[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]





 
MOBILIZING OUR CYBER DEFENSES: SECURING CRITICAL INFRASTRUCTURE AGAINST 
                         RUSSIAN CYBER THREATS

=======================================================================


                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 5, 2022

                               __________

                           Serial No. 117-50

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 



                                     

        Available via the World Wide Web: http://www.govinfo.gov
        
        
        

                               __________
                               
         

               U.S. GOVERNMENT PUBLISHING OFFICE 
 48-220                 WASHINGTON : 2024                             
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York, Vice 
    Chairman
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                          
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Ritchie Torres, a Representative in Congress From 
  the State of New York, and Vice Chairman, Committee on Homeland 
  Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement.................................................     4
  Prepared Statement.............................................     5

                               Witnesses

Mr. Adam Meyers, Senior Vice President, Intelligence, 
  Crowdstrike:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
Mr. Kevin M. Morley, Manager, Federal Relations, American Water 
  Works Association:
  Oral Statement.................................................    14
  Prepared Statement.............................................    16
Mr. Steven Silberstein, Chief Executive Officer, Financial 
  Services Information Sharing and Analysis Center:
  Oral Statement.................................................    19
  Prepared Statement.............................................    21
Mr. Amit Yoran, Chairman and CEO, Tenable, Inc.:
  Oral Statement.................................................    44
  Prepared Statement.............................................    46

                             For the Record

The Honorable Ritchie Torres, a Representative in Congress From 
  the State of New York, and Vice Chairman, Committee on Homeland 
  Security:
  Statement of Sandra Joyce, Executive Vice President and Head of 
    Global Intelligence, Mandiant, Inc...........................   109
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Article, New York Times, March 20, 2017........................    61
  Article, ForeignPolicy.com, April 30, 2022.....................    65
  Article, The Atlantic, August 29, 2018.........................    70
The Honorable Andrew S. Clyde, a Representative in Congress From 
  the State of Georgia:
  Article, Zdnet.com, March 9, 2019..............................    98
  Article, cnn.com, October 29, 2020.............................   101
  Article, U.S. News and World Report, May 8, 2021...............   104

                                Appendix

Questions From Honorable Nanette Barragan for Adam Meyers........   113
Questions From Honorable Ralph Norman for Adam Meyers............   113
Questions From Chairman Bennie G. Thompson for Steven Silberstein   113
Question From Honorable Nanette Barragan for Steven Silberstein..   114
Questions From Honorable Ralph Norman for Steven Silberstein.....   114
Question From Honorable Nanette Barragan for Kevin M. Morley.....   114
Questions From Ranking Member Andrew Garbarino for Kevin M. 
  Morley.........................................................   114
Questions From Honorable Ralph Norman for Kevin M. Morley........   114
Questions From Honorable Nanette Barragan for Amit Yoran.........   116
Questions From Honorable Ralph Norman for Amit Yoran.............   117


MOBILIZING OUR CYBER DEFENSES: SECURING CRITICAL INFRASTRUCTURE AGAINST 
                         RUSSIAN CYBER THREATS

                              ----------                              


                         Tuesday, April 5, 2022

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:05 a.m., 310 
Cannon House Office Building, Hon. Ritchie Torres [Member of 
the committee] presiding.
    Present: Representatives Torres, Jackson Lee, Langevin, 
Correa, Slotkin, Cleaver, Green, Clarke, Watson Coleman, Rice, 
Gottheimer, Malinowski, Katko, Higgins, Bishop, Van Drew, 
Norman, Miller-Meeks, Clyde, Gimenez, LaTurner, Cammack, 
Pfluger, and Garbarino.
    Mr. Torres [presiding]. The Committee on Homeland Security 
will be in order. Without objection, the Chair is authorized to 
declare the committee in recess at any point.
    Good afternoon. Before we begin today's hearing, I want to 
extend sincere condolences on behalf of the committee to the 
family of Chairman Don Young, Dean of the House, whose life was 
celebrated at a memorial last week. Chairman Young's decades of 
service to the State of Alaska and to this great Nation will 
never be forgotten. Our thoughts are with his loved ones at 
this most difficult time.
    Today, the committee is meeting to examine how we can 
better secure our Nation's critical infrastructure against 
Russian cyber threats. Just over 1 month ago, Russian troops 
launched an unprovoked, unjustified invasion of Ukraine. The 
United States and its allies responded swiftly and decisively, 
imposing harsh sanctions against Russian financial 
institutions, Russian government leaders and oligarchs, and 
even Vladimir Putin himself.
    The Biden administration has also banned the import of 
Russian crude oil, petroleum, and natural gas; imposed export 
controls of critical technologies; and worked with our allies 
to ban Russia's largest banks from SWIFT. In time, these 
restrictions, together with additional actions taken by the 
United States and its allies, will cripple the Russian economy 
and undermine Putin's ability to continue his ill-conceived 
military operation in Ukraine.
    As Russia continues to struggle under the weight of 
sanctions imposed by the world's democracies, we must consider 
the potential risk to the homeland. Over the past decade, 
Russia has demonstrated its ability and willingness to use 
cyber tools to advance its global agenda. It has used its 
neighbors in Eastern Europe as test beds for deploying its 
cyber capabilities to interfere with elections, spread 
disinformation, and disrupt critical infrastructure. In 2015 
and 2016, for example, Russian hackers temporarily knocked out 
power to over 200,000 Ukrainians. In 2017, Russia unleashed 
NotPetya to disrupt Ukraine's financial system, but the malware 
affected networks across critical infrastructure sectors 
globally, including in the United States.
    Russia's willingness to deploy its cyber capabilities 
against the United States is similarly well-documented. Since 
at least 2008, the intelligence community has warned of 
Russia's formidable cyber capabilities in its annual threat 
assessment. In 2017, the intelligence community concluded that 
the Russian Government had attempted to interfere in the 2016 
Presidential elections, engaging in both information operations 
and targeting election infrastructure. The following year, DHS 
and FBI warned entities in a range of sectors from energy and 
aviation to water and critical manufacturing, that the Russian 
Government was attempting to gain access to their networks. 
Despite these warnings, the Federal Government and its private-
sector partners have been slow to chart an enduring course for 
strategic partnership.
    Historically, the Federal Government has struggled to 
demonstrate the security value of public-private partnerships. 
Meanwhile, the private sector has been reluctant to fully 
engage and feared new regulations. One of the most frustrating 
challenges we face is the lack of urgency to act based on 
intelligence alone. Too often, it has taken a major incident to 
force change.
    The SolarWinds supply chain attack is a good example. It 
forced a collective shift from passively observing policy 
problems to actively solving them. The President issued an 
Executive Order overhauling and modernizing the Federal 
Government's approach to securing its networks.
    Congress has also stepped up. It has increased 
cybersecurity funding and provided the administration with new 
authorities, including incident reporting and CyberSentry, that 
will help detect and disrupt malicious cyber campaigns faster.
    The private sector has come to the table to work with the 
Federal Government in new ways. The administration, Congress, 
and our private-sector partners have acted with urgency over 
the past year and left us better-prepared to defend U.S. 
networks. But there is still room to improve.
    First, the Biden administration has engaged in 
unprecedented cyber threat information and intelligence sharing 
with critical infrastructure owners and operators in advance of 
and during Russia's unprovoked invasion of Ukraine. Moving 
forward, the Government and private sector must assess the 
effectiveness of existing partnerships and continue to deepen 
strategic collaboration to defend against current and future 
cyber threats.
    Second, the administration has undertaken historic 
initiatives to raise the cybersecurity posture across all 16 
critical infrastructure sectors, which varies dramatically due 
to a range of factors from resources to regulation. To 
effectively defend against Russian cyber threats, the Federal 
Government must tailor its support to, and collaboration with, 
critical infrastructure sectors to their varying degrees of 
capability.
    Toward that end, I was pleased to see the President's 
budget proposal. The President proposed a new competitive grant 
program aimed at raising the cybersecurity posture of certain 
critical infrastructure sectors.
    Finally, the Federal Government and the private sector must 
work together to harness the security gains realized as we 
defend against Russian cyber threats in order to establish a 
new, heightened security baseline.
    I look forward to the witnesses' testimony and the Members' 
questions. I now recognize the Ranking Member of the full 
committee, the gentleman from New York, Mr. Katko, for an 
opening statement.
    [The statement of Vice Chairman Torres follows:]
               Statement of Vice Chairman Ritchie Torres
                             April 5, 2022
    Today, the committee is meeting to examine how we can better secure 
our Nation's critical infrastructure against Russian cyber threats. 
Just over 1 month ago, Russian troops launched an unprovoked, 
unjustified invasion of Ukraine. The United States and its allies 
responded swiftly and decisively, imposing harsh sanctions against 
Russian financial institutions, Russian government leaders and 
oligarchs, and even Vladimir Putin himself.
    The Biden administration has also banned the import of Russian 
crude oil, petroleum, and natural gas; imposed export controls of 
critical technologies; and worked with our allies to ban Russia's 
largest banks from SWIFT. In time, these restrictions--together with 
additional actions taken by the United States and its allies--will 
cripple the Russian economy and undermine Putin's ability to continue 
his ill-conceived military operation in Ukraine. As Russia continues to 
struggle under the weight of sanctions imposed by the world's 
democracies, we must consider the potential risks to the homeland.
    Over the past decade, Russia has demonstrated its ability and 
willingness to use cyber tools to advance its global agenda. It has 
used its neighbors in Eastern Europe as test beds for deploying its 
cyber capabilities to interfere with elections, spread disinformation, 
and disrupt critical infrastructure. In 2015 and 2016, for example, 
Russian hackers temporarily knocked out power to over 200,000 
Ukrainians. In 2017, Russia unleashed NotPetya to disrupt Ukraine's 
financial system, but the malware affected networks across critical 
infrastructure sectors globally, including in the United States.
    Russia's willingness to deploy its cyber capabilities against the 
United States is well-documented. Since at least 2008, the intelligence 
community has warned of Russia's formidable cyber capabilities in its 
annual threat assessment. In 2017, the intelligence community concluded 
that the Russian government had attempted to interfere in the 2016 
Presidential elections--engaging in both information operations and 
targeting election infrastructure. The following year, DHS and FBI 
warned entities in a range of sectors--from energy and aviation to 
water and critical manufacturing--that the Russian government was 
attempting to gain access to their networks. Despite these warnings, 
the Federal Government and its private-sector partners have been slow 
to chart an enduring course for strategic partnership.
    Historically, the Federal Government has struggled to demonstrate 
the security value of public-private partnerships. Meanwhile, the 
private sector has been reluctant to fully engage and feared new 
regulations. One of the most frustrating challenges we face is the lack 
of urgency to act based on intelligence alone. Too often, it has taken 
a major incident to force change.
    The SolarWinds supply chain attack is a good example. It forced a 
collective shift from admiring policy problems to solving them. The 
President issued an Executive Order overhauling and modernizing the 
Federal Government's approach to securing its networks.
    Congress has also stepped up. It has increased cybersecurity 
funding and provided the administration new authorities--including 
incident reporting and CyberSentry--that will help detect and eradicate 
malicious cyber campaigns faster. And the private sector has come to 
the table to work with the Federal Government in new ways.
    The administration, Congress, and our private-sector partners have 
acted with urgency over the past year and left us better-prepared to 
defend U.S. networks. But there is still room to improve.
    First, the Biden administration has engaged in unprecedented cyber 
threat information and intelligence sharing with critical 
infrastructure owners and operators in advance of and during Russia's 
unprovoked invasion of Ukraine. Moving forward, the government and 
private sector must assess the effectiveness of existing partnerships 
and continue to deepen strategic collaboration to defend against 
current and future cyber threats.
    Second, the administration has undertaken historic initiatives to 
raise the cybersecurity posture across all 16 critical infrastructure 
sectors, which varies dramatically due to a range of factors from 
resources to regulation. To effectively defend against Russian cyber 
threats, the Federal Government must tailor its support to, and 
collaboration with, critical infrastructure sectors to their varying 
degrees of capability.
    Toward that end, I was pleased to see the President's budget 
proposed a new competitive grant program aimed at raising the 
cybersecurity posture of certain critical infrastructure sectors. 
Finally, the Federal Government and the private sector must work 
together to harness the security gains realized as we defend against 
Russian cyber threats in order to establish a new, heightened security 
baseline.

    Mr. Katko. Thank you, Chairman Torres, for hosting this 
hearing today and I thank you to the witnesses for being here. 
It is a very important topic, obviously.
    Each of you play an extremely important role in the 
increasingly interconnected web of services that continues in 
our Nation's cybersecurity and critical infrastructure security 
realm. In fact, all of us here today play an important role in 
that ecosystem. We each have a job to do. As we have repeatedly 
seen, one misstep can have disastrous consequences for the 
Nation's infrastructure and the communities we represent. There 
has never been a more important time for our businesses, our 
State and local governments, and our Federal Government to be 
prepared not just to defend against cyber attacks, but to be 
resilient should an attack occur.
    As the Biden administration recently said, there is 
``evolving intelligence that the Russian Government is 
exploring options for potential cyber attacks.'' I don't need 
to tell you that today what that might mean for our 
constituents, or in the case of our panel, your customers and 
clients.
    Looking ahead at some of the particularly tangible attacks 
over the past few years, we can see that the motives have been 
either of financial gain or intelligence gathering, not pure 
destruction. Well, what if the goal was pure destruction? What 
if the goal was pure destruction?
    What if destructive attacks happened on critical 
infrastructure simultaneously? We saw this in 2017 with the 
NotPetya attack, which was a purely destructive campaign 
originally aimed at Ukrainian networks by Russian attackers but 
quickly spun out of control and ultimately caused over $10 
billion in damages globally. It impacted global shipping for 
weeks and wreaked havoc for companies around the world.
    There is so much this body should be doing to prepare for 
this type of threat. Thankfully, we have recently taken 
significant steps to make our country safer. Just 2 weeks ago, 
the Cyber Incident Reporting for Critical Infrastructure Act 
was signed into law as part of the omnibus appropriations bill 
for fiscal year 2022. This is one of the most important pieces 
of cybersecurity legislation in the past decade. No one will 
argue with that.
    Enhanced reporting to the Cybersecurity and Infrastructure 
Security Agency, or CISA, of significant cyber incidents and 
ransomware attacks on critical infrastructure will mean greater 
visibility for the Federal Government, earlier disruption of 
malicious cyber campaigns, and better information and threat 
intelligence going back out to the private sector so it can 
defend against future attacks. This legislation also solidifies 
CISA's role as a lead Federal agency for cybersecurity.
    I want to thank my colleagues in both the House and Senate, 
as well as the private sector, for their partnership and 
support in getting this most important piece of legislation 
across the finish line. The success of these tools is dependent 
on the success of the agencies we entrust them to. Fortunately, 
we have the extremely capable CISA Director Jen Easterly and 
National Cyber Director Chris Inglis at the helm of our 
Nation's cyber defenses. They have been working tirelessly to 
keep us safe and I thank them for their work. However, their 
impact only extends as far as their mandate. It is up to all of 
us, especially those of you here today, as industry leaders to 
keep your companies, clients, and customers, our very 
constituents, secure and resilient.
    I look forward to hearing from you all about your 
partnerships with CISA, what more you need from the Federal 
Government, what you don't need from the Federal Government, 
and the actions you are taking to secure our critical 
infrastructure. With that, Mr. Chairman, I yield back.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    Thank you, Chairman Thompson, for hosting this hearing. And thank 
you to our witnesses for being here today.
    Each of you play an extremely important role in the increasingly 
interconnected web of services that constitutes our Nation's 
cybersecurity and critical infrastructure.
    In fact, all of us here play an important role in this ecosystem.
    We each have a job to do, and as we have repeatedly seen, one 
misstep can have disastrous consequences for the Nation's 
infrastructure and the communities we represent.
    There has never been a more important time for our businesses, our 
State and local governments, and our Federal Government to be prepared 
not just to defend against cyber attacks--but to be resilient should an 
attack occur.
    As the Biden administration recently said, there is ``evolving 
intelligence that the Russian government is exploring options for 
potential cyber attacks.''
    I don't need to tell anyone here today what that might mean for our 
constituents, or in the case of our panel, your customers and clients.
    Looking at some of the particularly tangible attacks over the past 
year, we can see that the motives have been either financial gain or 
intelligence gathering, NOT pure destruction.
    But what if the goal was pure destruction?
    What if destructive attacks happened on critical infrastructure 
simultaneously?
    We saw this in 2017 with the NotPetya attack, which was a purely 
destructive campaign originally aimed at Ukrainian networks by Russian 
attackers, but quickly spun out of control and ultimately caused over 
$10 billion in damages globally.
    It impacted global shipping for weeks and wreaked havoc for 
companies around the world.
    There is so much this body should be doing to prepare for this type 
of threat, and thankfully, we have recently taken significant steps to 
make our country safer.
    Just 2 weeks ago, the Cyber Incident Reporting for Critical 
Infrastructure Act was signed into law as part of the Omnibus 
Appropriations bill for fiscal year 2022.
    This is one of the most important pieces of cybersecurity 
legislation in the past decade.
    Enhanced reporting to the Cybersecurity and Infrastructure Security 
Agency, CISA, of significant cyber incidents and ransomware attacks on 
critical infrastructure will mean greater visibility for the Federal 
Government, earlier disruption of malicious cyber campaigns, and better 
information and threat intelligence going back out to the private 
sector so it can defend against future attacks.
    This legislation also solidifies CISA's roles as the lead Federal 
agency for cybersecurity.
    I want to thank my colleagues in both the House and Senate, as well 
as the private sector, for their partnership and support in getting 
this across the finish line.
    The success of these tools is dependent on the success of the 
agencies we entrust them to, and fortunately, we have the extremely 
capable CISA director, Jen Easterly, and National cyber director, Chris 
Inglis, at the helm of our Nation's cyber defense efforts.
    They have been working tirelessly to keep us safe, and I thank them 
for their work.
    However, their impact only extends as far as their mandate.
    It is up to all of us, especially those of you here today, as 
industry leaders, to keep your companies, clients, and customers--our 
constituents--secure and resilient.
    I look forward to hearing from you all about your partnerships with 
CISA, what more you need from the Federal Government, and the actions 
you're taking to secure our critical infrastructure.

