrator for Policy, Plans, 
and Engagement within the Transportation Security Administration (TSA). 
I appreciate the opportunity to appear before you today to discuss 
TSA's role in cybersecurity for our Nation's infrastructure.
    TSA was established by the Aviation and Transportation Security Act 
(ATSA), which was signed into law on November 19, 2001. With the 
enactment of ATSA, TSA assumed the mission to oversee security in all 
modes of transportation, be that aviation or the Nation's surface 
transportation systems--mass transit and passenger rail, freight rail, 
highway and motor carrier, pipeline, as well as supporting maritime 
security with our U.S. Coast Guard (USCG) partners. As we recently 
observed TSA's 20th anniversary, we rededicated ourselves to our 
critical mission to protect our Nation's transportation systems as they 
remain attractive targets for our adversaries to directly attack our 
Homeland, our commercial markets, and ultimately the freedoms we hold 
so dear. My personal commitment to TSA's important mission to 
ferociously protect our Homeland is fueled by my own experience on 
September 11, 2001, surviving the attack on the Pentagon on that 
fateful day when we lost 2,977 friends, family members and colleagues. 
This is not a mission we can accomplish alone. TSA's mission success is 
highly dependent on close collaboration and strong relationships with 
our transportation industry stakeholders and our Federal agency 
partners, including several who are present on this esteemed panel 
today. TSA's motto--``not on my watch''--truly reflects our collective 
approach to secure our Homeland against all threats, including 
cybersecurity threats.
                  Transportation Cybersecurity Threats
    Cybersecurity incidents affecting transportation are a growing, 
evolving, and persistent threat. Across U.S. critical infrastructure, 
cyber threat actors have demonstrated their willingness and ability to 
conduct malicious cyber activity targeting critical infrastructure by 
exploiting the vulnerability of Internet-accessible Operational 
Technology (OT) assets and Information Technology (IT) systems. 
Malicious cyber actors continue to target U.S. critical infrastructure, 
to include transportation systems, through malicious cyber activity and 
cyber espionage campaigns. For instance, the ransomware incident 
against Colonial Pipeline last May underscores this threat. The United 
States' adversaries and strategic competitors will continue to use 
cyber espionage and malicious cyber activity to seek economic, 
political and military advantage over the United States and its allies 
and partners. TSA is dedicated to protecting our Nation's 
transportation networks against evolving threats and continues to work 
collaboratively with public and private stakeholders to expand the 
implementation of intelligence-driven, risk-based policies and programs 
and continue robust information sharing to reinforce the security 
posture of these networks.
                    Addressing Cybersecurity Threats
    As reflected in cybersecurity and infrastructure testimony provided 
by industry colleagues to this committee on November 4, 2021, the 
United States has a vital national interest in understanding, 
mitigating, and protecting its people and infrastructure from 
cybersecurity threats in the transportation domain. The constantly 
evolving potential for malicious cyber activity against the 
transportation infrastructure point to the need for continued 
vigilance, information sharing, and development of dynamic policies and 
capabilities to strengthen our cybersecurity posture. Consistent with 
the President's National Security Memorandum on Improving Cybersecurity 
for Critical Infrastructure Control Systems (July 28, 2021), Department 
of Homeland Security priorities, and our broader statutory authorities, 
TSA has sought to mitigate the ``degradation, destruction, or 
malfunction of systems that control this infrastructure'' by 
implementing immediate security requirements through security policies.
    After the Colonial Pipeline ransomware incident in May, there was a 
clear understanding across the Administration, Congress, industry, and 
the public for the need to take action to prevent another pipeline 
incident in the future. The TSA Administrator leveraged authority under 
49 U.S.C. Sec. 114 to respond to emerging threats by directing select 
owners and operators of pipeline and natural gas facilities to 
implement necessary cyber protections. TSA issued two Security 
Directives (SDs), effective May 28, 2021, and July 26, 2021, to 
immediately address these threats. Among several requirements, the SDs 
required pipeline companies to report cybersecurity incidents to the 
Cybersecurity and Infrastructure Security Agency (CISA), designate a 
cybersecurity coordinator to be available 24/7, and implement specific 
mitigation measures to protect against ransomware incidents.
    Credible cyber threat information also supported our recent efforts 
to implement similar security measures across the domestic surface and 
aviation transportation networks. In the surface domain, new 
cybersecurity protocols require higher risk freight railroads, 
passenger rail and rail transit operators to take four critical 
actions:
    1.  Designate a cybersecurity coordinator;
    2.  Report cybersecurity incidents to CISA;
    3.  Develop a cybersecurity incident response plan to reduce the 
risk of an operational disruption; and
    4.  Conduct a cybersecurity self-assessment to identify potential 
gaps or vulnerabilities in their systems.

    In addition to these requirements, TSA also issued an Information 
Circular to lower risk surface transportation operators, including 
over-the-road buses and lower risk rail operators, strongly 
recommending they immediately implement these same measures.
    Within the aviation subsector, TSA recently updated established 
security programs with these same measures, starting with designating a 
cybersecurity coordinator and reporting specific cybersecurity 
incidents to CISA. In a second set of security program updates to be 
issued in the near future, TSA will also implement the requirements to 
conduct cybersecurity self-assessments and develop cybersecurity 
incident response plans.
    DHS and TSA engaged with stakeholders throughout the development 
process for these measures to ensure awareness of the threat picture, 
review draft proposals, and obtain industry feedback. This included 
stakeholder CEO-level discussions with DHS and TSA leaders, threat 
briefings for aviation, pipeline, and other surface transportation 
stakeholders, multiple policy reviews by industry and government 
stakeholders, and consistent engagement sessions with transportation 
associations and regulated entities for awareness on the proposed 
strategies. For example, we engaged TSA's Surface Transportation 
Security Advisory Committee (STSAC) on several occasions to share and 
discuss these new security requirements and held numerous stakeholder 
calls and engagements with the specific covered operators prior to 
issuing these most recent security requirements. In addition, airport 
and airline stakeholders also provided extensive input to our aviation 
cyber requirements to ensure they can operationalize them effectively 
and efficiently. Our interagency partners also participated extensively 
to ensure unity of effort across DHS and the interagency. We 
incorporated stakeholder inputs resulting in revisions to these 
cybersecurity policy requirements, including adjustments to incident 
reporting and response plan timeframes, defining reportable 
cybersecurity incidents, and using established methods to conduct self-
assessments. We continue working closely with stakeholders to assist 
with implementation and respond to any questions regarding these 
requirements with an eye on continually improving our collective 
efforts to secure the Nation's transportation systems from cyber 
threats.
                   Information Sharing and Engagement
    Our work does not simply end after issuing these cybersecurity 
requirements. On the contrary, the TSA enterprise continues our robust 
stakeholder engagement to mitigate cyber threats. We work closely with 
these covered operators to successfully implement these requirements, 
educate our vast network of transportation operators, and continue to 
seek input from both the STSAC and the Aviation Security Advisory 
Committee (ASAC) on how to best integrate cybersecurity into the fabric 
of our transportation security mission. For example, we have sought, 
incorporated, and continue to seek stakeholder input, including from 
those advisory committees, on TSA's Cybersecurity Roadmap. TSA conducts 
robust outreach with thousands of individual transportation operators 
to implement these requirements and ensure consistent application 
across the transportation sector. We continually seek opportunities to 
expand information exchanges and to provide evaluation tools and 
training programs to evaluate systems, identify vulnerabilities, and 
incorporate security measures and best practices that mitigate cyber 
threats. This includes efforts such as the Baseline Assessment for 
Security Enhancement (BASE) program and the Intermodal Security 
Training and Exercise Program (I-STEP). TSA actively supports broader 
DHS efforts, such as the 60-day Transportation Cybersecurity Sprint in 
September and October that focused on enhancing cyber risk management 
and cybersecurity in the context of the transportation sector with 
particular emphasis on TSA, CISA, and USCG engagements.
    On behalf of DHS, TSA and USCG are the Co-Sector Risk Management 
Agency for the Transportation Security Sector (TSS) along with the 
Department of Transportation (DOT). In that role, TSA serves as the 
executive agent with the USCG for developing, deploying, and promoting 
TSS-focused cybersecurity initiatives, programs, assessment tools, 
strategies, and threat and intelligence information-sharing products. 
TSA is in close alignment with CISA and coordinates on both a tactical 
and strategic level to raise the cybersecurity baseline across the 
transportation sector.
    TSA also supports DHS's cybersecurity efforts in alignment with the 
National Institute of Standards and Technology (NIST) Cybersecurity 
Framework (Framework). The Framework is designed to provide a 
foundation for industry to better manage and mitigate their cyber risk. 
TSA shares information and resources and develops products for 
stakeholders to support their adoption of the Framework. For example, 
TSA in conjunction with the USCG and the DOT, has been working with 
NIST to develop transportation-specific profiles for the Framework 
through a series of sector surveys to allow for further targeted sector 
adoption of the Framework.
    Robust information and intelligence sharing is a key enabler of 
TSA's mission to protect the nation's transportation systems to ensure 
the freedom of movement for people and commerce. TSA coordinates with 
the DHS Office of Intelligence and Analysis and Intelligence Community 
(IC) partners across the federal government to share cyber threat 
information with industry as soon as it becomes available. To enhance 
mission performance, TSA also facilitates both classified and 
unclassified briefings for industry representatives to ensure that the 
evolving threat picture is communicated to trade associations, industry 
executive leadership, and key industry security personnel. TSA's 
commitment to information sharing is strongly supported by two full-
time threat intelligence sharing cells--the Aviation Domain 
Intelligence Integration & Analysis Cell (ADIAC) and the Surface 
Information Sharing Cell (SISC). Through these information sharing 
entities, TSA shares thousands of threat items, including cyber threat 
information. Additionally, we issue various cyber assessments and 
analytic products, including Cybersecurity Awareness Messages to 
operators and other products in conjunction with our sister component 
CISA and Federal law enforcement, to ensure widest distribution across 
the transportation sector. These two information sharing cells are 
excellent examples of government and industry partnership, and their 
establishment resulted directly from stakeholder collaboration. For 
instance, the SISC's establishment fulfills an important STSAC 
recommendation, and we continue working to enhance the SISC's 
capabilities.
                                Closing
    Chairman DeFazio, Ranking Member Graves, and distinguished Members 
of the Committee, thank you for this opportunity to share the steps and 
measures TSA has taken in concert with our stakeholders to strengthen 
transportation critical infrastructure to address the serious and 
persistent cybersecurity threat. TSA is committed to ensuring 
appropriate security measures are in place to increase the cyber and 
physical security posture of our Nation's transportation systems. Thank 
you for the chance to appear before you today. I look forward to 
answering any questions you may have.

    Mr. DeFazio. Thanks, Ms. Newhouse. I have quite a history 
with TSA. John Mica chaired the Aviation Subcommittee, and I 
was ranking, and it was under our jurisdiction then. We had no 
Homeland Security Committee, and we stood it up in pretty short 
order. And I can say it is still a work in progress. But, it is 
so far ahead of where we were pre-9/11. And I would love to go 
into that at some point and talk about it. But anyway, it is 
not the subject of this hearing.
    Rear Admiral John W. Mauger?
    Admiral Mauger. Good morning, Chairman DeFazio, Ranking 
Member Graves, and distinguished members of the committee. I am 
honored to be here this morning to discuss cybersecurity in the 
maritime transportation system, a top priority for the Coast 
Guard.
    Our national security and economic prosperity are 
inextricably linked to a safe and efficient Marine 
Transportation System, or MTS. The MTS is an integrated network 
of 361 ports and 25,000 miles of waterways. Marine 
transportation supports one-quarter of U.S. GDP, and provides 
employment for one in seven working-age Americans. The MTS 
enables our Armed Forces to project power around the globe, and 
any substantial disruption to marine transportation can cause 
cascading effects to our economy and to our national security. 
Cyberattacks are a significant threat to the maritime critical 
infrastructure. And while we must continue to work to prevent 
attacks, we must also be clear-eyed that attacks will occur, 
and we must ensure that the MTS is resilient.
    Protecting maritime critical infrastructure and ensuring 
resiliency is a shared responsibility. Thank you for holding 
both sessions to allow industry and Government to describe 
their efforts.
    The Coast Guard is the Nation's lead Federal agency for 
protecting the MTS. In August, the Commandant released a cyber 
strategic outlook to guide our work ahead. At the core of the 
Coast Guard strategy is the recognition that cybersecurity is 
an operational imperative, both for our Service and for the 
maritime industry. With support from Congress, we established 
Coast Guard Cyber Command, and built an operational force to 
execute missions and protect Coast Guard and DoD networks. 
Coast Guard cyber forces are manned, trained, and equipped, in 
accordance with joint DoD standards, but have a broad range of 
authorities to address complex issues spanning national defense 
and homeland security, including protecting the MTS.
    The Coast Guard's approach to protecting the MTS leverages 
our proven prevention and response framework. To prevent 
incidents, we leverage our authorities in the Nation's ports to 
set standards and conduct compliance. We refer to this as 
``cyber risk management'' and require accountability 
assessments, mitigation exercises, and incident reporting. To 
prepare for and respond to cyber incidents, Coast Guard sectors 
are leading field-level exercises with Area Maritime Security 
Committees and have established unified commands with FBI and 
CISA to lead the Federal response to cyberattacks in the ports.
    Cyberattacks will increasingly have physical impacts beyond 
computer networks. By incorporating cybersecurity into our 
prevention and response framework, we provide a comprehensive, 
all-hazards approach to this threat. But we cannot do this 
alone. As the co-Sector Risk Management Agency for 
transportation, we look to both CISA and TSA as key partners.
    The MTS is dependent on other critical infrastructure. CISA 
coordinates across sectors, shares threat and vulnerability 
information, and provides cyber technical assistance. These 
efforts build coherence within the interagency, foster 
collaboration with the private sector, and enhance our ability 
to protect the MTS. Our relationships with CISA and TSA are 
strong, and will continue to mature.
    Cybersecurity is a shared responsibility with the private 
sector, as well. Collaboration with the industry is paramount 
and focused on information sharing and good governance. At the 
national level, we stood up a Maritime Cyber Readiness Branch 
within Coast Guard Cyber Command as a focal point for maritime 
threat monitoring, information sharing, and response 
coordination. At the local level, we continue to strengthen 
communications through engagement at our Area Maritime Security 
Committees.
    Risk-based regulations, which leverage international and 
industry-recognized standards, are the foundation for good 
governance. With congressional support, we established the 
National Maritime Security Advisory Committee to facilitate 
consultation with industry on standards development. We worked 
with the International Maritime Organization, or IMO, to 
address the risks posed by foreign vessels. We are committed to 
a transparent approach, as we balance the urgency of cyber 
threats with informed rulemaking.
    The cyber threat is dynamic. As we continually evolve to 
address emergent needs, we will need Congress' continued 
support. We are grateful for the fiscal year 2021 
appropriations. The investments in Coast Guard Cyber Command 
provide additional capability for our Service, and serve a key 
role in protecting the MTS. The establishment of 22 MTS cyber 
advisors in the field are key nodes for coordination and 
collaboration at our field units.
    We look forward to the continued dialogue with Congress on 
this important issue, and I appreciate the opportunity to 
testify, and look forward to your questions.
    [Admiral Mauger's prepared statement follows:]

                                 
Prepared Statement of Rear Admiral John W. Mauger, Assistant Commandant 
                for Prevention Policy, U.S. Coast Guard
                              Introduction
    Good morning Chairman DeFazio, Ranking Member Graves, and 
distinguished Members of the Committee. I am honored to be here to 
discuss a top priority for the U.S. Coast Guard: cybersecurity in the 
marine transportation system (MTS). Since the early days of the Revenue 
Cutter Service, we have protected our Nation's waters, harbors, and 
ports. While much has changed over the centuries--with our missions 
expanding from sea, air, and land into cyberspace--our ethos and 
operational doctrine remain steadfast. We employ a risk-based approach 
to protect the Nation from threats in the maritime environment. 
Regardless of the threat, we leverage the full set of our authorities; 
the ingenuity and leadership of our people; and the breadth of our 
civil, military, and law enforcement partnerships to protect the 
Nation, its waterways, and those who operate on them.
    I recognize that protecting the MTS from cyber threats is also a 
top priority for Congress. The Coast Guard thanks Congress for Fiscal 
Year 2021 appropriations that will deliver more cyber risk management 
capability for the nation and build a more resilient MTS. The Coast 
Guard is committed to maximizing the return on this important 
investment and we look forward to the continued dialog with Congress on 
such a critical issue for our country.
          The Criticality of the Marine Transportation System
    Our national security and economic prosperity are inextricably 
linked to a safe and efficient MTS. One of the challenges with 
protecting the MTS is that it can be difficult to quantify. It is an 
integrated network that consists of 25,000 miles of coastal and inland 
waters and rivers serving 361 ports. But it is more than ports and 
waterways. It is cargo and cruise ships, passenger ferries, waterfront 
terminals, offshore facilities, buoys and beacons, bridges, and more. 
The MTS supports $5.4 trillion of economic activity each year and 
accounts for the employment of more than 30 million Americans. It also 
enables critical national security sealift capabilities, enabling U.S. 
Armed Forces to project and maintain power around the globe.
    The maritime transportation of cargo is considered the most 
economical, environmentally friendly, and efficient mode of freight 
transport. As the economic lifeblood of the global economy and critical 
to U.S. national interests, the MTS connects America's consumers, 
producers, manufacturers, and farmers to domestic and global markets. 
Any significant disruption to the MTS, whether man-made or natural, has 
the potential to cause cascading and devastating impact to our domestic 
and global supply chain and, consequently, America's economy and 
national security.
                        The Growing Cyber Risks
    Cyber attacks are a significant threat to the economic prosperity 
and security of the MTS, and will require a whole of nation effort to 
address the threat. The MTS's complex, interconnected network of 
information, sensors, and infrastructure continually evolves to promote 
the efficient transport of goods and services around the world. The 
information technology and operational technology networks vital to 
increasing the efficiency and transparency of the MTS also create 
complicated interdependencies, vulnerabilities, and risks.
    The size, complexity, and importance of the MTS make it an 
attractive target. Terrorists, criminals, activists, adversary nation 
states and state-sponsored actors may view a significant MTS disruption 
as favorable to their interests. The diversity of potential malicious 
actors and their increasing levels of sophistication present 
substantial challenges to government agencies and stakeholders focused 
on protecting the MTS from constantly evolving cyber threats.
    Recent destructive cyber activities highlight the risk posed to the 
vast networks and system of the MTS. Cyber attacks, such as ransomware 
attacks, can have a devastating impact on the operations of maritime 
critical infrastructure. A successful cyber attack could impose 
unrecoverable losses to port operations, electronically-stored 
information, national economic activity, and disruption to global 
supply chains. The increased use of automated systems in shipping, 
offshore platforms, and port and cargo facilities creates enormous 
efficiencies, but also introduces additional attack vectors for 
malicious cyber actors. This growing reliance on cyber-physical systems 
and technologies requires a comprehensive approach by all MTS 
stakeholders to manage cyber risks and ensure the safety and security 
of the MTS.
                         Shared Responsibility
    The U.S. Coast Guard is the Nation's lead federal agency for 
safeguarding the MTS. We apply a proven prevention and response 
framework to prevent or mitigate disruption to the MTS from the many 
risks it faces. Our authorities and capabilities cut across threat 
vectors, allowing operational commanders at the port level to quickly 
evaluate risks, apply resources, and lead a coordinated and effective 
response.
    Just like the other risks we manage, the maritime industry has a 
vital role in cyber risk management--Cyber risk management is a shared 
responsibility. In a number of forums and industry engagements, I hear 
the consistent message that cybersecurity does not have a one-size-
fits-all solution. I agree with that assessment. However, the building 
blocks of sound cyber risk management practices have common threads 
across the maritime industry and other critical infrastructure sectors.
    It starts with accountability and focus. First, companies need to 
identify and empower a responsible person with the authority and 
resources to address the cyber challenge. Then, companies need to have 
a plan. This includes conducting vulnerability assessments, identifying 
gaps, and working to close them. Third, companies need to exercise 
their plan, so cybersecurity is ingrained in all of the work they do. 
Lastly, companies need to report cyber incidents--reporting of 
cybersecurity incidents is absolutely critical because it enables a 
coordinated response, and more importantly, can help to inform other 
companies and critical infrastructure to take action and mitigate risk.
    Information sharing is clearly an essential component of our shared 
responsibility, and we have heard from industry that it must happen at 
the ``speed of cyber'' to spur meaningful prevention and response 
activities. While we have existing information sharing networks--within 
the Coast Guard and across government--we must deliver specific, timely 
information with appropriate levels of privacy protection in order to 
build trust and confidence in the system. Without that trust, we will 
lose the massive benefit of the industry's perspectives, experiences, 
and trends.
                    The U.S. Coast Guard's Approach
    For the U.S. Coast Guard, protecting the MTS from threats is not 
new, and we will continue to leverage our foundational operational 
concepts and strong relationships to strengthen the cyber resiliency of 
the MTS. In August of 2021, we released a new Coast Guard Cyber 
Strategic Outlook that outlines our strategic direction for facing 
cyber threat. One of the three primary Lines of Effort is to ``Protect 
the Marine Transportation System,'' and a fundamental element for this 
effort is applying our proven prevention and response framework.
Prevention
    The Prevention Concept of Operations--Standards, Compliance, and 
Assessment--guides all of our prevention missions including our cyber 
risk management activities. It begins with establishing expectations in 
the MTS. Regulations and standards provide a set of minimum 
requirements, and are critical to establishing effective and consistent 
governance regimes. With effective standards in place, compliance 
activities systematically verify that the governance regime is working. 
This part of the system is vital in identifying and correcting 
potential risks before they advance further and negatively impact the 
MTS. Effective assessment is paramount to continuous improvement. It 
provides process feedback and facilitates the identification of system 
failures so that corrective actions can be taken to improve standards 
and compliance activities.
    Importantly, we are operationalizing this framework at the port-
level. U.S. Coast Guard Captains of the Port are overseeing Maritime 
Transportation Security Act (MTSA)-regulated facilities as they 
incorporate cybersecurity into their mandated Facility Security 
Assessments and Facility Security Plans. We have provided the industry 
with detailed guidance on ways to meet the regulatory requirements 
related to computer systems and networks, including personnel training, 
drills and exercises, communication, vessel interfaces, security 
systems, access control, cargo handling, delivery of stores, and 
restricted area monitoring. On October 1, 2021, Coast Guard field units 
began reviewing these Facility Security Assessments and Facility 
Security Plans to validate that cybersecurity is satisfactorily 
addressed, and all MTSA-regulated facilities will be inspected for 
compliance by September 30, 2022.
    The U.S. Coast Guard worked closely with the International Maritime 
Organization on guidelines for commercial vessels operating 
internationally to integrate cyber risk management into mandated safety 
management systems. During regular inspections, the U.S. Coast Guard is 
verifying that foreign vessels operating in U.S. waters are complying 
with these requirements.
    The U.S. Coast Guard is hiring Cybersecurity Advisors at each Area, 
District, and Captain of the Port Zone. These new positions create a 
dedicated staff to build and maintain port level cyber-related 
relationships, facilitate information sharing across industry and 
government, advise Coast Guard and Unified Command decision-makers, and 
plan cyber-related security exercises.
    Finally, Coast Guard Cyber Command's (CGCYBER) Maritime Cyber 
Readiness Branch is assessing technology employed in the MTS, 
evaluating known or potential threats, and sharing information across 
industry and government. Their Cyber Protection Teams (CPTs) are 
conducting detailed vulnerability assessments of maritime critical 
infrastructure when requested to help the industry identify and close 
gaps in their cybersecurity systems.
Response
    Similar to our Prevention Concept of Operations, the U.S. Coast 
Guard has a proven, scalable response framework that can be tailored 
for all-hazards. This is especially important as cyber incidents can 
quickly transition to physical impact requiring operational commanders 
to immediately deploy assets to mitigate risks. Depending on the 
incident's size and severity, commanders will set clear response 
priorities, request specialized resources to help mitigate risk, and 
notify interagency partners to help coordinate the response. We are not 
approaching this alone.
    By regulation, MTSA-regulated vessels and facilities are required 
to report Transportation Security Incidents, breaches of security, and 
suspicious activity without delay. We have provided additional guidance 
on reporting requirements specifically related to cyber incidents. 
These reports enable our operational commanders to rapidly notify other 
government agencies, evaluate associated risks, deploy resources, and 
unify the response.
    CGCYBER is also bringing specialized operational capability to MTS 
cyber response. These teams will support maritime critical 
infrastructure owners and operators after a cyber attack and provide 
extensive technical expertise for post-incident investigation, 
response, and recovery. Their cyber skills are unprecedented for our 
Service.
    While we are converting our strategy into action, we know our work 
is not done. Through all of these prevention and response activities in 
the field and engagements with industry, the U.S. Coast Guard will 
capture lessons learned, recommendations, and best practices that 
strengthen the maritime industry's cybersecurity posture and inform 
future policy, law, and regulations.
                              Partnerships
    MTS cyber risk management requires a whole-of-government effort to 
protect America's critical infrastructure. As the Federal Maritime 
Security Coordinator, the U.S. Coast Guard Captain of the Port directs 
Area Maritime Security Committee (AMSC) activities. AMSCs are required 
by federal regulations and serve an essential coordinating function 
during normal operations and emergency response. They are comprised of 
government agency and maritime industry leaders, and have adapted to 
the cyber threat, serving as the primary local means to jointly 
evaluate cyber risks, share threat information, and participate in 
cyber preparedness exercises.
    In addition to being the federal government's lead regulator for 
the MTS, we are also the co-Sector Risk Management Agency (SRMA), along 
with the Department of Transportation for the Maritime Transportation 
Subsector, as outlined in Presidential Policy Directive 21. As an SRMA, 
we are responsible for coordinating risk management efforts, including 
cyber, with DHS, the Cybersecurity and Infrastructure Security Agency 
(CISA), other Federal departments and agencies, and MTS stakeholders. 
We also provide, support, and facilitate technical assistance for the 
MTS to address vulnerabilities and develop processes and procedures to 
mitigate risk.
    CISA is a key partner in all of our cyber risk management 
activities. CISA's technical expertise directly supports our ability to 
leverage our authorities and experience as the regulator and SRMA of 
the MTS. CISA provides technical expertise, integrates a whole-of-
government response, analyzes broader immediate and long-term impacts, 
and facilitates information sharing across transportation sectors. Our 
relationship with CISA is strong and will continue to mature.
    Our enduring relationship with the Department of Defense (DoD) is 
also crucial to safeguarding the MTS. In many cases, DoD's ability to 
surge forces from domestic to allied seaports depends on the same 
commercial maritime infrastructure as the MTS. We must ensure our surge 
capability and sea lines of communication will be secure and available 
during times of crisis. By sharing intelligence on cyber threats, 
developing interoperable capabilities like Cyber Protection Teams, and 
using DoD's expertise to protect our own cyber networks, we enable 
national security sealift capabilities and jointly support our nation's 
ability to project power around the globe.
                              Future Focus
    Recent cyber incidents, including attacks on multiple segments of 
maritime critical infrastructure only reinforce that cyberspace is a 
contested domain. Working in close collaboration with the Department of 
Homeland Security, CISA, and our other government partners, foreign 
allies, and the maritime industry, we will continue to leverage strong 
and established relationships across the maritime industry--at the 
international, national, and port levels--to build confidence and 
establish trust through cyber prevention and response activities.
    We have secured and safeguarded the maritime environment for over 
230 years. During that time we have faced many complex challenges. 
These trials have honed our operating concepts, bolstered our 
capabilities, and strengthened our resolve. We will employ these same 
concepts and capabilities to secure and protect our Nation and maritime 
critical infrastructure from malicious cyber activity and cyber 
attacks. In addressing cyber risks to ports and other aspects of the 
maritime industry, our commitment is to address those risks with the 
same level of professionalism, efficiency, and effectiveness that the 
public has come to expect. The Coast Guard will continue to adapt, as 
it has done over the last two centuries, to the challenges and 
opportunities that accompany technological advancements in our 
operating environment.
    Thank you for the opportunity to testify today, and thank you for 
your continued support of the United States Coast Guard. I am pleased 
to answer your questions.

    Mr. DeFazio. Thank you, Admiral.
    Mr. Kevin Dorsey?
    Mr. Dorsey. Good morning. Chairman DeFazio, Ranking Member 
Graves, and distinguished members of the committee, thank you 
for inviting me to testify on securing our Nation's 
infrastructure in an evolving cybersecurity landscape.
    The Department of Transportation relies on over 400 IT 
systems to ensure the safety and efficiency of our Nation's 
transportation system.
    As you know, malicious cyberattacks and other compromises 
to these systems and DOT networks may put public safety, 
sensitive information, or taxpayer dollars at risk. Our office 
has long identified cybersecurity as one of the Department's 
top management challenges.
    Today I will focus on three key areas: one, developing a 
comprehensive, DOT-wide cybersecurity strategy to address 
recurring weaknesses; two, protecting IT infrastructure and 
sensitive information within DOT's operating administrations; 
and three, coordinating with other agencies and industry 
partners.
    First, on the whole, DOT has established formal policies 
and procedures for a cybersecurity program that align with 
Federal guidelines. However, it still faces challenges 
implementing this program in a consistent or comprehensive 
manner. As a result, DOT faces the risk that its mission-
critical systems could be compromised. Our office has reported 
on longstanding deficiencies due to DOT's inconsistent 
enforcement of an enterprisewide information security program, 
ineffective communication with its operating administrations, 
and inadequate efforts to remediate recurring weaknesses.
    Many of these weaknesses can be attributed to DOT's lack of 
progress in addressing 66 of our prior audit recommendations, 
including those to resolve more than 10,000 identified 
vulnerabilities.
    Leadership challenges also limit DOT's oversight. For 
example, the individual serving as the acting chief information 
security officer over the last year was not tasked with 
information security as an official primary duty. That has made 
it difficult for DOT to implement long-term changes.
    Second, DOT must better protect the IT infrastructure 
managed by its operating administrations. For example, to 
increase cybersecurity, FAA must finish selecting and 
implementing more stringent security controls for 45 high-
impact systems that are critical for safely managing air 
traffic.
    In addition, unresolved security control deficiencies with 
FTA's financial management systems could impede its ability to 
disburse billions of grant dollars.
    Furthermore, during vulnerability assessments and 
penetration testing of the IT infrastructure at multiple 
operating administrations, we were able to gain unauthorized 
access to millions of sensitive records, including personal 
identifiable information.
    Finally, DOT is one of the lead agencies designated to 
protect the Nation's transportation infrastructure. As such, it 
must effectively partner with other Federal agencies and the 
private sector on efforts such as securing cloud-based services 
and meeting the President's recently issued Executive order on 
improving cybersecurity. To that end, FAA is working with DHS 
and DoD on the Aviation Cyber Initiative. Still, as the U.S. 
upgrades its transportation infrastructure, DOT must continue 
to strengthen and secure its IT systems and networks, while 
working to improve its efforts to respond to increasingly 
sophisticated malicious cyber campaigns.
    We remain committed to supporting DOT's efforts as it works 
to remediate existing vulnerabilities and bolster its overall 
cybersecurity posture. We will continue to update you on our 
work on these and related matters.
    This concludes my prepared statement. I would be happy to 
address any questions from you or members of the committee at 
this time.
    [Mr. Dorsey's prepared statement follows:]

                                 
  Prepared Statement of Kevin Dorsey, Assistant Inspector General for 
   Information Technology Audits, Office of Inspector General, U.S. 
                      Department of Transportation
    Chairman DeFazio, Ranking Member Graves, and Distinguished Members 
of the Committee:
    Thank you for inviting me to testify today on securing our Nation's 
infrastructure in an evolving cybersecurity landscape. As you know, the 
Department of Transportation (DOT) aims to ensure the United States has 
the safest, most efficient, and modern transportation system in the 
world. DOT relies on over 400 information technology (IT) systems to 
carry out this mission, including systems that manage air traffic, 
administer hundreds of billions of dollars, and maintain sensitive 
information about the transportation industry. DOT's cybersecurity 
program must protect these systems from malicious attacks and other 
compromises that may put public safety or taxpayer dollars at risk.
    DOT has expressed a commitment to improving its cybersecurity. 
Nevertheless, recent cyberattacks remind us why the Department must be 
prepared at all times to manage cyber threats, which may originate in 
unfriendly nation-states, international criminal syndicates, and even 
within the United States. Due to the increasing threat of sophisticated 
cyberattacks, DOT must frequently update its digital infrastructure, as 
well as its methodology for monitoring networks, detecting potential 
risks, identifying malicious activity, and mitigating threats to 
sensitive information and information systems.
    Our office has long identified cybersecurity as one of the 
Department's top management challenges--a challenge that will be 
compounded as DOT embarks on implementing new requirements under the 
President's recent Executive Order to improve the Nation's 
cybersecurity.\1\ My testimony today is based on our recent and ongoing 
audit work and will focus on DOT's challenges in three areas: (1) 
developing a comprehensive Departmentwide cybersecurity strategy to 
address recurring weaknesses, (2) protecting IT infrastructure and 
sensitive information at DOT Operating Administrations (OA), and (3) 
coordinating with other agencies and industry partners on cybersecurity 
in the transportation sector.
---------------------------------------------------------------------------
    \1\ Executive Order 14028: Improving the Nation's Cybersecurity 
(May 12, 2021).
---------------------------------------------------------------------------
                                Summary
    While DOT has formalized and documented most of the policies and 
procedures for its cybersecurity program, the Department continues to 
face significant challenges in its implementation. These challenges are 
due to persistent deficiencies caused by the inconsistent enforcement 
of an enterprise-wide information security program, ineffective 
communication with the OAs, leadership gaps, and inadequate efforts to 
remediate the issues associated with 66 of our prior-year audit 
recommendations. As a result, DOT faces the risk that its mission-
critical systems could be compromised. While working to strengthen its 
cybersecurity posture across the Department, DOT must also address 
ongoing challenges in protecting the IT infrastructure that its OAs 
manage and monitor. These challenges include selecting and implementing 
more stringent security controls \2\ for the Federal Aviation 
Administration's (FAA) high-impact systems that are critical for safely 
managing air traffic. We also recently reported that the Federal 
Transit Administration's (FTA) financial management systems have 
several security control deficiencies that could affect its ability to 
approve, process, and disburse billions of dollars of grant funds. 
Furthermore, our ongoing series of audits of the cybersecurity postures 
at multiple OAs has identified security weaknesses that could 
compromise millions of sensitive data records, including personally 
identifiable information (PII). These weaknesses are of particular 
concern given that OA networks are connected to DOT's overall IT 
infrastructure, exposing it to further risk. Finally, as one of the 
lead agencies \3\ in protecting the critical infrastructure of the 
Nation's transportation sector, DOT must effectively partner with other 
Federal agencies and the private sector to improve cybersecurity, such 
as when securing cloud-based services. Such efforts are critically 
important because the incapacitation or destruction of transportation 
assets, systems, and networks would have a debilitating effect on the 
Nation.
---------------------------------------------------------------------------
    \2\ Security controls are safeguards or countermeasures designed to 
protect the confidentiality, integrity, and availability of information 
that is processed, stored, or transmitted by systems or organizations 
and to manage information security risk.
    \3\ The other lead agency is the Department of Homeland Security.
---------------------------------------------------------------------------
                               Background
    New guidance from the President has changed the manner in which 
executive agencies must identify and manage risk associated with 
information systems. Issued on May 12, 2021, Executive Order 14028: 
Improving the Nation's Cybersecurity, directs the Federal Government to 
improve its efforts to identify, deter, protect against, detect, and 
respond to persistent and increasingly sophisticated malicious cyber 
campaigns that threaten the public and private sectors and ultimately 
the security and privacy of the American people. To protect our Nation 
from malicious cyber actors and foster a more secure cyberspace, the 
Order also requires the Federal Government to partner with the private 
sector, which must adapt to the continuously changing threat 
environment and ensure its products are built and operate securely.
    DOT's Office of the Chief Information Officer (OCIO), under 
authority granted by the Secretary of Transportation, has issued the 
Departmental Cybersecurity Policy,\4\ which establishes the policies, 
processes, procedures, and standards of the DOT cybersecurity program. 
The policy also implements the mandatory requirements specified for all 
Federal agencies in the Federal Information Security Modernization Act 
of 2014 (FISMA), as amended,\5\ and other laws, regulations, and 
standards related to information security, information assurance, and 
network security. FISMA requires Federal agencies to develop, document, 
and implement agencywide cybersecurity programs to protect the 
information and information systems that support their operations and 
assets. Under FISMA, DOT must provide information security protection 
commensurate with the risk and magnitude of the harm that could result 
from unauthorized access, use, disclosure, disruption, modification, or 
destruction of:
---------------------------------------------------------------------------
    \4\ DOT Order 1351.37, Departmental Cybersecurity Policy, July 14, 
2017.
    \5\ Pub. L. No. 113-283 (December 18, 2014).
---------------------------------------------------------------------------
      information collected or maintained by or on behalf of 
DOT; and
      information systems used or operated by DOT employees or 
contractors or by another organization on DOT's behalf.

    DOT is also required to implement mandatory cybersecurity 
requirements issued by other entities, including, but not limited to, 
the White House, Congress, Department of Homeland Security (DHS), 
Office of Management and Budget(OMB), and National Institute of 
Standards and Technology (NIST). The Department has adopted NIST's Risk 
Management Framework as the standard methodology for security 
authorization for its information systems and continuous monitoring of 
security controls.
  Developing a Comprehensive Departmentwide Cybersecurity Strategy To 
                      Address Recurring Weaknesses
    For the most part, DOT has formalized and documented its 
cybersecurity policies and procedures for protecting its information 
systems and data. Specifically the Departmental Cybersecurity Policy, 
and its supplement, the Departmental Cybersecurity Compendium, 
authorize DOT's Chief Information Officer (CIO) to secure all IT, 
information systems, networks, and data that support DOT operations. 
Moreover, in the wake of increased telework during the Coronavirus 
Disease 2019 (COVID-19) pandemic, the OCIO upgraded security and 
tripled departmental network bandwidth. These actions ensured that 
employees working from home could access systems and data to fulfill 
their responsibilities.
    The Department's formal policies align with Federal guidelines--
specifically, those for security controls for identifying and managing 
risks, protecting information systems, detecting potential 
cybersecurity incidents, and responding to and recovering from 
incidents. However, DOT does not implement them in a consistent or 
comprehensive manner. As a result, the Department faces the risk that 
its mission-critical systems could be compromised.
    Since 2003, we have conducted annual reviews of DOT's information 
security programs and practices, in accordance with FISMA requirements. 
As we reported in our most recent FISMA audit,\6\ the Department has 
yet to address longstanding cybersecurity deficiencies related to its 
practices for protecting its mission-critical systems from unauthorized 
access, alteration, or destruction. For example, we continue to note 
inconsistencies in DOT's implementation of its cybersecurity program 
(see table).
---------------------------------------------------------------------------
    \6\ Quality Control Review of the Independent Auditor's Report on 
the Assessment of DOT's Information Security System Program and 
Practices (OIG Report No. QC2022006), October 25, 2021. OIG reports are 
available on our website: https://www.oig.dot.gov/.

