[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


               MOBILIZING OUR CYBER DEFENSES: MATURING 
               PUBLIC-PRIVATE PARTNERSHIPS TO SECURE 
               U.S. CRITICAL INFRASTRUCTURE

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                       PROTECTION, AND INNOVATION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 6, 2022

                               __________

                           Serial No. 117-51

                               __________

       Printed for the use of the Committee on Homeland Security                                  


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
                                   

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
48-050 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------   
 
                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                                 ------                                

     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND 
                               INNOVATION

                 Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas            Andrew R. Garbarino, New York, 
James R. Langevin, Rhode Island          Ranking Member
Elissa Slotkin, Michigan             Ralph Norman, South Carolina
Kathleen M. Rice, New York           Diana Harshbarger, Tennessee
Ritchie Torres, New York             Andrew Clyde, Georgia
Bennie G. Thompson, Mississippi (ex  Jake LaTurner, Kansas
    officio)                         John Katko, New York (ex officio)
               Moira Bergin, Subcommittee Staff Director
          Austin Agrella, Minority Subcommittee Staff Director
                   Mariah Harding, Subcommittee Clerk
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement.................................................     4
  Prepared Statement.............................................     5
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Prepared Statement.............................................     6
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement.................................................    30
  Prepared Statement.............................................    31
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     6

                               Witnesses

Mr. Eric Goldstein, Executive Assistant Director for 
  Cybersecurity, Cybersecurity and Infrastructure Security 
  Agency, U.S. Department of Homeland Security:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11
Mr. Robert K. Knake, Deputy National Cyber Director for Strategy 
  and Budget, Principal Deputy National Cyber Director (Acting), 
  Office of the National Cyber Director, The White House:
  Oral Statement.................................................    16
  Prepared Statement.............................................    17
Ms. Tina Won Sherman, Director, Homeland Security and Justice, 
  U.S. Government Accountability Office:
  Oral Statement.................................................    20
  Prepared Statement.............................................    21

                             For the Record

The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Article, crn.in, April 5, 2022.................................    46
  Article, TechCrunch, December 10, 2021.........................    48
  Article, New York Times, July 29, 2021.........................    49
  Article, Washington Post, March 22, 2022.......................    50

                                Appendix

Questions From Chairman Bennie G. Thompson for Eric Goldstein....    55
Questions From Chairwoman Yvette D. Clarke for Eric Goldstein....    56
Questions From Honorable Sheila Jackson Lee for Eric Goldstein...    57
Questions From Ranking Member John Katko for Eric Goldstein......    58
Questions From Honorable Ralph Norman for Eric Goldstein.........    58
Questions From Chairman Bennie G. Thompson for Robert K. Knake...    59
Questions From Chairwoman Yvette D. Clarke for Robert K. Knake...    60
Questions From Honorable Sheila Jackson Lee for Robert K. Knake..    60
Question From Honorable James R. Langevin for Robert K. Knake....    60
Question From Ranking Member John Katko for Robert K. Knake......    61
Questions From Chairwoman Yvette D. Clarke for Tina Won Sherman..    61
Questions From Honorable Sheila Jackson Lee for Tina Won Sherman.    62

 
MOBILIZING OUR CYBER DEFENSES: MATURING PUBLIC-PRIVATE PARTNERSHIPS TO 
                  SECURE U.S. CRITICAL INFRASTRUCTURE

                              ----------                              


                        Wednesday, April 6, 2022

             U.S. House of Representatives,
                    Committee on Homeland Security,
                            Subcommittee on Cybersecurity, 
                                 Infrastructure Protection,
                                            and Innovation,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:03 a.m., in 
room 310 Cannon House Office Building, Hon. Yvette D. Clarke, 
[Chairwoman of the Subcommittee] presiding.
    Present: Representatives Clarke, Jackson Lee, Langevin, 
Slotkin, Garbarino, and Harshbarger.
    Also present: Representative Katko.
    Chairwoman Clarke. The Subcommittee on Cybersecurity 
Infrastructure Protection and Innovation will be in order. The 
subcommittee is meeting today to receive testimony on 
mobilizing our cyber defenses, maturing public-private 
partnerships to secure U.S. critical infrastructure. Without 
objection, the Chair is authorized to declare the committee in 
recess at any point.
    Good morning, everyone. I would like to thank the witnesses 
for participating in today's hearing on how we can build a 
better, more robust framework for protecting our Nation's most 
critical infrastructure.
    As some of you may know, this is not my first time serving 
as Chair of this subcommittee. The last time I presided over 
this panel was in 2011 during the 111th Congress. At that time, 
the Obama administration was working to develop and strengthen 
many of the policy frameworks we know today, which place DHS at 
the center of a voluntary, public-private partnership to 
promote strong cybersecurity across sectors. I have also served 
as Ranking Member of this subcommittee, working across the 
aisle to codify many of the those voluntary frameworks and 
information-sharing regimes. With that backdrop in mind, and 
with all due respect to the hard work that has been done, I 
think it is time to be candid about the limits of these 
voluntary partnerships and authorities.
    When I rejoined the subcommittee last year, we were reeling 
from a massive supply chain attack that gave Russia months of 
access to some of the most critical networks. We have had to 
watch from the sidelines as our critical infrastructure, from 
hospitals and meatpackers to manufacturers and pipelines, have 
been crippled by ransomware attacks.
    For the past few months, Federal officials, like the ones 
on our panel today, have been working around the clock to help 
private-sector owners and operators understand that they may 
soon be the target of retaliatory Russian cyber attacks. But we 
have no way of knowing if these operators are hearing those 
warnings and taking action to shore up their defenses. From 
where I am sitting, one thing is clear: The United States 
desperately needs to revamp the playbook it uses for critical 
infrastructure cybersecurity.
    We know that our Nation's critical infrastructure is 
vulnerable to cyber attacks and the Federal Government has 
resources it can bring to bear in closing security gaps, but we 
have been reluctant to make the private sector come to the 
table. The Federal Government also has the bird's-eye view 
vantage point to track cyber threats in one sector, then use 
that information to connect the dots on other malicious 
activities across sectors. But until recently, we haven't been 
willing to require critical infrastructure operators to provide 
that information to CISA.
    While the Biden administration has taken some aggressive 
steps to partner with the private sector in new, innovative 
ways, we have a long way to go and some big challenges ahead. 
Fortunately, we know that Congress can still come together to 
tackle big challenges. Most recently, enacted cyber incident 
reporting legislation is proof of that.
    To get this legislation across the finish line, we had to 
work across the aisle and with our partners in industry to find 
a solution that would give CISA the visibility it needs without 
needlessly burdening victims of a cyber attack. We found a 
smart, compromise solution there and I have faith that we can 
do it again here.
    My goal today is to get testimony that will help us answer 
the question what is next? How do we continue to mature the way 
the Government engages with critical infrastructure, 
particularly those entities that are the most critical of the 
critical or, as the Cyber Solarium Commission put it, our 
systemically important critical infrastructure, or SICI? Do we 
have a good sense of where these SICI assets are, who is 
operating them, and how they are being secured?
    Once we know who and what they are, what benefits should 
the Federal Government provide for these entities to help them 
protect themselves? Importantly, what burdens should they be 
asked to shoulder in light of their importance to our National 
security?
    This latter part is key. It is not enough to simply 
identify these most critical entities nor is it consistent with 
what the Solarium Commission proposed. We need to be able to 
answer the question what do these companies need to do as a 
result of their designation? What does the Federal Government 
need to do for them, whether that is better access to threat 
intelligence, enhanced operational collaboration, or other 
priority access to resources and support?
    It is not enough to simply make a list of our most vital 
assets. We need to know how we are going to operationalize it. 
We have tried this exercise in list-making before, from the 
National Asset Database to the designation of Section 9 
companies. Some of these efforts were costly and labor-
intensive, and none of them ever really lived up to the 
security gains originally envisioned. The through line for all 
these efforts is that at some point, Congress or the 
administration, or both, decided to punt on the question of 
benefits and burdens. That will not happen on my watch.
    I would like to recognize Representative Langevin and 
Ranking Member Katko for championing this issue and I look 
forward to continuing to work with them to craft this 
legislation in a way that avoids the pitfalls of the past. This 
hearing is an opportunity to help move the ball forward and 
hear how the administration is thinking about these challenges 
and working to upgrade its cybersecurity playbook.
    I thank the witnesses for participating today and I look 
forward to a robust discussion.
    [The statement of Chairwoman Clarke follows:]
                Statement of Chairwoman Yvette D. Clarke
                             April 6, 2022
    I would like to thank the witnesses for participating in today's 
hearing on how we can build a better, more robust framework for 
protecting our Nation's most critical infrastructure. As some of you 
may know, this is not my first time serving as Chair of this 
subcommittee. The last time I presided over this panel was in 2011, 
during the 111th Congress.
    At the time, the Obama administration was working to develop, and 
strengthen, many of the policy frameworks we know today--which place 
DHS at the center of a voluntary, public-private partnership to promote 
strong cybersecurity across sectors. I've also served as Ranking Member 
of this subcommittee, working across the aisle to codify many of those 
voluntary frameworks and information-sharing regimes.
    With that backdrop in mind--and with all due respect to the hard 
work that's been done--I think it's time to be candid about the limits 
of these voluntary partnerships and authorities.
    When I rejoined the subcommittee last year, we were reeling from a 
massive supply chain attack that gave Russia months of access to some 
of our most critical networks. We've had to watch from the sidelines as 
our critical infrastructure--from hospitals and meatpackers to 
manufacturers and pipelines--have been crippled by ransomware attacks.
    For the past few months, Federal officials--like the ones on our 
panel today--have been working around the clock to help private-sector 
owners and operators understand that they may soon be the target of 
retaliatory Russian cyber attacks. But we have no way of knowing if 
these operators are hearing those warnings and taking action to shore 
up their defenses. From where I'm sitting, one thing is clear, the 
United States desperately needs to revamp the playbook it uses for 
critical infrastructure cybersecurity.
    We know that our Nation's critical infrastructure is vulnerable to 
cyber attacks--and the Federal Government has resources it can bring to 
bear in closing security gaps. But we've been reluctant to make the 
private sector to come to the table. The Federal Government also has 
the bird's-eye view vantage point to track cyber threats in one sector, 
then use that information to connect the dots on other malicious 
activity across sectors. But until recently, we haven't been willing to 
require critical infrastructure operators to provide that information 
to CISA.
    While the Biden administration has taken some aggressive steps to 
partner with the private sector in new, innovative ways--we have a long 
way to go, and some big challenges ahead. Fortunately, we know that 
Congress can still come together to tackle big challenges. My recently-
enacted cyber incident reporting legislation is proof of that.
    To get this legislation across the finish line, we had to work 
across the aisle, and with our partners in industry, to find a solution 
that would give CISA the visibility it needs without needlessly 
burdening victims of a cyber attack. We found a smart, compromise 
solution there--and I have faith we can do it again here. My goal today 
is to get testimony that will help us answer the question--what's next?
    How do we continue to mature the way the Government engages with 
critical infrastructure--particularly those entities that are the 
``most critical of the critical''? Or, as the Cyber Solarium Commission 
put it, our ``Systemically Important Critical Infrastructure,'' or 
SICI? Do we have a good sense of where these SICI assets are, who's 
operating them, and how they're being secured?
    And, once we know who and what they are--what benefits should the 
Federal Government provide for these entities to help them protect 
themselves? Importantly, what burdens should they be asked to shoulder, 
in light of their importance to our National security?
    This latter part is key. It is not enough to simply identify these 
``most critical'' entities--nor is it consistent with what the Solarium 
Commission proposed. We need to be able to answer the question: What do 
these companies need to do as a result of their designation? What does 
the Federal Government need to do for them--whether that's better 
access to threat intelligence, enhanced operational collaboration, or 
other priority access to resources and support?
    It's not enough to simply make a list of our most vital assets--we 
need to know how we're going to operationalize it. We've tried this 
exercise in `list-making' before--from the National Asset Database, to 
the designation of ``Section 9'' companies. Some of these efforts were 
costly and labor-intensive, and none of them ever really lived up to 
the security gains originally envisioned. The through line for all 
these efforts is that at some point, Congress, or the administration, 
or both, decided to punt on the question of benefits and burdens. That 
will not happen on my watch.
    I would like to recognize Representative Langevin and Ranking 
Member Katko for championing this issue, and I look forward to 
continuing to work with them to craft this legislation in a way that 
avoids the pitfalls of the past. This hearing is an opportunity to help 
move the ball forward and hear how the
    Administration is thinking about these challenges and working to 
upgrade its cybersecurity playbook.

    Chairwoman Clarke. The Chair now recognizes the Ranking 
Member of the subcommittee, the gentleman from New York, Mr. 
Garbarino, for an opening statement.
    Mr. Garbarino. Thank you, Chairwoman Clarke, for calling 
this hearing today and thank you to the witnesses. I appreciate 
you being here to discuss how we can bridge the gap between 
public and private stakeholders and to discuss on-going efforts 
to identify and secure systemically important critical 
infrastructure.
    It is no secret that we are facing an unprecedented level 
of cyber attacks against our Nation's critical infrastructure. 
Recent breaches, like Colonial Pipeline and SolarWinds, among 
others, are sobering reminders of the devastation attacks can 
cause to our economic and National security.
    Additionally, yesterday's full committee hearing provided 
us with a stern reminder that cyber threats posed by foreign 
adversaries are only becoming more potent. Potential for 
malicious Russian cyber activity as well as attacks by other 
adversarial nations, like China, Iran, and North Korea, is only 
increasing. Congress must continue to facilitate public and 
private partnerships that are able to meet and repel these 
threats.
    Cyber space is seemingly endless and the Federal 
Government's visibility to monitor incidents is limited. While 
Congress recently took an important step by codifying our 
subcommittee's incident reporting framework at CISA, there is 
more that can be done.
    The vast majority of our Nation's critical infrastructure 
is owned and operated by the private sector. Therefore, 
information sharing between these stakeholders and the Federal 
Government is necessary to effectuate meaningful change. We 
need a process for the Federal Government to identify which 
infrastructure is systematically important and we need a plan 
for the private sector to protect those assets.
    Earlier in this Congress, I joined with my colleagues Mr. 
Katko and Ms. Spanberger in introducing bipartisan legislation, 
Securing Systemically Important Critical infrastructure Act. 
The bill authorizes CISA to designate certain entities of 
critical infrastructure as systemically important. By 
designating key elements, the Federal Government will signal to 
the private sector the assets that they should specifically 
prioritize in order to secure our Nation's critical sectors. As 
an original cosponsor of this effort I am confident that this 
is the best path forward.
    I am pleased to have an expert panel of witnesses here 
today to hear their perspectives on this initiative. We must 
create the foundation for strong public-private collaboration 
without adding additional regulatory burdens for the industry.
    I would like to say a quick note of thanks to CISA's Region 
2 team for joining me last week for a successful cybersecurity 
webinar for critical infrastructure partners in my district. It 
is information sharing like this, coupled with cyber incident 
reporting and systemically important critical infrastructure 
designation, that will be instrumental in hardening our cyber 
defenses.
    I look forward to hearing from our witnesses on how we can 
best move forward. Thank you again, Chairwoman.
    [The statement of Ranking Member Garbarino follows:]
            Statement of Ranking Member Andrew R. Garbarino
    Thank you, Chairwoman Clarke, for calling this hearing today. I 
appreciate our witnesses being here to discuss how we can bridge the 
gap between public and private stakeholders, and to discuss on-going 
efforts to identify and secure systemically important critical 
infrastructure.
    It is no secret that we are facing an unprecedented level of cyber 
attacks against our Nation's critical infrastructure. Recent breaches 
like Colonial Pipeline and SolarWinds, among others, are sobering 
reminders of the devastation that attacks can cause to our economic and 
National security.
    Additionally, yesterday's full committee hearing provided us with a 
stern reminder that the cyber threats posed by foreign adversaries are 
only becoming more potent. The potential for malicious Russian cyber 
activity, as well as attacks by other adversarial nations like China, 
Iran, and North Korea, is only increasing. Congress must continue to 
facilitate public and private partnerships that are able to meet and 
repel these threats.
    Cyber space is seemingly endless, and the Federal Government's 
visibility to monitor cyber incidents is limited. While Congress 
recently took an important step by codifying our subcommittee's 
incident reporting framework at CISA, there is more that can be done. 
The vast majority of our Nation's critical infrastructure is owned and 
operated by the private sector. Therefore, information sharing between 
these stakeholders and the Federal Government is necessary to 
effectuate meaningful change.
    We need a process for the Federal Government to identify which 
infrastructure is systemically important and we need a plan for the 
private sector to protect those assets.
    Earlier this Congress, I joined my colleagues Mr. Katko and Mrs. 
Spanberger in introducing bipartisan legislation, the Securing 
Systematically Important Critical Infrastructure Act. The bill 
authorizes CISA to designate certain entities of critical 
infrastructure as systemically important. By designating key elements, 
the Federal Government will signal to the private sector the assets 
that they should specifically prioritize in order to secure our 
Nation's critical sectors. As an original co-sponsor of this effort, I 
am confident that this is the best path forward.
    I'm pleased to have an expert panel of witnesses here today to hear 
their perspectives on this initiative. We must create the foundation 
for strong public-private collaboration without adding additional 
regulatory burdens for industry.
    I'd like to say a quick note of thanks to CISA's Region II team for 
joining me last week for a successful cybersecurity webinar for 
critical infrastructure partners in my district. It's information 
sharing like this, coupled with cyber incident reporting, and 
systemically important critical infrastructure designation, that will 
be instrumental in hardening our cyber defenses.
    I look forward to hearing from our witnesses on how we can best 
move forward.
    Thank you again, Chairwoman.

    Chairwoman Clarke. I thank the Ranking Member, Mr. 
Garbarino.
    Members are also reminded that the subcommittee will 
operate according to the guidelines laid out by the Chairman 
and Ranking Member in their February 3, 2021, colloquy 
regarding remote procedures. Additional Member statements may 
be submitted for the record.
    [The statements of Chairman Thompson and Honorable Jackson 
Lee follow:]
                Statement of Chairman Bennie G. Thompson
                             April 6, 2022
    This Congress has been marked by a series of high-profile cyber 
incidents, from SolarWinds to Colonial Pipeline to JBS. We have been 
forced to evaluate our current approach to critical infrastructure 
security and how the Federal Government and private sector collaborate. 
Our oversight revealed that we spend too much time examining challenges 
to effective public-private partnerships and are too slow to take bold 
action to address them--that is, unless Chairwoman Clarke is leading 
the charge.
    I want to applaud Chairwoman Clarke for the recent passage of the 
Cyber Incident Reporting for Critical Infrastructure Act. This critical 
legislation will position CISA to help its private-sector partners 
detect and disrupt malicious cyber campaigns sooner and provide 
enhanced situational awareness to inform strategic security 
investments. A mandatory cyber incident reporting framework is long 
overdue.
    I want to thank the Chairwoman for working with private-sector 
stakeholders, the administration, and our colleagues in the Senate to 
get it right. I would also like to thank Ranking Member Katko and 
Subcommittee Ranking Member Garbarino for their efforts to get this 
important legislation across the finish line. Despite this progress, we 
must do more to maximize the cybersecurity benefits of public-private 
collaboration.
    Yesterday, we heard from representatives from critical 
infrastructure sectors--including financial services and water--
regarding how they are working with the Federal Government to 
strengthen cyber defenses and build resilience. Although there were 
similarities in the witnesses' testimonies--both stressed the value of 
continuous two-way engagement between the Federal Government and the 
private sector--there were notable differences.
    The financial services sector is well-resourced, regulated, and 
capable of actioning both Classified and un-Classified information. In 
contrast, the water sector is under-resourced, largely unregulated, and 
would benefit from concise, properly contextualized security guidance.
    In short, while the financial services sector has the resources and 
capacity to engage in operational collaboration with the Federal 
Government, the water sector is still working to establish a stronger 
security baseline. Similar disparities exist across the 16 critical 
infrastructure sectors, and the Federal Government must tailor its 
approach to partnership accordingly.
    In doing so, it must prioritize collaboration with the private 
sector with the understanding that not all critical infrastructure is 
equally critical. Efforts to identify the most ``critical of the 
critical'' infrastructure are nothing new. But previous efforts--from 
the Section 9 designation to the National Asset Database--have fallen 
short.
    As we work to identify the most significant critical infrastructure 
and define the associated benefits and burdens, we must leverage 
lessons learned. Before I close, I want to thank Congressman Jim 
Langevin and Ranking Member Katko for their commitment to modernizing 
how the Federal Government engages with critical infrastructure. I look 
forward to working with them to refine and advance their approaches.
                                 ______
                                 
               Statement of Honorable Sheila Jackson Lee
                             April 6, 2022
    Chairwoman Clarke, and Ranking Member Garbarino, thank you for 
holding today's hearing on ``Mobilizing our Cyber Defenses: Maturing 
Public-Private Partnerships to Secure U.S. Critical Infrastructure.''
    I thank today's witnesses:
   Mr. Eric Goldstein, executive assistant director for 
        cybersecurity, Cybersecurity and Infrastructure Security 
        Agency;
   Mr. Robert K. Knake, deputy national cyber director for 
        strategy and budget & principal deputy national cyber director 
        (acting), Office of the National Cyber Director; and
   Ms. Tina Won Sherman, director, Homeland Security and 
        Justice, Government Accountability Office (Republican Witness).
    I thank each of you for bringing your expert view of the cyber 
threats against our Nation's critical infrastructure.
    The USA PATRIOT Act of 2001 defines CI as ``systems and assets, 
whether physical or virtual, so vital to the United States that the 
incapacity or destruction of such systems and assets would have a 
debilitating impact on security, National economic security, National 
public health or safety, or any combination of those matters.
    This hearing allows Members the opportunity to assess Federal 
efforts to mature collaboration with critical infrastructure owners and 
operators as they work to defend their networks and build resilience.
    The hearing is an opportunity to learn about existing partnerships 
between the public and private sectors regarding critical 
infrastructure protection, and what can be done to encourage greater 
collaboration to protect the most critical infrastructure from cyber 
threats.
    To address the current threat landscape, the Federal Government 
needs to rethink the way that it engages with key critical 
infrastructure partners--the ``most critical of the critical.''
    That starts by developing a clear understanding of critical 
functions and points of failure across the country--but that is not 
where it ends.
    The most important aspect of critical infrastructure is that it is 
essential to modern American life and strong link to economic 
competitiveness.
    Electricity, clean drinking water, functioning dams, spillways, 
levies, transportation, and food production are all under the heading 
critical infrastructure.
    The House Committee on Homeland Security has the responsibility of 
providing for the cybersecurity of Federal civilian agencies as well as 
the to secure the Nation's 16 critical infrastructure sectors from 
cyber and other threats.
    The list of critical infrastructure has expanded to include 
election systems following cyber incidents targeting election systems 
leading up to the 2016 National Elections.
    We know the threats that computing devices and systems face, which 
are almost too numerous to count:
   Bot-nets;
   Ransom-ware;
   Zero-Day Events;
   Mal-ware;
   Denial-of-Service Attacks;
   Distributed Denial-of-Service Attacks;
   Pharming;
   Phishing;
   Data Theft;
   Data Breaches;
   SQL Injection;
   Man-in-the-middle attack.
    This list is not exhaustive, but it does make clear the scope of 
the threat and why the United States can no longer rely solely on the 
resources of critical infrastructure owners and operators to secure 
assets absent Federal guidance and resources.
    This is why I introduced the Cybersecurity Vulnerability 
Remediation Act was introduced and passed the House during the 115th 
and 116th Congresses and has been updated again in the 117th Congress 
to meet the ever-evolving nature of cyber threats faced by Federal and 
private-sector information systems and our Nation's critical 
infrastructure.
    This bill, which was included in the National Defense Authorization 
Act for fiscal year 2022, goes significantly further than the first 
Cybersecurity Vulnerability bill that I introduced in the 115th 
Congress, to address the instance of Zero-Day Events that can lead to 
catastrophic cybersecurity failures of information and computing 
systems.
    H.R. 2980, the Cybersecurity Vulnerability Remediation Act:
   Changes the Department of Homeland Security (DHS) definition 
        of security vulnerability to include cybersecurity 
        vulnerability,
   Provides the plan to fix known cybersecurity 
        vulnerabilities,
   Gives the Department of Homeland Security the tools to know 
        more about ransomware attacks and ransom payments, and
   Creates greater transparency on how DHS will defend against 
        and mitigate cybersecurity vulnerabilities and lays the road 
        map for preparing the private sector to better prepare for and 
        mitigate cyber attacks.
    The bill requires a report that can include a Classified annex, 
which I strongly recommend to the Secretary of DHS so that it can be 
available should the agency elect to engage private-sector entities in 
a discussion on cyber attacks and breaches targeting critical 
infrastructure.
    This bill is needed because the Nation's dependence on networked 
computing makes us vulnerable to cyber threats.
    Soon I will be introducing 3 cybersecurity critical infrastructure 
bills to address many of the issues associated with cyber 
vulnerabilities found in the infrastructure our communities and that 
our Nation depends on.
    The focus I have had on cybersecurity and critical infrastructure 
is to protect against a crippling ``Zero-Day Event.''
    A Zero-Day Event describes the situation that network security 
professionals may find themselves when a previously unknown error or 
flaw in computing code is exploited by a cyber criminal or terrorist.
    The term ``Zero-Day Event'' simply means that there is zero time to 
prepare a defense against a cyber attack.
    When a defect in software is discovered then network engineers and 
software companies can work to develop a ``patch'' to fix the problem 
before it can be exploited by those who may seek to do harm.
    Because vulnerabilities can be used by adversaries it is important 
that this sensitive information be managed securely so details are not 
routinely made available neither to the public nor to Congress.
    Congress must do its job by providing the necessary leadership that 
moves the Nation from an unrealistic moat-and-drawbridge cybersecurity 
posture to one that is agile.
    Vulnerabilities of computing systems are not limited to intentional 
attacks, but can include acts of nature, human error, or technology 
failing to perform as intended.
    I am particularly concerned that so many jurisdictions rely on 
critical infrastructure that is inadequately maintained for physical 
and cybersecurity threats.
    Cybersecurity threats to critical infrastructure (CI) have 
accelerated rapidly in recent years.
    The U.S. framework for securing CI, set forth in Presidential 
Policy Directive 21 (PPD-21) and reinforced in statute, designates the 
Department of Homeland Security (DHS), through the Cybersecurity and 
Infrastructure Security Agency (CISA), to lead Federal efforts to 
secure critical CI across 16 diverse sectors, in coordination with 
designated Sector Risk Management Agencies (SRMAs) for each sector.
    However, these partnerships are largely voluntary, and most CI in 
the United States is privately-owned.
    High-profile cyber attacks such as SolarWinds and Colonial Pipeline 
have renewed questions about whether the voluntary partnership model is 
sufficient to address the current threat landscape.
    This is particularly true in light of recent elevated threats from 
Russia, which may seek to use malicious cyber attacks to retaliate for 
U.S. sanctions following their invasion of Ukraine.
    Because the majority of critical infrastructure is owned and 
operated by the private sector, CISA has limited visibility into 
malicious cyber activity on their networks, absent voluntary reporting 
and information sharing.
    Moreover, although in the past the Federal Government has attempted 
to establish a mechanism to identify and track those assets and 
entities most critical to regional and National security, it has failed 
to define its relationship with those entities in a way that would 
yield meaningful security benefits.
    The Biden administration has shown a willingness to move away from 
voluntary partnerships and toward a more regulatory model, but there 
are challenges in understanding how such a regime might work, and the 
entities to which it would apply.
    This step is long overdue because of the nature of critical 
infrastructure.
    A failure in critical infrastructure would have wide-spread 
consequences far beyond the scope of the critical infrastructure 
service delivery area.
    For this reason, there must be more accountability on the part of 
owners and operators and greater Federal agency engagement regarding 
the cybersecurity of these entities.
    I look forward to the testimony of today's witnesses.
    Thank you.