    Mr. Torres. All the Members of the committee are reminded 
that under the committee's rules, opening statements may be 
submitted for the record. Members are also reminded that the 
committee will operate according to the guidelines laid out by 
the Chairman and Ranking Member in our February 3, 2021, 
colloquy regarding remote procedures.
    I now welcome our panel of witnesses. Our first witness, 
Mr. Adam Meyers, is the senior vice president of intelligence 
at CrowdStrike. In that capacity, Mr. Meyers directs a team of 
cyber threat experts as they track criminal, state-sponsored, 
and nationalist cyber adversary groups across the globe.
    Our second witness, Mr. Steve Silberstein, is the CEO of 
the Financial Services ISAC, where he leads efforts to increase 
the value of information sharing in the financial services 
sector and improve how member organizations share critical 
information within the private sector and within Government.
    Our third witness, Dr. Kevin Morley, is a manager of 
Federal relations at the American Water Works Association. Dr. 
Morley works closely with multiple organizations to advance the 
security and preparedness of the water sector. His role 
includes supporting the development of standards that represent 
the minimum best practices of water sector risk and resilience 
management, including cybersecurity guidance.
    Our final witness, Mr. Amit Yoran, who is the chairman and 
CEO of Tenable. Mr. Yoran works with organizations to 
understand and reduce their cybersecurity risk. Prior, he 
served as a founding director of the United States Computer 
Emergency Readiness team, US-CERT program at DHS, and is a 
recognized security thought leader on operational technology.
    Without objection, the witnesses' full statements will be 
included in the record. I now ask each witness to summarize his 
statement for 5 minutes, beginning with Mr. Meyers.