                     Table. Weaknesses in DOT's Implementation of Its Cybersecurity Program
----------------------------------------------------------------------------------------------------------------
                 Category                                      Issues OIG Identified in 2021
----------------------------------------------------------------------------------------------------------------
Risk management..........................   Inventories: DOT did not maintain accurate and complete inventories
                                            of all OA information systems and was unable to demonstrate that it
                                                    had a formal process in place for ensuring the accuracy and
                                           completeness of the hardware asset inventories it reports to OMB--key
                                                          prerequisites to an effective risk-management program
                                          ----------------------------------------------------------------------
                                           Security controls: DOT did not always test the security controls for
                                            its information systems or properly approve security assessment and
                                                                                    authorization documentation
                                          ----------------------------------------------------------------------
                                               Tracking vulnerabilities: DOT did not always report, manage, and
                                                    close security weaknesses identified in plans of action and
                                                                                             milestones (POA&M)
                                          ----------------------------------------------------------------------
                                             Supply chain risk management: DOT has not developed a supply chain
                                                risk management strategy and implementation plan to ensure that
                                                      external providers comply with departmental cybersecurity
                                                                                                   requirements
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Protecting DOT's information systems from         Configuration management: DOT has not consistently remediated
 risk of compromise......................   vulnerabilities related to unsupported operating systems, unpatched
                                                    applications, and configuration weaknesses, which may allow
                                                     unauthorized access into mission-critical systems and data
                                          ----------------------------------------------------------------------
                                               Identity and access management: Employees and contractors do not
                                              always access the DOT network with personal identity verification
                                             (PIV) cards because many Department systems are not enabled to use
                                                                               PIV cards or do not require them
                                          ----------------------------------------------------------------------
                                                Data protection and privacy: DOT does not always review privacy
                                            documentation designed for the protection of PII each year; in some
                                             cases, the documentation is not current or has not been developed.
                                              This puts the PII stored in DOT's information systems at risk for
                                                                                                     compromise
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Detecting potential cybersecurity threats      Information security continuous monitoring: DOT does not conduct
                                           annual security control assessments on some systems. As a result, it
                                           lacks an ongoing awareness of information security, vulnerabilities,
                                                                         and threats to systems and information
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Responding to cybersecurity incidents....  Incident response: DOT did not provide evidence that it evaluates the
                                                 effectiveness of its incident response technologies or adjusts
                                            configurations and toolsets as appropriate, raising questions about
                                               the effectiveness of its automated detection capabilities. DOT's
                                           Security Operations Center also does not have file-integrity checking
                                                                software for detecting signs of cyber incidents
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Recovering from cybersecurity incidents..  Contingency plans: DOT does not test all of its contingency plans on
                                             an annual basis; other plans have not been developed, reviewed, or
                                                updated in a timely manner. Comprehensive testing is crucial to
                                               ensure organizational systems and data are available and that IT
                                                           systems and applications can function during outages
----------------------------------------------------------------------------------------------------------------

                  Source: Independent auditor analysis

    Many of these and other weaknesses can be attributed to the 
Department's lack of progress in addressing our 66 prior-year audit 
recommendations. DOT has struggled to remediate its security weaknesses 
in a timely manner and has yet to close 10,663 vulnerabilities 
associated with its information systems, as compared with the 10,385 
weaknesses we found in 2020.\7\ Figure 1 identifies the number of DOT 
plans of action and milestones (POA&M) that have remained open for the 
past 6 years.
---------------------------------------------------------------------------
    \7\ Quality Control Review of the Independent Auditor's Report on 
the Assessment of DOT's Information Security Program and Practices (OIG 
Report No. QC2021003), October 26, 2020.
---------------------------------------------------------------------------

   Figure 1. Total Number of Open Departmentwide POA&Ms Since FY 2016


                    Source: OIG analysis of DOT data

    Furthermore, as early as 2012, we identified high-risk security 
vulnerabilities--including inconsistent software updates--that an 
attacker could exploit to control systems or access files and data. 
Since 2013, DOT has not had a comprehensive and accurate inventory of 
its information systems and, as a result, may be unable to identify and 
address all system vulnerabilities. The Department has also not 
resolved our 2018 recommendation to develop and maintain accurate 
inventories of cloud systems, contractor systems, and websites that 
allow public access. The lack of accurate inventories of its hardware 
assets may be even more critical in light of the increased use of 
telework in response to COVID-19.
    These vulnerabilities are compounded by the inconsistent 
enforcement of a Departmentwide information security program. For one, 
DOT has not had a permanent Chief Information Security Officer with the 
leadership authority to perform effective oversight and ensure 
accountability for departmental information security improvements for 
close to a year. Thus, it is challenging for DOT to move forward with a 
continuity of strategy that can affect long-term changes. To address 
these longstanding and recurring cybersecurity weaknesses, we made one 
overarching key recommendation to the Department this year: require the 
OCIO to develop a multiyear strategy and approach--complete with 
objective milestones and resource commitments--to implement the 
necessary corrective actions to ensure an effective information 
security program. To DOT's credit, it agreed with our recommendation 
and directed the CIO to develop and implement such an approach by 
December 2022.
Protecting IT Infrastructure and Sensitive Information at DOT Operating 
                            Administrations
    Our recent audit work shows that DOT faces ongoing challenges 
protecting the IT infrastructure that its OAs manage and monitor. This 
infrastructure includes systems that are integral to the safe and 
efficient operation of our Nation's transportation system; help manage 
the disbursement of billions of dollars to grantees; and contain 
sensitive information, including PII.
Strengthening Security Controls for High-Impact Systems at FAA
    The Department faces some of its most significant cybersecurity 
challenges at FAA, which owns 325--or about 75 percent--of DOT's 431 
information technology systems. Specifically, FAA operates a vast 
network of systems and facilities for managing air traffic in the 
National Airspace System (NAS). This complex network has evolved over 
the years into an amalgam of diverse legacy radars and newer satellite-
based systems for tracking aircraft, as well as a new initiative for 
controllers and pilots to share information through data link 
communications.
    Recognizing the importance of protecting its infrastructure from 
rapidly evolving cyber-based threats, FAA recently re-categorized 45 
low- and moderate-impact systems as high impact. According to the 
Federal Information Processing Standards,\8\ a high-impact system is 
one in which a security breach or loss is expected to have a severe or 
catastrophically adverse effect on organizational operations, assets, 
or individuals. For example, one of the recently re-categorized systems 
is the En Route Automation Modernization system, which air traffic 
controllers rely on to manage high-altitude air traffic nationwide.
---------------------------------------------------------------------------
    \8\ Federal Information Processing Standards Publication 199 (FIPS 
199), Standards for Security Categorization of Federal Information and 
Information Systems, February 2004.
---------------------------------------------------------------------------
    Re-categorizing a system as high impact creates more stringent 
security control requirements to safeguard the confidentiality, 
integrity, and availability of information processed or stored on the 
system. However, we recently reported that FAA lacks formalized 
policies and procedures for selecting and implementing high security 
controls for its high-impact systems.\9\ As FAA's reliance on 
interconnectivity increases, so does the risk of cybersecurity 
breaches, which can have a significant impact on the NAS. To increase 
cybersecurity, FAA must complete its selection and implementation of 
all required high-security controls for these mission-critical systems.
---------------------------------------------------------------------------
    \9\ FAA Is Taking Steps to Properly Categorize High-Impact 
Information Systems but Security Risks Remain Until High Security 
Controls Are Implemented (OIG Report No. IT2021033), August 2, 2021.
---------------------------------------------------------------------------
Protecting FTA's Financial Management Systems
    We recently reported \10\ that FTA's financial management systems 
have several security control deficiencies that could affect the 
Agency's ability to approve, process, and disburse grant funds, 
including nearly $70 billion in COVID-19 relief appropriations. 
Security controls for FTA financial management systems are especially 
critical given that the transit industry is vulnerable to cyberattacks. 
For example, we reported that in 2020 and 2021, at least five FTA grant 
recipients were victims of cyberattacks that exposed PII, personnel 
data, and financial data. Grant recipients' security incidents may 
result in the compromise of usernames and credentials and expose FTA to 
cyberattacks that may delay the distribution of COVID-19 related funds 
to recipients.
---------------------------------------------------------------------------
    \10\ FTA Does Not Effectively Assess Security Controls or Remediate 
Cybersecurity Weaknesses To Ensure the Proper Safeguards Are in Place 
To Protect Its Financial Management Systems (OIG Report No. IT2022005), 
October 20, 2021.
---------------------------------------------------------------------------
    Despite these risks, we found that FTA did not always effectively 
select, document, implement, and monitor the security controls for its 
financial management systems. For example, FTA security officials 
reported that 139 of 269 security controls were satisfied, but we found 
they were not tested or implemented as required. As a result of these 
and other issues, FTA officials may not have accurate pictures of 
security risks. Additionally, FTA has not remediated longstanding 
security control weaknesses that it has identified since 2016--
including issues with multifactor authentication--which increases the 
risk that malicious actors could gain unauthorized access. Other 
weaknesses include unsecure databases, a lack of integrity monitoring 
tools, and insufficient contingency and incident response planning. If 
compromised, these weaknesses could lead to a cybersecurity attack.
Safeguarding PII by Preventing Cyberattacks at Multiple OAs
    Several of our recent reviews have raised concerns regarding 
whether the OAs have the appropriate security controls in place to 
protect DOT's networks and information systems from unauthorized 
access, including insider threats. In our recent audits of the 
cybersecurity postures at the Volpe National Transportation Systems 
Center (Volpe), Maritime Administration (MARAD), and Federal Motor 
Carrier Safety Administration (FMCSA),\11\ we identified and could have 
exploited security weaknesses and accessed millions of data records. As 
part of our vulnerability assessments and penetration testing, we were 
able to access to millions of sensitive records, including PII (see 
figure 2).
---------------------------------------------------------------------------
    \11\ The Volpe Center's Information Technology Infrastructure Is at 
Risk for Compromise (OIG Report No. FI2016056), March 22, 2016; The 
Maritime Administration's Information Technology Infrastructure Is at 
Risk for Compromise (OIG Report No. FI2019057), July 24, 2019; FMCSA's 
IT Infrastructure Is at Risk of Compromise (OIG Report No. IT2022003), 
October 20, 2021.
---------------------------------------------------------------------------

   Figure 2. Number of Unauthorized PII Records That OIG Was Able To 
                   Access at Volpe, MARAD, and FMCSA


   Source: Results of OIG audits of Volpe, MARAD, and FMCSA security 
       postures conducted in 2016, 2019, and 2021, respectively.

    For example, we successfully penetrated FMCSA's infrastructure and 
gained unauthorized access to 13 million PII records. If breached, 
these systems could have cost the Department millions of dollars in 
credit monitoring fees to protect affected individuals from identity 
theft. We also identified recurring weaknesses that we could exploit, 
including poor security practices, such as weak administrative-level 
login credentials, unpatched servers and workstations, and a lack of 
encryption of sensitive data.
    Many of the weaknesses we found at FMCSA also tie into the same 
persistent enterprise-level security risks we found during our audits 
of MARAD and Volpe's IT networks and systems. These weaknesses are of 
particular concern given that these OAs' networks process, store, and 
transmit a substantial amount of sensitive information and are 
connected to DOT's overall network. Until the Department implements 
appropriate safeguards and countermeasures to protect its networks, DOT 
and its OAs will continue to be at risk for an enterprise-wide 
cybersecurity attack that could have a major impact on mission-critical 
systems. We plan to continue to review the IT infrastructure at 
individual OAs; our fourth audit in this series will focus on the 
Federal Highway Administration.
   Coordinating With Other Agencies and Industry Partners To Ensure 
               Cybersecurity in the Transportation Sector
    As a lead agency in protecting the critical infrastructure of the 
Nation's transportation sector, DOT must partner effectively with other 
Federal agencies and industry to mitigate vulnerabilities and ensure 
cybersecurity. Both DHS and DOT have the authority and responsibility 
to protect the U.S. transportation sector from physical and cyber 
threats.\12\ DOT also coordinates with other Federal agencies and 
industry partners. For example, the FAA Extension, Safety, and Security 
Act of 2016 directs FAA to develop a comprehensive, strategic framework 
to reduce cybersecurity risks to civil aviation. FAA's efforts to 
implement this framework involve coordinating and collaborating on 
aviation cybersecurity with DHS and the Department of Defense through 
the Aviation Cyber Initiative. Protecting flight-critical systems--and 
the safety of the flying public--from rapidly evolving cyber-based 
threats also requires the cooperation of aviation stakeholders from 
industry, airlines, airports, and manufacturers.
---------------------------------------------------------------------------
    \12\ See Executive Order 14028: Improving the Nation's 
Cybersecurity (May 12, 2021) and Presidential Policy Directive 21: 
Critical Infrastructure Security and Resilience (February 12, 2013).
---------------------------------------------------------------------------
    DOT's collaboration and coordination across the transportation 
sector is of critical importance because the incapacitation or 
destruction of transportation assets, systems, or networks would have a 
debilitating effect on the Nation's security, economy, and public 
health and safety. On May 8, 2021, for example, the Colonial Pipeline 
Company announced that it had halted its pipeline operations due to a 
ransomware attack, disrupting critical supplies of gasoline and other 
refined products throughout the East Coast. This incident and other 
cyberattacks have elevated concerns about the security of the Nation's 
critical infrastructure, including energy pipelines and the 
transportation sector.
    Accordingly, we will monitor DOT's ongoing efforts to ensure 
cybersecurity in the transportation sector, particularly as it 
increasingly relies on private-sector partners for internet-based 
computing services (commonly referred to as cloud services) to address 
IT needs. To that end, we have initiated a review of the Department's 
strategy to secure cloud services and transition toward zero trust 
architecture, key provisions of Executive Order 14028. As defined by 
NIST,\13\ zero trust focuses on protecting resources (assets, services, 
workflows, network accounts, etc.), rather than network location, which 
is no longer seen as the prime component of an entity's security 
posture. We will keep the committee updated on our progress in 
monitoring and assessing the Department's cybersecurity program, 
including its partnerships with the private sector and other agencies.
---------------------------------------------------------------------------
    \13\ NIST Special Publication 800-207, Zero Trust Architecture, 
August 2020. Zero trust assumes there is no implicit trust granted to 
assets or user accounts based solely on their physical or network 
location (i.e., local area networks versus the internet) or on asset 
ownership (enterprise or personally owned).
---------------------------------------------------------------------------
                               Conclusion
    DOT's cybersecurity program is critical to protect its vast network 
of IT systems from malicious attacks and other breaches that pose a 
threat to the U.S. transportation system. In today's rapidly evolving 
cybersecurity landscape, and as the Nation embarks on a new journey to 
upgrade and improve its transportation infrastructure, DOT faces 
significant challenges in strengthening its systems while adapting to 
new and rising challenges and threats. We remain committed to 
supporting the Department's efforts as it works to remediate existing 
vulnerabilities and bolster DOT's overall cybersecurity posture. We 
will continue to update you on our work on these and related matters.
    This concludes my prepared statement. I would be happy to address 
any questions from you or Members of the Committee at this time.

    Mr. DeFazio. Thank you. Thank you, Mr. Dorsey.
    And now, finally--this is ridiculous [referring to his 
laryngitis]--Mr. Nick Marinos.
    Mr. Marinos. Thank you, Chairman DeFazio, Ranking Member 
Graves, and members of the committee for inviting GAO to 
contribute to this important discussion about critical 
infrastructure cybersecurity.
    As you know, our Nation's infrastructure increasingly 
relies on IT systems to carry out operations, and the 
protection of these systems is vital to public confidence and 
safety, and to national security.
    GAO has long emphasized the urgent need for the Federal 
Government to improve its ability to protect against cyber 
threats to our Nation's infrastructure. In fact, we have 
designated cybersecurity as a Governmentwide, high-risk area 
since 1997. Our most recent high-risk updates to Congress 
emphasize the need for the Federal Government to address major 
cybersecurity challenges through 10 critical actions. Today I 
will focus on two of them.
    The first is the need to develop and execute a 
comprehensive, national cyber strategy, and the second is the 
need to strengthen the Federal role in protecting critical 
infrastructure from cyber threats.
    Over the last several decades, the Federal Government has 
struggled in establishing a national strategy to guide how we 
plan to engage both domestically and internationally on cyber-
related issues. Last year, we reported that the prior 
administration's national cyber strategy needed improvements, 
and that it was unclear which official was ultimately 
responsible for coordinating the execution of the national 
strategy. We recommended that the National Security Council 
update the document, and that Congress consider passing 
legislation to designate a position in the White House to lead 
such an effort.
    In January, we saw Congress pass a law that established the 
Office of the National Cyber Director within the Executive 
Office of the President. And in June, the Senate confirmed a 
Director to lead this new office. While this is an important 
step forward, until we see the executive branch establish a 
comprehensive strategy, our Government will continue to operate 
without a clear roadmap for how it intends to overcome the 
cyber threats facing the Nation.
    We have also long reported that the Federal Government has 
been challenged in working with the private sector to protect 
our Nation's critical infrastructure from cyberattacks. Since 
2010, we have made over 80 recommendations aimed at 
strengthening the role in critical infrastructure. This 
includes by enhancing the capabilities and services of DHS's 
Cybersecurity and Infrastructure Security Agency, known as 
CISA, and ensuring that Federal agencies with sector-specific 
responsibilities are providing their sector partners with the 
effective guidance and support they need. These include 
important corrective actions within the transportation sector, 
too, such as improving FAA's oversight of commercial airplane 
cybersecurity, and TSA's oversight of the cybersecurity of both 
critical pipeline and passenger rail systems.
    Finally, I would like to highlight the urgency for Federal 
agencies to implement all of the cyber-related recommendations 
that have come out of the work performed by GAO and the 
inspectors general. Since 2010, GAO has made over 3,700 
recommendations on cyber-related topics. Many of these 
recommendations extend far beyond topics related to critical 
infrastructure, but they represent work that is needed to 
elevate the entire Federal Government in its ability to tackle 
today's cyber problems, and to anticipate those we will face in 
the future.
    For example, they deal with important workforce issues, 
such as our recommendation to the Department of Transportation 
that it assess its skill gaps in order to better oversee 
automated technologies like those that control planes, trains, 
or vehicles without human intervention.
    They also call for improvements to Federal agencies' own 
protections, such as through our recommendations to DHS that it 
work with agencies, including FAA, to better implement 
cybersecurity tools that check for vulnerabilities and insecure 
configurations on agency networks.
    Although agencies deserve credit for implementing many of 
our recommendations, over 900 still have yet to be implemented, 
including over 50 related to improving critical infrastructure 
cybersecurity. So clearly, there is a lot more work to do, and 
we think that agencies need to move with a greater sense of 
urgency to improve their cybersecurity protections.
    In summary, in order for our Nation to overcome its ever-
mounting and increasing array of cyber-related challenges, our 
Federal Government needs to do a better job of implementing 
strategy, oversight, and coordination among Federal agencies, 
and with the owners and operators that are on the front lines 
of this digital battle.
    This concludes my remarks, and I look forward to answering 
any questions you may have. Thank you.
    [Mr. Marinos's prepared statement follows:]

                                 
 Prepared Statement of Nick Marinos, Director, Information Technology 
        and Cybersecurity, U.S. Government Accountability Office
 Cybersecurity: Federal Actions Urgently Needed to Better Protect the 
                    Nation's Critical Infrastructure
    Chairman DeFazio, Ranking Member Graves, and Members of the 
Committee:
    Thank you for the opportunity to contribute to today's discussion 
on federal perspectives to secure the nation's infrastructure. As you 
know, our nation's critical infrastructure sectors are dependent on 
information technology (IT) systems and digital data to carry out 
operations and to process, maintain, and report essential 
information.\1\ The security of these systems and data is vital to 
public confidence and national security, prosperity, and well-being.
---------------------------------------------------------------------------
    \1\ The term ``critical infrastructure,'' as defined in the Uniting 
and Strengthening America by Providing Appropriate Tools Required to 
Intercept and Obstruct Terrorism Act of 2001, refers to systems and 
assets, whether physical or virtual, so vital to the United States that 
their incapacity or destruction would have a debilitating impact on 
security, national economic security, national public health or safety, 
or any combination of these. 42 U.S.C. Sec.  5195c(e). Federal policies 
identify 16 critical infrastructure sectors: chemical; commercial 
facilities; communications; critical manufacturing; dams; defense 
industrial base; emergency services; energy; financial services; food 
and agriculture; government facilities; health care and public health; 
information technology; nuclear reactors, materials, and waste; 
transportation systems; and water and wastewater systems.
---------------------------------------------------------------------------
    We have long stressed the urgent need for effective cybersecurity, 
as underscored by increasingly sophisticated threats and frequent cyber 
incidents.\2\ Recent events, including the ransomware attack that led 
to a shutdown of a major U.S. fuel pipeline, have illustrated that the 
nation's critical infrastructure and the federal government's IT 
systems continue to face growing cyber threats.\3\ The cybersecurity of 
critical infrastructure sectors has been a long-standing challenge for 
the federal government, underscored by the need for federal agencies to 
improve their own cybersecurity posture and enhance the cybersecurity 
support provided to the nation's critical infrastructure.
---------------------------------------------------------------------------
    \2\ See, for example, GAO, Cybersecurity and Information 
Technology: Federal Agencies Need to Strengthen Efforts to Address 
High-Risk Areas, GAO-21-105325 (Washington, D.C.: July 28, 2021) and 
High-Risk Series: Federal Government Needs to Urgently Pursue Critical 
Actions to Address Major Cybersecurity Challenges, GAO-21-288 
(Washington, D.C.: Mar. 24, 2021).
    \3\ For more information regarding such recent events, see GAO, 
Cybersecurity: Federal Agencies Need to Implement Recommendations to 
Manage Supply Chain Risks, GAO-21-594T (Washington, D.C.: May 25, 
2021). Ransomware is a type of malware used to deny access to IT 
systems or data and hold the systems or data hostage until a ransom is 
paid.
---------------------------------------------------------------------------
    At your request, my remarks today will focus on the federal 
government's efforts to address the cybersecurity of the nation's 
critical infrastructure and will highlight critical areas where we have 
identified an urgent need for improvement. This statement is based on 
the results of our prior work, which includes the reports and 
testimonies that we cite throughout this statement. To develop the 
statement, we reviewed prior reports and testimonies that described 
cyber-related challenges faced by the nation and the extent to which 
federal entities have taken actions to address them. More detailed 
information about our scope and methodology can be found in the 
products cited throughout this statement.
    We conducted the work on which this statement is based in 
accordance with all sections of GAO's Quality Assurance Framework that 
are relevant to our objectives. The framework requires that we plan and 
perform the engagement to obtain sufficient and appropriate evidence to 
meet our stated objectives and to discuss any limitations in our work. 
We believe that the information and data obtained, and the analysis 
conducted, provide a reasonable basis for any findings and conclusions.
                               Background
    Information systems supporting federal agencies and our nation's 
critical infrastructure--such as transportation systems, 
communications, education, energy, and financial services--are 
inherently at risk. These systems are highly complex and dynamic, 
technologically diverse, and often geographically dispersed. This 
complexity increases the difficulty in identifying, managing, and 
protecting the numerous operating systems, applications, and devices 
comprising the systems and networks. Compounding the risk, systems and 
networks used by federal agencies and our nation's critical 
infrastructure are also often interconnected with other internal and 
external systems and networks, including the internet.
    With this greater connectivity, threat actors are increasingly 
willing and capable of conducting a cyberattack on our nation's 
critical infrastructure that could be disruptive and destructive. The 
2021 Annual Threat Assessment of the U.S. Intelligence Community and 
the 2020 Homeland Threat Assessment noted that criminal groups and 
nations pose the greatest cyberattack threats to our nation.\4\ 
According to the 2020 assessment, both criminal groups and nation cyber 
actors--motivated by profit, espionage, or disruption--will exploit the 
Coronavirus Disease 2019 (COVID-19) pandemic by targeting the U.S. 
health care and public health sector, government response entities, and 
the broader emergency services sector.
---------------------------------------------------------------------------
    \4\ Office of the Director of National Intelligence, Annual Threat 
Assessment of the U.S. Intelligence Community (April 9, 2021). 
Department of Homeland Security, Homeland Threat Assessment (October 6, 
2020).
---------------------------------------------------------------------------
    Recent events highlight the significant cyber threats facing the 
nation. For example,
      In May 7, 2021, the Colonial Pipeline Company learned 
that it was the victim of a cyberattack. A joint alert from the 
Cybersecurity and Infrastructure Security Agency (CISA) and the Federal 
Bureau of Investigation (FBI) indicated that malicious actors used 
ransomware against Colonial Pipeline's information technology 
network.\5\ The alert also explained that, to ensure the safety of the 
pipeline, the company disconnected certain industrial control systems 
that monitor and control physical pipeline functions so that they would 
not be compromised by the criminals. According to CISA and the FBI, as 
of May 11, 2021, there was no indication that the threat actors had 
compromised the industrial control systems. However, disconnecting 
these systems resulted in a temporary halt to all pipeline operations. 
This, in turn, led to gasoline shortages throughout the southeast 
United States.
---------------------------------------------------------------------------
    \5\ CISA and the FBI, DarkSide Ransomware: Best Practices for 
Preventing Business Disruption from Ransomware Attacks, Alert (AA21-
131A), May 11, 2021.
---------------------------------------------------------------------------
      In February 2021, CISA issued an alert explaining that 
cyber threat actors obtained unauthorized access to a U.S. water 
treatment facility's industrial controls systems and attempted to 
increase the amount of a caustic chemical that is used as part of the 
water treatment process. According to CISA, threat actors likely 
accessed systems by exploiting cybersecurity weakness, including poor 
password security and an outdated operating system.
      In December 2020, CISA issued an emergency directive and 
alert explaining that an advanced persistent threat actor had 
compromised the supply chain of a network management software suite and 
inserted a ``backdoor''--a malicious program that can potentially give 
an intruder remote access to an infected computer--into a genuine 
version of that software product. The malicious actor then used this 
backdoor, among other techniques, to initiate a cyberattack campaign 
against U.S. government agencies, critical infrastructure entities, and 
private sector organizations.
GAO Has Previously Identified Four Major Cybersecurity Challenges 
        Facing the Nation
    To underscore the importance of this issue, we have designated 
information security as a government-wide high-risk area since 1997.\6\ 
In 2003, we added the protection of critical infrastructure to the 
information security high-risk area, and, in 2015, we further expanded 
this area to include protecting the privacy of personally identifiable 
information.\7\
---------------------------------------------------------------------------
    \6\ GAO, High-Risk Series: Information Management and Technology, 
HR-97-9 (Washington, D.C.: Feb. 1997). GAO maintains a high-risk 
program to focus attention on government operations that it identifies 
as high-risk due to their greater vulnerabilities to fraud, waste, 
abuse, and mismanagement or the need for transformation to address 
economy, efficiency, or effectiveness challenges.
    \7\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, D.C.: 
Feb. 11, 2015) and High-Risk Series: An Update, GAO-03-119 (Washington, 
D.C.: Jan. 2003).
---------------------------------------------------------------------------
    In our high-risk updates from September 2018 and March 2021, we 
emphasized the critical need for the federal government to take 10 
specific actions to address four major cybersecurity challenges that 
the federal government faces.\8\ These challenges are: (1) establishing 
a comprehensive cybersecurity strategy and performing effective 
oversight, (2) securing federal systems and information, (3) protecting 
cyber critical infrastructure, and (4) protecting privacy and sensitive 
data. Figure 1 provides an overview of the critical actions needed to 
address these major cybersecurity challenges.
---------------------------------------------------------------------------
    \8\ GAO-21-288 and GAO, High-Risk Series: Urgent Actions Are Needed 
to Address Cybersecurity Challenges Facing the Nation, GAO-18-622 
(Washington, D.C.: Sept. 6, 2018).
---------------------------------------------------------------------------

      Figure 1: Ten Critical Actions Needed to Address Four Major 
                        Cybersecurity Challenges
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

  Source: GAO analysis; images: peshkov/stock.adobe.com; Gorodenkoff/
     stock.adobe.com; metamorworks/stock.adobe.com; Monster Ztudio/
                     stock.adobe.com. GAO-22-105530

    Since 2010, we have made about 3,700 recommendations related to our 
high-risk area focused on enhancing our nation's cybersecurity efforts. 
As of November 2021, about 900 of those recommendations had yet to be 
implemented.
    As indicated by the figure above, these recommendations include but 
also extend far beyond topics related to critical infrastructure 
cybersecurity, representing work across all of the high-risk challenge 
areas and calling for urgent actions to help address them. The 
following examples reflect the wide range of challenge areas:
      Cybersecurity workforce management. In December 2020, we 
reported that the U.S. Department of Transportation's (DOT) workforce 
faced challenges related to overseeing the safety of automated 
technologies, such as those that control a function or task of a plane, 
train, or vehicle without human intervention.\9\ These technologies 
require regulatory expertise as well as engineering, data analysis, and 
cybersecurity skills. Although DOT had identified most skills it needed 
to oversee automated technologies, it had not fully assessed whether 
its workforce had these skills. Accordingly, we recommended that DOT 
(1) assess skill gaps in key occupations involved in overseeing 
automated technologies and (2) regularly measure the progress of 
strategies implemented to close skill gaps. As of November 2021, these 
recommendations had not yet been fully implemented, although DOT 
reported it intended to so by June 2022.
---------------------------------------------------------------------------
    \9\ GAO, Automated Technologies: DOT Should Take Steps to Ensure 
Its Workforce Has Skills Needed to Oversee Safety, GAO-21-197 
(Washington, D.C.: Dec. 18, 2020).
---------------------------------------------------------------------------
      Government-wide cybersecurity initiatives. Federal 
agencies face cyber threats against that continue to grow in number and 
sophistication. The Continuous Diagnostics and Mitigation (CDM) program 
was established to provide federal agencies with tools and services 
that have the intended capability to automate network monitoring, 
correlate and analyze security-related information, and enhance risk-
based decision making at agency and government-wide levels. In August 
2020, we reported that selected agencies--the Federal Aviation 
Administration (FAA), Indian Health Services, and Small Business 
Administration--had generally deployed these tools intended to provide 
cybersecurity data to support the Department of Homeland Security's 
(DHS) CDM program.\10\ However, while agencies reported that the 
program improved their network awareness, none of the three agencies 
had effectively implemented all key CDM program requirements. As part 
of our review, we made six recommendations to DHS and nine 
recommendations to the three selected agencies. DHS and the selected 
agencies concurred with the recommendations. As of November 2021, only 
one of the recommendations made to DHS had been implemented.
---------------------------------------------------------------------------
    \10\ GAO, Cybersecurity: DHS and Selected Agencies Need to Address 
Shortcomings in Implementation of Network Monitoring Program, GAO-20-
598 (Washington, D.C.: Aug. 18, 2020).
---------------------------------------------------------------------------
      Federal agency cybersecurity risk management. In July 
2019, we reported on key practices for establishing an agency-wide 
cybersecurity risk management program that include designating a 
cybersecurity risk executive, developing a risk management strategy and 
policies to facilitate risk-based decisions, assessing cyber risks to 
the agency, and establishing coordination with the agency's enterprise 
risk management program.\11\ Although the 23 agencies we reviewed 
almost always designated a risk executive, they often did not fully 
incorporate other key practices in their programs, such as (1) 
establishing a cybersecurity risk management strategy to delineate 
boundaries for risk-based decisions; (2) establishing a process for 
assessing agency-wide cybersecurity risks; and (3) establishing a 
process for coordinating between cybersecurity and enterprise risk 
management programs for managing all major risks.\12\ We made 57 
recommendations to the 23 agencies to address the challenges identified 
in our report. As of November 2021, 25 of these recommendations had yet 
to be implemented.
---------------------------------------------------------------------------
    \11\ GAO, Cybersecurity: Agencies Need to Fully Establish Risk 
Management Programs and Address Challenges, GAO-19-384 (Washington, 
D.C.: July 25, 2019).
    \12\ The 23 civilian CFO Act agencies are the Departments of 
Agriculture, Commerce, Education, Energy, Health and Human Services, 
Homeland Security, Housing and Urban Development, the Interior, 
Justice, Labor, State, Transportation, the Treasury, and Veterans 
Affairs; the Environmental Protection Agency; General Services 
Administration; National Aeronautics and Space Administration; National 
Science Foundation; Nuclear Regulatory Commission; Office of Personnel 
Management; Small Business Administration; Social Security 
Administration; and the U.S. Agency for International Development. 
There are 24 CFO Act agencies. We did not include the Department of 
Defense because our scope was the civilian agencies.
---------------------------------------------------------------------------
Federal Law and Policy Establish Requirements for Critical 
        Infrastructure Cybersecurity
    Federal law and policy establish roles and responsibilities for the 
protection of critical infrastructure, discussed in chronological 
order.
      Executive Order 13636. In February 2013, the White House 
issued Improving Critical Infrastructure Cybersecurity, Executive Order 
13636, which called for a partnership with the owners and operators of 
critical infrastructure to improve cybersecurity-related information 
sharing.\13\ To do so, the order established mechanisms for promoting 
engagement between federal and private organizations. Among other 
things, the order designated nine federal sector-specific agencies with 
lead roles in protecting critical infrastructure sectors. The lead 
agencies coordinate federally sponsored activities within their 
respective sectors. Further, the order directed DHS, with help from the 
lead agencies, to identify, annually review, and update a list of 
critical infrastructure sectors for which a cybersecurity incident 
could reasonably result in catastrophic effects on public health or 
safety, economic security, or national security.
---------------------------------------------------------------------------
    \13\ The White House, Improving Critical Infrastructure 
Cybersecurity, Executive Order 13636 (Washington, D.C.: Feb. 12, 2013), 
78 Fed. Reg. 11739 (Feb. 19, 2013).
---------------------------------------------------------------------------
      Presidential Policy Directive 21. Also, in February 2013, 
the White House issued Presidential Policy Directive 21, Critical 
Infrastructure Security and Resilience, to further specify critical 
infrastructure responsibilities.\14\ Among other things, the policy 
directed DHS to coordinate with lead agencies to develop a description 
of functional relationships across the federal government related to 
critical infrastructure security and resilience. The policy further 
prescribed DHS, in coordination with lead agencies, to conduct an 
analysis and recommend options for improving public-private partnership 
effectiveness.
---------------------------------------------------------------------------
    \14\ The White House, Presidential Policy Directive/PPD-21: 
Critical Infrastructure Security and Resilience, (Washington, D.C.: 
Feb. 12, 2013).
---------------------------------------------------------------------------
      National Institute of Standards and Technology (NIST) 
Cybersecurity Framework. Executive Order 13636 directed NIST to lead 
the development of a flexible performance-based cybersecurity framework 
that was to include a set of standards, procedures, and processes.\15\ 
Further, the order directed the lead agencies, in consultation with DHS 
and other interested agencies, to coordinate with critical 
infrastructure partners to review the cybersecurity framework. The 
agencies, if necessary, should develop implementation guidance or 
supplemental materials to address sector-specific risks and operating 
environments.
---------------------------------------------------------------------------
    \15\ The Cybersecurity Enhancement Act of 2014 authorized NIST to 
facilitate and support the development of a voluntary set of standards 
to reduce cyber risks to critical infrastructure. 15 U.S.C. Sec.  
272(c)(15). The Framework for Improving Critical Infrastructure 
Cybersecurity represents that voluntary set of standards.
---------------------------------------------------------------------------
         In response to the order, in February 2014, NIST first 
published its framework--a voluntary, flexible, performance-based 
framework of cybersecurity standards and procedures. The framework, 
which was updated in April 2018, outlines a risk-based approach to 
managing cybersecurity that is composed of three major parts: a 
framework core, profiles, and implementation tiers.\16\ The framework 
core provides a set of activities to achieve specific cybersecurity 
outcomes and references examples of guidance to achieve those outcomes.
---------------------------------------------------------------------------
    \16\ National Institute of Standards and Technology, Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.1 
(Washington, D.C.: April 2018).
---------------------------------------------------------------------------
      Cybersecurity and Infrastructure Security Agency (CISA) 
Act of 2018. The November 2018 act established CISA,\17\ within DHS, to 
advance the mission of protecting federal civilian agencies' networks 
from cyber threats and to enhance the security of the nation's critical 
infrastructure in the face of both physical and cyber threats. To 
implement this legislation, CISA undertook a three-phase organizational 
transformation initiative aimed at unifying the agency, improving 
mission effectiveness, and enhancing the workplace experience for CISA 
employees.
---------------------------------------------------------------------------
    \17\ Cybersecurity and Infrastructure Security Agency Act of 2018, 
Pub. L. No. 115-278, 132 Stat. 4168, 4169, (Nov. 16, 2018) (codified at 
6 U.S.C. Sec. 652). The act renamed the DHS National Protection and 
Programs Directorate as CISA.
---------------------------------------------------------------------------
      National Defense Authorization Act (NDAA) for Fiscal Year 
2021. The act established roles and responsibilities for lead agencies, 
known as sector risk management agencies, in protecting the 16 critical 
infrastructure agencies.\18\ According to the act, the lead agencies 
are required to (1) coordinate with DHS and collaborate with critical 
infrastructure owners and operators, regulatory agencies, and others; 
(2) support sector risk management, in coordination with CISA; (3) 
assess sector risk, in coordination with CISA; (4) coordinate the 
sector, including by serving as a day-to-day federal interface for the 
prioritization and coordination of sector-specific activities; and (5) 
support incident management, including supporting CISA, upon request, 
in asset response activities.
---------------------------------------------------------------------------
    \18\ The William M. (Mac) Thornberry National Defense Authorization 
Act for Fiscal Year 2021 states that the term ``sector risk management 
agency'' replaces the term ``sector-specific agency'' in the Homeland 
Security Act of 2002. The NDAA amends the Homeland Security Act of 2002 
and sets out sector risk management agency responsibilities within this 
critical infrastructure framework. Pub. L. No. 116-283, Sec.  9002, 134 
Stat. 3388, 4768 (Jan. 1, 2021).
---------------------------------------------------------------------------
Federal Actions Urgently Needed to Protect Critical Infrastructure from 
                             Cyber Threats
    Over the last several decades, we have emphasized the urgent need 
for the federal government to improve its ability to protect against 
cyber threats to our nation's infrastructure. In recent high-risk 
updates, we emphasized the critical need for the federal government to 
address major cybersecurity challenges through critical actions. This 
includes the need for the federal government to (1) develop and execute 
a comprehensive national cyber strategy and (2) strengthen the federal 
role in protecting the cybersecurity of critical infrastructure.
Executive Branch Urgently Needs to Establish and Implement a 
        Comprehensive National Cyber Strategy
    We and others have reported on the challenges in establishing a 
comprehensive national strategy to guide how the United States 
government will engage both domestically and internationally on 
cybersecurity related matters. In September 2020, we reported that the 
prior administration's 2018 National Cyber Strategy \19\ and associated 
2019 Implementation Plan had collectively detailed the executive 
branch's approach to managing the nation's cybersecurity. However, 
these documents only addressed some, but not all, of the desirable 
characteristics of national strategies, such as goals and resources 
needed.\20\ Accordingly, we recommended that the National Security 
Council work with relevant federal entities to update cybersecurity 
strategy documents to include goals and resource information, among 
other things.\21\ The National Security Council staff neither agreed 
nor disagreed with our recommendation and has yet to address it.
---------------------------------------------------------------------------
    \19\ The White House, National Cyber Strategy of the United States 
of America (Washington, D.C.: September 2018).
    \20\ GAO, Cybersecurity: Clarity of Leadership Urgently Needed to 
Fully Implement the National Strategy, GAO-20-629 (Washington, D.C.: 
Sept. 22, 2020).
    \21\ The National Cyber Strategy assigns National Security Council 
staff to coordinate with departments, agencies, and the Office of 
Management and Budget on a plan to implement the strategy.
---------------------------------------------------------------------------
    We have also stressed the urgency and necessity of clearly defining 
a central leadership role in order to coordinate the government's 
efforts to overcome the nation's cyber-related threats and challenges. 
In September 2020, we also reported that, in light of the elimination 
of the White House Cybersecurity Coordinator position in May 2018, it 
was unclear which official within the executive branch ultimately 
maintained responsibility for coordinating the execution of the 
National Cyber Strategy and related implementation plan. Accordingly, 
we suggested that Congress consider legislation to designate a position 
in the White House to lead such an effort. In January 2021, the NDAA 
for Fiscal Year 2021 established the Office of the National Cyber 
Director within the Executive Office of the President.\22\ Among other 
responsibilities, the Director is to serve as the principal advisor to 
the White House on cybersecurity policy and strategy, including 
coordination of implementation of national cyber policy and strategy.
---------------------------------------------------------------------------
    \22\ Pub. L. No. 116-283, Div. A, Title XVII, Sec.  1752, 134 Stat. 
4144 (Jan. 1, 2021) (codified at 6 U.S.C. Sec.  1500).
---------------------------------------------------------------------------
    In June 2021, the Senate confirmed a Director to lead this new 
office. In October 2021, the National Cyber Director issued a strategic 
intent statement, outlining a vision for the Director's office and the 
high-level lines of efforts it intends to focus on, including national 
and federal cybersecurity; budget review and assessment; and planning 
and incident response, among others.\23\
---------------------------------------------------------------------------
    \23\ The White House, A Strategic Intent Statement for the Office 
of the National Cyber Director (Washington, D.C.: Oct. 28, 2021).
---------------------------------------------------------------------------
    The establishment of a National Cyber Director is an important step 
toward positioning the federal government to better direct activities 
to overcome the nation's cyber threats and challenges and to perform 
effective oversight. Nevertheless, the implementation of our 
recommendation to fully develop and execute a comprehensive national 
cyber strategy remains more urgent than ever to ensure that there is a 
clear roadmap for overcoming the cyber challenges facing our nation, 
including its critical infrastructure.
Federal Government Needs to Strengthen Its Role in Protecting the 
        Cybersecurity of Critical Infrastructure
    The federal government has been challenged in working with the 
private sector to protect cyber critical infrastructure. We have made 
recommendations aimed at strengthening the federal role in critical 
infrastructure cybersecurity, including by (1) enhancing the 
capabilities and services of DHS' Cybersecurity and Infrastructure 
Security Agency and (2) ensuring that federal agencies with sector-
specific responsibilities are providing their sector partners with 
effective guidance and support.
DHS Needs to Complete CISA Transformation Activities to Better Support 
        Critical Infrastructure Owners and Operators
    The importance of clear cybersecurity leadership extends beyond the 
White House to other key executive branch agencies, including DHS. 
Federal legislation enacted in November 2018 established CISA within 
the department to advance the mission of protecting federal civilian 
agencies' networks from cyber threats and to enhance the security of 
the nation's critical infrastructure in the face of both physical and 
cyber threats. The act elevated CISA to agency status; prescribed 
changes to its structure, including mandating that it have separate 
divisions on cybersecurity, infrastructure security, and emergency 
communications; and assigned specific responsibilities to the 
agency.\24\
---------------------------------------------------------------------------
    \24\ Cybersecurity and Infrastructure Security Agency Act of 2018, 
Pub. L. No. 115-278, Sec.  2,132 Stat. 4168, 4169, (Nov. 16, 
2018)(codified at 6 U.S.C. Sec. 652). The act renamed the DHS National 
Protection and Programs Directorate as CISA.
---------------------------------------------------------------------------
    To implement the statutory requirements, CISA leadership launched 
an organizational transformation initiative. In March 2021, we reported 
that while CISA had completed the first two of the three phases of its 
organizational transformation initiative.\25\ Specifically, we noted 
DHS had not fully implemented its phase three transformation, which 
included finalizing the agency's mission-essential functions and 
completing workforce-planning activities, that was intended to be 
completed by December 2020.
---------------------------------------------------------------------------
    \25\ GAO, Cybersecurity and Infrastructure Security Agency: Actions 
Needed to Ensure Organizational Changes Result in More Effective 
Cybersecurity for Our Nation, GAO-21-236 (Washington, D.C.: Mar. 10, 
2021).
---------------------------------------------------------------------------
    We also reported that of 10 selected key practices for effective 
agency reforms we previously identified, CISA's organizational 
transformation generally addressed four, partially addressed five, and 
did not address one. Further, we reported on a number of challenges 
that selected government and private-sector stakeholders had noted when 
coordinating with CISA, including a lack of clarity surrounding its 
organizational changes and the lack of stakeholder involvement in 
developing guidance. Although CISA had activities under way to mitigate 
some of these challenges, it had not developed strategies to, among 
other things, clarify changes to its organizational structure. Figure 2 
below describes the coordination challenges identified by private-
sector stakeholders.