    Chairwoman Clarke. I now welcome our panel of witnesses. 
First, I would like to welcome Mr. Eric Goldstein, the 
executive assistant director for cybersecurity at the 
Cybersecurity and Infrastructure Security Agency. Previously, 
Mr. Goldstein was the head of cybersecurity policy, strategy, 
and regulation at Goldman Sachs. Mr. Goldstein also served at 
CISA's precursor agency, the National Protection and Programs 
Directorate, for several years.
    Second, I would like to welcome Mr. Robert Knake. Mr. Knake 
is currently the deputy national cyber director of strategy and 
budget and the acting principal deputy national cyber director 
in the Office of the National Cyber Directorate. During the 
Obama administration Mr. Knake served as the director of 
cybersecurity policy at the National Security Council.
    Finally, I would like to welcome Dr. Tina Won Sherman, who 
is the director of homeland security and justice at the U.S. 
Government Accountability Office, GAO. Dr. Sherman manages work 
on the protection of the Nation's critical infrastructure 
assets and the security of the United States transportation 
system. During her tenure, Dr. Sherman has led reviews on a 
range of critical issues, including telecommunications, 
transportation, and defense.
    Without objection, the witnesses' full statements will be 
inserted into the record. I now ask that our witnesses will 
summarize their statements for 5 minutes, beginning with Mr. 
Goldstein.

 STATEMENT OF ERIC GOLDSTEIN, EXECUTIVE ASSISTANT DIRECTOR FOR 
   CYBERSECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY 
          AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Goldstein. Thank you so much. Chairwoman Clarke, 
Ranking Member Garbarino, it is really a privilege to be here 
today testifying on behalf of CISA, the Cybersecurity and 
Infrastructure Security Agency.
    This hearing occurs, of course, in the backdrop of Russia's 
unjust and tragic invasion of Ukraine and the on-going risk of 
malicious cyber activity. This subcommittee is to be commended 
on taking the time to examine CISA's role as our Nation's cyber 
defense agency and the manner in which we catalyze operational 
collaboration between Government and the private sector. This 
operational collaboration is foundational to our success as an 
agency and our shared goals of rapidly advancing cybersecurity 
across the country. We recognize at CISA that no individual 
organization, public or private, has the visibility or the 
ability alone to manage cybersecurity risk. So our goal is to 
change the traditional models of public-private collaboration 
and move to a new paradigm of public and private operational 
collaboration where we can scale more effectively to meet the 
risks that we are facing both today and into the future.
    Even as we evolve toward this model, we have already shown 
the benefits of true operational collaboration where Government 
partners and the private sector are working side-by-side. I 
look forward to speaking a bit more about our successes in this 
area and our work yet to come.
    The core of our operational collaboration efforts at CISA 
are through our Joint Cyber Defense Collaborative, or the JCDC, 
which was established by Congress to serve as the focal point 
for proactive planning and domestic cyber defense across 
Government and the private sector. In its short history, the 
JCDC has already pioneered several real innovations.
    The first is bringing together representatives from the 
core cyber operational agencies--CISA, FBI, NSA, U.S. Cyber 
Command--with partners across critical sectors--the Nation's 
largest technology companies, energy companies, financial 
institutions--to sit side-by-side in a virtual environment, 
exchanging information, developing mitigations, and then 
sharing information to protect the broader cybersecurity 
community. We initiated this sort of work with the 
vulnerability in the Log4j software library and we are now 
scaling it as part of our broader shields of effort in response 
to the Russian invasion of Ukraine, where our goal is to bring 
together the best and most effective capabilities across 
Government and the private sector so we can quickly learn about 
threat activity and mitigations, and then share it more broadly 
to protect the country.
    We are also deeply focused on the JCDC as a locus of 
proactive planning. Looking briefly at our work around the 
Russian invasion of Ukraine, in December we developed a joint 
public-private cyber defense plan. We exercised this plan in 
January. When the invasion occurred, we moved into execution, 
bringing together our partners across Government and the 
private sector to exchange information and collaborate at 
scale. We are showing through this work the value of the JCDC 
and operational collaboration in taking information into 
insights into action, all underpinned by proactive planning 
that brings together Government and the private sector as 
coequal partners through this work. We were gratified to hear 
in the subcommittee's hearing yesterday many of our partners in 
the private sector reflect the value of this partnership and 
the work that we have done, even as we mature going forward.
    But, of course, while our core goal is ensuring that every 
American organization has the information and tools needed to 
protect their enterprises and customers against cyber risks, 
our core goal is ensuring the continuity and resilience of 
National critical functions. For this reason, at CISA we are 
focused on identifying the systemically important entities, or 
SIEs as we call them, which, if degraded, would cause 
debilitating systemic or cascading impacts to National critical 
functions. We are engaged today in a rigorous effort to 
identify these entities, understand how they support National 
critical functions, and think creatively about how we can work 
collaboratively to build our operational collaboration and 
support these entities to reasonably assure the continuity of 
National critical functions under all conditions.
    We are grateful for the support of the subcommittee, 
including Mr. Katko and Mr. Langevin, at helping us advance 
these efforts. I am looking forward to conversation yet to come 
as we evolve this critical and essential work.
    It goes without saying that our Nation is facing 
unprecedented cybersecurity risk, but we are deepening our 
relationships, we are deepening the effectiveness of our 
collaboration and our services, and working across Government, 
our allies, and the private sector. With the support of 
Congress we are confident that we will make the difference we 
need to manage risk to our country.
    Thank you again for the privilege of appearing today. Very 
much looking forward to your questions.
    [The prepared statement of Mr. Goldstein follows:]
                  Prepared Statement of Eric Goldstein
                             April 6, 2022
    Chairwoman Clarke, Ranking Member Garbarino, and Members of the 
subcommittee, thank you for the opportunity to testify today on behalf 
of the Cybersecurity and Infrastructure Security Agency (CISA) 
regarding our efforts to evolve our partnerships with the private 
sector to enable true operational collaboration.
    In our globally interconnected world, our critical infrastructure 
and American ways of life face a wide array of serious risks with 
significant real-world consequences. Today, the critical functions 
within our society are built as ``systems of systems,'' complex designs 
with numerous interdependencies and systemic risks that can have 
cascading effects. This trend has yielded significant gains in 
efficiency and productivity, but also provides the opportunity for 
nation-state actors and criminals to potentially undermine our National 
security, economic prosperity, and public health or safety.
    The risks we face today are complex and dispersed, both 
geographically and across a variety of stakeholders. They are 
challenging to assess and difficult to address. Consequently, we must 
recognize that threats to our digital infrastructure are not bound by 
National borders. Rather, our critical infrastructure is integrated 
into a larger global cyber ecosystem requiring us to be at the constant 
ready.
    This committee is well aware of CISA's broader domestic role as the 
operational lead for Federal cybersecurity, and as the National 
coordinator for critical infrastructure security and resilience. The 
importance of CISA's mission and role has been clearly reflected during 
the war in Ukraine, as we have led the Nation's efforts across 
Government and the private sector to prepare for potential malicious 
cyber activity by Russian actors.
    Critical to our success, and at the heart of CISA's mission, is 
partnership and collaboration. Securing our Nation's cyber and critical 
infrastructure is a shared responsibility and has never been more 
important than it is today. Neither Government nor the private sector 
have the knowledge or resources to do it alone. At CISA, we are 
challenging traditional ways of doing business and are actively working 
with our Government, industry, academic, and international partners to 
change the paradigm from traditional public-private partnerships to 
public-private operational collaboration at scale. Operational 
collaboration is foundational for effective critical infrastructure 
security and resilience. Timely, trusted information fusion among 
stakeholders is essential.
    In the past year, CISA has made significant strides in this 
respect, particularly through the establishment of the Joint Cyber 
Defense Collaborative (JCDC) and our CISA Cybersecurity Advisory 
Committee (CSAC). These groups are examples of CISA's agency-wide 
dedication to operational collaboration and deep partnership, which is 
imbued across our mission divisions. By leveraging the expertise and 
unique authorities of Government and the private sector, CISA is 
better-positioned to connect with our stakeholders in industry and 
Government to share resources, analyses, and tools. This in turn helps 
our stakeholders build their own cyber, communications, and physical 
security and resilience. The net effect is a stronger Nation, better 
positioned to contend with the myriad threats we face to our 
cybersecurity and critical infrastructure.
    As we strive to make progress in the security of our Nation's 
critical infrastructure through our various partnership initiatives, we 
are not looking to duplicate the efforts of the private sector. 
Instead, CISA is looking for ways we can add value, such as bringing 
experts from Government and industry together, compiling a broader 
holistic view of the cyber landscape, and sharing information across 
sectors to ultimately make our Nation's critical infrastructure 
resilient against malicious cyber activity.
    Our work has taken on increased urgency subsequent to Russia's 
unprovoked invasion of Ukraine. CISA has been working closely with our 
critical infrastructure partners over the past several months to ensure 
awareness of potential threats. We have been providing additional 
resources, guidance, and support for months, and reiterated this call 
for critical infrastructure to adopt a heightened security posture in 
light of President Biden's statement that intelligence shows Russia may 
be exploring options for potential cyber attacks. As part of our 
broader ``Shields Up'' effort, we developed and published a variety of 
resources, including guidance for organizations, corporate leaders and 
CEOs, individuals, ransomware response, and a list of additional 
resources, multiple joint Cybersecurity Advisories (CSAs), mitigation 
guidance, including recent products on securing satellite 
communications and uninterruptible power supply devices, and a 
dedicated Technical Guidance web page with mitigation guidance and 
resources from CISA, the JCDC and other partners. Our goal with all of 
these efforts is to serve as a comprehensive resource for information 
about mitigations for the Russian cyber threat.
                joint cyber defense collaborative (jcdc)
    Given that the vast majority of our Nation's critical 
infrastructure is owned and operated by the private sector, the early 
warnings of a cyber attack affecting U.S. organizations are more likely 
to be identified by a private company rather than the Government. The 
private sector plays a vital role in working with CISA to improve our 
Nation's cybersecurity by helping to ensure that we are aware of new 
campaigns or intrusions so we can protect other possible victims.
    Critical to CISA's effort to build better operational collaborative 
channels is the JCDC, which leverages authorities granted in the fiscal 
year 2021 NDAA, among other authorities, and was launched by CISA in 
August 2021 to lead collaborative, public, and private-sector cyber 
defense planning, cybersecurity information fusion and analysis, and 
the purposeful dissemination of cyber defense guidance to reduce cyber 
risks to the Nation's critical infrastructure and the impact to our 
National Critical Functions (NCF).
    Today, the JCDC is a collection of more than 25 private-sector 
companies working with CISA and other Federal Government cybersecurity 
partner agencies--including DHS Office of Intelligence and Analysis, 
FBI, NSA, U.S. Cyber Command, the U.S. Secret Service, and relevant 
Sector Risk Management Agencies (SRMA)--to understand and respond to 
cyber threats. The diversity and unique capabilities of JCDC partners 
provides increased visibility and insight into the threat landscape and 
enables JCDC to develop plans and exercises against the most serious 
threats.
    The JCDC model reflects the reality that no one entity can secure 
cyber space alone. Collaboration across JCDC partners results in action 
across an expansive set of cybersecurity stakeholders throughout the 
Nation and the globe.
    By leveraging and unifying the respective capabilities, 
authorities, and expertise of the JCDC's partners, CISA is creating a 
proactive, rather than reactive, capability for the Government and 
private sector to work together to drive down risk even before an 
incident occurs. Should another incident like the compromises affecting 
SolarWinds Orion, Microsoft Exchange Server, or Colonial Pipeline 
occur, the strengthened connective tissue among our partners will allow 
for a more unified response.
    The JCDC operating model relies on regular analytic and data 
exchanges to enable common situational awareness and equip public and 
private-sector partners to take risk-informed coordinated action for 
our collective defense. Simply put, the work of the JCDC is about 
seeing the dots, connecting the dots, and collectively driving down 
risk to the Nation at scale. This alignment strengthens our mutual 
resilience and ability to address immediate and impending cyber 
incidents. Collaborative insights gleaned from the JCDC are then 
rapidly shared across the broader cybersecurity community, including 
through our Cybersecurity Information Sharing and Collaboration Program 
and through a broad ecosystem of Information Sharing and Analysis 
Centers (ISACs) and Organizations (ISAOs).
    In its short history, the JCDC has strengthened the lines of 
communication between industry and the Federal Government to improve 
real-time information sharing, planning, and exercising. For example, 
when CISA issued its emergency directive in response to the Log4j 
vulnerability, CISA leveraged the JCDC, establishing a senior 
leadership group within the the organization to coordinate collective 
action and ensure shared visibility into both the prevalence of the 
Log4j vulnerability and threat activity. By bringing together key 
Government and private-sector partners via the JCDC, including the 
agency's partners at the FBI and the NSA, CISA was able to ensure that 
the country's strongest capabilities were brought to bear in an 
integrated manner against the threat.
    Having built trust and strengthened relationships with our partners 
during our response to the Log4j incident, the JCDC was well-prepared 
to respond to the current dynamic threat environment amidst rising 
geopolitical tensions related to the Russia-Ukraine war.
    To ensure domestic resilience against potential cyber attacks in 
response to the Russia-Ukraine war, the President designated the 
Department of Homeland Security as the Lead Federal Agency (LFA) for 
domestic preparedness and response related to the current crisis. 
Secretary Mayorkas then established a Unified Coordination Group (UCG) 
and appointed CISA's executive director to serve as the senior response 
official to ensure Federal unity of effort across the U.S. Government. 
The stand-up of the UCG formalized the work CISA had been doing for 
months with Sector Risk Management Agencies (SRMAs) to inform 
stakeholders of the heightened threat environment, and conduct 
intelligence-based threat briefs for SRMA partner agencies, Sector and 
Government Coordinating Councils, and participants from the private 
sector and State and local community. In addition, CISA is working with 
FEMA, SRMAs, and other Federal partners to manage downstream physical 
consequences of potential cyber attacks. The Russia-Ukraine crisis has 
brought on a whole-of-Government and whole-of-Nation preparedness 
effort
    More broadly with the private sector though, the JCDC has served as 
a critical forum to implement standing operational collaboration 
channels.
    For example, CISA developed a Russia-Ukraine crisis plan with our 
JCDC partners that lays out phases and objectives of operational 
coordination between the U.S. Government and our private-sector 
partners amidst escalating geopolitical tensions. In mid-February, we 
conducted a tabletop exercise of this plan with our interagency and 
private-sector partners. We are using the plan as tensions escalate to 
guide and align our collective operational posture and support our 
ability to esynchronize defensive actions to mitigate harmful impacts 
to U.S. critical infrastructure from Russian cyber operations. In the 
wake of distributed denial-of-service (DDoS) and destructive malware 
attacks affecting Ukraine and other countries in the region, we are 
working very closely with JCDC and international cyber defense partners 
to understand and rapidly share information on these on-going malicious 
cyber activities.
    Moreover, JCDC's collaborative channels have allowed CISA to 
exchange technical information about recent incidents in Ukraine and 
conduct real-time analysis with interagency and industry partners. 
Further still, the JCDC established additional information-sharing 
mechanisms with the Nation's largest energy and financial companies, in 
coordination with the appropriate SRMAs, allowing CISA to provide 
additional early warning about Russian activity against U.S. 
institutions and exchange-related threat information and defensive 
measures.
    We recognize that many critical infrastructure partners or SLTT 
governments find it challenging to identify resources for urgent 
security improvements. In response, JCDC has worked with our partners 
to compile a list of free cybersecurity tools and services to help 
organizations further advance their security capabilities. This catalog 
includes CISA's own services, open-source tools, and free offerings 
from private-sector entities, including our JCDC partners. The catalog 
includes resources like malware and antivirus protection systems, 
vulnerability assessment solutions, tools that test password strength, 
distributed denial-of-service protection services and intelligence from 
several leading cybersecurity companies. This is particularly impactful 
for small businesses and SLTT organizations who are target-rich and 
resource-poor.
    Going forward, we continue to build and mature the JCDC construct. 
We are particularly focused on advancing our capability to create, 
exercise, and execute joint cyber defense plans. Upcoming planning 
efforts focus on the energy sector and collaboratively supporting 
defense of the Nation's election infrastructure. The JCDC has 
demonstrated the promise of a new model for public-private operational 
collaboration: Joint cyber planning--including deliberate and crisis 
action plans--through collaboration across the public and private 
sectors to prepare for and address the Nation's most pressing cyber 
risks, combined with integrated and institutionalized testing and 
assessments to continuously measure and improve the effectiveness of 
cyber defense planning and capabilities.
    Through these collaborative efforts, we will enable common 
situational awareness, information fusion, and analysis that equips 
public and private partners to take risk-informed coordinated action. 
This journey is not CISA's alone. Rather, we are embarking on a rapid 
evolution in concert with our partners across the inter-agency and 
private sector, with a shared goal of advancing our Nation's security 
and resilience at scale.
                 systemically important entities (sie)
    Through our operational collaboration efforts, we have learned that 
prioritization is essential. By focusing on systemic risks, growing 
interdependencies within and across sectors and our evolving reliance 
on information and communications technology (ICT), we will more 
effectively reduce the potential of cascading impacts associated with 
the failure of these technologies that could threaten our National and 
economic security.
    In March 2020, the Cyberspace Solarium Commission proposed a 
``designation of critical infrastructure entities that manage systems 
and assets whose disruption could have cascading, destabilizing effects 
on U.S. National security, economic security, and public health and 
safety.''\1\ At CISA, we are operationalizing this concept by 
developing approaches to identify Systemically Important Entities 
(SIE). These are entities that own, operate, or otherwise control 
critical infrastructure, prioritized based on indicators of systemic 
importance and the potential impact that their disrupted or corrupted 
functions will have a debilitating, systemic or cascading impact on our 
country's critical infrastructure and related NCFs, National security, 
National economic security, public health, public safety, or some 
combination thereof.
---------------------------------------------------------------------------
    \1\ United States of America. (2020). Cyberspace Solarium 
Commission, Final Report. p. 138. Retrieved from https://
www.cybersolarium.org/reports-and-white-papers.
---------------------------------------------------------------------------
    As the private sector owns and operates a vast majority of the 
Nation's critical infrastructure, partnerships like JCDC, CSAC, and 
others that foster integrated, collaborative engagement and interaction 
are essential to maintaining critical infrastructure security and 
resilience. Therefore, identifying systemically important private-
sector firms, in addition to SLTT and other public entities, is 
paramount to prioritizing the partnerships CISA establishes and 
maintains to reduce risk to critical infrastructure.
    To aid in this identification, CISA established an SIE effort 
within the National Risk Management Center (NRMC) to develop the SIE 
concept in order to prioritize CISA's delivery of services to those 
entities. CISA's SIE effort, which seeks to support and respond to 
partners and stakeholders across the Federal Government, private 
industry, and SLTT governments, will be the central body responsible 
for coordinating across CISA, DHS, and the interagency to manage 
stakeholder engagement with systemically important entities. 
Additionally, CISA is sponsoring work by the Homeland Security 
Operations Analysis Center (HSOAC) to develop a prototype analytic 
capability to identify SIEs at scale. By using advanced data-analytic 
techniques that evaluate entities based on their network centrality and 
sector revenue, we will be better able to identify and assess an SIE's 
importance across the NCFs and close gaps in their risk profiles.
    Identifying SIEs is more than just a naming and mapping exercise. 
By identifying SIEs we will be better positioned to understand the true 
landscape of institutions and systems whose disruption could have 
cascading and systemic effects to our critical infrastructure and 
related NCFs. This knowledge will better position us to prioritize 
these entities for CISA services and capabilities and identify mature 
entities whose partnership can help the Nation reduce systemic risk to 
our cyber and critical infrastructure.
    While we are committed to growing our capacity to collaborate and 
share information, CISA and our Federal partners are limited in our 
ability to influence private-sector functions, such as complex supply 
chains, that are an increasing source of cyber risk. Fortunately, SIEs 
can help set expectations for acceptable activities and behavior by 
employing effective supply chain security risk management practices.
    CISA will prioritize partnership and engagement with the SIE 
community and provide recommendations for addressing the emerging 
challenges of systemic risk. We particularly would benefit from 
specific input from partners regarding our efforts to improve our 
understanding of systemic risk.
    The SIE program is of critical importance. While we are committed 
to protecting all of the Nation's critical infrastructure, not all 
infrastructure is created equal. Assets and systems that are of such 
vital importance to our security require prioritized protection in 
collaboration with the private sector. In some cases, individual 
companies can reduce risk because they own or operate a significant 
portion of the assets and systems. CISA's efforts to begin the 
identification process of systemically important entities represents a 
vital, and necessary, first step in that process.
              cisa cybersecurity advisory committee (csac)
    Even as we work through the JCDC to collaborate around urgent risks 
of today and develop cyber defense plans to address those risks still 
ahead, we must also learn from diverse minds across the cybersecurity 
community to advance CISA's strategic maturation. To achieve this goal, 
we recently launched the CISA Cybersecurity Advisory Committee (CSAC), 
a key authority granted in the National Defense Authorization Act 
(NDAA) for fiscal year 2021.
    The CSAC was established with the purpose of bringing together 
strategic thinkers with diverse expertise and insights to examine 
issues and create recommendations related to the development, 
refinement, and implementation of policies and programs that will help 
to advance the cybersecurity mission of CISA as well as strengthen the 
cybersecurity of the United States. In December 2021, Director Easterly 
appointed 23 leading experts on cybersecurity, technology, risk 
management, privacy, and resilience from across industry, academia, and 
Government to serve as the CSAC's initial members. The diversity of the 
committee's members emphasizes the need for an ``all hands on deck'' 
approach to secure our digital networks.
    CSAC members advise, consult with, report to and make 
recommendations to the Director on the development, refinement, and 
implementation of policies, programs, planning, and training pertaining 
to CISA's cybersecurity mission. The committee will examine and make 
recommendations on a variety of topics collectively aimed at 
strengthening CISA and more broadly reshaping the cyber ecosystem to 
favor defense. These topics include growing the cyber workforce; 
reducing systemic risk to National critical functions; combating 
misinformation and disinformation impacting the security of critical 
infrastructure; and turning the corner on cyber hygiene by raising the 
baseline of security throughout the cyber ecosystem to advance an 
environment that favors the defender by better aligning Government and 
private-sector efforts to build resilience and improve cyber hygiene at 
scale. In addition, the CSAC recently established a new Technical 
Advisory Council, a subcommittee of the CSAC, with some of the most 
accomplished individuals in the cybersecurity community to provide CISA 
with expert insights into advancing our collaboration with the research 
community and ensuring that our programs reflect leading technology 
practices.
    Building on the momentum from the committee's inaugural meeting in 
December, the CSAC convened again just this past week on March 31. 
Protecting the Nation's critical infrastructure depends on a unified 
effort and we remain committed to ensuring that we have the right 
strategy in place to prepare for, respond to, and mitigate 
cybersecurity threats to our Nation's critical systems. CISA looks 
forward to the recommendations made by the committee Members and the 
subsequent subcommittees.
                    cyber safety review board (csrb)
    A continuous learning culture is critical to staying ahead of the 
increasingly sophisticated cyber threats we face in today's complex 
technology landscape. Recognizing this need, President Biden's 
Executive Order 14028 on Improving the Nation's Cybersecurity directed 
DHS to establish a Cyber Safety Review Board (CSRB) to review 
significant cyber incidents to ensure that the Nation fully understands 
and learns from significant cyber events that may threaten us all.
    The CSRB serves a deliberate function to review major cyber events 
and make concrete recommendations that would drive improvements within 
the private and public sectors. As a uniquely constituted advisory 
body, the CSRB will focus on learning lessons and sharing findings with 
the President, and with others who can benefit from them, as 
appropriate.
    The private sector has a significant role to play in providing 
visibility, validation, and insight into how cyber events emerge and 
which short and long-term improvements can stave off future, similar 
events, and incidents. The CSRB--composed of 15 highly-esteemed 
cybersecurity leaders from the Federal Government and the private 
sector--provides a unique forum for collaboration between Government 
and private-sector leaders who will deliver strategic recommendations 
to the President and the Secretary of Homeland Security.
                               conclusion
    Our Nation is at a turning point in cybersecurity. We must continue 
to work together, by deepening our operational collaboration and 
ensuring we have the plans and policies in place now, to defend against 
new and changing cyber threats going forward. Recent incidents and the 
on-going threat of malicious Russian cyber activity provide a stark 
reminder about the vulnerability of our country's critical 
infrastructure. The need for increased risk sharing and distribution 
between the Government and private sector is clear.
    The cyber ecosystem is a shared space with shared responsibilities 
and shared benefits, with every organization gaining from the 
interoperability, scale, and resilience of the internet and networked 
technologies. As a result, every organization must invest in protecting 
it. Together we can address the risks we all face. CISA's public and 
private-sector programs provide novel collaborative venues for diverse 
entities to evolve their relationships.
    Now is the time to act--and CISA is helping to lead our National 
call to action. We will deepen our partnerships with critical 
infrastructure partners, enhance our visibility into National 
cybersecurity, and drive targeted action to reduce vulnerabilities and 
detect our adversaries. In collaboration with our Government partners, 
critical infrastructure entities, our international allies, and with 
the support of Congress, we will make progress in addressing this risk 
and maintain the availability of critical services to the American 
people under all conditions.

    Chairwoman Clarke. Thank you for your testimony, Mr. 
Goldstein. I now recognize Mr. Knake to summarize his statement 
for 5 minutes.