STATEMENT OF ADAM MEYERS, SENIOR VICE PRESIDENT, INTELLIGENCE, 
                          CROWDSTRIKE

    Mr. Meyers. Congressman Torres, Ranking Member Katko, and 
Members of the committee, thank you for the opportunity to 
testify today. As the world watches the conflict in Ukraine 
unfold, this hearing evaluating the posture of critical 
infrastructure security is particularly timely. Across the 
country, cybersecurity professionals in Government and industry 
are on high alert monitoring for the use of cyber operations 
within the conflict itself and preparing for the possibility of 
Russian attacks against U.S. critical infrastructure.
    CrowdStrike has supported cybersecurity initiatives for the 
U.S. Government and key allied governments across the globe. We 
actively participate in public-private partnerships such as 
CISA's JCDC, through which we have worked with select industry 
partners to disrupt Russian infrastructure preparing for cyber 
operations. It is CrowdStrike's goal to raise the cost of doing 
business for threat actors across the globe through our 
research, technology, and partnership.
    In the immediate lead-up to the 2022 conflict in Ukraine, 
Russian-nexus adversaries engaged in espionage, as well as 
disruptive and destructive attacks against government and 
commercial targets. The commencement of the conflict also 
activated Russian e-crime and hacktivist actors.
    Russia has a long history of leveraging cyber operations to 
effectuate political goals. Russian cyber operations against 
Ukraine began in earnest following the Euromaidan protests in 
2013. Attacks in 2015 and 2016 targeted critical 
infrastructure, famously disrupting power and distribution in 
the Ukraine. The NotPetya attack of 2017 caused a reported $10 
billion in damages across the globe.
    Numerous adversaries have contributed to the asymmetric 
campaign waged against Ukraine. One notable example observed in 
2014 was a coordinated campaign targeting the central election 
committee and Ukrainian media sector, which CrowdStrike 
attributes to Berserk Bear, an adversary group believed to be 
related to the FSB.
    As Russia began to amass forces on the Ukrainian border, 
Russian cyber threat activity targeting this Nation increased 
in kind. Beginning in mid-January 2022, website defacements, 
data theft, and destructive wiper attacks impacted numerous 
Ukrainian entities. The wiper attack and website defacements 
occurred immediately following a series of bilateral meetings 
between the United States and Russia regarding troop 
deployments. CrowdStrike currently associates these activities 
with the Russian-nexus threat actor we have designated Ember 
Bear, an adversary group that has operated against government 
and military organizations in Eastern Europe since early 2021.
    On 23 February, a second wiper attack was identified, which 
CrowdStrike tracks as DriveSlayer. More technically 
sophisticated than the Ember Bear activity from January, it is 
propagated by a worm allowing it to spread autonomously. The 
technical complexity and overlaps of tactics is consistent with 
previous operations and bear striking similarity to the 
NotPetya attack of 2017.
    The conflict in Ukraine has also impacted, perhaps even 
reshaped, the cyber criminal threat landscape. This is notable 
because Russia has long harbored and potentially leveraged for 
policy or political ends, e-crime threat actors. These 
adversaries now have potential to act in support of Russian 
state goals by acting as an irregular component performing 
disruptive attacks through ransomware around the globe and 
specifically in the United States.
    The conflict catalyzed a significant level of both pro-
Russian and pro-Ukrainian hacktivists. One pro-Russian group 
claimed a series of distributed denial-of-service attacks 
against Polish and Latvian government sites and targeted the 
National Bank of Poland. In a warning, they issued a reminder 
about the REvil ransomware, which disrupted U.S. critical 
infrastructure last spring.
    While U.S. critical infrastructure operators are 
increasingly focused on the threat from Russia, defensive 
capabilities differ significantly across the sectors. As 
sanctions by the United States and allies mount in scope and 
impact, the risk of targeted attacks against them becomes more 
acute. The U.S. Government has made significant strides over 
the past several years in coordinating with industry against 
cyber threats.
    The establishment of JCDC, in particular, where CrowdStrike 
participates as a plankholder, has helped strengthen industry 
and government collaboration. Russian activity to date has been 
modest relative to early fears. However, this could change at 
any time.
    U.S. critical infrastructure operators must remain on high 
alert. Critical infrastructure operators must still do 
cybersecurity well. This is a last-mile problem that cannot be 
solved through policy initiatives alone. Though not an 
exhaustive list, entities should develop and maintain a skilled 
work force and leverage measures identified in the Executive 
Order, such as the use of modern tools like multi-factor 
authentication, endpoint detection and response, and zero trust 
architectures, and also, proactive threat hunting.
    I will close by briefly highlighting recent collaboration 
with government and industry counterparts, Cloudflare and Ping 
Identity, to launch a free Critical Infrastructure Defense 
Project for the energy, water, and hospital sectors. We 
encourage eligible entities to consider participating in this 
program.
    Thank you for the opportunity to testify before you today. 
I look forward to your questions and continued discussion.
    [The prepared statement of Mr. Meyers follows:]
                   Prepared Statement of Adam Meyers
                             March 30, 2022
                            i. introduction
    Chairman Thompson, Ranking Member Katko, and Members of the 
committee, thank you for the opportunity to testify today. As the world 
watches the conflict in Ukraine unfold, cybersecurity professionals are 
on high alert. Colleagues from across Government and industry are 
monitoring the use of cyber means within the conflict itself and 
preparing for the possibility of Russian attacks abroad--either for the 
purposes of retaliation or coercion. This hearing evaluating critical 
infrastructure security posture is particularly timely.
    Since 2011 I have built and led the intelligence team at 
CrowdStrike, a commercial security technology company headquartered in 
the United States with offices around the globe. In my capacity as the 
head of intelligence, I manage a team of more than 200 professionals 
who conduct research on threat actors operating for State interests 
like espionage; financially motivated or criminal purposes; and to 
advance ``Hacktivist'' goals. This team tracks the technical, cultural, 
and behavioral aspects of these attacks to identify and attribute 
threat actors, extrapolate how they operate, and determine what can be 
done to mitigate these actions. Prior to CrowdStrike, I worked to 
secure the defense industrial base (DIB), where I supported numerous 
Federal customers across the military, intelligence community, and 
various civilian agencies in information security matters.
    The CrowdStrike Intelligence team has supported cybersecurity 
initiatives for the U.S. Government and key allied governments around 
the globe. We actively participate in public-private partnerships, such 
as the Cybersecurity and Infrastructure Agency's (CISA) Joint Cyber 
Defense Collaborative (JCDC), through which we have worked over the 
past few weeks with select industry partners to disrupt malicious 
Russian cyber infrastructure. Previously, we facilitated botnet 
disruptions such as the coordinated take down of the Kelihos botnet in 
partnership with the Department of Justice (DoJ)/Federal Bureau of 
Investigation (FBI)--the careful timing of which enabled the arrest, 
extradition to the United States, and successful prosecution of the 
operator. Through our research, technology, and partnership, it is 
CrowdStrike's goal to raise the cost of doing business for threat 
actors across the spectrum of cyber adversaries.
     ii. cyber activity associated with the conflict in ukraine \1\
---------------------------------------------------------------------------
    \1\ I have endeavored to cite as much source material as possible 
for this testimony. In some instances, however, it was most prudent to 
redact details like URLs. In other instances, I've cited limited-
distribution CrowdStrike research. Additional information and materials 
are available to committee staff upon request.
---------------------------------------------------------------------------
    In the immediate lead up to the 2022 military conflict in Ukraine, 
several Russian-state nexus threat actors engaged in espionage as well 
as disruptive and destructive attacks against government and commercial 
targets. The commencement of the conflict also activated Russian eCrime 
and ``Hacktivist'' actors. I will survey developments with each in 
turn, following a brief discussion of the recent history of Russian 
threat activity targeting Ukraine.
                            ii.1. background
    Russia has a long history of leveraging cyber operations to 
effectuate political goals in Ukraine. Russian cyber operations against 
Ukraine began in earnest following the Euromaidan protests which began 
in late 2013. The Main Center for Special Technologies (GTsST), Unit 
74455 of Russia's military intelligence organization,\2\ which 
CrowdStrike tracks as VOODOO BEAR,\3\ has been one of the major 
perpetrators of these offensive operations. The overarching motivation 
for VOODOO BEAR activities is to contribute to psychological operations 
seeking to degrade, delegitimize, or otherwise influence public trust 
in State institutions and industry sectors in target countries, 
including government, energy, transportation, and media organizations.
---------------------------------------------------------------------------
    \2\ Redesignated the Main Directorate of the General Staff of the 
Armed Forces of the Russian Federation, researchers and analysts still 
widely refer to this organization by its former acronym, GRU.
    \3\ CrowdStrike uses a cryptonym-based system to designate threat 
actors we track. Names generally take the form of a community- or 
researcher-derived codeword with some significance, followed by an 
animal type based on the actor's geography or motivation. This naming 
scheme is designed to be somewhat more descriptive than others, and can 
simplify and disambiguate communication and information sharing with 
government and industry counterparts, as well as assist customers' 
threat modeling processes. See Adam Meyers, Meet The Threat Actors: 
List of APTs and Adversary Groups, CrowdStrike Blog (Feb. 24, 2019), 
https://www.crowdstrike.com/blog/meet-the-adversaries/. Most notably 
for the purposes of this discussion, we use BEAR for Russian State-
nexus actors, SPIDER for criminal actors, and JACKAL for hacktivist 
actors.
---------------------------------------------------------------------------
    This adversary was behind notorious incidents such as disruptions 
to Ukrainian Critical Infrastructure resulting in power outages in both 
December 2015, and a year later, as well as campaigns targeting media, 
transportation, and electoral infrastructure. VOODOO BEAR operations 
created wider concern for the international community in June 2017 when 
a supply chain attack against a financial software update mechanism 
resulted in the deployment of NotPetya, a self-propagating destructive 
weapon masquerading as ransomware. The impact of the NotPetya incident 
by some estimates caused USD $10 Billion in total damage and impacted 
global companies and public services in a variety of sectors, including 
critical infrastructure providers.\4\
---------------------------------------------------------------------------
    \4\ Andy Greenberg, The Untold Story of NotPetya, the Most 
Devastating Cyberattack in History, WIRED (Aug. 22, 2018, 5 o'clock 
AM), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-
code-crashed-the-world/.
---------------------------------------------------------------------------
    Another threat actor, which CrowdStrike tracks as PRIMITIVE BEAR, 
has conducted wide-spread espionage against Ukrainian government 
targets since 2014. Believed to be operating from the city of 
Simferopol in Crimea, this actor represents an offensive cyber 
capability established specifically in a conflict region to facilitate 
rapid tasking and collection.
    Numerous other adversaries \5\ have contributed to the broader 
asymmetric campaign waged against Ukraine. One notable example observed 
in 2014 was a coordinated campaign targeting the Central Election 
Commission (CEC) and Ukrainian media sector which CrowdStrike 
attributes in part to BERSERK BEAR, a component of the Federal Security 
Service of the Russian Federation (FSB), and in part to the CyberBerkut 
hacktivist front.\6\ Taken together, this campaign intended to deliver 
effects against strategic targets in the effort to undermine the 
democratic process within Ukraine.
---------------------------------------------------------------------------
    \5\ FANCY BEAR, COZY BEAR, and RepeatingUmbra--which strongly 
overlaps with an adversary tracked as UNC1151 in the broader 
information security industry--actively conducted espionage campaigns 
targeting Ukraine within the last year.
    \6\ Brian Yates, CyberBerkut Attempt to Alter Ukrainian Election, 
Guardianlv (May 25, 2014), https://guardianlv.com/2014/05/cyberberkut-
attempt-to-alter-ukrainian-election/. 
---------------------------------------------------------------------------
II.2. Current Nation-State Activity
    As Russia began to amass forces on the Ukrainian border, Russian 
cyber threat activity targeting the Nation increased in kind. In mid-
January 2022, a campaign of website defacement and data theft impacted 
numerous Ukrainian government entities contemporaneously with a wiper 
attack that the security industry has dubbed Whispergate.\7\ The 
website defacements included messaging in Ukrainian, Russian, and 
Polish language that was of a threatening nature, and an image with 
metadata suggested the activity originated in Poland. The wiper attack 
and website defacements occurred immediately following a series of 
bilateral meetings between the United States and Russia regarding troop 
deployments near the Ukrainian border. Following the defacement and 
wiper attacks, several personas emerged in on-line underground forums 
offering data stolen in these incidents. CrowdStrike currently 
associates these activities with the Russian-nexus threat actor 
designated EMBER BEAR, an adversary group that has operated against 
government and military organizations in eastern Europe since early 
2021.
---------------------------------------------------------------------------
    \7\ CISA, Alert (AA22-057A): Destructive Malware Targeting 
Organizations in Ukraine (last revised Mar. 1, 2022), https://
www.cisa.gov/uscert/ncas/alerts/aa22-057a.
---------------------------------------------------------------------------
    In mid-February, various Ukrainian banking and governmental 
websites were targeted as part of a large-scale distributed denial-of-
service (DDoS) attack.\8\ This included the websites of Ukraine's 
Ministry of Defense and Armed Forces as well as the website of the 
State Savings Bank of Ukraine (Oschadbank) and the mobile application 
of Ukraine's largest commercial bank, PrivatBank. In concert with the 
DDoS attack, some banking customers were targeted with SMS messages 
falsely indicating ATM systems were not functioning, and bomb threats 
were made against several bank locations. The DDoS attacks were later 
attributed by various government officials to the Main Intelligence 
Directorate of the General Staff of the Armed Forces of the Russian 
Federation (``GRU'').
---------------------------------------------------------------------------
    \8\ Attention: There is No Threat to the Funds of Privatbank 
Depositors (Feb. 15, 2022), https://spravdi.gov.ua/uvaga-zhodnoyi-
zagrozy-dlya-koshtiv-vkladnykiv-pryvatbanku-nemaye/.
---------------------------------------------------------------------------
    On 23 February 2022 a second wiper attack was identified, which 
CrowdStrike tracks as DriveSlayer. More technically sophisticated than 
the WhisperGate/EMBER BEAR activity from January, DriveSlayer is 
propagated by a worm the broader cybersecurity industry tracks under 
the name HermeticWizard. The technical complexity and overlap of 
tactics is consistent with previous operations attributed to VOODOO 
BEAR. In what might be construed as a lesson learned from NotPetya's 
rampant spread, HermeticWizard was intentionally designed to limit its 
spread to the local network, theoretically limiting infections 
primarily to networks in Ukraine.
    On 24 February 2022, several Ukrainian government websites were 
displaying a defacement message before becoming unresponsive to visitor 
requests. The displayed message was almost identical to the one used in 
defacement activity against similar targets on 14 January 2022. Soon 
after the DriveSlayer wiper attack and website defacements, Russian 
troops attacked Ukraine. In the weeks since the commencement of 
military conflict numerous other incidents have been identified 
including additional wiper attacks, misinformation, and espionage 
against Ukrainian targets.
    Although beyond the scope of this testimony, I would at least like 
to note two other forms of activity associated with this conflict. The 
first is reported destructive attacks targeting Ukrainian satellite 
communications capabilities.\9\ The second is informational or 
psychological operations-type activities, likely including 
amplification through personas and propagation through social media. 
Elements of the researcher community are monitoring these types of 
operations, and information about their scope and effects is likely to 
become clearer over time.
---------------------------------------------------------------------------
    \9\ Ellen Makashima, Russian Military Behind Hack of Satellite 
Communication Devices in Ukraine at War's Outset, U.S. Officials Say, 
Washington Post (Mar. 24, 2022, 10:25 PM), https://
www.washingtonpost.com/national-security/2022/03/24/russian-military-
behind-hack-satellite-communication-devices-ukraine-wars-outset-us-
officials-say/.
---------------------------------------------------------------------------
II.3 eCrime
    The conflict in Ukraine has also impacted--perhaps even reshaped--
the criminal cyber threat ecosystem. This is notable because Russia has 
long harbored, and potentially leveraged for policy or political ends, 
eCrime threat actors. These adversaries now have the potential to act 
in support of Russian state goals, such as by acting as an irregular 
component, performing disruptive attacks around the globe and 
specifically in the United States.
    In the immediate wake of the invasion of Ukraine, eCrime actors who 