   Figure 2: Cybersecurity and Infrastructure Security Agency (CISA) 
 Coordination Challenges Reported by Stakeholders Representing the 16 
                    Critical Infrastructure Sectors
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

     Source: GAO analysis of stakeholder interviews. GAO-22-105530

    To address these weaknesses, we made 11 recommendations to DHS. The 
department concurred with our recommendations and, as of September 
2021, reported that it intends to fully implement them by the end of 
calendar year 2022. Implementing these recommendations will better 
position CISA to ensure the success of its reorganization efforts and 
carry out its mission to lead national efforts to identify and respond 
to cyber and other risks to our nation's infrastructure.
Sector Risk Management Agencies Need to Ensure Effective Guidance and 
        Support of Critical Infrastructure Owners and Operators
    Since 2010, we have made about 80 recommendations for various 
federal agencies to enhance infrastructure cybersecurity. For example, 
in February 2020, we recommended that agencies better measure the 
adoption of the NIST framework of voluntary cyber standards and correct 
sector-specific weaknesses. Specifically, we reported that most sector 
lead agencies--known as sector risk management agencies \26\--were not 
collecting and reporting on improvements in the protection of critical 
infrastructure as a result of using the framework across the 
sectors.\27\ We concluded that collecting and reporting on these 
improvements would help the sectors understand the extent to which 
sectors are better protecting their critical infrastructure from cyber 
threats.
---------------------------------------------------------------------------
    \26\ Sector-specific agencies was a term formally used to describe 
the nine agencies that have a lead role in protecting the 16 critical 
infrastructure sectors. Pursuant to the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 
116-283, Sec.  9002, any reference to sector-specific agencies in any 
law, regulation, document, or other paper of the United States shall be 
deemed a reference to the sector risk management agency of the relevant 
critical infrastructure sector.
    \27\ GAO, Critical Infrastructure Protection: Additional Actions 
Needed to Identify Framework Adoption and Resulting Improvements, GAO-
20-299 (Washington, D.C.: Apr. 9, 2020).
---------------------------------------------------------------------------
    To address these issues, we made 10 recommendations--one to NIST on 
establishing time frames for completing selected programs--and nine to 
the lead agencies, to collect and report on improvements gained from 
using the framework. Eight agencies agreed with the recommendations, 
while one neither agreed nor disagreed and one partially agreed. 
However, as of November 2021, none of the recommendations had been 
implemented. Until the lead agencies collect and report on improvements 
gained from adopting the framework, the extent to which the 16 critical 
infrastructure sectors are better protecting their critical 
infrastructure from threats will be largely unknown.
    We have also frequently reported on the need for lead agencies to 
enhance the cybersecurity of their related critical infrastructure 
sectors and subsectors--such as transportation systems, communications, 
energy, education, and financial services.\28\
---------------------------------------------------------------------------
    \28\ GAO-21-288.
---------------------------------------------------------------------------
      Aviation.\29\ The Federal Aviation Administration (FAA) 
is responsible for overseeing the safety of commercial aviation, 
including avionics systems. The growing connectivity between airplanes 
and these systems may present increasing opportunities for cyberattacks 
on commercial planes. In October 2020, we reported that FAA had 
established a process for certification and oversight of U.S. 
commercial airplanes, including their operations.\30\ However, FAA had 
not prioritized risk-based cybersecurity oversight or included periodic 
testing as part of its monitoring process, among other things. To 
address these and other related issues, we made six recommendations to 
FAA; however, as of November 2021, the agency had not implemented the 
recommendations.
---------------------------------------------------------------------------
    \29\ The transportation systems sector consists of seven key 
subsectors, including aviation.
    \30\ GAO, Aviation Cybersecurity: FAA Should Fully Implement Key 
Practices to Strengthen Its Oversight of Avionics Risks, GAO-21-86 
(Washington, D.C.: Oct. 9, 2020).
---------------------------------------------------------------------------
      Mass Transit and Passenger Rail.\31\ Recent physical and 
cyberattacks on rail systems in U.S. and foreign cities highlight the 
importance of strengthening and securing passenger rail systems around 
the world. TSA is the primary federal agency responsible for securing 
transportation in the United States. To assess risk elements for 
physical and cyber security in passenger rail, TSA utilizes various 
risk assessments, including, among other things, the Baseline 
Assessment for Security Enhancement (BASE).\32\ TSA uses these risk 
assessments to evaluate threat, vulnerability, and consequence for 
attack scenarios across various transportation modes. In April 2020, we 
reported \33\ that while TSA had taken initial steps to share 
cybersecurity key practices and other information with passenger rail 
stakeholders, the BASE assessment did not fully reflect the updated 
cybersecurity key practices presented in NIST's Cybersecurity 
Framework,\34\ nor did it include the framework in a list of available 
cyber resources.\35\ Our review of the BASE cybersecurity questions in 
the template found that they covered selected activities associated 
with three of the five functions outlined in the framework--Identify, 
Protect, and Respond. However, the remaining two functions--Detect and 
Recover--were not represented in the BASE. We made two recommendations 
to TSA, including that the agency update the BASE cybersecurity 
questions to ensure they reflect key practices. DHS agreed with our 
recommendations. As of November 2021, one recommendation had not been 
implemented.
---------------------------------------------------------------------------
    \31\ The transportation systems sector consists of seven key 
subsectors, including mass transit and passenger rail.
    \32\ The BASE is a voluntary security assessment of national mass 
transit, passenger rail, and highway systems conducted by TSA surface 
transportation inspectors that addresses potential vulnerabilities, 
among other things. The BASE is a nonregulatory security assessment, 
which requires surface transportation entities' voluntary 
participation. It consists of an assessment template with 17 security 
action items developed by TSA and the Federal Transit Administration 
that address, among other best practices, security training programs, 
risk information sharing, and cybersecurity. TSA developed this 
assessment in 2006 to increase domain awareness, enhance prevention and 
protection capabilities, and further response preparedness of passenger 
transit systems nationwide.
    \33\ GAO, Passenger Rail Security: TSA Engages with Stakeholders 
but Could Better Identify and Share Standards and Key Practices, GAO-
20-404 (Washington, D.C.: Apr. 3, 2020).
    \34\ NIST, Framework for Improving Critical Infrastructure 
Cybersecurity.
    \35\ For example, TSA has shared cybersecurity information through 
American Public Transportation Association working groups, through 
training exercises such as the Intermodal Security Training and 
Exercise Program, and through regional cybersecurity workshops 
promoting the NIST Cybersecurity Framework. TSA further shares 
cybersecurity key practices through questions in the BASE.
---------------------------------------------------------------------------
      Pipeline Systems.\36\ The nation depends on the 
interstate pipeline system to deliver critical resources such as oil 
and natural gas. This increasingly computerized system is an attractive 
target for hackers and terrorists. In December 2018, we found 
weaknesses in the Transportation Security Administration's (TSA) 
management of its pipeline security efforts.\37\ We reported that TSA, 
a component agency of DHS, had issued revised pipeline security 
guidelines; however, the revisions did not include all elements from 
the NIST Cybersecurity Framework and did not include clear definitions 
to ensure the identification of critical facilities by pipeline 
operators.\38\ We also reported that the agency had conducted pipeline 
security reviews to assess pipeline systems vulnerabilities; however, 
the quantity of TSA's reviews of corporate and critical facilities 
security had varied considerably. To address these and other issues we 
made 10 recommendations to TSA. The agency agreed with all of our 
recommendations. In July 2021, we testified that the TSA had not fully 
addressed pipeline cybersecurity-related weaknesses that GAO had 
previously identified, such as aged protocols for responding to 
pipeline security incidents.\39\ As of November 2021, TSA had 
implemented 10 of the 13 recommendations from 2018 and 2019 and had not 
implemented three.
---------------------------------------------------------------------------
    \36\ The transportation systems sector consists of seven key 
subsectors, including pipeline systems.
    \37\ GAO, Critical Infrastructure Protection: Actions Needed to 
Address Significant Weaknesses in TSA's Pipeline Security Program 
Management, GAO-19-48 (Washington, D.C.: Dec. 18, 2018).
    \38\ National Institute of Standards and Technology, Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.0 
(Gaithersburg, MD: Feb. 12, 2014).
    \39\ GAO, Critical Infrastructure Protection: TSA Is Taking Steps 
to Address Some Pipeline Security Program Weaknesses, GAO-21-105263 
(Washington, D.C.: July 27, 2021).
---------------------------------------------------------------------------
      Communications. The Communications sector is an integral 
component of the U.S. economy and faces serious cyber-related threats 
that could affect the operations of local, regional, and national level 
networks. In November 2021, we reported that CISA has a leadership role 
in coordinating federal efforts intended to aid in the resilience of 
the Communications Sector.\40\ The agency fulfills its responsibilities 
to private sector owners and operators through a variety of programs 
and services, including incident management and information sharing. We 
found CISA had not assessed the effectiveness of these activities, nor 
updated a strategic sector guidance document, despite being recommended 
by DHS to do so every 4 years. Specifically, the current plan, from 
2015, lacks information on new and emerging threats to the 
Communications Sector, such as security threats to the communications 
technology supply chain. Developing and issuing updated guidance would 
enable CISA to set goals, objectives, and priorities that address 
threats and risks to the sector, and help meet its sector risk 
management agency responsibilities. As such, we made three 
recommendations to CISA, including that the agency assess the 
effectiveness of support provided to sector, and revise the sector plan 
to include, among other things, new and emerging threats and risks. DHS 
concurred with the recommendations and described initial actions under 
way or planned to address them in a 2021 letter in response to our 
report.
---------------------------------------------------------------------------
    \40\ GAO, Critical Infrastructure Protection: CISA Should Assess 
the Effectiveness of its Actions to Support the Communications Sector, 
GAO-20-104462 (Washington, D.C.: Nov. 23, 2021).
---------------------------------------------------------------------------
      Energy. The U.S. grid's distributing systems--which carry 
electricity from transmission systems to consumers and are regulated 
primarily by states--are increasingly at risk from cyberattacks. In 
August 2019, we reported that the electric grid faced various 
cybersecurity risks.\41\ We noted that the Department of Energy (DOE) 
had developed plans and an assessment to address the risks. However, 
these documents did not fully address all of the key characteristics of 
a national strategy. Subsequently, in March 2021, we reported that the 
electric grid's distribution systems continued to face various 
cybersecurity risks.\42\ DOE had developed plans and an assessment to 
address the risks to the electric grid; however, these documents did 
not fully address risks to the grid's distribution systems. To mitigate 
this issue, we recommended that the department more fully address cyber 
risks to the grid's distribution systems in its plans to implement the 
national cybersecurity strategy for the grid. DOE agreed with our 
recommendation; however, as of November 2021, the department had not 
implemented our recommendation.
---------------------------------------------------------------------------
    \41\ GAO, Critical Infrastructure Protection: Actions Needed to 
Address Significant Cybersecurity Risks Facing the Electric Grid, GAO-
19-332 (Washington, D.C.: Aug. 26, 2019).
    \42\ GAO, Electric Grid Cybersecurity: DOE Needs to Ensure Its 
Plans Fully Address Risks to Distribution Systems, GAO-21-81 
(Washington, D.C.: Mar. 18, 2021).
---------------------------------------------------------------------------
      Education. When the COVID-19 pandemic forced the closure 
of schools across the nation, many kindergarten through grade 12 (K-12) 
schools moved from in-person to remote education, increasing their 
dependence on IT and making them potentially more vulnerable to 
cyberattacks. In October 2021, we reported that the Department of 
Education's sector-specific plan for the Education Facilities subsector 
had not been updated since 2010 and did not reflect substantially 
changed cybersecurity risks affecting K-12 schools.\43\ Further, 
Education had not determined whether sector-specific guidance was 
needed for K-12 schools to help protect against cyber threats, 
including against the increasing threat of ransomware attacks. To 
address these issues, we recommended that Education initiate a meeting 
with CISA to determine how to update its sector-specific plan and 
determine whether sector-specific guidance is needed. Education 
concurred with GAO's recommendations and described actions that it 
would take to address them.
---------------------------------------------------------------------------
    \43\ GAO, Critical Infrastructure Protection: Education Should Take 
Additional Steps to Help Protect K-12 Schools from Cyber Threats, GAO-
22-105024 (Washington, D.C.: Oct. 13, 2021).
---------------------------------------------------------------------------
      Financial Services. The federal government has long 
identified the financial services sector as a critical component of the 
nation's infrastructure. In September 2020, we reported that the 
Department of the Treasury and other federal agencies were taking steps 
to reduce risks and bolster the financial sector's efforts to improve 
its cybersecurity.\44\ However, Treasury had not worked with other 
federal agencies and sector partners to better measure progress and to 
prioritize efforts in line with sector cybersecurity goals laid out in 
the implementation plan of the 2018 National Cyber Strategy. To address 
these issues, we made two recommendations to Treasury. The department 
agreed with our recommendations; however, as of November 2021, Treasury 
had not implemented the recommendations.
---------------------------------------------------------------------------
    \44\ GAO, Critical Infrastructure Protection: Treasury Needs to 
Improve Tracking of Financial Sector Cybersecurity Risk Mitigation 
Efforts, GAO-20-631 (Washington, D.C.: Sept. 17, 2020).

    Overall, federal agencies have not addressed most of our 
recommendations related to protecting critical infrastructure.\45\ 
About 50 of the about 80 recommendations made in our public reports 
since 2010 have not been implemented, as of November 2021. We also 
designated 14 of these as priority recommendations; as of November 
2021, 11 had not been implemented. Until our recommendations are fully 
addressed, federal agencies will not be effectively positioned to 
ensure critical infrastructure sectors are adequately protected from 
potentially harmful cybersecurity threats.
---------------------------------------------------------------------------
    \45\ GAO-21-288.
---------------------------------------------------------------------------
    In summary, the federal government needs to move with a greater 
sense of urgency in response to the serious cybersecurity threats faced 
by the nation and its critical infrastructure. This would include 
developing and executing a comprehensive national strategy and 
strengthening the federal role in protecting the cybersecurity of 
critical infrastructure. Without implementing our recommendations, the 
federal government will continue to be hindered in its ability to 
provide effective support to the cybersecurity of the nation's critical 
infrastructure. As a result, the risk of unprotected infrastructure 
being harmed is heightened.
    Chairman DeFazio, Ranking Member Graves, and Members of the 
Committee, this completes my prepared statement. I would be pleased to 
respond to any questions that you may have.

    Mr. DeFazio. Thank you for your testimony. I will try and 
squeak out a couple of questions here.
    Mr. Grossman, what are--briefly--let's say, the top three 
cybersecurity challenges at the FAA?
    And what are you doing to quickly implement measures to 
mitigate this?
    Mr. Grossman. Thank you for your question, Chairman 
DeFazio.
    The FAA operates a large, complex infrastructure of 
interconnected networks and services. We have many service 
providers. Connectivity includes satellite-based 
communications, automated communications between aircraft, et 
cetera. The system has become very, very complex.
    Most of our challenges really are around the purpose-built, 
legacy nav systems that are in operation today. These systems 
are operated 24/7/365, they require extensive testing, and 
operate custom-built software. Really, they don't allow remote 
patching capabilities. So, keeping up with the cyber hygiene 
component is a fairly large challenge from an FAA air traffic 
control perspective.
    We protect that system, though, through compensating 
controls, meaning that network, while it is very difficult to 
patch and update, is very difficult to attach to, as well. It 
doesn't have internet access. There is a very mature access 
control list. In other words, system A can only speak to system 
B over very specific ports, with very specific protocols, and 
everything else is not addressed.
    Additionally, we----
    Mr. DeFazio. One more----
    Mr. Grossman. OK, sir.
    Mr. DeFazio. Mr. Dorsey, you were pretty critical, I 
thought. Do you agree with Mr. Grossman's assessment on the top 
challenges, and why do you think they aren't yet rectified?
    Mr. Dorsey. Thank you for your question, Chairman DeFazio.
    I think the three key top challenges for the Department 
are: to solidify leadership at the chief information security 
officer level to provide the needed leadership, oversight, and 
accountability necessary for agencywide improvements to address 
ongoing information security weaknesses; two, I think the 
Department needs to develop a comprehensive, DOT-wide 
cybersecurity strategy to address recurring weaknesses; and 
three, they need to better protect and secure its IT 
infrastructure and sensitive information from potential 
compromises.
    Those are the three key areas I believe that the Department 
needs to focus on to address the weaknesses that we have 
identified over the last 10 years.
    Mr. DeFazio. So, Mr. Grossman, are those things in 
progress?
    Mr. Grossman. Well, I am the chief information security 
officer for the FAA, so there is leadership within FAA, and we 
are working with the OIG to close these audit recommendations.
    We believe that we have protections in place. While many of 
the compliance-type audits have a lot of findings, the actual 
vulnerabilities are, in our opinion, most of them are mitigated 
through compensating controls.
    Mr. DeFazio. OK, all right.
    Mr. Dorsey. Sir----
    Mr. DeFazio. I have exhausted my time----
    Mr. Dorsey. Sir?
    Mr. DeFazio. OK, briefly.
    Mr. Dorsey. Sir, when I was speaking----
    Mr. DeFazio. Sure.
    Mr. Dorsey. Sir, when I was speaking of the chief 
information officer, chief information security officer, I was 
speaking about at the Department level. They are responsible 
for providing oversight of all of the OAs, including FAA. Thank 
you.
    Mr. DeFazio. So, you are saying at DOT, [inaudible] FAA and 
other agencies?
    Mr. Dorsey. Yes, sir. Thank you.
    Mr. DeFazio. And there is no one in that position right 
now?
    Mr. Dorsey. There is no permanent chief information 
security officer at the Department level at this time.
    Mr. DeFazio. OK.
    Mr. Dorsey. When we were conducting our reviews last year, 
there was a--he was serving as the acting chief information 
security officer.
    Mr. DeFazio. OK, all right. Well, thank you. I am going to 
yield now to Ranking Member Graves, because he can ask 
questions better with a voice than I can. Thank you.
    Mr. Crawford. All right, thank you, Mr. Chairman.
    As a committee, we continue to hear conflicting reports 
from TSA and pipeline industry stakeholders regarding the 
process and engagements throughout the issuance of two TSA 
security directives.
    Furthermore, myself and Ranking Member Graves, as well as 
Senate Committee on Homeland Security and Governmental Affairs 
Ranking Member Portman, sent letters to DHS OIG to review the 
process in which TSA and CISA drafted the directives, which I 
ask unanimous consent to be entered into the record, Mr. 
Chairman.
    Mr. DeFazio. Without objection.
    [The information follows:]

                                 
   Letter of November 12, 2021, to Hon. Joseph V. Cuffari, Inspector 
General, Department of Homeland Security, from Hon. Sam Graves, Ranking 
Member, Committee on Transportation and Infrastructure and Hon. Eric A. 
     ``Rick'' Crawford, Ranking Member, Subcommittee on Railroads, 
 Pipelines, and Hazardous Materials, Submitted for the Record by Hon. 
                       Eric A. ``Rick'' Crawford
    Committee on Transportation and Infrastructure,
                             U.S. House of Representatives,
                                              Washington, DC 20515,
                                                 November 12, 2021.
The Honorable Joseph V. Cuffari,
Inspector General,
Department of Homeland Security, Office of the Inspector General, 
        Washington, DC 20528-0305.
    Dear Inspector General Cuffari:
    We write to request a review of the Transportation Security 
Agency's (TSA's) use of emergency security directives in coordination 
with the Cybersecurity and Infrastructure Security Agency (CISA) for 
the transportation and infrastructure sectors.
    On May 27, 2021, TSA Administrator David Pekoske exercised 
emergency authority following the Colonial Pipeline ransomware attack 
and issued a security directive mandating certain pipeline operators to 
take actions to strengthen their cybersecurity measures.\1\ On July 20, 
2021, TSA issued a second pipeline-focused security directive outlining 
further mandatory steps required of pipeline operators.\2\ 
Unfortunately, we have learned that these security directives were 
likely established with little communication or input from relevant 
stakeholders, would require burdensome reporting, and their 
prescriptive requirements could potentially interfere with safe 
pipeline operations and existing cybersecurity measures.\3\ On August 
24, 2021, several associations representing pipeline operators affected 
by the new security directives wrote to TSA outlining these concerns 
with the directives and urged TSA to share threat information so 
operators can better defend against potential cyber threats.\4\
---------------------------------------------------------------------------
    \1\ Press Release, DHS, DHS Announces New Cybersecurity 
Requirements for Critical Pipeline Owners and Operators (May 27, 2021), 
available at https://www.dhs.gov/news/2021/05/27/dhs-announces-new-
cybersecurity-requirements-critical-pipeline-owners-and-operators.
    \2\ Press Release, DHS, DHS Announces New Cybersecurity 
Requirements for Critical Pipeline Owners and Operators (Jul. 20, 
2021), available at https://www.dhs.gov/news/2021/07/20/dhs-announces-
new-cybersecurity-requirements-critical-pipeline-owners-and-operators.
    \3\ Aaron Schaffer and Ellen Nakashima, New emergency cyber 
regulations lay out `urgently needed' rules for pipelines but draw 
mixed reviews, Wash. Post, (Oct. 3, 2021), available at https://
www.washingtonpost.com/national-security/cybersecurity-energy-
pipelines-ransomware/2021/10/03/6df9cab2-2157-11ec-8200-
5e3fd4c49f5e_story.html.
    \4\ Letter from Pipeline Trade Associations to TSA Administrator 
David P. Pekoske (Aug. 24, 2021) (on file with Committee).
---------------------------------------------------------------------------
    In addition to the security directives for pipeline operators, on 
October 6, 2021, Department of Homeland Security (DHS) Administrator 
Alejandro Mayorkas announced TSA would issue additional security 
directives on cybersecurity for railroads and rail transit, as well as 
further mandatory requirements for aviation.\5\ Stakeholders have also 
expressed serious concerns with the development and potential 
implementation of any forthcoming directives, citing the stringent 
timeframes for reporting, high costs for compliance, and the extensive 
amount of information to be reported, which may obscure true cyber 
threats.\6\
---------------------------------------------------------------------------
    \5\ Press Release, DHS, Secretary Mayorkas Delivers Remarks at the 
12th Annual Billington CyberSecurity Summit (Oct. 6, 2021), available 
at https://www.dhs.gov/news/2021/10/06/secretary-mayorkas-delivers-
remarks-12th-annual-billington-cybersecurity-summit.
    \6\ Letter from the American Public Transportation Association to 
the Hon. Peter A. DeFazio and the Hon. Sam Graves, H. Comm. on 
Transportation & Infrastructure (Nov. 4, 2021) (on file with 
Committee); see also: The Evolving Cybersecurity Landscape: Industry 
Perspectives on Securing the Nation's Infrastructure: Hearing before 
the H. Comm. on Transportation & Infrastructure, 117th Cong. (Nov. 4, 
2021) (Statement of Tom Farmer, Asst. Vice President, Security, 
Association of American Railroads), available at https://
transportation.house.gov/imo/media/doc/2021-11-04%20Testimony%20-
%20Thomas%20Farmer.pdf.
---------------------------------------------------------------------------
    We must protect our Nation's critical transportation and 
infrastructure assets against cyber-attacks and intrusions from 
malicious actors. The consequences of failing to do so could lead to 
negative impacts on the operability and reliability of our most 
essential transportation and infrastructure assets and subsequently 
affect safety, business operations, and the economies that rely upon 
them.\7\ However, in doing so, we must ensure that efforts to secure 
our transportation and infrastructure are done in a collaborative 
manner with private industry and relevant stakeholders and do not 
impose regulatory burdens that interfere with ongoing cybersecurity 
efforts.
---------------------------------------------------------------------------
    \7\ The Evolving Cybersecurity Landscape: Industry Perspectives on 
Securing the Nation's Infrastructure: Hearing before the H. Comm. on 
Transportation & Infrastructure, 117th Cong. (Nov. 4, 2021), available 
at https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID
=114196.
---------------------------------------------------------------------------
    Given this, we are concerned that the recently issued and 
forthcoming security directives from TSA on cybersecurity in the 
transportation and infrastructure sectors do not follow these critical 
principles. To address these concerns, we request a review of TSA's 
development and issuance of security directives or emergency amendments 
this year. In particular, we request that you examine the following in 
regards each security directive or emergency amendment related to 
cybersecurity issued or in development this year:
    1.  The basis for the directive or amendment and, in each case, the 
basis for employing the emergency authority under section 114(l)(2) of 
title 49, United States Code, to issue those directives without full 
notice and comment, including:
      a.  Any consultation with the Office of the Secretary of Homeland 
Security or the Executive Office of the President;
      b.  TSA's identification of imminent, elevated, or additional 
specific threats to infrastructure and operations of pipelines, 
railroads, rail transit systems, and the aviation sector; and
      c.  The timing and public announcements of the directives 
including those announced by the Secretary for railroads, rail transit 
agencies, and the aviation sector on October 6, 2021;
    2.  The consultation process with stakeholders in each case, 
including industry, other federal agencies, and Congress, which should 
examine:
      a.  The timelines accorded for affected industries to provide 
feedback;
      b.  The extent to which TSA modified the content of the draft 
security directives to address industry comments or concerns raised by 
stakeholders in the pipeline, railroad, rail transit, and aviation 
industries ; and
      c.  The Federal agencies that contributed to the development of 
these security directives and their involvement, including the 
Department of Transportation, and any modifications to the content of 
the draft security directives to address any comments or concerns;
    3.  The basis for designating of all or parts of the draft and 
final security directives and related documents as Sensitive Security 
Information (SSI) and the non-designation of the final SD-01 as SSI 
including:
      a.  Whether the SSI designation was used to restrict access for 
any reason other than those authorized by law;
      b.  The basis for designating information as SSI in a draft but 
not a final security directive; and
      c.  The specific information designated as SSI in each draft or 
final security directive and why such a designation was made;
    4.  Whether CISA has statutory authority to order private sector 
entities to report cybersecurity incidences, including those contained 
in the Security Directives, to the agency; should examine:
      a.  The history of TSA using its statutory authority to require 
reporting by private sector entities to other agencies of the 
government.
    5.  The workforce capacity at TSA or CISA to develop and implement 
security directives for the transportation and infrastructure sectors, 
including:
      a.  The number of full-time employees dedicated to development 
and implementation of the security directives;
      b.  The number of staff with expertise in the industrial, safety, 
or cybersecurity operations of the pipeline, railroads, rail transit, 
and aviation industries; and
      c.  Any use of other federal agencies or federal government 
contractors to develop or implement the security directives.

    We request that you review this matter and submit a report to us 
within 120 days. In the interim, we request that you provide us with 
regular updates. Thank you for your attention to this matter. If you 
have questions, please contact Melissa Beaumont, with the Minority 
Staff of the Subcommittee on Railroads, Pipelines, and Hazardous 
Materials [phone number redacted].
        Sincerely,
                                                Sam Graves,
                                                    Ranking Member.
                                             Rick Crawford,
                                    Ranking Member, Subcommittee on
                     Railroads, Pipelines, and Hazardous Materials.

cc:  The Honorable Peter A. DeFazio, Chair, Committee on Transportation 
and Infrastructure
     The Honorable Donald Payne, Subcommittee on Railroads, Pipelines, 
and Hazardous Materials of the Committee on Transportation and 
Infrastructure

                                 
   Letter of October 28, 2021, to Hon. Joseph V. Cuffari, Inspector 
  General, Department of Homeland Security, from Senator Rob Portman, 
Ranking Member, Senate Committee on Homeland Security and Governmental 
   Affairs et al., Submitted for the Record by Hon. Eric A. ``Rick'' 
                                Crawford
                              United States Senate,
                                            Washington, DC,
                                                  October 28, 2021.
The Honorable Joseph V. Cuffari,
Inspector General,
Department of Homeland Security, Office of the Inspector General, 
        Washington, DC 20528-0305.
    Dear Mr. Cuffari:
    We write to request you review the process by which the 
Transportation Security Administration (TSA) has developed and issued 
several emergency security directives this year, including recently 
issued and announced cybersecurity directives developed in consultation 
with the Cybersecurity and Infrastructure Security Agency (CISA).
    Our critical infrastructure must be secured and protected against 
cyberattacks. However, securing critical infrastructure requires a 
collaborative approach with the experts in these industries--the people 
who operate this critical infrastructure and who are charged with 
implementing these directives. We believe that care must be taken to 
avoid unnecessarily burdensome requirements that shift resources away 
from responding to cyberattacks to regulatory compliance. 
Unfortunately, we have received reports that TSA and CISA failed to 
give adequate consideration to feedback from stakeholders and subject 
matter experts who work in these fields and that the requirements are 
too inflexible. We are also troubled that TSA and the DHS Office of 
Legislative Affairs (DHS OLA) refused to provide copies of the draft 
directives to Congress, including the Chairs and Ranking Members of its 
congressional oversight committees, despite having shared copies with 
the pipeline industry.
    The TSA Administrator has the statutory authority to issue security 
regulations in the transportation sector. Under a related authority, 
which had never before been exercised with the pipeline sector, the 
Administrator may issue emergency security regulations or directives 
without notice and comment if the Administrator determines that it 
``must be issued immediately in order to protect transportation 
security.'' \1\ At least until earlier this year, TSA had worked in 
close coordination with industry stakeholders to develop practical 
security guidelines and policies.\2\
---------------------------------------------------------------------------
    \1\ 49 U.S.C. Sec.  114 (l)(2)(A).
    \2\ Transp. Sec. Admin, U.S. Dep't Of Homeland Sec., Pipeline 
Security Guidelines (2018), available at https://www.tsa.gov/sites/
default/files/pipeline_security_guidelines.pdf.
---------------------------------------------------------------------------
    We are concerned that the recently issued security directives 
appear to depart from TSA's historically collaborative relationship 
with industry experts. On May 27, 2021, in response to the Colonial 
Pipeline ransomware attack, TSA Administrator David Pekoske exercised 
the emergency security directive authority and issued TSA's first ever 
pipeline-focused security directive (SD-01).\3\ On July 20th, TSA 
issued a second security directive to the pipeline industry entitled, 
``Security Directive Pipeline--2021-02: Pipeline Cybersecurity 
Mitigation Actions, Contingency Planning, and Testing'' (SD-02).\4\ In 
response, on August 24, 2021, associations representing more than 2,700 
companies in the oil and natural gas subsector sent a letter to TSA 
Administrator Pekoske warning of inadequate consultation and that the 
resulting security directives could have ``operational safety and 
reliability'' impacts.\5\
---------------------------------------------------------------------------
    \3\ Ratification of Security Directive, 86 Fed. Reg. 38209 (Jul. 
20, 2021); Press Release, U.S. Dep't of Homeland Sec., DHS Announces 
New Cybersecurity Requirements for Critical Pipeline Owners and 
Operators (May 27, 2021), https://www.dhs.gov/news/2021/05/27/dhs-
announces-new-cybersecurity-requirements-critical-pipeline-owners-and-
operators.
    \4\ Press Release, U.S. Dep't of Homeland Sec., DHS Announces New 
Cybersecurity Requirements for Critical Pipeline Owners and Operators 
(Jul. 20, 2021), https://www.dhs.gov/news/2021/07/20/dhs-announces-new-
cybersecurity-requirements-critical-pipeline-owners-and-operators.
    \5\ Letter from Pipeline Trade Associations to TSA Administrator 
David P. Pekoske (Aug. 24, 2021) (enclosed).
---------------------------------------------------------------------------
    On October 6th, Secretary Mayorkas announced TSA would issue 
additional security directives requiring railroad and airport operators 
to improve their cybersecurity practices.\6\ Public reports again 
indicate that TSA provided very little time for industry feedback.\7\
---------------------------------------------------------------------------
    \6\ Press Release, U.S. Dep't of Homeland Sec., Secretary Mayorkas 
Delivers Remarks at the 12th Annual Billington CyberSecurity Summit 
(Oct. 6, 2021), https://www.dhs.gov/news/2021/10/06/secretary-mayorkas-
delivers-remarks-12th-annual-billington-cybersecurity-summit.
    \7\ E.g., Oriana Pawlyk, Freight rail blasts TSA cybersecurity 
proposal as redundant, Politico (Oct. 6, 2021), https://
subscriber.politicopro.com/article/2021/10/freight-rail-blasts-tsa-
cybersecurity-proposal-as-redundant-3991607.
---------------------------------------------------------------------------
    Another area of concern is that TSA and the DHS OLA also refused to 
provide copies of the draft directives to Congress, including the 
Chairs and Ranking Members of its congressional oversight committees, 
despite having shared copies of the drafts with the pipeline industry. 
In a briefing with Senate staff on July 15, 2021, TSA officials 
explained they would not be providing a draft of SD-02 to Senate staff 
because it was pre-decisional and therefore deliberative.\8\ This 
argument appears to misapprehend the function and limits of the 
deliberative process privilege, which is not a bar to disclosure, 
especially not to Congress, and in any event is generally considered 
waived once an agency has ``officially acknowledged'' the record by 
prior disclosure outside the Government, as here.\9\
---------------------------------------------------------------------------
    \8\ Briefing with HSGAC Staff (Jul. 15, 2021) (notes on file with 
Committee).
    \9\ See, e.g., Fitzgibbon v. CIA, 911 F.2d 755, 765 (1990).
---------------------------------------------------------------------------
    We agree that critical infrastructure must be protected against 
cyber-attacks, particularly in the wake of the Colonial Pipeline 
ransomware attack, but the process by which TSA has issued these 
directives raises concerns. To address these concerns, we request that 
you review TSA's development and issuance of emergency security 
directives this year. Specifically, we request that you examine the 
following with regard to each emergency security directive or emergency 
amendment related to cybersecurity issued this year:
    1.  The basis for the directive or amendment and, in each case, the 
basis for employing the emergency authority under section 114(l)(2) of 
title 49, United States Code, to issue those directives without full 
notice and comment, including:
      a.  Any consultation with the Office of the Secretary of Homeland 
Security or the Executive Office of the President;
      b.  TSA's identification of additional threats to pipeline 
critical infrastructure, rail transit systems, and the aviation sector; 
and
      c.  The timing of the directives and announcements of the 
directives including those announced on October 6;
    2.  The consultation process with stakeholders in each case, 
including industry, other agencies, and Congress, which should examine:
      a.  The timeline for affected industries to provide feedback;
      b.  The extent to which TSA modified draft security directives to 
address industry comments or concerns; and
      c.  The Federal agencies who contributed to the development of 
these security directives and their involvement;
    3.  The basis for designating of all or parts of the draft and 
final security directives and related documents as Sensitive Security 
Information (SSI) and the non-designation of the final SD-01 as SSI 
including:
      a.  Whether the SSI designation was used to restrict access for 
any reason other than those reasons authorized by law;
      b.  The basis for designating information as SSI in a draft but 
not a final security directive; and
      c.  The specific information designated as SSI in each draft or 
final security directive and why such a designation was made; and
    4.  The basis for withholding the draft directives from Congress.

    We request that you review this matter and submit a report to us 
within 120 days. In the interim, we request that you provide us with 
monthly updates. Thank you for your prompt attention to this important 
request.
        Sincerely,
                                               Rob Portman,
   Ranking Member, Committee on Homeland Security and Governmental 
                                                           Affairs.
                                            James Lankford,
  Ranking Member, Subcommittee on Government Operations and Border 
       Management, Committee on Homeland Security and Governmental 
                                                           Affairs.
                                         M. Michael Rounds,
                                             United States Senator.

Enclosure
             attachment 1: letter to administrator pekoske
             American Fuel and Petrochemical Manufacturers,
                                  American Gas Association,
                             Association of Oil Pipe Lines,
                              American Petroleum Institute,
                           American Public Gas Association,
             Interstate Natural Gas Association of America,
                                 GPA Midstream Association,
                                                   August 24, 2021.
The Honorable David P. Pekoske,
Administrator,
Transportation Security Administration, 601 South 12th Street, 
        Arlington, VA 20598-6020.
    Administrator Pekoske,
    The included pipeline trade associations, AFPM, AGA, AOPL, API, 
APGA, INGAA, and GPA Midstream appreciate the opportunity to provide 
feedback on the recent Security Directive 2021-02, issued on July 19, 
2021 (Directive). These trade associations represent almost all aspects 
of U.S. energy pipeline operations that serve customers reliably across 
North America. The associations' members represent refineries and 
petrochemical operators--through which pipelines receive and distribute 
products, regional and local natural gas distribution pipelines, 
liquids pipelines, integrated and midstream natural gas and oil 
companies, operators of municipal natural gas systems, natural gas 
transmission pipelines, and natural gas product pipelines and 
processors. Across the industry, our members all share the same 
concerns with the implementation of Security Directive 2021-02 and the 
process with which it was developed. For nearly two decades, we have 
worked along-side TSA in a structured oversight model applying risk-
based methodology that properly balanced pipeline security with 
operational reliability and safety. We understand the ongoing situation 
presented by ransomware and other cyber threats to critical 
infrastructure and are committed to working with TSA to continue sound 
pipeline security practices and policies.
    Open communication, process transparency, and timely engagement 
with the industry have been hallmarks of the TSA pipeline security 
program. Concerningly, these fundamental elements of a strong security 
partnership were not fully realized during the process used to develop 
the Directive. We wish to reemphasize the need for TSA to work 
efficiently with affected companies on successful Directive 
implementation, especially now that compliance deadlines are 
approaching. We encourage TSA and its technical experts to work closely 
with industry experts to ensure mutual understanding of how 
requirements in the Directive could impact operational reliability.
    While we appreciate that TSA published an initial list of 
frequently asked questions (FAQs) focused on administrative matters, 
there remain several unanswered technical questions submitted by the 
associations and our members to which TSA guidance is critical for 
compliance. These unanswered questions have left operators with 
significant uncertainty about what is required for compliance. We urge 
TSA to release the technical FAQs in a timelier manner--TSA's timeline 
to responding to questions should be consistent with the rapid 
deadlines established under the Directive. We also ask TSA to apply 
learnings from the recent Directive development process to improve the 
agency's procedures for obtaining stakeholder input on future pipeline 
security initiatives and avoid recreating the implementation challenges 
and uncertainty our members are now experiencing.
    Operational reliability and safety are extremely important to the 
pipeline industry. The Directive's potential to cause operational 
disruptions or threaten safe operations remains a concern of affected 
pipeline operators. Our pipeline operators have expert knowledge 
regarding their assets, how they are managed to meet customer needs, 
and how to comply with the various state and federal regulations under 
which they are required to operate. As the Directive was developed, 
industry conveyed highly probable operational safety and reliability 
concerns that could arise by imposing prescriptive cyber requirements 
and untenable timelines without specific understanding of a company's 
existing cybersecurity protections and operations. We appreciate that 
TSA addressed some of our recommendations and responded to our 
feedback. Regretfully, significant concerns remain. The broad scope and 
prescriptive nature of the Directive create potential conflicts with 
TSA pipeline Security Guidelines and with existing cybersecurity and 
safety regulations from other federal government entities. The 
prescribed implementation schedule creates safety and reliability 
concerns. We urge TSA to work closely and quickly with operators on 
Directive implementation to ensure affected pipelines do not have to 
choose between complying with the Directive and ensuring continued 
safety and reliable operations.
    The Directive allows operators flexibility to submit alternative 
compliance options to TSA for consideration, and TSA has stated it will 
respond promptly to these submissions. We recognize TSA believes 
operator concerns may be addressed through this alternative submittal 
option. However, the usability of this option is limited without 
further clarity on TSA's anticipated criteria and timelines for review 
of alternative proposals relative to the Directive's deadlines, what 
recourse operators have if TSA disagrees with proposed alternative 
compliance options, and how TSA will address scenarios where an 
operator determines that extensive equipment retrofits will take longer 
time periods than envisioned by TSA. Furthermore, TSA should ensure 
operators are not penalized for awaiting TSA's clarification of these 
issues and approval of alternative proposals as the Directive's 
deadlines approach. Pipeline operators also face challenges applying 
the Directive in the context of broader corporate structures, given 
that cybersecurity for some pipeline operations is managed across 
individual companies and countries as part of enterprise-level 
cybersecurity and information technology systems that also cover non-
pipeline operations. As the Directive is currently written, and without 
clarity from TSA, some operators are in the position of guessing what 
nonoperational networks (e.g., finance, HR, etc.) are impacted by the 
Directive and may be applying prescriptive measures that divert 
resources while not addressing the actual risks to pipeline operations. 
We urge TSA to provide more clarity on the scope, so that operators can 
make more sound determinations of what is necessary to avoid disrupting 
operations or threatening pipeline safety.
    We also urge TSA to reconsider its process for implementing 
pipeline security initiatives in the future to ensure better input on 
the compatibility of proposed security requirements with pipeline 
operational technology. It is important TSA make timely updates to its 
pipeline security policies to keep up with evolving threats. At the 
same time, it is equally important TSA's process does not sacrifice 
input from the regulated industry for the sake of speed. TSA's 
authorizing statute \1\ and the Administrative Procedures Act require 
that the agency use formal notice-and-comment rulemaking as the primary 
vehicle for issuing new requirements. In this case, we believe the 
robust stakeholder input and advisory committee review provided by a 
notice-and-comment rulemaking would have resolved many of the 
substantive challenges created by the current Directive text and 
promoted stronger public-private partnership for pipeline security. We 
acknowledge that TSA may wish to protect certain aspects of its 
proposed requirements as Sensitive Security Information and note that 
procedures other than formal notice-and-comment can also be successful 
in soliciting and incorporating necessary input on a timely basis.
---------------------------------------------------------------------------
    \1\ 49 U.S.C. Sec.  114(l)(2)(A).
---------------------------------------------------------------------------
    Our associations are also concerned that, as you testified to the 
Senate Commerce Committee on July 27, 2021, there is additional threat 
information driving the urgency of the Directive and the timelines that 
have been set. This threat intelligence has not been shared with 
potentially affected companies. Pipeline operators are best positioned 
to design mitigations to defend their systems against new threats based 
on their risk-based security programs. They are unable to effectively 
prepare for threats about which they have not been briefed. While we do 
appreciate the recent offer of a Secret level briefing to a limited 
group of associations within the Beltway, we again highlight the need 
for TSA, and the broader intelligence community, to ensure they are 
sharing the most timely and relevant information directly with the 
potentially impacted operators. We urge TSA, and other agencies that 
have threat information relevant to pipelines, to brief all potentially 
affected companies as soon as possible to ensure they can appropriately 
defend against current threats. We also encourage TSA to work with the 
broader intelligence community (IC) to provide regularly scheduled 
briefings to pipeline industry experts to ensure operators are 
appropriately informed about the evolving threats to their systems. TSA 
should also work with the IC to provide as much timely, unclassified 
information as possible to operators to ensure it is actionable and can 
be disseminated to operators who do not possess security clearances.
    Listed below is a summary of our requests.
      TSA and its technical experts should work closely and 
quickly with industry experts to ensure mutual understanding of how 
requirements in the Directive could impact operational safety and 
reliability.
      TSA should release the technical FAQs immediately.
      TSA should provide clarity on anticipated criteria and 
timelines for review of alternative proposals, including addressing 
operator recourse if TSA disagrees with the alternative proposal and 
how TSA will address supply chain limitations.
      TSA should ensure operators are not penalized for 
awaiting TSA's review of alternative proposals.
      TSA should provide more clarity on the Directive's scope 
so that operators can make more sound determinations of what is 
necessary to avoid disrupting operations or threatening pipeline 
safety.
      TSA should reconsider its process for implementing 
pipeline security initiatives in the future to ensure better input on 
the compatibility of proposed security requirements with pipeline 
operational technology.
      TSA and pertinent government intelligence community 
should brief all potentially affected pipelines on relevant 
cybersecurity threat intelligence as soon as possible.

    The associations and our members are committed to supporting 
efforts to build pipeline cyber security capability, and we look 
forward to further discussing our concerns and potential solutions to 
ensure the Directive implementation can be successful.