 STATEMENT OF ROBERT K. KNAKE, DEPUTY NATIONAL CYBER DIRECTOR 
   FOR STRATEGY AND BUDGET, PRINCIPAL DEPUTY NATIONAL CYBER 
 DIRECTOR (ACTING), OFFICE OF THE NATIONAL CYBER DIRECTOR, THE 
                          WHITE HOUSE

    Mr. Knake. Thank you, Chairwoman Clarke. Thank you, Mr. 
Garbarino, and thank you, Mr. Katko, for being here today. I 
very much appreciate the opportunity. It is very good to be 
back before this committee in my new role as deputy national 
cyber director in the Office of the National Cyber Directorate.
    So, we are the new kids in school and we are working 
closely with our colleagues at CISA. We are working very 
closely with our colleagues throughout the interagency and with 
our colleagues at the National Security Council in order to 
bring together a more cohesive effort on the part of the 
Federal Government when we are working with the private sector. 
So, that is what we are here for.
    So, today you will hear me say a lot of things that sound 
almost like what you might hear from Ms. Sherman. We are 
reviewing, we are evaluating, we are supporting rather than we 
are directing or we are operationalizing some activity. That is 
the role of CISA, that is the role of Eric Goldstein, and the 
SRMAs, Sector Risk Management Agencies.
    So, with that said, what I would like to talk about is in 
terms of the maturing public-private partnership, first, I 
think we really need to recognize how far we have actually 
come, particularly in the last few years. We have gone from a 
partnership that was fundamentally about having meetings 
between public policy officials and companies, and public 
policy officials and organizations, to one in which we have 
operational collaboration that, in some cases, is side-by-side, 
shoulder-to-shoulder, but, even more importantly, has been 
virtualized so that people at large companies can engage with 
the private sector, with the Government, and can do it in real 
time from where they were. This is a massive lead that the JCDC 
has really enabled over the last year. We are really seeing the 
benefits of that maturation as we confront the Russia threat.
    So, as we look to mature, we first need to recognize that 
we really have come a significant way. My hat is off to this 
Congress for giving the resources, the authorities, and looking 
at the organization of CISA and the SRMAs in order to make sure 
that we have got the right players on the field and they have 
got the right resources to do their jobs.
    So, where do we go from here I think is the big question? 
The Russia threat I think, as Eric has said, is really 
providing a focus. It is making sure that every single day we 
are improving our connectivity with the private sector, that 
when problems happen they are getting resolved. That if, for 
instance, somebody calls our office and says we have an issue, 
we can't find the right place to plug into the Government, we 
don't say, great, we will take that, we will stand up a new 
body at the White House to do it. No, we say, OK, I am going to 
get on the phone with Eric or, better yet, our engagement team 
is going to get on board with the JCDC and say how do we plug 
these guys in? That is happening every single day. So that 
improvement is something that we very much want to see continue 
as we face this Russia threat.
    I think Eric has given a very good encapsulation of what 
the JCDC does. Let me talk a little bit more about what we are 
doing with the Sector Risk Management Agencies, which we see as 
a vital partner in this effort.
    Many people have used the football analogy and I will use 
it here. If you have got the quarterback at CISA, you got to 
make sure you have strong players on the rest of the field, and 
that is where the SRMAs come in. Our office is evaluating, in 
partnership with those SRMAs, what are their capabilities? What 
are the resources they need? What are the gaps and how can we 
help fill them?
    Crucial to that we have heard from every private sector 
company we talked to is to make sure that we can provide the 
one thing that private companies can't do on their own, which 
is intelligence. Only the U.S. Government can collect 
intelligence and only the U.S. Government can provide it back. 
So, that is a major focus of our efforts.
    There is a great model here that the defense industrial 
base is engaged in with DOD. We think we can replicate it. The 
key is to build some connectivity between CISA and the SRMAs 
and the private sector, so we can really scale these great 
efforts. I think we are well on our way to that.
    Finally, as I think we look at the concept of the 
systemically important entities, it is fairly clear to us that 
DHS has the authorities to do the work they have done today. We 
are working with them to see are there other things you would 
like to do? Are there authorities you don't have in order to 
either identify, but, more importantly, provide support to or 
set performance goals with, tailored performance goals with 
those entities? So that is the last piece of what we are 
looking at in the very near term.
    Thank you for the opportunity to testify. I am looking 
forward to the discussion.
    [The prepared statement of Mr. Knake follows:]
                 Prepared Statement of Robert K. Knake
                             April 6, 2022
    Chairwoman Clarke, Ranking Member Garbarino, distinguished Members 
of the subcommittee, thank you for the privilege to appear before you 
today. It's an honor to appear alongside CISA's executive assistant 
director for cybersecurity Eric Goldstein. I am eager to share with you 
what the Office of the National Cyber Director (ONCD) is doing to 
mature the public-private partnership with industry to better secure 
critical infrastructure from cyber intrusions, including destructive 
cyber attacks. The Biden-Harris administration continues to strengthen 
our cybersecurity defenses and prepare our Nation with unprecedented 
focus, and the ONCD is proud to work alongside our interagency partners 
in these efforts.
    The President has taken aggressive action to secure the Nation's 
critical infrastructure and is prepared to use every tool to deter, 
disrupt, and when appropriate, respond to cyber attacks against our 
homeland. In May 2021, the President issued Executive Order 14028, 
mandating extensive cybersecurity measures for the Federal Government 
to ensure we are leading by example. The ONCD, working with our 
partners at the Office of Management and Budget (OMB) and the National 
Security Council, is conducting implementation oversight of Executive 
Order 14028, to ensure continued progress on fulfilling the Order's 
requirements.
    Since the fall 2021, as Russian President Vladimir Putin escalated 
his aggression against Ukraine, the Biden-Harris administration has 
worked to provide extensive briefings and advisories to U.S. businesses 
and individuals regarding potential threats and the cybersecurity 
measures they can put in place to protect themselves. CISA, the FBI, 
the National Security Agency's Cybersecurity Directorate--and, in many 
cases, our international partners--have issued numerous threat 
advisories outlining Russia's malicious intent and activities in cyber 
space and outing their tools and infrastructure. The professionals in 
our intelligence community have done outstanding work in exposing 
Putin's nefarious plots, while our cyber defenders continue to ensure 
strategic warnings are paired with actionable steps for companies and 
the American public to defend themselves.
    Recognizing the unique risks presented in cyber space for the 
conflict to spill out of Ukraine and onto our shores, the Federal 
Government has also partnered with industry on tabletop exercises, 
bringing important critical infrastructure stakeholders--including 
CEOs--together to operationalize collaboration and prepare for various 
scenarios. Paired with Classified intelligence read-ins and aggressive 
declassification efforts, these exercises help enhance resilience and 
coherence among our private-sector partners, Federal departments, and 
agencies. The administration has also been able to leverage 
relationships developed through public-private action plans under the 
President's Industrial Control Systems Cybersecurity Initiative to 
enhance the cybersecurity posture of the electricity, pipeline, and 
water sectors.
    On March 21, 2022, the President reiterated his warning about 
potential cyber attacks from Russia against critical infrastructure and 
urged companies to harden cyber defenses immediately and deploy best 
practices. The Government and private sectors must also continue to 
work together to build National resilience and productively 
collaborative to address and defeat the evolving cyber threats we face. 
The administration has prioritized stronger cybersecurity controls for 
critical infrastructure sectors where we have authority to do so and is 
creating innovative public-private partnerships and initiatives to 
enhance cybersecurity across all our critical infrastructure. Congress 
has partnered with us on these efforts, and we appreciate the 
bipartisan work of this committee to require companies to report cyber 
incidents to the U.S. Government. These efforts have become even more 
critical as we assess evolving intelligence that Russia may be 
exploring options for potential cyber attacks on U.S. critical 
infrastructure.
    The ONCD is helping to execute the Biden-Harris administration's 
cyber agenda by, among other things, working to improve public-private 
collaboration in cybersecurity. Through strategic engagements with 
stakeholders, the ONCD is establishing and maintaining relationships to 
enhance knowledge sharing and strategic coordination and collaboration. 
ONCD is working with the NSC, other White House components, and 
relevant agencies to harness the once-in-a-generation scope and scale 
of the Infrastructure Investment and Jobs Act to build infrastructure 
that is future-proofed and resilient to cyber threats, with standards 
and policy frameworks necessary for a durable cyber foundation.
    As we work with industry to invest in the resiliency of our 
infrastructure, we remain committed to rapidly improving our 
collaboration with industry to address today's cyber threats.
    We work closely with our Federal partners, including CISA, OMB, the 
Department of Justice, including the FBI, the National Institute of 
Standards and Technology (NIST), and Sector Risk Management Agencies 
(SRMAs) to expand engagement and partnership opportunities across 
sectoral lines and increase collaboration.
    CISA has a central role to play in building our capacity for 
collaboration with the private sector. I expect that EAD Goldstein will 
highlight CISA's on-going efforts in this area to mature collaboration 
and improve cybersecurity, but let me highlight one critical success. 
CISA leveraged the authority entrusted to it by Congress to establish 
the Joint Cyber Defense Collaborative (JCDC), an organization that 
brings together representatives from Government and industry 
collaborating to identify threats, develop crisis response plans, and 
foster the relationships needed to quickly share information and 
respond to malicious cyber incidents. The JCDC has already had some 
early successes, most notably by bringing Government and the private 
sector together to respond to the Log4j vulnerability. Building 
resilience to potentially catastrophic cyber incidents will require an 
unprecedented level of planning, information sharing, and operational 
collaboration. Efforts to connect Government and industry experts, such 
as the JCDC, can identify and address threats far more effectively than 
can any single organization operating alone.
    Equally important, however, is the role of SRMAs, each a vital 
component of the Federal Government's capacity to assist private-sector 
entities in improving cybersecurity. SRMAs have statutory 
responsibilities to work with their sectors on a day-to-day basis and 
help surface information relevant to other sectors and are vital for 
managing National risk. Agencies like the Department of Energy, the 
Department of the Treasury, and others are partnering closely with 
industry to share information, drive risk management activities, and 
collaborate to reduce risk.
    Sector Coordinating Councils and organizations like ISACs and ISAOs 
have been proven to be useful mechanisms for information sharing, but 
we need to mature the policies and procedures for strengthening 
collaboration. NSA's Cybersecurity Collaboration Center, in partnership 
with the Defense Industrial Base Sector, is an example of the power of 
bringing together cyber threat experts and network defenders to enable 
more secure Department of Defense (DoD) and defense industry platforms 
and systems.
    Resourcing SRMA functions, including those resident at CISA, is key 
to achieving the Federal coherence that is central to the strategic 
intent of the ONCD. ONCD is beginning an initiative to review the cyber 
capabilities and resources of SRMAs and understand the requirements to 
operationalize SRMAs so that they can better collaborate in cyber 
defense.
    As part of this review, ONCD is examining current authorities and a 
pilot program that can be used to mature these efforts. We are also 
examining how we can improve internal Government capacity to collect 
and share threat intelligence with these entities.
    We also need to strengthen our efforts to coordinate law 
enforcement capabilities with private-sector entities to combat 
botnets, ransomware, and other malicious activity. The Department of 
Justice, including the FBI, has enjoyed a string of successes in 
disrupting ransomware operations. ONCD is reviewing opportunities to 
create linkages to further mature the ability to coordinate these 
efforts with private-sector entities that may be targeted by threat 
actors or have information or capabilities that can support Government 
action.
    Congress, Presidential policy, the Department of Homeland Security, 
and SRMAs have long recognized the need to identify critical 
infrastructure that if successfully targeted by adversaries could cause 
disproportionate harm to the American people and the U.S. economy. 
Section 9 of Executive Order 13636 requires the Secretary of Homeland 
Security to identify critical infrastructure where a cybersecurity 
incident could reasonably result in catastrophic effects on public 
health or safety, economic security, or National security. In March 
2020, the Cyberspace Solarium Commission proposed a ``designation of 
critical infrastructure entities that manage systems and assets whose 
disruption could have cascading, destabilizing effects on U.S. National 
security, economic security, and public health and safety.'' These 
entities support National Critical Functions and are of heightened 
interest to nation-state adversaries. Given the potential consequences 
of a cyber incident impacting a Section 9 entity, there is a vested 
interest of both the Federal Government and the private sector to 
improve the security and resilience of these entities.
    The administration supports the general concept of identifying 
systemically important entities that own, operate, or otherwise control 
critical infrastructure. ONCD is evaluating how to enhance the Federal 
Government's capacity to reduce the risk to National Critical Functions 
posed by adversaries against the entities that own and operate our most 
important systems and assets and to understand and improve their 
resiliency to cyber attacks. Specifically, we are examining authority 
and capacity to provide prioritized support to, and opportunities to 
collaborate with, these entities, as well as the possibility for 
tailored obligations required on designated entities. Additionally, 
CISA is currently developing a plan and time line for the rulemaking 
required under the Cyber Incident Reporting for Critical Infrastructure 
Act, or ``CIRA''. We look forward to working with Congress to ensure 
that any potential framework for systemically important entities is 
complementary to CIRA and other on-going efforts across the 
administration.
    Finally, one of the most important things that we can do to mature 
the public-private partnership to secure U.S. critical infrastructure 
is to make sure we are extracting lessons learned from cyber incidents 
and implementing those lessons as rapidly as possible. The Biden-Harris 
administration created the Cyber Safety Review Board (CSRB) modeled 
after the National Transportation Safety Board with the goal of 
reviewing significant cyber incidents with this purpose in mind. 
Established in accordance with Section 5 of Executive Order 14028, the 
Board brings together Government and private-sector leaders to analyze 
significant cybersecurity incidents, generate lessons learned, and 
produce concrete recommendations to avoid future crises. Director 
Inglis proudly serves on the Board, which is currently undertaking a 
review of the vulnerabilities in the Log4j library that came to light 
last December. I am also actively engaged in the review. Importantly, 
following this first review, the CSRB will review its own processes and 
develop plans for improving future reviews.
    With the continued support of the President and the Congress, the 
Office of the National Cyber Director is committed to building robust 
relationships with industry and our interagency partners to enhance the 
security and resilience of our Nation's cyber ecosystem. Thank you for 
the opportunity to testify before you today, and I look forward to your 
questions.

    Chairwoman Clarke. Thank you for your testimony, Mr. Knake. 
I now recognize Dr. Sherman to summarize her statement for 5 
minutes.

STATEMENT OF TINA WON SHERMAN, DIRECTOR, HOMELAND SECURITY AND 
         JUSTICE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Sherman. Chairwoman Clarke, Ranking Member Garbarino, 
Ranking Member Katko, Members of the subcommittee, I am pleased 
to be here today to discuss our Nation's critical 
infrastructure alongside witnesses from two key Federal 
entities in this space.
    As evidenced by yesterday's testimonies on Russian cyber 
threats and in the Comptroller General of the United States' 
comments in front of the House Appropriations Committee 
protecting the assets, systems, and networks that underpin our 
daily lives is a pressing and monumental task. We must 
safeguard not only our oil and gas pipelines, our water, and 
food manufacturing facilities, but also our cell towers and 
satellites, our financial and health institutions, and more 
from cyber and other attacks that occur almost daily.
    The owners and operators of this infrastructure, many of 
whom are in the private sector, work closely with the Federal 
Government to implement measures that help prevent those 
attacks not only from foreign adversaries, but from domestic 
actors and insider threats. Regardless of their origins, the 
threats are real and require urgent action.
    The agency I represent, GAO, has reported on critical 
infrastructure protection in response to Congressional interest 
for many years. In 1997, GAO first designated information 
security as a Government-wide high-risk area and, in 2003, 
expanded that area to include critical infrastructure 
protection. Since 2021, we have issued reports on several areas 
where urgent action is needed. This includes CISA's 
transformation initiative following its 2020 reorganization, 
its prioritization efforts and role in supporting the 16 
critical infrastructure sectors, and Sector Risk Management 
Agencies' implementation of NIST's cybersecurity framework, to 
name a few.
    One of the repeated themes that cuts across this work is 
the continued need to improve collaboration between the 
Government and the private sector. The diffuse and voluntary 
nature of the critical infrastructure landscape continues to 
pose a range of challenges to this community, from implementing 
security standards and effectively analyzing risks to sharing 
threat-related information and providing timely support and 
guidance to stakeholders.
    The relatively new Federal entities, both CISA and ONCD, 
are uniquely positioned to play a significant role in 
protecting our Nation's critical infrastructure. Collaboration 
is essential and we have recommended to the Department of 
Homeland Security that it strengthen efforts between public and 
private partners. While the Department has communicated to us 
that they are taking steps to implement our recommendations, we 
urge them to do so even more expeditiously to protect our 
economy, public health and safety, and National security from 
any future attacks.
    Thank you for holding this hearing and for inviting me to 
participate in this conversation this morning.
    [The prepared statement of Ms. Sherman follows:]
                 Prepared Statement of Tina Won Sherman
                        Wednesday, April 6, 2022
                             gao highlights
    Highlights of GAO-22-105973, a testimony before the Subcommittee on 
Cybersecurity, Infrastructure Protection, and Innovation, Committee on 
Homeland Security, House of Representatives
Why GAO Did This Study
    The Nation's critical infrastructure consists of physical and cyber 
assets and systems that are vital to the United States. Their 
incapacity or destruction could have a debilitating impact on security, 
National public health and safety, or National economic security. 
Critical infrastructure provides the essential functions--such as 
supplying water, generating energy, and producing food--that underpin 
American society. Protecting this infrastructure is a National security 
priority.
    GAO first designated information security as a Government-wide 
high-risk area in 1997. This was expanded to include protecting: (1) 
Cyber critical infrastructure in 2003 and (2) the privacy of personally 
identifiable information in 2015.
    This statement discusses DHS's efforts to address critical 
infrastructure security. For this testimony, GAO relied on selected 
products it issued from September 2018 to March 2022, including GAO-21-
236 and GAO-22-104279.
What GAO Recommends
    GAO has made various recommendations to strengthen critical 
infrastructure security efforts, with which DHS has agreed. DHS has 
implemented or described planned actions to address these 
recommendations.
  critical infrastructure protection.--dhs actions urgently needed to 
          better protect the nation's critical infrastructure
What GAO Found
    To improve critical infrastructure security, key actions Department 
of Homeland Security (DHS) needs to take include: (1) Strengthening the 
Federal role in protecting the cybersecurity of critical infrastructure 
and (2) improving priority-setting efforts.
    Strengthen the Federal role in protecting the cybersecurity of 
critical infrastructure.--Pursuant to legislation enacted in 2018, the 
Cybersecurity and Infrastructure Security Agency (CISA) within DHS was 
charged with responsibility for enhancing the security of the Nation's 
critical infrastructure in the face of both physical and cyber threats. 
In March 2021, GAO reported that DHS needed to complete key activities 
related to the transformation of CISA. This includes finalizing the 
agency's mission-essential functions and completing workforce planning 
activities. GAO also reported that DHS needed to address challenges 
identified by selected critical infrastructure stakeholders, including 
having consistent stakeholder involvement in the development of related 
guidance. Accordingly, GAO made 11 recommendations to DHS, which the 
Department intends to implement by end of 2022.
    Improve priority-setting efforts.--Through the National Critical 
Infrastructure Prioritization Program, CISA is to identify a list of 
systems and assets that, if destroyed or disrupted, would cause 
National or regional catastrophic effects. Consistent with the 
Implementing Recommendations of the 9/11 Commission Act of 2007, CISA 
annually updates and prioritizes the list. The program's list is used 
to inform the awarding of preparedness grants to States. However, in 
March 2022, GAO reported that 9 of 12 CISA officials and all 10 of the 
infrastructure stakeholders GAO interviewed questioned the relevance 
and usefulness of the program. For example, stakeholders questioned the 
current relevance of the criteria used to add critical infrastructure 
to the Prioritization Program list. In 2019, CISA published a set of 55 
National critical functions of the Government and private sector 
considered vital to the security, economy, and public health and safety 
of the Nation (see figure). However, most of the Federal and non-
Federal critical infrastructure stakeholders that GAO interviewed 
reported being generally uninvolved with, unaware of, or without an 
understanding of the goals of the framework for its critical functions. 
GAO made recommendations to DHS in its March 2022 report to address 
these concerns, such as ensuring stakeholders are fully engaged in the 
framework's implementation, and DHS agreed with the recommendations.


    Chairwoman Clarke, Ranking Member Garbarino, and Members of the 
subcommittee: Thank you for the opportunity to contribute to today's 
discussion on Federal perspectives to secure the Nation's critical 
infrastructure.\1\ As you know, the Nation's critical infrastructure 
consists of physical and cyber assets and systems that are vital to the 
United States. Their incapacity or destruction could have a 
debilitating impact on security, National economic security, or 
National public health and safety.\2\ Critical infrastructure provides 
the essential functions--such as supplying water, generating energy, 
and producing food--that underpin American society. Protecting this 
infrastructure is a National security priority.
---------------------------------------------------------------------------
    \1\ The term ``critical infrastructure,'' as defined in the Uniting 
and Strengthening America by Providing Appropriate Tools Required to 
Intercept and Obstruct Terrorism Act of 2001, refers to systems and 
assets, whether physical or virtual, so vital to the United States that 
their incapacity or destruction would have a debilitating impact on 
security, National economic security, National public health or safety, 
or any combination of these. 42 U.S.C.  5195c(e).
    \2\ 242 U.S.C.  5195c(e).
---------------------------------------------------------------------------
    We have long stressed the urgent need for effective cybersecurity 
to protect critical infrastructure, as underscored by increasingly 
sophisticated threats and frequent cyber incidents.\3\ Recent events--
including the ransomware attack that led to a shutdown of a major U.S. 
fuel pipeline, cyber threat actors who obtained unauthorized access to 
a U.S. water treatment facility in an attempt to increase the amount of 
a caustic chemical that is used as part of the water treatment process, 
and a cyber attack campaign again U.S. Government agencies and other 
entities--have illustrated that the Nation's critical infrastructure 
continues to face growing cyber threats.\4\ Because the majority of 
critical infrastructure is owned and operated by the private sector, it 
is vital that the public and private sectors work together to protect 
these assets and systems.
---------------------------------------------------------------------------
    \3\ See, for example, GAO, Cybersecurity and Information 
Technology: Federal Agencies Need to Strengthen Efforts to Address 
High-Risk Areas, GAO-21-105325 (Washington, DC: July 28, 2021) and 
High-Risk Series: Federal Government Needs to Urgently Pursue Critical 
Actions to Address Major Cybersecurity Challenges, GAO-21-288 
(Washington, DC: Mar. 24, 2021).
    \4\ For more information regarding such recent events, see GAO, 
Cybersecurity: Federal Agencies Need to Implement Recommendations to 
Manage Supply Chain Risks, GAO-21-594T (Washington, DC: May 25, 2021). 
Ransomware is a type of malware used to deny access to IT systems or 
data and hold the systems or data hostage until a ransom is paid.
---------------------------------------------------------------------------
    My remarks today will focus on DHS's efforts to strengthen the 
Federal role in protecting the cybersecurity of critical infrastructure 
and improving its priority-setting efforts. This statement is based on 
the results of our prior work, which includes the reports and 
testimonies that we cite throughout this statement, issued from 
September 2018 to March 2022. Detailed information about the scope and 
methodology for our prior work can be found in the products cited 
throughout this statement.
    We conducted the work on which this statement is based in 
accordance with generally accepted Government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.
                               background
    Information systems supporting Federal agencies and our Nation's 
critical infrastructure--such as transportation systems, 
communications, education, energy, and financial services--are 
inherently at risk. Compounding the risk, systems and networks used by 
Federal agencies and our Nation's critical infrastructure are also 
often interconnected with other internal and external systems and 
networks, including the internet. Examples of critical infrastructure 
are shown in figure 1.
    The Department of Homeland Security (DHS) coordinates the overall 
Federal effort for National critical infrastructure protection.\5\ This 
effort spans across the 16 Federally-designated sectors and 
prioritizing available resources to the most critical infrastructure 
can enhance our Nation's security, increase resiliency, and reduce 
risk.\6\ Our prior work has cited DHS actions to identify and assess 
risk to critical infrastructure. For example, we reported in March 2022 
on DHS's Cybersecurity and Infrastructure Security Agency's (CISA) 
programs to prioritize assets and systems for protection efforts.\7\ 
Specifically, we evaluated the National Critical Infrastructure 
Prioritization Program (NCIPP), which, consistent with the Implementing 
Recommendations of the 9/11 Commission Act of 2007, annually 
prioritizes critical infrastructure based on the consequences 
associated with the disruption or destruction of those assets.\8\ The 
program's list is used to inform the awarding of preparedness grants to 
States. We also examined CISA's National Critical Functions framework, 
which consists of 55 National Critical Functions, which are the 
functions of Government and non-Governmental entities so vital to the 
United States that their disruption, corruption, or dysfunction would 
have a debilitating effect on security, National economic security, 
National public health or safety, or any combination thereof. Our prior 
findings on both the NCIPP and National Critical Functions framework 
are discussed later in this statement.
---------------------------------------------------------------------------
    \5\ The Homeland Security Act of 2002 created DHS and gave the 
agency responsibilities for coordinating National critical 
infrastructure protection efforts. See generally Pub. L. No. 107-296, 
tit. II, 115 Stat. 2135, 2145.
    \6\ Federal policies identify 16 critical infrastructure sectors: 
Chemical; commercial facilities; communications; critical 
manufacturing; dams; defense industrial base; emergency services; 
energy; financial services; food and agriculture; Government 
facilities; health care and public health; information technology; 
nuclear reactors, materials, and waste; transportation systems; and 
water and wastewater systems.
    \7\ GAO, Critical Infrastructure Protection: CISA Should Improve 
Priority Setting, Stakeholder Involvement, and Threat Information 
Sharing, GAO-22-104279 (Washington, DC: Mar. 1, 2022)
    \8\ Originally developed in 2006, the NCIPP identifies critical 
infrastructure that would result in National-level consequences if 
disrupted or destroyed, resulting in Classified lists of specific 
assets, clusters, and systems. The NCIPP annually prioritizes critical 
infrastructure based on the consequences associated with the disruption 
or destruction of those assets. To conduct this work, CISA coordinates 
a voluntary effort with States and other partners to identify, 
prioritize, and categorize high-priority critical infrastructure.