are responsible for financially motivated malicious cyber activity 
began responding to the conflict. Some actors appeared to directly 
support Russian state interests. WIZARD SPIDER,\10\ an adversary that 
first surfaced in 2016 with their Trickbot malware, and is more 
recently associated with several ransomware operations including Ryuk 
and Conti, announced their full support of the Russian government and 
their willingness to retaliate against critical infrastructure 
entities.\11\ Other groups such as SALTY SPIDER, the operator of the 
Sality botnet, and SCULLY SPIDER, operator of the Danabot 
infrastructure, recently engaged in DDoS attacks uncharacteristic of 
their previous operations, against Ukrainian targets. It is unknown 
whether these incidents were motivated by patriotism, conducted at the 
direction of Russian security services, or followed some other motive 
such as financial gain.
---------------------------------------------------------------------------
    \10\ WIZARD SPIDER is not associated with the HermeticWizard wiper 
malware described above; the naming overlap is coincidental.
    \11\ In response to this announcement, a security researcher 
released logs of internal communications of this group exposing their 
composition, internal structure, recruitment strategies, financial 
infrastructure, and future ambitions. These leaks provided an 
unprecedented view into the internal machinations of a several hundred 
person organization built for the express purpose of conducting 
extortion, theft, and other criminal enterprises against Western 
organizations and critical infrastructures.
---------------------------------------------------------------------------
    In other cases, the criminal ecosystem broke with Russian members 
over the invasion. For example, some criminal forums--digital bazaars 
for buying and selling stolen information and tools for offensive cyber 
operations--began banning users associated with Russian Internet 
Protocol (IP) address space as a sort-of criminal community-driven 
sanction in response to the Russian aggressions against Ukraine.\12\ 
However, anti-Russian sentiment in the eCrime space was not wide-
spread, and most of the criminal groups tracked by CrowdStrike signaled 
that they were apolitical and primarily focused on revenue generation, 
consistent with their general modus operandi. Some groups have actually 
used the conflict as fodder for conducting operations, inserting 
malicious components into varying participatory DDoS tools marketed at 
individuals who want to lend their computers to attacks against Russia 
in response to the conflict. Ever opportunistic, some criminally-
motivated actors have used the conflict in Ukraine as material for 
lures, or implanted information stealers in participatory DDoS tools 
designed for individuals who wish to engage in hacktivism against 
Russian targets but lack the technical sophistication to launch attacks 
on their own.
---------------------------------------------------------------------------
    \12\ CrowdStrike Intelligence Reporting, Feb. 25, 2022.
---------------------------------------------------------------------------
II.4 Hacktivism
    The conflict catalyzed a significant level of both pro-Russian and 
pro-Ukrainian hacktivism. On the pro-Russian side, Killnet--a low-level 
Russian eCrime group--turned to hacktivism in response to Ukraine's 
coordinated effort to unite pro-Ukraine hacktivists, including the so-
called IT Army of Ukraine.\13\ Killnet claimed a series of DDoS attacks 
beyond Ukraine's borders and against websites controlled by the Polish 
and Latvian governments. Killnet also claimed a DDoS attack against the 
website of the National Bank of Poland. In a social media post, the 
group called the attack against the bank a ``warning'' and included 
links to the National Bank of Poland website as well as an on-line tool 
for checking website availability. The group threatened to target the 
Polish government if Warsaw escalated tensions between NATO and Russian 
forces in the region. Specifically, the group vowed to encrypt ``all 
information systems with internet access'' in Poland. In the warning, 
Killnet also issued a ``reminder'' about REvil (ransomware developed by 
the eCrime adversary PINCHY SPIDER) and a recent high-profile 
ransomware attack against a U.S. critical infrastructure operator.
---------------------------------------------------------------------------
    \13\ Russian Killnet Hackers Brought Down Anonymous Website, 
Ren.TV, (Mar. 1, 2022), [Source URL available to committee staff by 
request.]
---------------------------------------------------------------------------
    Pro-Ukrainian Hacktivism observed or reported to date includes:\14\
---------------------------------------------------------------------------
    \14\ Except where otherwise noted, information in this subsection 
is derived from CrowdStrike Intelligence Reporting, Jan.-Feb. 2022.
---------------------------------------------------------------------------
   Anonymous.--Since at least mid-February 2022, affiliates of 
        the hacktivist collective Anonymous advertised their intent to 
        conduct cyber operations should tensions in Ukraine escalate. 
        Self-identified Anonymous affiliates have claimed 
        responsibility for dozens of incidents since late February, 
        including DDoS attacks, website defacements, and leaks. 
        Anonymous affiliate's claims are frequently exaggerated, 
        however CrowdStrike has confirmed significant data leaks from 
        Russian-state-owned energy company Rosneft, Russia's censorship 
        agency Roskomnadzor, Russia's state-controlled oil pipeline 
        company Transneft, and the Central Bank of Russia. Some 
        affiliates have also claimed more disruptive attacks, including 
        destroying back-up images of mobile phones and file directories 
        from Rosneft and a brief take-over of multiple Russian state 
        media organizations to broadcast footage of the war in Ukraine.
   PARTISAN JACKAL.--The Cyber Partisans, which CrowdStrike 
        tracks as PARTISAN JACKAL, signifying its hacktivist 
        motivation, issued a statement on social media calling on 
        ``like-minded hackers'' in Ukraine and Russia to join forces 
        against the ``fascist campaign'' Russia has launched against 
        ``brotherly'' Ukraine. This statement followed a 24 February 
        2022 post announcing the formation of the ``Belarus Tactical 
        Group'' consisting of members of multiple other resistance 
        groups that PARTISAN JACKAL supports. PARTISAN JACKAL 
        previously responded to Russia's troop presence in Belarus by 
        encrypting several systems controlled by State-owned railway 
        operator Belarusian Railway.
   CURIOUS JACKAL.--Personas associated with Spanish-speaking 
        actor KelvinSecTeam, tracked as CURIOUS JACKAL, published 
        several posts on forums and social media detailing recent 
        targeting of the Russian government. This included posts with 
        at least 668 seemingly legitimate government files, information 
        on the State media outlet RT, and surveillance video 
        purportedly from inside a nuclear power plant in Russia.
   Ukrainian Government.--As the military conflict began, the 
        Ukrainian government reportedly started recruiting a volunteer 
        cyber force, the IT Army of Ukraine. Advertisements for 
        volunteers began circulating on hacker forums, calling on 
        Ukrainian forum members to ``get involved in the cyber defense 
        of our country.'' The forum posts reportedly directed users to 
        an application asking volunteers for areas of specialty and 
        professional references. The volunteers are reportedly divided 
        into defensive and offensive units.\15\ CrowdStrike has 
        observed the offensive units use social media outlets to 
        coordinate DDoS attacks against Russian government and private 
        industry websites.
---------------------------------------------------------------------------
    \15\ Joel Schectman and Christopher Bing, EXCLUSIVE Ukraine Calls 
on Hacker Underground to Defend Against Russia, Reuters (Feb. 24, 2022, 
6:51 PM), https://www.reuters.com/world/exclusive-ukraine-calls-hacker-
underground-defend-against-russia-2022-02-24/.
---------------------------------------------------------------------------
   Unknown actors.--Unidentified hacktivists defaced the 
        Russian Emergency Situations Ministry website. The hacktivists 
        replaced a ministry hotline number with a number Russian 
        soldiers could use to defect, changed news items on the front 
        page to ``Don't Believe Russian media--they lie'', and posted a 
        link offering ``full information about the war in Ukraine.'' 
        The same day, likely hacktivists posted insults aimed at 
        President Putin and Russians on Russian judicial websites.\16\
---------------------------------------------------------------------------
    \16\ Mary Ilyushina, Russian Government Website Face 
`Unprecedented' Wave of Hacking Attacks, Ministry Says, Washington Post 
(Mar. 17, 2022, 8:29AM), https://www.washingtonpost.com/world/2022/03/
17/russia-government-hacking-wave-unprecedented/.
---------------------------------------------------------------------------
   Supply chain.--In one deeply concerning incident, the 
        maintainer of `node-ipc' a popular open-source coding component 
        altered it to effectuate a targeted supply chain attack to 
        protest Russia's invasion of Ukraine. The maintainer released a 
        sabotaged version of the software that included malicious code 
        that would delete files or overwrite them with a heart emoji 
        for users based in Russia and Belarus, as determined by the 
        system's external IP address. The affected module is used as a 
        dependency in many nodejs-based applications, which were also 
        impacted by the malicious node-ipc versions. The unintended 
        consequences of this supply chain attack have not been fully 
        assessed, but it stands to erode trust in open source software 
        and damage the credibility of such projects.\17\
---------------------------------------------------------------------------
    \17\ Adam Bannister, NPM Maintainer Targets Russian Users with 
Data-Wiping `Protestware', Daily Swig (Mar. 21, 2022), https://
portswigger.net/daily swig/npm-maintainer-targets-russian-users-with-
data-wiping-protestware.
---------------------------------------------------------------------------
              iii. u.s. critical infrastructure readiness
    Since long before the current conflict in Ukraine, U.S. National 
security officials and cybersecurity industry analysts have raised 
concerns about Russia's demonstrated capabilities and potential 
intentions to attack U.S. critical infrastructure. Periodic breaches of 
operators in this space, attributed to Russia-nexus actors, illustrate 
that U.S. infrastructure could at least be held at risk, and possibly 
attacked, degraded, and destroyed, during a time of heightened 
geopolitical tensions. As the war in Ukraine drags on without Russia 
achieving its political objectives, and as sanctions by the United 
States and allies mount in scope and impact, the risk of such attacks 
becomes more acute.
    U.S. critical infrastructure operators, for their part, are 
increasingly focused on this threat. The U.S. Government, through 
collective efforts of the White House, CISA, the Department of Energy, 
and other Sector Risk Management Agencies, have rolled out a variety of 
awareness and assistance campaigns over the years to help strengthen 
infrastructure entities' security posture. There have been improvements 
over the past decade, albeit from a sometimes low baseline of 
readiness. Defensive capabilities also differ significantly across 
sectors. For structural reasons, we see different resourcing and 
outcomes across sectors like financial services and water utilities, 
for example.
        iv. u.s. government support and coordination mechanisms
    White House public statements and reported notifications and offers 
of assistance to State government leadership; the CISA #ShieldsUp 
campaign; and well-timed DoJ indictments represent an unprecedented 
level of communications engagement on cybersecurity from Executive 
branch leadership. These are all positive steps from an awareness 
perspective.
    The U.S. Government has made significant strides over the past few 
years in coordinating with industry against cyber threats. The 
establishment of JCDC in particular, where CrowdStrike participates as 
a plankholder organization, has helped strengthen cybersecurity and IT 
industry and Government collaboration and information sharing. Parallel 
efforts by non-Governmental organizations as well as other agencies 
with different authorities and mandates also help the community. Many 
of these have formed organically over the years, and in my assessment, 
contribute to a healthy ecosystem. Mature entities like CrowdStrike and 
others in the cybersecurity industry can support participation in 
multiple groups organized around different themes, interests, and 
relationships so long as there is marginal value--and this ultimately 
promotes sharing.
    Beyond the cybersecurity industry, businesses and critical 
infrastructure operators have significant limitations and constraints 
on time, attention, and resources. Those seeking support or fulfilling 
regulatory obligations presently collaborate through some or all of 
CISA, a different Sector Risk Management Agency, and the FBI. Views 
within the community differ about the extent to which the status quo 
``choose your partner''-style system is equal to the threats we face, 
and my co-panelists are better suited than me to address the efficacy 
for their respective sectors. I will just note here that the recent 
consolidation of Incident Reporting under CISA appears likely to 
promote rapid analysis and dissemination of threat indicators and 
trends, which can improve security posture across the board.
                   v. conclusions and recommendations
    Russian state actors have used cyber means over the years to 
advance its political agenda, and that continues in the context of the 
on-going war in Ukraine. Events there have also affected the shape of 
the broader eCrime ecosystem and activated both pro-Russia and pro-
Ukraine hacktivism. Outside the immediate theater of conflict, Russian 
activity to date has been modest relative to early fears. However, this 
could change at any time and indeed there are indications that Russia 
may become more aggressive in retaliation for foreign support to 
Ukraine and significant sanctions on Russian personnel and entities. 
U.S. critical infrastructure operators must remain on high alert. With 
significant media coverage and the efforts of U.S. Government actions 
and warnings described above, it appears that private-sector entities 
are increasingly taking note.
    But even with awareness sufficiently raised, and new resources and 
support, critical infrastructure operators must still ``do'' 
cybersecurity well. This is a ``last mile'' problem that cannot be 
solved through policy initiatives alone. Though not an exhaustive list, 
entities should:
   Build relationships with law enforcement or homeland 
        security staff that can help during an incident.
   Develop or maintain access to know-how and skilled workers 
        or support staff. This includes having an incident response 
        plan in place and, in many cases, a retainer with a qualified 
        provider of incident response services.
   Levage measures identified in Executive Order 14028 on 
        Improving the Nation's Cybersecurity. This includes use of 
        modern IT enterprise security tools and concepts like Multi-
        Factor Authentication (MFA) and Endpoint Detection and Response 
        (EDR); sufficient logging; migration where practical to cloud/
        Software-as-a-Service (SaaS) applications; implementation of 
        Zero Trust Architectures; and proactive threat hunting for 
        adversaries within their networks.
   Utilize, where appropriate, specialized tools and 
        capabilities required for Operational Technology (OT) security. 
        For small and medium-sized organizations--say, those with fewer 
        than 6 or 8 dedicated cybersecurity staff--one of the biggest 
        ``needle movers'' in recent years has probably been the 
        increasing adoption of managed security service providers 
        (MSSP)/Managed Detection and Response (MDR) providers. This is 
        a trend that should be encouraged and incentivized.
    Congress' efforts in recent years implementing Cyberspace Solarium 
Commission recommendations and, most recently, Incident Reporting 
measures will absolutely help. In addition, consider:
   Ensuring CISA is sufficiently resourced to carry out both 
        its Federal Civilian Executive Branch (FCEB) and private 
        sector/infrastructure security mandate.
   Strengthening FCEB cybersecurity by modernizing the Federal 
        Information Security Management Act (FISMA) to reduce 
        compliance burdens and Federal Risk and Authorization 
        Management Program (FedRAMP) to speed authorizations.
   Expanding the use of shared services procurement models for 
        Federal IT to create operational efficiencies, particularly for 
        cyber threat intelligence and adoption of state-of-the-art 
        cybersecurity technologies.
   Working with CISA to guarantee that new Incident Reporting 
        mandates do not become overly burdensome to victims and reduce 
        focus on remediation during a cyber incident or event.
   Taking measures to expand National incident response 
        capacity.
    I'll close by briefly referencing efforts CrowdStrike has 
undertaken to support defensive efforts during this time of increased 
risk. As noted above, we have collaborated with organizations like JCDC 
to address active campaigns. As always, we endeavor to openly publish 
through our blog materials that might help the community understand 
emerging threats and threat actors, and we will continue to do that as 
appropriate. We have taken special measures to strengthen defenses of 
current customers, and in consultation with Government partners we 
collaborated with industry counterparts Cloudflare and Ping Identity to 
launch a free Critical Infrastructure Defense Project for the Energy, 
Water, and Hospital sectors.\18\ We encourage eligible entities to 
consider participating in this program.
---------------------------------------------------------------------------
    \18\ Rapidly Improving Cyber Readiness for U.S. Critical 
Infrastructure, Critical Infrastructure Defense Project, https://
criticalinfrastructuredefense.org/.
---------------------------------------------------------------------------
    Thank you for the opportunity to testify before you today. I look 
forward to your questions and our continued discussion.