    Mr. Crawford. Thank you, Mr. Chairman.
    I would just like to--to Ms. Newhouse, how would TSA 
evaluate implementation of the pipeline security directives?
    Ms. Newhouse. Thank you for your question, Congressman 
Crawford.
    We continue extensive, extensive engagement. That is the 
hallmark of what we are doing in order to ensure continuous 
improvement. We have actually developed and implemented an 
entire field surface operational structure to do this. So, we 
have boots on the ground.
    And what we have been finding, thus far, we--as you 
mentioned, sir, we have issued two security directives this 
summer, post-Colonial Pipeline. We are proud to announce, on 
behalf of us and our stakeholders, that all stakeholders that 
are subject to that directive have met all of the requirements 
in the very first security directive. It was very tight 
guidelines, communicated beautifully with us, very vocal, and, 
frankly, very direct with us when they met challenges.
    We are now in the process----
    Mr. Crawford. Let me ask you about those challenges, if I 
could. What challenges have you identified during 
implementation?
    Ms. Newhouse. Well, I think the biggest one--and we have 
actually taken this to heart--is the definition of a reportable 
cybersecurity incident. And we have taken steps and a great 
deal of feedback to modify that definition to not include all 
potential incidents.
    Mr. Crawford. OK.
    Ms. Newhouse. We have narrowed that, and focused that, 
based on industry feedback.
    Mr. Crawford. Excellent. Recently, the oil and natural gas 
pipeline trade associations jointly requested TSA conduct an 
advance notice of proposed rulemaking to gather information 
vital to drafting a proposed regulation to replace the expiring 
security directives.
    I ask unanimous consent for this letter to be entered into 
the record, Mr. Chairman.
    Mr. DeFazio. Without objection.
    [The information follows:]

                                 
 Letter of November 22, 2021, to Hon. David P. Pekoske, Administrator, 
    Transportation Security Administration, from American Fuel and 
 Petrochemical Manufacturers et al., Submitted for the Record by Hon. 
                       Eric A. ``Rick'' Crawford
             American Fuel and Petrochemical Manufacturers,
                                  American Gas Association,
                             Association of Oil Pipe Lines,
                              American Petroleum Institute,
                           American Public Gas Association,
             Interstate Natural Gas Association of America,
                                 GPA Midstream Association,
                                                 November 22, 2021.
The Honorable David P. Pekoske,
Administrator,
Transportation Security Administration, 6595 Springfield Center Drive, 
        Springfield, VA 22150.
    Administrator Pekoske,
    The included pipeline trade associations, AFPM, AGA, AOPL, API, 
APGA, INGAA, and GPA Midstream appreciate the opportunity to engage 
with TSA in the next phase of pipeline cybersecurity regulations. These 
trade associations represent almost all aspects of U.S. energy pipeline 
operations that serve customers reliably across North America. The 
associations' members represent refineries and petrochemical 
operators--through which pipelines receive and distribute products, 
regional and local natural gas distribution pipelines, liquids 
pipelines, integrated and midstream natural gas and oil companies, 
operators of municipal natural gas systems, natural gas transmission 
pipelines, and natural gas product pipelines and processors.
    Across the industry, our members all share the same concerns 
regarding TSA's development of pipeline cybersecurity regulations. Both 
pipeline Security Directives \1\ are slated to sunset in May and July 
2022, respectively. Based on conversations with you and the TSA Surface 
Operations and Policy sections, we understand TSA intends to pursue 
formal rulemaking for pipeline cybersecurity to replace the Security 
Directives. Your remarks to our associations and members this Fall 
regarding collaboration and process transparency around future 
rulemaking were well-received. Notably, you welcomed the opportunity 
for pre-rulemaking meetings with stakeholders and underscored TSA's 
intention to have a robust, thoughtful comment period for each phase of 
the rulemaking process.
---------------------------------------------------------------------------
    \1\ Security Directive Pipeline 2021-01 issued on May 28, 2021 and 
Security Directive Pipeline 2021-02 issued on July 19, 2021
---------------------------------------------------------------------------
    In light of this, we strongly urge TSA to issue an Advanced Notice 
of Proposed Rulemaking (ANPRM) well in advance of the sunset dates for 
the Security Directives. Further, given the rule will likely affect a 
broader range of companies than presently impacted by the Security 
Directives, an ANPRM is appropriate for obtaining input from the 
additional potentially impacted entities.
    TSA can leverage the ANPRM formal process to receive feedback from 
industry and public stakeholders on risk-based pipeline cybersecurity 
regulations and responses to questions that promote a greater 
understanding of what are reasonable, applicable, auditable, and 
sustainable regulations. For example, central questions TSA should 
address as part of pipeline cybersecurity development include:
    1.  What types of cybersecurity risks are most threatening to 
operating a pipeline safely and without interruption?
    2.  How can TSA design a cybersecurity regulatory program to best 
address the risks faced by pipeline operators?
    3.  What factors should TSA consider to ensure cybersecurity 
regulatory requirements do not disrupt or impair pipeline operations or 
safety systems?
    4.  How should TSA design a cybersecurity regulatory program so 
that it is able to evolve with the risks and tactics of cybercriminals?

    By following the approach of other federal government agencies and 
asking a series of questions on the subject matter, TSA can develop, 
issue, and receive ANPRM comments on a short timeline. To the extent 
TSA questions whether an ANPRM would add additional time to the 
rulemaking process, our trade associations pledge to respond to an 
ANPRM in a timely manner.
    Operational reliability and safety are important to the pipeline 
industry. We are committed to supporting efforts to advance pipeline 
cybersecurity capability. Our associations and members have the 
technical expertise to inform such regulations so that prescribed 
actions do not compromise reliability and safety, nor conflict with 
existing cybersecurity regulations. We look forward to working with TSA 
on regulation development.

    Mr. Crawford. Thank you, sir. I hate to keep bothering you 
with that, I know your throat is killing you.
    As they stated, TSA can leverage the ANPRM informal process 
to promote a greater understanding of what are reasonable, 
applicable, auditable, and sustainable regulations.
    Will TSA issue an ANPRM to gather this important 
information?
    Ms. Newhouse. Thank you for your question, Congressman.
    We are considering all of our options, including the most 
transparent options. An ANPRM, or advanced notice of proposed 
rulemaking, is one tool that we have exercised in the past 
successfully. And as we have continued robust engagement both 
at the classified and unclassified level with all of our 
surface transportation stakeholders, in particular our 
pipeline, rail, freight rail, passenger rail, and aviation 
stakeholders, we are considering all of those options. So yes, 
sir, that is on the table.
    Mr. Crawford. As you know, we are anticipating the release 
of a new security directive for rail. It should be as early as 
this afternoon, if I understand correctly.
    Unfortunately, we have heard concerns about the development 
of these directives from stakeholders, including from the 
freight rail industry, at our previous hearing on 
cybersecurity, and in a November 4th letter from the American 
Public Transportation Association, which I also ask unanimous 
consent to be entered into the record.
    I apologize for that inconvenience one more time, Mr. 
Chairman.
    Mr. DeFazio. Without objection.
    [The information follows:]

                                 
   Letter of November 4, 2021, to Hon. Peter A. DeFazio and Hon. Sam 
Graves of the Committee on Transportation and Infrastructure, from Paul 
    P. Skoutelas, President and CEO, American Public Transportation 
Association, Submitted for the Record by Hon. Eric A. ``Rick'' Crawford
        American Public Transportation Association,
                         1300 I Street NW, Suite 1200 East,
                                              Washington, DC 20005,
                                                  November 4, 2021.
The Honorable Peter A. DeFazio,
Chairman,
House Committee on Transportation and Infrastructure, 2165 Rayburn 
        House Office Building, Washington, DC 20515.
The Honorable Sam Graves,
Ranking Member,
House Committee on Transportation and Infrastructure, 2164 Rayburn 
        House Office Building, Washington, DC 20515.
    Dear Chairman DeFazio and Ranking Member Graves:
    On behalf of the 1,500 member organizations of the American Public 
Transportation Association (APTA), and in advance of the House 
Committee on Transportation and Infrastructure's hearing on The 
Evolving Cybersecurity Landscape: Industry Perspectives on Securing the 
Nation's Infrastructure, I write to share our concerns on the 
forthcoming Transportation Security Administration (TSA) Security 
Directive for rail transit and passenger rail operations. On October 6, 
2021, U.S. Department of Homeland Security Secretary Alejandro Mayorkas 
announced that TSA is expected to impose cybersecurity mandates on 
certain rail transit systems and railroads, including a stringent 
incident reporting deadline and a short timeframe to develop and 
implement response and contingency plans.
    Specifically, APTA is concerned that TSA is imposing these new and 
potentially costly requirements through an emergency security directive 
without the benefit of public notice and comment, including an analysis 
of the economic impact of the new requirements on rail transit and 
passenger rail operators. For example, mandating a prescriptive 24-hour 
reporting requirement in a security directive could negatively affect 
cyber response and mitigation by diverting personnel and resources to 
reporting when incident response is most critical. Further, the 
additional personnel and resources needed to comply with the 
requirements will add significant compliance costs just as transit 
agencies are working to recover from the COVID-19 pandemic. TSA has 
previously employed the federal rulemaking process for other security 
requirements on surface transportation systems, including a rulemaking 
on Security Training for Surface Transportation Employees (86 Fed. Reg. 
23629).
    Accordingly, APTA strongly recommends that the Committee on 
Transportation and Infrastructure urge TSA to utilize the federal 
rulemaking process for this security directive and allow for public 
comment before imposing any new requirements. Publication in the 
Federal Register, with an opportunity for notice and comment, will 
allow all affected parties, including APTA members, to identify 
concerns and potential impacts of the proposed requirements on rail 
transit and passenger rail operations, and would provide TSA sufficient 
time to address any issues raised during the process.
    In addition, APTA recommends that TSA provide technical assistance, 
workshops, response plan templates, and funding for public transit 
agencies to implement the requirements of any final security directive.
    We welcome any opportunity to work with the Committee on 
Transportation and Infrastructure to address these important issues and 
ensure that rail transit and passenger rail operators continue to meet 
any cyber or other security challenges that may arise.
        Sincerely,
                                         Paul P. Skoutelas,
                                                 President and CEO.