GAO Has Previously Identified Four Major Cybersecurity Challenges 
        Facing the Nation
    To underscore the importance of this issue, we have designated 
information security as a Government-wide high-risk area since 1997.\9\ 
In 2003, we added the protection of critical infrastructure to the 
information security high-risk area, and, in 2015, we further expanded 
this area to include protecting the privacy of personally identifiable 
information.\10\
---------------------------------------------------------------------------
    \9\ GAO, High-Risk Series: Information Management and Technology, 
HR-97-9 (Washington, DC: Feb. 1997). GAO maintains a high-risk program 
to focus attention on Government operations that it identifies as high-
risk due to their greater vulnerabilities to fraud, waste, abuse, and 
mismanagement or the need for transformation to address economy, 
efficiency, or effectiveness challenges.
    \10\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: 
Feb. 11, 2015) and High-Risk Series: An Update, GAO-03-119 (Washington, 
DC: Jan. 2003).
---------------------------------------------------------------------------
    In our high-risk updates from September 2018 and March 2021, we 
emphasized the critical need for the Federal Government to take 10 
specific actions to address 4 major cybersecurity challenges that the 
Federal Government faces.\11\ These challenges are: (1) Establishing a 
comprehensive cybersecurity strategy and performing effective 
oversight, (2) securing Federal systems and information, (3) protecting 
cyber critical infrastructure, and (4) protecting privacy and sensitive 
data.
---------------------------------------------------------------------------
    \11\ GAO-21-288 and GAO, High-Risk Series: Urgent Actions Are 
Needed to Address Cybersecurity Challenges Facing the Nation, GAO-18-
622 (Washington, DC: Sept. 6, 2018).
---------------------------------------------------------------------------
Federal Law and Policy Establish Requirements for Critical 
        Infrastructure
    Federal law and policy establish roles and responsibilities for the 
protection of critical infrastructure, discussed below in chronological 
order.
   Presidential Policy Directive 21.--In February 2013, the 
        White House-issued Presidential Policy Directive 21, Critical 
        Infrastructure Security and Resilience, to specify critical 
        infrastructure responsibilities.\12\ Among other things, the 
        order designated 9 Federal sector-specific agencies with lead 
        roles in protecting critical infrastructure sectors. The lead 
        agencies coordinate Federally-sponsored activities within their 
        respective sectors. The policy also directed DHS to coordinate 
        with lead agencies to develop a description of functional 
        relationships across the Federal Government related to critical 
        infrastructure security and resilience. The policy further 
        provided that DHS, in coordination with lead agencies, to 
        conduct an analysis and recommend options for improving public-
        private partnership effectiveness.
---------------------------------------------------------------------------
    \12\ The White House, Presidential Policy Directive/PPD-21: 
Critical Infrastructure Security and Resilience, (Washington, DC: Feb. 
12, 2013).
---------------------------------------------------------------------------
   Executive Order 13636.--In February 2013, the White House-
        issued Improving Critical Infrastructure Cybersecurity, 
        Executive Order 13636, which called for a partnership with the 
        owners and operators of critical infrastructure to improve 
        cybersecurity-related information sharing.\13\ To do so, the 
        order established mechanisms for promoting engagement between 
        Federal and private organizations. Further, the order directed 
        DHS, with help from the lead agencies, to identify, annually 
        review, and update a list of critical infrastructure sectors 
        for which a cybersecurity incident could reasonably result in 
        catastrophic effects on public health or safety, economic 
        security, or National security.
---------------------------------------------------------------------------
    \13\ Exec. Order No. 13,636, 78 Fed. Reg. 11,737 (Feb. 19, 2013).
---------------------------------------------------------------------------
   National Institute of Standards and Technology (NIST) 
        Cybersecurity Framework.--Executive Order 13636 directed NIST 
        to lead the development of a flexible performance-based 
        cybersecurity framework that was to include a set of standards, 
        procedures, and processes.\14\ Further, the order directed the 
        lead agencies, in consultation with DHS and other interested 
        agencies, to coordinate with critical infrastructure partners 
        to review the cybersecurity framework. The agencies, if 
        necessary, should develop implementation guidance or 
        supplemental materials to address sector-specific risks and 
        operating environments.
---------------------------------------------------------------------------
    \14\ The Cybersecurity Enhancement Act of 2014 authorized NIST to 
facilitate and support the development of a voluntary set of standards 
to reduce cyber risks to critical infrastructure. 15 U.S.C.  
272(c)(15). The Framework for Improving Critical Infrastructure 
Cybersecurity represents that voluntary set of standards.
---------------------------------------------------------------------------
    In response to the order, in February 2014, NIST first published 
        its framework--a voluntary, flexible, performance-based 
        framework of cybersecurity standards and procedures. The 
        framework, which was updated in April 2018, outlines a risk-
        based approach to managing cybersecurity that is composed of 
        three major parts: A framework core, profiles, and 
        implementation tiers.\15\ The framework core provides a set of 
        activities to achieve specific cybersecurity outcomes and 
        references examples of guidance to achieve those outcomes.
---------------------------------------------------------------------------
    \15\ National Institute of Standards and Technology, Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.1 
(Washington, DC: April 2018).
---------------------------------------------------------------------------
   Cybersecurity and Infrastructure Security Agency Act of 
        2018.--The November 2018 act established CISA,\16\ within DHS, 
        and gave it responsibility to coordinate a National effort to 
        secure and protect against critical infrastructure risks. To 
        implement this legislation, CISA undertook a three-phase 
        organizational transformation initiative aimed at unifying the 
        agency, improving mission effectiveness, and enhancing the 
        workplace experience for CISA employees.
---------------------------------------------------------------------------
    \16\ Cybersecurity and Infrastructure Security Agency Act of 2018, 
Pub. L. No. 115-278, 132 Stat. 4168, 4169, (Nov. 16, 2018) (codified at 
6 U.S.C.  652). The act renamed the DHS National Protection and 
Programs Directorate as CISA.
---------------------------------------------------------------------------
   William M. (Mac) Thornberry National Defense Authorization 
        Act for Fiscal Year 2021.--The act established roles and 
        responsibilities for lead agencies, known as sector risk 
        management agencies, in protecting the 16 critical 
        infrastructure agencies.\17\ According to the act, among other 
        things, the lead agencies are required to: (1) Coordinate with 
        DHS and collaborate with critical infrastructure owners and 
        operators, regulatory agencies, and others; (2) support sector 
        risk management, in coordination with CISA; (3) assess sector 
        risk, in coordination with CISA; (4) coordinate the sector, 
        including by serving as a day-to-day Federal interface for the 
        prioritization and coordination of sector-specific activities; 
        and (5) support incident management, including supporting CISA, 
        upon request, in asset response activities.
---------------------------------------------------------------------------
    \17\ The William M. (Mac) Thornberry National Defense Authorization 
Act for Fiscal Year 2021 states that the term ``sector risk management 
agency'' replaces the term ``sector-specific agency'' in the Homeland 
Security Act of 2002. The act amends the Homeland Security Act of 2002 
and sets out sector risk management agency responsibilities within this 
critical infrastructure framework. Pub. L. No. 116-283,  9002, 134 
Stat. 3388, 4768.
---------------------------------------------------------------------------
    The act also established the Office of the National Cyber Director 
        within the Executive Office of the President.\18\ Among other 
        responsibilities, the Director is to serve as the principal 
        advisor to the White House on cybersecurity policy and 
        strategy, including coordination of implementation of National 
        cyber policy and strategy.
---------------------------------------------------------------------------
    \18\ Pub. L. No. 116-283,  1752, 134 Stat. at 4144 (codified at 6 
U.S.C.  1500).
---------------------------------------------------------------------------
    In June 2021, the Senate confirmed a director to lead this new 
        office. In October 2021, the National Cyber Director issued a 
        strategic intent statement, outlining a vision for the 
        Director's office and the high-level lines of efforts it 
        intends to focus on, including National and Federal 
        cybersecurity; budget review and assessment; and planning and 
        incident response, among others.\19\
---------------------------------------------------------------------------
    \19\ The White House, A Strategic Intent Statement for the Office 
of the National Cyber Director (Washington, DC: Oct. 28, 2021).
---------------------------------------------------------------------------
   Executive Order 14028.--In May 2021, the President issued, 
        Improving the Nation's Cybersecurity, Executive Order 14028, 
        that was prompted, in part, by malicious cyber campaigns that 
        threaten the public and private sectors.\20\
---------------------------------------------------------------------------
    \20\ Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 17, 2021).
---------------------------------------------------------------------------
     dhs actions urgently needed to protect critical infrastructure
    Over the last several decades, we have emphasized the urgent need 
for the Federal Government to improve its ability to protect against 
cyber and other threats to our Nation's critical infrastructure. In our 
recent work, we emphasized the need for the Federal Government to 
address major cybersecurity challenges through critical actions. These 
actions include the need for DHS to strengthen its role in protecting 
the cybersecurity of critical infrastructure. In addition, as we 
reported in March 2022, DHS's CISA should take actions to improve its 
priority-setting efforts for the protection of critical 
infrastructure.\21\
---------------------------------------------------------------------------
    \21\ GAO-22-104279.
---------------------------------------------------------------------------
DHS Needs to Strengthen Its Role in Protecting the Cybersecurity of 
        Critical Infrastructure
    The Federal Government has been challenged in working with the 
private sector to protect critical infrastructure. We have made 
recommendations aimed at strengthening DHS's role in critical 
infrastructure cybersecurity, including by: (1) Enhancing the 
capabilities and services of CISA and (2) ensuring that Federal 
agencies with sector-specific responsibilities are providing their 
sector partners with effective guidance and support.
            DHS Needs to Complete CISA Transformation Activities
    The importance of clear cybersecurity leadership extends beyond the 
White House to other key Executive branch agencies, including DHS. 
Federal legislation enacted in November 2018 established CISA within 
the Department to advance the mission of protecting Federal civilian 
agencies' networks from cyber threats and to enhance the security of 
the Nation's critical infrastructure in the face of both physical and 
cyber threats. The act elevated CISA to agency status; prescribed 
changes to its structure, including mandating that it have separate 
divisions on cybersecurity, infrastructure security, and emergency 
communications; and assigned specific responsibilities to the 
agency.\22\
---------------------------------------------------------------------------
    \22\ Cybersecurity and Infrastructure Security Agency Act of 2018, 
Pub. L. No. 115-278,  2,132 Stat. 4168, 4169, (codified at 6 U.S.C.  
652). The act renamed the DHS National Protection and Programs 
Directorate as CISA.
---------------------------------------------------------------------------
    To implement the statutory requirements, CISA leadership launched 
an organizational transformation initiative. In March 2021, we reported 
that CISA had completed the first two of the three phases of its 
organizational transformation initiative.\23\ Specifically, we noted 
DHS had not fully implemented its phase three transformation, which 
included finalizing the agency's mission-essential functions and 
completing workforce-planning activities by December 2020.
---------------------------------------------------------------------------
    \23\ GAO, Cybersecurity and Infrastructure Security Agency: Actions 
Needed to Ensure Organizational Changes Result in More Effective 
Cybersecurity for Our Nation, GAO-21-236 (Washington, DC: Mar. 10, 
2021).
---------------------------------------------------------------------------
    We also found that of 10 selected key practices for effective 
agency reforms we previously identified, CISA's organizational 
transformation generally addressed 4, partially addressed 5, and did 
not address 1. Further, we reported on a number of challenges that 
selected Government and private-sector stakeholders had noted when 
coordinating with CISA, including a lack of clarity surrounding its 
organizational changes and the lack of stakeholder involvement in 
developing guidance. Although CISA had activities under way to mitigate 
some of these challenges, it had not developed strategies to, among 
other things, clarify changes to its organizational structure. Figure 2 
below describes the coordination challenges identified by private-
sector stakeholders.


    To address these weaknesses, we made 11 recommendations to DHS. The 
Department concurred with our recommendations and, as of September 
2021, reported that it intends to fully implement them by the end of 
calendar year 2022. Implementing these recommendations will better 
position CISA to ensure the success of its reorganization efforts and 
carry out its mission to lead National efforts to identify and respond 
to cyber and other risks to our Nation's infrastructure.
            Sector Risk Management Agencies Need to Ensure Effective 
                    Guidance and Support
    Since 2010, we have made about 80 recommendations for various 
Federal agencies to enhance infrastructure cybersecurity. For example, 
in February 2020, we recommended that agencies better measure the 
adoption of the NIST framework of voluntary cyber standards and correct 
sector-specific weaknesses. Specifically, we found that most sector 
risk management agencies were not collecting and reporting on 
improvements in the protection of critical infrastructure as a result 
of using the framework across the sectors.\24\ We concluded that 
collecting and reporting on these improvements would help the sectors 
understand the extent to which sectors are better protecting their 
critical infrastructure from cyber threats.
---------------------------------------------------------------------------
    \24\ GAO, Critical Infrastructure Protection: Additional Actions 
Needed to Identify Framework Adoption and Resulting Improvements, GAO-
20-299 (Washington, DC: Apr. 9, 2020).
---------------------------------------------------------------------------
    To address these issues, we made 10 recommendations--one to NIST on 
establishing time frames for completing selected programs--and 9 to the 
lead agencies, to collect and report on improvements gained from using 
the framework. Eight agencies agreed with the recommendations, while 
one neither agreed nor disagreed and one partially agreed. However, as 
of November 2021, none of the recommendations had been implemented. 
Until the lead agencies collect and report on improvements gained from 
adopting the framework, the extent to which the 16 critical 
infrastructure sectors are better protecting their critical 
infrastructure from threats will be largely unknown. We reiterated 
these recommendations in a February 2022 report.\25\
---------------------------------------------------------------------------
    \25\ GAO, Critical Infrastructure Protection: Agencies Need to 
Assess Adoption of Cybersecurity Guidance, GAO-22-105103 (Washington, 
DC: Feb. 9, 2022).
---------------------------------------------------------------------------
    We have also frequently reported on the need for lead agencies to 
enhance the cybersecurity of their related critical infrastructure 
sectors and subsectors--such as transportation systems, communications, 
energy, education, and financial services.\26\
---------------------------------------------------------------------------
    \26\ GAO-21-288. See also GAO, Critical Infrastructure Protection: 
TSA Is Taking Steps to Address Some Pipeline Security Program 
Weaknesses, GAO-21-105263 (Washington, DC: July 27, 2021); GAO, 
Passenger Rail Security: TSA Engages with Stakeholders but Could Better 
Identify and Share Standards and Key Practices, GAO-20-404 (Washington, 
DC: Apr. 3, 2020); GAO, Critical Infrastructure Protection: CISA Should 
Assess the Effectiveness of its Actions to Support the Communications 
Sector, GAO-20-104462 (Washington, DC: Nov. 23, 2021); GAO, Critical 
Infrastructure Protection: Actions Needed to Address Significant 
Cybersecurity Risks Facing the Electric Grid, GAO-19-332 (Washington, 
DC: Aug. 26, 2019); GAO, Electric Grid Cybersecurity: DOE Needs to 
Ensure Its Plans Fully Address Risks to Distribution Systems, GAO-21-81 
(Washington, DC: Mar. 18, 2021); GAO, Critical Infrastructure 
Protection: Education Should Take Additional Steps to Help Protect K-12 
Schools from Cyber Threats, GAO-22-105024 (Washington, DC: Oct. 13, 
2021); and GAO, Critical Infrastructure Protection: Treasury Needs to 
Improve Tracking of Financial Sector Cybersecurity Risk Mitigation 
Efforts, GAO-20-631 (Washington, DC: Sept. 17, 2020).
---------------------------------------------------------------------------
CISA Should Improve its Priority-Setting Efforts
            CISA and Critical Infrastructure Stakeholders Do Not Find 
                    the NCIPP Useful
    In our March 2022 report, CISA and other critical infrastructure 
stakeholders we spoke with told us that the NCIPP's results were of 
little use. In addition, the stakeholders raised concerns with the 
program, which included the relevance of the program's criteria given 
the current threat environment, limited State participation, and lack 
of use among critical infrastructure stakeholders.\27\
---------------------------------------------------------------------------
    \27\ GAO-22-104279.
---------------------------------------------------------------------------
    Relevance of NCIPP criteria, given current threat environment.--We 
reported in March 2022 that CISA and other stakeholders questioned the 
present-day relevance of the criteria for adding critical 
infrastructure to the NCIPP list. To be included on the NCIPP's Level 1 
list (its highest consequence list), an asset's destruction or 
disruption must meet minimum specified consequence thresholds for at 
least two of the following four categories: Economic loss, fatalities, 
mass evacuation length, and degradation of National security.\28\
---------------------------------------------------------------------------
    \28\ CISA coordinates a voluntary effort with States and other 
partners to identify, prioritize, and categorize high-priority critical 
infrastructure as either Level 1 or Level 2 based on the possible 
consequences to the Nation in terms of our factors--fatalities, 
economic loss, mass evacuation length, and degradation of National 
security. According to DHS, the overwhelming majority of the assets and 
systems identified through the NCIPP are categorized as Level 2. Only a 
small subset of assets meet the Level 1 consequence threshold--those 
whose loss or damage could result in major National or regional impacts 
similar to the impacts of Hurricane Katrina or the September 11, 2001, 
attacks. The precise consequence thresholds for inclusion on the NCIPP 
list are information that DHS has designated as ``for official use 
only.'' We did not include the specific thresholds in this report so 
that we could publically present the results of our work.
---------------------------------------------------------------------------
    Senior officials with CISA, as well as other Federal, State, and 
private-sector officials we spoke with said that the consequence 
thresholds for these criteria did not reflect the current threat 
environment, which focuses more on cyber attacks and extreme weather 
events. The threat environment also focuses on vulnerabilities or 
attacks that can affect multiple entities within a short period. In 
this scenario, the consequences related to a single asset, entity, 
system, or cluster may not reach NCIPP thresholds, but the aggregate 
impacts may be Nationally significant, according to CISA officials.
    Limited State participation.--As part of the NCIPP process, we 
found in our March 2022 report that State homeland security agencies 
identify relevant critical infrastructure--both public and private--and 
nominate those assets for inclusion on the NCIPP list.\29\ However, 
CISA data showed that since fiscal year 2017, no more than 14 States 
(of 56 States and territories) provided new nominations or updates to 
the program in any given fiscal year.
---------------------------------------------------------------------------
    \29\ GAO-22-104279.
---------------------------------------------------------------------------
    Lack of use among critical infrastructure stakeholders.--Critical 
infrastructure stakeholders, including Protective Security Advisors 
(PSAs) and Cybersecurity Advisor (CSAs),\30\ we interviewed for our 
March 2022 report also questioned the NCIPP's usefulness.\31\ These 
stakeholders noted that the data were not accurate, relevant, 
consistent, or reflective of infrastructure risk. For example:
---------------------------------------------------------------------------
    \30\ CISA offers government (Federal, State, local, Tribal, and 
territorial), private sector, and other critical infrastructure 
stakeholders a suite of programs and services to identify and mitigate 
risks to infrastructure security. These include infrastructure and 
cybersecurity services, some of which are carried out by CISA's PSAs 
and CSAs. PSAs are operators with expertise in physical security 
protection, and CSAs are cybersecurity specialists responsible for 
helping to bolster owners' and operators' cybersecurity capabilities. 
Both types of advisors use their respective assessment tools to work 
with critical infrastructure stakeholders to help make critical 
infrastructure more resilient. CSAs and PSAs operate across CISA's 10 
regions. CSAs and PSAs we interviewed were from Regions 2, 3, 4, 5, 7, 
and 8. We also interviewed the CISA Regional Coordinator from Region 10 
for contextual information on the regional coordinator role; however, 
this interview is not included in our overall total number of regional 
stakeholder interviews, which include only the PSAs and CSAs.
    \31\ GAO-22-104279.
---------------------------------------------------------------------------
   PSAs and CSAs.--Three of the 12 PSAs and CSAs we spoke with 
        reported using the NCIPP list to a limited degree when planning 
        annual outreach to some facilities. However, these same 
        officials (as well as the other 9 we spoke with) all questioned 
        the list's accuracy and relevance. For example, one CSA said 
        that the current NCIPP list was missing key assets that needed 
        protection because the current criteria to be included on the 
        list were outdated.
   Sector Risk Management Agencies.--None of the 4 Sector Risk 
        Management Agency officials we contacted reported regularly 
        using the NCIPP list.\32\ Sector Risk Management Agency 
        officials raised a number of issues with the results, leading 
        them to not rely on the list for risk management purposes. For 
        example, officials from one Sector Risk Management Agency said 
        their department had a copy of the list, but it was generally 
        not something they referred to regularly or used in their 
        efforts. Officials felt that the types of infrastructure on the 
        list were not consistent across regions.
---------------------------------------------------------------------------
    \32\ Sector Risk Management Agencies we interviewed were the 
Department of Energy (energy sector), Environmental Protection Agency 
(water sector), and CISA (both the critical manufacturing and IT 
sectors).
---------------------------------------------------------------------------
   State homeland security agencies.--Only 1 of the 6 State 
        homeland security agencies we contacted reported regularly 
        using the NCIPP list.\33\ State homeland security agency 
        officials questioned the list's accuracy, and most said that 
        they did not use the list to inform risk communication or 
        influence decisions.
---------------------------------------------------------------------------
    \33\ One State homeland security official said that while data on 
the NCIPP was problematic, his State did refer to the NCIPP each year 
to inform the State's grant allocation methodology.
---------------------------------------------------------------------------
    Given the evolving risk landscape and CISA and the critical 
infrastructure community's recognition of the NCIPP's limitations, we 
made two recommendations to CISA regarding NCIPP: (1) That the agency 
improve its NCIPP process to better reflect current threats and (2) the 
agency should seek input from States that have not provided recent 
updates on identifying critical infrastructure. DHS concurred with the 
recommendations and described initial actions under way or planned in 
response to our report, with completion expected by September 2023.
            Limited Understanding of National Critical Functions 
                    Framework May Pose Challenges
    We reported in March 2022 that CISA's National Risk Management 
Center published a set of 55 critical functions in spring 2019 as part 
of its new National Critical Functions framework.\34\ According to CISA 
officials, since 9/11, the complexity and interdependency of critical 
infrastructure has expanded significantly. While the NCIPP has 
historically focused on protecting physical assets within the context 
of the 16 critical infrastructure sectors, primarily from acts of 
terrorism, the framework reflects a shift in risk management. The shift 
emphasizes resilience--maintaining and restoring the Nation's essential 
services and customary conveniences--along with hazards and threats 
that are increasingly cross-cutting in nature, particularly around 
cybersecurity and natural disasters. The complete list of functions is 
shown in figure 3.
---------------------------------------------------------------------------
    \34\ GAO-22-104279.
    
    
    Seven of 25 critical infrastructure stakeholders we met with were 
aware of and supportive of CISA's new direction and had positive 
feedback on the National Critical Functions; however, most of the 
Federal and non-Federal critical infrastructure stakeholders we 
interviewed reported being generally uninvolved with, unaware of, or 
not understanding the goals of the framework. Specifically, 
stakeholders did not understand how the framework related to 
prioritizing infrastructure, how it affected planning and operations, 
or where their particular organizations fell within the framework.
    For example, 8 of the 25 officials we interviewed said that 
communication from CISA headquarters regarding the National Critical 
Functions framework needed improvement. Industry officials from 1 of 
the 4 sectors we met with said that their sector's members were trying 
to cooperate with CISA and provide data when CISA requested it but said 
that the requests were often broad or their goals unclear. Officials 
from one State homeland security agency said that CISA often shares 
complex and academic presentations about sophisticated risk modeling 
and visualizations; however, officials said they felt those 
presentations were too complicated and, therefore, they did not know 
how they were supposed to use the information.
    Five of 6 CISA regional CSAs--who are responsible for reducing 
cybersecurity risks to the Nation's critical infrastructure--were also 
not using or did not understand how the National Critical Functions 
would affect their stakeholders, despite some of the functions having a 
cyber and IT focus. For example, one advisor said that they and their 
stakeholders--organizations for which he provides cybersecurity 
assessments--are bombarded with information. The advisor stated that 
they have not had time to understand the National Critical Functions 
framework, which they believed was more focused on physical security, 
rather than cybersecurity. The PSA and CSA in one region said that 
there was no prioritization within the 55 critical functions, making 
everything equally critical. Accordingly, the officials said they did 
not have a clear sense of what they--or DHS broadly--should prioritize. 
In response, CISA officials stated that stakeholders with local 
operational responsibilities were the least likely to be familiar with 
the National Critical Functions. These functions were conceived to 
improve the analysis and management of cross-sector and National risks. 
Still, CISA officials acknowledged the need to improve connection 
between the National Critical Functions framework and local and 
operational risk management activities and communications.
    As we stated in our March 2022 report, helping to ensure that 
stakeholders understand the goals of the framework and are involved in 
its implementation could aid CISA in its future infrastructure 
protection efforts.\35\ We therefore recommended that CISA ensure that 
stakeholders are fully engaged in the implementation of the National 
Critical Functions framework. DHS concurred with the recommendation and 
described initial actions under way or planned in response to our 
report, with estimated completion by October 2022.
---------------------------------------------------------------------------
    \35\ GAO-22-104279.
---------------------------------------------------------------------------
    In summary, cyber attacks, physical attacks, and other threats 
facing the Nation's critical infrastructure require an effective and 
coordinated public-private response. CISA has undertaken a wide range 
of efforts to identify and prioritize nationally significant critical 
infrastructure. However, as our previously-reported findings and 
recommendations indicate, urgent action is needed and CISA should take 
steps to improve and further these efforts. By taking steps to ensure 
that is process for identifying and prioritizing critical 
infrastructure accounts for current threats and meets the needs of all 
States, CISA and its partners could have a more relevant and useful 
understanding of critical infrastructure risk.
    Chairwoman Clarke, Ranking Member Garbarino, and Members of the 
subcommittee, this completes my prepared statement. I would be pleased 
to respond to any questions that you may have.