    Mr. Torres. Thank you for your testimony. I now recognize 
Dr. Morley to summarize his statement for 5 minutes.

   STATEMENT OF KEVIN M. MORLEY, MANAGER, FEDERAL RELATIONS, 
                AMERICAN WATER WORKS ASSOCIATION

    Mr. Morley. Good morning, Chairman, Congressman Torres, 
Ranking Member Katko, and Members of the committee. I 
appreciate this opportunity to discuss cybersecurity in the 
water sector and the support provided by our Federal partners. 
Our members represent water systems large and small, municipal, 
investor-owned, urban, and rural, to protect public health and 
the environment and enhance the quality of life. In the modern 
era of utility operations, this mission also includes managing 
cybersecurity risks that may threaten the essential lifeline 
function that water professionals provide 24/7/365.
    The current threat situation illustrates both the necessity 
and the strength of continuous two-way engagement and the value 
of partnership that is necessary to jointly manage cyber 
threats facing our Nation. AWWA recognizes the cybersecurity 
challenge and believes a new approach is necessary, one that 
recognizes the technical and financial challenges facing the 
sector. This approach would set minimum cybersecurity standards 
for all types of water systems. An effort that would provide a 
tiered risk-based and performance-based set of requirements 
modeled on a similar approach applied in the electric sector.
    Federal oversight for such approach would be provided by 
EPA given their existing statutory role in the water sector. 
AWWA stands ready to work with Congress, the sector, and our 
Federal partners to implement the strategy that supports 
sustainable cybersecurity protection that recognizes the 
variability in water systems across the Nation.
    In late December, working with our sector partners, EPA and 
CISA, we reached out, through EPA, to 58,000 water systems 
alerting them to Russian cyber threat activities identified by 
CISA. The associated advisories have been shared across 
multiple communication platforms to ensure the widest possible 
distribution. These engagements help professional organizations 
like AWWA amplify the message of our Federal partners about the 
evolving threat environment.
    The new Shields Up campaign deployed by CISA has been very 
well received and represents a welcome reorganization of the 
information available to critical infrastructure systems. In 
many cases, however, advisories and alerts are highly technical 
and may be difficult to implement by entities that lack in-
house cybersecurity expertise.
    To enhance the effectiveness of information sharing, we 
recommend that CISA work with EPA and partners like AWWA, the 
WaterISAC, and the Water Sector Coordinating Council to 
properly contextualize threat information and ensure that the 
information transmitted is concise and actionable.
    In addition, expedient declassification of threat 
intelligence is essential. While there is often tension getting 
information moved to the unclassed level, in reality, most 
entities simply want two things. What is the vulnerability and 
what is the solution to mitigate it?
    AWWA's cybersecurity guidance and assessment tool, first 
issued in 2014, have been updated regularly. They support the 
water sector's use of the NIST cybersecurity framework and help 
community water systems to address the cyber provisions 
implemented by Congress in America's Water Infrastructure Act 
of 2018.
    These resources also support the recommendations in several 
Executive Orders, recent National security memorandums, and 
ANSI/AWWA standards. Coordination with EPA, NIST, and CISA was 
essential in developing these resources, which provide a strong 
foundation for cybersecurity risk management.
    I do want to highlight CISA's Cyber Hygiene program, a 
service that I believe provides some of the most immediate risk 
reduction benefits to users. We recommend that EPA, CISA, and 
the sector organizations coordinate on a unified outreach 
campaign to increase deployment of CyHy to water systems, 
especially small and medium utilities.
    CISA and EPA are currently working with the Water Sector 
Coordinating Council on the Industrial Control Systems 
Cybersecurity Initiative. This 100-day action plan will review 
the scalability of ICS monitoring technology deployment and 
establish information-sharing protocols with our Federal 
partners.
    Partnership is a key element of AWWA's cybersecurity risk 
management activities. I just want to share with you two quick 
examples. We have partnered with CISA and Idaho National Lab to 
integrate the findings of our assessment tool with CISA's 
cybersecurity evaluation tool, or CSET. In addition, over the 
last several years, we worked with EPA, USDA, partners like 
RCAP under grants to provide guidance and training to systems 
serving less than 10,000 people.
    We encourage continued investment and support for this type 
of capacity development considering there are more than 40,000 
community water systems that serve less than 3,300 people.
    In summary, these are demonstrations of the value and power 
of collaborative partnership between the water sector and our 
Federal partners. We welcome the opportunity to build on these 
successful engagements using a framework that is adaptive to 
the dynamic nature of the threat, recognizes the variability 
and the operational complexity and system maturity, and the 
reality of the financial and technical capacity challenges 
facing our Nation's water systems. I thank this opportunity to 
speak with the committee and look forward to your questions.
    [The prepared statement of Mr. Morley follows:]
                 Prepared Statement of Kevin M. Morley
                             April 5, 2022
    Good morning, Chairman Thompson, Ranking Member Katko, and Members 
of the committee. My name is Kevin Morley, and I am the Federal 
relations manager for the American Water Works Association, or AWWA, on 
whose behalf I am speaking today. I appreciate this opportunity to 
offer AWWA's perspectives on how cybersecurity threats are being 
addressed in the water sector (drinking water and wastewater systems). 
AWWA's 50,000 members span the full spectrum of the water profession. 
Our utility members represent water systems large and small, municipal 
and investor-owned, urban and rural. We work to protect public health 
and the environment, support the economy, and enhance our quality of 
life. In the modern era of water utility operations, our mission also 
includes managing cybersecurity risks that threaten the essential 
lifeline function water professionals provide 24/7/365.
    AWWA strongly values collaboration and information sharing with our 
Federal partners to address the dynamic nature of the cyber threats 
facing our critical infrastructure systems. Recent Federal 
recommendations on how to mitigate Russian cyber threats have been 
invaluable. The water sector has actively participated in multiple 
briefings provided by the Cybersecurity and Infrastructure Security 
Agency (CISA) and U.S. Environmental Protection Agency (EPA) that 
illuminate the evolving threat environment and help professional 
organizations, such as AWWA, build awareness among members. Working 
with sector partners, EPA reached out to 58,000 water systems 
collectively serving about 300 million Americans regarding cyber threat 
concerns at the end of December 2021. This led to several sector-level 
briefings hosted by EPA to share information on Russian cyber threat 
activity. The associated advisories have been shared across multiple 
communication platforms to ensure the widest possible distribution to 
water utility owners and operators.
    The current situation illustrates both the necessity and strength 
of continuous two-way engagement to jointly manage the cyber threats 
facing critical infrastructure systems, including drinking water and 
wastewater systems. Functionally, we see the following areas of 
collaboration as most essential:
   Actionable Threat Intelligence,
   Vulnerability Mitigation and Technical Assistance,
   Partnership and a Path Forward.
                     actionable threat intelligence
    We recognize the complexity and sensitivity of the intelligence 
efforts developed by our Federal partners. CISA, and its predecessors, 
have generated copious amounts of information, alerts, and advisories 
on a multitude of cyber vulnerabilities that have enabled many entities 
to address otherwise unknown security gaps. The new Shields Up campaign 
deployed by CISA has been very well-received and represents a welcome 
reorganization of the information disseminated to assist and guide 
critical infrastructure sectors. There are multiple Federal partners 
that assess threats and develop valuable mitigation recommendations 
that are valuable but often difficult for a single water system to 
track and monitor absent a centralized hub for dissemination. Shields 
Up has provided a unified platform to share this information in a 
format that allows sector organizations, such as AWWA, to effectively 
amplify the recommendations developed by CISA and our Federal partners 
for cybersecurity risk management.
    To enhance the effectiveness of the information being shared, we 
recommend that CISA work with Sector Risk Management Agencies (SRMA)--
EPA in the water sector's case--and partners like AWWA, WaterISAC and 
the Water Sector Coordinating Council to properly contextualize threat 
information. In many cases, advisories and alerts are quite technical, 
and they may be difficult to implement by entities without in-house 
cybersecurity experts. It should be recognized that many systems are 
divisions of municipal government and certain systems are not directly 
managed by the water utility. Integrating sector subject-matter experts 
into the review and development of threat alerts and advisories will 
help ensure that the information transmitted to the sector is concise, 
actionable, and properly contextualized.
    Expedient declassification of threat intelligence is essential to 
ensure that system owners and operators can effectively deploy 
mitigations. While there is often tension in getting information moved 
below a certain classification level, the reality is most entities 
simply want to know what the vulnerability is and how it can be 
mitigated. The variables that often drive classification such as 
attribution and tactics, techniques, and procedures (TTPs) are rarely 
of direct interest to the end user of the technology or system that may 
have been compromised.
           vulnerability mitigation and technical assistance
    AWWA, in alignment with our mission, has been directly engaged in 
developing resources to facilitate the assessment of cybersecurity 
vulnerabilities. This effort is centered on the controls provided in 
the NIST Cybersecurity Framework. AWWA's sector-specific guidance and 
assessment tool \1\ provides a water utility with a tailored 
application of the NIST CSF that is based on its application of certain 
technologies. Using the tool allows utility assessment of cybersecurity 
controls and practices to be right-sized in a manner that emphasizes 
actions that address the highest priority controls expected to quickly 
provide the greatest risk reduction value. Coordination with NIST, EPA, 
and CISA was essential in developing this resource. Collaboration with 
our Federal partners provided a strong foundation for creating a 
consistent and repeatable course of action to reduce vulnerabilities to 
cyber attacks as recommended in Executive Order 13636 and several ANSI/
AWWA standards.\2\ \3\ \4\ The guidance and assessment tool were first 
released in 2014 and are regularly updated to help community water 
systems comply with the cybersecurity provisions included in section 
2013 of America's Water Infrastructure Act (AWIA) of 2018 (Pub. L. 115-
270). In AWIA, Congress placed an emphasis on assessing and taking 
action to mitigate cybersecurity threats that could impact drinking 
water utility operations and/or business enterprise systems.
---------------------------------------------------------------------------
    \1\ American Water Works Association, Water Sector Cybersecurity 
Risk Management Guidance and Assessment Tool, https://www.awwa.org/
cybersecurity.
    \2\ ANSI/AWWA G430: Security Practices for Operations and 
Management.
    \3\ ANSI/AWWA J100: Risk and Resilience Management of Water and 
Wastewater Systems.
    \4\ ANSI/AWWA G440: Emergency Preparedness Practices.
---------------------------------------------------------------------------
    Cybersecurity vulnerabilities are a critical concern in the entire 
water sector. AWWA's resources are designed to assist all water systems 
in assessing potential vulnerabilities with various technology 
applications. Once a vulnerability is identified, many of the CISA 
resources can help mitigate risks. One valuable resource is the Cyber 
Hygiene Service that assesses the ``health'' of an entity's publicly 
accessible web applications by checking for known vulnerabilities and 
weak configurations. This service is likely to provide the most 
immediate risk reduction benefit to users based on the actionable 
mitigation recommendations included in the reports provided to 
subscribers by CISA. We recommend that EPA, CISA, and sector 
organizations coordinate a unified outreach campaign to increase 
deployment of this resource among water systems, especially smaller and 
medium-sized utilities.
    As water system cyber capabilities mature, other CISA-based 
resources provide support for long-term, sustainable cyber risk 
management strategies. The Cyber Security Evaluation Tool (CSET) 
provides more advanced capabilities to users. AWWA worked with CISA and 
Idaho National Lab to integrate AWWA's Assessment Tool output with 
CSET. This new functionality allows a water system that has used 
AWWA's tool to seamlessly transition their information into CSET, a 
resource that provides advanced features and analysis of system 
architecture and controls. This is an excellent demonstration of 
partnership between the sector and Federal Government to advance our 
shared objective of improving the cybersecurity capabilities of water 
utilities.
    The diversity in the water sector is unique among U.S. utility 
sectors in both the size and complexity of water systems that provide 
drinking water and wastewater services across the country as either a 
public agency or a privately-owned utility. Consequently, education and 
training are an on-going activity and need within the sector. A 
partnership with the United States Department of Agriculture 
facilitated the development of materials and important training on 
cybersecurity for small systems. Through an EPA small systems capacity 
development grant, AWWA and the Rural Community Assistance Partnership 
(RCAP) also were able to provide guidance and training on AWIA 
compliance, including directed outreach and training on cybersecurity. 
The training drew on a scaled-down version of the AWWA guidance, 
targeted to the needs of small systems. AWWA produced facilitated 
training, eLearning resources, and a guidance document for small 
utilities titled Water Sector Cybersecurity Risk Management Guidance 
for Small Systems.\5\ This ``getting started guide'' is intended to 
help small, rural utilities improve their cybersecurity practices. The 
intended users serve populations of fewer than 10,000 people, and 
particularly, utilities that serve fewer than 3,300 people. This 
resource was prepared to reflect the reality that many of the controls 
in the NIST CSF do not apply to the environment of many small 
utilities.
---------------------------------------------------------------------------
    \5\ AWWA, Water Sector Cybersecurity Risk Management Guidance for 
Small Systems.
---------------------------------------------------------------------------
    These types of capacity development efforts are essential when 
considering there are more than 45,000 community water systems that 
serve fewer than 3,300 people. AWWA encourages continued support for 
this type of engagement, given that cybersecurity is a threat to 
critical infrastructure systems of all sizes and types.
    The water sector is actively engaged with CISA and EPA through the 
Water Sector Coordinating Council on the Industrial Control Systems 
(ICS) Cybersecurity Initiative. This 100-day action plan will review 
the scalability of ICS monitoring technology deployment, such as CISA's 
CyberSentry, including the development of criteria for the adoption of 
such technology by water systems. In addition, the action plan will 
seek to establish the necessary information-sharing protocols with 
Federal partners leveraging the actions already taken by the electric 
and gas sectors. The direct involvement of subject-matter experts from 
the water sector is essential for ensuring that this type of action 
properly accounts for the operational needs and constraints of a water 
utility.
                     partnership and a path forward
    Under Presidential Policy Directive 21, each sector has an 
established Sector Coordinating Council (SCC). The intent of this 
framework is partnership between CISA and SRMAs on critical homeland 
security matters facing the Nation. While SCCs have provided invaluable 
support in fulfilling the mission of CISA and SMRAs, there is always 
opportunity for improvement and continued growth. Given the scale of 
the water sector, the function of the Water SCC and WaterISAC can be 
more consistently leveraged to provide real-time assessment and 
calibration of critical information-sharing products that may be 
developed by Federal partners. Federal water sector-specific resources 
should not be developed and released independent of review and 
coordination by relevant subject-matter experts, such as the members 
that constitute the Water SCC and supporting associations. Our shared 
mission to facilitate the secure operations of critical infrastructure 
is stronger when we work collaboratively and leverage the assets and 
resources each can bring to bear on the challenges imposed by cyber 
threats. Consistent messaging and clarity on how our respective 
resources and guidance documents complement each other is in the best 
interest of the public we serve together.
    AWWA recognizes the cybersecurity challenge and is committed to 
establishing a new paradigm for cybersecurity governance in the water 
sector. We believe a new approach \6\ is necessary, one that recognizes 
the technical and financial challenges facing the sector and sets 
minimum cybersecurity standards for all types of water systems. A 
tiered risk-and performance-based requirements model similar to the 
approach used in the electric sector under the auspices of North 
American Electric Reliability Corporation (NERC) would underpin this 
approach in the water sector. An entity similar to NERC would be 
created in the water sector to lead the development of the requirements 
using subject-matter experts from the field. It would also perform 
periodic third-party conformity assessments. Federal oversight and 
approval of requirements would be provided by the EPA, given existing 
statutory authority for water and wastewater utility operations. A 
recent report by Foundation for the Defense of Democracies (FDD)\7\ 
recognized the merits of such an oversight body in providing on-going 
industry-led cyber threat mitigation efforts. AWWA welcomes the 
opportunity to work with our Federal partners to implement a strategy 
that provides sustainable cybersecurity protection that recognizes the 
variability in the maturity and complexity of water systems.
---------------------------------------------------------------------------
    \6\ Paul Stockton, Strengthening the Cybersecurity of America's 
Water Systems: Industry-Led Regulatory Options (Washington, DC: 
American Water Works Association, August 2021).
    \7\ Foundation for the Defense of Democracies, Poor Cybersecurity 
Makes Water a Weak Link in Critical Infrastructure.