    Mr. Crawford. Ms. Newhouse, how much stakeholder engagement 
has TSA conducted while working on these directives?
    And how is TSA specifically incorporating feedback into 
these directives?
    Ms. Newhouse. Thank you, Congressman.
    We have continued robust engagement and, frankly, we have 
been working extremely closely with the United States 
intelligence community, our partners at CISA, and particularly 
the Departments of Homeland Security, DOT, Department of 
Energy, and across the interagency to provide that background 
information, that threat information that is driving all of 
these requirements.
    As recently as this week, I, along with several of my top 
leadership here at TSA, have met with freight rail and 
passenger rail executives with a classified briefing in our 
facilities to show them what we are seeing, elicit input, and 
ask them for more input for either future requirements or other 
guidelines that we could issue together, versus us just telling 
them this is what they need to do.
    So, we have--we have been having some successful 
engagements. As a matter of fact, today, a number of pipeline 
individuals, CISOs, and other security personnel are receiving 
briefings, as we speak, and we do have an apparatus around the 
United States to support those briefings, thanks to our law 
enforcement and intelligence community partners.
    Mr. DeFazio. I thank the----
    Mr. Crawford. Will you consider utilizing the Federal 
rulemaking process for any future cyber requirements?
    Mr. DeFazio. I think his time has expired.
    Ms. Newhouse. Absolutely, Congressman. All of those options 
are on the table.
    Mr. Crawford. Thank you. I yield back.
    Mr. DeFazio. I thank the gentleman. Representative Norton 
is now recognized.
    Ms. Norton. Thank you very much, Mr. Chairman. I hope 
everyone can hear me. My first question is for Mr. Schachter of 
DOT, Mr. Grossman of FAA, and Ms. Newhouse of TSA. I am 
interested in information sharing among Federal partners.
    You each oversee critical infrastructure entities, with 
some overlap, especially regarding aviation and surface 
transportation, which I am particularly interested in because I 
sit on the Subcommittee on Aviation, and serve as chair of the 
Subcommittee on Highways and Transit.
    Can you explain to us in some detail how you collaborate to 
oversee the same sectors and critical infrastructure entities?
    [Pause.]
    Ms. Norton. Mr. Schachter, Mr. Grossman, Ms. Newhouse?
    Mr. Schachter. Am I on mute?
    Thank you very much for that question, Congresswoman. 
Information sharing is vital to securing the Nation's critical 
infrastructure, and the infrastructure that DOT is responsible 
for.
    We collaborate extensively within DOT. We collaborate with 
the FAA, and also with our Federal partners--in particular, 
TSA, CISA, and even with OMB, which houses the Federal chief 
information security officer. Chris DeRusha, the Federal Chief 
Information Security Officer, was one of the first Federal 
officials that I met--virtually, of course--after joining the 
DOT in late August.
    I have had subsequent sessions with Jen Easterly, as well 
as Chris Inglis, the Assistant Director and National Cyber 
Director. And we intend to keep up an open channel of 
communication, as well as following up on various directives 
and formal information sharing that DHS has required.
    Ms. Norton. Thank you.
    Mr. Marinos, Mr. Dorsey, can you highlight cybersecurity 
issues that give you the most concern, and also explain why you 
believe the Government has repeatedly failed to fully address 
them?
    Mr. Marinos. Yes, Congresswoman. I could jump in first, and 
perhaps Kevin can go after.
    I think the bottom line is that we are constantly operating 
behind the eight ball. The reality is that it just takes one 
successful cyberattack to take down an organization, and each 
Federal agency, as well as owners and operators in critical 
infrastructure, have to protect themselves against countless 
numbers of attacks. And so, in order to do that, we need our 
Federal Government to be operating in the most strategic way 
possible.
    So, as I mentioned in my oral statement, the importance of 
having a national strategy isn't just to have something on 
paper, but to actually execute that strategy. And that also 
carries forward to those agencies like the Department of 
Transportation, TSA, and others who have sector-specific 
responsibilities to do the same.
    We have seen consistently in our work that agencies have 
had challenges in maintaining very up-to-date sector plans that 
actually would talk about the cyber threats that agencies are 
facing and the infrastructure is facing today. So, we think it 
is very important for sector-specific agencies to work with 
their industry partners to make sure that they are operating 
off the same song sheet, if you will.
    Ms. Norton. Thank you very much.
    Thank you, Mr. Chairman, I yield back.
    Mr. DeFazio. I thank the gentlelady for yielding back. I am 
now going to yield the chair to Andre Carson, who, as we all 
know, has a loud and booming voice, and you will be able to 
understand him. So, thank you.
    Mr. Carson [presiding]. Thank you, Chair, I hope you feel 
better. We appreciate you.
    Mr. Gibbs?
    Mr. Gibbs. Thank you, Chair. This hearing is titled, ``The 
Evolving Cybersecurity Landscape: Federal Perspectives on 
Securing the Nation's Infrastructure.'' I was really kind of 
surprised we didn't bring in a witness from the Cybersecurity 
and Infrastructure Security Agency, CISA. It might be a good 
idea for the future.
    Admiral Mauger, we had testimony in the past, and we know 
that the Coast Guard is trying to update your own IT systems 
and the significant challenges you face in doing that. Can you 
provide us an update on how the Coast Guard is working to 
improve in this area, and improve your IT systems that you have 
been mandated by Congress to do?
    Admiral Mauger. Congressman Gibbs, our approach to 
protecting the maritime transportation system relies on us 
having our own ability to defend and operate our networks.
    And so, as part of the Commandant's strategy for our work 
ahead, he has put defend and operate the networks, protect 
maritime critical infrastructure, and enable Coast Guard 
operations as those three pillars for how we move forward to 
accomplish all of our missions.
    With regard to defending and operating our networks through 
investments in the CARES Act, with over $65 million in funding, 
we have been able to make significant investments to modernize 
our infrastructure and push more information out to our mobile 
users out in the field, and our cutters underway.
    But all of this is premised--our security is premised on it 
being an operational imperative. And so, the key thing that has 
really driven us forward is the establishment of Coast Guard 
Cyber Command as an operational command under the purview of a 
two-star commander that oversees our daily mission execution in 
the IT space, and then the coordination with our CIO, who is 
driving those investments and modernization projects forward.
    Mr. Gibbs. OK, thank you. Also, Admiral, can you expand a 
little bit on the activities and resources you are making 
available to the ports to work with our port facilities at the 
port level on their IT infrastructure, cybersecurity?
    Admiral Mauger. Congressman, at the port level we are 
really focused on working across the prevention and response 
framework to ensure that we have the ability to defend, and 
then also respond resiliently from attacks. This is a shared 
responsibility between the private sector and the Federal 
agencies involved, and so we are doing a number of different 
things.
    First of all, we put standards in place that require them 
to conduct assessments, have an accountable person, develop a 
plan, mitigate that plan, exercise it, and report incidents. 
All those pieces are really important.
    Through those assessments, we then have the opportunity to 
drive investments through the Port Security Grant Program to 
update security posture in the ports. And so last year, $17 
million was allocated from the Port Security Grant Program for 
cybersecurity.
    These are some of the things that are being done to 
increase the capability of the commercial infrastructure, while 
also maintaining our operational ability.
    Mr. Gibbs. Also, Admiral, as your role as assistant 
commandant for prevention policy, you are responsible for the 
Coast Guard's maritime safety and security regulatory programs. 
Which side is winning: the increased cyber threats or increased 
digital-based safety operational enhancements?
    How are we doing? I guess the question is, how are we doing 
in this fight? Who is winning it?
    Admiral Mauger. Congressman, it is not an either/or 
proposition for this. It is really an all-of-the-above.
    And so, as the assistant commandant for prevention policy, 
we make sure that we bring together the best of our ability to 
secure private industry, but then be able to respond, as well. 
And so, leveraging our prevention and response framework, we 
have made sure that we have taken a multilayered approach to 
engaging with the industry, sharing information with them at 
the local level through the Area Maritime Security Committees, 
and conducting compliance activities, and then, at the national 
level, engaging across the interagency with our National 
Maritime Security Advisory Committee, with the MTS-ISAC, and 
then with other interagency partners to make sure that we are 
tied together, and providing a comprehensive network and 
comprehensive approach to this problem.
    Mr. Gibbs. All right, thank you. I am just about out of 
time. I just wanted to mention that I know you are not a 
cybersecurity expert yourself, and so, hopefully, you are aware 
of that fact, and you are coordinating with your cybersecurity 
people, both at the Coast Guard, and also in the private 
sector.
    And I have to yield back, I am out of time. Thank you for 
your service.
    Mr. Carson. Mr. Larsen?
    Mr. Larsen. Thank you, Mr. Chair.
    Mr. Dorsey, has the GAO investigated the progress of the 
Federal agencies or the private sector in implementing the 
guidance and requirements laid out in the May Executive order 
from the President to modernize and strengthen the defense of 
Federal technology systems?
    Mr. Dorsey. Thank you for that question, Congressman. 
However, you asked whether or not the GAO has investigated. I 
think that question should be directed towards the GAO 
representative. That is, if I am not mistaken.
    Mr. Larsen. I am sorry, yes. Well, the GAO representative 
Mr. Marinos, can answer that.
    Mr. Marinos. Yes, Congressman, happy to. We have looked at 
aspects of the Executive order. We, actually, just have work 
underway right now, specifically looking at the progress that 
has been made by the administration in actually overseeing 
whether the many requirements that it has placed on agencies 
have actually been adhered to.
    So, there are aspects within it that our work has touched 
on, including cloud computing and supply chain, more recently, 
but we have work underway right now that is going to be looking 
squarely at the Executive order.
    Mr. Larsen. And do you have the timeline laid out for the 
report already?
    Mr. Marinos. We are expecting to be able to periodically 
report on the status of implementing the Executive order 
throughout the upcoming calendar year. So, we are looking to 
provide information out sort of in a real-time basis, looking 
to provide something closer to the early spring.
    Mr. Larsen. Early spring? Thank you.
    And Mr. Dorsey, then, I will go back to you. At what point 
would the DOT IG get involved?
    Mr. Dorsey. Thank you for your question, Congressman. 
Actually, we have actually already initiated a review of the 
DOT's efforts to implement cloud-based services with respect to 
the request, or issues that were identified in the Presidential 
Executive order directing Federal agencies to ensure that they 
secure their cloud-based services as they migrate forward.
    We are also planning to look at the Department's efforts to 
implement or migrate towards a zero trust architecture, as 
outlined in the President's Executive order, too.
    I have also been in contact with the Department's chief 
information officer, and he has informed me that the Department 
is working towards addressing the current initiatives, and I 
plan to work with him over the next year or two to ensure that 
the Department is doing what they say they are planning to do, 
as well as report back to the administration, as necessary. 
Thank you.
    Mr. Larsen. Thank you.
    Mr. Grossman, the U.S. aviation sector is very complex. I 
am sure that you are considering that complexity as you 
consider how to make the system less vulnerable to 
cyberattacks.
    But the testimony from GAO in the first part of the hearing 
a few weeks ago stated that less than half of the respondents 
to a global study investigating cybersecurity trends within the 
air transport industry identified cybersecurity as a top 
organizational risk.
    Have you all considered how Congress can incentivize the 
private sector to address cybersecurity issues?
    Mr. Grossman. How Congress can----
    Mr. Larsen. Incentivize the private sector to address these 
cybersecurity issues that continue to persist in the air 
transport industry.
    Mr. Grossman. Well, we have reached out to industry through 
the Aviation Cyber Initiative extensively. We have built a 
community of interest of over 1,000 members that is across all 
of the components of the aviation ecosystem. And we are using 
the bully pulpit, and it seems to be, from an aviation 
perspective, we seem to be gaining a lot of traction.
    Mr. Larsen. Can I follow up on that with a particular 
issue? And I don't know if you are handling this at FAA, but 
Chair DeFazio and I recently have expressed safety concerns to 
the Federal Communications Commission on the telecom industry's 
plan to utilize the C-band for 5G broadband service, and the 
potential interference with aircraft radio altimeters.
    I know that Administrator Dickson is weighing in on this 
with the FCC. Can you update us on what the status of that is, 
and, as well, are there other technologies that are coming 
online that we need to be concerned about?
    Mr. Grossman. Well, Congressman, thank you for that 
question.
    I am not personally involved with the 5G effort, but I am 
aware that the telecommunications companies have voluntarily 
agreed to a 1-month deployment delay to their 5G C-band to 
allow further safety analysis.
    We believe that aviation and 5G C-band wireless services 
can safely coexist, and the FCC and FAA are using this time to 
gather and exchange information to come up with a path forward.
    Mr. Larsen. Yes, and I guess implied in our letter is that 
whatever solution you all think you come up with, that we would 
be very interested in that solution to make some determinations 
about our own thoughts on it.
    Mr. Grossman. Absolutely.
    Mr. Larsen. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Carson. Thank you.
    Mr. Perry?
    Mr. Perry. Thank you very much, Mr. Chairman.
    Mr. Schachter and Mr. Marinos, during last month's hearing 
on cybersecurity threats, I had an interesting back-and-forth 
with Mr. Scott Belcher from the Mineta Transportation Institute 
regarding the increased cybersecurity threats associated with 
the transition to electric buses, and the fact that it brings 
with it a whole new level of cyber exposure and other security 
risks not previously anticipated.
    Mr. Belcher agreed that these increased risks include the 
ability to degrade batteries remotely, cause fires, manually 
take over controls of the vehicle, et cetera, and went on as 
far as to say we would be safer if we were still running diesel 
buses.
    Now, I am a fan of both diesel and--well, all of them. We 
have just got to be ready to implement the processes to make 
sure that we are safe.
    While we were discussing these issues in the context of 
electric buses purchased by transit agencies with FTA funding, 
these concerns are much more widespread than just buses. In 
fact, the same concerns apply to our electric vehicles, owned 
either by the Government or by private citizens, and the 
associated charging infrastructure.
    I wonder if either of you can expand on the significant 
increase in cybersecurity risks and threats we should expect as 
the result of the reckless pursuit of an electrified vehicle 
fleet by the majority, this administration, and, unfortunately, 
some Socialist-voting Members of my own party. Can you expand 
upon what we can expect?
    Mr. Schachter. Well, thank you. Thank you for that 
question.
    I think we are conflating two separate and very important 
issues. One is the fuel that any vehicle uses, whether it is 
electric power, diesel power. Inherently, they are not more or 
less at risk, from a cyber perspective.
    What we are really talking about here, and the cyber issue, 
is the electronic control system that is on board with not only 
electric buses, but if you were to buy a new diesel bus, or 
gasoline bus, or gasoline car, those vehicles all have some 
sort of electronic control system there, communications system, 
which is potentially vulnerable. And the correct steps, just 
like in protecting Government IT systems, the correct steps 
need to be taken to protect the IT system in that vehicle.
    And when we are talking about fossil-fuel powered vehicles 
or electric vehicles--obviously, the administration has 
identified addressing climate change as a top priority. And if 
we take the conversation to the subject of this hearing, which 
is cybersecurity, there are means and mechanisms of protecting 
those vehicles' intelligence systems on board. And we need to 
do that. And there are several organizations within DOT at work 
on that right now.
    Mr. Perry. Mr. Marinos?
    Mr. Marinos. Yes, Congressman. We have looked at issues 
with respect to modern vehicle cybersecurity over the last 
several years. And indeed, whether the fuel is gas or electric, 
the reality is that we are seeing an increase in the number of 
interfaces, the number of chips that are being placed, and the 
systems that those chips are powering.
    In fact, that is what we are seeing right now, as one of 
the challenges in terms of supply chain, is having those chips 
to be able to manufacture new cars, regardless of the fuel.
    The reality is that, if those interfaces are not properly 
secured, they can be exploited through direct physical access, 
and even remotely, as well. I think the reality, and maybe the 
very important element to this, is the need for our workforce 
to be able to be in the best position to oversee these types of 
automated technologies. And, as we reported back earlier this 
year, we think that the Department of Transportation needs to 
take a close look at its workforce to make sure that, as 
vehicles become more and more autonomous, that they have the 
appropriate folks in place to oversee that type of technology.
    Mr. Perry. Given DOT's lackluster cybersecurity posture at 
this moment, do you think they are prepared to deal with a 
massive increase in risk?
    And I would characterize--while I know that all of them 
have electronic interfaces, chips, and so on and so forth, not 
all of them have the ability to set the battery on fire if they 
are not battery-powered, if the battery is just in there to 
start the vehicle.
    But would you say that they are prepared to deal with the 
increase in risk?
    Mr. Marinos. I think that the Department--and I don't want 
to speak on its behalf, but in response to our recent work--I 
think would also recognize that it has more to do, in terms of 
being able to fill the skill gaps that they are going to need 
to fill to be in the best position to oversee this emerging 
technology.
    Mr. Perry. Mr. Schachter?
    Mr. Schachter. I would say DOT's security posture is on par 
or even better than other organizations that I have observed.
    All of us--the Government, as a whole, as well as 
individual agencies--will have a continual challenge to meet 
cybersecurity requirements. And, as we have said earlier in the 
hearing, we receive thousands of cybersecurity attacks every 
day, and only one has to slip through. So, normal batting 
averages here don't apply. We have to be perfect to protect our 
systems, our agencies, the Government, and the American people. 
It is an immense challenge with limited resources. We all know 
that.
    So that--I think DOT's posture is forward. Its attempts to 
include some of the very latest technologies--we were already 
on the road to many of the items that are contained in 
President Biden's Executive order on cybersecurity before that 
Executive order was issued.
    The audit that was referred to a little while ago by Mr. 
Dorsey regarding cloud services, they are seen as a best 
practice, as opposed to desktop applications, because they can 
be better protected from a common perimeter. And DOT had 
previously organized itself into a--using a common operating 
environment, unifying all of the operating modes, with the 
exception of FAA, into a single system, thereby providing one 
surface to protect from attacks. That is a best practice.
    We were there prior--toward the----
    Mr. Carson. The gentleman's time has expired.
    Mr. Perry. Thank you, Mr. Chairman, I yield.
    Mr. Carson. Mrs. Napolitano?
    Mrs. Napolitano. Yes, sir. Thank you, Mr. Chairman.
    Mr. Marinos, you highlight in the testimony that, in 
February of this year, the Cybersecurity and Infrastructure 
Security Agency issued an alert explaining that the cyber 
threat actors obtained an unauthorized access to a U.S. water 
treatment facility's industrial control system and attempted to 
increase the amount of caustic chemical that is used as part of 
the treatment process.
    My biggest concern is on security of our water systems, 
including our treatment plants, our dams, and our waterways. 
Are we doing enough to address the water systems' security? And 
what are your concerns in this area?
    Mr. Marinos. Simply put, we aren't, Congresswoman. The 
threats to the water infrastructure are real, and it comes from 
many of the same challenges that other sectors like it suffer, 
which include a reliance on legacy systems, systems that are 
not only outdated, but beyond even being supported by the 
vendors that actually created them.
    These include also workforce issues, having appropriate 
staff within often very small organizations that manage these 
types of facilities to be able to respond. In fact, in the case 
of the February attack, or the attempted attack, it was 
fortunate that there was, according to reports, an official 
that was actually monitoring, and was able to see the efforts 
as it happened, so they were able to thwart it.
    And so, I think the reality is that there needs to be more 
that is done. We are encouraged by the fact that Congress 
passed a law last year to establish in law the expectations of 
sector-specific agencies, known as Sector Risk Management 
Agencies, and the Environmental Protection Agency is that for 
the water sector.
    We think that EPA can do more to reach out to the sector to 
better understand whether the guidance that it provides is 
adequate to be able to address many of the challenges that I 
mentioned.
    Mrs. Napolitano. Would you suggest that they do training, 
virtual training of all water agencies, small and large?
    Mr. Marinos. Yes, I think that it is important for them to 
do that, in concert with their sector partners. And so, there 
is a good establishment of both Government and sector-specific 
representation that, as I am aware, based on even the prior 
hearing that your committee held, are working towards better 
training.
    But the reality is that we need to continue to see that 
happen more rapidly, because those cyber threats continue to 
evolve, as well.
    Mrs. Napolitano. Well, that is everyday security. We are 
having 1,000 or more security threats a day. Certainly, we can 
train people what to look for, initially, without having to 
wait months for training.
    Mr. Marinos. That is a very important point, Congresswoman. 
It is about elevating the entire cybersecurity awareness of the 
Nation. The reality is that, until we do that, the bad guys are 
going to continue to exploit those that have the least 
knowledge and expertise in this area.
    Mrs. Napolitano. So, what are your biggest concerns in the 
area?
    Mr. Marinos. Well, I think first and foremost is making 
sure that the support that Federal Government agencies is 
providing is the right one, and that means doing more to assess 
what the actual risks are to the specific sectors, and then 
reflecting that in actual plans that they can execute.
    Mrs. Napolitano. Would that be EPA's responsibility?
    Mr. Marinos. That would be EPA's. It would also be the 
Department of Homeland Security within CISA.
    We are still waiting to see a National Infrastructure 
Protection Plan get updated, hoping to see that in the next 
couple of years. But unfortunately, sectors can't wait to do 
that themselves.
    Mrs. Napolitano. Well, we should promote some kind of 
movement to immediately start assisting the agencies that have 
no way of knowing what to look for.
    Mr. Marinos. Well, actually, Congresswoman, you have done 
that in law. So, Congress did pass a law that tasked GAO with 
evaluating how effective Sector Risk Management Agencies are in 
fulfilling their statutory responsibilities. So, we will be 
reporting back to you in the near future.
    Mrs. Napolitano. Yes, but many agencies are too small. They 
don't have personnel that are either equipped or trained, and 
they may not know that the new law exists, and it would help in 
being able to help them identify. So, we need to go down to the 
grassroots, to the smallest of the small.
    Mr. Marinos. I would agree. I think a better--not only 
better information about what the expectations and 
responsibilities are, but also what offerings the Federal 
Government can provide through CISA, through EPA, and others to 
those operators that need the help is very important.
    Mrs. Napolitano. Well, with the Army Corps' oversight over 
the dams, I think they should be part of it, too.
    Mr. Marinos. They are part of the sectors that have been 
identified. So, responsibilities do carry forward to the 
agencies that have responsibilities for dams, as well.
    Mrs. Napolitano. Thank you very much for your concern, and 
I look forward to talking to you later.
    Mr. Chairman, I yield back.
    Mr. Carson. The gentlelady yields back.
    Mr. Davis?
    Mr. Rodney Davis. Thank you, Mr. Chair.
    First, Ms. Newhouse, we understand that TSA will soon 
release security directives for passenger rail, freight rail, 
and rail transit operators.
    But unfortunately, though, we have heard concerns about the 
development of these directives from stakeholders, not the TSA, 
including from the freight rail industry. And that was at our 
previous hearing on cybersecurity and in a November 4th letter 
from the American Public Transportation Association, which, Mr. 
Chair, I ask unanimous consent to insert into the record.
    Mr. Carson. Without objection.
    [This letter was submitted for the record by Hon. Eric A. 
``Rick'' Crawford on page 179.]
    Mr. Rodney Davis. Thank you.
    Ms. Newhouse, it is good to see you again. I can't wait to 
see you all in person.
    Unfortunately, the TSA failed to provide this committee 
with advance notice of this, despite that you were coming here 
the same week to discuss these same cybersecurity issues. 
Committee staff even asked and were essentially told to wait 
for official congressional notification, despite what we knew 
of other committees receiving advance notice.
    After back-and-forth by staff, I am told we received an 
embargoed copy at 9:25 a.m. this morning, which really doesn't 
give our team or us any time to meaningfully review, and 
actually figure out what important questions we might have for 
you today to ask you about it.
    Further, the letters attached indicate that the directives 
were actually issued yesterday, December 1st, which was--I just 
want you to take a message back, Ms. Newhouse, that this 
committee--because we, obviously, have some jurisdiction over 
the issues we are talking about today, otherwise you wouldn't 
be here--we expect to be notified of actions that your agency 
is going to take, just like other committees get that 
notification.
    If anything you are doing is going to affect the modes of 
transportation, and the safety of those modes of 
transportation, and the areas that we have jurisdiction over, 
we expect to be notified here. I mean, we are one of the 
largest committees in Congress. Can you please make sure you 
send that message back to your colleagues, and take that 
message back to TSA, too? Because we are pretty frustrated. And 
frankly, these are issues that I think we all ought to work 
together on, and--instead of have a minimal amount of time to 
be able to address them.
    But thank you, it is great to see you. I hope to talk to 
you again in the future, and I look forward to our next 
meeting.
    Mr. Marinos, it is my understanding that the GAO is in the 
process of completing its annual report on cybersecurity and 
surveillance threats to Congress. In undertaking this 
assessment, how has GAO pursued access to House and Senate 
cybersecurity data, and how does the GAO plan to ensure that 
information about Congress' cyber posture remains secure?
    Mr. Marinos. Well, first, Congressman, I just want to say 
that we appreciate Congress tasking us with this important 
review, and we take the responsibility of performing it very 
seriously.
    In terms of how we are protecting the information, we 
recognize that the information that we have been asked to 
review is very sensitive, but we also have a very long, 
successful track record of handling and protecting sensitive 
information that we receive from Government agencies, and also 
from industry. And we will, obviously, apply the most rigorous 
protections that we can to the information that we that we 
receive.
    Mr. Rodney Davis. Well, as you can imagine, access to House 
data is something that we all--Republicans, Democrats--guard 
very closely. However, we also recognize GAO's expertise in 
this area, and hope congressional entities are cooperating so 
that we achieve the desired aim of the annual report. So, thank 
you, again.
    Another question, Mr. Marinos. We have seen attacks on our 
critical infrastructure, including the one earlier this year on 
the Colonial Pipeline, as mentioned in earlier testimony. 
Monitoring is critical to thwart future attacks. However, 
monitoring is not the end of what our efforts should be, and we 
should have a layered approach to cybersecurity, especially 
when protecting our Nation's most vital infrastructure assets.
    Can you tell us--and this may be a question for DOT also, 
Mr. Schachter--what is the Department of Transportation doing 
to fortify our critical assets in the field, such as air 
traffic control towers, pipelines, and railroads, that are 
carrying hazardous materials or passengers, so that they can 
operate effectively when malicious actors have already 
compromised the integrity of the network?
    Let's just go to you, Mr. Schachter. Can you answer that 
with the time I have left?
    Mr. Schachter. Sure. Thank you very much for the question.
    So, DOT, in each of the areas that you mentioned, is 
working with our private-sector partners to improve their 
cybersecurity practices. And, as stated before, our cooperation 
through TSA to those private-sector partners, we act as co-
sector risk management officials in those areas. So, we need 
the participation from all of those parties to become more 
cyber secure.
    Mr. Rodney Davis. Well, we continue to offer to work with 
you on these endeavors. And I apologize for mispronouncing your 
name earlier, Mr. Schachter.
    Thank you all for being here today, and I yield back the 
balance of my time.
    Mr. Carson. The gentleman yields back.
    Mr. Johnson?
    Mr. Johnson of Georgia. Thank you, Mr. Chairman, and thank 
you to the witnesses for your time and your testimony today.
    During part 1 of this hearing, we learned how our critical 
infrastructure remains vulnerable to cyberattacks. And in 
October of 2021, the DOT's OIG released a report on the Federal 
Transit Administration's cybersecurity weaknesses, which found 
that weaknesses in FTA's financial management systems could 
affect its ability to disburse COVID-19 funds.
    In Atlanta, the Metropolitan Atlanta Rapid Transit 
Authority has been anticipating $284 million in emergency 
funding, which is critical to the mobility of our residents, 
especially communities of color and essential workers who 
disproportionately depend on transit to get to work and school. 
My constituents can't afford a delay in funding because of a 
cybersecurity incident.
    The OIG report notes that the FTA has failed to fix 
weaknesses that have been known since 2016, a total of 5 years. 
While the delay is not unique to FTA, it puts us all at risk. 
Mr. Dorsey, why has FTA moved so slowly to implement security 
control fixes?
    Mr. Dorsey. Thank you for your question, Congressman.
    We have worked with the Department for a number of years 
regarding the various cybersecurity weaknesses that we have 
identified through our reviews of the various--what we call 
system-level reviews. And with respect to FTA, what the 
Department had informed us was the fact that they had accepted 
the risk for a number of reasons regarding why they had these 
longstanding weaknesses.
    One of the reasons was primarily because they said they had 
to get the proper guidance at the Department level, with 
respect to addressing some of the weaknesses.
    Another reason was the fact that they had stated that they 
were concerned about decommissioning their systems or upgrading 
their systems for the fear that the systems needed to be 
operational 24/7.
    With those issues in mind, we decided to report out on 
those particular weaknesses. And what the FTA decided to do, 
after we had reported out, they indicated to us that they would 
take the immediate actions to address our concerns.
    Mr. Johnson of Georgia. Well----
    Mr. Dorsey. However, regarding the vulnerabilities 
associated with the 6 years or so associated with outdated 
databases, the Department had indicated----
    Mr. Johnson of Georgia. Well----
    Mr. Dorsey [continuing]. They would provide us with a 
response by 2023.
    Mr. Johnson of Georgia. Well, let me ask you, is there 
anything that Congress needs to do to ensure that FTA maintains 
better control over their cybersecurity?
    Mr. Dorsey. I believe what Congress can do is work with the 
Department, and maybe provide a sprint initiative, if you will, 
and require them to make sure they prioritize the 
implementation of what we consider to be some of the most 
significant cybersecurity weaknesses that we have identified 
over the years, and make sure that they follow up with Congress 
and report on their attempts and efforts to address those 
weaknesses.
    Mr. Johnson of Georgia. Thank you.
    Mr. Schachter, as the chief information officer at DOT, you 
lead on IT and cybersecurity issues. How can you ensure that 
DOT's component agencies, such as FTA and FAA, have the 
resources, capabilities, and leadership to correct current 
cybersecurity deficiencies, so that cities like Atlanta are not 
detrimentally impacted?
    Mr. Schachter. Well, thank you very much for that question.
    And as I specified in my testimony, cybersecurity is our 
number-one priority. And I highlighted three areas that we are 
prioritizing within that to take immediate action: the first is 
access control; the second is website security; and the third 
is governance and coordination across DOT. All of those issues 
are impacted, involved in the situations that you mentioned and 
Mr. Dorsey has mentioned.
    We have created cyber sprints, that I also referenced in my 
testimony, as a way to expedite improved performance in all of 
these areas. And I believe we will be able to report back to 
you later this year that we have made significant improvements.
    Mr. Johnson of Georgia. Thank you. My time is up, and I 
yield back.
    Mr. Carson. The gentleman yields back.
    Mr. Babin?
    Dr. Babin. Sir, thank you, Mr. Chairman. As I said the 
other week, when we had witnesses from the private sector here, 
I am so glad that we are having this hearing, and prioritizing 
this very important topic, for this committee to weigh in on 
the issue of cybersecurity in the transportation and critical 
infrastructure space. It is a great responsibility, and one we 
should all take very, very seriously.
    It is also a very timely topic. Right before we went home 
for Thanksgiving, the Director of CISA told the House Homeland 
Security Committee that ``ransomware has become the scourge on 
nearly every facet of our lives, and it's a prime example of 
the vulnerabilities that are emerging as our digital and our 
physical infrastructure increasingly converge.'' She went on to 
say that, ``The American way of life faces serious risks.''
    She is right. internet attacks are a full-fledged standard 
feature of our modern-day life. Hardly a day passes anymore 
without a media story breaking about a cyberattack, or at least 
a threat. These threats are disruptive, costly, and potentially 
life threatening. All of us saw what happened with the Colonial 
Pipeline breach last May, and how the attack led to gas 
shortages and interrupted supply chains.
    There is certainly a legitimate and appropriate role for us 
in the Federal Government to play in protecting the American 
people and our companies and businesses against theft, 
espionage, and cyberattacks. No question that each of you 
testifying here today are fighting for our national security. 
However, as you all know, cyber intrusions are very hard to 
track.
    We have got to be extraordinarily careful, as lawmakers, 
and as rulemakers, that we don't meddle in something that we 
don't properly understand, and unintentionally create more 
bloated regulation, or stifle innovation with overly burdensome 
requirements that don't truly secure our infrastructure. Any 
policy that we push forward has got to be aggressive, but 
consistent with our Nation's founding principles. Meanwhile, we 
provide for the common defense, while at the same time 
protecting civil liberties and free economic markets.
    Former Director of National Intelligence, and my former 
Texas colleague and classmate, John Ratcliffe, said that we 
need to attribute these attacks and either overtly or covertly 
retaliate against those responsible, thereby creating a 
deterrent for the future. If our long-term strategy to cyber 
criminals is just to simply pay the ransoms, and hope for the 
best with cyber insurance, we will certainly lose to our foes 
in this new battlefront.
    So, my question for you all is this, and I will open this 
to anyone who would like to answer, time permitting: What are 
some commonsense steps we, as lawmakers, can take to help you, 
our partners in the executive branch, better protect our 
infrastructure, and to encourage better reporting of cyber 
threats without infringing on people's civil liberties and the 
free market? I will open that up.
    Mr. Schachter. Thank you for that----
    Admiral Mauger. Congressman--go ahead. I will yield to my 
colleague at DOT.
    Dr. Babin. OK. Then, Admiral, you can come on second. Thank 
you.
    Mr. Schachter. Thank you, Congressman. Thank you, Admiral, 
I will try to be brief.
    I think your--one, a summary of your statement, 
Congressman, is that cybersecurity is everyone's 
responsibility, public sector and private sector, and we are 
all going to either succeed or fail at this together.
    And I think, from a congressional standpoint, it is 
understanding that new systems, or improvements to existing 
systems, need to be secure by design, and created with 
cybersecurity in mind. That is step 1. That would help us 
achieve our objectives. Thank you.
    Dr. Babin. Thank you.
    Admiral?
    Admiral Mauger. Congressman, thank you. I support the 
comments made by Mr. Schachter there, at DOT. What I would 
offer, as well, though, is that we have to treat cybersecurity 
as an operational imperative, and it has to be part of an 
overall risk management approach within--about the private 
sector and the Federal Government.
    And so, I think that in order to achieve that, you have to 
have an accountable person, they have to be able to do an 
assessment, and understand the risks. They have to be empowered 
to manage those risks. And then it also comes back to 
exercising and reporting.
    When it comes to reporting, right now we have to change the 
paradigm from ``what is the minimum I need to disclose?'' to 
``how can I help protect others?'' Because, as we've heard 
through testimony already, these incidents cut across so many 
different infrastructures, and reporting really helps us to 
make us all stronger, Congressman.
    Dr. Babin. Absolutely. Thank you so very much. And I hope 
that we will remember retaliation can curtail some of this.
    I will yield back, Mr. Chairman.
    Mr. Carson. The gentleman yields back. At this time, I will 
yield to myself.
    Mr. Grossman, the aviation sector is composed of aircraft, 
airlines, airports, and aviation operators, such as air traffic 
control personnel and ground crew. As you know, it's a mix of 
private-sector companies and public agencies, including the 
FAA. However, a cyberattack on one portion of this sector can 
have cascading effects on the entire system, with devastating 
impacts to the public.
    Can you describe, from a cybersecurity perspective, how the 
FAA assists and supports the aviation sector?
    Mr. Grossman. Absolutely, thank you for that question, 
Congressman. The FAA engages with industry on several fronts. 
We are a regulator and a collaborator.
    So, from a collaboration perspective, we engage with much 
of the aviation community through efforts like the Aviation 
ISAC, which we are close partners with; the Aviation Sector 
Coordinating Council; manufacturer associations; and, of 
course, through our primary engagement, the ACI, the Aviation 
Cyber Initiative. In these engagements, we share best practices 
and standards, guidance, and we promote information sharing.
    As a regulator, we work directly with manufacturers and 
[inaudible] standards to assure that these two are kind of 
married up, and so folks are using industry standards, and are 
building products that are appropriate.
    Mr. Carson. So, in defending the aviation sector from 
various cyber crimes, do you believe it is important to 
coordinate and even cooperate with the private sector to assist 
them?
    Mr. Grossman. Well, I think, as Mr. Schachter mentioned 
earlier, cybersecurity is a team sport, and we are all in this 
together. The public and private sector work together, which is 
really why we formed the cyber initiative for aviation itself, 
across the entire ecosystem, so we can work more 
collaboratively with operators, manufacturers, and other 
agencies. Private and public sectors work together to share 
information and to try to improve the resiliency of the 
ecosystem.
    Mr. Carson. So, this is for the entire panel: Where do you 
see the biggest cyber threats coming from, from specific actors 
like the recent attacks on local government entities with 
ransomware, from foreign entities, from nonstate actors?
    Are there significant threats from even some of our own 
weaknesses, like our failure to update and strengthen our cyber 
infrastructure, or poor cyber hygiene, and failure to apply 
strict cybersecurity protocols?
    What are your insights?
    Mr. Grossman. Well, Congressman, I think you just listed 
them all. I don't know that any of us--I don't want to speak 
for the rest of the panel--would highlight one over the other.
    We are all aware of the recent compromise of SolarWinds 
that occurred last year, but there are other threats out there. 
And I think that compromise is certainly still fresh in our 
minds. But, I wouldn't choose that actor over other actors or 
other vulnerabilities, if you were asking me which is worse.
    Mr. Marinos. But I would like to just mention that--I think 
it has come up several times, both from the witnesses and from 
the congressmen, as well--it is the interdependencies between 
the critical infrastructure that make this so challenging.
    So, we are talking about transportation, and transportation 
not only relies on other sectors to operate effectively, but 
other sectors rely on it, as well. We issued a report just last 
month on the communication sector, and the transportation 
sector was one of those sectors that had been identified by 
CISA as one it depended on. In other words, it could not 
operate without it.
    And so, I think the challenge there is, while there is 
resiliency built in, in many ways, to physical attacks, the 
cyberattacks continue to show us that we need to do more to not 
only shore up specific sectors, but the entire Nation's 
approach to cybersecurity, as well, which is why we emphasized 
in our recent work the importance of having a national cyber 
strategy, so that it can be an all-in-Government effort to 
elevate our cyber capabilities within the Nation.
    Mr. Carson. Thank you. Thank you all.
    Mr. Graves of Louisiana?
    Mr. Graves of Louisiana. Thank you, Mr. Chairman. I 
appreciate the witnesses testifying today, and I appreciate the 
importance of this topic. We have offered a number of 
amendments trying to increase funds for different cybersecurity 
programs related to infrastructure, and I think this is 
critically important.
    Ms. Newhouse, and perhaps Admiral, your testimonies discuss 
information sharing between TSA and the Coast Guard to identify 
and manage threats in the maritime transportation system. How 
do you communicate the threats to the individual ports, and how 
do you help to manage risk within the MTS?
    Admiral Mauger. Congressman, thanks for that question. So, 
unity of effort within the Coast Guard is part of our DNA, and 
so we take a multilevel approach to share information at the 
speed of cyber here, with the industry. But this is a dynamic 
threat environment. And going forward, we need to use a 
combination of both existing tools and new tools, or new 
methods, to get after the information sharing.
    So, for this multilevel approach at the local level, we 
work through our Area Maritime Security Committees. Each of 
those have established cyber subcommittees that are responsible 
for that day-to-day sharing of information, for conducting the 
exercises, for reviewing best practices, and understanding how 
to move forward. Those same people, then, are integral to 
response efforts when they occur in the ports.
    At the national level, we work through a number of 
different means. We have established a Maritime Cyber Readiness 
Branch within our Coast Guard Cyber Command that really becomes 
a focal point for threat information, dissemination, technical 
assistance to the field, and connection to the interagency. We 
have embedded folks in CISA. We meet regularly with the other 
Sector Risk Management Agencies. We engage with the MTS 
Information Sharing and Analysis Center, and we look for every 
opportunity to continue to share information, communicate 
threats, and understand the vulnerabilities in this industry, 
so we can protect the MTS.
    Mr. Graves of Louisiana. Thank you.
    And TSA, anything to update there?
    Ms. Newhouse. Thank you, Congressman. And to complement 
Admiral Mauger's information, I would like to say, yes, the 
United States Coast Guard has primacy in our Nation's ports. 
However, TSA plays an important role to support the security of 
the maritime transportation system.
    To that end, we have, actually, developed the TSA exercise 
training program, which started, frankly, as a port STEP, 
Security Training and Exercise Program. It started in the 
maritime sector in the mid-2000s. We have grown that training 
and exercise program across all modes of transportation.
    The U.S. Coast Guard is an important partner, where, as 
Admiral Mauger mentioned, we can actually exercise at both a 
national and a local level. And if an entity is not able to 
participate, we do maintain all of those lessons learned and 
exercise information in accessible systems to thousands of 
local operators, first responders, and those law enforcement 
professionals who support the security of the Nation's ports 
and other transportation modes.
    Congress also generously chartered the Surface 
Transportation Security Advisory Committee a few years ago. 
Amongst the members includes, obviously, our stakeholders, our 
private-sector stakeholders representing a multitude of 
interests across all surface transportation modes. However, we 
also have 14 Federal agencies that also serve on that committee 
as nonvoting, contributing members, so our----
    Mr. Graves of Louisiana. Ms. Newhouse? Ms. Newhouse, I 
think my concern is, if we have a very active, very live 
incident, the ability to quickly communicate and disseminate 
that information with the ports, I am not sure that the 
security committees or the apparatus that you are describing 
allows for that direct and sort of nimble communication to the 
ports and other potential threatened entities out there. And 
that is where my concern is.
    I just have about 45 seconds left, I wanted to ask one 
other question of the Coast Guard, and then I am going to 
follow up with you all through questions for the record.
    Admiral, can you tell me whether or not you all are working 
with FEMA to update the NIMS system to be able to track and 
follow through on cyber incidents?
    Admiral Mauger. Congressman, in terms of, first of all, 
communication with the ports, we have 24-hour watches that have 
access to the information and share that information. But I 
look forward to your questions, and followup questions.
    With regard to incident response, we stand up at the local 
level a unified command, which is a structure that was 
established under NIMS to be able to respond to incidents. And 
we can be happy to provide more information about that, and 
follow up, or later during this hearing, if you would like.
    Mr. Graves of Louisiana. That would be great. And maybe 
NIMS isn't the perfect system, but it seems like there needs to 
be some type of mechanism like that for tracking 
accountability.
    Thank you, Mr. Chairman, I yield back.
    Mr. Carson. The gentleman yields back.
    Ms. Titus?
    Ms. Titus. Thank you very much. I would like to go back and 
follow up on some of Mr. Carson's comments about coordinating 
with the private sector.
    Mr. Grossman, you mentioned the ISAC, I think. One area 
that you all didn't talk about, the coordination, is in 
commercial space. We have been hearing a lot about these 
billionaire joy rides to outer space, but we know that is an 
important industry, it can help us take products up to the 
space station, or launch satellites, so a good potential use 
there. And there are a variety of companies that are starting 
to get into this. And I think that that increases the potential 
for cyber threats.
    I wonder if you could talk about how these ISACs work; if 
you are looking at cyber threats, how we coordinate with the 
commercial space industry.
    Mr. Grossman. Congresswoman, thank you for your question. 
Unfortunately, that doesn't fall under my purview.
    However, I understand FAA's Office of Commercial Space 
Transportation is heavily involved in the development of the 
space cybersecurity policies and assisted the development of 
the ISAC and the space policy directive. That directive 
established key cybersecurity principles to guide and serve as 
a foundation for the U.S. approach to cyber protection of space 
systems.
    I could certainly follow up with you, though, to get more 
information on your question, if you would like.
    Ms. Titus. Well, I would appreciate that, because I realize 
it is not directly under what you do, but you do a lot of 
things all around that area, and I think it is something that 
is worth bringing to the attention of the committee, because it 
is going to become increasingly at issue, as we do more of this 
private space adventures, I guess.
    I would ask Ms. Newhouse--I know you were instrumental in 
setting up the whole PreCheck program, so you are very informed 
on how this works, and you got it off the ground, and we have 
seen it expand now. The line for PreCheck is longer than the 
regular line, I think.
    But one of the things that we have heard in areas that 
are--rural communities, is that they have a hard time actually 
coming in person to get the PreCheck clearance, so there is 
some attempt to move to remote applications. Could you talk 
about that, and how that data that could be collected remotely 
can also be protected?
    And do you need legislation for that, or is it something 
you can just do internally, or through regulation?
    Ms. Newhouse. Thank you for your question, Congresswoman, 
and thank you very much for your support of the TSA PreCheck 
program. We greatly appreciate the insights that Congress and 
all of our stakeholders give us on a daily basis.
    I can say, at a very high level, I do know that the office 
that runs that program for TSA has endeavored to expand 
enrollment capabilities, as you mentioned, Congresswoman, and 
we are actually in progress of bringing on additional contract 
support, different vendors to do that in a secure manner.
    I am happy to get back to you and your staff with specific 
answers to those questions on how we are best requiring 
protection of that information, and how we will oversee that 
information. Thank you.
    Ms. Titus. Thank you. I would appreciate that. So much of 
our information is shared in an airport, whether it is through 
TSA, or just plugging in while you are waiting for your flight, 
or even on the flight itself.
    So, I think that, to be sure that this is all secure, 
information in the screening process--because the trip begins 
when you get out of the car at the airport. We want that to all 
work well, and we want people to feel secure that that 
information can't be compromised. So, I look forward to getting 
that from you.
    And I will yield back, Mr. Chairman.
    Ms. Davids of Kansas [presiding]. The gentlewoman yields 
back. The Chair now recognizes Mr. Weber for 5 minutes.
    Mr. Weber. Thank you, Madam Chairwoman. I appreciate that. 
I want to talk a minute about pipelines. I appreciated Garret 
Graves's comments about ports, and we will tie these together.
    As you all know, the Colonial Pipeline system was hacked 
into--I think it was May of this year. It was down for 4 or 5 
days. It feeds the Southeastern United States, moves about 2\1/
2\ million barrels of product a day, which is gasoline and jet 
fuel, diesel, extremely important to our infrastructure, 
obviously, energy infrastructure; we would argue national 
security infrastructure, because we are going to need fuel to 
move our military stuff.
    The Keystone Pipeline comes into our district, it is about 
one-third [inaudible] without any redundancy of the Keystone 
Pipeline, or more pipeline security stuff--and many of you all 
probably know pipelines have a 99-percent safety rating 
[inaudible] all that [inaudible] with them. They move product 
the most efficiently and the most safely. All that to say that, 
from an energy perspective, with vulnerability of being hacked, 
would it sound like we ought to have a system in place to 
notify either pipeline operators--I would add ports to it, like 
Congressman Graves did, as well as other ways that we move 
energy.
    Since we have limited time--and I know we talked about 
doing it at cyber speed, so to speak, but should there be a 
process in place to where the greatest amount of energy is 
protected as early on as possible? I don't know. Is that 
possible?
    Mr. Schachter, I go to you. Is that something that sounds, 
number one, a good idea; and, number two, possible?
    Mr. Schachter. Thank you for that question. If I understand 
it correctly, we are talking about coordination and 
communication between the private-sector partners that provide 
the energy, the fuels, the pipeline operators, as well as the 
Government, in its regulatory capacity.
    Mr. Weber. Correct.
    Mr. Schachter. I believe TSA----
    Mr. Weber. And with ports--let me also say ports, too, 
because, you know, our country runs on--the economy of our 
country, it is important, runs on trade. So, let's not leave 
the ports out.
    Mr. Schachter. OK. So the same principles will apply in my 
answer, thank you.
    Mr. Weber. Right.
    Mr. Schachter. TSA has moved aggressively to improve 
information sharing and incident reporting from all of those 
private-sector actors, and to coordinate with both DOT and 
other Government regulatory bodies that have an interest in 
those areas.
    As you probably know, ports, as well as the pipelines, are 
also privately operated, so that we have to work with those 
private-sector partners, and try to influence them and advise 
them to improve their own cybersecurity practices to protect 
their systems, so that they are less likely to be attacked. 
Some of that is standard IT access control, but it also moves 
into operational technology, which are very specialized, and 
outside the realm of DOT information technology.
    Mr. Weber. But if we had a system to catch that--I know we 
monitor a lot of stuff--and be able to communicate that as 
quickly as possible--I know there was some discussion about 
banks here a while--some years back since I've been in 
Congress--same thing.
    But if we had a system in place where we could at least be 
a--I don't know what the right term is--co-managing partner, or 
have a process--I am going to move on to the admiral next--
whereby, if we know something is in the making, we can alert 
them as quickly as possible, and thereby protect our 
infrastructure, in terms of energy, national security, and the 
marketplace, if you will, Admiral, what do you think? Sounds 
like a good idea?
    Admiral Mauger. Congressman, intelligence and understanding 
what is happening to the threat level is really a critical 
piece of how we collectively protect the Nation.
    And so, we have established procedures by which we can 
share information rapidly, both through the interagency, down 
to our field units, and, in several cases, with the private 
sector, through our Area Maritime Security Committees.
    What we are also finding out, though, is that this is a 
very broad problem. And so, it is important that we get 
together and collaborate at the lowest level possible. CISA has 
established a Joint Cyber Defense Collaborative that is 
bringing private sector and the interagency together at a low 
level to be able to see those threats and challenges as they 
evolve, and share those out rapidly, and put the mitigations in 
place. And so, this is an important issue, and we are getting 
after it.
    Mr. Weber. Well, thank you for that.
    And Madam Chair, I cannot see the clock. How much time do I 
have left?
    Ms. Davids of Kansas. The gentleman's time has expired.
    Mr. Weber. Well, let me just end with one quick thing for 
Ms. Newhouse, for the TSA.
    If you can prevent the random disappearance of my wife's 
TSA number on her airline tickets, it would be worth everything 
to me in Congress.
    [Laughter.]
    Mr. Weber. I appreciate what you all----
    Ms. Newhouse. Congressman, we are happy to help. If you 
have any questions, or any Members here have questions about 
TSA PreCheck or your family members, please let me know, and I 
am happy to make sure we solve any issues. Thank you.
    Mr. Weber. Thank you so much.
    Thank you, Madam Chair. I yield back.
    Ms. Davids of Kansas. Thank you. The gentleman yields back. 
Ms. Brownley is now recognized for 5 minutes.
    Ms. Brownley. Thank you, Madam Chair. My first question is 
to Mr. Dorsey.
    Mr. Dorsey, in October your office issued a disturbing 
report about IT security weaknesses at the Federal Motor 
Carrier Safety Administration. You placed malware in the 
network, and the agency failed to detect it.
    So, I was curious to know, is this a practice that you do 
in other agencies? Why was this particular agency selected for 
this exercise? I am sort of curious of the thought process 
behind it.
    Mr. Dorsey. Thank you very much, Congresswoman, for your 
question.
    Throughout our reviews on an annual basis, we have issued a 
number of audits with respect to our vulnerability assessments 
and penetration testing work of the Department's IT 
infrastructure to determine whether or not the Department has 
established secure practices to protect and secure its IT 
infrastructure.
    Our review of the Federal Motor Carrier Safety 
Administration was not our first review of the Department's IT 
infrastructure. As a matter of fact, it was the third review. 
We initially started back in 2016, and issued a report on Volpe 
Center, the Department's research arm, and we followed that up 
with a review of the Department's MARAD association. And 
Federal Motor Carriers was just the third in a series of 
reviews that we are planning to do with respect to assessing 
the Department's security posture at all of its operating 
administrations. We just initiated another review of the 
Federal Highway Administration's IT infrastructure.
    And what we are doing that for is to determine whether or 
not the Department is instituting the proper controls, 
enforcing oversight of their own policies that they have in 
place, where we have identified, primarily, persistent security 
weaknesses that has provided us with a path to actually 
compromise the Department's IT infrastructure.
    Ms. Brownley. Did the Federal Highway Administration fare 
better?
    Mr. Dorsey. We just initiated that review. We normally take 
about 7 to 10 months to complete our review, and we will be 
reporting out on the status of that review at that time.
    But what we have found in the past is just, primarily, 
persistent weaknesses in basic things, such as lack of strong 
passwords, unpatched or what we consider to be software that is 
not updated in various operating systems. We find a lack of 
encryption in data. And those persistent weaknesses are how we, 
primarily, were able to penetrate the Department's IT 
infrastructure.
    Ms. Brownley. Thank you, sir.
    Mr. Schachter, I know you have only been in the 
Department--in your opening comments you said you have been 
there for 3 months. Certainly, 11 years in the city of New 
York.
    And I guess, you know, I would just like to ask you, what 
grade would you give yourself at this particular point? Would 
it be an A, a B, a C, a D, an F? How would you grade yourself 
right now?
    Mr. Schachter. Well, thank you for the question. I don't 
have enough information yet to provide that sort of an 
assessment.
    What I can tell you, and as Mr. Dorsey mentioned, some of 
those audit findings do go back to 2016, before DOT created a 
central operating environment for the purpose of addressing, 
across DOT, some of the very same findings that OIG found in 
multiple modes related to access control, vulnerability in 
patch management. That the common operating environment gives 
us much better tools to provide that security across all the 
modes at DOT who use this common operating environment.
    So, our performance has already improved, but we have a 
ways to go. And we are transparently acknowledging that, as I 
did in my opening statement.
    Ms. Brownley. And----
    Mr. Schachter. And I think, as--pardon me?
    Ms. Brownley. Well, I just wanted to go on to another 
question, because I only have a few more seconds left.
    Mr. Schachter. Sure.
    Ms. Brownley. So, you have also mentioned limited resources 
several times in your answers today. And so, I am wondering, do 
you have enough resources to do what you think you need to do?
    And, if not, are you planning on making further budget 
requests in the 2023 budget cycle?
    Mr. Schachter. Thank you for that question, as well. I am 
still too new to the position to fully assess whether we have 
sufficient resources, as needed to address this, or the 
resources in the right place, or with the right expertise. And 
I expect, before too long, to be able to share that 
information.
    Ms. Brownley. Thank you, sir. My time is up.
    Madam Chair, I yield back.
    Ms. Davids of Kansas. Thank you. The gentlewoman yields 
back. The Chair now recognizes Mr. Burchett for 5 minutes.
    Mr. Burchett. Thank you, Chairlady. This is for Rear 
Admiral Mauger.
    How do you say your name, sir? Is it Mauger or Mauger?
    Admiral Mauger. It is Mauger, Congressman, thank you.
    Mr. Burchett. All right, all right. And you can call me 
Tim. Semper paratus, I believe, is your all's motto, if I am 
correct.
    I am really concerned about the Russian efforts to target 
the undersea fiber optic cables that carry 99 percent of U.S. 
communications abroad, many of which are operated by private 
companies.
    I understand that a lot of information about our undersea 
cable system is classified, but, given the Coast Guard's role 
in protecting the Marine Transportation System, can you comment 
on our Nation's ability to prevent and respond to cyberattacks 
against our undersea cable infrastructure?
    Admiral Mauger. Congressman, our maritime transportation 
critical infrastructure is varied, and it is dependent on other 
modes of critical infrastructure.
    And, as you have highlighted, there are very substantial 
threats against the maritime critical infrastructure every day. 
And so that is why we have put together an--that is why we have 
operationalized our cybersecurity and made it part of our 
prevention and response framework, to make sure that we are 
getting after this threat at the speed and pace at which it 
demands.
    I can offer you a followup brief with regard to cables, if 
you would like, sir.
    Mr. Burchett. I would really like that.
    Just out of curiosity, how many ribbons are on your chest?
    [Laughter.]
    Admiral Mauger. Congressman, actually, I don't even know 
how many ribbons are on my chest here, so----
    Mr. Burchett. That is very----
    Admiral Mauger. Maybe I can get you that answer for the 
record.
    Mr. Burchett. That is all right. No, it is very 
distracting, but I think it is pretty cool. Thank you, brother, 
for serving our country.
    I will always remember a buddy of mine, Ron Eisenberg, back 
home, who is a Coastie, and I always remember at the Veterans 
Day celebration, that everybody gets up and sings their Service 
anthems, or whatever, and my daddy was an old Marine Corps--so 
he would sing the Marine Corps hymn. And there is always just 
one Coastie in all of Knox County that would get up and sing, 
and he would just scream it out in the back, because he would 
be by himself. And I always thought that was pretty cool. But 
thank you.
    Hey, this is for Ms. Newhouse at the TSA. I won't get after 
you for the terrible service sometimes I see people get, 
because in Knoxville, Tennessee, actually, the group is pretty 
good. I always gripe about the one up here, in DC, which is, in 
my opinion, pretty lackluster.
    But a couple of months ago the TSA announced plans to issue 
new cybersecurity regulations for rail and airline companies. 
Now, how much time did your all's agency give the impacted 
stakeholders to respond and provide feedback on those 
directives?
    Ms. Newhouse. Thank you, Congressman. And thank you for 
recognizing our fine transportation security officers, 
particularly in Tennessee. We are very proud of them, and they 
are, frankly, amongst our top-performing airports and officers 
in the country. So, thank you for that compliment.
    With respect to the rail and higher risk rail and rail 
transit directives, along with the aviation security program 
changes, actually, we have followed a very robust rubric of 
engagement. I will give you an example. For aviation, we 
utilize existing security requirements and programs, and 
provided ample notice and comment, both verbally and in writing 
in multiple sessions.
    And we have also, as I mentioned in my opening to 
Congressman Crawford, we have taken that feedback and updated 
definitions of a reportable cybersecurity incident. So, we have 
taken that seriously.
    With respect to my rail partners, as I mentioned earlier in 
my testimony, we have embarked on a robust engagement at the 
CEO level, starting with Secretary Mayorkas, Administrator 
Pekoske, amongst many other DHS senior officials along with our 
CISA partners, to engage both at the classified level and the 
unclassified level to describe the known, ongoing, and 
persistent threats that are driving these policies.
    We then provided written copies to the regulated parties to 
have an opportunity to review these, albeit in certain 
circumstances we do need to act swiftly, given the persistent 
threat. However, what we have done, and particularly over this 
last month, I can personally tell you from my office, the 
standpoint, we have engaged extensively over these last 4 weeks 
and have been updated, based on those feedbacks, particularly 
from our rail partners. Thank you.
    Mr. Burchett. Has your agency received any concerns from 
the stakeholders about how the upcoming cybersecurity 
directives would impact their current operations?
    Ms. Newhouse. Thank you, Congressman. Yes. Everything we do 
every day is about continuous improvement, and one of those 
areas of continuous improvement is to, first, do no harm and, 
actually, complement operations while securing those 
operations.
    So, we have heard a number of concerns to ensure that all 
operators, large and small, can apply these cybersecurity 
measures in an effective and efficient manner. So, we do take 
that into consideration, and we continue to solicit feedback. 
We are not just done when we issue the documents. It is a 
continuous feedback loop and improvement.
    Mr. Burchett. Thank----
    Ms. Newhouse. And we stand committed to that.
    Mr. Burchett. Thank you. I have run out of time.
    And I yield none of my time back to you, Chairlady. Thank 
you.
    Ms. Davids of Kansas. The gentleman yields. The Chair now 
recognizes Mr. Payne for 5 minutes.
    Mr. Payne. Thank you, Madam Chair.
    And Ms. Newhouse, I am going to contact you outside of this 
hearing with some respects to PreCheck at Newark International 
Airport. I received some documents from flyers that flew into 
Newark that had an issue with the PreCheck. But I will do that 
at a later time.
    Under the Rail Safety Improvement Act of 2008, Congress 
mandated railroads that carried hazardous materials and 
passengers to install Positive Train Control systems. Positive 
Train Control systems work to prevent unsafe movements and 
accidents by using an information network to regulate trains' 
positions.
    Can you elaborate on the new TSA directive concerning 
cybersecurity in passenger and freight rail?
    And how will this directive help secure PTC systems?
    Ms. Newhouse. Thank you for your question, Congressman, and 
we look forward to receiving the inquiry regarding TSA 
PreCheck. We are happy to help.
    With respect to the new rail security directives--and we 
have just worked with our partners to implement--it really--
with respect to Positive Train Control and any other 
operational or informational technology systems, those 
directives apply to all of it.
    And, if I may, we have focused very heavily on reporting. 
We have to know what--even anything that could, really, 
reasonably impact those operations, whether it is PTC or other 
IT or OT systems. So, the early warning and indicators are 
critical. So, that is part of the strategy with these new 
directives, is to designate that coordinator, have a 24/7 
availability to report those incidents to CISA.
    As Admiral Mauger mentioned, CISA has a--what we call a 
clearinghouse. This is central. In addition to multiple--and we 
don't forestall any other reporting requirements, or reporting 
channels that operators may have to independent operating 
agencies, but CISA is central, CISA is the center of the United 
States Government--to maintain that information, and 
disseminate it fast. It can go at the national level down to 
the local level.
    Again, with respect to any IT and OT system, we are 
requiring these rail operators to develop a cybersecurity 
incident response plan. We are working with them. We are doing 
that in concert with all of the modal administrations at DOT. 
We want to make sure that our folks in the field, as you are 
well familiar with them, have that information, and have that 
at hand.
    Mr. Payne. Yes----
    Ms. Newhouse. Back to--we are asking the operators to 
conduct self-assessments, and identify vulnerabilities and 
gaps, and have us help them close those gaps. Thank you.
    Mr. Payne. Thank you.
    Mr. Marinos, good cyber hygiene is critical to keeping our 
cyber transportation infrastructure safe and operational. 
Federal agencies must not be exempt from adhering to cyber 
hygiene standards.
    As chairman of the Railroads, Pipelines, and Hazardous 
Materials Subcommittee, I have a responsibility to ensure that 
the Federal Railroad Administration meets the evolving threat 
of cyberattacks. How can Congress better assist agencies such 
as FRA to develop and keep good cyber hygiene practices?
    Mr. Marinos. Congressman Payne, I think the best method of 
doing that is your continued support of the inspectors general 
community, as well as to GAO and the audits that we conduct. It 
is extremely helpful, and productive, in particular to have 
Congress' support, not only during our audits, but also 
following them, when it comes to recommendations that we have 
made. And so, we are grateful for that support.
    I think the important thing when it comes to, in 
particular, smaller entities, is to ensure that those 
departments and agencies that they are part of have the 
capability to monitor the performance themselves. And likewise, 
at the more central level, OMB and the Federal CIO and Federal 
CISA offices are doing everything they can to, likewise, give 
feedback to big and small agencies in what they need to do to 
get better at cybersecurity.
    Mr. Payne. Well, I thank you for that answer.
    And, Madam Chair, I will yield back.
    Ms. Davids of Kansas. I thank you, the gentleman yields 
back. The Chair now recognizes Mr. Balderson for 5 minutes.
    Mr. Balderson. Thank you, Madam Chair. My first question is 
to Mr. Grossman.
    Mr. Grossman, good morning, first of all. Last year, the 
GAO offered six recommendations to the FAA to strengthen its 
avionics cybersecurity oversight program. The GAO report found 
that evolving cyber threats and increasing connectivity between 
airplanes and other systems could put future flight safety at 
risk if the FAA doesn't prioritize oversight.
    Can you discuss what the FAA is doing to ensure these 
networks and systems are secure from cyber threats?
    Mr. Grossman. Good morning, or good afternoon, Congressman, 
thank you for the question.
    Yes, FAA looks at, really, at the whole system of the 
airplane, once avionics equipment is installed, to assure that 
there is proper procedures and protections.
    The avionics GAO audit that you referenced, the GAO issued 
six recommendations. We have already proposed closure on two of 
those. Three of those are scheduled for closure in March. And 
just one we have not concurred with. So, we welcomed that 
audit, and made some significant changes.
    Mr. Balderson. OK, thank you. One of the recommendations 
that the GAO made, which the FAA did not concur with, was to 
consider revising its policies and procedures for periodic 
independent testing. Can you discuss why the FAA disagreed with 
this recommendation?
    Mr. Grossman. Absolutely, sir. It was independent testing 
on aircraft that are currently flying in the fleet today, and 
we were concerned that independent testing--or penetration 
testing is how we had discussed with the GAO--on aircraft that 
are in the fleet, that are active aircraft, could leave 
residual damage to the avionics systems, affecting safety.
    Mr. Balderson. OK, thank you. And I have one more followup 
for you: Has the FAA developed an avionics cybersecurity 
training program?
    Mr. Grossman. An avionics cybersecurity training program?
    Mr. Balderson. Yes.
    Mr. Grossman. I am not aware of what we have developed, but 
I can certainly look into that and get back to you.
    Mr. Balderson. Thank you very much, I appreciate it.
    Mr. Marinos, thank you for joining us this afternoon. In 
December of 2020, GAO reported that none of the 23 agencies in 
its review had fully implemented key foundational practices for 
managing information in communications technology supply 
chains.
    Since 2010, GAO has made nearly 80 recommendations to 
enhance infrastructure cybersecurity. As of November, nearly 50 
of those recommendations have not been implemented.
    While we don't have time to go over all of these 
recommendations, could you please discuss which of these 
unimplemented recommendations should be given priority?
    Mr. Marinos. Yes, Congressman. I appreciate you pointing 
out the importance of the recommendations that we have 
outstanding.
    In addition to the recommendations that we made within that 
specific avionics report that you mentioned earlier in your 
questioning, I believe that the top recommendations with 
respect to critical infrastructure include making sure that 
Federal agencies that have sector-specific responsibilities are 
doing everything they can to assess what the cyber risks are to 
their respective sectors; put forward plans with stakeholder 
engagement that makes sense on how they are going to support 
those sectors; and then execute.
    To put it very carefully, most of those recommendations 
really expressed that in a variety of different ways across 
sectors that extend beyond transportation to include things 
like the grid, K through 12, financial services, and other 
sectors, as well.
    We also think it is very important for CISA to continue its 
effort to reach its full potential. When Congress passed a law 
in 2018 establishing CISA, the agency that grew out of NPPD 
took on a large set of activities that it had challenged itself 
to complete by the end of 2020.
    Unfortunately, a report that we issued earlier this year 
showed that they were not able to achieve quite a few of the 
important activities related to workforce planning, incident 
response, identifying essential functions. These are activities 
that CISA needs to complete as quickly as possible, and we have 
heard from CISA that there is intent to do many of those 
things, either by the end of this year or next. The urgency is 
there for that organization to gain its full potential to be 
able to provide support, both to infrastructure and to Federal 
agencies, as well.
    Mr. Balderson. OK, thank you very much.
    Madam Chair, I yield back.
    Ms. Davids of Kansas. The gentleman yields back. The Chair 
now recognizes Mr. Malinowski for 5 minutes.
    [Pause.]
    Ms. Davids of Kansas. It looks like Mr. Malinowski might 
not be on.
    Mr. Carter, you are now recognized for 5 minutes.
    Mr. Carter of Louisiana. Thank you, Madam Chair. I greatly 
appreciate the opportunity. Thank you so much to our 
participants.
    Mr. Marinos and Mr. Dorsey, both of your organizations have 
provided a lot of oversight of Federal Government cybersecurity 
strengths and weaknesses. Have either of your organizations 
looked at how prepared or vulnerable agencies are to potential 
cybersecurity attacks, specifically around the time of natural 
disasters?
    As you know, my district in Louisiana suffered a 
substantial storm, one of the largest ever. And my fear is, as 
we know, that hurricanes come every year, the intensity 
increases, and my fear is that our critical infrastructure is 
particularly vulnerable during those periods.
    Can you share with me your thoughts on ideas and/or 
practices to protect our critical infrastructure during natural 
disasters?
    Mr. Marinos. Yes, I would be happy to, Congressman. And I 
think that you noted in the previous hearing that the National 
Association of State CIOs had also identified that as a real 
threat. And so, I think it does speak to just how important it 
is to consider, not only when we can be strong at our most 
resilient state, but also at our weakest points, which can come 
often with natural disasters.
    What I would say is, over the course of the last several 
decades, GAO has been tasked by Congress to look specifically 
at how Federal agencies are preparing themselves for man-made 
or natural disasters through continuity of operations 
activities. And a key part of continuity planning is to ensure 
the continual availability of information, and you can't do 
that without thinking about cybersecurity, as well. I think 
that is probably a very important part of looking at any 
cybersecurity program at a Federal agency, is its ability to 
recover from disasters.
    I am not sure if Mr. Dorsey may have more specific DOT-
related examples to provide, but I am happy to pass it over to 
him.
    Mr. Dorsey. Thank you for the question, Congressman. And 
thank you, GAO.
    I just wanted to say that we have just recently initiated a 
review of the Department's high-value assets. And what we found 
is that the Department's high-value assets program is heavily 
reliant on the Department of Homeland Security efforts to work 
with the Department in assessing the Department's high-value 
assets.
    The Department has identified 21 high-value assets. From 
our understanding, there have been at least four assessments 
since the Department of Homeland Security has actually 
initiated its review of DOT's programs, and we are planning to 
continue our work over the next several months to determine 
what the actual governance process is that the Department has 
in place, as well as whether or not they are actually taking 
the initial steps required to assess and remediate the 
potential for a threat of any of those high-value assets. And--
--
    Mr. Carter of Louisiana. How do you disseminate that 
information with local governments or States, so that they are 
equipped for future instances?
    I understand you guys have several practices or studies 
that are ongoing, trying to determine best practices. How do 
you disseminate information so local governments are prepared, 
are better prepared?
    Mr. Dorsey. Our job is primarily to report directly to the 
department heads, as well as Congress. And how that information 
is disseminated down to the State and local level, I don't 
have----
    Mr. Carter of Louisiana. Mr. Marinos, could you respond to 
that, sir?
    Mr. Marinos. Yes, sir. I think that falls on the shoulders 
of CISA. We have seen CISA develop its capabilities, especially 
when it comes to the support it can provide to State and local 
governments, and to owners and operators that may not have 
capabilities to do things like assess their own capabilities. 
Those are offerings and services that CISA has.
    One thing that we have seen is an important need for CISA 
to continue its outreach across the board, whether they are big 
or small operators, so that there is awareness about what the 
Federal Government can do ahead of time, so that it can prepare 
itself to be resilient in the event of a situation like you 
describe, where natural disaster may coincide with a 
cyberattack.
    Mr. Carter of Louisiana. It would be very helpful if you 
would share with us information that we might be able to share 
with our local governments and States on what to do in the case 
of hurricanes or wildfires.
    You can imagine the devastation if someone took control of 
our apparatus, and we were not able to dispatch emergency EMS 
or fire equipment. These are real-life issues that, 
unfortunately, are becoming far too frequently experienced with 
local and State governments.
    So, thank you very much for your time and attention. Any 
information that you can share with us on how we, as a 
committee, can do better, or push buttons further to provide 
resources or awareness so this information is gotten out, and 
we are able to be prepared for future instances, as we know, 
unfortunately, they are becoming far too common.
    I yield back, thank you.
    Mr. Auchincloss [presiding]. The gentleman yields. The 
Chair recognizes Mr. Fitzpatrick for 5 minutes.
    Mr. Fitzpatrick. Thank you, Mr. Chairman.
    Ms. Newhouse, thank you for being with us today. When the 
Colonial Pipeline suffered their ransomware attack in May, we 
saw the grave impacts on our Nation and our infrastructure. 
TSA's directives to require reporting and incident report plans 
were needed.
    In 2020, the average estimated time to identify a breach 
was over 200 days.
    So, my question, first question, is what more is being done 
by your agency to identify cyberattacks in a quicker fashion?
    Ms. Newhouse. Thank you for your support and your question, 
Congressman.
    Actually, with respect to those security directives to the 
pipeline industry, we require reporting of the incidents within 
12 hours. And that is because of the criticality of our 
Nation's pipelines, the fact that they carry the majority of--
the significant effects that it would have if those were 
attacked, because they carry the majority of the resources 
needed to run this country. So that is why we were very 
forward-leaning in establishing that immediate timeframe. And 
we have since also updated that definition, as I have 
mentioned, of what is a reportable cybersecurity incident, in 
collaboration with industry.
    Mr. Fitzpatrick. Secondly, it has been found that well over 
80 percent of breaches are financially motivated, and the 
average ransomware payment rose over one-third in 2020, from 
2019 levels, to over $100,000.
    Do you believe that American companies should continue to 
pay ransoms to bad actors?
    And if not, do you think that legislation would be needed 
to, basically, disincentivize or, if not, ban and make illegal 
ransom payments altogether, and have more of a Federal program 
to address that?
    Ms. Newhouse. As referenced earlier, CISA Director Easterly 
referenced ransomware as likely the highest level of malicious 
cyber activity.
    I would say that, through the Department of Homeland 
Security, and CISA in particular, we work very closely with our 
law enforcement, the FBI, both Federal and State and local law 
enforcement, to identify those opportunities.
    I would defer to my CISA colleagues on how we can best 
combat ransomware from a technical standpoint, in addition to 
the financial aspects, as well. I am happy to take that back 
and coordinate that for you, Congressman.
    Mr. Fitzpatrick. Thank you, Ms. Newhouse.
    Mr. Chairman, I yield back.
    Mr. Auchincloss. The Chair recognizes Ms. Bourdeaux for a 
period of 5 minutes.
    Ms. Bourdeaux. Thank you so much, Mr. Chairman.
    We have all seen the far-reaching negative implications of 
cybersecurity attacks on the transportation sector. For 
example, in May of 2021, the ransomware attack on the Colonial 
Pipeline resulted in more than 43 percent of gas stations in my 
home State of Georgia being out of gas.
    It is clear from today's testimony that more work needs to 
be done to strengthen cybersecurity protections in all areas of 
the transportation sector.
    Mr. Grossman, in your written testimony you talk about the 
value of training through participation exercises or 
simulations. My district is home to Curiosity Lab at Peachtree 
Corners, which is a one-of-a-kind living lab designed to 
provide a real-world test environment to advance next 
generation intelligence, mobility, and smart city technology.
    What kind of simulations do you run to prepare your staff 
for cybersecurity attacks?
    And could you talk a little bit about the benefits of those 
real-life simulations?
    Mr. Grossman. Absolutely, Congresswoman, thank you very 
much for that question.
    As I mentioned in my oral testimony, as well, we have 
developed a cyber test facility in Atlantic City at our William 
J. Hughes Technical Center that serves as kind of the 
cornerstone of some of our exercise activities. We regularly 
conduct incident response exercises that include both the 
mission support side, or the normal, IT side of FAA, as well as 
the operational side, or the NAS, the National Airspace System.
    In addition to that, we conduct external exercises with DHS 
and all of Government. There are cyber exercises.
    We have also conducted international exercises with the 
Caribbean, with Mexico, and several other countries. This year, 
we have begun looking at cyber ranges, so that we can actually 
inject real-world cybersecurity threat into our exercises, so 
that we can get an actual look at what an actual attack would 
look like.
    Typically, when we simulated exercise, it is just the 
data----
    [Audio malfunction.]
    Ms. Bourdeaux. Might have lost----
    Mr. Grossman. Yes, I am sorry.
    Ms. Bourdeaux. Yes, I might have lost you for a second 
there.
    Mr. Grossman. I apologize.
    Ms. Bourdeaux. OK. So just to follow up with that, Mr. 
Schachter at the DOT, are there similar types of exercises that 
you do that you could talk a little about, and what the value 
add is of having that kind of real-life simulation?
    Mr. Schachter. Well, thank you for that question, because 
it gives me an opportunity to discuss, actually, one of the 
most effective and least expensive type of simulation 
exercises, and that is one where we send, essentially, a test 
email encouraging people to click on an unknown link, a 
technique called phishing.
    And what we see is, by repeating that on a regular basis, 
people get much smarter, and become much more cautious about 
clicking on those links. And, as was mentioned a little while 
ago, this is a prime way that malware gets introduced into 
enterprise environments unknowingly by people within the 
organization.
    So, this is a, as I said, a very effective, very 
inexpensive means of protecting the network, and providing 
greater access control.
    Ms. Bourdeaux. Thank you very much. I yield back the 
balance of my time.
    Mr. Auchincloss. The Chair recognizes Mr. Mast for a period 
of 5 minutes.
    Mr. Mast. Thank you.
    Admiral, I would love to start with you. Number one, thank 
you for your service in the United States Coast Guard. I very 
much appreciate that. I want to talk a little bit about this.
    If your men and women are physically attacked, do they 
return fire?
    Admiral Mauger. Congressman, we have a well-established, 
well-rehearsed, well-trained process in place for use of force 
in the Coast Guard. It is not my area of expertise. And so, if 
you want to go into that in more detail, I would be happy to 
take that question for the record or set up a briefing for you.
    Mr. Mast. Not a lot of detail, just logically and 
commonsensically, if somebody points the muzzle of a rifle at 
one of your men or women, and depresses the trigger, and moves 
around at a couple thousand feet per second towards one of your 
men and women, are they going to return fire?
    Admiral Mauger. Congressman, they will execute the Coast 
Guard use of force policy, and so, if fired on by an adversary, 
they will fire back.
    Mr. Mast. That is right. Like I said, that is not meant to 
be provocative, right? It is common sense that they will.
    Again, understanding you are not a shooter by your own 
admission, do you think that they should shoot until they 
totally eliminate the threat? Just opinion, I am looking for 
opinion on this. I understand you are not a shooter.
    Admiral Mauger. Congressman, I think that, in the general 
sense, our folks need to ensure their own personal protection, 
and for the protection of their colleagues, and ensure the 
protection of any members of the public as well. And so, they 
will carry out and continue with the use of force policy until 
that local Coast Guard's women or men is sure that things are 
safe.
    Mr. Mast. And we should dispatch the threats, in my 
opinion, and I have been a part of doing that in a different 
place.
    And I want to layer this on cyberattacks and cyber threats. 
And the reason that I asked that was to go and layer that on 
this question: Should we approach a cyberattack in the same way 
that we would approach a physical attack? Should we go out 
there?
    There is a moment that it turns from defending myself to 
going out there and seeking a violent course of action to 
dispatch the threat that is coming against me. And it becomes 
offensive, and that is not provocative.
    Should we be pursuing that in every instance of being shot 
at in the form of cyber, that we dispatch that threat so that 
it can never again pose that threat to us again?
    Admiral Mauger. So, Congressman, as we move this into the 
cyber landscape, it is really important to understand that 
there are key differences.
    There is a big difference between attributing a shooter 
right in front of you, using force against you that you can see 
and react to, versus somebody in the cyberspace that might be 
working through a different adversary, or he might be working 
through a different venue to get after you. So, attribution in 
cyberspace is really critical.
    That said, the Coast Guard released a cyber strategic 
outlook in August that puts together three lines of effort: the 
first line of effort is about defending and operating our 
networks and DoD networks; the second one is about protecting 
the maritime transportation system, and we bring together the 
full spectrum of the prevention and response framework to 
protect the maritime transportation system; and then the 
third----
    Mr. Mast. Do you----
    Admiral Mauger [continuing]. Element is----
    Mr. Mast. Do you believe in making that transition, 
however, from we were attacked, we are now assessing what 
happened from the attack, and we are now transitioning to 
offensive, to eliminate where we assess the origin of that 
threat?
    If you can assess the origin of that threat, do you believe 
in becoming offensive against that threat?
    Admiral Mauger. Congressman, we are building, with support 
from Congress in fiscal year 2021, and with support from the 
administration in the fiscal year 2022 President's budget, we 
are building out a cyber mission team capability that allows us 
to take full spectrum operations, provided that we have the 
right authorities in place, against adversaries.
    And so----
    Mr. Mast. So, that is a yes.
    Admiral Mauger [continuing]. It is an important part----
    Mr. Mast. The full spectrum, meaning----
    Admiral Mauger. It is an important part of our strategy.
    Mr. Mast. Full spectrum, meaning yes, you believe you 
should have that capability to transition to the offensive 
against where you believe a threat originated from.
    Admiral Mauger. Congressman, that is the key part of our 
three lines of effort and our strategic outlook. We are 
aligning our training under the joint DoD standards, so that we 
can work closely with the Department of Defense to carry out 
what the Nation needs from their forces.
    Mr. Mast. Very good.
    Mr. Auchincloss. The gentleman's time has expired.
    Mr. Mast. Thank you, Mr. Chair.
    Mr. Auchincloss. The Chair recognizes himself for 5 
minutes.
    Last month, we heard from industries on real-world 
challenges they face, and I look forward to speaking with our 
witnesses today on how the Federal Government can work with its 
private-sector partners to protect and strengthen our digital 
infrastructure, as well.
    This question is for, first, Mr. Dorsey, and then Mr. 
Marinos, in that order, please.
    My district in Massachusetts has two leaders, at least, in 
the cybersecurity industry. Industrial Defender is 
headquartered in Foxborough, Massachusetts, and CyberArk in 
Newton. These companies work on security roadmaps and software 
to protect complex operational technology in line with NIST 
compliance.
    Has the DOT Inspector General's Office and/or the GAO 
looked at how Federal agencies are interacting with companies 
like these, and local transportation agencies?
    And do you have any recommendations for improving public-
private coordination and cooperation?
    And these questions are first for Mr. Dorsey, and then for 
Mr. Marinos.
    Mr. Dorsey. Thank you for your question, Congressman. The 
Department of Transportation Office of Inspector General has 
not looked at that line of coordination, if you will.
    But what I will say is that, as part of our annual 
assessments through FEMA, we do work with the Department, and 
ask them a series of questions from the standpoint of a supply 
chain, a risk management area. And what we do with that line of 
reasoning is just to go back and determine whether or not the 
Department has taken appropriate steps with respect to ensuring 
that any vendor-related software that they get is not 
associated with any type of counterfeit efforts, or anything 
like that.
    And we also make a determination as to what extent does DOT 
ensure that products, system components, systems, and services 
of external providers are consistent with DOT cybersecurity 
policy. That is a new requirement that just has been 
incorporated in the IT system metrics that we have to assess on 
an annual basis.
    Outside of that, that is how we go about communicating with 
the OMB, as well as how we report to Congress with respect to 
what the Department's efforts are in that particular arena. 
Thank you.
    Mr. Auchincloss. Mr. Marinos?
    Mr. Marinos. Yes. So, Congressman, two thoughts here.
    One, GAO was tasked by law to evaluate the adequacy of 
standards that the National Institute of Standards and 
Technology puts out. So NIST. And the biggest one in this area 
is the cybersecurity framework.
    And as part of the four reviews--we are actually wrapping 
up the fourth just in the next few months--we looked at how 
this cyber framework was pulled together, including what kind 
of engagement NIST had in doing a public exposure draft, and 
receiving comments from outside stakeholders, and then 
incorporating them into the framework. They have done this on a 
couple of iterations of the framework, and they, of course, do 
it on other special publications, as well.
    So, we may not necessarily interact directly with 
organizations like those that you mentioned, but we certainly 
evaluate how NIST is taking in information from folks out 
there, the experts out there on cybersecurity, and whether they 
can use that to better the framework and the guidance that is 
being put out.
    And then the second thing I just mentioned too, though, is 
that GAO does engage quite often with State and local audit 
offices, including the Massachusetts State Auditor's Office, as 
well. And that has been a really great opportunity, because it 
gives us a chance to have a better sense of how effective 
Federal guidance is within their capacity, and what are sort of 
the threats and the landscape that they are also seeing State 
and local agencies have to combat, as well.
    Mr. Auchincloss. Thank you to you both. The Chair yields 
the balance of his time and recognizes Mr. Johnson for 5 
minutes.
    Mr. Johnson of South Dakota. Mr. Chairman, are you talking 
about Mr. Johnson of South Dakota?
    Mr. Auchincloss. Yes, sorry.
    Mr. Johnson of South Dakota. Very good. No, not a problem. 
All right, well, I will start with Mr. Grossman.
    And Mr. Grossman, I recently had the opportunity to visit 
an air traffic control facility in Sioux Falls just a couple of 
weeks ago, and it was fantastic, really dedicated people, for 
sure. Sean Hennet and others showed me around. But I couldn't 
help but notice how antiquated some of the computer equipment 
was. There were some newer systems, but they seemed to be 
intermingled with some that were older than many of the folks 
working in the tower.
    And so, give me some sense, very quickly, of the kind of 
challenges that we have keeping these systems safe when they 
are so antiquated.
    Mr. Grossman. Well, thank you for your question, and I 
appreciate your trip.
    I think, from a cyber perspective, those systems, while 
they appear to be old, we are able to keep them secure. If you 
are asking about simply replacing those systems, that is really 
not in my area. I would have to take your question back to our 
air traffic organization. But from a cybersecurity perspective, 
even though they appear old, they are certainly secure.
    Mr. Johnson of South Dakota. OK, very good. I appreciate 
that. And maybe I will shift gears now to Mr. Marinos.
    I listened with interest when you noted that GAO has made 
3,000 recommendations for improving cybersecurity to Federal 
agencies, and with even more interest when you noted that there 
are more than 900 of them that have not been implemented by 
those agencies.
    We haven't had a lot of discussion today about dams, which 
is under the jurisdiction of this committee. Sir, are you aware 
of any particular--and obviously, the dams are critically 
important, both from an electrical generation perspective, as 
well as a flood control perspective for this country--are you 
aware of any particular recommendations that have been made to 
the Department of Homeland Security vis-a-vis cybersecurity for 
our dam infrastructure that have not been implemented?
    Mr. Marinos. Actually, Congressman, sort of building off of 
the most recent question that I answered, the NIST 
cybersecurity framework, obviously, applies to all sectors. And 
so, as part of the work of the series of four reviews we have 
done, we have actually gone out to DHS and the other now Sector 
Risk Management Agencies, and we have asked them whether their 
respective sectors are finding it useful. You know, are they 
adopting it?
    And so, that would include the dam sector, as well, the 
subsector, as well.
    And so, in those instances, we have seen that Federal 
agencies are challenged, not only within that sector, within 
others, to be able to have that kind of dialogue with 
operators, big and small, within their respective sectors. 
There are a variety of reasons for that.
    One, there may simply not be the appropriate expertise at 
the operators to be able to interact, to provide that kind of 
feedback, even to be able to use the framework in the way that 
it is intended. It is a very expansive set of sort of--it is 
like--it has been sort of equated to, like, a grocery store. 
They can go in and pick and choose the cyber protections that 
you might want to implement.
    And so, I think the important thing is for DHS to make sure 
that it is getting feedback from, not only the dam sector, but 
others, to make sure that the support and guidance it is 
providing is actually useful.
    Mr. Johnson of South Dakota. So--and I think that is 
helpful. But, as you alluded to with your last answer, that is 
more comprehensive, right? It is across all impacted agencies.
    Does anything in particular stand out with regard--I mean, 
we were talking about some of the antiquated IT systems in 
place for the FAA. I happen to know that that is also the case 
for the operations of the dam systems with Western Area Power 
Administration and others. Anything in particular that comes to 
mind with that subsector?
    Mr. Marinos. Absolutely. And it doesn't just relate to that 
specific sector. But, as you point out, legacy systems, 
especially with operational technology, are something that 
operators need to be thinking about ahead, have a plan for how 
they intend to modernize.
    And as Larry pointed out, as Mr. Grossman pointed out, many 
of those systems may actually have, in some ways, better 
protections if they are air-gapped. In other words, if they are 
not connected to business systems within those respective 
companies, they may be better suited for the sort of 
operational control activities that they do.
    But the reality is that, again, that connection to the 
Federal Government--how do those operators know what the 
greatest threats are? That is going to require a good amount of 
information sharing, to and from, to kind of know what the 
posture is within the dam sector, as an example.
    Mr. Johnson of South Dakota. Yes, I think that is well 
said, sir.
    Has GAO indicated the investment gap--as we talk about 
these legacy systems and the need to replace them, has GAO 
estimated the size of that gap in dollars and cents?
    And could you point me toward a particular report that I 
could review to learn more?
    Mr. Marinos. I am happy to share information from the 
Federal agency side, and maybe that equates to the private 
sector. But the Federal Government continues to spend 80 
percent of its IT budget on legacy activities, not on 
modernizing. And so, I think that is an important aspect, as 
well as--as the DOT CIO mentioned--modernizing with security in 
mind from the beginning.
    Mr. Johnson of South Dakota. Very good. Thank you, Mr. 
Chairman, and I yield back.
    Mr. Auchincloss. The Chair recognizes Mr. Malinowski for 5 
minutes.
    Mr. Malinowski. Thank you, Mr. Chairman. I want to zoom out 
a bit--no pun intended--and talk about the future of 
transportation, 5, 10, 15 years from now, and get into how the 
Department is guarding against new and emerging threats. And 
then I want to ask Mr. Schachter for his thoughts, and Mr. 
Marinos for his reaction.
    I participated a few days ago in a tabletop exercise that 
simulated a hostile power taking down our GPS system, something 
that obviously would have incredibly dire implications, even 
today, for nearly all modes of transportation: air, rail, 
maritime, and more.
    In the consumer automobile context, some of America's 
largest companies--Tesla, Apple, Alphabet--are investing 
billions of dollars in autonomous vehicle technology. I was in 
a meeting just yesterday with Sundar Pichai, the CEO of 
Alphabet, which owns an autonomous driving startup, Waymo, and 
he reaffirmed his interest to us in bringing that technology to 
the market.
    So, while there is no expert consensus on precisely when 
there will be widespread adoption of level 4, level 5 autonomy, 
I think it is safe to say that we are going to have a huge 
number of vehicles on the road, certainly by the 2030s, that 
are heavily or even exclusively reliant on artificial 
intelligence to make decisions about accelerating, braking, 
turning, every road decision. And, in fact, today every car is 
rolling off the assembly line packed with computers. Many have 
internet-based, internet-enabled entertainment systems that are 
pre-installed, and there is even more revolutionary 
technological change to come, including, potentially, cars that 
are charged by the highways that they drive on themselves.
    As all of you know, any product, device, or service that is 
connected to the internet, or that is otherwise reliant on 
code, is going to be vulnerable, potentially vulnerable, to 
compromise. And the stakes are going to be incredibly high when 
we are talking about software-powered machines that are 
carrying people at 70 miles or more down the freeway.
    So, Mr. Schachter, recognizing your primary focus is on the 
internal IT management of the Department, that you have only 
been on the job for a few months, and you are not personally 
writing the regulations related to autonomy or grid safety, I 
do want to ask you some big-picture questions about how you and 
your colleagues are thinking about the threats that are around 
the corner.
    What cyber-related challenges does the Department expect to 
encounter in 5, 10, 15 years, when the technologies that we are 
just talking about today become mainstream?
    What is going to keep your successor up at night, and what, 
if anything, are you doing now to prepare?
    Mr. Schachter. Well, thank you very much for that question.
    GPS and overall positioning, navigation, and timing are 
very important issues that DOT is studying in multiple places. 
The best example I can give you actually relates back to my 
experience in New York City, where we were one of the three 
national connected vehicle test locations through a Department 
of Transportation connected vehicle pilot program.
    And securely communicating with all of the test vehicles, 
and standing up a security credential management system so that 
the vehicles were communicating for basic safety information 
like emergency braking, or even a traffic signal phase 
warnings, like when you were about to approach a red signal, we 
wanted to be sure, and the Federal Government wanted us to be 
sure, that all of those transmissions were from authenticated 
actors, and nobody was spoofing actors and potentially causing 
harm to either the people operating vehicles, or other road 
users, as well.
    So, that is a future technology that is not so far away, 
but certainly demonstrates the issue involved that you are 
referencing, that those communications need to be secure, and 
we need to know, both on the transmitting and receiving end, 
they are from partners we recognize.
    Mr. Malinowski. I guess I am out of time. I yield back.
    Mr. Auchincloss. The Chair recognizes Miss Gonzalez-Colon 
for 5 minutes.
    Miss Gonzalez-Colon. Thank you, Mr. Chair. My question will 
be to Mr. Larry Grossman. And the question will be--I just want 
to bring to attention that the FAA decision to utilize section 
804 to consolidate air traffic control operations in Miami for 
the Caribbean Basin, which includes Puerto Rico, and San Juan 
Airport operates with 1970s technology.
    Yet the San Juan Flight Center handles more than 4,000 
flights, mostly consistent--all flights, including arrivals, 
departures, and overflights for Puerto Rico, the U.S. Virgin 
Islands, the British Virgin Islands, and overflights from South 
America, due to its 400-mile-long airspace, which can take 
commercial airlines an hour to transit through. And this is the 
same number of flights that Atlanta airspace covers, from 
Charlotte to Savannah.
    So, my question will be, while I understand that this has 
been done to consolidate operations, and for cost savings, my 
concern is, what are the assurances that a cyberattack on the 
FAA facilities in Miami won't affect air traffic control 
operations in Puerto Rico?
    And what type of redundancies are put in place for smaller 
airports in rural and remote places, should a larger airport's 
air traffic control operations be affected by a cyberattack, 
considering that we have the international airport, but, as 
well, smaller airports around the island?
    Mr. Grossman. Well, thank you very much for your question. 
I am not, as I am sure you know, I am not responsible 
specifically for facilities consolidation.
    But from a cyber perspective, the protections that our air 
traffic control systems have are virtually identical, whether a 
facility is local, or whether it is remote and managed through 
our secure communication protocols, which is a service that we 
obtain. But that service is the same, whether you are dealing 
with a local facility or a remote facility. The security 
parameters are the same.
    Miss Gonzalez-Colon. Mr. Grossman, you have been talking 
about the aviation ecosystem. And with this concept in mind, 
what kind of training do airport and air traffic control 
workers get on cybersecurity?
    Mr. Grossman. Well, I can't speak for airport workers that 
are not specifically employees or our contractors, but I can 
tell you that all air traffic controllers are required to take 
yearly security awareness training, as are all our contract 
employees, contract tower employees, et cetera. Employees--go 
ahead, sorry.
    Miss Gonzalez-Colon. After the first hearing we had on this 
topic, some employees last month in the hearing said that they 
were conducting personal business on work computers, or even 
personal cell phones that exposed the companies they worked for 
to cyberattacks. How can we ensure that the same does not 
happen in airports around the country, or while airplanes are 
in the sky?
    Mr. Grossman. Well, I can assure you that there is no 
personal business done on any mission-critical system or 
service. Individuals' Government-issued workstations that they 
get their email on, they are permitted to do limited personal 
use, and that is very limited, you know, if someone needed to, 
on their break time, log into the bank, or something like that.
    Miss Gonzalez-Colon. Thank you.
    Mr. Dorsey, if you don't mind, how often does DOT test its 
security controls as part of the risk management issues the OIG 
identified in 2021?
    And what do those tests include?
    And do we have any operating agency experience a full 
cyberattack with different types of attacks?
    Mr. Dorsey. Thank you for the question, Congresswoman.
    We assessed the Department's areas in testing cybersecurity 
controls based on the NIST cybersecurity framework in five 
different areas. We determined whether or not the Department is 
adequately testing security controls centered around 
identifying and managing risk, protecting its IT systems from a 
configuration management standpoint, from a daily access and 
management standpoint----
    Mr. Auchincloss. The gentlewoman's time has expired.
    Miss Gonzalez-Colon. Thank you.
    Mr. Dorsey. I will be happy to provide you with an updated 
response on the record.
    Miss Gonzalez-Colon. Thank you.
    Mr. Auchincloss. The Chair recognizes Mr. Carbajal for 5 
minutes.
    Mr. Carbajal. Thank you, Mr. Chair.
    The shortcomings in our Nation's cybersecurity readiness 
are apparent, both in the public and the private sectors, as 
evidenced by the cyberattacks this year, including on the 
Colonial Pipeline and JBS Foods. We cannot leave ourselves 
vulnerable enough to allow bad actors to control essential 
infrastructure such as energy supply, water management, supply 
chains, and public transit.
    Mr. Dorsey, as you noted in your testimony, your office has 
identified information security as a top management challenge 
in the Department of Transportation. But yet the DOT has not 
resolved dozens of open recommendations by your office in the 
last year.
    In the report done by Clifton Larson Allen LLP released in 
October of this year, they concluded that the DOT must develop 
and communicate an organizationwide supply chain risk 
management strategy and implementation plan to guide and govern 
supply chain risks.
    What do you see as barriers to this recommendation being 
implemented?
    And given the supply chain issues we are currently 
experiencing, how urgently can the Department of Transportation 
act on this recommendation to avoid future disruptions?
    [Pause.]
    Mr. Carbajal. I think you need to get unmuted.
    Mr. Dorsey. Sorry. Thank you for the question, Congressman.
    As noted in my testimony, I noted three key areas that the 
Department needs to take immediate steps to address their 
cybersecurity issues that we have identified over the years. 
Similar to addressing supply chain risk management issues, this 
applies to all of the cybersecurity issues associated with the 
Department.
    And what the Department needs to do, from the start, is 
solidify its leadership at the Department's Chief Information 
Security Office level to ensure that, working with the current 
and new chief information officer, that they establish the 
right type of framework and controls to ensure the enforcement 
of the various recommendations that we have made over the 
years.
    The second thing that the Department needs to do is to 
develop a comprehensive, DOT-wide cybersecurity strategy to 
address our recurring weaknesses. Until they do so, which we 
have made a recommendation--we have made an overarching 
recommendation this year, and to the Department's credit, they 
agreed to implement that particular recommendation. Once they 
do that, and they meet the intent of the recommendation, then I 
think that will go a long way with addressing some of the 
concerns regarding supply chain risk management.
    And the last thing the Department needs to do is to ensure 
they put the proper controls in place to protect and secure its 
IT infrastructure. And in regards to supply chain risk 
management, that is a key area that we focused on during our 
enterprise-level review this year, and we will continue to 
report out on that as we move forward. Thank you.
    Mr. Carbajal. Thank you.
    Ms. Newhouse, leaving ourselves open to ransomware and 
other cyberattacks puts people's lives in jeopardy. It is a 
national security risk and threatens our economy. There needs 
to be a better communication between the private sector and 
Government to ensure we are prepared for future attacks.
    In our hearing of November 4th, we heard concerns from 
industry representatives that reporting mandates would create a 
flood of information, resulting in pertinent information being 
lost or skipped over by agencies.
    What steps are being taken by the TSA to ensure reporting 
mandates are collecting and processing pertinent information in 
an effective manner?
    And, two, can you walk me through how TSA takes in reported 
cyber threats, and then processes the data?
    Ms. Newhouse. Thank you, Congressman, I appreciate that. 
And I am very proud of the fact that we have continued robust 
engagement, a lot of engagement with a lot of stakeholders, 
including those who served on the panel, the previous hearing.
    Particularly, just myself in this past week, we have had 
executive-level meetings with senior executives in rail and 
passenger rail on this very topic. We have received their 
feedback on what we call our draft security directives, and 
that better informed our definition of what we were looking 
for, in terms of a reportable cybersecurity incident. We have 
made it more effective, less broad. So, it is an actual--or an 
incident that is reasonably likely to have a devastating impact 
on any of their systems.
    So, it is also important to note that those reports go to 
what we call CISA Central. The Cybersecurity and Infrastructure 
Security Agency has a centralized operation center. Our 
directives mandate reporting of that information to CISA 
Central.
    Mr. Carbajal. Thank you. My time is up. I yield back.
    Mr. Auchincloss. The Chair recognizes Ms. Van Duyne for 5 
minutes.
    Ms. Van Duyne. Thank you very much. I want to thank all of 
you for being with us this morning.
    My district is home to Dallas-Fort Worth International 
Airport, which is also the largest economic driver in the State 
of Texas, and one of the Nation's most important airline hubs. 
Over Thanksgiving weekend, we saw passenger numbers exceed 90 
percent of pre-pandemic volume throughout the country.
    DFW Airport is part of a working group with DHS and TSA, 
and I have heard that they have benefited from transparency, 
and have gained valuable information from working together, 
while also making positive improvements after TSA conducted a 
review.
    Mr. Grossman, many of our airport critical systems, such as 
radar systems, are hosted by airports around the country. Does 
the FAA offer collaboration similar to what we have seen with 
DHS and TSA for airports?
    And the second question would be what more can the FAA do 
to expand current collaboration and increase information 
sharing with our airports?
    Mr. Grossman. Thank you for those questions. I may have you 
repeat the first one, but I will answer the second one first.
    We collaborate extensively with airports through our 
Aviation Cyber Initiative, as well as the Aviation Sector 
Coordinating Council, which has airport authorities and AIA as 
members. And so, our collaboration with airports is pretty rich 
in substance. We share best practices with airports and, on 
many occasions, when there was a vulnerability identified, I 
believe on an airport lighting system that was a non-FAA 
component, we immediately shared that across the airport 
industry.
    And I would just ask if you could repeat the first 
question.
    Ms. Van Duyne. So, the first question I talked about DHS 
and TSA, and how they have collaborations in a working group 
that is focused on transparencies and ways to better 
collaborate, and I didn't know if--the question was, does the 
FAA have a similar working group with airports, like the other 
two do?
    Mr. Grossman. Well, we participate with TSA on the airports 
working group. And so----
    Ms. Van Duyne. OK. OK. I have got a followup question for 
Mr. Grossman and for Victoria Newhouse.
    Everything that we have heard from airlines is that in 
2022, that could be a record-breaking year, in terms of traffic 
from Europe, the Middle East, and South America, given the 
pent-up demand.
    So, obviously, Omicron can throw a wrench into those plans, 
but CBP staffing for international arrivals is going to be 
critical. It could be a significant pinch point, if they are 
not prepared. So how is the FAA preparing for further 
disruptions in the system, as we move closer to the busiest 
travel time of the year?
    Mr. Grossman. Well, again, that is--I apologize, that is 
not a cybersecurity-specific question. I believe our staffing 
numbers are not going to be impacted by that.
    Ms. Van Duyne. OK, so are you expecting further 
disruptions, or no?
    Mr. Grossman. I am not expecting any further disruptions, 
no.
    Ms. Van Duyne. OK, so there are no preparations being made, 
then, for the increased travel in 2022?
    Mr. Grossman. Well, we are staffed for that increased 
travel. I guess I am not sure of----
    Ms. Van Duyne. OK.
    Mr. Grossman [continuing]. The question, specifically.
    Ms. Van Duyne. OK.
    Mr. Grossman. So----
    Ms. Van Duyne. So, Ms. Newhouse, what is the TSA's plan to 
ensure checkpoints have proper staffing, and wait times are 
minimized for passengers?
    Ms. Newhouse. Congresswoman, we are leaning forward very 
heavily. As you may have heard from Administrator Pekoske over 
this past year, we have worked very hard to hire as many 
officers as we can. It is a very competitive labor market.
    But we are also focused on ensuring real-time reporting. We 
share that with our airline and airport partners daily, and 
sometimes hourly, to ensure any sort of issues in the system, 
whether it is equipment or personnel-related, is addressed 
immediately.
    Last, we do have our national deployment force that is 
ready and able to deploy at a moment's notice to support 
increased operations around the country. We have seen that 
successfully for major sporting events, such as the Super Bowl, 
spring training. Also, in the event of a natural disaster, we 
are able to put our personnel in to support air operations, 
while the personnel who are affected on the ground and their 
families can evacuate safely. Thank you.
    Ms. Van Duyne. I appreciate that. I, again, have gotten 
lots of calls and questions from folks who are constituents in 
the 24th Congressional District. They travel a lot, and there 
is a lot of frustration that they are feeling like the lines 
are getting much longer, that there are fewer TSA folks 
working. So, I just want to make sure that that is a focus that 
you guys are working on.
    Thank you very much, and I yield back.
    Mr. Auchincloss. The Chair recognizes Mr. Lamb for 5 
minutes.
    Mr. Lamb. Thank you, Mr. Chair, and thank you to all of our 
witnesses.
    Mr. Dorsey, I wanted to start with you. I took from your 
testimony that, while there are several sort of technological 
and purely cybersecurity issues at play here, there seems to 
be, at the foundation, kind of a personnel issue of maintaining 
consistent leadership in the key roles, and keeping people in 
place, and bringing people up through the system so that they 
understand it. And that is very similar to what I have seen on 
other committees dealing not only with cybersecurity, but also 
just kind of like talent--or technology acquisition and 
implementation.
    And so, it is not an easy problem to solve. I was just 
curious if, in your work, you saw any commonalities about why 
we were losing people, why we were failing to gain them in the 
first place, or any suggestions about how we could start to fix 
the personnel side of this.
    Mr. Dorsey. Thank you for your question, Congressman.
    Our assessments don't necessarily review what the 
workforce-related issues are, with respect to the Department's 
cybersecurity posture. So, I will not be able to provide you 
with a direct answer.
    What I will say is that I am very encouraged by the 
Department's current chief information officer, and the various 
discussions that I have had with him regarding the effort and 
his plans, moving forward, with respect to addressing the 
workforce issues.
    What our reviews have found is that there has been 
inconsistency at the top regarding the Department's leadership 
from the chief information officer, as well as the chief 
information security officer. And, as I noted in my testimony, 
over the last year the Department had an acting chief 
information security officer who said cybersecurity was not his 
primary role and responsibility.
    But what I will say is I am encouraged by the conversations 
that I have had with the current chief information officer, and 
I look forward to working with him, moving forward. Thank you.
    Mr. Lamb. I appreciate that, thank you.
    Do any of our agency witnesses want to weigh in on this 
question?
    Basically, what I am trying to get at is this is a common 
problem for us, because, obviously, people with strong 
cybersecurity management backgrounds are also in very high 
demand in the private sector. So, I don't know if you have any 
success stories or suggestions you could make to us about 
trying to put ourselves on a firmer footing here, from a 
personnel perspective.
    Is that Mr. Schachter from DOT?
    You are on mute, it sounds like.
    Mr. Schachter. Thank you. Yes, I would like to respond to 
that, and thank you for the question.
    It gives me the opportunity to say that, after having noted 
that improving cybersecurity at DOT is our number-one priority. 
Our second priority is investing in our workforce, and that 
means investing and helping them develop their careers, so that 
they are not only able to perform at higher levels with their 
current responsibilities, but they are adequately prepared for 
future responsibilities.
    It also includes recruitment and making sure that we hire 
in the right people with the greatest potential, and that we 
are looking at our own people for future professional 
opportunities.
    I will refer back to my experience as CTO and CIO at the 
New York City Department of Transportation, where I served for 
13 years. And in that role, we were able to achieve very low 
levels of attrition, due to a robust training program that 
invested in our staff, made them part of the agency's strategic 
mission, where they felt ownership and empowered. And even 
though the private sector often came calling with higher 
salaries, we lost relatively few people.
    And I understand, from industry information, that is a 
frequent problem not only for the Government, but even private-
sector companies losing staff to one another as each tries to 
outdo the others for the best food, or health club, in addition 
to just cash compensation. And the Government is often at a 
disadvantage when trying to compete in that arena.
    So, I think what we can do, though, is we play to our 
strengths, which is the importance of our mission, the 
opportunity for people to make a contribution to improving--and 
now, in this environment--the United States. And I believe that 
we will have a compelling story to tell that will both attract 
good new people, as well as help us keep the good ones that we 
already have.
    Mr. Lamb. I agree. We have to appeal to their patriotism. 
And I hope, if there is a way that we can help any of your 
agencies do that, you will let us know, because we know how 
important it is. Thank you for your participation.
    Mr. Chair, I yield back.
    Mr. Auchincloss. The Chair recognizes Mrs. Steel for 5 
minutes.
    Mrs. Steel. Thank you very much. Thank you, Mr. Chairman 
and Ranking Member Graves, for holding this important hearing.
    During my tenure, while serving as Orange County Supervisor 
and on the board of directors for the Orange County 
Transportation Authority, there was a cyberattack on the OCTA. 
Hackers froze some of OCTA's computer systems for 2 days and 
demanded ransom to unfreeze them. We did not pay the ransom, 
and chose to ignore the demand, and we had staff restore all 
infected servers. We are very lucky about it.
    So, I want to ask Ms. Newhouse, are there ways Federal 
agencies can improve communication with State and local 
government to best protect against these cyberattacks?
    And do you think the United States has the proper workforce 
to fight these current and future threats?
    These threats are coming in from sometimes China, sometimes 
North Korea. So, do you have that?
    Ms. Newhouse. Thank you, Congresswoman, and we are very 
proud of our relationships with our both Federal, State, and 
local partners, many of whom operate critical transportation 
assets throughout the country.
    We have a very robust field operation now in place that 
focuses solely on surface operations. That is one resource that 
is available 24/7. Each region of our country--we have divided 
it up into six regions--has a responsible executive, and an 
entire team of personnel ready to go to engage one-on-one.
    But you are absolutely--you hit it on the nail. That 
continued collaboration and dissemination of information, it 
could be anonymized, but it is important that we continue to 
provide both threat and indicator information to all operators, 
whether they are State or local or private, and we have 
established a number of mechanisms to do that through our 
directives.
    We are also looking for [inaudible] reporting so that way 
we can filter that, and make sure it gets sent out anonymized, 
and work through CISA and CISA Central to make sure those 
reports are getting disseminated in a very timely manner. Our 
TSA Operations Center also serves that--I would call it a 
redundancy.
    Third, we do have what I think are pretty unique 
information-sharing cells within the United States Government. 
We actually have groups of individuals, both for surface 
transportation and aviation, that can actually participate in 
daily threat briefings with the TSA. They can do it remotely 
from their locations, and that is another opportunity where we, 
again, provide that persistent information, both indicators, 
threat and tools.
    We do also have--you point out that the nation-state 
actors--CISA's security bulletins, just as recently as last 
week, was issued referencing a nation-state actor. That is 
where TSA, the DHS enterprise, works very closely with our U.S. 
intelligence community. We rely closely and heavily on their 
intelligence and assessments, along with our Federal Bureau of 
Investigation and other law enforcement entities.
    We do have the workforce in place in the United States 
Government. I have a background in intelligence operations 
myself, and I can say with personal knowledge that we do have 
direct access to that intelligence and law enforcement 
information.
    Mrs. Steel. Thank you very much for your detailed answer.
    Admiral, I have a question that--you know, protecting 
against cyber threats is really critical for the Ports of Long 
Beach and L.A. Right now, we have a supply chain crisis, as we 
have about 175 ships waiting to unload. So, it is very 
important.
    So, Congress has made several changes to better integrate 
cybersecurity planning and response. How is the Coast Guard 
conducting vulnerability assessments of maritime critical 
infrastructure?
    Can you describe how the Coast Guard builds cyber 
resilience in the Ports of L.A. and Long Beach to protect this 
port and others like it from attack?
    Admiral Mauger. Congresswoman, the current supply chain 
crisis really highlights the importance of the MTS to our 
national economy, and to our national security, and it really 
emphasizes the need to put proper protective measures in place, 
but then also be able to be resilient and respond to attack.
    We have put together a comprehensive framework as the lead 
Federal maritime regulator across the whole prevention and 
response framework, to make sure that port communities and 
maritime critical infrastructure are able to prevent attacks, 
but then are able to respond and be resilient.
    The Port Security Grant Program is a key program for 
building resiliency into the ports. Through funding in fiscal 
year 2021, we were able to fund 60 projects at about $18 
million and provide key ports such as the Ports of L.A. and 
L.B. the opportunity to increase their assessments.
    And I am happy to follow up with a brief for you, ma'am, 
afterwards, if desired.
    Mrs. Steel. Thank you very much, Admiral. I have one more 
question, but you know what? I am going to just submit this 
question.
    Thank you. My time is up, and I yield back.
    Mr. Auchincloss. That concludes our hearing.
    I would like to thank each of the witnesses for your 
testimony today. Your comments have been insightful and 
helpful.
    I ask unanimous consent that the record of today's hearing 
remain open until such time as our witnesses have provided 
answers to any questions that may have been submitted to them 
in writing.
    I also ask unanimous consent that the record remain open 
for 15 days for any additional comments and information 
submitted by Members or witnesses to be included in the record 
of today's hearing.
    Without objection so ordered.
    The committee stands adjourned.
    [Whereupon, at 1:20 p.m., the committee was adjourned.]