    Chairwoman Clarke. Thank you, Dr. Sherman, for your 
testimony this morning. The Chair now recognizes the Ranking 
Member of the full committee, the gentleman from New York, Mr. 
Katko, for an opening statement.
    Mr. Katko. Thank you, Madam Chair, for giving me the time 
to speak today, and thank you all for being here. It is a most 
important topic. I thank you, Mr. Garbarino, for holding this 
important hearing, as well.
    The public-private partnership that CISA maintains are 
integral to its ability to protect the Nation from 
cybersecurity threats. Yesterday's full committee hearing which 
we had in this room showed us that CISA's work in this space is 
excelling, but there is always room for improvement. We must 
work to ensure that CISA maintains the tools, resources, and 
relationships that it needs to protect our Nation's critical 
infrastructure.
    I have worked diligently, as well as my colleagues have, to 
ensure that CISA's adequately resourced in terms of funding, 
authorities, and work force, but we can't overlook the 
importance of the close and trusted relationships that CISA has 
developed with the private sector. It is just outstanding what 
you have done and we have got to keep that going. Those 
relationships is what allows the agency to collect and 
disseminate timely and valuable threat information in a trusted 
manner.
    Despite the passage of the cyber incident reporting 
legislation this year, which I think is a critical piece of 
legislation, which Madam Chair was a lead on, we can't lose 
sight of the value of those voluntary relationships. For 
example, last year, CISA took an important step forward by 
leveraging the authorities provided in the fiscal year 2021 
NDAA to establish the Joint Cyber Defense Collaborative, or 
JCDC. As the committee discussed yesterday, the JCDC has served 
as a force multiplier for our Nation's cybersecurity and it is 
wholly dependent on the voluntary relationship framework.
    Last year, I introduced the Securing Systemically Important 
Critical Infrastructure Act to allow CISA to efficiently 
allocate its resources by establishing a thoughtful, 
transparent, stakeholder-engaged process to identify what truly 
constitutes critical infrastructure. This methodical 
identification process would be accompanied by a prioritization 
of benefits for those entities deemed SICI. For the first time 
this effort would move CISA away from the current first-come 
first-served approach model by establishing a true risk-based 
approach to Federal cyber assistance.
    While there are conflicting opinions between my colleagues 
and myself on the right direction for SICI, I think we can all 
agree that allowing CISA to maintain its close partnerships 
with the private sector is the keystone to its long-term 
success and the cybersecurity of our Nation.
    I look forward to exploring these issues further with our 
witnesses today and I thank you again for being here. I thank, 
again, Chairwoman Clarke and Ranking Member Garbarino for your 
work on these issues. With that, I yield back.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    Thank you, Chairwoman Clarke and Ranking Member Garbarino for 
holding this important hearing today.
    The public-private partnerships that CISA maintains are integral to 
its ability to protect the Nation from cybersecurity threats.
    Yesterday's full committee hearing showed us that CISA's work in 
this space is excelling, but there is always room for improvement.
    We must work to ensure that CISA maintains the tools, resources, 
and relationships it needs to protect our Nation's critical 
infrastructure.
    I've worked diligently to ensure that CISA is adequately resourced 
in terms of funding, authorities, and workforce, but we can't overlook 
the importance of the close and trusted relationships that CISA 
maintains.
    Those relationships are what allows the agency to collect and 
disseminate timely and valuable threat information.
    Despite the passage of Cyber Incident Reporting legislation this 
year, we can't lose sight of the value of those voluntary 
relationships.
    For example, last year, CISA took an important step forward by 
leveraging the authorities provided in the fiscal year 2021 NDAA to 
establish the Joint Cyber Defense Collaborative, or ``JCDC.''
    As the committee discussed yesterday, the JCDC has served as a 
force multiplier for our Nation's cybersecurity, and it is wholly 
dependent on the voluntary relationship framework.
    Last year, I introduced the Securing Systemically Important 
Critical Infrastructure Act to allow CISA to more efficiently allocate 
its resources by establishing a thoughtful, transparent, stakeholder-
engaged process to identify what truly constitutes critical 
infrastructure.
    This methodical identification process would be accompanied by 
prioritization of benefits for those entities deemed SICI. For the 
first time, this effort would move CISA away from the current first-
come, first-served model by establishing a true risk-based approach to 
Federal cyber assistance.
    While there are conflicting opinions on the right direction for 
SICI, I think we can all agree that allowing CISA to maintain its close 
partnerships with the private sector is the keystone to its long-term 
success, and the cybersecurity of our Nation.
    I look forward to exploring these issues further with our 
witnesses. Thank you again for being here, and thank you, Chairwoman 
Clarke and Ranking Member Garbarino, for your work on these issues.

    Chairwoman Clarke. I thank our Ranking Member, Mr. Katko, 
for his opening statement. I want to thank our witnesses for 
their testimony.
    I will remind the subcommittee that we will each have 5 
minutes to question the panel. I now recognize myself for 
questions.
    As I mentioned in my opening, with cyber incident reporting 
legislation behind us, I want to use this hearing to talk about 
what is next. The Solarium Commission recommended a new 
designation for entities that are the most critical of the 
critical or systemically important to our National security, 
which would come with benefits, such as threat intelligence, 
and burdens, like security requirements.
    Mr. Goldstein, broadly speaking, does CISA support the 
concept of codifying this designation as the Solarium 
Commission described it with benefits and burdens for designees 
or is CISA envisioning a different approach?
    Mr. Goldstein. Thank you, ma'am. Prioritization is 
foundational to our ability to protect the country against both 
cyber and physical threats. Within CISA today we are focused on 
developing a list of what we call systemically important 
entities that are critical to National critical function, these 
sorts of services upon which Americans depend every day to go 
about their daily lives. Based upon this prioritization effort, 
we will be more effectively able to drive operational 
collaboration with those organizations that have the ability, 
the scale, the visibility to drive down risk for the Nation and 
prioritize our provision of services and develop new services 
that are most effectively tailored to support those entities 
that are most critical to our country.
    Our work in developing this systemically important entity 
list aligns closely to the definition and the approach proposed 
by the Solarium Commission. Our focus importantly here is on 
entities, who are the organizations with whom we need to 
partner. But the underlying philosophy of prioritization as an 
enabler of collaboration and an enabler of risk reduction is 
one in which we are wholeheartedly focused.
    Our priority today is ensuring that we understand these 
prioritized entities and we can work within our current 
voluntary model to ensure that we are driving operational 
collaboration and provision of services to drive down risk to 
these entities and the National critical functions that they 
support. We very much look forward to updating the subcommittee 
and your staff on our progress in developing this list and 
working with you going forward to ensure we have the 
authorities and resources to make the best use of this 
prioritization.
    Chairwoman Clarke. Mr. Knake, as Congress considers this 
new designation, what are some of the competing priorities and 
tradeoffs? For instance, is the goal to cement long-term 
operational partnerships with key partners or is it more about 
developing a dynamic methodology that can be used as threats 
evolve, whether that is a pandemic, a hurricane, or a war in 
Eastern Europe?
    Mr. Knake. Thank you for the question. I think we want to 
look at, and I think this aligns very well with where CISA is 
and the National Risk Management Center is, on the ability to 
both have a dynamic list based on current threats as well as an 
understanding of what are the entities that are on a 
consequence base the most essential and the most important? So, 
what we have seen as we work through the pandemic, what we have 
seen as we work through the threat from Russia, is CISA and the 
NRMC have been able to move quite rapidly to say here are the 
organizations that are most affected by this emerging threat, 
who are most at risk.
    At the same time, a much smaller list is needed and exists 
of those systemically important entities that are really just 
consequence-driven, that no matter what the vulnerabilities are 
or the threats are, we need to make sure that they have got the 
protections in place so the American people can be assured that 
the services and the functions they provide will continue. So, 
I don't think it is necessarily an either/or.
    Chairwoman Clarke. Dr. Sherman, this is not the first time 
we have tried to identify our most significant infrastructure. 
Can you talk about some of the challenges GAO has uncovered 
with respect to maintaining these lists and making sure they 
are relevant and useful? How important is it that we go into 
this with a clear sense of the goals and security outcomes we 
are trying to achieve?
    Ms. Sherman. Ensuring that the list is valued or perceived 
as valued, relevant, and useful by stakeholders, both within 
Government and the private sector, is critical. Yes, goals and 
strategies are also key.
    Based on our work, actually both in 2013 and the work that 
we recently carried out in 2022, there were similar themes that 
we identified with respect to the list that emerges from the 
National Asset Database. The first one is concerns not only 
from external private-sector stakeholders, but within the 
Federal Government, as well, that the assets on the list are 
not reflective of current threats, most importantly cyber 
attacks. Therefore, again, to be able to demonstrate the value 
of that list, it is important to make sure that it is current, 
relevant, and useful.
    Then finally, with respect to goals and strategies, it is 
absolutely important to make sure that it is transparent and 
clear in terms of what the endpoint is for having a list. Let 
us prioritize how it will be used and working backward to make 
sure those goals and strategies are met.
    Chairwoman Clarke. Thank you. Before I yield back I want to 
know how critical it is that as you begin rolling up your 
sleeves on cyber incident reporting, we do everything you can 
to expedite this rulemaking, recognizing, of course, that we 
also need to allow for ample stakeholder consultation and 
regulatory harmonization.
    With that, I now recognize the Ranking Member of the 
subcommittee, the gentleman from New York, Mr. Garbarino, for 
his questions.
    Mr. Garbarino. Thank you, Chairwoman. Mr. Goldstein, you 
were just talking about the voluntary relationship model and 
JCDC, I think, is a great example of what has been going on. 
Have you run into any hurdles in building this out? If so, how 
can we help?
    Mr. Goldstein. Thank you, sir. The collaboration that we 
have seen through the Joint Cyber Defense Collaborative has 
been nothing short of remarkable. In the course of our Nation's 
response to the Russian invasion of Ukraine, we have 
operational collaboration virtual environment through the JCDC 
with our Nation's largest and most important technology 
companies, energy firms, financial entities, and those 
organizations were identified based upon their criticality, 
really a leading example of the sort of operational 
collaboration that we can drive through efforts like the 
identification of systemically important entities.
    What we have seen, and this was reflected in yesterday's 
hearing in the full committee, is the best way of incentivizing 
voluntary collaboration is for the Government to show value, 
the Government to be at the table cohesively as a co-equal 
partner across all of the different agencies that have 
different equities in this space, with CISA serving as the 
convening platform, as the lead for domestic cyber defense. 
Then providing our partners in the private sector with both the 
platform and the opportunity to exchange information and get 
real value in return.
    We have seen remarkable improvements even in the last 6 
months in this kind of effort and we are excited for the 
maturation to come.
    Mr. Garbarino. That is great to hear. Do you think that 
these partnerships with the companies, the private sector being 
so willing to work with us and have this partnership, should we 
be concerned that these relationships might change if CISA 
takes more of a regulator role, if we turn it into a regulator? 
Is that a concern that you have heard from the private sector?
    Mr. Goldstein. Certainly CISA's role in the current space 
as a trusted partner in cybersecurity, where our goal is solely 
to catalyze and improve cybersecurity as a voluntary partner, 
is one that is invaluable. That is a relationship that we work 
very hard to preserve and advance with partners across sectors.
    Mr. Garbarino. The Chairwoman mentioned it. The Chairwoman 
mentioned when she talked about the importance for rulemaking, 
especially with the new cyber incident reporting bill, but 
systemically critical infrastructures, you know, making sure 
that list up to date, as Dr. Sherman said, do you have the 
resources to be able to do both right now? Do you need more? 
Can you tell us what CISA needs?
    Mr. Goldstein. So, we are deeply grateful for the work of 
Congress and this committee for providing CISA with additional 
resources in the recently-passed omnibus and working with us to 
ensure that we have a growth trajectory that aligns with the 
breadth of our National mission. Certainly we know that the 
cyber and physical security risks facing our country continue 
to get more grave and we look forward to working with the 
committee to ensure that in future years our growth continues 
on the appropriate pace so that we can effectively address the 
threats we are facing.
    Mr. Garbarino. But you feel like you will be able to get 
both done?
    Mr. Goldstein. Today we are able to execute the mission 
ahead of us in the immediate future, but certainly we will want 
to continue to work together to ensure that we continue to meet 
the risk.
    Mr. Garbarino. Great. Dr. Sherman, you mentioned in your 
opening statement that you have a list of items that you want 
the agency and DHS to take up and you are hoping to implement 
them quickly. What is on the list? What recommendations do you 
have?
    Ms. Sherman. Sure. So, based on the recent report and the 
comments I made in response to Chairwoman Clarke, it is 
important to ensure that the list that is prioritized as a 
function of the National Asset Database reflects current 
threats. We also believe that stakeholder input is increased. 
We feel like it is important to make sure that State and local 
governments, as well as the private sector, are able to more 
proactively share their perspective in terms of nominations and 
removals as part of the list, the prioritization list.
    One of the things that we had found actually over the past 
5 fiscal years is that in any given fiscal year there were no 
more than 14 States that provided input to CISA related to the 
prioritized list. We think that is for several reasons, one of 
which is that they don't find value in the list because it is 
not reflective of what they think is truly important. They 
don't believe that the different types of infrastructure that 
are included on the list are consistent across States. They 
have raised concerns that--with respect to how the list is 
actually used and how meaningful it really is for them.
    So, we definitely believe that increased stakeholder is 
important, as well.
    Mr. Garbarino. I appreciate that and I am out of time, so I 
yield back. Thank you, Chairwoman.
    Chairwoman Clarke. I now recognize the Ranking Member of 
the full committee, the other gentleman from New York, Mr. 
Katko, for his questions at this time.
    Mr. Katko. The other gentleman. Thank you very much, Madam 
Chair. Thank you all for your testimony.
    I must say at the outset, Mr. Knake, I was thinking when 
you were talking about how good it is to have a National cyber 
director finally in place again and someone that can be the 
coach of the whole field here. I am very pleased with what is 
going on there and the relationship Inglis has with the various 
subsets, one of which is CISA.
    Mr. Goldstein, I can't say enough how encouraging it is to 
see that CISA is developing those really trusted and treasured 
partnerships with the private sector. It is so critical to 
their mission. The more we can develop that trust and the 
trusted exchange of information, by far we are going to make 
this whole cyber landscape safer. So, it is in that vein that I 
have a couple of questions for you.
    Obviously, we are all concerned about infrastructure in 
general and systemically important critical infrastructure in 
particular given the threat that Russia now poses, an increased 
threat. So, I wonder if you can give us an update on the 
current State of the effort to define SICI, as you will, which 
is not the best acronym, by the way. I know that is why CISA 
came up with the PISCES acronym and I want to figure out what 
the two are. So, why don't you explain to us what the two are 
and how they work together? Maybe give us, after that, give us 
a little bit of the private-sector input, if you would.
    Mr. Goldstein. Thank you, sir. Of course. At CISA, through 
our National Risk Management Center, we are currently focused 
on developing our list of systemically-important entities, and 
these are organizations that own, operate, or otherwise control 
critical infrastructure that, if degraded, would have 
debilitating systemic or cascading impact on our National 
security or----
    Mr. Katko. So, just to interrupt you just for a second, I 
think that is so important because if all critical 
infrastructure is systemically important than nothing is, 
right? So, we have to take the most critical of the critical. 
Is that basically the effort we are trying to do here?
    Mr. Goldstein. Yes, sir.
    Mr. Katko. OK. Well, go ahead.
    Mr. Goldstein. Importantly, sir, there are a few important 
nuances with the definition that we are utilizing at CISA. The 
first, as I mentioned at the outset, is our focus on entities 
because we need to figure out the organizations with whom we 
are partnering. So focusing on entities allows us to use this 
prioritization to actually drive collaboration and drive 
provision of services to those organizations we need to help.
    The second important aspect is this idea of cascading 
effects or systemic impact, which means that we can look at 
some of these smaller organizations, organizations in the 
supply chain that are deeply critical, but actually might not 
be--might not have as much revenue or market share as others in 
a given sector.
    The third piece, which really is critical, is the tie to 
National critical functions, the services upon which the 
American people and businesses rely every day to go about our 
daily lives. By tying the entity list to National critical 
functions, that then lets us do the rigorous analysis to figure 
out how do we keep these functions at the end of the day 
available and resilient? Which really is why we are all here.
    Today, our National Risk Management Center has developed a 
rigorous methodology to decompose our National critical 
functions into a list of systemically important entities. That 
work is on-going and our goal here is for this to be both a 
rigorous and strongly methodological approach, but also one 
that is transparent and gets input from our partners in 
Government and the private sector to ensure, to Ms. Sherman's 
very well-taken point, that we have--that the list is 
understood and credible by those organizations who are so 
designated on the list.
    Mr. Katko. Yes, so if you could just drill down a little 
bit more on the private sector input. What is the nature and 
quality of the input you are getting from them right now or 
asking for?
    Mr. Goldstein. So, thus far, we are still at the fairly 
early stages of that process. We are beginning to reach out 
through our sector fora to get input on the methodology and the 
process. As this work evolves and we generate the underlying 
lists for National critical functions, we do intend to do 
robust engagement with our sector partners with whom we work so 
closely to ensure that both the methodology is understood and 
the outputs therefrom.
    Mr. Katko. OK, great. Thank you very much and I appreciate 
that. I really strongly encourage you to continue your 
collaborative effort with the private sector.
    Mr. Knake, is there anything you want to add to that? Your 
microphone, please.
    Mr. Knake. I am sorry, sir. Just that we are working very 
closely with CISA as we try and understand what additional 
authorities they may need in order to further this work. I 
think we have a good sense of where they are today and what 
they have been able to do under current authority. We need to 
work with them to identify are there additional authorities 
that would help them do that kind-of deeper level 
identification you are discussing?
    Mr. Katko. Thank you very much. I know I am out of time, 
but I just want to say, Ms. Sherman, the work that your office 
does. Please keep it up because your input is very valued and I 
wanted to let you know that even though I didn't have time to 
ask you a question.
    I yield back. Thank you very much.
    Chairwoman Clarke. The Chair will now recognize other 
Members for questions they may wish to ask the witnesses. In 
accordance with the guidelines laid out by the Chairman and 
Ranking Member in their February 3 colloquy, I will recognize 
Members in order of seniority, alternating between the Majority 
and the Minority. Members are also reminded to unmute 
themselves when recognized for questioning.
    The Chair now recognizes for 5 minutes the gentlewoman from 
Texas, Ms. Sheila Jackson Lee.
    Ms. Jackson Lee. Let me thank the Chair very much for this 
hearing and the Ranking Member, as well, and the committee. Let 
me pose questions.
    As I listened to Ranking Member Katko's question, let me 
ask all three, starting with Mr. Goldstein and then following 
Mr. Knake and Ms. Won Sherman. I would appreciate it if they 
were brief because I have a series of questions, but I really 
would like to know the gaps in the authorities that have 
impeded previous efforts to identify and boost the security of 
critical infrastructure.
    We have been on a long journey on this and we certainly 
have been on a long journey as it relates to finding out about 
critical infrastructure. I remember doing this in the early 
2000's and looking at water and other forms of the electric 
grid, but really looking at it from probably a very naive 
perspective.
    What is happening now? What impedes you from having the 
fullest comprehensive review on this vast critical 
infrastructure subjected now to dangerous operators, such as 
those housed in Russia?
    Mr. Goldstein. Thank you, ma'am. Congress, led by this 
committee, has done an extraordinary job over the past few 
years of providing CISA with new and robust authorities for us 
to conduct our mission as the Nation's lead for domestic cyber 
defense, whether that is establishing the Joint Cyber Defense 
Collaborative last year, whether it is providing the authority 
to establish mandatory incident reporting requirements this 
year, or even, going a few years back, providing us the ability 
to issue subpoenas to identify the operators of vulnerable 
devices or protect information shared with us.
    Ms. Jackson Lee. Let me interject to say that I want to 
go--I thank you for recognizing that I would like to ensure 
that we know what else we need to do.
    Mr. Goldstein. Yes, ma'am. At this point today, we are 
focused on fully implementing the authorities that we have been 
provided, including those that were just recently provided this 
year through the Congress and good work of this committee. Very 
much looking forward to working with this committee and your 
staffs to ensure that any gaps or impediments as they emerge 
are rapidly identified and we can work with Congress to address 
them.
    Ms. Jackson Lee. All right. Does anyone have any specifics 
that have not answered, Mr. Knake or Ms. Won Sherman?
    Mr. Knake. Thank you. Thank you, Congresswoman. What I 
would add is it is a gap, but we don't necessarily know at this 
point whether it needs to be filled, so I want to be careful in 
making this point.
    Right now, DHS wouldn't have the capacity to do what might 
be called a census. They wouldn't have the capacity to go out 
to critical infrastructures, say provide us this information 
back, and then we will evaluate it. Now, whether they need that 
authority, whether they need that information is an open 
question. They have got a lot of other data sources that they 
can pull on to identify critical infrastructure at this point. 
So I think it is an open question as to whether or not that 
kind of census-like activity would really actually be 
important.
    Ms. Jackson Lee. I think that is an important point you 
made.
    Let me just change the question for you, Ms. Won Sherman, 
and ask about the narrative dealing with Russia and the example 
of Colonial Pipeline. They were housed in Russia, obviously. 
The Russian government at that time indicated that they as a 
government were not involved. But in light of the horrors in 
Ukraine and the seemingly ramping up on the Russian 
government's sort-of negative operations that may include cyber 
attacks that they have done in other countries, what do we need 
to do here in the United States domestically?
    Ms. Sherman. One area I would like to speak to has to do 
with CISA's role as the National coordinator for the Sector 
Risk Management Agencies. This is a space that we are starting 
to look more into at GAO. You know, at this stage we believe 
that CISA has several opportunities to be able to more 
proactively engage with those Sector Risk Management Agencies. 
As a Sector Risk Management Agency itself for multiple sectors, 
to be able to bring them along in terms of implementing and 
carrying out their responsibilities from the fiscal year 2021 
NDAA, and to be able to improve the information sharing as well 
as coordination within the sector and across all of the sectors 
to ensure that there is a more informed understanding of the 
key issues in the various sectors, especially in the lifeline 
sectors and those specific to the concerns that you are raising 
here with respect to Russia.
    Ms. Jackson Lee. Thank you very much. Thank you, Madam 
Chair. I yield back.
    Chairwoman Clarke. The Chair now recognizes for 5 minutes 
the gentlewoman from Tennessee, Mrs. Harshbarger.
    Mrs. Harshbarger. Thank you, Chairwoman. Thank you, 
witnesses, for being here today. I do have a question for Mr. 
Knake.
    As we are all aware, there is a new incident reporting law 
on the books, but that doesn't mean we can lose sight of the 
importance of the voluntary relationships between CISA and the 
private sector. I guess my question is, should Congress be 
considering any additional incentives that could be used to 
enhance the two-way dialog between the Federal Government and 
owners and operators of critical infrastructure?
    The reason I ask that is I have multiple companies within 
my district, when I go visit, they tell me they have been--had 
cyber attacks and been hacked multiple times. They just go 
ahead and pay the ransomware and don't report that to the FBI. 
So, there is probably reasons that they don't report that. Of 
course, they don't want their customer base to think they can't 
protect their information or stockholder--you know, the stocks 
go down and they don't want to be hauled in front of Congress.
    But tell me what you are doing to make that a better 
private partnership with these Government entities, sir.
    Mr. Knake. Thank you for the question. It is a really 
important one.
    I believe as part of that bill one of the things that CISA 
was instructed to do that we are part of is to establish a new 
ransomware task force that is going to look at these issues. So 
I believe we are on a fairly tight time line to get that stood 
up and to start figuring out how we can make sure that 
ransomware is treated as the National security priority that it 
is and that our Government, which is often very focused on 
these large systemically important entities that affect the 
entire Nation is providing support, is providing services, and 
is providing incentives to those smaller businesses that are 
really the backbone of the economy.
    So that ransomware task force, which Congress has mandated 
that we will play a large role in and that CISA will lead, is 
absolutely essentially to that activity.
    Mrs. Harshbarger. Well, it absolutely is. We were in the 
SCIF talking about the cyber threats from Russia and one of my 
colleagues asked how will we know when we are hit? They said, 
well, we will know when it--when we are hit. So, is there 
anything we can do to preemptively stop it?
    You know, I think about and I talk about TBA in my district 
and how they--you know, I talked to their CEO and how they 
protect the TBA system basically from attacks as far as the 
grid or EMP and things like that. But cyber is a very big 
threat and they said they had--they were protected. So, you 
know, it is a little bit worrisome that you won't know until it 
happens.
    In the first hearing I was ever in, you remember that we 
had 9 different Government agencies hacked and they didn't even 
know it. We had Microsoft and FireEye and SolarWinds, and I am 
like what can we do to protect these private companies and our 
own Government? It is worrisome. Anybody have a response?
    Mr. Goldstein. Yes, ma'am. I will offer a few points on 
that great question about it.
    The first is we really collectively need to push a cultural 
change in how we think as a country about cyber incident 
reporting. It is terrific and Congress has provided CISA with 
the authority to mandate reporting. But even in lieu of that 
requirement or while that requirement is being executed, the 
rulemaking organizations need to understand the value of 
reporting incidents to the Federal Government, which is, of 
course, first so that the U.S. Government can offer assistance 
if needed, but it is also so that we can help understand the 
breadth of campaigns and contain them before other 
organizations are victimized.
    That is why at CISA we have had our Shields Up campaign for 
months now, really evangelizing this perspective that if you 
see anything unusual in your networks, tell the U.S. 
Government, tell CISA, so that we can help understand is this 
actually a leading indicator of a foreign adversary campaign? 
Also why at CISA--it was wonderful to hear Mr. Garbarino talk 
about his meeting with our Region 2 colleagues. Because we have 
regional representatives throughout the country who every day 
are knocking on doors, physically and virtually, and explaining 
the value of proactively voluntary reporting. Again, CISA is 
not a regulator in this space and so our goal exclusively is to 
ensure that organizations know how to protect themselves and to 
help identify intrusions, so we can help safeguard others.
    Mrs. Harshbarger. OK. Well, thank you for that answer. With 
that, I will yield back.
    Chairwoman Clarke. The Chair now recognizes for 5 minutes 
the gentleman from Rhode Island, Mr. Langevin.
    Mr. Langevin. Good morning. Madam Chair, can you hear me 
OK?
    Chairwoman Clarke. Yes, we can.
    Mr. Langevin. Very good. Well, I want to thank you, Madam 
Chair, for hosting this very important hearing. I want to thank 
our witnesses for their testimony today and the exceptional 
work you are doing in protecting our Nation's cybersecurity.
    Let me just associate myself with the remarks from the 
Ranking Member in complimenting CISA and how closely you are 
working with private-sector entities to make sure that they are 
secure. Also I applaud you for the work you have done under 
Director Easterly's leadership and Director Goldstein in 
standing up the Shields Up Program to make sure that we are 
prepared for any blowback and threats from Russia.
    So, let me start with Mr. Knake. So, I believe that, you 
know, one important factor in considering SICI or other public-
private cybersecurity partnerships is the degree to which those 
partnerships need to be shaped by the cybersecurity maturity of 
the entities that are involved. So, a critical infrastructure 
entity's in-house cybersecurity capability will affect really 
the utility of different kinds of assistance the Government can 
provide.
    You know, for many resource-constrained critical 
infrastructure entities, technical assistance and other CISA 
services can be extremely valuable. But other critical 
infrastructure entities have a much higher degree of 
cybersecurity maturity, including many of those that I would 
construe as systemically important critical infrastructure. For 
those entities, the return on investment of technical 
assistance would be lower whereas access to more actionable 
cyber threat intelligence to inform their own defenses would be 
more helpful.
    So, Mr. Knake, how is ONCD thinking about this issue in the 
context of promoting operational collaboration with 
systemically important critical infrastructure?
    Mr. Knake. Thank you, Congressman. That is a great 
question.
    I think you are right. If you look at a lot of the 
systemically important entities, these are very well-resourced 
organizations for cybersecurity. They purchase many of the 
services that CISA could provide to them. That is not where 
they are looking for support. They have got their own red-
teaming capability. They have got their threat hunting 
capability. It is probably more important for CISA to deploy 
those resources strategically to the organizations that are 
important or systemically important, but don't have the kind of 
budget, let us say, some of these larger entities do.
    When we talk to these large systemically important entities 
the thing that they really do emphasize is that intelligence 
piece. What is the one thing that they are not allowed to do, 
right? They cannot go out and collect foreign intelligence in 
the way that the U.S. intelligence community can. That would be 
illegal for them to do. They understand that, but yet they see 
the need to collect that kind of threat intelligence, have it 
shared with them, have it operationalized by them. So, I think 
that is the critical important piece here.
    What we are looking at is what are the opportunities to 
really move that into real time? How can we move from 
situations in which we are saying come down to the SCIF at the 
FBI office wherever you are located and we will give you a 
brief, to how can we get this out to you in a secure form that 
you can use to protect your network? There is a lot that we can 
do, there is a lot that we have done to declassify data, to 
push it out broadly, push it out widely on the internet. I 
applaud what CISA's done in that regard.
    But we are really trying to look at how could we actually, 
with these systemically important entities, really bring them 
into some kind of collaborative environment where we could 
trust that that environment is secure and this kind of 
information can be shared?
    Mr. Langevin. Yes. That is why I think the joint 
collaborative environment which the Solarium Commission has 
recommended and which is a top priority for me this year was to 
create that common tool set for sharing information in real 
time and understanding context.
    But for both of you, based on testimony we have heard 
today, it is clear that CISA's systemically important entities 
effort is engaged in a rigorous identification process, but the 
next steps of what to do with the list appear less clear to me 
than the Solarium Commission's vision of SICI, which recalls 
for specific benefits and obligations to SICI entities. So, 
while an accurate identification process is important, we must 
also have a clear picture of the policies and strategies that 
will govern and strengthen the partnership between Federal 
Government and our most critical infrastructure entities.
    So, for Mr. Knake and Mr. Goldstein, if CISA develops a 
list of systemically important entities, what does the 
administration plan to do with it? How would those factors, 
like cyber maturity, as we discussed today, play a role in 
where and how the Government would prioritize its efforts to 
partner with critical infrastructure owners and operators?
    Mr. Goldstein. Yes, sir. Thank you for that question. As 
ever, thank you for your leadership on this critical issue.
    We are focused on utilizing the SIE list for two main 
purposes. In the first instance recognizing that on value, such 
a list is that its applicability will evolve over time as the 
risk environment changes apace. But the first is to use it to 
drive operational collaboration and bring together 
organizations across sectors, across National critical 
functions into the Joint Cyber Defense Collaborative to enable 
that sort of risk-reduction efforts that we are already doing 
with highly critical entities across three sectors in the 
context of the Russian invasion of Ukraine. As the SIE effort 
expands, we will be able to do that prioritized collaboration 
more effectively.
    The second piece is focusing on supply chains with these 
key SIE entities to ensure, to Rob's very well-taken point, if 
an organization doesn't need U.S. Government risk-reduction 
services, we can understand their dependencies and their supply 
chains to reduce their risk going forward.
    Chairwoman Clarke. The gentleman's time has expired.
    Mr. Langevin. Thank you, Madam Chair.
    Chairwoman Clarke. The gentleman's time has expired. Thank 
you, too, Mr. Langevin, for all of your dedication and hard 
work in this space.
    The Chair now recognizes for 5 minutes the gentlewoman from 
Michigan, Ms. Slotkin.
    Ms. Slotkin. Thanks very much, Madam Chair. Thanks for 
being here. I echo my comments that Representative Langevin, 
Representative Katko are two Members who have a ton of in-depth 
knowledge on cyber and it is really difficult to think of both 
of them not here next term.
    I wanted to take kind-of a 40,000-foot view for a second. 
You know, I think, unfortunately, what I hear from people in my 
district more often than not is they have no idea, you know, 
who in the U.S. Government is protecting them from cyber 
attack. They feel like they are on the front lines, that they 
are being attacked all the time, and their Government--they 
just don't know like who is the 9-1-1 call? What does it look 
like, these folks who are protecting me or trying to protect 
me? They know what a police officer looks like. They know what 
someone in the military looks like. So, I would just put a note 
in that we need to also communicate to the American public, not 
just within Washington circles, kind-of what we do, what you 
all do to protect people.
    But I want to talk about two sectors that we haven't talked 
about very much. One is the agriculture sector and second is K 
through 12 schools. In the ag sector, obviously JBS, the 
ransomware attack last year, was a really big deal. I come from 
a district with a ton of farmers and it was like the first 
thing on their mind when I brought the Secretary of Agriculture 
last summer.
    So, my understanding is there is not an ISAC or like a 
community of folks that are focused on cybersecurity in the ag 
world. Can you tell me briefly, first and foremost, what you 
are doing and what reassurance we can give farmers that our 
food security systems are protected and being looked at?
    Then second, K though 12, it is just amazing. You get 10 
superintendents from my district together. Every single one of 
them has been the victim of a ransomware attack. Every single 
one of them is desperate for tools to protect our kids' data.
    So, tell me what we are doing in those two sectors, please, 
if you could.
    Mr. Goldstein. Certainly. Both great questions. Regarding 
the food and ag sector, you know, certainly the ransomware 
intrusion affecting JBS put in stark relief the impacts that a 
cyber intrusion on the food and ag sector could have on the 
availability of the food supply to the American people. You 
know, I actually personally met this week with a number of the 
largest meat producers in the country and this sector is one 
that is of paramount importance to our collaborative efforts.
    Our goal with the food and ag sectors, as with other 
sectors, is to work really closely with those organizations and 
their security leadership that accounts for the preponderance 
of food production, food distribution, and food supply in this 
country understand areas of needed improvement or areas where 
we can help advance their cybersecurity programs and then 
ensure that they are getting the specific services, tools, and 
information from CISA and our partners, including USDA, as 
applicable, to meet them where they are. So our goal with this 
sector is to really partner with the organizations that 
contribute to the related National critical functions to ensure 
that we are providing them with everything we can to shore up 
their security.
    K-12 cybersecurity, ma'am, as you note, is an absolute 
urgent issue. We know that many K-12 school districts lack the 
resources and maturity to secure their networks in many cases 
against sophisticated threats. Congress thoughtfully 
anticipated this issue in passing the K-12 Cybersecurity Act, 
which directed CISA to conduct a study on this very issue and 
assess how we can provide more effective services and tools and 
information to the K-12 cybersecurity community. That work is 
on-going. I am very much looking forward to briefing this 
subcommittee on our conclusions, but this is an area where our 
regional team members at CISA have so much value because we 
know----
    Ms. Slotkin. Yes, I am a cosponsor of that legislation. I 
think I would offer that our cybersecurity community, which is 
doing yeoman's work in trying to, you know, gain all these 
connections with these different sectors, it is one thing to 
come and testify, it is one thing to kind-of have conversations 
about what you are doing in a forum like this. I would offer 
that part of the responsibilities of your agencies is to also 
communicate out to normal people who have no idea how to keep 
themselves safe. I would just ask that you maybe look at your 
budget on this matter and redouble your efforts to communicate 
to real people who don't understand what you all do and how it 
protects them and how that should be--how their 
responsibilities fit into that. Right? Making sure they are 
doing everything they can on cyber hygiene.
    So, thank you for that. Thank you for your work. I yield 
back.
    Chairwoman Clarke. I thank the gentlewoman for her line of 
questioning. I wanted to recognize the Ranking Member for a 
follow-up question. I myself have a few follow-up questions, so 
I yield to the gentleman from New York, Mr. Garbarino.
    Mr. Garbarino. Thank you, Chairwoman. Are you sure you 
don't want to go first? Whatever, I can go. OK. Thank you.
    Mr. Goldstein, you started answering this question before 
and Ms. Sherman brought up when she talked about sector risk 
management coordination and how you are going to work together 
with these other agencies. I know you have already started, 
CISA has already started some programs through the Section 9 
list and the U.S. Department of Energy has begun initiatives to 
strengthen resilience in the energy sector. What is CISA's plan 
to make sure that all the Sector Risk Management Agencies have 
a say in determining what is systemically critical 
infrastructure and to make sure everybody is kept up-to-date 
and, you know, everybody is reading from the same sheet of 
music?
    Mr. Goldstein. Yes, thank you, sir. The SRMAs are critical 
partners in really everything we do at CISA. But particularly 
when we are identifying systemically important entities, SIEs, 
the SRMAs fill two essential roles.
    The first is helping us make sure that the methodology that 
we are using for identification in the first instance 
incorporates the relevant expertise from each SRMA, so that we 
are not underweighting or overweighting different variables 
that might contribute to getting a suboptimal list for a given 
National critical function, but then essentially, when we have 
a list established for a given National critical function, the 
SRMAs are critical partners in figuring out how do we as a U.S. 
Government bring together everything that we can offer to 
improve the security and resilience of entities that are 
supporting a given NCF.
    Critically in this phase, you know, in CISA's as the 
National coordinator for critical infrastructure's security and 
resilience and the lead for National cyber defense, that does 
not mean that we are the sole actor in providing these services 
and information. The SRMAs, in many cases, have unique sectoral 
risk management expertise, particularly regarding understanding 
how a cyber intrusion or physical event could impact the 
continuity of a National critical function. So by partnering 
with the SRMAs, we can combined CISA's generally applicable 
expertise in both cyber and physical security with the sector 
knowledge of an SRMA. That is the combination that we believe 
adds real value to set directives.
    Mr. Garbarino. I appreciate that. Just to question Ms. 
Sherman, do you have any ideas or suggestions on how to make 
sure that there is no confusion?
    Ms. Sherman. Sure. Well, maybe two quick points related to 
the SRMAs. The first, as discussed yesterday during the 
hearing, there is a range of maturity levels when it comes to 
Sector Risk Management Agencies, you know, spanning from, for 
example, you talked about the financial services sector all the 
way to the water sector and everything in between. So, I think 
it is important for CISA to be able to work to bring along 
those less mature sectors and to work with the relevant SRMA in 
those instances to make sure they have the support and 
resources and coordination needed.
    The other point I wanted to raise actually is around the 
update to the National plan and the sector-specific plans. The 
National plan has been in place since 2013 and CISA is actively 
undertaking an update effort. I think by the end of this year 
is the goal.
    One of the things, some of the conversations that we have 
had with Sector Risk Management Agencies is that they are 
holding still and updating their sector-specific plan until the 
National plan update occurs. So we do think that this is 
something timely and important for CISA to continue to act on 
so that those updates and, again, the relevancy and the value 
of the guidance that's being provided to the sectors and the 
steps that they need to take will be laid out in those plans 
and is something that they can act on.
    Mr. Garbarino. Thank you. I yield back.
    Chairwoman Clarke. Thank you, Ranking Member. Mr. 
Goldstein, I have a couple of clarifying questions before we 
close.
    First, CISA's working to identify systemically important 
entities. Right now, does CISA have the authority to compel any 
SIE to share information about security measures they have in 
place?
    Mr. Goldstein. No, ma'am. At this point, we do not have the 
authority to compel organizations to share cybersecurity 
information. Our focus is on building these trusted 
partnerships in which organizations voluntarily work with us to 
share information that we need to understand and manage 
cybersecurity risk.
    Chairwoman Clarke. Does CISA have the authority to compel 
information about their vendors or supply chains?
    Mr. Goldstein. Currently, we do no have the authority to 
compel private organizations to provide CISA with information 
about the vendors or supply chains.
    Chairwoman Clarke. Does CISA have the authority to compel 
any other information it may need to fully assess an SIE's 
relative security risk or vulnerability?
    Mr. Goldstein. Today CISA does not have such authority as 
to compel private organizations. We have narrow authorities, 
ma'am, as you are aware, for our subpoena authority to compel 
disclosure of voluntary devices being used by an organization, 
but certainly not specific to the security controls in place by 
an SIE. Certainly, those authorities may exist elsewhere in 
Government, but not within CISA.
    Chairwoman Clarke. So, what kind of information enhance 
CISA's understanding of National systemic risk?
    Mr. Goldstein. Our approach today is understanding the 
entities that contribute to the continuity of National critical 
functions, bringing those organizations in.
    I think it is relevant to note here that in our view, the 
U.S. Government and the private sector has a shared interest in 
ensuring the continuity and resilience of National critical 
functions. Thus far, we have shown great success in building 
trusted partnerships in which we have a shared goal with the 
private sector to ensure continuity and resilience of NCFs. By 
building that trust, we are able to catalyze information 
sharing to the degree needed to execute our mission.
    Chairwoman Clarke. Second, do you anticipate that the 
concept of SICI or systemically important entities will replace 
the list of Section 9 entities?
    Mr. Goldstein. We certainly envision the SIE process as an 
evolution or maturation of the Section 9. We're tying the list 
to National critical functions and focusing on cascading and 
systemic impact will be improvement over the Section 9 process 
and allow us to drive operational collaboration more 
effectively.
    Chairwoman Clarke. So, do you anticipate a replacement or 
just sort-of archiving what--how do you sort-of manage all that 
information?
    Mr. Goldstein. Our goal would be that if we achieve our 
intended outcomes with the SIE list, that the SIE list would 
resolve the need for a separate Section 9 list. Ideally, the 
SIE list will meet the intent of Section 9 of E.O. 13636 and 
allow us to do even more with the critical prioritization of 
entities across the country.
    Chairwoman Clarke. If Congress were to codify the concept 
of SICI or SIEs without also replacing new requirements on 
designated--excuse me, also placing new requirements on 
designated entities, how would that list be different from the 
existing Section 9 program?
    Mr. Goldstein. So, today our work to develop the SIE list 
differs in important ways from the Section 9 program, including 
tying the SIE list back to National critical functions, 
ensuring that we are encompassing the breadth of critical 
sector, for example, the IT sector was excluded specifically 
from the Section 9 program in the underlying Executive Order as 
well as focusing on cascading and systemic risk so that we are 
not only identifying the largest entities in the country, but 
also ones that, by virtue of their unique dependencies or 
relationships, pose a potential risk to the continuity of 
National critical functions.
    Chairwoman Clarke. Very well. It is my understanding that 
we have an additional question or questions from Congresswoman 
Sheila Jackson Lee of Texas. You are recognized at this time.
    Ms. Jackson Lee. Thank you, Madam Chair. Thank you for this 
very good hearing.
    I would like to ask unanimous consent to introduce into the 
record several articles: ``From SolarWinds to Log4j: The Global 
Impact of Today's Cybersecurity Vulnerability,'' April 5, 2022; 
Tech Crunch, ``Apple, iCloud, Twitter, and Minecraft Vulnerable 
to `Ubiquitous' Zero-Day Flaw''; ``Biden Signs an Executive 
Order Aimed at Protecting Critical American Infrastructure from 
Cyber Attacks''; and ``Biden Warns U.S. Companies to Gear It Up 
Against Russian Hacks.''
    Chairwoman Clarke. So ordered.
    Ms. Jackson Lee. I ask unanimous consent, Madam Chair, to 
include that in the record.
    Chairwoman Clarke. So ordered.
    Ms. Jackson Lee. Thank you so very much.
    Chairwoman Clarke. So ordered.
    [The information follows:]
  From SolarWinds to Log4j The global impact of today's cybersecurity 
                            vulnerabilities
By CRN Team--April 5, 2022
By Harish Kumar, Head, Enterprise & Government, Check Point Software 
        Technologies, India & SAARC
            http://www.crn.in/columns/from_solarwinds_to_log4j_the_glo- 
                    bal_impact_of_todays_cybersecurity_vulnerabilities
    If the past year has taught businesses anything, it's that the 
impact of targeted cyber attacks and security vulnerabilities is now, 
without doubt, universal. From the fallout of the Solar Winds software 
supply chain attack to the exposed Apache Log4j vulnerability, the case 
for organizations of all shapes and sizes to have a comprehensive and 
robust security infrastructure in place has never been stronger, even 
if they themselves aren't necessarily in the crosshairs.
    Many regard the now-infamous SolarWinds breach in late 2020 as a 
major catalyst for what would become a frenzy of ``Gen V'' or fifth-
generation attacks that persist to this day. Such large-scale, multi-
vector attacks have virtually unlimited reach, with devastating 
security consequences for businesses and governments around the world. 
A year later, the Apache Log4j vulnerability was exposed, which made it 
possible for malicious actors to execute code remotely on almost any 
targeted computer to take control, steal data or even hijack a user's 
machine to mine cryptocurrency.
    The former was an orchestrated attack by an advanced persistent 
threat group, the latter was an exposed zero-day vulnerability that 
nobody saw coming. One thing both incidents have in common, however, 
was that they increased risk and vulnerability for businesses in every 
sector, in every corner of the world. As organizations plot their 
course through 2022 and beyond, it's never been clearer that 
cybersecurity is a global issue rather than a local one, and this 
should be reflected in every cybersecurity strategy moving forward.
                     the rise of ``gen v'' attacks
    Gen V attacks are unique in the way that they leverage broad attack 
surfaces and multiple infection vectors to infiltrate large numbers of 
organizations, and they are increasing at an unprecedented rate. At a 
time when businesses and government agencies are expanding their 
network footprint, adding more endpoint and connected device into their 
technology mix, the risk of being impacted by a Gen V attack has also 
never been higher. As outlined in our 2022 Security Report, the 
SolarWinds breach, which impacted organizations around the world, 
kickstarted a torrent of supply chain attacks that still plague 
businesses today. In a year that saw cyber attacks against corporate 
networks increase by 50 percent across the board, software vendors like 
SolarWinds experienced the largest year-on-year growth in attacks with 
an increase of 146 percent. Today's corporate economy is built on an 
intricate web of software supply chains, which means that with every 
additional attack on a software vendor, the vulnerability of businesses 
around the world is further amplified.
                fuelling attacks: the sunburst catalyst
    The SolarWinds software supply chain attack was facilitated by a 
back door knovm as `Sunburst', which was added to the SolarWinds Orion 
system before being distributed to customers globally via a routine 
update. This gave the APT (advanced persistent threat) group involved 
covert access to thousands of SolarWinds customers' networks, from 
government agencies to Fortune 500 companies. Unfortunately, this mode 
of attack from APT groups is now on the rise. As our report details, 
the REvil ransomware group targeted multiple managed service providers 
(MSPs) throughout 2021, and in July managed to embed a malicious 
software update in IT company Kaseya's patch management and client 
monitoring tool. Thousands of unsuspecting businesses were impacted, 
with millions of U.S. dollars demanded in ransom.
    Sunburst also likely inspired the attack on Colonial Pipeline, 
which carries almost half of the fuel consumed by the U.S. East Coast. 
The nation-state APT group, DarkSide, was allegedly behind the attack, 
employing a Ransomware-as-a-Service model, meaning it relied on third-
party affiliate programs to orchestrate the breach. This is one of the 
most striking examples to date of how tools used to carry out such 
attacks are becoming democratized and more widely used, again ramping 
up the pressure on businesses to guard their perimeters.
    While the assets of the REvil ransomware group have since been 
seized and its ringleaders arrested, you cannot arrest code. Once one 
threat group make headway with a particular attack, it doesn't take 
much for an affiliate member to keep that momentum going. Emotet, one 
of the most dangerous botnets in history, made a return in November 
2021 following its takedown a year earlier. It's a trojan primarily 
spread through links, spam emails, malicious scripts and macroenabled 
document files, and once it infects a user it can spread like wildfire 
without detection, stealing banking credentials and financial data from 
individuals, companies, and governments around the world.
                  ambushed by zero-day vulnerabilities
    While targeted attacks like the ones outlined above are presenting 
an increased threat to organizations around the world, so are exploits 
and vulnerabilities. In December last year, a remote code execution 
vulnerability was reported in Apache Log4j, the most popular java 
logging library in the world. This library is embedded in almost all of 
the services and applications we use in our day-to-day lives, from 
Twitter and Amazon to Microsoft and Minecraft. Initially used by some 
threat actors to leverage cryptocurrency mining resources at the 
expense of their victims, there's no reason an exploit like this 
couldn't be used for more sophisticated and nefarious attacks. Check 
Point Research detected approximately 40,000 attack attempts just 2 
hours after the Log4j vulnerability was revealed, and a further 830,000 
attack attempts 72 hours into the event.
    These zero-day vulnerabilities earn their name from their ability 
to completely blindside businesses, giving them virtually no time to 
react before they become potential victims. It then becomes a race 
between threat actors and their ability to exploit the vulnerability, 
and how quickly businesses can close the gap in their defenses.
                global threats require a global solution
    The threat climate has changed. The traditional defensive line that 
businesses can draw between themselves and the rest of the cyber 
landscape has become blurred to the point that it may as well not 
exist. Instead of guarding a static perimeter, businesses need to take 
a more holistic and real-time view of their security infrastructure. 
Security practitioners need to be able to maintain 360-degree 
visibility of their entire network, regardless of how far and wide it 
has been distributed. They also need access to real-time threat 
intelligence on a global scale, so they can pre-empt far-reaching zero-
day vulnerabilities and targeted software supply chain attacks like the 
ones outlined above.
    Check Point's Infinity platform, for instance, is the only security 
platform of its kind that offered pre-emptive protection for customers 
against the Log4j exploit. It's the first modern, consolidated security 
platform specifically designed to guard against zero-day 
vulnerabilities and sophisticated fifth-generation attacks across all 
networks, cloud deployments and endpoints. Part of Infinity's success 
is its ability to leverage Check Point's ThreatCloud, a real-time 
global threat intelligence platform that monitors networks around the 
world for emerging threats and vulnerabilities.
    If organizations around the world want to operate safely and 
securely in 2022 and beyond, they need to start seeing cybersecurity as 
a global issue rather than a local one, and evolve their security 
strategies accordingly. Only then will they be able to confidently 
defend themselves against a threat landscape that knows no bounds and 
cannot be contained by borders.
    If you have an interesting article/experience/case study to share, 
please get in touch with us at [email protected]
                                 ______
                                 