    Mr. Torres. Thank you for your testimony. I now recognize 
Mr. Silberstein to summarize his statement for 5 minutes.

   STATEMENT OF STEVEN SILBERSTEIN, CHIEF EXECUTIVE OFFICER, 
   FINANCIAL SERVICES INFORMATION SHARING AND ANALYSIS CENTER

    Mr. Silberstein. Thank you, Chairman Torres, Ranking Member 
Katko, and honorable of Members of the committee for this 
opportunity to testify. I am Steven Silberstein, CEO of the 
Financial Services Information Sharing and Analysis Center, 
known as FS-ISAC.
    You should know upfront that the financial sector is well-
situated to navigate the current threat environment but remains 
highly vigilant not knowing what may come next. Financial 
sanctions suggest the sector to be a distinct target but the 
sector benefits from an historic security experience dating 
back to the days of physical safes to protect cash. Before 
adding details, I would like to explain the role of FS-ISAC 
within the sector.
    FS-ISAC exists to foster the resilience of the global 
financial services sector and its customers. As a private, 
nonprofit association, FS-ISAC membership consists of 
approximately 5,000 financial institutions in nearly 70 
countries that together represent $100 trillion of deposits and 
assets under custody.
    We manage this critical cyber community with more than 100 
staff situated around the globe. FS-ISAC is the global cyber 
intelligence-sharing community for the financial sector 
allowing us to take a follow-the-sun approach.
    The highly competitive financial service industry 
recognizes that collaboration around cybersecurity is a must, 
just as historically cooperating to establish clearinghouses 
and exchanges where all parties can meet to complete a 
transaction. Similarly, cyber criminals don't target just one 
institution. Instead, they try to maximize their investment by 
attacking many. If one firm notices that its systems are being 
targeted, it will share this information with its peers through 
the FS-ISAC, empowering our members to prepare and defend 
against an attack before it happens to them. With a sector-wide 
view, we are better able to prepare firms for emerging threats 
and new vulnerabilities.
    In addition to our operational mission, we have been an 
active member of the Financial Services Sector Coordinating 
Council, FSSCC, since its inception 20 years ago. The council 
is comprised of the sector's key operators and associations 
through which nearly the entire sector is represented.
    Let me switch to the effective role played by our public-
sector partners during this current incident, and this must be 
acknowledged. We applaud the Biden-Harris administration and 
its sharing of information throughout the escalating situation 
in Eastern Europe and the Russian invasion of Ukraine. The 
sector appreciates the paradigm shift from reactive to 
proactive sharing of information--excuse me--the repeated and 
consistent messaging, and realistic context provided by CISA, 
the Cybersecurity Information Sharing Agency, joined by the 
NSA, U.S. Treasury, FBI, and other Government organizations has 
allowed our sector to institute the necessary security 
precautions and motivated institutions to conduct timely 
reviews of their cyber hygiene and incident response plans.
    Following the stand-up of the Unified Coordination Group, 
UCG, by the Department of Homeland Security last month, 
Treasury and CISA leadership engaged with the sector to develop 
a joint playbook for how the Government and industry may 
communicate and engage during incident response and recovery 
for this critical sector during the current heightened 
tensions. Also, as noted by my colleagues, CISA's new JCDC, 
Joint Cyber Defense Collaborative, provides a key 
communications channel while fostering real-time information 
sharing among the sector, CISA, the U.S. Treasury, critical 
infrastructure, and other stakeholders. The JCDC enables our 
analysts to engage with sector-specific insights and review 
technical exchanges for sector implications, again, for sector 
distribution.
    As I speak, the financial sector has not experienced an 
increased level of cyber attacks directly attributable to 
Russia. We are always tracking the continuous background noise 
of low-level cyber attacks and reconnaissance missions. 
However, outside of the conflict zone, we are not seeing any 
significant uptick in attacks attributable to any specific 
geography or threat actor. But the early and continued sharing 
of warnings and technical information by CISA and the 
Government have prompted the financial sector to open emergency 
communications channels at the end of last year. We activated 
the sector's Core Executive Response Group, which is part of 
our all-hazards playbook. On this recurring call, Government 
leadership from Treasury, CISA, and regulators communicate and 
provide updates on emerging vulnerabilities, associated 
mitigations, and resiliency plans for the sector.
    Over the last 100 days, the sector's various information 
channels have effectively amplified the Government's warnings, 
alerts, and available resources, and we have participated in a 
useful array of Classified and un-Classified stakeholder 
engagements.
    In conclusion, I would like to share that FS-ISAC and our 
fellow sector organizations stand ready to work with the 
administration, Congress, and this committee in any way we can 
protect the financial sector, its customers, and economic 
security. The direction of sharing has been very effective and 
we are optimistic that it will continue and advance the 
security for all. Thank you, again, for the opportunity today. 
I am happy to answer any questions when they come.
    [The prepared statement of Mr. Silberstein follows:]
                Prepared Statement of Steven Silberstein
                             March 30, 2022
    Chairman Thompson, Ranking Member Katko and Honorable Members of 
the committee, thank you for the opportunity to testify at this hearing 
on ``Mobilizing Our Cyber Defenses: Securing Critical Infrastructure 
Against Russian Cyber Threats.'' I am Steven Silberstein, CEO of the 
Financial Services Information Sharing and Analysis Center, or FS-ISAC.
    My statement will illustrate how the strong and effective 
partnership between the financial sector and the Federal Government 
enhances the resilience of this critical sector not only generally, but 
also specifically with respect to the current geopolitical situation. 
You should know up front that the sector is well-situated to navigate 
the current threat environment, but remains highly vigilant, not 
knowing what may come next. Before sharing these details, I would like 
to explain the role of the FS-ISAC within the financial sector.
                        the role of the fs-isac
    The FS-ISAC exists to foster the resilience and continuity of the 
global financial services infrastructure, individual financial 
institutions and, of course, customers, against acts that could 
significantly disrupt the sector's ability to provide services critical 
to the orderly functioning of the economy. As such, FS-ISAC stands 
front and center in the face of continued cyber attacks against 
financial institutions.
    The financial sector formed the very first ISAC in 1999 in response 
to Presidential Decision Directive 63, which in 1998 called for the 
private sector to establish ISACs and for the public and private 
sectors to collaborate to protect critical infrastructure from cyber 
threats and attacks. A private, nonprofit association, the FS-ISAC 
represents nearly 5,000 financial institution members in nearly 70 
countries that, together, have nearly $100 trillion under management.
    Members include commercial banks, credit unions, exchanges, 
clearing houses, brokerages and investment companies, insurance 
companies, payments processors, and financial trade associations. 
Headquartered in Reston, Virginia, we manage this critical network with 
more than 100 people situated in about 10 countries. The FS-ISAC is the 
only global cyber intelligence-sharing community solely focused on the 
financial sector, allowing it to take a ``follow-the-sun'' approach, 
with staff continuously working with the members.
    It might surprise the committee to learn that a highly competitive 
industry like financial services can be very collaborative when it 
comes to cybersecurity. It makes sense, though, because cyber criminals 
try to target as many victims as possible with the same attack. In that 
way they earn a better return on their nefarious investment. Moreover, 
given the sector's reliance on public trust, an attack on one bank 
could damage the trust of customers of other banks, a dangerous 
situation for the financial sector and the public at large.
    Thus, if one firm notices that its systems are being targeted, it 
will share that information with its peers through the FS-ISAC, 
empowering other members to prepare for and defend against that attack 
before it happens to them. Our thousands of member financial 
institutions report cyber activity daily on our secure platform. In 
turn, our global intelligence team reviews, processes, and analyzes the 
intelligence and provides members with alerts, updates, and briefings--
such as the attached report on cyber challenges in 2022. In addition to 
the daily intake and dissemination of current threats, we conduct 
regular threat calls to provide more details and context and provide 
members with a secure chat capability. There is a wide variety of 
channels, based on charter-like banking or insurance--geography, 
incidents, and current issues like the Russian/Ukraine situation. 
Unlike individual firms, we can see how many institutions experience 
the same type of threat or attack, allowing us to gauge across the 
sector its seriousness and sophistication.
    We publish executive-level reports to arm boards and leadership 
with a high-level understanding of the cyber threat landscape so they 
can make strategic business decisions about investing in cybersecurity 
and resource allocation. Not only does the FS-ISAC monitor intelligence 
and cyber threats, but it also conducts exercises that simulate attack 
scenarios based on the current threats. This allows members to practice 
how they would respond and develop a plan in the event of an incident.
    A recent example may illustrate how these capabilities combine to 
improve resilience. In 2021, the New Zealand Stock exchange was the 
target of a distributed denial-of-service (DDoS) attack. Such an attack 
intends to clog a network so as to crash a website or system. This 
event was part of a wave of DDoS attacks that affected more than 100 
financial institutions globally. It is not an exaggeration to say 
thousands of institutions could have been attacked if not for the 
intelligence sharing on FS-ISAC's platform, which enabled financial 
institutions to share critical information needed for members to shore 
up their defenses to prevent the attack from expanding.
    Two important nonprofit subsidiaries of FS-ISAC deserve mention--
Sheltered Harbor and the Financial Data Exchange (FDX). Sheltered 
Harbor protects public confidence in the financial sector if a 
devastating event like a cyber attack causes an institution's critical 
systems and its backups to fail. FDX seeks to unify the financial 
sector around a common, interoperable, and royalty-free standard for 
the secure access of user-permissioned financial data. Background 
documents on both nonprofits are attached.
                     financial sector collaboration
    Of course, the FS-ISAC does not perform this role in isolation. On 
the contrary, the financial sector boasts a history and depth of 
collaboration among competitors and between it and Government that 
bolsters resilience and ultimately serves the needs and interests of 
its customers.
    Ahead of the Year 2000 Rollover, for example, financial 
institutions voluntarily graded their readiness and shared scores with 
regulators on a global basis. This incentivized the entire sector to be 
prepared. Following 9/11, the financial sector decided to coordinate to 
enhance its readiness and to more effectively collaborate with the 
Government, forming the Financial Services Sector Coordinating Council 
(FSSCC) in 2002. This closely followed Federal and State financial 
regulators, which, led by the U.S. Department of the Treasury, formed 
the Financial and Banking Information Infrastructure Committee (FBIIC) 
earlier in 2002. More information about FBIIC may be found at 
fbiic.gov. The financial sector effectively established its own 
Government and sector coordinating councils well before the creation of 
the U.S. Department of Homeland Security, illustrating its commitment 
to partnership, as well as its ability to innovate, to be ahead of the 
curve on matters like the protection of its own critical 
infrastructure.
    The FSSCC is comprised of the sector's key organizations, through 
which nearly the entire sector is represented, including the American 
Bankers Association; the Bank Policy Institute (BPI) and BITS, its 
technology policy division; the Securities Industry and Financial 
Markets Association (SIFMA); the Analysis and Resilience Center for 
Systemic Risk (ARC); the Independent Community Bankers of America and 
the FS-ISAC. I would like to recognize the current FSSCC chair and vice 
chair (respectively) for their leadership and partnership: Ron Green, 
chief security officer of Mastercard; and Chris Feeney, executive vice 
president at BPI and president of BITS. An overview of FSSCC is 
attached and a full list of members can be found at fsscc.org.
    During FSSCC's 20 years, the FS-ISAC evolved into the operational 
arm of FSSCC, complementing FSSCC's role as the policy arm on critical 
infrastructure protection matters. The FS-ISAC developed a playbook 
that outlines how it responds to cyber threats and incidents on a daily 
basis. It includes a section developed in coordination with FSSCC, 
SIFMA, and FBIIC that lays out a process for these four sector 
organizations to come together, if necessary, in response to a 
significant incident--forming the Core Executive Response Group (CERG), 
to ensure information is distributed as appropriate across the sector.
    The CERG proved valuable during the early phases of COVID-19. As we 
watched the virus spread at the end of 2019 and beginning of 2020, we 
recognized the need for the sector, public and private, to discuss how 
we should respond to it and share ideas for protecting financial 
institutions and customers alike by keeping critical infrastructure 
operating. FS-ISAC called together the CERG on January 30, 2020, ahead 
of most alarm bells going off in the United States, to be prepared if 
the inevitable occurred. The CERG participants met for nearly 18 
months, sharing information about the virus, addressing common 
challenges and sharing effective practices for operating in the face of 
it. During this time, we also tackled SolarWinds, a Microsoft Exchange 
vulnerability and other incidents that arose while still managing the 
effects of the COVID-19 pandemic.
    Though largely unknown, this CERG experience exemplifies the 
success of the public/private partnership within the financial sector. 
Leadership from the Treasury Department and the Cybersecurity and 
Infrastructure Security Agency (CISA), along with Federal and State 
regulators, met regularly--often multiple times per week--with their 
counterparts from FS-ISAC, financial trade associations, and key 
financial firms to ensure customers could continue to receive financial 
products and services through the challenging early phases of the 
pandemic.
    Our sector collaboration also extends beyond the financial sector 
itself. We are members of the National Council of ISACs, sharing 
information regularly with other member ISACs, particularly during 
critical events and incidents. Given financial sector reliance on 
telecommunications and electricity, FSSCC and FS-ISAC led the 
development of a tri-sector playbook in 2018. The three sectors 
exercised the playbook prior to the pandemic and regularly used it 
during the pandemic to ensure information flowed freely among these 
three sectors.
    The sector's collaboration with the Treasury Department, as our 
Sector Risk Management Agency (SMRA), constitutes another important 
component of the partnership. The Treasury Department helps ensure that 
CISA receives accurate, comprehensive information about current sector 
operations and any potential incidents. Moreover, the Treasury 
Department coordinates with the sector and CISA to identify sector 
risks and then assess and mitigate them through, for example, informing 
National Critical Functions, conducting regular exercises to test 
preparedness and emergency planning. The value of the Treasury 
Department's SRMA role came to thefore ahead of the current 
geopolitical crisis, which I will address shortly.
    I have elaborated at length on the partnerships within the 
financial sector, because we responded to the crisis of the moment 
within this context. The FS-ISAC knows well how to promote the 
resilience of our members, and we do so in conjunction with our 
financial sector partners, public and private, in a familiar, trusted, 
and effective fashion. As such, the effective role played by our public 
sector partners must be acknowledged.
             current collaboration with the u.s. government
    We applaud the Biden-Harris administration and its various Federal 
Government components on the expeditious and early sharing of 
information throughout the escalating geopolitical situation in Eastern 
Europe and current Russian invasion of Ukraine. The sector appreciated 
the paradigm shift from reactive to proactive warnings forecasting 
Russian military action, the potential for Russia to engage in 
malicious cyber activity against the United States and evolving 
intelligence that Russia may be exploring options for potential cyber 
attacks. The repeated, consistent messaging and realistic context 
provided by CISA, the Federal Bureau of Investigations (FBI), the 
Treasury Department and other Government organizations allowed our 
sector to prepare for and institute the necessary security precautions, 
motivating institutions to conduct expeditious reviews of their 
incident response and regional personnel evacuation plans.
    This early and continued sharing of indicators of compromise (IOCs) 
and warnings by CISA and the Treasury Department prompted the financial 
sector to open emergency communications channels prior to the 2021 
holiday season and activate the sector's CERG on December 15, 2021. On 
this recurring call, Government leadership, including the Treasury 
Department, CISA, and Government regulators, provides updates on 
emerging vulnerabilities and associated mitigations, as well as current 
sanctions announcements, and facilitates the regular exchange of 
preparation activities taken by the sector.
    As part of its role as the National coordinator for critical 
infrastructure security and resilience, CISA has actively engaged with 
its Government and industry partners, including our SRMA, to share 
Classified and un-Classified information. The rapid de-Classification 
and passage of IOCs and malicious internet protocol (IP) addresses to 
the sector by the Federal Government is commended. Financial sector 
representatives have participated in several broad cross-sector 
information calls, as well as monthly un-Classified and Classified 
briefs hosted by the Treasury Department. There are also weekly 
intelligence collaboration sessions with the Treasury Department and 
ARC member firms.
    Additionally, the establishment of CISA's ``Shields-Up'' web page, 
available at cisa.gov, has proven to be a great awareness tool for 
critical infrastructure organizations--and the business community as a 
whole--housing in one place the latest technical products and security 
guidance and steps organizations, businesses, and individuals can take 
to heighten their security posture and ensure they are prepared for a 
disruptive cyber incident. In addition to the various alerts, 
advisories, and insight products, CISA also established a catalog of 
free services from Government partners, the open-source community, and 
its Joint Cyber Defense Collaborative (JCDC) members to assist with the 
challenge of identifying resources to address urgent security issues. 
My organization, as well as our sector's trade associations and other 
partners, have consistently amplified these information products and 
resources to thousands of organizations around the country.
    Operationally, the FS-ISAC, along with other representatives of the 
financial services sector, have engaged directly with CISA and the 
Treasury Department via a dedicated JCDC communications channel to 
foster near-real-time information sharing. The JCDC brings together 
public and private partners to begin to unify defensive actions and 
drive down risk in advance of cyber incidents occurring and help 
strengthen the Nation's cyber defenses through planning, preparation, 
and information sharing. This direct engagement within the JCDC has 
also allowed the FS-ISAC analysts to provide sector specific insights 
and review technical exchanges for sector implications that can then be 
distributed to the sector at large.
    Let me now turn to the current cyber threat and the manner in which 
the financial sector is handling it.
                          state of the sector
    As I write this statement, the financial sector has not experienced 
an increased level of cyber attacks coming from Russia. Of course, we 
are always tracking ``background noise'' in terms of low-level cyber 
attacks, mostly from threat actors scanning for vulnerabilities. 
However, outside of the conflict zone, we are not seeing any 
significant uptick in attacks attributable to any specific geography or 
threat actor. I reiterate that this assessment holds true as I prepare 
to deliver this statement to the committee, but we are always on the 
watch in the event this changes.
    Over the last 100 days, the financial sector has taken various 
precautionary steps to not only ensure our individual organizations, 
but also the sector as a whole, is as prepared as it can be at this 
point. As described previously, the sector's various coordination and 
information-sharing elements have amplified the administration's 
warnings and cyber alerts/advisories to thousands of entities around 
the world, as well as participated in an assorted array of un-
Classified and Classified stakeholder engagement opportunities. Our 
recurring CERG calls with leaders from across the sector have ensured 
we will be aware of any change in the security of the financial system.
    Currently, the FS-ISAC Cyber Threat Level (CTL), a barometer of the 
cyber threat landscape as collectively determined by our member 
financial firms, is elevated. Elevated is the second level of four 
levels on the scale; the CTL has not been raised to high or severe, for 
the reasons noted previously. This means that the financial sector is 
in a state of heightened cybersecurity awareness and is taking extra 
steps to strengthen cyber defenses. There is heightened awareness and 
diligence across most of the globe, given that the adversary is well-
practiced and--armed on the cyber side. However, the cybersecurity 
measures highlighted last week by the administration are critical 
baseline practices and should always be implemented to increase 
preparedness and operational resilience.
    Financial institutions, and banks in particular, have always had to 
protect themselves. Long before cyber threats existed, criminals like 
Willie Sutton targeted banks because ``that was where the money was.''
    Criminals have since evolved, using sophisticated tools to attack 
financial institutions, and some nation-states have followed suit. 
Fortunately, the sector's ability to thwart such attacks has evolved in 
tandem, and the financial system remains attentive to and is well-
prepared to defend against potential sophisticated Russian cyber 
attacks.
    The FS-ISAC and other sector organizations have been raising the 
level of cyber resilience within the sector for more than 20 years. 
Working with thousands of financial firms around the world, we know the 
tactics, techniques, and procedures used by Russian state and non-state 
actors up until now. Given that, our members have been preparing to 
defend themselves by securing networks and servers, ensuring data is 
properly backed up, patching vulnerabilities, reducing access to 
systems to the absolute minimum, exercising to practice how to respond 
in various scenarios, and, of course, heightening vigilance across the 
board. The financial sector recognizes that preparation is the most 
important component, as targets do not receive the same type of 
``heads-up'' warning with cyber incidents as in a kinetic war. Our 
organizations always need to be prepared.
                 improving public/private collaboration
    The public/private partnership is not simply alive and well; it 
thrives within the financial sector. I cannot speak more highly of the 
value provided by the Treasury Department, CISA, FBIIC, FBI, and U.S. 
Secret Service to the cause of enhancing resilience. All are to be 
commended for their contributions. Of course, as in any endeavor, 
improvements can always be made. To that end, I offer two brief items 
for enhancing collaboration.
   The Treasury Department and CISA have recently increased the 
        amount of information shared with the sector, and I applaud 
        them for it. With respect to both Classified and un-Classified 
        information, we encourage this trend to continue and increase, 
        for the greater protection of the sector.
   The highly regulated and global financial sector faces a 
        variety of incident reporting requirements. We urge 
        collaboration to minimize the operational impact of multiple 
        incident reporting requirements unique to the financial sector.
    These suggested improvements do not detract from the productive 
partnership that serves the financial sector and its customers so very 
well. The sector's secure posture in the light of Russian cyber threats 
testifies, in no small part, to that partnership.
                               conclusion
    In closing, I wish to reiterate that the financial sector is 
currently secure but remains highly vigilant. That we have not yet seen 
the attacks anticipated does not mean they will not come. If they do, 
the sector will be prepared. The FS-ISAC and our fellow sector 
organizations stand ready to work with the administration, Congress and 
this committee in any way we can to protect the financial sector, its 
customers and economic security. Please do not hesitate to call upon 
us.
    Thank you again for the opportunity to testify before you today. I 
am happy to answer any questions Members of the committee may have.
    Attachments:
   FS-ISAC Annual Global Intelligence Office Report, 
        ``Navigating Cyber 2022'' (March 2022)
   Financial Services Sector Coordinating Council (FSSCC) 
        Overview
   Sheltered Harbor Overview
   Financial Data Exchange (FDX) Overview
  