                       Submissions for the Record

                              ----------                              

  Prepared Statement of Hon. Frederica S. Wilson, a Representative in 
                   Congress from the State of Florida
    Thank you, Chairman DeFazio, for today's hearing.
    As our nation's critical infrastructure increasingly relies on 
cutting-edge technology, cybersecurity must be a top priority to avert 
attacks on facilities and systems, such as the Turkey Point Nuclear 
Generating Station located in South Florida.
    It is imperative that the federal government is a leader in this 
space to help stakeholders implement the best cybersecurity practices.
    Failing to do so will compromise critical systems that can have 
devastating impacts on our safety, economy, and security.
    I am grateful that the Biden administration has taken steps to 
improve the nation's cybersecurity by issuing Executive Order 14028 to 
improve the nation's infrastructure.
    I am also proud to have supported the roughly $2 billion provided 
in the Infrastructure Investment and Jobs Act to modernize and secure 
our critical infrastructure.
    I look forward to working with my colleagues and the private sector 
to enhance cybersecurity preparedness, increase the cybersecurity 
workforce, and protect citizens.
    With that, I have a few questions.


                                Appendix

                              ----------                              


  Questions from Hon. Frederica S. Wilson to Cordell Schachter, Chief 
         Information Officer, U.S. Department of Transportation

    Question 1. Mr. Schachter: Thank you for your testimony. As you 
mentioned in your statement, there are multiple open findings from 
previous cybersecurity audits, which puts DOT at risk. Some of these 
findings were reported years ago. In some instances, even when 
recommendations were reported as completed, they were not tested or 
implemented properly, as was the case with the FTA's financial 
management systems.
    Mr. Schachter: What is the department's long-term plan to expedite 
the implementation of cybersecurity recommendations and how will 
current efforts, like the cyber sprints, help?
    Answer. Thank you for the opportunity to address the issues raised 
in this question. We take seriously open audit findings that require 
action. Cyber Sprints accelerate progress by focusing Office of the CIO 
and Operating Administration information technology staff efforts on 
priority activities, eliminating obstacles to progress during frequent 
checkpoints, and engaging additional or leadership resources if needed. 
Among the criteria of tasks addressed in the sprints are open audit 
findings.

     Question from Hon. Garret Graves to Cordell Schachter, Chief 
         Information Officer, U.S. Department of Transportation

    Question 2. I've read reports that there are some 500,000 vacancies 
for cybersecurity professionals in the U.S. workforce, making it nearly 
impossible for us to get a handle on the next generation of threats. 
Additionally, we've heard from industry that they feel that talent is 
relegated to SCIFs in the federal government, fusion centers, and big 
technology companies--preventing talent from being available to 
critical infrastructure at the local level. What can we be doing to 
rethink the workforce model for cybersecurity-specific professionals?
    Answer. Thank you for the opportunity to address the issues raised 
in this question. DOT's Office of the Chief Information Officer 
(OCIO)'s two top priorities are improving DOT's cybersecurity and 
workforce development of OCIO staff, including recruiting high quality 
cybersecurity experts. I believe the government mission is a compelling 
``selling point'' to attract new staff. Similarly, working at US DOT 
and helping protect the nation's critical infrastructure in 
transportation is another compelling selling point for recruitment. We 
will also continue working with our commercial and governmental 
partners to engage the resources we need. Federal cyber workforce 
training and education initiatives can be found at the Department of 
Commerce National Institute of Standards and Technology's National 
Initiative for Cybersecurity Education (NICE), the National Science 
Foundation's CyberCorps Scholarships for Service, and CISA's National 
Initiative for Cybersecurity Careers and Studies.

Question from Hon. Seth Moulton to Cordell Schachter, Chief Information 
               Officer, U.S. Department of Transportation

    Question 3. Mr. Schachter, America depends critically on GPS for 
much more than just navigation with our smartphones, and we have no 
alternative system. This creates a single point of failure, vulnerable 
to both cyber and kinetic threats. In fact, after their government's 
November 15 ASAT test, a Russian state television broadcast boasted 
they could destroy all our GPS satellites at the same time. The 
National Timing Resilience and Security Act of 2018 mandated the 
Department Transportation have a backup and alternative system up and 
running by December 2020, but the previous administration did nothing. 
What is the Biden administration's Department of Transportation doing 
to comply with the law and get a GPS complementary and backup system in 
operation to decrease the severity of threats like these from Russia 
and China?
    Answer. Thank you for providing an opportunity to provide a 
detailed response to this important question. Our Global Positioning 
System (GPS) is the predominant technology in the field for 
Positioning, Navigation, and Timing (PNT). It supports critical 
transportation infrastructure and is essential for national and 
economic security in many other areas. There are an estimated 900 
million GPS receivers across America, including those used for 
emergency response, transportation safety, general navigation, timing 
signals, and high-precision instruments for local-area climatology 
studies, weather prediction, surveying, precision agriculture, machine 
control, and scientific applications.
    DOT conducted a GPS Backup and Complementary PNT Demonstration 
involving 11 technology vendors in response to a requirement in the FY 
2018 National Defense Authorization Act (NDAA). The 2021 DOT 
Complementary PNT Demonstration Report to Congress recommends that DOT 
develop requirements, standards, test procedures, and performance 
monitoring capabilities to ensure that civil PNT services, and the 
equipment that utilizes them, meet necessary levels of interoperable 
safety and resilience.
    The ``Frank LoBiondo Coast Guard Authorization Act of 2018,'' (P.L. 
115-282; December 4, 2018) included Sec. 514, ``Backup National Timing 
System,'' also known as the ``National Timing Resilience and Security 
Act of 2018.''
    We support the proposed repeal of the National Timing Resilience 
and Security Act in the President's FY 2022 Budget Request. This is 
informed by recent federal analyses, reports, and technology 
demonstrations, where DOT finds that 1) no single solution for the 
provision of back-up PNT services can meet the diversity of critical 
infrastructure application requirements, and 2) it would be inefficient 
and anti-competitive for the Federal Government to procure or otherwise 
fund a specific backup PNT solution for non-federal users.
    Rather than building or otherwise procuring a new system, DOT, in 
partnership with the Department of Homeland Security, is better 
positioned to enable and encourage the owners and operators of critical 
infrastructure to be responsible users of PNT, leveraging commercially-
available PNT technologies to secure access to complementary PNT 
services.

     Questions from Hon. Michael Guest to Cordell Schachter, Chief 
         Information Officer, U.S. Department of Transportation

    Question 4. Each state has a designated CISA ``Protective Security 
Advisor'' that coordinates with members of the critical infrastructure 
community and works to help them prepare/defend against cyber-attacks. 
Can you tell me about the interface your agencies have with these 
Advisors and what role they play in your industries?
    Answer. DOT's Office of Intelligence, Security, and Emergency 
Response facilitates DOT's role as Co-Sector Risk Management Agency for 
the Transportation Systems sector infrastructure. It partners with the 
other Co-Sector Risk Management Agency, the Department of Homeland 
Security (DHS) and its Transportation Security Administration and U.S. 
Coast Guard. DOT does directly engage with CISA's Protective Security 
Advisors (PSAs). During incident response PSAs and DOT may act in 
parallel. For example, during a hurricane, PSAs based in the region 
impacted may provide local information about cross-sector 
infrastructure concerns to DHS for integration with national response 
efforts led by FEMA. DOT's Office of Intelligence, Security, and 
Emergency Response may also provide information to inform FEMA's 
national response.