Apple iCloud, Twitter, and Minecraft vulnerable to ubiquitous zero-day 
                                  flaw
TechCrunch, Carly Page@carlypage_/1:24 PM EST--December 10, 2021
    A number of popular services, including Apple iCloud, Twitter, 
Cloudflare, Minecraft and Steam, are reportedly vulnerable to a zero-
day vulnerability affecting a popular Java logging library.
    The vulnerability, dubbed ``Log4Shell'' by researchers at LunaSec 
and credited to Chen Zhaojun of Alibaba, has been found in Apache 
Log4j, an open source logging utility that's used in a huge number of 
apps, websites and services. Log4Shell was first discovered in 
Microsoft-owned Minecraft, though LunaSec warns that ``many, many 
services'' are vulnerable to this exploit due to Log4j's ``ubiquitous'' 
presence in almost all major Java-based enterprise apps and servers. In 
a blog post, the cybersecurity company warned that anybody using Apache 
Struts is ``likely vulnerable.''
    Companies with servers confirmed to be vulnerable to Log4Shell 
attack so far include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, 
NetEase, Tencent and Elastic, though there are likely hundreds if not 
thousands of other organizations affected. In a statement given to 
TechCrunch, Cloudflare said it has updated systems to prevent attacks, 
adding that it saw no evidence of exploitation.
    Robert Joyce, the director of Cybersecurity at the NSA, confirmed 
that GHIDRA, a free and open source reverse engineering tool developed 
by the agency, is also affected: ``The Log4j vulnerability is a 
significant threat for exploitation due to the widespread inclusion in 
software frameworks, even NSA's GHIDRA,'' he said.
    The Computer Emergency Response Team (CERT) for New Zealand, 
Deutsche Telekom's CERT, and the Greynoise web monitoring service have 
all warned that attackers are actively looking for servers vulnerable 
to Log4Shell attacks. According to the latter, around 100 distinct 
hosts are scanning the internet for ways to exploit Log4j 
vulnerability.
    Kayla Underkoffler, a senior security technologist at HackerOne, 
tells TechCrunch that this zero-day highlights the ``threat that open 
source software presents as a growing portion of the world's critical 
supply chain attack surfaces.''
    ``Open source software is behind nearly all modern digital 
infrastructure, with the average application using 528 different open 
source components,'' Underkoffler said. ``The majority of high-risk 
open source vulnerabilities discovered in 2020 have also existed in 
code for more than 2 years and most organizations lack direct control 
over open source software within supply chains to easily fix these 
weaknesses. Securing this often poorly funded software is imperative 
for any organization that relies on it.''
    The Apache Software Foundation has released an emergency security 
update today to patch the zero-day vulnerability in Log4j, along with 
mitigation steps for those unable to update immediately. Game developer 
Mojang Studios has also released an emergency Minecraft security update 
to address the bug.
    Updated with comment from Cloudflare.
    https://techcrunch.com/2021/12/10/apple-icloud-twitter-and-
minecraft-vulnerable-to-ubiquitous-zero-day-exploit/
                                 ______
                                 
 Biden signs an executive order aimed at protecting critical American 
                   infrastructure from cyber attacks
New York Times, July 29, 2021
https://www.nytimes.com/2021/07/28/us/politics/cyber-security-biden-
        executive-order.html
    The effort is a way to get beyond the patchwork of mandates and 
voluntary action to protect electric utilities, gas pipelines, water 
supplies, and industrial sites that keep the economy running.
    A day after President Biden warned that cyber attacks could lead to 
a ``real shooting war,'' he signed an executive order on Wednesday 
aimed at preventing hackings on America's critical infrastructure.
    While the order has been in the works for some time, the need was 
driven home by a series of major ransomware attacks, including against 
Colonial Pipeline, which provides the East Coast with 45 percent of its 
gasoline, jet fuel and diesel.
    The order was mostly filled with voluntary measures for companies 
to meet a series of on-line security standards, like encrypting data 
and requiring two-factor authentication for all users on a system, to 
stymie hackers who possess stolen passwords. In a call with reporters 
Tuesday night, a senior administration official said the idea was to 
develop ``cybersecurity performance goals'' to assess how prepared each 
company or utility was.
    The effort is a way to get beyond the ``woefully insufficient'' 
patchwork of mandates and voluntary actions to protect electric 
utilities, gas pipelines, water supplies and industrial sites that keep 
the economy running, the official said.
    Such efforts have been tried before, dating to the presidency of 
George W. Bush. But Mr. Biden is the first president to talk about the 
issue--almost every week--as a national security imperative. It was the 
central topic of his meeting in June with President Vladimir V. Putin 
of Russia. And on Tuesday, visiting the Office of the Director of 
National Intelligence, Mr. Biden gave a grim assessment of where he 
believed the constant, short-of-war attacks on the United States, both 
state-sponsored operations and criminal ransomware, are headed.
    ``If we end up in a war, a real shooting war with a major power,'' 
he told the intelligence officers there, ``it's going to be as a 
consequence of a cyberbreach of great consequence. And it's increasing 
exponentially--the capabilities.''
    Mr. Biden's chief challenge now is a lack of authority to mandate 
changes. He has already imposed security standards on providers of 
software to the Federal Government, betting that if a company is banned 
from selling to the government it will also suffer in the commercial 
marketplace. He has ordered a series of increased protections for 
Federal agencies, 10 of which were affected by the SolarWinds hacking 
last year, a broad invasion of the software ``supply chain'' used by 
18,000 companies and governments.
    But key elements of American infrastructure are run by private 
companies and in Colonial Pipeline's case, Russian-speaking hackers 
brought down the distribution system almost accidentally, after 
attacking the company's business systems. That was followed by another 
ransomware attack on JBS, the world's largest beef producer, which paid 
$11 million to start running again.
    For years, many industries have maintained informal organizations 
that share cyberthreat information or best practices. But there are so 
many holes in the system that it has been relatively easy for Iran, 
Russia, China and ransomware groups to find ways to place malicious 
software in the systems, or initiate attacks that freeze data and make 
it impossible to operate, as happened to Colonial Pipeline and JBS.
    The measures outlined in the new national security memorandum, 
called ``Improving Cybersecurity for Critical Infrastructure Control 
Systems,'' are being coordinated by the Department of Homeland 
Security's Cybersecurity and Infrastructure Security Agency and the 
Commerce Department's unit that sets industrial standards.
                                 ______
                                 