  
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   


    Mr. Torres. Thank you for your testimony. I now recognize 
Mr. Yoran to summarize his statement for 5 minutes.

    STATEMENT OF AMIT YORAN, CHAIRMAN AND CEO, TENABLE, INC.

    Mr. Yoran. Thank you, Chairman Torres, Ranking Member 
Katko, and Members of the committee. Thank you for the 
opportunity to testify today and your leadership during this 
incredibly important time.
    I am Amit Yoran, chairman and CEO of Tenable. With over 
40,000 customers world-wide, including just about every Federal 
department and agency, a majority of the Fortune 500, and 
numerous Global 2000 organizations, Tenable is the world's 
leading provider of vulnerability management and cyber risk 
assessment capabilities.
    Recently, LAPSUS$ has shown that with only $25,000 a group 
of teenagers could get into organizations with mature 
cybersecurity practices. Consider Russia, with much deeper 
pockets, focus, and mission, targeting critical infrastructure. 
That should be a sobering, if not terrifying, call to action.
    U.S. critical infrastructure is a complex network of 16 
interconnected sectors, each with varying degrees of 
cybersecurity preparedness and risk management practices. Many 
organizations increasingly interconnect IT and OT systems in 
pursuit of improved efficiency resulting in increased 
vulnerability. These risks are exacerbated when exposing slow-
moving, highly-structured environments to the pace, speed, and 
dynamic threats introduced through the IT world.
    Last year's Colonial Pipeline and ensuing gas supply 
failures serve as a stark example of the potential impact of 
increasing IT-OT convergence and the importance of basic cyber 
hygiene. Government policy should not allow for learned 
helplessness by Government agencies or private industry. There 
is too much at stake for individuals and organizations to 
remain negligent, not taking even the basic steps to improve 
their cyber posture and manage cyber risk proactively.
    CISA has already recommended best practices that 
organizations can implement to prepare themselves from a cyber 
perspective through its Shields Up initiative. These 
recommendations align strongly with the best practice 
recommendations of numerous security advocacy groups, industry 
associations, working groups, and regulatory bodies. 
Organizations that fail to implement these basic steps should 
be held accountable.
    The SEC's proposed cybersecurity risk management strategy, 
governance, and disclosure would require public companies to 
disclose their policies and procedures for identifying and 
managing cybersecurity risks, management's role in implementing 
cyber policies and procedures, and the board of directors' 
cybersecurity expertise. This proposal stands alongside the 
recently passed Cyber Incident Reporting legislation for timely 
and transparent notification of cyber breaches as the two 
actions that would most dramatically improve our cybersecurity 
preparedness as a Nation. Requiring greater transparency of 
cyber risk practices and oversight, forces companies to treat 
cybersecurity risk as business risk and will lead to stronger 
cybersecurity governance and accountability among corporate 
leaders and boards. This results in more effective 
cybersecurity, period.
    For decades now, critical infrastructure operators have 
highlighted the complexity, impracticality, and challenges of 
updating infrastructure software, applying patches, and 
hardening their systems. I will not minimize the seemingly 
overwhelming nature of these tasks from where we sit today. But 
these things can be done. We should be able to design, develop, 
and deploy critical infrastructure software that is capable of 
being patched and operated in a protected, secure, and 
resilient fashion.
    I can tell you, that unless we make a stand, unless we show 
our resolve, unless we demonstrate our commitment to a more 
secure future, there will be a hearing like this one decades 
from now wondering why responsible action wasn't taken. While 
Americans remain at strategic risk, we can only conclude that 
market forces around cybersecurity have not achieved successful 
equilibrium. Free markets work best with risk informed decision 
making and transparency. Pushing for such a regulatory regime 
should be a nonpartisan effort. Such an effort would fuel, not 
stifle, innovation, discover new approaches in cybersecurity, 
and new approaches in critical infrastructure service delivery.
    Thank you, again, Chairman Torres, Ranking Member Katko, 
and all the Members of the committee, for your attention to 
this important topic. I look forward to working with you and 
your colleagues, as cybersecurity remains a critical issue 
facing our Nation and economic security. I appreciate the 
opportunity to testify today and look forward to answering your 
questions.
    [The prepared statement of Mr. Yoran follows:]
                    Prepared Statement of Amit Yoran
                             March 30, 2022
                              introduction
    Chairman Thompson, Ranking Member Katko, and Members of the 
committee, thank you for the opportunity to testify today on securing 
our critical infrastructure against Russian cyber threats. We are at a 
major inflection point in history and how we respond will make all the 
difference. Thank you for your leadership always, and particularly at 
this incredibly important time.
    My name is Amit Yoran and I am the chairman and CEO of Tenable. I 
have spent more than 20 years in the cybersecurity field, both as a 
public servant and in industry. I earned a master's in computer science 
from The George Washington University and a bachelor's in computer 
science from the United States Military Academy. I served as the 
director of the National Cybersecurity Division and as the founding 
director of the United States Computer Emergency Readiness Team (US-
CERT) program. Additionally, I have served on a number of Presidential 
advisory commissions. As an innovator and entrepreneur in the security 
space, I founded and built two security companies: Riptech, acquired by 
Symantec; and NetWitness, from which I went on to serve as the 
president of RSA after it acquired NetWitness. I have also served as a 
director and advisor to security startups and industry advisory boards. 
I have previously testified before Congressional committees on 
cybersecurity policy, encryption, and other related issues.
    The company I lead, Tenable, is headquartered in Columbia, 
Maryland. Tenable has over 1,600 employees globally and more than 
40,000 customers world-wide. Tenable is publicly traded on the NASDAQ 
and is the world's leading provider of vulnerability management 
capabilities. Our company provides organizations with an unmatched 
breadth of visibility and depth of analytics to measure and communicate 
cyber risk. We believe cybersecurity is foundational to making better 
and more strategic decisions. Our goal is to eliminate blind spots and 
help organizations prioritize which actions they can take to most 
efficiently reduce exposure and loss.
    Simply put, Tenable empowers organizations of all sizes to 
understand and reduce their cyber risk. For the Federal Government 
specifically, Tenable provides the most widely-deployed vulnerability 
assessment solution, serving just about every department and agency. 
Our solutions are also broadly used by State and local governments to 
manage cyber risk.
                        understanding the threat
    Knowing what the threat is, the impact it could have on your 
systems and how to respond is far more important than knowing where the 
threat is coming from.
    Understanding where the threat is coming from is useful from the 
perspective of National cyber strategy, defense, and intelligence. It 
can also help determine how to prioritize remediations based on the 
motivations of threat actors. Beyond that, knowing where a threat is 
coming from has little impact on how an organization responds. For 
almost all organizations, cybersecurity risk management practices are 
the same regardless of whether the attack is coming from the Russians, 
other nation-states, cyber criminals, or other bad actors.
    Ransomware against critical infrastructure providers is incredibly 
profitable for cyber criminals, as demonstrated by the Conti ransomware 
data leaks. The Conti group and its affiliates reportedly made use of 
over 30 known vulnerabilities, some of which were first disclosed in 
2018. The Conti bitcoin wallet data showed more than $1 billion had 
been paid, creating a massive funding method for Russian actors. 
Ransomware is also a very flexible weapon, as demonstrated by the 
Russian-attributed malware BlackEnergy and CrashOverride, both of which 
were used in attacks against the Ukrainian power grid, and were very 
sophisticated and modular with payloads that could be delivered in 
near-real time to the victim. Two separate indictments from the 
Department of Justice (DOJ) were unsealed on March 25, charging four 
Russian nationals for extensive hacking campaigns against critical 
infrastructure providers world-wide.\1\
---------------------------------------------------------------------------
    \1\ TechTarget, ``US indicts Russian nationals for critical 
infrastructure attacks,'' https://www.techtarget.com/searchsecurity/
news/252515161/US-indicts-Russian-nationals-for-critical-
infrastructure-attacks.
---------------------------------------------------------------------------
    LAPSUS$ has shown that with only $25,000, a group of teenagers 
could gain access into organizations that have even the most mature 
security practices. The thought of a nation-state--with much deeper 
pockets, focus, patience and a mission--targeting these sectors should 
be a sobering, if not terrifying, call to urgent action.
               the state of u.s. critical infrastructure
    Last week, President Biden warned of the potential for Russian 
cyber attacks against the United States in response to the economic 
costs we have imposed following the invasion of Ukraine. He urged 
Governors, private-sector partners, and critical infrastructure 
providers to harden their cyber defenses immediately. The White House 
also issued a Fact Sheet, ``Act Now to Protect Against Potential 
Cyberattacks,'' that called for companies to deploy multi-factor 
authentication, continuous monitoring, and threat mitigation, to make 
sure systems are patched and protected against all known 
vulnerabilities, build security into products from the ground up, and 
use modern tools to check for known and potential vulnerabilities.
    Critical infrastructure is not one thing, and most critical 
infrastructure industries vastly differ. The Cybersecurity and 
Infrastructure Security Agency (CISA) has identified 16 critical 
infrastructure sectors in the United States, including financial 
services, energy providers, water and wastewater treatment facilities, 
and transportation systems. There is no singular defense paradigm that 
could effectively be applied across all the sectors. Some critical 
infrastructure providers have a high degree of cybersecurity 
preparedness, strong risk understanding and risk management practices, 
and very strong security programs. Others are woefully ill-prepared.
    All critical infrastructure sectors continue to undergo digital 
transformation, resulting in an expanding cyber attack surface. New 
technology investments represent great efficiency opportunities, like 
the move to smart factories and smart cities, but these shifts can 
introduce real gaps in security. Without enhancements to security and 
resiliency, critical infrastructure providers are left unprepared to 
address cyber threats.
    Just this week, a new report from the Center for Strategic and 
International Studies (CSIS) and Trellix, yet again, put this lack of 
preparedness in writing. The report, based on survey results from 800 
IT decision makers from several countries around the world, including 
the United States, found that 9 percent of critical infrastructure 
operators don't even have a cybersecurity strategy in place, despite 
the fact that 85 percent of respondents believe they have been targeted 
by a nation-state cyber threat.
    Certain critical infrastructure sectors better understand strategic 
risk assessments and cyber risk management as a discipline. Generally 
speaking, the cybersecurity practices in these markets and industries 
have been more highly regulated than others.
    For example, the financial services sector has long relied on IT 
and has built strong cyber risk management processes and practices. 
Most modern banks realize that, in many ways, they are technology 
companies. For decades, everything from bank accounts to transactions 
to data analytics have been digitized, resulting in a culture of strong 
security practices. These security practices have been encouraged 
through a high level of regulation and oversight. While dramatic 
differences can be found in the security readiness of individual banks, 
the sector as a whole has strong security and is resilient as a 
critical infrastructure.
    For years, the electric industry operated on voluntary compliance 
of reliability standards, but following the Northeast blackout of 2003, 
Congress authorized the mandatory development of reliability standards, 
which included cybersecurity (Energy Policy Act of 2005).
    Due, in part, to regulation by the Federal Energy Regulatory 
Commission (FERC), which oversees the reliable operation of the bulk 
power system, the electric sector has improved cyber resiliency. FERC 
certified the North American Electric Reliability Corporation (NERC) to 
oversee electric reliability, and as part of its definition of 
resilience, included cybersecurity as critical. Today, cybersecurity 
standards in the energy sector continue to be developed and enforced by 
NERC resulting in improved security and reliability.
    As IT and operational technology (OT) systems become increasingly 
interconnected, even some well-managed critical infrastructure sectors 
remain at risk. For example, some industries, such as mining, chemical 
plants, and fuel pipelines, already have safety systems to prevent 
destruction of physical infrastructure and bodily harm or loss of life. 
However, as organizations increasingly interconnect their IT and OT 
systems in the pursuit of improved efficiency, more control settings 
become digitized. As a result, the effectiveness of some of these 
safety measures may be brought into question.
    On May 7, 2021, Colonial Pipeline was hit with a ransomware attack 
that caused the company to shut its operations for 6 days, prompting 
the President of the United States to issue a state of emergency. The 
compromise affected billing systems responsible for tracking and 
invoicing the amount of fuel each distributor receives. These business 
systems were actually located in the organization's IT environment, not 
its OT environment. The OT systems that control the pipeline itself 
were not directly accessed in the attack. Yet, the fear and uncertainty 
of the possible reach of the attack contributed to Colonial Pipeline's 
decision to shut down pipeline operations. Colonial Pipeline ultimately 
ended up paying the hacking group DarkSide a total of 75 bitcoins ($4.4 
million) for the ability to unlock its systems and get fuel back out to 
a majority of the East Coast. This highly visible incident serves as a 
stark example of the potential negative impact of increasing IT/OT 
convergence.
    The Colonial Pipeline incident also highlights the importance of 
maintaining cyber hygiene. The attack vector in this case was the 
cracking of a password for an account no longer in use, that had remote 
access to the corporate network. Enabling multi-factor authentication 
and disabling dormant accounts are simple but effective examples of 
things that need to be done methodically and rigorously to reduce 
exposure.
    Other critical infrastructure sectors have not prioritized cyber 
and are largely blindsided by cyber as a strategic risk. Some of these 
sectors haven't historically thought of interconnectivity, access, 
complexity, and digitization as strategic cyber risk and haven't been 
regulated in that way.
    For example, many health care providers and hospitals have long 
viewed IT as a cost efficiency play for automation and sharing 
information when needed to provide better care, not necessarily a 
strategic asset. Consequently, attackers have caught many health care 
organizations off guard.
    Ransomware attacks on the health care sector have demonstrated its 
susceptibility to cyber attacks and have often exposed poor cyber 
hygiene practices. WannaCry, which took advantage of a well-known 
vulnerability for which patches were widely available and broadly 
distributed, shut down hospitals around the world. Even though medical 
equipment was still operating, hospitals couldn't on-board new patients 
or use their systems to track the distribution of medicines. Just last 
year, Scripps Healthcare, a non-profit health care organization with 5 
hospitals and 19 outpatient facilities in Southern California, was hit 
with a ransomware attack that impacted critical IT and back-up systems. 
Scripps was forced to reroute stroke and heart attack patients to other 
facilities, an impact that could have cost lives. The company lost 
nearly $113 million as an immediate result of the attack, and now faces 
a class action lawsuit due to the medical records of nearly 150,000 
patients being exposed.
    While the Scripps example is a costly one, it is but one example of 
how much ransomware attacks are costing our medical industry. If we 
look at the number of ransomware attacks across the health care 
industry alone in 2020, combining the ransoms paid and the amount of 
downtime tracked, there was a loss of $20.8 billion. This is double 
what it was in 2019 and 10 times more than in 2018.\2\
---------------------------------------------------------------------------
    \2\ HIPPA Journal, ``Scripps Health Ransomware Attack Cost 
Increases to Almost $113 Million,'' https://www.hipaajournal.com/
scripps-health-ransomware-attack-cost-113-million/; GovInfoSecurity, 
``Scripps Health Reports Financial Toll of Ransomware Attack,'' https:/
/www.govinfosecurity.com/scripps-health-reports-financial-toll-
ransomware-attack-a-17288; Comparitech, ``Ransomware attacks on US 
healthcare organizations cost $20.8bn in 2020,'' https://
www.comparitech.com/blog/information-security/ransomware-attacks-
hospitals-data/
#How_much_did_these_ransomware_attacks_cost_healthcare_organizations_in_
2020.
---------------------------------------------------------------------------
    A closer look at the data reveals stark differences among critical 
infrastructure sectors. According to Tenable's own vulnerability data, 
financial services organizations and organizations in the energy 
sector, which encompasses more than the electric sector, average about 
the same number of critical vulnerabilities per device, showing a 
relative approximation in the maturity of their cyber practices. 
Contrast that with health care and manufacturing, which average twice 
as many critical vulnerabilities per device. The median time for 
financial services and energy sector organizations to remediate a 
critical vulnerability is approximately 12 days, while manufacturing 
and health care average 29 and 32 days, respectively. This gap provides 
adversaries ample opportunity and highlights the sample disparities in 
the cyber maturity of these sectors.
    There are also vast disparities in the amount of funding available 
to critical infrastructure providers. Many systems run by 
municipalities, such as water and wastewater, do not have the same 
funding or cybersecurity expertise to combat the evolving threats. In 
February 2021, a water treatment plant was breached in Oldsmar, 
Florida, a town of 15,000. The attacker attempted to change the 
alkaline levels in the water to a level that would severely damage 
human tissue. It's another striking example of the risks of IT/OT 
convergence; the attacker gained access to a remote IT management 
software called Team Viewer, and from there ``accessed the system by 
exploiting cybersecurity weaknesses including poor password security, 
and an outdated Windows 7 operating system,'' according to the FBI. 
This attack further demonstrates the significance of proper system 
hygiene.\3\
---------------------------------------------------------------------------
    \3\ ABC News WFTS Tampa Bay, ``FBI: Water system hack likely caused 
by remote access program, old software and poor password security,'' 
https://www.abcactionnews.com/news/local-news/i-team-investigates/fbi-
water-system-hack-likely-caused-by-remote-access-program-old-software-
and-poor-password-security; Wired, ``A Hacker Tried to Poison a Florida 
City's Water Supply, Officials Say,'' https://www.wired.com/story/
oldsmar-florida-water-utility-hack/.
---------------------------------------------------------------------------
    Some critical infrastructure sectors, including the energy sector's 
oil and gas refining and extraction industries, are still largely 
unregulated when it comes to cybersecurity, and that is a particularly 
concerning scenario when we consider that those critical systems are 
frequently managed using workstations running on outdated operating 
systems and software. It's worth noting that pipeline owners and 
operators are now subject to new baseline cybersecurity standards 
through a TSA Directive,\4\ however the rest of the sector remains 
largely unregulated.
---------------------------------------------------------------------------
    \4\ U.S. Department of Homeland Security, ``DHS Announces New 
Cybersecurity Requirements for Critical Pipeline Owners and 
Operators,'' https://www.dhs.gov/news/2021/05/27/dhs-announces-new-
cybersecurity-requirements-critical-pipeline-owners-and-operators.
---------------------------------------------------------------------------
         rapid connectivity and the risks of it/ot convergence
    A recent assessment of an available search engine for internet-
connected devices revealed that more than 28,000 Industrial Control 
Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) 
systems are directly accessible from the internet.\5\ While not 
directly accessible from the internet, countless more can be accessed 
via increasingly popular service portals, which can themselves be 
compromised. Combine that with human error and frequency of poorly 
configured software, and the rapid connectivity required to keep 
today's OT environments running efficiently, we may be entering an era 
which exponentially hastens systemic cybersecurity failures. Systems 
that are interconnected in ways they weren't designed leads to 
complexity and breeds insecurity.
---------------------------------------------------------------------------
    \5\ Shodan, https://www.shodan.io/.
---------------------------------------------------------------------------
    These systems, and other OT technologies used in critical 
infrastructure environments, are notoriously difficult to patch because 
systems may have to be taken down and thoroughly tested each time an 
update is made. Existing operating models for most OT environments, 
such as power plants, gas pipelines, and manufacturing plants, leave 
little margin for downtime. These companies have historically tried to 
reduce their exposure by highly segmenting their environments, but the 
increase of IT/OT convergence is making segmentation less effective, 
resulting in systems that can't be patched or secured as targets.
    Furthermore, many critical infrastructure organizations still fail 
to segment their IT and OT environments. There are increasingly 
compelling business reasons to create interconnection points between 
these environments, but doing so without an appreciation of the 
consequences such actions represent can result in system risks which 
are not understood.
             what can critical infrastructure providers do?
    Critical infrastructure providers have a duty of care, highlighted 
in turbulent times, to be responsible stewards of the services that are 
relied on by millions of Americans. Protecting ourselves means knowing 
what's on your network and maintaining it in good working order, which 
includes protecting against known vulnerabilities.
    As more people have access to these systems, security quickly 
breaks down unless tight identity management practices are in place. 
Systems must be treated as if a sophisticated adversary already has or 
can gain access.
    CISA released insightful guidance on recommended practices that 
organizations can take to best prepare themselves from a cyber 
perspective. Some of these practices include:
   Asset Inventory and Risk Characterization.--The foundation 
        for every security framework, whether IT or OT, always begins 
        with visibility into the assets for which you are responsible. 
        It is critically important to be able to understand the network 
        layout of your environments, the systems that reside in those 
        networks, the software installed, how they are configured, how 
        they are accessed, and the function they serve to the mission 
        of the organization. Only when you have this level of 
        visibility can you begin to quantify the risk profile of these 
        environments and a strategy to secure it.
   Vulnerability and Patch Management Program.--It is important 
        for every organization to follow a well-defined vulnerability 
        and configuration management program that is able to not only 
        identify Common Vulnerabilities and Exposures (CVEs) in the 
        environment, but also identify how these critical systems are 
        configured and identify when those configurations change. They 
        also need well-defined processes in place to remediate issues 
        identified through patch and configuration management programs 
        that take into account the complexities of the systems running 
        and the importance they play to the organization.
   Network Segmentation and Remote Access.--Historically, OT 
        systems have been completely separated from other environments. 
        With the convergence of IT/OT systems, this practice is 
        increasingly untenable and frequently violated. Whether it is 
        Active Directory trusts between corporate and OT domains, or 
        remote access being granted to enable remote access for 
        monitoring or troubleshooting purposes, interconnectivity of 
        systems is already today's reality. A continual audit of access 
        and interconnectivity into these environments is an absolute 
        imperative, and that includes assessing and monitoring the 
        integrity of the Active Directory and other access control 
        systems. Who is allowed to connect to them and the hygiene of 
        the systems that are connecting are foundational to 
        understanding the integrity of and risk to critical 
        infrastructures.
   Cybersecurity Training/Education on OT.--Because OT 
        environments have historically been separated from everything 
        else, the notion of securing them is relatively new for both IT 
        personnel as well as OT engineers. Training must be mandatory 
        for OT engineers, who have typically not had to consider the 
        cyber risks their actions or inactions might introduce. IT 
        security teams in these organizations must also undergo 
        training to better understand the ways that OT systems differ 
        from IT, and the unique challenges associated with securing 
        critical infrastructure.
                 how can the government help industry?
    Government policy should not allow for ``learned helplessness'' by 
Federal Government agencies or private industry. Helplessness allows 
individuals and organizations to remain negligent and avoid 
accountability for not taking even the most basic steps to improve 
cyber posture. Government can surely play a stronger role in 
deterrence, to include thoughtful consideration of offensive 
capabilities, attributing attacks and establishing retorts and 
countermeasures as appropriate; however, those efforts should not 
replace strong basic cyber hygiene practices.
    Tenable recommends the following steps that Government should 
implement to enhance the cyber preparedness of U.S. critical 
infrastructure:
   Establish baseline cybersecurity standards of care for 
        critical infrastructure that align with international standards 
        and the National Institutes of Standards and Technology (NIST) 
        Cybersecurity Framework, based on effective cyber hygiene 
        practices.--Basic cyber hygiene for critical infrastructure 
        operators includes continuous understanding of what assets are 
        on your network, ensuring strong identity and access 
        management, scanning for and patching known vulnerabilities, 
        and implementing incident detection and response capabilities.
   Finalize and implement the proposed SEC rule that requires 
        public companies to disclose their policies and practices to 
        address their cybersecurity risks.--The SEC's Proposed Rule on 
        Cybersecurity Risk Management, Strategy, Governance and 
        Disclosure would require public companies to disclose their 
        policies and procedures for identifying and managing 
        cybersecurity risks, management's role in implementing cyber 
        policies and procedures, and the board of directors' 
        cybersecurity expertise.\6\ This is the single action that 
        would most dramatically improve our cybersecurity preparedness 
        as a Nation. Requiring greater transparency of cyber risk 
        practices and oversight forces companies to treat cybersecurity 
        risk as a business risk and will lead to stronger cybersecurity 
        governance and accountability among corporate leaders and 
        boards, and ultimately more effective cybersecurity practices.
---------------------------------------------------------------------------
    \6\ Cyberspace Solarium Commission, Final Report, https://
www.solarium.gov/report.
---------------------------------------------------------------------------
     Cybersecurity breaches can damage a company's financial 
            condition. In addition to the costs of remediation from a 
            cyber attack and loss of customers, revenue, and 
            reputation, there are risks of shareholder lawsuits, 
            customer lawsuits, increases in insurance premiums and 
            increased scrutiny from external auditors and the board of 
            directors. There are indirect consequences to cyber 
            failures as well; cyber attacks can distract management, 
            resulting in new problems; they can also trigger customer 
            audits of a company's cybersecurity defenses, which can 
            lead to the involvement of outside counsel and other third 
            parties, and significant added expenses.\7\ In forcing 
            corporate leadership to pay attention, this proposal serves 
            as the most significant driver for companies to establish 
            baseline cybersecurity practices and processes.
---------------------------------------------------------------------------
    \7\ Harvard Business Review, ``The SEC Is Serious About 
Cybersecurity. Is Your Company?'' https://hbr.org/2021/09/the-sec-is-
serious-about-cybersecurity-is-your-company.
---------------------------------------------------------------------------
   Implement the cyber incident reporting requirements included 
        in the fiscal year 2022 Omnibus Appropriations bill.--CISA must 
        implement these new requirements in a way that will enable 
        actionable incident information to be shared with owners and 
        operators of critical infrastructure systems so that they can 
        take steps to protect themselves and seek to mitigate any on-
        going attacks.
   Support and strengthen value-added engagement between the 
        private sector and public sector.--The JCDC, of which Tenable 
        is a member, is bringing together representatives from private 
        industry and key Government agencies to drive strategic 
        planning and incident response capabilities. This type of 
        operational Government-industry engagement has been a positive 
        step forward, and we thank CISA and Director Jen Easterly for 
        their continued support and urge them to continue strengthening 
        the JCDC's alignment.
    In response to the on-going Russia-Ukraine conflict, CISA 
        established its Shields Up initiative to encourage all 
        organizations to adopt a heightened posture of vigilance. 
        Shields Up has developed helpful resources to empower 
        organizations to prepare for and defend against cyber attacks.
               protecting government networks and systems
   Accelerate effective Zero Trust implementation by Federal 
        agencies.--Congress should provide Federal agencies with the 
        resources needed to implement Cyber Executive Order 14028 to 
        modernize and strengthen our collective cyber defenses, 
        recognizing that Zero Trust is a philosophy that dictates 
        systems design and operation, not a singular product.
   Strengthen Government networks by including protection of 
        Federal OT and Active Directory services in the Continuous 
        Diagnostics and Mitigation (CDM) Program:
     OT.--Federal civilian agencies own and operate a multitude 
            of OT and ICS, particularly through the Departments of 
            Energy and Commerce. However, the Government doesn't 
            currently have a firm grasp of all the assets it controls. 
            By adding OT/ICS security to the CDM program, Government 
            agencies will be required to conduct an inventory of their 
            OT/ICS systems, and to take steps to strengthen their 
            security.
     Active Directory.--Active Directory is one of, if not the 
            most highly targeted and compromised pieces of 
            infrastructure. These systems provide access control across 
            the network and persistence should attacks be detected. As 
            highlighted by the Mandiant breach disclosures, Russian and 
            other foreign intelligence services are actively targeting 
            Active Directory when going after U.S. Government systems. 
            All Government systems must incorporate Active Directory 
            security to ensure least privileges for user identities, 
            and to scan for misconfigurations that can be exploited to 
            gain access to Active Directory and monitor for on-going 
            suspicious and high-risk activities within Active 
            Directory.\8\
---------------------------------------------------------------------------
    \8\ U.S Department of Commerce, ``NOAA Inadequately Managed Its 
Active Directories That Support Critical Missions,'' https://
www.oig.doc.gov/OIGPublications/OIG-22-018-A.pdf.
---------------------------------------------------------------------------
   Implement Section 1505 of the fiscal year 2022 National 
        Defense Authorization Act.--This provision requires the 
        Department of Defense to conduct an inventory of OT assets and 
        update its policies to establish baseline cybersecurity 
        requirements for operational technology.
   Establish metrics for transparency and accountability.--
        Congress should update its oversight of agency cybersecurity by 
        using the Federal Information Technology Acquisition Reform Act 
        as a model to replace existing unstructured agency reporting. A 
        cybersecurity scorecard would provide improved transparency 
        metrics and milestones against which all agencies measure and 
        report their progress.\9\
---------------------------------------------------------------------------
    \9\ MITRE, ``Eight Recommendation for Congress to Improve Federal 
Cybersecurity,'' https://www.mitre.org/sites/default/files/
publications/pr-21-3403-eight-recommendations-for-congress-to-improve-
federal-cybersecurity.pdf.
---------------------------------------------------------------------------
   Ensure sufficient funding for CISA and the Office of the 
        National Cyber Director to ensure they can meet mission 
        requirements.--I supported the creation of the Office of the 
        National Cyber Director and applaud Director Chris Inglis' 
        efforts to stand up and staff the new office. The threats to 
        Federal networks and critical infrastructure are growing at a 
        significant rate, and CISA must serve as an effective 
        coordinator to strengthen security in these environments. 
        Congress should see the fiscal year 2022 appropriations for 
        CISA as a new baseline number, which should grow at a rate 
        commensurate with the needs of the mission.
                               onclusion
    There are fundamental steps all providers must take, from knowing 
what's on their network and how those systems are vulnerable to 
addressing those exposures, and from controlling user access and 
privileges to managing critical systems that are interconnected, that 
will make it harder for bad actors to compromise critical 
infrastructures.
    Many critical operating environments lack a formal systemic 
approach to risk assessments and processes, let alone the continuous 
visibility expected for critical services and high-value targets. These 
formal processes are desperately needed as rapid increases in access 
and interconnectivity dramatically increase risk. In these instances, 
regulation for transparency and standards of care can help drive 
improvement in risk management practices and at the same time foster 
innovation.
    I would like to thank Chairman Thompson, Ranking Member Katko, and 
all the Members of the committee for your attention to this important 
issue. I appreciate the opportunity to testify today and look forward 
to working with you and your colleagues as we collectively mobilize our 
cyber defenses.