    Question 5. Earlier this year, in discussions with CISA Director 
Inglis, we discussed the importance of protecting our digital 
infrastructure, its supply chain, and preventing overdependency of 
manufacturing critical digital goods by adversarial countries, which 
they could possibly use against us. How can the FAA and DOT work 
alongside private sector stakeholders and Congress to strengthen our 
digital infrastructure supply chain, industry standards, and 
enforcement of those standards when it comes to high level digital 
hardware?
    Answer. The FAA and DOT works in partnership with DHS and DOD 
through the Aviation Cyber Initiative (ACI) Interagency Task Force in 
engaging with a range of government, industry, and international 
stakeholders to identify, assess, and analyze cyber threats, 
vulnerabilities, and consequences within the aviation ecosystem through 
research, development, testing, and evaluation initiatives. The ACI 
mission is to reduce cybersecurity risks and improve cyber resilience 
to support safe, secure, and efficient operations of the Nation's 
Aviation Ecosystem. We also leverage industry expertise to develop and 
update industry standards relevant to aviation cybersecurity. An 
example is RTCA Special Committee SC-216, which is chaired by a 
representative industry stakeholder and has an FAA policy 
representative.\1\ SC-216 recently revised their Aeronautical Systems 
Security standard (DO-365A). This past December, the committee also 
published a new standard, Aeronautical Information System Security 
Framework Guidance (DO-391). All of our efforts with Standards 
Development Organizations (SDO) are geared towards developing industry 
standards that can be used as an acceptable means of compliance to one 
or more of our certification requirements. SDOs, like RTCA, ASTM and 
SAE, often have counterpart working groups in the European standards 
development community, which provides additional expertise and a wider 
global acceptance of the developed standards.
---------------------------------------------------------------------------
    \1\ https://www.rtca.org/sc-216/.
---------------------------------------------------------------------------
    We also note that Chris Inglis is the National Cyber Director, a 
position that is different than the Director of CISA. The Director of 
CISA is Jen Easterly.

    Question 6. Director Inglis also emphasized the need for 
accountability in cybersecurity practices. Each one of you represents a 
different set of industry stakeholders with vastly different needs in 
this space. For bad actors within your jurisdiction that allow their 
cybersecurity measures to fall below public or industry standards, what 
are ways that Congress and your agencies can hold those folks 
accountable? Many stakeholders mention that they are more robust in 
developing cybersecurity measures and have been for decades. So, what 
are ways to hold bad actors accountable without installing mandates 
that may limit the private sector's own work in this space?
    Answer. Thank you for the opportunity to address the issues raised 
in this question. The Department of Homeland Security (DHS) and the 
Department of Transportation (DOT) are designated as the Co-Sector Risk 
Management Agencies (SRMAs) for the Transportation Systems Sector. DHS, 
specifically through the Transportation Security Administration (TSA), 
worked with DOT and its Operating Administrations (OAs) to coordinate 
industry outreach efforts aimed at informing and receiving feedback 
from stakeholders on available cybersecurity training and resources; 
and more recently, TSA's Security Directives and security program 
amendments on cybersecurity. Additionally, TSA spearheads the 
developments of the National Strategy for Transportation Security as 
the lead for DHS. Further, TSA has worked extensively with CISA to 
assess sector cyber risk, including the Pipeline Cybersecurity 
Initiative (PCI) and the ACI, which conduct Validated Architecture 
Design Review assessments of major pipeline and airport systems.
    DOT is working closely with TSA, CISA, and the Department of Energy 
in the implementation of the President's Industrial Control System 
Cybersecurity Initiative for natural gas pipelines. The Initiative is a 
voluntary effort by government and critical infrastructure owners and 
operators. DOT is also participating in the CISA and NIST led effort to 
develop cybersecurity performance goals for control systems and 
critical infrastructure, as outlined in National Security Memorandum 5 
(NSM-5) issued by President Biden last July. However, voluntary 
measures alone in some cases may be inadequate to address the rapidly 
evolving threat facing the critical infrastructure every American 
relies on. TSA has issued cybersecurity-related Security Directives and 
Information Circulars (IC) for critical elements of surface 
transportation--including pipelines--and has also issued Security 
Program Changes and an IC for aviation elements.
    We have balanced responsibility with flexibility by prioritizing 
certain operator practices as requirements and others as 
recommendations using our authorities. These include each operator 
designating a cybersecurity coordinator, implementing specific 
mitigations measures to reduce cybersecurity risk, and developing plans 
to minimize disruption in the event of a malicious cyber intrusion.

    Question 7. Many industry stakeholders utilize early notification 
networks. However, the public sector lacks a robust system to alert 
private carriers or shippers of an attack across the system. To 
critical infrastructure, the ability to limit damage seems crucial. Can 
you expand on how early notification networks are used by the private 
sector and why coordination with a federal government system is so 
important?
    Answer. CISA and FBI periodically issue joint Cybersecurity 
Advisories (CSAs) which are posted on the CISA Alerts webpage. These 
Alerts are also pushed to a wide-range of stakeholders, to include the 
Sector Risk Management Agencies and Information Sharing and Analysis 
Centers (ISACs) for further dissemination to sector stakeholders. There 
are also several private companies who offer similar notification 
products. The US Coast Guard and CISA are responsible for notifications 
to the Maritime subsector.
    In the railroad subsector, the Association of American Railroads 
(AAR) utilizes the Railway Alert Network (RAN) to provide early 
notifications to the private sector. Separately, when Federal Railroad 
Administration (FRA) reporting is either required or deemed necessary, 
the agency provides situational reports to AAR, the American Short Line 
and Regional Railroad Association (ASLRRA), the Transportation Security 
Administration (TSA), and the Surface Deployment and Distribution 
Command (SDDC). These situational reports are generally disseminated to 
the carriers participating in RAN.
    In the commercial motor vehicle subsector, FMCSA leverages 
GovDelivery, a web-based e-mail subscription management system, for 
providing news and information emails and posts notifications about 
jurisdiction-specific changes and updates in processes and guidelines. 
Notifications can span the following subtopics: Announcements & News, 
Registration & Licensing, Rules & Regulations, Rulemaking, Rulemaking 
Notices, and Outreach.

    Question from Hon. Nikema Williams to Cordell Schachter, Chief 
         Information Officer, U.S. Department of Transportation

    Question 8. In last month's hearing on this topic, we heard about 
the need for local transportation agencies to assess their own level of 
``cyber maturity''--understanding what cyber protections they have and 
what protections they need. Drawing both on your experience in federal 
and local government, how can local transportation agencies best access 
support and resources from the Department of Transportation to assess 
and strengthen their own cyber protections?
    Answer. Thank you for the opportunity to address the issues raised 
in this question. DOT has many resources publicly available to local 
transportation agencies to assess and strengthen their own cyber 
protections. For example, the following webpage lists documents with 
guidance on multiple cyber topics. https://rosap.ntl.bts.gov/
gsearch?terms=cyber&maxResults=50&start=0
    DOT's Federal Highway Administration (FHWA) regularly provides 
information about best practices gathered from agencies such as TSA and 
the National Institute of Standards and Technology. FHWA supports its 
stakeholders' work to improve their cybersecurity including reporting 
and responding to cybersecurity incidents and providing training and 
reference materials.
    DOT has also been collaborating with CISA on establishing a common 
baseline of cyber performance goals for critical infrastructure control 
systems which will be finalized this summer. DOT will also be 
contributing to the transportation sector-specific cybersecurity 
performance goals which will build upon the common baseline and include 
goals specific to the transportation sector and subsectors. More 
information can be found here: https://www.cisa.gov/control-systems-
goals-and-objectives

   Questions from Hon. Frederica S. Wilson to Larry Grossman, Chief 
     Information Security Officer, Federal Aviation Administration

    Question 1. Mr. Grossman, in your statement, you mentioned the 
National Academy of Sciences study on the FAA's cybersecurity 
workforce, which was directed by Congress. The results of this study 
were received in June 2021. Please elaborate on the study's 
recommendations to increase workforce diversity and what specific 
objectives and action items the FAA has in place to achieve that goal.
    Answer. The Federal Aviation Administration (FAA) recognizes the 
importance of recruiting efforts to attract a diverse pool of qualified 
employees. The agency's current initiatives include cybersecurity as 
part of a broader aviation-focused engagement. In the FAA's Science, 
Technology, Engineering, and Math (STEM) Aviation and Space Education 
(AVSED) program, youth from diverse backgrounds are inspired to pursue 
aerospace careers, including those that are cybersecurity-focused. The 
FAA currently leverages several federal hiring and personnel management 
authorities afforded to cyber-specific employees, such as on-the-spot 
hiring.
    Pursuant to Section 549 of the FAA Reauthorization Act of 2018 (PL 
115-254), the National Academy of Sciences (NAS) published a report 
examining the FAA's cybersecurity workforce challenges, reviewing the 
current strategy for meeting those challenges, and recommending ways to 
strengthen the FAA's cybersecurity workforce titled: ``Looking Ahead at 
the Cybersecurity Workforce at the Federal Aviation 
Administration''.\1\ FAA reviewed the NAS report and recently provided 
a report to Congress regarding the results of the study.\2\ The 
challenges identified in the study, along with opportunities and 
recommendations, have validated existing FAA cyber workforce 
initiatives and inspired potential new initiatives. Through the six 
strategic outcomes, continued investment in existing initiatives, and 
promoting new programs developed as a result of this study, the FAA 
will strengthen its cybersecurity workforce today and in the future.
---------------------------------------------------------------------------
    \1\ https://www.nap.edu/catalog/26105/looking-ahead-at-the-
cybersecurity-workforce-at-the-federal-aviation-administration#.
    \2\ https://www.faa.gov/sites/faa.gov/files/2022-01/PL_115-
254_Sec549_FAA_
Response_to_Nat_Academy_Sciences_study_FAA_Cybersecurity_Workforce.pdf.
---------------------------------------------------------------------------

 Question from Hon. Garret Graves to Larry Grossman, Chief Information 
           Security Officer, Federal Aviation Administration

    Question 2. I've read reports that there are some 500,000 vacancies 
for cybersecurity professionals in the U.S. workforce, making it nearly 
impossible for us to get a handle on the next generation of threats. 
Additionally, we've heard from industry that they feel that talent is 
relegated to SCIFs in the federal government, fusion centers, and big 
technology companies--preventing talent from being available to 
critical infrastructure at the local level. What can we be doing to 
rethink the workforce model for cybersecurity-specific professionals?
    Answer. The Federal Aviation Administration (FAA) recognizes the 
challenging cybersecurity labor market, similar to many other 
organizations seeking to hire and retain cyber personnel. There are 
many programs in place in the federal government to accelerate and 
simplify the hiring process for cybersecurity personnel.
    The FAA recognizes the importance of recruiting efforts to attract 
a diverse pool of qualified employees. The agency's current initiatives 
include cybersecurity as part of a broader aviation-focused engagement. 
In the FAA's Science, Technology, Engineering, and Math (STEM) Aviation 
and Space Education (AVSED) program, youth from diverse backgrounds are 
inspired to pursue aerospace careers. The program seeks to create a 
consistent pipeline of aerospace professionals for the workforce of the 
future, including those that are cybersecurity-focused.
    While the FAA has some employees who work in a Sensitive 
Compartmented Information Facility (SCIF) environment very few members 
of our cybersecurity workforce are relegated to a SCIF, rather they 
will enter the SCIF only for classified discussions, then leave the 
secure area to engage with other FAA staff and aviation stakeholders as 
needed. Pursuant to Section 549 of the FAA Reauthorization Act of 2018 
(PL 115-254), the National Academy of Sciences (NAS) published a report 
examining the FAA's cybersecurity workforce challenges, reviewing the 
current strategy for meeting those challenges, and recommending ways to 
strengthen the FAA's cybersecurity workforce titled: ``Looking Ahead at 
the Cybersecurity Workforce at the Federal Aviation 
Administration''.\3\ FAA reviewed the NAS report and recently provided 
a report to Congress regarding the results of the study.\4\ The 
challenges identified in the study, along with opportunities and 
recommendations, have validated existing FAA cyber workforce 
initiatives and inspired potential new initiatives. Through the six 
strategic outcomes, continued investment in existing initiatives, and 
promoting new programs developed as a result of this study, the FAA 
will strengthen its cybersecurity workforce today and in the future.
---------------------------------------------------------------------------
    \3\ https://www.nap.edu/catalog/26105/looking-ahead-at-the-
cybersecurity-workforce-at-the-federal-aviation-administration#.
    \4\ https://www.faa.gov/sites/faa.gov/files/2022-01/PL_115-
254_Sec549_FAA_
Response_to_Nat_Academy_Sciences_study_FAA_Cybersecurity_Workforce.pdf.
---------------------------------------------------------------------------

Questions from Hon. Michael Guest to Larry Grossman, Chief Information 
           Security Officer, Federal Aviation Administration

    Question 3. Each state has a designated CISA ``Protective Security 
Advisor'' that coordinates with members of the critical infrastructure 
community and works to help them prepare/defend against cyber-attacks. 
Can you tell me about the interface your agencies have with these 
Advisors and what role they play in your industries?
    Answer. The Cybersecurity and Infrastructure Security Agency (CISA) 
Protective Security Advisor program is within the Department of 
Homeland Security (DHS). DHS serves as a tri-chair of the Aviation 
Cyber Initiative (ACI) with the Department of Defense and the 
Department of Transportation (DOT), with the Federal Aviation 
Administration (FAA) representing DOT. Through this partnership, we 
coordinate and collaborate with government and industry to improve 
cybersecurity protections and response capabilities. ACI focuses on 
cybersecurity protections within the aviation sub-sector of the 
critical infrastructure community and includes an active Community of 
Interest (COI) that includes over 1000 participants across the aviation 
ecosystem from both the public and private sector. COI participants 
include airlines and airfreight, aircraft and avionics manufacturers, 
aviation industry associations and service providers, academia, and 
Federally Funded Research and Development Centers. ACI includes both 
domestic and international participants as cybersecurity protections 
within the aviation community are a global concern. Current priorities 
of ACI include aviation cybersecurity risk mitigation efforts, cyber 
research and development, information sharing, cybersecurity training 
specific to the unique aspects of the aviation environment, and 
aviation cybersecurity exercises.

    Question 4. Earlier this year, in discussions with CISA Director 
Inglis, we discussed the importance of protecting our digital 
infrastructure, its supply chain, and preventing overdependency of 
manufacturing critical digital goods by adversarial countries, which 
they could possibly use against us. How can the FAA and DOT work 
alongside private sector stakeholders and Congress to strengthen our 
digital infrastructure supply chain, industry standards, and 
enforcement of those standards when it comes to high level digital 
hardware?
    Answer. The FAA and DOT continue to work in partnership with DHS 
and CISA through the ACI Tri-Chair relationship to create a balance 
between government and private partnerships. We also leverage industry 
expertise to develop and update industry standards relevant to aviation 
cybersecurity. An example is RTCA Special Committee SC-216, which is 
chaired by a representative industry stakeholder and has an FAA policy 
representative.\5\ SC-216 recently revised their Aeronautical Systems 
Security standard (DO-365A). This past December, the committee also 
published a new standard, Aeronautical Information System Security 
Framework Guidance (DO-391). All of our efforts with Standards 
Development Organizations (SDO) are geared towards developing industry 
standards that can be used as an acceptable means of compliance to one 
or more of our certification requirements. SDOs, like RTCA, ASTM and 
SAE, often have counterpart working groups in the European standards 
development community, which provides additional expertise and a wider 
global acceptance of the developed standards.
---------------------------------------------------------------------------
    \5\ https://www.rtca.org/sc-216/.

    Question 5. Director Inglis also emphasized the need for 
accountability in cybersecurity practices. Each one of you represents a 
different set of industry stakeholders with vastly different needs in 
this space. For bad actors within your jurisdiction that allow their 
cybersecurity measures to fall below public or industry standards, what 
are ways that Congress and your agencies can hold those folks 
accountable? Many stakeholders mention that they are more robust in 
developing cybersecurity measures and have been for decades. So, what 
are ways to hold bad actors accountable without installing mandates 
that may limit the private sector's own work in this space?
    Answer. The FAA advises a cautious approach when considering any 
potential aviation-related cybersecurity mandates and highlights that 
any such mandates would need to provide sufficient flexibility, in 
terms of measures and timelines for implementing enhancements, to allow 
industry participants to appropriately protect the diverse range of 
systems used in the aviation sub-sector. The expected improvement to 
the industry's defenses from any mandate must also be carefully weighed 
against its associated costs, taking into account the highly 
sophisticated nature of some attacks.
    Within the realm of the FAA's responsibility as the aviation safety 
regulator and air navigation service provider for the U.S., the FAA 
finds it much more successful to engage with our industry stakeholders 
to encourage the voluntary adoption of successful cyber-hygiene 
protocols. Our stakeholders are highly motivated to keep their systems 
secure from cyber-attacks, as breaches of vulnerable systems can equate 
to economic loss, loss of public trust, loss of efficiency and loss of 
market share. We must also remember that our stakeholders' systems and 
security needs vary widely and security solutions must be tailored--one 
size does not fit all.

    Question 6. Many industry stakeholders utilize early notification 
networks. However, the public sector lacks a robust system to alert 
private carriers or shippers of an attack across the system. To 
critical infrastructure, the ability to limit damage seems crucial. Can 
you expand on how early notification networks are used by the private 
sector and why coordination with a federal government system is so 
important?
    Answer. FAA regulations require reporting of a variety of aviation 
safety-related issues, but are generally agnostic as to their potential 
cause, which may be unknown at the time of initial reporting. DHS is 
the lead agency to receive private sector reports of cybersecurity 
incidents and to facilitate individual asset or whole of government 
response during a significant cyber incident. DHS's National 
Cybersecurity and Communications Center shares information across the 
public and private sectors (including the Aviation Information Sharing 
and Analysis Center) to protect against similar incidents in the 
future. The sharing of information is usually in the form of Alerts/
Advisories and Bulletins, Initial Network Analysis Reports and/or 
Cybersecurity Coordination Action and Response calls. These early 
notifications provide an opportunity for the government and private 
sector partners to minimize the impact of a cyberattack by proactively 
implementing protection mechanisms to block attacks while focusing 
monitoring on those assets that are potentially the most vulnerable.
    The Department of Justice, through the Federal Bureau of 
Investigation and the National Cyber Investigative Joint Task Force, is 
the lead agency for threat response during a significant incident. With 
respect to aviation specifically, recent Transportation Security 
Administration updates to airport and aircraft operator security 
program requirements established cybersecurity incident reporting 
requirements for airports and aircraft operators with the relevant 
types of security programs.

     Questions from Hon. Nikema Williams to Larry Grossman, Chief 
     Information Security Officer, Federal Aviation Administration

    Question 7. Mr. Grossman, millions depend on both the services and 
economic activity from transportation systems in my district, and a 
disruption to one part of the system can impact the rest. A disruption 
to the Hartsfield Jackson Atlanta International Airport could reach 
from Delta Airlines to international travelers to aviation workers who 
live in my district. Could you please describe how the Federal Aviation 
Administration supports and shares information with airports like mine 
to help safeguard the transportation system that depends on them from a 
cyberattack?
    Answer. The Federal Aviation Administration (FAA) participates in a 
variety of airport safety and security government partnerships and 
initiatives that identify and mitigate cyber threats to the nation's 
airports and collaborate with partner agencies to disseminate airport-
related cyber threat information. In addition, Department of Homeland 
Security's (DHS) National Cybersecurity and Communications Center 
shares information across the public and private sectors to protect 
against cybersecurity incidents. Moreover, the Transportation Security 
Administration (TSA) recently published updated requirements regarding 
cybersecurity information sharing for the nation's airports. In 
addition, the FAA is one of the tri-chairs of the Aviation Cyber 
Initiative, and the FAA works collaboratively with DHS and Department 
of Defense to improve cybersecurity across the Aviation Ecosystem. This 
collaboration includes participants across the airports community.

    Question 8. Mr. Grossman, Internet access is an airport essential. 
In 2018, Hartsfield-Jackson Atlanta International Airport's Wi-Fi 
connectivity had to be taken down amidst a city-wide cyberattack. Do 
you have any recommendations that will ensure airports can provide 
Internet access to travelers while minimizing their networks' 
vulnerability to cyberattacks?
    Answer. While outside of FAA's mission set, FAA supports and 
encourages industry efforts for the development of cybersecurity risk 
management programs, information security standards and best practices 
consistent with the National Institute of Standards and Technology 
Cybersecurity Framework. The city-wide cyberattack in Atlanta was 
indeed a surprising and widespread outage. During a cyberattack, 
sometimes user connectivity may be affected for the protection of both 
the users and systems, any response to an event must be aligned with 
the potential impact associated with that event. TSA, who does have 
statutory authority over airport cybersecurity operations, recently 
published guidance for the nation's airports regarding cybersecurity. 
The Office of Airports, along with the rest of the FAA, is working 
closely with TSA to support their efforts.

 Question from Hon. Steve Cohen to Victoria Newhouse, Deputy Assistant 
    Administrator for Policy, Plans, and Engagement, Transportation 
     Security Administration, U.S. Department of Homeland Security

    Question 1. When traveling--especially while in airports, train 
stations, or buses--people often make use of public Wi-Fi connections, 
public charging ports, and other resources to keep their devices 
charged and connected to the internet. What precautions is TSA taking 
to oversee these services to prevent cyberattacks through public 
networks or to stop cybercriminals from setting up networks that mimic 
the genuine ones?
    Answer. The Transportation Security Administration (TSA) recently 
issued cybersecurity requirements to operators in the aviation, 
surface, and pipeline modes of transportation, including cybersecurity 
incident reporting requirements. While these requirements vary to some 
extent based on the operational requirements of each mode, all are 
aimed at establishing a baseline of cybersecurity protection. To the 
extent a public-facing Wi-Fi network is under the control of a covered 
owner/operator, it may be subject to the new requirements.
    Public networks, Wi-Fi connections, or other internet connections 
provided, operated, and maintained by persons who are not covered by 
the cybersecurity requirements noted above are not regulated by TSA.
    The federal government continues to review and analyze 
cybersecurity requirements within the various transportation modes. To 
the extent not covered by existing requirements for aviation and 
surface operators, we may consider additional measures to ensure 
Information Technology and Operational Technology systems operated and 
maintained by third-party vendors and contractor meet appropriate 
security standards.

 Questions from Hon. Sam Graves to Victoria Newhouse, Deputy Assistant 
    Administrator for Policy, Plans, and Engagement, Transportation 
     Security Administration, U.S. Department of Homeland Security

    Question 2. Now that TSA has issued its security directive for 
railroads, transit, and passenger rail, will TSA work with the affected 
industries to develop guidance and other helpful materials to ensure 
the contents and requirements of the Security Directives are well 
understood and to support compliance with their mandated actions and 
measures? How will this be done?
    Answer. TSA offers assistance to surface transportation owners/
operators in understanding and complying with the security measures 
identified within the Security Directives (SDs) through a variety of 
means. TSA has and will continue to host industry calls with surface 
transportation owner/operators discussing the provisions within the 
SDs. The calls provide an opportunity for TSA to answer questions to 
ensure understanding of the requirements and support compliance with 
the defined security measures. Within each SD, an email address is 
provided to allow industry to contact TSA should they have questions. 
As common-themed questions are identified, TSA issues Frequently Asked 
Questions (FAQs) to all applicable owner/operators. TSA also has 
developed and will supplement guidance documents to provide additional 
support to covered entities. TSA will also work with the trade 
associations representing the covered owner/operators to provide 
informational webinars and share best practices for implementing the 
provisions of the SDs.

    Question 3. TSA's Security Directive Pipeline--2021-02: Pipeline 
Cybersecurity Mitigation Actions, Contingency Planning, and Testing (SD 
02) requires covered pipeline owner/operators to implement mitigation 
measures by certain dates. To better understand TSA's implementation of 
this program, operator compliance with its requirements, the 
feasibility of TSA's program and the ability of TSA to implement it as 
designed, please provide performance data for the following metrics:
    a.  The number of covered pipeline owner/operators (operators);
    Answer. 97

    b.  The number of operators in full compliance with measures with a 
30-day implementation due date, a 90-day implementation due date, and a 
120-day implementation due date;
    Answer. 63 compliant with 30 days; 22 compliant with 90 days; 30 
compliant with 120 days. 11 compliant with all measures (30, 90, and 
120-day).

    c.  The number of operators proposing alternative measures for 
measures with a 30-day implementation due date;
    Answer. 12

    d.  The number of alternative measure proposals for measures with a 
30-day implementation due date;
    Answer. 15

    e.  The number of alternative measure proposals for measures with a 
30-day implementation due date that TSA has accepted;
    Answer. 0

    f.  The number of alternative measures proposals for measures with 
a 30-day implementation due date that TSA has rejected;
    Answer. 2

    g.  The number of alternative measures proposals for measures with 
a 30-day implementation due date that TSA is still reviewing;
    Answer. 13

    h.  The number of operators proposing alternative measures for 
measures with a 90-day implementation due date:
    Answer. 44

    i.  The number of alternative measures proposals for measures with 
a 90-day implementation due date:
    Answer. 93

    j.  The number of alternative measures proposals for measures with 
a 90-day implementation that TSA has started reviewing;
    Answer. 93

    k.  The number of alternative measures proposals for measures with 
a 90-day implementation due date that TSA has accepted;
    Answer. 3

    l.  The number of alternative measures proposed for measures with a 
90-day implementation due date that TSA has rejected:
    Answer. 0

    m.  The number of alternative measures proposed for measures with a 
90-day implementation due date that TSA is still reviewing:
    Answer. 93

    n.  The number of operators proposing alternative measures for 
measures with a 120-day implementation due date;
    Answer. 20

    o.  The number of alternative measures proposals for measures with 
a 120-day implementation due date;
    Answer. 21

    p.  The number of alternative measures proposals for measures with 
a 120-day implementation that TSA has started reviewing:
    Answer. 21

    q.  The number of alternative measures proposals for measures with 
a 120-day implementation due date that TSA has accepted;
    Answer. 0

    r.  The number of alternative measures proposed for measures with a 
120-day implementation due date that TSA has rejected;
    Answer. 0

    s.  The number of alternative measures proposed for measures with a 
120-day implementation due date that TSA is still reviewing;
    Answer. 21

    t.  The number of operators requesting additional time for measures 
with a 30-day implementation due date;
    Answer. 37

    u.  The number of requests for additional time for measures with a 
30-day implementation due date:
    Answer. 55

    v.  The number of requests for additional time for measures with a 
30-day implementation due date that TSA has accepted;
    Answer. 55

    w.  The number of requests for additional time for measures with a 
30-day implementation due date that TSA has rejected:
    Answer. 0

    x.  The number of requests for additional time for measures with a 
30-day implementation due date that TSA is still reviewing:
    Answer. 0

    y.  The number of operators requesting additional time for measures 
with a 90-day implementation due date:
    Answer. 65

    z.  The number of requests for additional time for measures with a 
90-day implementation due date:
    Answer. 361 (total measures from 65 companies).

    aa.  The number of requests for additional time for measures with a 
90-day implementation that TSA has started reviewing:
    Answer. 361

    bb.  The number of requests for additional time for measures with a 
90-day implementation due date that TSA has accepted;
    Answer. 284 (Action Plan Letters have been sent)

    cc.  The number of requests for additional time for measures with a 
90-day implementation due date that TSA has rejected;
    Answer. 0

    dd.  The number of requests for additional time for measures with a 
90-day implementation due date that TSA is still reviewing
    Answer. 77 (Action Plan letters still need to be drafted).

    ee.  The number of operators requesting additional time for 
measures with a 120-day implementation due date;
    Answer. 57

    ff.  The number of requests for additional time for measures with a 
120-day implementation due date;
    Answer. 99

    gg.  The number of requests for additional time for measures with a 
120-day implementation that TSA has started reviewing;
    Answer. 99

    hh.  The number of requests for additional time for measures with a 
120-day implementation due date that TSA has accepted;
    Answer. 22

    ii.  The number of requests for additional time for measures with a 
120-day implementation due date that TSA has rejected; and,
    Answer. 0

    jj.  The number of requests for additional time for measures with a 
120-day implementation due date that TSA is still reviewing.
    Answer. 77

  Questions from Hon. Eric A. ``Rick'' Crawford to Victoria Newhouse, 
   Deputy Assistant Administrator for Policy, Plans, and Engagement, 
  Transportation Security Administration, U.S. Department of Homeland 
                                Security

    Question 4. A major concern we've heard about the pipeline security 
directives was that they were developed without meaningful input from 
stakeholders with expertise in pipeline safety and operations, creating 
implementation issues. For instance, some pipelines need to shut down 
operations to implement the requirements. When the Colonial pipeline 
shut down, the effects were felt across the entire southeast when 
energy prices increased as people lost access to critical energy 
products.
    a.  How is TSA ensuring it will have the resources and technical 
expertise to address technical issues for these and potential future 
rulemakings and security directives?
    Answer. TSA partnered with the Cybersecurity and Infrastructure 
Security Agency (CISA), the United States Coast Guard (USCG), the U.S. 
Department of Energy (DOE), and the Pipeline and Hazardous Materials 
Safety Administration (PHMSA) of the U.S. Department of Transportation 
(DOT) in the development of SDs to ensure the utilization of high-level 
technical expertise from other federal agencies. In addition to 
interagency support, TSA has and will continue to seek input from 
subject matter experts from the pipeline industry.
    CISA remains engaged in providing cybersecurity subject matter 
expertise in support of the SD implementation process. TSA is 
leveraging CISA guidance and assessments to conduct further mode-
specific research and identify mechanisms to obtain stakeholder cyber 
measures, determine gaps, and work with the National Risk Management 
Center to develop a prioritized list of cyber risks. In addition, TSA 
has recently hired cybersecurity specialists to work both in policy and 
operations.
      Between October and November 2021, TSA Security 
Operations, Surface Operations established a new Cybersecurity Branch 
to conduct and facilitate surface cybersecurity related assessments and 
outreach efforts. Ten of the eleven cybersecurity expert positions have 
been filled. In addition to the establishment of this Branch, there are 
five Transportation Security Inspectors currently undergoing 
cybersecurity specialized training to become cyber assessors.
      TSA created a Cybersecurity section within the Policy, 
Plans, and Engagement Surface Policy Division, Industry Engagement 
Branch. This section is led by one Section Chief and supported by seven 
cybersecurity specialists. This section coordinates with Surface 
Operation's new Cybersecurity Branch, CISA, and other subject matter 
experts to ensure vulnerability information, guidance, and mitigation 
measures are shared as appropriate.

    b.  How is TSA leveraging the expertise of other federal agencies, 
such as DOT, in development and implementation of its security 
directives and cybersecurity requirements for the transportation 
sectors?
    Answer. TSA continues to leverage the subject matter expertise 
within the Department of Homeland Security, including CISA, as well as 
the DOT's modal administrations for both surface and aviation 
transportation. All of these federal partners provided crucial input 
into the development of the TSA Cyber SDs and Information Circular. 
Furthermore, all parties provided detailed information on the specifics 
of these Cyber SDs and Information Circular to surface transportation 
stakeholders through numerous conference calls and other industry 
engagements. TSA, CISA, DOT, and other partners continue to provide 
opportunities for industry to raise concerns, ask questions, or request 
additional clarification through direct contact with TSA. TSA 
coordinates the appropriate responses with federal partners to ensure 
the industry receives responses needed to support successful 
implementation of the Cyber SDs and Information Circular actions.
    In the case of pipelines, TSA partnered with CISA, USCG, DOE, and 
PHMSA in the development of those SDs. The SDs include a provision that 
allows operators to raise any safety concerns associated with SD 
implementation, which are then shared with PHMSA for review and 
feedback.

    Question 5. The previous mandatory directives for pipelines 
followed the Colonial Pipeline ransomware attack. What incident or 
security threats are necessitating a mandatory security directive and 
requirements for freight rail, transit, and aviation? How does TSA plan 
to ensure ongoing timely and secure communications about cyber threats 
to the transportation and infrastructure sectors?
    Answer. Cyber threats from attackers remain acute. Attackers use 
cyber operations to steal information, influence populations, and 
damage industry, including physical and digital critical 
infrastructure. The Director of National Intelligence has stated that 
our adversaries and strategic competitors possess cyberattack 
capabilities they could use against U.S. critical infrastructure, 
including U.S. transportation. Additionally, nation states' increasing 
use of cyber operations as a tool of national power, including 
increasing use by militaries around the world, raises the prospect of 
more destructive and disruptive cyber activity against all U.S. 
critical infrastructure, including transportation.
    We remain concerned about the disruptive impacts of ransomware 
attacks, as demonstrated by the Colonial Pipeline attack. The U.S. 
Department of Homeland Security (DHS) stated in late 2020 that 
ransomware attacks--which have at least doubled since 2017--are often 
directed against critical infrastructure entities at the state and 
local level by exploiting gaps in cybersecurity, and that 
cybercriminals will increasingly target U.S. critical infrastructure to 
generate profit, including through ransomware.
    Cyber actors have demonstrated their willingness to conduct cyber-
attacks against critical infrastructure by exploiting the vulnerability 
of Internet-accessible Operational Technology (OT) assets and 
Information Technology (IT) systems. As shown by recent ransomware 
attacks, the United States' adversaries and strategic competitors will 
continue to use cyber espionage and cyberattacks to seek political, 
economic, and military advantage over the United States and its allies 
and partners.
    Cybersecurity incidents affecting surface transportation are a 
growing threat. Given the multitude of connected devices already in use 
by the surface transportation industry and the vast amount of data 
generated (with more coming online soon), protecting the higher-risk 
freight railroads, passenger railroads, and rail transit systems has 
become an increasing critically important and complex undertaking to 
protect critical infrastructure from malicious cyber-attack and other 
cybersecurity-related threats.
    As an example: In April 2021, hackers breached several computer 
systems of the Metropolitan Transportation Authority, the nation's 
largest mass transit agency that transports millions of people in and 
around New York City every day. The intrusion was discovered in late 
April when hackers linked to the Chinese government exploited security 
flaws in Pulse Connect Secure, a Virtual Personal Network that allows 
employees to connect remotely to their employer's network. The 
cyberattack impacted three of the transit agency's 18 systems.
    TSA also continues to share the most relevant and timely 
information with surface transportation stakeholders to counter this 
persistent threat. Most recently, a joint cybersecurity advisory from 
the Federal Bureau of Investigation (FBI), CISA, the Australian Cyber 
Security Centre, and the United Kingdom's National Cyber Security 
Centre highlighted ongoing malicious cyber activity by an advanced 
persistent threat (APT) group associated with the government of Iran. 
The advisory cited: ``The Iranian government-sponsored APT actors are 
actively targeting a broad range of victims across multiple U.S. 
critical infrastructure sectors, including the Transportation Sector 
and the Healthcare and Public Health Sector, as well as Australian 
organizations.''
    TSA has a number of methods to provide timely security 
communications to regulated parties. The primary means is through the 
Homeland Security Information Network (HSIN), by which regulated 
entities have access to their appropriate security web-board. These 
web-boards house security requirements, intelligence reports, 
frequently asked questions, information circulars, advisories, and 
other communications. TSA also routinely invites impacted regulated 
parties to receive classified and unclassified briefings on ongoing 
threats. TSA also has a number of working groups through which 
information is shared.
    With regard to ensuring ongoing and timely communications about 
cyber threats are provided to the transportation and infrastructure 
sectors, TSA continues to bolster its intelligence information sharing 
efforts. TSA has also partnered with aviation and surface stakeholders 
to increase two-way sharing of cyber security threats to critical 
infrastructure. This includes the creation and resourcing of two full-
time threat intelligence cells: the Aviation Domain Intelligence 
Integration & Analysis Cell and the Surface Information Sharing Cell. 
TSA's Field Intelligence Officers also routinely engage with 
stakeholders around the country directly by passing threat information 
and providing tailored classified and unclassified threat briefings.
    Since the issuance of the SDs, TSA collaborated with the White 
House National Security Council and the Office of Director of National 
Intelligence to provide SD-impacted pipeline senior executives with 
classified threat information. TSA also provided classified briefings 
to pipeline Chief Executive Officers and Chief Information Officers/
Chief Information Security Officers at TSA Headquarters. The TSA 
Headquarters briefings were a combined effort between TSA, CISA, and 
FBI. TSA will continue to provide classified briefings twice a year for 
pipeline owner/operators.
    TSA also provided a security briefing to members of the Freight 
Rail and Passenger Rail industries impacted by the Rail SDs. Plans call 
for additional security briefings for rail industry representatives on 
a recurring basis.
    With respect to airport operators and aircraft operators, TSA, 
under 49 CFR sections 1542.303(a) and 1544.305(a), has the ability to 
issue mandatory measures when the agency determines that ``additional 
security measures are necessary to respond to a threat assessment or to 
a specific threat against civil aviation.'' In the case of aviation 
requirements, TSA is opting to issue new requirements under TSA's 
standard ``Amendment by TSA'' process (see 49 CFR sections 1542.105(c) 
and 1544.105(c)). An Amendment by TSA may be issued ``if the safety and 
the public interest require an amendment.'' This process does not 
require there to be an imminent security threat or incident to have 
occurred to issue new security measures.

    Question 6. Does TSA or other federal agencies share any analysis 
of information provided by the transportation and infrastructure 
sectors on cyber incidents, threats, or vulnerabilities? Will the 
information these industries are required to report to DHS be analyzed 
and shared to help bolster their cyber risk management?
    Answer. Presidential Policy Directive (PPD) 41 calls for Federal 
cyber incident response agencies to share incident information with 
each other to achieve unity of governmental effort (see PPD-41 Sec.  
III.D). Information provided to CISA pursuant to the SDs will be shared 
by CISA with TSA and also shared with the National Response Center and 
other agencies as appropriate.
    TSA is leveraging CISA guidance and assessments to conduct further 
mode-specific research and identify mechanisms to obtain stakeholder 
cyber measures, determine gaps, and work with the National Risk 
Management Center to develop a prioritized list of cyber risks.
    TSA has shared lessons learned from the first pipeline Security 
Directive (SD01) with industry representatives via stakeholder calls 
and trade association meetings.
    When TSA issued the requirements for reporting cybersecurity 
incidents, the regulated parties were told that the information 
provided to the CISA and to TSA may be used in reports. Specifically, 
it said ``TSA may use the information, with company-specific data 
redacted, for TSA's intelligence-derived reports. TSA and CISA also may 
use information submitted for vulnerability identification, trend 
analysis, or to generate anonymized indicators of compromise or other 
cybersecurity products to prevent other cybersecurity incidents.''
    TSA has a number of methods to communicate timely and secure 
communications to regulated parties. The primary means is through the 
HSIN, by which regulated entities have access to their appropriate 
security web-board. These web-boards house security requirements, 
intelligence reports, frequently asked questions, information 
circulars, advisories, and other communications. TSA also routinely 
invites impacted regulated parties to receive classified and 
unclassified briefings on ongoing threats. TSA also has a number of 
outlets by which to share information such as trade associations and 
their cybersecurity workgroups, sector coordinating councils, and 
information sharing and analysis centers. Through the use of HSIN, 
briefings, and those various information sharing outlets, industry 
stakeholders are provided with multiple facets to increase awareness of 
current events, and identified cybersecurity threats and 
vulnerabilities.

Questions from Hon. Seth Moulton to Victoria Newhouse, Deputy Assistant 
    Administrator for Policy, Plans, and Engagement, Transportation 
     Security Administration, U.S. Department of Homeland Security

    Question 7. Ms. Newhouse, new cybersecurity requirements for rail 
carriers were announced the day of this hearing, which includes 
designating a cybersecurity coordinator, reporting hacking incidents 
within 24 hours, conducting a vulnerability assessment, and developing 
an incident-response plan for breaches. During our previous 
cybersecurity hearing, the rail industry representative seemed opposed 
to federal regulations regarding cybersecurity mandates in the private 
sector. Can you explain why the rail industry is considered high-risk 
and in need of this directive? What benefits do you expect from 
mandating these new measures compared to voluntary guidance?
    Answer. Cybersecurity incidents affecting surface transportation 
entities are a growing threat that pose a risk to the national and 
economic security of the United States. The cybersecurity security 
directives were issued to the rail industry (higher risk freight 
railroads, passenger railroads, and rail transit agencies) due to their 
criticality to the nation's economy and national defense. These 
entities transport the largest volumes of cargo and people and have 
been the targets of cyber threat actors. While many of these entities 
have initiated protective measures for enhanced cybersecurity, TSA 
determined that there was a need to establish a baseline of practices 
such as those included in the security directives.
    The surface transportation industry utilizes a multitude of 
connected devices and generates vast amounts of data. Malicious actors 
have increasingly demonstrated the capability to conduct cyber-attacks 
exploiting the vulnerabilities of Internet-accessible OT assets and IT 
systems. In recent years, cyber attackers have maliciously targeted the 
critical infrastructure of surface transportation modes in the U.S., 
including freight railroads, passenger railroads, and rail transit 
systems, with multiple cyberattack and cyber espionage campaigns.\1\ By 
targeting the integrated cyber and physical infrastructure of surface 
transportation entities, these actions threaten the safe, secure, and 
uninterrupted daily operation of surface transportation systems relied 
upon by the U.S. economy with potential to cause nation-wide impact. 
Given the significant ongoing threat to the surface transportation 
sector, protecting the higher-risk freight railroads, passenger 
railroads, and rail transit systems from malicious cyber-attack and 
other cybersecurity-related threats is critically important to 
safeguarding the nation's critical infrastructure. To counter this 
threat, TSA determined that the requirements of Security Directive 
1580-21-01 and Security Directive 1582-21-01 were urgently needed to 
protect the surface transportation sector by mitigating and eliminating 
cybersecurity vulnerabilities.
---------------------------------------------------------------------------
    \1\ These activities include the April 2021 breach of New York 
City's Metropolitan Transportation Authority (the nation's largest mass 
transit agency) by hackers linked to the Chinese government; the 
December 2020 ``Sunburst'' attack on transit agencies; the August 2020 
attack on the Southeastern Pennsylvania Transportation Authority; the 
2017 ransomware attack on the Sacramento Regional Transit District; and 
the November 2016 ransomware attack on the San Francisco Municipal 
Transportation agency. This threat is ongoing: on November 17, 2021 the 
FBI, CISA, the Australian Cyber Security Centre, and the United 
Kingdom's National Cyber Security Centre issued a joint cybersecurity 
advisory highlighting ongoing malicious cyber activity by an APT that 
these agencies associated with the government of Iran. The advisory 
states that ``The Iranian government-sponsored APT actors are actively 
targeting a broad range of victims across multiple U.S. critical 
infrastructure sectors, including the Transportation Sector and the 
Healthcare and Public Health Sector, as well as Australian 
organizations.'' Alert AA21-321A (November 17, 2021).
---------------------------------------------------------------------------
    Congress granted the TSA Administrator broad statutory 
responsibility and authority with respect to the security of the 
transportation system. Under the authorities of 49 U.S.C. section 114, 
TSA may take immediate action to impose measures to protect 
transportation security without providing notice or an opportunity for 
comment. This provision specifically recognizes that there are times 
when action is necessary that does not provide for the rather lengthy 
process necessary to issue a notice of proposed rulemaking and finalize 
a rule.
    TSA's regulations identify higher-risk owner/operators of freight 
railroads, passenger railroads, and rail transit operations. These 
determinations align with DHS's official definition of risk as the 
``potential for an adverse outcome assessed as a function of threats, 
vulnerabilities, and consequences associated with an incident, event, 
or occurrence.'' TSA has determined that the higher-risk freight 
railroads are those designated as Class I based on their revenue (over 
$72.9 billion in 2013), as well as any freight railroad that transports 
one or more of the categories of Rail Security-Sensitive Materials in a 
high threat urban area. The Nation depends on these systems to move 
freight in support of critical sectors and passengers.
    TSA has determined the higher-risk rail transit systems and 
passenger railroads in the context of resource allocations under the 
Transit Security Grant Program using a model approved by the DHS 
Secretary and vetted by Congress. These systems are all located in high 
threat urban areas and carry the most passengers as a percentage of 
daily ridership totals.
    Although TSA continues to work with these industries to develop and 
implement cybersecurity measures voluntarily, the industries have not 
achieved 100 percent adoption of the recommended measures. To establish 
a baseline of behavior for higher-risk operations to protect against 
cyber-actors and ongoing cyberattacks against the transportation 
sector, TSA worked with both private-sector and public-sector partners 
to identify existing vulnerabilities, develop mitigation strategies and 
cybersecurity measures, and install response and restore protocols to 
more quickly address immediate threats through security directives. 
Entities not covered by the security directives are still recommended 
to implement the same measures through voluntary actions.
    In accordance with the National Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems (Jul 29, 
2021), TSA has issued these Security Directives due to the ongoing 
cybersecurity threat to surface transportation systems and associated 
infrastructure to prevent against the significant harm to the national 
and economic security of the United States that could result from the 
``degradation, destruction, or malfunction of systems that control this 
infrastructure.'' In order to mitigate these threats, TSA believes 
mandatory measures will ensure industry is taking appropriate actions 
to mitigate potential vulnerabilities from the ongoing cybersecurity 
threats.