      Biden warns U.S. companies to gird up against Russian hacks
Washington Post, March 22, 2022
https://www.washingtonpost.com/politics/2022/03/22/biden-warns-us-
        companies-gird-up-against-russian-hacks/
    Welcome to The Cybersecurity 202! I've seen ``The Power of the 
Dog,'' ``Licorice Pizza,'' ``Drive My Car,'' and ``Don't Look Up,'' so 
far this year, and I'm not rooting for any of them for Best Picture 
yet. Is there a better one in the mix?
    Below: The online verification firm Okta says there's ``no ongoing 
malicious activity'' after hackers claim to access networks connected 
to the company, and NSO's old owners are fighting in court with its new 
owners.
    The White House has issued its starkest warning that Russia may be 
planning cyberattacks against critical-sector U.S. companies amid the 
Ukraine invasion.
    There's ``evolving intelligence'' that the Kremlin is actively 
exploring its cyberattack options, President Biden said in a statement, 
warning that companies have a ``responsibility to strengthen the 
cybersecurity and resilience of the critical services and technologies 
on which Americans rely.''
    Deputy national security adviser Anne Neuberger described the alert 
as a ``call to action'' for companies to raise their cyber defenses, 
during a White House press briefing. She tied it to a series of U.S. 
intelligence releases in recent months aimed at shining light on 
Russian planning.
    Biden later warned that he believes a Russian cyberattack ``is 
coming'' per CNN's Kaitlan Collins:
    Context: The alert comes after Russia has lobbed a series of 
digital attacks at the Ukrainian government and critical industry 
sectors. But there's been no sign so far of major disruptive hacks 
against U.S. targets even as the government has imposed increasingly 
harsh sanctions that have battered the Russian economy.
    The public alert followed classified briefings government officials 
conducted last week for more than 100 companies in sectors at the 
highest risk of Russian hacks, Neuberger said. The briefing was 
prompted by ``preparatory activity'' by Russian hackers, she aid.
    U.S. analysts have detected scanning of some critical sectors' 
computers by Russian government actors and other preparatory work, one 
U.S. official told my colleague Ellen Nakashima on the condition of 
anonymity because of the matter's sensitivity. But whether that is a 
signal that there will be a cyberattack on a critical system is not 
clear, Neuberger said.
    Neuberger declined to name specific industry sectors under threat 
but said they're part of critical infrastructure--a government 
designation that includes industries deemed vital to the economy and 
national security, including energy, finance, transportation and 
pipelines. The warning reflects a grave concern that U.S. companies 
aren't sufficiently prepared to withstand a Russian cyber assault--even 
after years of concerted pressure from government cyber officials that 
ramped up even further in the run up to the Ukraine invasion.
    Neuberger lamented that foreign hackers continue to regularly crack 
into companies using known computer bugs that the companies could have 
patched against if they were more diligent.
    ``This is deeply troubling,'' she said. Neuberger compared the 
companies to New Yorkers that were robbed after leaving their doors 
unlocked.
    The warning also reflects a deep anxiety that companies that have 
girded their defenses against Russian hacking will let their guards 
down as the Ukraine conflict drags on.
    ``The White House is running out of ways to keep the alert levels 
up for cyber incident responders,'' Tatyana Bolton, a former 
Cybersecurity and Infrastructure Security Agency official who now leads 
cyber programs for the R Street Institute, told me. ``It's very 
difficult to stay on a high level of alert for a long amount of time 
because we're humans and alert levels go down as time passes.''
    A second U.S. Government official Ellen spoke with described 
``fatigue'' among industry cyber pros who've been working long hours 
for weeks on end as part of CISA's ``Shields Up'' initiative to guard 
against Russian hacking.
    ``Since this heightened threat environment started, it's been like 
`Shields Up.' So people ask, `When do we put shields down?' '' the 
official said.
    Some industry officials said the Government's latest alert didn't 
tell them anything they didn't already know.
    ``I don't see anything new there that we haven't already been 
informed of,'' Bill Fehrman, CEO of Berkshire Hathaway Energy and co-
chair of the Electricity Subsector Coordinating Council, whose sector 
was given a classified briefing last week, told Ellen.
    ``Our defensive postures remain in `Shields Up' position,'' he 
added.
    Government only has limited options to make private industry 
improve their cyber defenses.
    Officials have gone into hyperdrive sharing information about 
cyberthreats and best practices, but mostly lack the authority to 
compel companies to adopt those practices.
    In a handful of industries where government has broader cyber 
authorities, such as pipelines, its requirements have received a cool 
reception from industry leaders.
    Congress recently passed a bill requiring critical infrastructure 
firms to alert the government when they're hacked, but even that will 
take a year or longer to go into effect.
    One hope among cyber analysts is that the focus on improving cyber 
defenses will outlast the current conflict.
    ``My hope is that the Russia crisis will spur long-term investments 
in cybersecurity and critical infrastructure resilience,'' Mark 
Montgomery, executive director of the congressionally led Cyberspace 
Solarium Commission, told me. ``My fear is it will be treated as it has 
been [after cyber crises] in the past and forgotten soon thereafter.''
The Keys
Okta says no ongoing malicious activity after `attempt to compromise' 
        third-party contractor
    The online verification company stated in a tweet that screenshot 
photos posted to Telegram by the ransomware hacking gang LAPSUS$ seemed 
to be related to a January ``attempt to compromise the account of a 
third-party customer support engineer working for one of our 
subprocessors.''
    ``There is no evidence of ongoing malicious activity beyond the 
activity detected in January,'' Okta CEO Todd McKinnon said.
    It wasn't clear from the statement how much access the gang had to 
Okta systems. The hacking gang claimed the screenshots showed internal 
Okta systems. Okta said in an earlier statement that it was 
investigating the breach reports.
    Okta is used by thousands of companies to verify employees' 
identities before they access company digital systems making it an 
especially valuable hacker target.
    One of the hacker screenshots purported to be of a dashboard for 
the cybersecurity company Cloudflare. Cloudflare CEO Matthew Prince 
said the company was resetting Okta credentials for some users out of 
an ``abundance of caution.''
    Microsoft is also investigating LAPUS$ claims it breached some of 
the company's systems. Here's more from CyberScoop's AJ Vicens.
NSO Group's former owners are locked in a court battle with its current 
        owners
    The fund that owns NSO is now run by Berkeley Research Group. 
(Sebastian Scheiner/AP)
    The fight stems from an effort to assess how much the embattled 
spyware company is worth--a valuation that could lead to a big payout 
for the former leaders of a fund that bought NSO Group in 2019, Stefan 
Kowski and Bastian Lueken of Novalpina Capital, Bloomberg News's 
Jonathan Browning reports.
    Kowski and Lueken were ousted by the fund's investors in 2021 and 
replaced with Berkeley Research Group, which currently runs the fund. 
NSO's value has likely dropped since then, largely due to extensive 
reporting by The Washington Post and 16 media partners that found NSO 
clients used its Pegasus spyware to hack devices belonging to 
journalists and activists.
    NSO has reportedly mulled shutting down its Pegasus division since 
then.
    ``Lawyers for Kowski allege that BRG reneged on a commitment to get 
the Israeli company fairly valued,'' Browning writes. ``According to 
emails disclosed in Kowski's filing, BRG responded to say that with NSO 
shutting down Pegasus, it was therefore `unfeasible (and was always 
unworkable)' to conduct an independent valuation.''
Iran-linked hackers are trolling the head of Israel's Mossad spy agency
    A group of purported Iranian hackers released a document that they 
said was a stolen 2020 pay stub belonging to Mossad chief David Barnea. 
The gang said more sensitive leaks were on the way, Haaretz's Omer 
Benjakob reports. It's not clear if the leaked document is authentic, 
but it ``was intended to disprove Israel's claim that the hack was of 
an old device belonging to his wife'' and therefore not of 
significance, Benjakob writes.
    The group previously published a video showing personal photos, 
tickets, tax documents and a video clip of Barnea. The Israeli prime 
minister's office said Barnea's phone wasn't hacked and the ``materials 
in question are old,'' the Times of Israel's Emanuel Fabian reported.
    ``Israel believes the hack was revenge for an airstrike in Iran 
last month, which caused heavy damage to the country's drone network,'' 
Benjakob writes.
    Hackers have a history of taunting their victims and enemies 
online, as well as making boisterous claims about their exploits. For 
example, a hacker taunted top Obama administration officials after he 
hacked their accounts. And late last year, a hacker appeared to breach 
an FBI email system to vilify a security researcher.
                            government scan
Ransomware attacks on the supply chain are national security threat, 
        officials say
    U.S. supply chains are struggling even without cyberattacks. (Eric 
Risberg/AP)
    Hacks targeting the U.S. logistics and shipping industries could 
crush the already struggling supply chain, warned a U.S. Customs and 
Border Protection intelligence bulletin dated March 7. Much of the 
bulletin focused on a cyberattack on Seattle logistics firm Expeditors 
International, though it didn't say who was behind the attack, Yahoo 
News's Jana Winter reports.
    The hacks could also make it tougher to crack down on smuggling. 
``Large-scale attacks on the logistics industry pose the risk of 
increased illicit activity through ports of entry due to the shutdowns 
of computer systems which are essential to CBP processing and security 
procedures,'' the bulletin said.

    Ms. Jackson Lee. I am going to go again to CISA and reflect 
on the testimony that you gave that indicated you made great 
strides in establishing joint cyber defense, CISA's 
Cybersecurity Advisory Committee, et cetera. Can you give 
examples, just point it because I have other questions, of the 
significant strides that CISA has made in the establishment of 
this Joint Cyber and the CISA Cybersecurity Advisory Committee?
    Then if you would answer is this Joint Cyber Defense 
Collaborative in authorization language? Would you answer that, 
please? Thank you.
    Mr. Goldstein. Yes, ma'am, of course. Let me answer the 
last part first.
    So, yes, Congress established a Joint Cyber Planning Office 
in the National Defense Authorization Act 2 years ago. The JCDC 
is the maturation the Joint Cyber Planning Office using the 
same underlying authorization passed by Congress with the 
leadership of this committee and, of course, Mr. Langevin.
    We have had actually remarkable successes with the Joint 
Cyber Defense Collaborative thus far. Ma'am, I will reference 
it particularly through the articles you have noted. Around our 
response to the Log4j software library vulnerability, we 
brought together, frankly, within hours, many of the largest 
technology companies in the world to understand what 
technologies were impacted by the vulnerability, the cyber 
defense measures that were effective in mitigating the risk of 
the vulnerability. Then we set up broadly applicable and widely 
disseminated websites and products that we share with 
stakeholders across the country, and indeed across the world, 
driving mitigation of the vulnerability at scale.
    We could never have done that work without the insights 
that we were able to glean and enrich from our private-sector 
partners in the Joint Cyber Defense Collaborative. We are now 
doing very similar work, but even more at scale, around the 
risk of----
    Ms. Jackson Lee. Thank you.
    Mr. Goldstein. Sorry, ma'am?
    Ms. Jackson Lee. Thank you. Ms. Won Sherman, let us go back 
to my premise about the bad actor that Russia has become, so 
much so that you can't distinguish between Russia's violence 
and cyber attacks from the criminals that are lodged in their 
town. I want to pursue your line of statements that you made 
when I asked you previously and your point about that the 
Federal Government needs to take--needs to include 
strengthening the Federal role in terms of dealing with the 
critical infrastructure, strengthening the Federal role in 
protecting the cybersecurity and critical infrastructure, and 
improving priority-setting efforts. Having in your mind the 
backdrop of Russia's rising threat, could you further enhance 
that comment, please? Ms. Won Sherman.
    Ms. Sherman. Almost made it through without doing that. 
Apologies.
    Yes, you know, at this stage some of the other findings 
that we had come across in our review highlighted, for example, 
some of the challenges with the National critical functions' 
framework, which looks to have promise and it is great to hear 
all of the perspective and efforts that have been carried out 
and are under way as part of that framework.
    The concerns that we have identified as part of that 
particular framework is making sure that there is a clear 
understanding, both within, again, the Federal Government and 
all of the levels of Government and the private sector, of 
exactly what the priority-setting looks like and how the 
priority-setting is going to actually be carried out, what the 
goal of the framework is, and what impact there might be on 
planning and operations. I tie that back to your question 
related to Russia and the Russia cyber threats and thinking 
about the various sectors and all of the functions that cut 
across those sectors and the importance of making sure that the 
private-sector entities and all of the levels of Government 
have a clear understanding and awareness of what actions that 
they would need to take and where they sit in terms of planning 
and operations.
    So it is definitely an area that we have made several 
recommendations in and we think it is important not only for 
the broader framework effort, but for some of these very real-
time incidents that are occurring.
    Ms. Jackson Lee. Thank you. Madam Chair, I intend to 
introduce legislation and look forward to working with you 
around this zero-day potential that has been moving for so many 
years and now may be even more of a threat.
    Thank you for yielding and I yield back. Thank you.
    Chairwoman Clarke. Thank you very much, Congresswoman.
    With that, I thank the witnesses for their valuable 
testimony and the Members for their questions. The Members of 
the subcommittee may have additional questions for the 
witnesses and we ask that you respond expeditiously in writing 
to those questions.
    The Chair reminds Members that the subcommittee record will 
remain open for 10 business days. Without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 11:27 a.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