    Questions from Hon. Garret Graves to Victoria Newhouse, Deputy 
      Assistant Administrator for Policy, Plans, and Engagement, 
  Transportation Security Administration, U.S. Department of Homeland 
                                Security

    Question 8. Your testimony discusses information sharing between 
TSA and the USCG to identify and manage threats in the Maritime 
Transportation System (MTS). How does TSA communicate threats to our 
individual ports as part of the effort to manage risks in the MTS?
    Answer. USCG has primary responsibility to manage threats in the 
Maritime Transportation System (MTS). If TSA has relevant threat 
information affecting the MTS, it is made available to the USCG. TSA 
also receives relevant threat information from the USCG for awareness. 
TSA Surface inspectors and Field Intelligence Officers participate in 
the quarterly Area Maritime Security Committee meetings, which include 
facility security officers and other maritime stakeholders to share 
intelligence and current maritime security and safety issues. Surface 
inspectors also attend other maritime-related association meetings at 
the local ports where similar information is shared.

    Question 9. I've read reports that there are some 500,000 vacancies 
for cybersecurity professionals in the U.S. workforce, making it nearly 
impossible for us to get a handle on the next generation of threats. 
Additionally, we've heard from industry that they feel that talent is 
relegated to SCIFs in the federal government, fusion centers, and big 
technology companies--preventing talent from being available to 
critical infrastructure at the local level. What can we be doing to 
rethink the workforce model for cybersecurity-specific professionals?
    Answer. Cybersecurity touches all modes of critical infrastructure, 
including transportation. TSA is working to expand the cybersecurity 
workforce in a number of capacities including hiring cybersecurity 
professionals to our Policy and Operational teams. Expanding TSA's 
cyber threat analysis footprint supports TSA efforts to enhance cyber-
related intelligence analyses and products covering all modes of 
transportation; strengthen cyber threat analysis by developing 
integrated, repeatable processes for identification, analysis and 
sharing of cyber incidents; and increase the engagement and sharing of 
intelligence with stakeholders. Moving forward, the goal of all federal 
agencies is to assist efforts private industry and at state and local 
levels by ensuring information is classified at the lowest possible 
level, which make information more accessible.
    While DHS and TSA cannot directly influence the ability of 
transportation providers to hire and retain cybersecurity 
professionals, there may be options to create training and educational 
opportunities that transportation providers could leverage to assist in 
the development of their own workforces.

    Questions from Hon. Michael Guest to Victoria Newhouse, Deputy 
      Assistant Administrator for Policy, Plans, and Engagement, 
  Transportation Security Administration, U.S. Department of Homeland 
                                Security

    Question 10. Each state has a designated CISA ``Protective Security 
Advisor'' that coordinates with members of the critical infrastructure 
community and works to help them prepare/defend against cyber-attacks. 
Can you tell me about the interface your agencies have with these 
Advisors and what role they play in your industries?
    Answer. TSA works with both Protective Security Advisors (PSA) and 
Cybersecurity Advisors (CSA) from CISA. TSA partnerships with regional 
CSAs across the U.S. allow for an expanded coordination of expertise 
and outreach into the transportation sector community. TSA has 
collaborated at the regional level with CSAs in conducting a wide 
variety of stakeholder and trade association cybersecurity related 
workshops. Along with the CSA relationships, TSA is establishing a 
surface transportation cyber information sharing network through the 
development of the Surface Information Sharing Cell serving as the hub, 
with spokes assuring engagement with organizations, including CISA and 
voluntary industry partnerships, in each surface transportation mode 
with necessary analytical support.
    In one specific example of recent coordination, TSA partnered with 
CISA PSAs to help raise industry awareness and to promote pipeline 
owner/operators' participation in the Validated Architecture Design 
Review program.

    Question 11. Many industry stakeholders utilize early notification 
networks. However, the public sector lacks a robust system to alert 
private carriers or shippers of an attack across the system. To 
critical infrastructure, the ability to limit damage seems crucial. Can 
you expand on how early notification networks are used by the private 
sector and why coordination with a federal government system is so 
important?
    Answer. Public/private partnerships are critical to prevent, 
protect, mitigate, respond, and recover from cyber-actors' attempts to 
disrupt the transportation sector or from ongoing cyberattacks to IT 
and OT systems. These partnerships are important for a number of 
reasons. First, information sharing. As a repository to collect 
information on cybersecurity incidents, the federal government is able 
to effectively analyze the information and send it out to other 
impacted or potentially impacted parties. This may help to mitigate the 
impact of an incident. Second, understanding incident impact/scope. 
From the point of view of the impacted party, it may be difficult to 
understand the scope of an incident. By sharing, the federal government 
is able to piece together disparate pieces of information and fully 
understand the full impact of an incident. Third, coordinated response. 
The federal government's role in a cybersecurity incident will be to 
coordinate the response effectively at the federal level, and all the 
way down to the local level. In each of these cases, it is important to 
keep in mind that all of this is possible due to the relationships 
built between government agencies, as well as with private companies.
    TSA continues to work with federal government partners and private-
sector transportation stakeholders to limit cyber related disruptions. 
TSA routinely coordinates the sharing of both non-classified and 
classified security information as appropriate with its transportation 
sector partners. This includes the identification of new 
vulnerabilities and the sharing of known mitigation measures to close 
the identified security gaps.
    Additionally, as recommended by the Surface Transportation Security 
Advisory Committee to the TSA Administrator, TSA has begun to establish 
a surface transportation cyber information sharing network on threats, 
incidents, and security concerns and related alerts, advisories, 
analyses, and assessments. This includes the establishment of the 
Surface Information Sharing Cell to serve as the hub, with spokes 
assuring engagement with organizations in each surface transportation 
mode, for the exchange of reporting, analyses, advisories, and alerts 
on cyber threats, incidents, and security concerns--with necessary 
analytical support.

Questions from Hon. Frederica S. Wilson to Rear Admiral John W. Mauger, 
      Assistant Commandant for Prevention Policy, U.S. Coast Guard

    Question 1. Admiral Mauger: Thank you for your service and today's 
testimony. As chair of the Florida Ports Caucus and a strong supporter 
of PortMiami in South Florida, protecting the maritime industry is very 
important to me. You mentioned that MTSA-regulated vessels and 
facilities are required to report transportation security incidents, 
breaches of security, and suspicious activity without delay. How 
effective has this provision been in helping the Coast Guard protect 
our maritime industry and could similar provisions help improve 
cybersecurity in other transportation sectors?
    Answer. The timely reporting of Transportation Security Incidents 
(TSI), Breaches of Security, and Suspicious Activity, to include cyber 
incidents, by regulated vessels and facilities has proven effective and 
allowed the Coast Guard to respond and, where necessary, deploy 
resources, while also coordinating with other agencies as appropriate. 
In 2016, the Coast Guard released a policy letter expanding on the 
regulatory requirement for cyber incident reporting, which includes 
more information on how to identify whether a cyber-incident is 
considered a TSI, Breach of Security, or Suspicious Activity. This 
policy letter also outlines that Coast Guard regulated entities can 
report incidents to the Cybersecurity and Infrastructure Security 
Agency (CISA) in lieu of the Coast Guard. This is similar to the 
reporting mechanism established through the Transportation Security 
Administration's security directives. This policy remains in effect 
today, and the Coast Guard may further refine it as government and 
industry experience with cyber incident reporting continues to grow. 
Details from a reported cyber incident, after vetting, may be 
incorporated into a Maritime Cyber Alert or other suitable messaging to 
share with the broader community to raise awareness of potential 
threats, vulnerabilities, and consequences to the Marine Transportation 
System (MTS), or through CISA to all sectors of critical 
infrastructure.
    The provisions are only mandatory for vessels and facilities 
subject to Maritime Transportation Security Act of 2002 (MTSA), which 
does not capture all components of the MTS. Similar provisions could 
improve cybersecurity awareness in other transportation sectors, or for 
a broader portion of the MTS, so long as reporting requirements are 
clear. This is particularly the case if multiple agencies have a role 
in regulations and oversight of a transportation sector. The 
Administration also supports efforts to mandate the reporting of cyber 
incidents to critical infrastructure and the timely sharing of those 
incidents with Sector Risk Management Agencies.

   Questions from Hon. Garret Graves to Rear Admiral John W. Mauger, 
      Assistant Commandant for Prevention Policy, U.S. Coast Guard

    Question 2. Your testimony discusses information sharing between 
the U.S. Coast Guard and TSA to identify and manage threats in the 
Maritime Transportation System (MTS). How does the USCG communicate 
threats to our individual ports as part of the effort to manage risks 
in the MTS?
    Answer. The Coast Guard leverages several mechanisms for 
communicating threats to our ports and MTS stakeholders, whether the 
threats are to the MTS at-large, or to specific stakeholders. 
Communication can take the shape of Marine Safety Information 
Bulletins, Maritime Cyber Alerts, Coast Guard messages, articles, etc. 
Dissemination of the information, regardless of form, can go through 
multiple avenues based on need. These include Area Maritime Security 
Committees, Port Security Specialists and Cyber Coordinators/Advisors 
at the Area, District, and Sector level to pass information to their 
network of contacts, CISA, the Maritime Transportation System 
Information Sharing and Analysis Center (MTS-ISAC), Partners within the 
Government Coordinating Council and Sector Coordinating Council, and 
through other Sector Risk Management Agencies.

    Question 3. Lack of resources and personnel has been a hurdle for 
the U.S. Coast Guard to adapt to securing the MTS from cyber threats as 
opposed to traditional facilities security. Has the U.S. Coast Guard 
investigated opportunities to coordinate (and consolidate) its existing 
cybersecurity initiatives across U.S. Coast Guard mission areas?
    Answer. The Coast Guard continually reviews opportunities to 
coordinate and consolidate new and existing cybersecurity initiatives 
across mission areas. The Service recently published the 2021 Cyber 
Strategic Outlook (CSO), which charts the path to meet the challenges 
of a rapidly evolving cyber domain. Key to the CSO are three lines of 
effort: (1) Defend and Operate the Enterprise Mission Platform, (2) 
Protect the Marine Transportation System, and (3) Operate In and 
Through Cyberspace. The Coast Guard continues to operationalize Marine 
Transportation System cyber risk management from the headquarters 
program level to the port level, including the incorporation of 
cybersecurity into the Service's prevention and response framework.

    Question 4. The U.S. Coast Guard uses the FEMA National Incident 
Management System (NIMS) for physical security. Is the Coast Guard 
working with FEMA to update NIMS to respond to cyber incidents?
    Answer. Yes. The Coast Guard is working with other U.S. Department 
of Homeland Security components, including the Federal Emergency 
Management Agency and CISA, to examine the application of the National 
Incident Management System as well as the National Cyber Incident 
Response Plan to cyber incident response.

    Question 5. It is my understanding that there is a current U.S. 
Coast Guard-led Research and Development effort to develop a Threat 
Intelligence Partnership for the Maritime Transportation System. Could 
you provide an update on this partnership and detail how this system is 
anticipated to be deployed to protect the MTS?
    Answer. The Threat Intelligence Partnership is a Research and 
Development effort to develop technology that improves data analytics 
and information systems to better inform Marine Transportation System 
entities of threats and provide recommended actionable improvements to 
security. The system concept is in the early stages of development with 
additional analysis required to determine when a production system 
might be available. The project, and the experience of developing it 
thus far, has confirmed a need to improve collaboration with U.S. 
Government partners in the areas of critical infrastructure, 
cybersecurity, homeland security, and maritime commerce.
    This project is sponsored by Coast Guard Intelligence, funded by 
the Naval Information Warfare Command, contracted through the Naval 
Research Laboratories, and involves Louisiana State University and the 
Stevenson Technology Corporation.

    Question 6. The Maritime Transportation System community wants 
actionable guidance from the U.S. Coast Guard on what they need to be 
doing to protect against an ever more diverse set of cyber threats. Has 
the U.S. Coast Guard investigated opportunities to provide (or require) 
cybersecurity training to our maritime industries and ports, as the 
U.S. Coast Guard currently requires trainings on physical and 
facilities security?
    Answer. Per Title 33 of the Code of Federal Regulations, vessel and 
facility security personnel and non-security personnel can obtain 
baseline security knowledge requirements through training or equivalent 
job experience. Existing guidance in NVIC 01-20 ``Guidelines for 
Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) 
Regulated Facilities'' recommends that Facility Security Plans describe 
how cybersecurity is included as part of personnel training, policies, 
and procedures, and how this material will be kept current and 
monitored for effectiveness.
    There is no Coast Guard-developed or approved cybersecurity 
training for industry. The Coast Guard shares local training 
opportunities through Area Maritime Security Committees at the port 
level.
    The Coast Guard will consider training requirements as it evaluates 
future cyber regulations for the marine transportation system.

    Question 7. I've read reports that there are some 500,000 vacancies 
for cybersecurity professionals in the U.S. workforce, making it nearly 
impossible for us to get a handle on the next generation of threats. 
Additionally, we've heard from industry that they feel that talent is 
relegated to SCIFs in the federal government, fusion centers, and big 
technology companies--preventing talent from being available to 
critical infrastructure at the local level. What can we be doing to 
rethink the workforce model for cybersecurity-specific professionals?
    Answer. The Coast Guard is working to ensure the Service's cyber 
workforce is well-trained, effective, and retains talent using 
workforce retention interventions (bonuses) for active duty and 
civilian members to provide compensation commensurate to civilian 
counterparts. Additionally, the Coast Guard is augmenting the cyber 
workforce with Reserve and Auxiliary members to ensure adequate surge 
capacity and providing opportunities to attain sought after 
certifications and training opportunities within the Cyberspace 
operations. The Coast Guard's workforce management initiatives continue 
to evolve to meet the demands of a fast paced and growing cyber 
community and our cyber professionals are fully prepared to meet the 
Service's needs.

   Questions from Hon. Michael Guest to Rear Admiral John W. Mauger, 
      Assistant Commandant for Prevention Policy, U.S. Coast Guard

    Question 8. In your testimony you reference a shared responsibility 
between Coast Guard and private industry. You list ``conducting 
vulnerability assessments,'' ``Exercising plans,'' and ``reporting 
cyber incidents'' as ways Coast Guard CYBER interacts with industry 
stakeholders to boost or assess cybersecurity plans. On October 1, the 
Coast Guard launched reviews of Facility Security Assessments and 
Facility Security Plans of MTSA-regulated facilities (Maritime 
Transportation Security Act).
    a.  Prior to this initiative, could you give me a percentage of 
facilities that actively cooperated with Coast Guard on these plans?
    Answer. Beginning October 1st, 2021, facilities were required to 
have cybersecurity incorporated, along with physical security, at their 
first annual audit. Before that, the Coast Guard did not have clear 
visibility as to whether or not facilities incorporated cybersecurity 
into their overall security posture. Some facilities opted to include 
cybersecurity in their required Facility Security Assessments and 
Facility Security Plans, but the number is estimated to be less than 2 
percent, and the degree to which cybersecurity was incorporated varied 
from facility to facility. Additionally, a lack of cybersecurity 
inclusion in Facility Security Assessments (FSA) and Facility Security 
Plans (FSP) does not necessarily mean that some facilities were not 
still considering cybersecurity.

    b.  Additionally, is there any incentive or penalties for 
facilities if they do not conduct assessments or adhere to industry 
standards if they are attacked, especially for MTSA-regulated 
facilities?
    Answer. Facilities were provided with a 1-year period, ending 
September 30, 2022, to incorporate cybersecurity into their FSAs and 
FSPs, since no previous guidance existed. Beginning October 1, 2022, 
all facilities must be in compliance, and will be subject to action by 
Captains of the Ports (COTP) in cases of non-compliance. Options 
available to COTPs include issuing deficiencies, imposing fines, and 
civil penalties. The COTP may place operational controls on the 
facility and/or seek enforcement actions (Letter of Warning, Notice of 
Violation, Civil Penalty) on the owner/operator of the MTSA-regulated 
facility.

    Question 9. The National Cyber Director, Director Chris Inglis, 
also emphasized the need for accountability in cybersecurity practices. 
Each one of you represents a different set of industry stakeholders 
with vastly different needs in this space.
    a.  For bad actors within your jurisdiction that allow their 
cybersecurity measures to fall below public or industry standards, what 
are ways that Congress and your agencies can hold those folks 
accountable?
    Answer. Title 33, Code of Federal Regulations parts 105 and 106, 
which implement MTSA of 2002, require regulated facilities to maintain 
an approved FSP. Existing regulations require owners and operators of 
MTSA-regulated facilities to analyze vulnerabilities associated with 
radio and telecommunication equipment, including computer systems and 
networks, otherwise known as cybersecurity. When cybersecurity 
vulnerabilities are identified, an owner or operator demonstrates 
compliance by providing its cybersecurity mitigation procedures in the 
FSP. When a MTSA-regulated facility is found to not be following the 
measures or procedures noted in their FSP, or are otherwise not in 
compliance with the relevant regulations, the Captain of the Port may 
place operational controls on the facility and/or seek enforcement 
actions (Letter of Warning, Notice of Violation, Civil Penalty) on the 
owner/operator of the MTSA-regulated facility.

    b.  Many stakeholders mention that they are more robust in 
developing cybersecurity measures and have been for decades. So, what 
are ways to hold bad actors accountable without installing mandates 
that may limit the private sector's own work in this space?
    Answer. Although the MTSA regulations in 33 CFR parts 105 and 106 
are mandatory, it is up to each facility to determine how to identify, 
assess, and address the vulnerabilities of their computer systems and 
networks. While there is a baseline of what is required, this does not 
limit individual facilities from implementing additional protective 
measures. For example, each individual facility should determine the 
organizational structure; number of employees; the employee roles, 
responsibilities, and access permissions; and, the employee training 
needed so that its security personnel can address the facility's cyber 
security risks. Each facility should also determine how, and where, its 
data is stored and, if it is stored offsite, whether the data has a 
critical link to the safety and/or security functions of the facility. 
If such a critical link exists, the facility should address any 
vulnerabilities. Other motivating efforts include engaging stakeholders 
through multi-agency, multi-stakeholder initiatives such as Area 
Maritime Security Committees, Harbor Safety Committees, and others that 
encourage mutual efforts to bolster cyber risk management throughout 
the MTS.

    Question 10. Each state has a designated CISA ``Protective Security 
Advisor'' that coordinates with members of the critical infrastructure 
community and works to help them prepare/defend against cyber-attacks. 
Can you tell me about the interface your agencies have with these 
Advisors and what role they play in your industries?
    Answer. The Coast Guard interfaces with CISA Protective Security 
Advisors (PSA), Cybersecurity Advisors (CSA), and other CISA regional 
personnel through the Area Maritime Security Committees (AMSCs) as well 
as other Coast Guard points of contact. AMSCs are required by federal 
regulations and serve an essential coordinating function during normal 
operations and emergency response. They are comprised of government 
agency and maritime industry leaders, and serve as the primary local 
means to jointly evaluate cyber risks, share threat information, and 
participate in cyber preparedness exercises. Coast Guard field 
personnel work collaboratively with PSAs, CSAs, and other regional 
personnel as needed, the AMSC, during Regional Resiliency Assessment 
Programs, interagency/stakeholder meetings, local exercises, training 
offerings, incidents, and special events. As there is a cyber-physical 
security convergence with many threats we face as a country, the PSAs 
and CSAs work together to bring that combined expertise, as well as 
tools and resources, to our maritime partners.

    Question 11. Many industry stakeholders utilize early notification 
networks. However, the public sector lacks a robust system to alert 
private carriers or shippers of an attack across the system. To 
critical infrastructure, the ability to limit damage seems crucial. Can 
you expand on how early notification networks are used by the private 
sector and why coordination with a federal government system is so 
important?
    Answer. The evolving nature of cyber threats and vulnerabilities 
includes the fact that incidents affecting one component of the MTS, or 
other critical infrastructure sectors, could quickly and easily affect 
other components. Early and detailed notifications enable responding 
agencies and stakeholders to quickly assess, respond to, and recover 
from a cybersecurity incident while allowing others to take appropriate 
steps to prepare for and mitigate such incidents. Multiple government 
agencies respond to cybersecurity incidents, which necessitates timely 
reporting and shared information to facilitate a coordinated response.
    Early notifications enable Coast Guard COTP to evaluate risks 
associated with a cybersecurity incident and deploy resources or impose 
appropriate operational controls when necessary (i.e. halt transfer 
operations, require tug boats to assist a ship, etc.). Early 
notifications also allow the Coast Guard's Cyber Command to support the 
impacted company remotely or deploy a specialized Cyber Protection Team 
to help them with the technical aspects of their assessment and 
response.
    Notification networks include the Coast Guard's National Response 
Center, where MTSA-regulated facilities are required to report 
Transportation Security Incidents, Breaches of Security, and Suspicious 
Activity, to include cybersecurity events. Additionally, CISA receives 
and shares reports of cybersecurity incidents. In addition to agency 
messaging, the MTS-ISAC assists in the dissemination of key information 
to stakeholders.

  Questions from Hon. Frederica S. Wilson to Kevin Dorsey, Assistant 
    Inspector General for Information Technology Audits, Office of 
          Inspector General, U.S. Department of Transportation

    Question 1. Mr. Dorsey, in your testimony, you highlighted that 
DOT's weaknesses can be attributed to its lack of progress in 
addressing previous audit recommendations. Between 2017 and 2020, the 
number of weaknesses more than doubled to over 10,000 under the 
previous administration. How will the $2 billion that was provided 
under the Infrastructure and Investment Jobs Act help the Biden 
administration address this problem and how can DOT prevent such a 
sharp increase in the future?
    Answer. While the Act provides $2 billion for funding cybersecurity 
improvements and other critical infrastructure needs, we do not have 
any ongoing work that would allow us to assess how this funding may 
help address the weaknesses identified in my testimony. As my testimony 
stated, we made an overarching recommendation to DOT to require the 
Office of the Chief Information Officer to develop a multiyear strategy 
and approach--complete with objective milestones and resource 
commitments--to implement the necessary corrective actions to address 
these weaknesses and ensure an effective information security program. 
Implementing this recommendation will allow the Department to 
prioritize these weaknesses and calculate the resources necessary for 
resolving recurring cybersecurity issues while also addressing new 
concerns as they arise. An effective information security program will 
help DOT mitigate risks of cyberattacks and prevent such a sharp 
increase of recurring cybersecurity issues in the future.

 Question from Hon. Garret Graves to Kevin Dorsey, Assistant Inspector 
General for Information Technology Audits, Office of Inspector General, 
                   U.S. Department of Transportation

    Question 2. I've read reports that there are some 500,000 vacancies 
for cybersecurity professionals in the U.S. workforce, making it nearly 
impossible for us to get a handle on the next generation of threats. 
Additionally, we've heard from industry that they feel that talent is 
relegated to SCIFs in the federal government, fusion centers, and big 
technology companies--preventing talent from being available to 
critical infrastructure at the local level. What can we be doing to 
rethink the workforce model for cybersecurity-specific professionals?
    Answer. While DOT OIG does not have any ongoing work regarding the 
workforce model for cybersecurity-specific professionals, this 
challenge is not unique to DOT. GAO has recognized cybersecurity among 
the mission-critical skills gaps that contribute to the placement of 
Strategic Human Capital Management on its annual High Risk List report. 
Moreover, as illustrated by the examples of cyberattacks on local 
government and private infrastructure noted in my testimony, there is 
an acute need for cybersecurity talent outside the Federal Government. 
As to the Federal workforce, the Department of Homeland Security (DHS) 
recently launched the Cybersecurity Talent Management System (CTMS) to 
help it recruit, develop, and retain top cybersecurity professionals. 
If proven successful, this could serve as a model to be adopted 
elsewhere.

Questions from Hon. Michael Guest to Kevin Dorsey, Assistant Inspector 
General for Information Technology Audits, Office of Inspector General, 
                   U.S. Department of Transportation

    Question 3. Each state has a designated CISA ``Protective Security 
Advisor'' that coordinates with members of the critical infrastructure 
community and works to help them prepare/defend against cyber-attacks. 
Can you tell me about the interface your agencies have with these 
Advisors and what role they play in your industries?
    Answer. The CISA Protective Security Advisor meets with Department 
staff. Given the Office of Inspector General's independent role, we do 
not interface with the advisor. This question would be best answered by 
someone at the Department level.

    Question 4. Many industry stakeholders utilize early notification 
networks. However, the public sector lacks a robust system to alert 
private carriers or shippers of an attack across the system. To 
critical infrastructure, the ability to limit damage seems crucial. Can 
you expand on how early notification networks are used by the private 
sector and why coordination with a federal government system is so 
important?
    Answer. While our office does not have any ongoing work 
specifically related to early notification networks used by the private 
sector, the importance of DOT's coordination with the private sector to 
enhance cybersecurity is clear. As I stated in my testimony, DOT is a 
lead agency, along with DHS, in protecting the critical infrastructure 
of the Nation's transportation sector. As such, DOT must partner 
effectively with other Federal agencies and the private sector to 
mitigate vulnerabilities and ensure a robust cybersecurity posture. For 
example, the FAA Extension, Safety, and Security Act of 2016 directs 
FAA to develop a comprehensive, strategic framework to reduce 
cybersecurity risks to civil aviation. FAA's efforts to implement this 
framework involve coordinating and collaborating on aviation 
cybersecurity with DHS and the Department of Defense through the 
Aviation Cyber Initiative. Protecting flight-critical systems--and the 
safety of the flying public--from rapidly evolving cyber-based threats 
also requires the cooperation of aviation stakeholders from industry, 
airlines, airports, and manufacturers. This is a good start, but it is 
only one step in what will be necessary for the development of a robust 
coordination effort between the private sector and the Federal 
Government to protect the transportation sector's critical 
infrastructure.

Questions from Hon. Steve Cohen to Nick Marinos, Director, Information 
  Technology and Cybersecurity, U.S. Government Accountability Office

    Question 1. In July, GAO highlighted pipeline-related weaknesses 
that stemmed from TSA's own internal policies, which included 
conducting risk assessments with incomplete information and using 
protocols for responding to pipeline incidents that had not been 
revised since 2010. Is there anything you would like to add regarding 
GAO's review of these issues?
    Answer. In July 2021, we testified that the Transportation Security 
Administration (TSA), within the Department of Homeland Security (DHS), 
had not fully addressed pipeline cybersecurity-related weaknesses that 
GAO had previously identified, such as incomplete information for 
pipeline risk assessments and aged protocols for responding to pipeline 
security incidents.\1\ Fully addressing our recommendations will better 
ensure that TSA's actions are well-coordinated with other federal 
agencies in response to a pipeline-related physical or cyber incident, 
and that pipeline stakeholders understand federal agencies' roles and 
responsibilities in helping pipeline owner/operators to restore service 
after a pipeline-related physical or cyber incident.
---------------------------------------------------------------------------
    \1\ GAO, Critical Infrastructure Protection: TSA Is Taking Steps to 
Address Some Pipeline Security Program Weaknesses, GAO-21-105263 
(Washington, D.C.: July 27, 2021).
---------------------------------------------------------------------------
    Specifically, GAO reports in 2018 and 2019 identified weaknesses in 
TSA's oversight and guidance, and made 13 recommendations to address 
those weaknesses.\2\ TSA concurred with GAO's recommendations. As of 
November 2021, TSA had implemented 10 of the 13 recommendations but had 
not implemented the following:
---------------------------------------------------------------------------
    \2\ GAO, Critical Infrastructure Protection: Key Pipeline Security 
Documents Need to Reflect Current Operating Environment, GAO-19-426 
(Washington, D.C.: June 5, 2019) and Critical Infrastructure 
Protection: Actions Needed to Address Significant Weaknesses in TSA's 
Pipeline Security Program Management, GAO-19-48 (Washington, D.C.: Dec. 
18, 2018).
---------------------------------------------------------------------------
    1.  In 2018, we recommended that TSA should identify or develop 
other data sources relevant to threat, vulnerability, and consequence 
consistent with DHS's critical infrastructure risk mitigation 
priorities and incorporate that data into the Pipeline Relative Risk 
Ranking Tool to assess relative risk of critical pipeline systems. As 
of July 2021, TSA officials reported meeting with representatives from 
DHS and the Federal Emergency Management Agency (FEMA) to obtain their 
input on the identification of sources relevant to threat, 
vulnerability and consequence consistent with DHS's priorities. 
According to TSA officials, further action on this recommendation had 
been limited due to the agency's work on the pandemic response and the 
lack of funding for contractor support.
    2.  In 2018, we also recommended that TSA should take steps to 
coordinate an independent, external peer review of its Pipeline 
Relative Risk Ranking Tool. As of July 2021, DHS officials stated that 
TSA intends to take steps to coordinate an independent, external peer 
review of its Pipeline Relative Risk Ranking Tool after the agency has 
addressed the above-mentioned open recommendation.
    3.  In 2019, we recommended that TSA periodically review, and as 
appropriate, update the 2010 Pipeline Security and Incident Recovery 
Protocol Plan to ensure the plan reflects relevant changes in pipeline 
security threats (including those related to cybersecurity), 
technology, federal law and policy, and any other factors relevant to 
the security of the nation's pipeline systems. According to TSA 
officials, as of August 2021, the agency had completed a review of the 
2010 Pipeline Security and Incident Recovery Protocol Plan and 
determined that updates were needed.

    We will continue to monitor TSA's efforts to implement our 
recommendations.

    Question 2. We have heard numerous reports of local governments 
being targeted by ransomware and other cybersecurity threats. Local 
agencies may be especially under-prepared to respond to the increasing 
level of risk. As you know, the bipartisan infrastructure bill we 
passed into law allocates $1 billion to improve state and local 
government cybersecurity through a new Department of Homeland Security 
grant program. Can you discuss how this funding may impact local 
transportation agencies and if you have any recommendations for how the 
federal government can better assist or coordinate with state and local 
governments' cybersecurity efforts?
    Answer. Increased funding may help to improve cybersecurity and 
critical infrastructure for transportation agencies through grants to 
states, local, tribal, and territorial governments from the State and 
Local Cybersecurity Grant Program established by the Infrastructure 
Investment and Jobs Act.\3\ The act also calls for the establishment of 
the Safety Data Initiative to promote the use of data integration, data 
visualization, and advanced analytics for surface transportation safety 
through the development of innovative practices and products for use by 
federal, state, and local entities. This initiative is designed to 
encourage the sharing of data between and among federal, state, and 
local transportation agencies.
---------------------------------------------------------------------------
    \3\ Infrastructure Investment and Jobs Act, Pub. L. No 117-58, 135 
Stat. 429, 1272, Sec.  70612 (2021).
---------------------------------------------------------------------------
    Additionally, the act also requires GAO to conduct a review of the 
State and Local Cybersecurity Grant Program including the grant 
selection process by DHS and a sample of grants awarded. In light of 
your interest in state and local governments' cybersecurity efforts, we 
will reach out to your office during our review of the program.
    On the subject of federal assistance to state and local 
governments' cybersecurity efforts, DHS's Cybersecurity and 
Infrastructure Security Agency (CISA) created CISA Central to be a 
unified portal and point of contact for critical infrastructure 
partners and stakeholders to contact CISA and request assistance.\4\ 
Furthermore, as the lead agency responsible for overseeing domestic 
critical infrastructure protection efforts, CISA's ability to 
effectively coordinate and consult with federal agencies; state, local, 
territorial, and tribal governments; and the private sector is 
critical. Consequently, in March 2021, we reported on CISA's 
organizational transformation initiative and its ability to coordinate 
effectively with stakeholders.\5\ Among other things, we reported on a 
number of challenges that selected government and private-sector 
stakeholders had noted when coordinating with CISA, including the lack 
of stakeholder involvement in developing guidance.
---------------------------------------------------------------------------
    \4\ https://www.cisa.gov/central.
    \5\ GAO, Cybersecurity and Infrastructure Security Agency: Actions 
Needed to Ensure Organizational Changes Result in More Effective 
Cybersecurity for Our Nation, GAO-21-236 (Washington, D.C.: Mar. 10, 
2021).
---------------------------------------------------------------------------
    To address these and other weaknesses, we made 11 recommendations 
to DHS. Of these, three recommendations directly related to challenges 
reported by stakeholders. The department concurred with our 
recommendations and, as of September 2021, reported that it intends to 
implement them by the end of calendar year 2022. As part of our ongoing 
work, we will continue to monitor CISA's efforts to carry out its 
mission to identify and respond to cyber and other risks to our 
nation's infrastructure.

     Questions from Hon. Garret Graves to Nick Marinos, Director, 
       Information Technology and Cybersecurity, U.S. Government 
                         Accountability Office

    Question 3. I've read reports that there are some 500,000 vacancies 
for cybersecurity professionals in the U.S. workforce, making it nearly 
impossible for us to get a handle on the next generation of threats. 
Additionally, we've heard from industry that they feel that talent is 
relegated to SCIFs in the federal government, fusion centers, and big 
technology companies--preventing talent from being available to 
critical infrastructure at the local level. What can we be doing to 
rethink the workforce model for cybersecurity-specific professionals?
    Answer. Prior GAO reports have pointed out that the federal 
government and private industry face a persistent shortage of 
cybersecurity-specific professionals to combat cyber threats.\6\ In 
November 2021, we reported that a potential method for developing a 
talented and diverse cadre of digital-ready, tech-savvy federal 
employees is the creation of a digital service academy--similar to 
military academies--to train future civil servants in the digital 
skills needed to modernize government.\7\ For example, staff with 
knowledge, skills, and abilities to secure digital services could help 
agencies more effectively manage risks associated with the 
cybersecurity of systems in a cloud environment.
---------------------------------------------------------------------------
    \6\ See, for example, GAO, High-Risk Series: Federal Government 
Needs to Urgently Pursue Critical Actions to Address Major 
Cybersecurity Challenges, GAO-21-288 (Washington, D.C.: Mar. 24, 2021).
    \7\ GAO, Digital Services: Considerations for a Federal Academy to 
Develop a Pipeline of Digital Staff, GAO-22-105388 (Washington, D.C.: 
Nov. 19, 2021).
---------------------------------------------------------------------------
    The Cyberspace Solarium Commission has made recommendations related 
to cybersecurity workforce management challenges, including that the 
U.S. government should take a number of cyber-oriented actions, such as 
expanding federal cyber training programs.\8\ Particularly, the 
Commission recommended that DHS, the National Science Foundation, and 
the Office of Personnel Management expand the CyberCorps: Scholarship 
for Service program, which agencies could use to increase the supply of 
cybersecurity talent. This program provides scholarships and stipends 
to undergraduate and graduate students who are pursuing information 
security-related degrees, in exchange for up to three years of federal 
service after graduation.\9\ In particular, the program is designed to 
recruit and train the next generation of IT professionals to meet the 
needs of the cybersecurity mission for federal, state, local, and 
tribal governments.
---------------------------------------------------------------------------
    \8\ U.S. Cyberspace Solarium Commission, U.S. Cyberspace Solarium 
Commission Final Report (Washington, D.C.: March 2020).
    \9\ https://www.sfs.opm.gov.

    Question 4. DOD has been implementing the Cybersecurity Maturity 
Model Certification (CMMC), requiring CMMC credentials to qualify a 
bidder for a federal contract and therefore providing additional 
security to our federal systems. However, a downside to the CMMC system 
is the financial burden of obtaining credentials, which hurts small 
businesses in their efforts to receive DOD Contracts. As credentialing 
spreads across other areas of the federal government, including to DOT, 
do you have any suggestions for how other agencies can learn from the 
DOD CMMC process to ensure a high degree of cyber security for our 
contractors, while ensuring that small businesses have an opportunity 
to participate in federal contracting?
    Answer. In December 2021, we reported that the Department of 
Defense's (DOD) Cybersecurity Maturity Model Certification (CMMC) 
process is ongoing due, in part, to delays in certifying assessors as 
well as concerns from small businesses.\10\ The scope of the work we 
have conducted so far has not directly related to how other federal 
agencies can learn from the DOD CMMC process and ensure small 
businesses have opportunities to participate in federal contracting.
---------------------------------------------------------------------------
    \10\ GAO, Defense Contractor Cybersecurity: Stakeholder 
Communication and Performance Goals Could Improve Certification 
Framework, GAO-22-104679 (Washington, D.C.: Dec. 8, 2021).
---------------------------------------------------------------------------
    Nevertheless, during the course of our review of DOD's 
implementation of CMMC, government and industry representatives raised 
a number of issues that are important to the future course of CMMC. 
They include CMMC adoption by other federal agencies. In particular, 
monitoring efforts other federal agencies are considering or taking to 
adopt CMMC or similar requirements for their supply chains. In 
addition, industry--especially, small businesses--expressed a range of 
concerns about CMMC implementation, such as costs and assessment 
consistency. For example, during our discussion group with small 
defense contractors, a participant told us that small businesses may 
consider the added cost and competitive uncertainty as incentives to 
exit the government contracts marketplace. While DOD engaged with 
industry in refining early versions of CMMC, it had not provided 
sufficient details and timely communication on implementation. Until 
DOD improves this communication, industry will be challenged to 
implement protections for DOD's sensitive data.

     Questions from Hon. Michael Guest to Nick Marinos, Director, 
       Information Technology and Cybersecurity, U.S. Government 
                         Accountability Office

    Question 5. Each state has a designated CISA ``Protective Security 
Advisor'' that coordinates with members of the critical infrastructure 
community and works to help them prepare/defend against cyber-attacks. 
Can you tell me about the interface your agencies have with these 
Advisors and what role they play in your industries?
    Answer. As a legislative branch agency, GAO does not interface with 
CISA's Protective Security Advisor (PSA) program unless there is a 
request by congressional committees or subcommittees, or is statutorily 
required by public laws or committee reports.
    For fiscal year 2020, CISA's PSA program expended approximately 
$38.5 million and had 127 staff. Specifically, CISA is increasing its 
presence in the form of staff who work directly with critical 
infrastructure partners and communities at the regional, state, tribal, 
and local level. These staff include local and regional Protective 
Security Advisors and Cybersecurity Advisors, among other personnel, 
based in 10 regional offices.\11\ These advisors support critical 
infrastructure owners and operators by providing products and services, 
such as assessments, training, exercises, and workshops. For example, 
Cybersecurity Advisors provide briefings and assessments of 
cybersecurity and resilience for owners and operators.\12\ In addition, 
Protective Security Advisors, complete surveys and assessments that 
help identify the security and resilience of individual owners' and 
operators' facilities.
---------------------------------------------------------------------------
    \11\ CISA's regional offices also include Emergency Communications 
Coordinators who support federal, state, local, tribal, and territorial 
government public safety communications mission partners.
    \12\ A cyber resilience review assessment is a nontechnical 
assessment to evaluate an organization's operational resilience and 
cybersecurity practices.

    Question 6. Many industry stakeholders utilize early notification 
networks. However, the public sector lacks a robust system to alert 
private carriers or shippers of an attack across the system. To 
critical infrastructure, the ability to limit damage seems crucial. Can 
you expand on how early notification networks are used by the private 
sector and why coordination with a federal government system is so 
important?
    Answer. The importance of having early notification that a 
cybersecurity incident is occurring on a network is highlighted in the 
May 2021 Executive Order 14028, Improving the Nation's Cybersecurity, 
issued by the White House.\13\ The executive order requires the federal 
government to employ all appropriate resources and authorities to 
maximize the early detection of cybersecurity vulnerabilities and 
incidents on its networks. While this topic of how early notification 
networks are being used by the private sector is outside the scope of 
the work we have conducted so far, we will be glad to discuss a 
potential request for future work on this topic with your staff.
---------------------------------------------------------------------------
    \13\ The White House, Improving the Nation's Cybersecurity, 
Executive Order 14028 (Washington, D.C.: May 12, 2021).
---------------------------------------------------------------------------
    On the subject of federal coordination with the private sector, in 
November 2021, we reported that CISA has a leadership role in 
coordinating federal efforts intended to aid in the resilience of the 
Communications Sector, an integral component of the U.S. economy, which 
faces serious cyber-related threats that could affect the operations of 
local, regional, and national level networks.\14\ The agency fulfills 
its responsibilities to private sector owners and operators through a 
variety of programs and services, including incident management and 
information sharing. With respect to incident management, CISA is 
responsible for coordinating federal activities to support 
Communications Sector infrastructure owners and operators during 
incidents, such as outages caused by severe weather. With respect to 
information sharing, in addition to managing federal coordination 
during incidents impacting the Communications Sector, CISA shares 
information with sector stakeholders to enhance their cybersecurity and 
improve interoperability, situational awareness, and preparedness for 
responding to and managing incidents.
---------------------------------------------------------------------------
    \14\ GAO, Critical Infrastructure Protection: CISA Should Assess 
the Effectiveness of its Actions to Support the Communications Sector, 
GAO-22-104462 (Washington, D.C.: Nov. 23, 2021).
---------------------------------------------------------------------------
    We found that CISA had not assessed the effectiveness of such 
activities, despite DHS recommending that they to do so every four 
years. As such, we made three recommendations to CISA, including that 
the agency assess the effectiveness of support provided to the sector, 
and revise the sector plan to include new and emerging threats and 
risks, among other things. DHS concurred with the recommendations and 
described initial actions under way and plans to address them in 
response to our report.

                                [all]