     Questions From Chairman Bennie G. Thompson for Eric Goldstein
    Question 1a. In his testimony and responses to Member questions, 
Mr. Goldstein described the Systemically Important Entity process as an 
``evolution'' or ``maturation'' of the Section 9 [of Executive Order 
13636] list, with a goal of driving ``operational collaboration'' and 
understanding Systemically Important Entities' ``dependencies and 
supply chains to reduce their risk going forward.''
    Is it CISA's/ONCD's goal to codify the framework established in 
Section 9 of Executive Order 13636?
    Question 1b. Section 10 of Executive Order 13636 directed Federal 
agencies to engage in a review of ``the preliminary Cybersecurity 
Framework and determine if current cybersecurity regulatory 
requirements are sufficient given current and projected risks,'' among 
other things. Did Section 10 of Executive Order 13636 result in the 
imposition of any new security obligations on Section 9 companies? If 
so, please describe. If not, why not? In light of the current threat 
environment, is the administration revisiting the analysis described by 
Section 10?
    Answer. Response was not received at the time of publication.
    Question 2a. At the hearing Mr. Goldstein testified: ``We certainly 
envision the Systemically Important Entity (SIE) process as an 
evolution or maturation of the Section 9 list. We're tying the list to 
National critical functions, and focusing on cascading a systemic 
impact will be an improvement over the Section 9 process and allow us 
to drive operational collaboration more effectively.''
    Please provide a description of the methodology CISA currently uses 
to identify SIEs, and describe how it differs from the methodology used 
in Section 9 designations.
    Question 2b. Do you anticipate that tying the Systemically 
Important Entity list to National Critical Functions will result in a 
list of entities that differs significantly from the existing list of 
Section 9 entities? Or do you anticipate that the National Critical 
Functions analysis will drive analysis of interdependencies among SIEs?
    Question 2c. Are there Section 9 entities that you do not believe 
will identified as Systemically Important Entities because the analysis 
is tied to National Critical Functions?
    Question 2d. As the SIE process continues to evolve, do you 
anticipate identifying ``tiers'' of Systemically Important Entities to 
reflect both an entity's systemic importance and the sophistication 
with which it can operationally collaborate with the Federal 
Government?
    Question 2e. How many SIEs has CISA currently identified? Please 
provide a breakdown of such list by sector, the number of SIEs 
currently enrolled in CISA programs and services, the number of 
currently engaged in operational collaboration with CISA, and any other 
information that would be helpful to characterize CISA's current 
understanding of SIEs.
    Question 2f. What information does CISA need in order to fully and 
accurately identify and understand systemic risks to SIEs, and where 
does that information originate? What data sources is CISA currently 
able to leverage to carry out this work, and what data is CISA 
currently unable to obtain?
    Answer. Response was not received at the time of publication.
    Question 3a. The Cyberspace Solarium Commission (CSC) recommended 
Congress codify a new designation for SICI. The concept behind SICI is 
that certain entities--those that operate our most vital systems and 
assets--should be granted special assistance from the U.S. Government 
and should be expected to shoulder additional security and information-
sharing requirements befitting their unique status and importance.
    If Congress were to create a regime that aligns as closely as 
possible to the CSC's proposal (i.e., a designation that comes with 
benefits and burdens), what are the most critical, impactful programs 
or partnership models that Congress should consider for purposes of 
mandating participation from designates entities? What types of 
information should be shared?
    Question 3b. Are there authorities CISA currently lacks that it 
would need if Congress were to decide to mandate such participation, 
collaboration, or sharing?
    Question 3c. Assuming there are no changes to CISA's current 
funding levels, does CISA have the resources, personnel, and overall 
capacity to scale up these services beyond what is being offered now--
and at what point would additional resources be required to meet 
heightened demand?
    Answer. Response was not received at the time of publication.
    Question 4a. As the conversation about SICI evolves, there 
continues to be confusion about the proper terminology and definitions. 
The CSC report proposed the term ``SICI,'' but you testified that CISA 
is instead using the term ``Systemically Important Entities,'' or SIEs.
    Please define Systemically Important Entity.
    Question 4b. In your view, does this definition differ from the 
concept of SICI recommended by the CSC? If so, how?
    Question 4c. What security objectives does CISA hope the SIE effort 
will accomplish? Please provide benchmarks and time lines.
    Question 4d. Director Easterly has also recently utilized the term 
``Primary Systemically Important Entities,'' or PISCES. What 
differentiates these terms from one another? How do they work together?
    Answer. Response was not received at the time of publication.
    Question 5. If Congress were to codify the concept of SICI/SIEs 
without adding any additional requirements on designated entities, how 
would that list be different from the Section 9 program?
    Answer. Response was not received at the time of publication.
     Questions From Chairwoman Yvette D. Clarke for Eric Goldstein
    Question 1a. You noted that CISA's understanding of National 
systemic risk is rooted in the continuity and resilience of NCFs, and 
that the list of SIEs that CISA is currently identifying would be tied 
to NCFs. It would seem that, to do this work effectively, CISA would 
need a fairly granular understanding of critical assets within each 
region, the vendors they use, the security measures they have in place, 
and an overall sense of where they sit in the supply chain. However, as 
you testified, CISA has no authority to compel any organization to turn 
over this information.
    How can CISA purport to understand the universe of assets and 
entities most critical to regional and National security--and the 
systemic cyber risks they face--without reliable access to information 
on the security posture and supply chains of SIEs?
    Question 1b. Is there any other information that CISA needs in 
order to fully assess an SIE's relative security risk or vulnerability?
    Question 1c. If Congress were to grant CISA broader compulsory 
authorities, how might CISA leverage these data streams to better 
understand and reduce systemic risks?
    Question 1d. Would this include an understanding of the security 
measures critical entities have in place? Their vendors or supply 
chains? Or any other critical information that could be needed to fully 
assess an SIE's relative security risk or vulnerability?
    Answer. Response was not received at the time of publication.
    Question 2. We know that CISA currently maintains a National Asset 
Database. You noted in your testimony that through your research, you 
found that no more than 14 States ever provided input to CISA related 
to the National Asset Database.
    What does CISA intend to do to ensure that this stakeholder input 
from the State and local levels is improved and appreciated?
    Answer. Response was not received at the time of publication.
    Question 3a. Earlier this year Congress passed legislation 
requiring certain critical infrastructure owners and operators to 
report major cyber incidents to CISA pursuant to rules set forth by 
CISA in an upcoming rulemaking. However, it may take years for these 
rules to go into effect. Recognizing the urgency of the current threat 
landscape, Congress also directed CISA to stand up voluntary reporting 
mechanisms that organizations can use to report cyber incidents and 
other threat information today, in lieu of formal requirements. CISA 
has been encouraging entities to report cyber incidents and other 
anomalous activity through those voluntary channels--particularly in 
response to potential escalation of Russian cyber threats.
    How many voluntary reports has CISA received since this legislation 
was enacted in March--and from how many entities? Would you 
characterize this as an uptick in reporting, or is it on par with the 
past reporting levels?
    Question 3b. How would you describe the nature and usefulness of 
the information CISA is receiving through this voluntary reporting?
    Question 3c. How has CISA acted on the information it has received? 
For instance, has CISA used technical data to detect malicious cyber 
activity across sectors or inform guidance that can be disseminated 
broadly?
    Answer. Response was not received at the time of publication.
    Question 4. In light of the March 21 announcement by the President 
on the evolving intelligence concerning a potential cyber threat from 
Russia, and the accompanying White House fact sheet encouraging U.S. 
critical infrastructure entities, technology and software companies to 
increasingly incorporate security by design, automation, a Software 
Bill of Materials and undertake other efforts to improve security of 
software development, what role do you see for CISA and/or ONCD in 
ensuring Infrastructure Investment & Jobs Act funding is implemented 
with the greatest attention paid to the cybersecurity standards and 
requirements built into it?
    Answer. Response was not received at the time of publication.
    Question 5. The recent ``Shields Up'' warnings from CISA reinforce 
that today's threat landscape demands the most proactive posture 
possible. What's a recent example of operational collaboration between 
the private sector and the U.S. Government giving us advanced warning 
before the Russian military invasion in Ukraine about the nature of 
Russian cyber aggression we could reasonably expect and the 
sophistication of those actors?
    Answer. Response was not received at the time of publication.
     Questions From Honorable Sheila Jackson Lee for Eric Goldstein
    Question 1a. On page 2 of your testimony, the last paragraph 
begins: ``In the past year, CISA has made significant strides in this 
respect, particularly through the establishment of the Joint Cyber 
Defense Collaborative (JCDC) and our CISA Cybersecurity Advisory 
Committee (CSAC). These groups are examples of CISA's agency-wide 
dedication to operational collaboration and deep partnership, which is 
imbued across our mission divisions. By leveraging the expertise and 
unique authorities of Government and the private sector, CISA is 
better-positioned to connect with our stakeholders in industry and 
Government to share resources, analyses, and tools.''
    Can you give examples of the ``significant strides'' that CISA has 
made through the establishment of the Joint Cyber Defense Collaborative 
(JCDC) and our CISA Cybersecurity Advisory Committee (CSAC)?
    Question 1b. Is the Joint Cyber Defense Collaborative in 
authorization language?
    Question 1c. What industries, entities, or institutions are part of 
the stakeholders who are building their own cyber, communications, and 
physical security and resilience efforts?
    Answer. Response was not received at the time of publication.
    Question 2a. On page 3 of your statement, you state that: ``Our 
work has taken on increased urgency subsequent to Russia's unprovoked 
invasion of Ukraine. CISA has been working closely with our critical 
infrastructure partners over the past several months to ensure 
awareness of potential threats.''
    What are examples of the cause for the increased urgency due to 
Russia's unprovoked invasion of Ukraine?
    Question 2b. How have critical infrastructure owners and operators 
responded to the call ``to adopt a heightened security posture in light 
of President Biden's statement that intelligence shows Russia may be 
exploring options for potential cyber attacks. As part of our broader 
`Shields Up' effort . . . ''?
    Answer. Response was not received at the time of publication.
    Question 3. In your testimony, on page 3, you say, ``The JCDC 
operating model relies on regular analytic and data exchanges to enable 
common situational awareness and equip public and private-sector 
partners to take risk-informed coordinated action for our collective 
defense.'' I am aware that at the onset of the Federal Government's 
focus on getting better collaboration and cooperation from private-
sector critical infrastructure owners and operators that there were 
rough patches.
    How would you characterize the cooperation and engagement of 
private-sector partners?
    Answer. Response was not received at the time of publication.
    Question 4. You mentioned the critical importance of the Log4j 
incident in moving stakeholders toward better cooperation. Your 
testimony states, ``having built trust and strengthened relationships 
with our partners during our response to the Log4j incident . . . ''.
    How did this incident make the difference in what the program is 
able to accomplish today?
    Answer. Response was not received at the time of publication.
      Questions From Ranking Member John Katko for Eric Goldstein
    Question 1. The administration has identified some sectors, and 
specifically the energy sector, as at risk from ``evolving'' Russian 
cyber threats. How is CISA, as the Sector Risk Management Agency (SRMA) 
for 9 critical infrastructure sectors, leveraging independent and 
third-party data, like security ratings, to provide baseline cyber risk 
assessments to these sectors?
    Answer. Response was not received at the time of publication.
    Question 2. Does CISA continuously monitor the cyber health of a 
given sector, or does CISA rely on a different means of assessing the 
cyber health of a sector? How does CISA leverage new tools and 
capabilities like security ratings to automate this task, and to see 
sector-wide cybersecurity risks in real time?
    Answer. Response was not received at the time of publication.
    Question 3. Can you describe the process and criteria that CISA is 
using to evaluate endpoint detection and response (EDR) products as it 
works to fulfill the requirements laid out by EO 14028 for a centrally 
located EDR initiative? What are CISA's plans to ensure that a clear 
process is in place and what are the time lines for doing so?
    Answer. Response was not received at the time of publication.
    Question 4. In light of the March 21 announcement by the President 
on the evolving intelligence concerning a potential cyber threat from 
Russia, and the accompanying White House fact sheet encouraging U.S. 
critical infrastructure entities, technology and software companies to 
increasingly incorporate security by design, automation, a Software 
Bill of Materials and undertake other efforts to improve security of 
software development, what role do you see for CISA and/or ONCD in 
ensuring Infrastructure Investment & Jobs Act funding is implemented 
with the greatest attention paid to the cybersecurity standards and 
requirements built into it?
    Answer. Response was not received at the time of publication.
    Question 5. DoD has recently launched several initiatives to 
improve Defense Industrial Base security. DoD is leveraging the same 
technology that is used to harden the .mil to provide outside-in 
visibility into the resilience of these industry stakeholders that play 
equally central roles in our National security.
    What are CISA's plans to leverage similar attack surface management 
capability for a strategic National snapshot and proactive 
vulnerability notification across the entire critical infrastructure 
community?
    Answer. Response was not received at the time of publication.
        Questions From Honorable Ralph Norman for Eric Goldstein
    Question 1a. This committee has addressed at length the increasing 
threat that cyber attacks pose to our National security and the privacy 
and security of American workers and families served by businesses 
large and small around the country. The concern I'd like to raise is 
one of regulatory fragmentation. Congress recently passed the Cyber 
Incident Reporting for Critical Infrastructure Act as part of the 
recent Omnibus to require covered entities to notify CISA of cyber 
attacks within 72 hours. The problem is that multiple Federal 
regulators can require firms to notify them of the exact same cyber 
incident that CISA also requires notification for. For instance, with 
CISA notification requirements and similar proposed and final cyber 
incident rulemakings by multiple Federal and State regulators, one firm 
experiencing a single cybersecurity incident would likely have to 
notify several different Federal regulators of that same incident right 
in the middle of a tumultuous period in which covered entities should 
first and foremost be tending to the interests, privacy, and security 
of their customers and consumers. This regulatory fragmentation 
undermines Federal efforts and the efforts of covered entities under 
the law to respond in real time to and guard against cyber attacks. The 
Cyber Incident Reporting Act requires the DHS Secretary to lead a Cyber 
Incident Reporting Council to harmonize Federal reporting requirements 
and identify opportunities to streamline that reporting process.
    How does CISA plan to streamline its cyber incident notification 
process to avoid regulatory fragmentation and ensure a single Federal 
notification procedure?
    Answer. Response was not received at the time of publication.
    Question 1b. How are you going to ensure that covered entities 
under the law do not have to notify multiple regulators of the same 
cyber incident in the middle of doing what they need to protect their 
customers?
    Answer. Response was not received at the time of publication.
     Questions From Chairman Bennie G. Thompson for Robert K. Knake
    Question 1a. In his testimony and responses to Member questions, 
Mr. Goldstein described the Systemically Important Entity process as an 
``evolution'' or ``maturation'' of the Section 9 [of Executive Order 
13636] list, with a goal of driving ``operational collaboration'' and 
understanding Systemically Important Entities' ``dependencies and 
supply chains to reduce their risk going forward.''
    Is it CISA's/ONCD's goal to codify the framework established in 
Section 9 of Executive Order 13636?
    Question 1b. Section 10 of Executive Order 13636 directed Federal 
agencies to engage in a review of ``the preliminary Cybersecurity 
Framework and determine if current cybersecurity regulatory 
requirements are sufficient given current and projected risks,'' among 
other things. Did Section 10 of Executive Order 13636 result in the 
imposition of any new security obligations on Section 9 companies? If 
so, please describe. If not, why not? In light of the current threat 
environment, is the administration revisiting the analysis described by 
Section 10?
    Answer. Response was not received at the time of publication.
    Question 2a. At the hearing Mr. Goldstein testified: ``We certainly 
envision the Systemically Important Entity (SIE) process as an 
evolution or maturation of the Section 9 list. We're tying the list to 
National critical functions, and focusing on cascading a systemic 
impact will be an improvement over the Section 9 process and allow us 
to drive operational collaboration more effectively.''
    Please provide a description of the methodology CISA currently uses 
to identify SIEs, and describe how it differs from the methodology used 
in Section 9 designations.
    Question 2b. Do you anticipate that tying the Systemically 
Important Entity list to National Critical Functions will result in a 
list of entities that differs significantly from the existing list of 
Section 9 entities? Or do you anticipate that the National Critical 
Functions analysis will drive analysis of interdependencies among SIEs?
    Question 2c. Are there Section 9 entities that you do not believe 
will identified as Systemically Important Entities because the analysis 
is tied to National Critical Functions?
    Question 2d. As the SIE process continues to evolve, do you 
anticipate identifying ``tiers'' of Systemically Important Entities to 
reflect both an entity's systemic importance and the sophistication 
with which it can operationally collaborate with the Federal 
Government?
    Question 2e. How many SIEs has CISA currently identified? Please 
provide a breakdown of such list by sector, the number of SIEs 
currently enrolled in CISA programs and services, the number of 
currently engaged in operational collaboration with CISA, and any other 
information that would be helpful to characterize CISA's current 
understanding of SIEs.
    Question 2f. What information does CISA need in order to fully and 
accurately identify and understand systemic risks to SIEs, and where 
does that information originate? What data sources is CISA currently 
able to leverage to carry out this work, and what data is CISA 
currently unable to obtain?
    Answer. Response was not received at the time of publication.
    Question 3a. The Cyberspace Solarium Commission (CSC) recommended 
Congress codify a new designation for SICI. The concept behind SICI is 
that certain entities--those that operate our most vital systems and 
assets--should be granted special assistance from the U.S. Government 
and should be expected shoulder additional security and information-
sharing requirements befitting their unique status and importance.
    If Congress were to create a regime that aligns as closely as 
possible to the CSC's proposal (i.e., a designation that comes with 
benefits and burdens), what are the most critical, impactful programs 
or partnership models that Congress should consider for purposes of 
mandating participation from designates entities? What types of 
information should be shared?
    Question 3b. Are there authorities CISA currently lacks that it 
would need if Congress were to decide to mandate such participation, 
collaboration, or sharing?
    Question 3c. Assuming there are no changes to CISA's current 
funding levels, does CISA have the resources, personnel, and overall 
capacity to scale up these services beyond what is being offered now--
and at what point would additional resources be required to meet 
heightened demand?
    Answer. Response was not received at the time of publication.
    Question 4. If Congress were to codify the concept of SICI/SIEs 
without adding any additional requirements on designated entities, how 
would that list be different from the Section 9 program?
    Answer. Response was not received at the time of publication.
     Questions From Chairwoman Yvette D. Clarke for Robert K. Knake
    Question 1. In response to Member questions, you observed that many 
entities that would be classified as SICI/SIEs are very well-resourced 
organizations, with their own red teaming and threat-hunting 
capabilities. However, a major roadblock for these entities is that 
they cannot collect intelligence in the way the U.S. intelligence 
community can.
    What is the ONCD's stance on the creation of a Joint Collaborative 
Environment, which would allow for these entities to participate in a 
collaborative environment where it can be trusted that the information 
being shared there between the public and private sectors can be 
secured?
    Answer. Response was not received at the time of publication.
    Question 2. How is ONCD working with CISA to develop a greater 
understanding of potential additional authorities that could help CISA 
conduct its SIE process and its collaboration with key sector partners?
    Answer. Response was not received at the time of publication.
    Question 3. In light of the March 21 announcement by the President 
on the evolving intelligence concerning a potential cyber threat from 
Russia, and the accompanying White House fact sheet encouraging U.S. 
critical infrastructure entities, technology, and software companies to 
increasingly incorporate security by design, automation, a Software 
Bill of Materials and undertake other efforts to improve security of 
software development, what role do you see for CISA and/or ONCD in 
ensuring Infrastructure Investment & Jobs Act funding is implemented 
with the greatest attention paid to the cybersecurity standards and 
requirements built into it?
    Answer. Response was not received at the time of publication.
    Questions From Honorable Sheila Jackson Lee for Robert K. Knake
    Question 1. In your testimony you speak about how Russia's 
unprovoked aggression against Ukraine is causing heightened threats 
against U.S. cyber interest.
    Has this link between the desire by a Nation that they may 
anticipate will be opposed by the United States resulted in cyber 
attack in the past?
    Answer. Response was not received at the time of publication.
    Question 2a. Russia interfered in the U.S. Presidential elections 
in 2016 and again in 2020. A Russia hacker group is said to have 
attacked Colonial Pipeline.
    Are we seeing official and unofficial Russia-based attacks without 
seeing a link between the two types of threats?
    Question 2b. Is it true that the coding style used to construct 
cyber attacks can indicate their source?
    Question 2c. How reliably can we track and assign attribution for 
attacks?
    Question 2d. Have we been doing enough to raise the cost of attacks 
to make the ransomware less attractive as a tool for theft?
    Answer. Response was not received at the time of publication.
    Question 3a. On page 6 you stated in your testimony: ``Recognizing 
the unique risks presented in cyber space for the conflict to spill out 
of Ukraine and onto our shores, the Federal Government has also 
partnered with industry on tabletop exercises, bringing important 
critical infrastructure stakeholders''.
    Are we at risk of being pulled into a virtual conflict over 
Russia's brutal war against Ukraine and if yes, what would that look 
like?
    Answer. Response was not received at the time of publication.
     Question From Honorable James R. Langevin for Robert K. Knake
    Question. Based on the testimony we heard, it's clear that the 
CISA's Systemically Important Entities effort is engaged in a rigorous 
identification process. But the next steps of what to do with its list 
appear less clear to me than the Solarium Commission's vision for SICI, 
which calls for specific benefits and obligations to SICI entities. 
While an accurate identification process is important, we must also 
have a clear picture of the policies and strategies that will govern 
and strengthen the partnership between the Federal Government and our 
most critical of critical infrastructure entities.
    If CISA develops a list of systemically important entities, what 
does the administration plan to do with it? How would factors like 
cyber maturity, as we discussed, play a role in where and how the 
Government would prioritize its efforts to partner with critical 
infrastructure owners and operators?
    Answer. Response was not received at the time of publication.
      Question From Ranking Member John Katko for Robert K. Knake
    Question. In light of the March 21 announcement by the President on 
the evolving intelligence concerning a potential cyber threat from 
Russia, and the accompanying White House fact sheet encouraging U.S. 
critical infrastructure entities, technology, and software companies to 
increasingly incorporate security by design, automation, a Software 
Bill of Materials and undertake other efforts to improve security of 
software development, what role do you see for CISA and/or ONCD in 
ensuring Infrastructure Investment & Jobs Act funding is implemented 
with the greatest attention paid to the cybersecurity standards and 
requirements built into it?
    Answer. Response was not received at the time of publication.
    Questions From Chairwoman Yvette D. Clarke for Tina Won Sherman
    Question 1. The National Infrastructure Protection Plan was last 
updated in 2013. This hold-up has led to SRMAs not updating their 
Sector-Specific Plans until the National Infrastructure Protection Plan 
update occurs.
    Dr. Sherman, how has this delay in updating the National 
Infrastructure Protection Plan hindered SRMA efforts to protect the 
critical infrastructure sectors they work with? What has the impact 
been on CISA's ability to protect U.S. critical infrastructure?
    Answer. The 2013 National Infrastructure Protection Plan's lack of 
a recent update has led to limitations for Sector Risk Management 
Agencies (SRMAs)--the Federal departments charged with providing 
critical infrastructure sector owner/operators with specialized 
expertise--in two ways.
    First, SRMAs and CISA have no updated guidance for how best to 
modify their activities, if needed, in response to requirements for 
SRMAs in the National Defense Authorization Act for Fiscal Year 2021, 
such as supporting National risk assessment efforts and contributing to 
critical infrastructure owner/operator emergency preparedness.\1\ As 
part of GAO's on-going review evaluating SRMA responsibilities, GAO is 
examining whether SRMA's have sufficient guidance from the Department 
of Homeland Security on approaches for addressing such 
responsibilities.
---------------------------------------------------------------------------
    \1\ See 6 U.S.C.  665d.
---------------------------------------------------------------------------
    Second, the 2013 National Infrastructure Protection Plan calls for 
SRMAs to update their sector-specific plans on a regular basis. 
However, SRMAs were without a recent update of the 2013 plan to help 
guide sector-specific plan revisions. CISA reported in November 2021 
that most SRMAs updated their respective sector-specific plans 
following the publication of the 2013 National Plan and those sector-
specific plans currently serve as the strategic guidance for the 
sectors. However, given the passage of time since these plans were 
published, they may not reflect the current threat environment. For 
example, as GAO reported in November 2021, CISA had not updated the 
2015 Communications Sector-Specific Plan.\2\ As a result, the 2015 plan 
lacked information on new and emerging threats to the Communications 
Sector, such as security threats to the communications technology 
supply chain, and disruptions to position, navigation, and timing 
services.
---------------------------------------------------------------------------
    \2\ GAO, Critical Infrastructure Protection: CISA Should Assess the 
Effectiveness of its Actions to Support the Communications Sector, GAO-
22-104462 (Washington, DC: Nov. 23, 2021).
---------------------------------------------------------------------------
    Question 2. Dr. Sherman, we know that CISA currently maintains a 
National Asset Database. You noted in your testimony that through your 
research, you found that no more than 14 States ever provided input to 
CISA related to the National Asset Database.
    Why have so few States provided input to CISA regarding this 
database?
    Answer. CISA data showed that from fiscal years 2017 through 2021, 
no more than 14 States (of 56 States and territories) provided new 
nominations or updates to the National Critical Infrastructure 
Prioritization Program in any given fiscal year.\3\ State officials GAO 
interviewed questioned the program's usefulness, which may lead to less 
State participation. Of the 6 State homeland security agencies GAO 
contacted, only one reported regularly using the program list. 
Officials from these 6 State agencies also questioned the list's 
accuracy, and most said that they did not use the list to inform risk 
communication or influence decisions. Officials from 3 of 6 State 
agencies said that there were assets on the list that were not critical 
to their States. Some of the State officials also said that the 
infrastructure on the list seemed inconsistent from State to State and 
that the criteria for adding assets were highly subjective, making the 
list generally unreliable, in their view.\4\
---------------------------------------------------------------------------
    \3\ The Implementing Recommendations of the 9/11 Commission Act 
required the Secretary of Homeland Security to establish and maintain a 
single prioritized list of systems and assets in a National database 
that the Secretary determines would, if destroyed or disrupted, cause 
National or regional catastrophic effects. See 6 U.S.C.  664. 
Consistent with this requirement, DHS developed the National Critical 
Infrastructure Prioritization Program.
    \4\ GAO, Critical Infrastructure Protection: CISA Should Improve 
Priority Setting, Stakeholder Involvement, and Threat Information 
Sharing, GAO-22-104279, (Washington, DC: Mar. 1, 2022).
---------------------------------------------------------------------------
    In addition, critical infrastructure officials, including State 
officials, GAO interviewed questioned the present-day relevance of the 
criteria for adding infrastructure to the program list, another reason 
for limited State participation. Specifically, to be included on the 
program's Level 1 list (its highest consequence list), an asset's 
destruction or disruption must meet minimum specified consequence 
thresholds for at least 2 of the following 4 categories: Economic loss, 
fatalities, mass evacuation length, and degradation of National 
security. Senior officials with CISA, as well as other Federal, State, 
and private-sector officials GAO spoke with, said that the consequence 
thresholds for these criteria did not reflect the threat environment 
today, which focuses more on cyber attacks and extreme weather events. 
The current day threat environment also focuses on vulnerabilities or 
attacks that can affect multiple entities within a short period. In 
this scenario, the consequences related to a single asset, entity, 
system, or cluster may not reach program thresholds, but the aggregate 
impacts may be nationally significant, according to CISA officials.
    Questions From Honorable Sheila Jackson Lee for Tina Won Sherman
    Question 1. You begin your testimony with the statement: ``To 
improve critical infrastructure security, key actions Department of 
Homeland Security (DHS) needs to take include: (1) Strengthening the 
Federal role in protecting the cybersecurity of critical infrastructure 
and (2) improving priority-setting efforts.'' Excerpt from your 
testimony: ``Strengthen the Federal role in protecting the 
cybersecurity of critical infrastructure. Pursuant to legislation 
enacted in 2018, the Cybersecurity and Infrastructure Security Agency 
(CISA) within DHS was charged with responsibility for enhancing the 
security of the Nation's critical infrastructure in the face of both 
physical and cyber threats. In March 2021, GAO reported that DHS needed 
to complete key activities related to the transformation of CISA. This 
includes finalizing the agency's mission-essential functions and 
completing workforce planning activities. GAO also reported that DHS 
needed to address challenges identified by selected critical 
infrastructure stakeholders, including having consistent stakeholder 
involvement in the development of related guidance. Accordingly, GAO 
made 11 recommendations to DHS, which the Department intends to 
implement by end of 2022. Improve priority setting efforts. Through the 
National Critical Infrastructure Prioritization Program, CISA is to 
identify a list of systems and assets that, if destroyed or disrupted, 
would cause National or regional catastrophic effects. Consistent with 
the Implementing Recommendations of the 9/11 Commission Act of 2007, 
CISA annually updates and prioritizes the list. The program's list is 
used to inform the awarding of preparedness grants to States. However, 
in March 2022, GAO reported that 9 of 12 CISA officials and all 10 of 
the infrastructure stakeholders GAO interviewed questioned the 
relevance and usefulness of the program. For example, stakeholders 
questioned the current relevance of the criteria used to add critical 
infrastructure to the Prioritization Program list. In 2019, CISA 
published a set of 55 National critical functions of the Government and 
private sector considered vital to the security, economy, and public 
health and safety of the Nation (see figure). However, most of the 
Federal and non-Federal critical infrastructure stakeholders that GAO 
interviewed reported being generally uninvolved with, unaware of, or 
without an understanding of the goals of the framework for its critical 
functions. GAO made recommendations to DHS in its March 2022 report to 
address these concerns, such as ensuring stakeholders are fully engaged 
in the framework's implementation, and DHS agreed with the 
recommendations.''
    I have stressed the need for hyper focus on protecting the Nation's 
critical infrastructure for well over a decade.
    Today, as we watch Russia's total disregard for human life--men, 
women, children, and the elderly are being slaughtered before our eyes. 
It is clear that there are no rules of engagement, no Geneva Convention 
fears that will save any of us should Russia engage in a full onslaught 
against domestic critical infrastructure.
    Are we at a point where everyone, private sector, public sector, 
National security, and law enforcement are on the same page when we 
talk about the importance of critical infrastructure cyber defense?
    Answer. The John S. McCain National Defense Authorization Act for 
Fiscal Year 2019 created the Cyberspace Solarium Commission to develop 
consensus on a strategic approach to defending the United States 
against cyber attacks of significant consequences.\5\ The commission's 
March 2020 report was based on collaboration with a wide range of 
critical infrastructure stakeholders, including private sector, public 
sector, National security, and law enforcement officials. The report 
highlighted the importance of critical infrastructure cyber defense and 
identified approaches for improving the Federal role in leading 
collaborative cybersecurity efforts.
---------------------------------------------------------------------------
    \5\ Pub. L. No. 115-232,  1652, 132 Stat. 1636, 2140 (2018).
---------------------------------------------------------------------------
    In addition, a recent Executive Order and GAO's work on high-risk 
issues facing the Federal Government have identified cybersecurity as a 
National priority. The May 2021 Executive Order on Improving the 
Nation's Cybersecurity recognized that persistent and increasingly 
sophisticated malicious cyber campaigns threaten the public sector, the 
private sector, and ultimately the American people's security and 
privacy.\6\ The Executive Order called for improvements in the Federal 
Government's efforts to identify, deter, protect against, detect, and 
respond to these actions and actors. In its March 2021 High-Risk 
report, GAO also identified the importance of addressing 4 major 
cybersecurity challenges and 10 associated critical actions, shown in 
the figure below.\7\ Although the Federal Government has made selected 
improvements, it needs to move with a greater sense of urgency 
commensurate with the rapidly-evolving and grave threats to the 
country.
---------------------------------------------------------------------------
    \6\ Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 17, 2021).
    \7\ GAO, High-Risk Series: Federal Government Needs to Urgently 
Pursue Critical Actions to Address Major Cybersecurity Challenges, GAO-
21-288 (Washington, DC: Mar. 24, 2021).


    In recent years, GAO has also identified several specific areas of 
stakeholder cybersecurity engagement in need of improvement:
   National Critical Infrastructure Prioritization Program.--
        Through the National Critical Infrastructure Prioritization 
        Program, the Cybersecurity and Infrastructure Security Agency 
        (CISA) is to identify a list of systems and assets that, if 
        destroyed or disrupted, would cause National or regional 
        catastrophic effects. State officials nominate systems and 
        assets for inclusion on this list. GAO's March 2022 report 
        found that CISA and other stakeholders questioned the present-
        day relevance of NCIPP criteria for adding infrastructure to 
        the list.\8\ For example, senior officials with CISA, as well 
        as other Federal, State, and private-sector officials GAO spoke 
        with, said that the consequence thresholds for the criteria did 
        not reflect the threat environment today, which focuses more on 
        cyber attacks and extreme weather events.
---------------------------------------------------------------------------
    \8\ GAO-22-104279.
---------------------------------------------------------------------------
   Pipeline security.--DHS oversees pipeline security for the 
        Federal Government, providing both voluntary guidance and 
        required cybersecurity measures for pipeline owner/operators. 
        DHS prioritizes its outreach to pipeline owner/operators based 
        on a risk assessment. GAO reported in December 2018 that DHS's 
        pipeline risk assessments were missing key inputs, including a 
        measure of cybersecurity vulnerabilities.\9\ Pipeline owner/
        operators will likely receive more targeted guidance if DHS 
        collected more information from owner/operators on 
        cybersecurity vulnerabilities as part of its risk-ranking 
        effort.
---------------------------------------------------------------------------
    \9\ GAO, Critical Infrastructure Protection: Actions Needed to 
Address Significant Weaknesses in TSA's Pipeline Security Program 
Management, GAO-19-48 (Washington, DC: Dec. 18, 2018).
---------------------------------------------------------------------------
   Chemical security.--The Department of Homeland Security's 
        Chemical Facility Anti-Terrorism Standards program reviews 
        high-risk chemical facilities for adherence to security 
        standards, including cybersecurity performance standards. GAO 
        reported in May 2020 that the program had yet to incorporate 
        identified cybersecurity knowledge, skills, and abilities for 
        inspectors in its workforce planning processes or track data 
        related to covered facilities' reliance on information systems 
        when assessing its workforce needs.\10\ Chemical facility 
        owner/operators will likely receive higher-quality inspections 
        if planning for DHS's inspector workforce includes attention to 
        cybersecurity competencies.
---------------------------------------------------------------------------
    \10\ GAO, Critical Infrastructure Protection: Actions Needed to 
Enhance DHS Oversight of Cybersecurity at High-Risk Chemical 
Facilities, GAO-20-453 (Washington, DC: May 14, 2020).
---------------------------------------------------------------------------
    Question 2. Is the GAO tracking how collaborations on the issue of 
cybersecurity of critical infrastructure is being translated into 
concrete improvements?
    Answer. Since 2010, GAO has made about 80 recommendations for 
various agencies to enhance infrastructure cybersecurity.\11\ For 
example, in February 2020, GAO recommended that agencies better measure 
the adoption of the National Institute of Standards and Technology 
framework of voluntary cyber standards and correct sector-specific 
weaknesses. Specifically, GAO reported that most Sector Risk Management 
Agencies were not collecting and reporting on improvements in the 
protection of critical infrastructure as a result of using the 
framework across the sectors.\12\ Therefore, GAO made 10 
recommendations--one to the National Institute of Standards and 
Technology on establishing time frames for completing selected 
programs--and 9 to the lead agencies, to collect and report on 
improvements gained from using the framework. Eight of these agencies 
agreed with the recommendations, while one neither agreed nor disagreed 
and one partially agreed. However, as of November 2021, none of the 
recommendations had been implemented. Until the lead agencies collect 
and report on improvements gained from adopting the framework, the 
extent to which the 16 critical infrastructure sectors are better 
protecting their critical infrastructure from threats will be largely 
unknown. GAO reiterated these recommendations in February 2022.\13\
---------------------------------------------------------------------------
    \11\ GAO, High-Risk Series: Federal Government Needs to Urgently 
Pursue Critical Actions to Address Major Cybersecurity Challenges, GAO-
21-288 (Washington, DC: Mar. 24, 2021).
    \12\ GAO, Critical Infrastructure Protection: Additional Actions 
Needed to Identify Framework Adoption and Resulting Improvements, GAO-
20-299 (Washington, DC: Apr. 9, 2020).
    \13\ GAO, Critical Infrastructure Protection: Agencies Need to 
Assess Adoption of Cybersecurity Guidance, GAO-22-105103 (Washington, 
DC: Feb. 9, 2022).
---------------------------------------------------------------------------
    GAO has also reported on the need for lead agencies to enhance the 
cybersecurity of their critical infrastructure sectors and subsectors--
such as communications, energy, education, financial services, and 
transportation systems.\14\
---------------------------------------------------------------------------
    \14\ See, for example, GAO, Cybersecurity: Federal Actions Urgently 
Needed to Better Protect the Nation's Critical Infrastructure, GAO-22-
105530 (Washington, DC: Dec. 2, 2021).
---------------------------------------------------------------------------
    Question 3. The GAO is well-suited to collecting data and reporting 
on the progress of regulatory and legislative intent for a broad range 
of policy issues. Does GAO have the resources needed to keep pace with 
the DHS's expanded focus on cybersecurity and cyber defense?
    In March 2022, GAO released its strategic plan for fiscal years 
2022 through 2027 along with reports on the key efforts GAO expects to 
cover during this period, as well as current trends affecting 
Government and society.\15\ One of GAO's key goals is to help Congress 
respond to changing security threats and the challenges of global 
interdependence. Among other things, key efforts related to this goal 
focus on assessing cyber risks to the security and resilience of the 
Nation's critical infrastructure and assessing DHS's efforts to manage 
risks and share information with public and private-sector partners to 
protect the Nation's critical infrastructure.
---------------------------------------------------------------------------
    \15\ GAO, Strategic Plan 2022-2027, GAO-22-1SP (Washington, DC: 
Mar. 15, 2022); GAO, Key Efforts 2022-2027, GAO-22-2SP (Washington, DC: 
Mar. 15, 2022); and GAO, Trends Affecting Government and Society, GAO-
22-3SP (Washington, DC: Mar. 15, 2022).
---------------------------------------------------------------------------
    In April 2022, the Comptroller General of the United States 
testified on the subject of GAO's budget request of $810.3 million for 
fiscal year 2023.\16\ This budget request will enable GAO to increase 
capabilities associated with growing cybersecurity developments and 
complex National security issues, among other topics. Given the 
critical importance of these topics, GAO is continuing to grow its 
workforce for cybersecurity and National security. For example, on 
April 20, 2022, GAO posted an announcement for multiple senior analyst 
positions focusing on National security. Further, GAO's growing cyber 
expertise includes its Center for Enhanced Cybersecurity, a dedicated 
group of cyber professionals that could delve into the technical 
details of agency systems and networks and identify underlying 
persistent cybersecurity weaknesses. As networks and information 
systems have become more elaborate, diverse, and interconnected, GAO 
has recognized the need to cultivate a center of excellence to conduct 
in-depth technical audits.
---------------------------------------------------------------------------
    \16\ GAO Budget, Before House Appropriations Committee, 
Subcommittee on Legislative Branch, 117th Cong. (2022) (Statement of 
Comptroller Gen. of the United States Gene L. Dodaro). Accessed April 
28, 2022, https://plus.cq.com/doc/testimony-6503637?2.
---------------------------------------------------------------------------
    Finally, GAO has reported that key actions DHS needs to take 
include strengthening the Federal role in protecting the cybersecurity 
of critical infrastructure and improving priority-setting efforts.\17\
---------------------------------------------------------------------------
    \17\ GAO, Critical Infrastructure Protection: DHS Actions Urgently 
Needed to Better Protect the Nation's Critical Infrastructure, GAO-22-
105973 (Washington, DC: Apr. 6, 2022).
---------------------------------------------------------------------------

                                 [all]