    Mr. Torres. I thank the witnesses for their testimony. I 
will remind each Member that he or she will have 5 minutes to 
question the witnesses. I will now recognize myself for 
questions.
    Ransomware attacks that have stolen billions of dollars 
from American households, businesses, and governments have come 
disproportionately from Russian cyber threats. SolarWinds, the 
largest espionage campaign in history, Colonial Pipeline, the 
largest breach of energy infrastructure in history, JBS, the 
largest breach of food infrastructure in history, all of these 
intrusions came from Russian cyber threats. Mr. Meyers, would 
it be fair to think of Russia as a superpower in cyber space?
    Mr. Meyers. Yes, Congressman, I think that Russia has 
demonstrated through numerous years and numerous campaigns 
significant technical capabilities and intent to target Western 
and U.S. infrastructure.
    Mr. Torres. Even though the United States may have more 
cyber capabilities than Russia, there is a sense in which the 
United States might have more cyber vulnerabilities because 
American infrastructure tends to be more automated, more 
computerized. Is that a fair assessment?
    Mr. Meyers. Yes, sir.
    Mr. Torres. You know, we would never expect an American 
business in a physical conflict to defend itself successfully 
against a superpower like Russia. Is it reasonable and 
realistic to expect an American business in a cyber conflict to 
defend itself successfully against a cyber superpower? Mr. 
Yoran, do you have any thoughts on that?
    Mr. Yoran. I don't think it is reasonable to expect that 
all critical infrastructure operators would be able to defend 
themselves in totality against a sophisticated cyber superpower 
like Russia. I do think it is reasonable to expect that they 
exercise a good standard of care with their system, including 
maintaining their systems in good repair, searching for 
vulnerabilities, fixing vulnerabilities, addressing high-
priority threats that CISA and others have shared with them. In 
doing so, I think they can significantly reduce their exposure 
and the probability of causing significant outage.
    Mr. Torres. Should the U.S. Government assume a greater 
role in defending privately-owned and -operated critical 
infrastructure, a role that extends beyond public awareness 
campaigns and voluntary public-private partnerships?
    Mr. Yoran. I don't think the U.S. Government should be in 
the cyber defense role where they are defending critical 
networks and critical infrastructure where they might not 
understand the changes that they might make and how those might 
impact the critical infrastructure. It is incumbent upon those 
operators which understand the systems, how those systems 
operate, how they work together, and how they fit to defend 
those networks, with help from intelligence, information, and 
prioritization from their Government partners.
    Mr. Torres. Should the Federal Government mandate best 
practices in cyber hygiene like multi-factor authentication 
across all the sectors of critical infrastructure?
    Mr. Yoran. I believe that each--and I am going to keep 
answering questions unless one of my colleagues jumps in or 
unless these questions are directed at me. I believe it is 
critical and important for the Federal Government to mandate 
cyber best practices noting, however, that there is not one 
cyber best practice across all critical infrastructures. And 
that the regulatory agencies and sector-specific agencies 
should work with CISA and their private-sector counterparts to 
develop those and maintain those best practices.
    Mr. Torres. Mr. Meyers, should we mandate multi-factor 
authentication across all sectors or critical infrastructure?
    Mr. Meyers. I would point to the Executive Order and the 
recommendations there as a good example. As far as mandating, I 
think that there is not necessarily a deep understanding of how 
these systems are architected and leveraged in the commercial 
sectors. So, I think recommendations are probably a good first 
step.
    Mr. Torres. In February 2021, a hacker broke into the local 
water system for Oldsmar, Florida, a town of 15,000 people, and 
raised the sodium hydroxide levels in an attempt to poison the 
water supply. There are tens of thousands of water systems in 
America, and most of them are run by local governments that 
often lack the wherewithal to sufficiently invest in their own 
cybersecurity. The Foundation for Defense of Democracies has 
been sounding the alarm about what infrastructure is the 
weakest link in the critical infrastructure chain. The 
Foundation for Defense of Democracies, the Government 
Accountability Office, the Cyberspace Solarium Commission, all 
of these entities have been critical of the EPA's performance 
as the sector risk management agency. Dr. Morley, how can a 
water system that is so fragile, and so fragmented, and so 
federated be secured from Russian cyber threats?
    Mr. Morley. Sure. I, you know, recognize the question, sir, 
and I believe that some of that recognizes some of the capacity 
issues that we have identified in the sector as being 
challenges in implementation of certain cybersecurity best 
practices. That would be a great example of where further 
implementation of the CyHy program would be very beneficial to 
a community like Oldsmar or other utility systems. It is also 
the reason why AWWA has developed a white paper talking about a 
framework, a new governance approach for cybersecurity in the 
water sector. A collaborative process modeled on what is in the 
electric sector. I welcome the opportunity to discuss that 
further.
    Mr. Torres. I now recognize the Ranking Member of the full 
committee, the gentleman from New York, Mr. Katko, for 
questions.
    Mr. Katko. Thank you, Mr. Chairman, and thank you all for 
your testimony today. You know, when I first came on this 
committee 7-plus years ago, ISIS was for sure the greatest 
threat to our country, ISIS inspired terrorist attacks in this 
country. They manifested themselves in several cataclysmic 
events like in San Bernardino, and the Pulse night club, and 
many others.
    The threat dynamic has changed dramatically for the 
homeland since then. We have done a much better job dealing 
with those types of incidents. ISIS has been degraded but not 
eliminated. So, the threat persists but it is not like it was. 
But the greatest threat that is to our country right now, in my 
mind for sure, is what we are talking about today, 
cybersecurity and the threat of cyber attacks against this 
country.
    I noted some in my opening statement over the past few 
years, we have had many very serious attacks. China clearly has 
state actors perpetrating those attacks. Russia has gangs, if 
you will, within Russia that operate under the imprimatur of 
the Russian government and at their disposal when needed to do 
so. Given the conflict in Ukraine, obviously, that is a big 
concern right now.
    So, with that as setting the table, what I am trying to 
figure out and understand is what is most vulnerable, and how 
do you go about helping it? There is a tug-and-pull between is 
it just good old-fashioned Government regulation? Or is it good 
old-fashioned Government assistance and letting the private 
sector be partners with them?
    I am informed by what I saw in my time as a prosecutor when 
terrorism, 9/11 happened, I was a prosecutor. Instead of a 
whole new realm of regulations, we had partnerships. That is 
what the Joint Terrorism Task Force is. That is my view of CISA 
is, is a partnership. A partnership with the private sector, 
right? Then to give them the tools they need to work with the 
private sector. By the way, if you want an incentive to secure 
your systems, if there is technology out there and you are not 
securing your systems with that technology that is reasonably 
attainable for you, and you get hacked, you are going to be 
vulnerable to lawsuits from your shareholders, and damn well 
you should.
    So, there is a state-of-the-art component to this that is 
here that we need to talk about as well. So, I think it is 
incumbent upon CISA to be not the regulator, but to be the 
facilitator and the partner with the private sector. I think 
what is going on lately with the Log4j and some of these other 
things, we are seeing that partnership really kind-of blossom 
and is being very productive. So, I am excited for that.
    But, you know, Mr. Yoran and, you know, Mr. Morley, you 
talked about it a little bit the water sector. But I want to 
ask you, Mr. Yoran, where do you think the water sector and 
wastewater systems fall within the realm of critical 
infrastructure and as well as their cybersecurity defenses?
    Mr. Yoran. It is a great question, Congressman. You know, I 
think the water sector as--and within each sector, there is, 
you know, varying degrees of sophistication and capability. It 
is true in the financial services sector. It is true in the 
electric sector. It is true in the water sector. So, some are 
much more sophisticated than others.
    I do think the financial services sector, as an example, 
the IT sector, as an example, have been much more forward-
leaning about cybersecurity and stand today much better 
prepared. They have been facing, and their understanding of the 
risk they have been facing for years now is more sophisticated.
    I think, the, you know, the water sector and a lot of the 
industrial heavy sectors are much more deliberate. Their 
infrastructures move much more slowly, but they have been 
interconnecting their operational technologies with their IT 
technologies. So, the pace of risk that these sectors are 
facing has really increased over recent years. So, I think a 
lot of work remains to be done in some of these sectors.
    Mr. Katko. OK. Now, for all of you, I only have about a 
minute left. So, I will ask this open-ended question. We have 
got identified it is a systemically important critical 
infrastructure within a critical infrastructure sector. Then we 
have got to do something about it, right? We understand it is 
going to be a partnership and we got to work with the private 
sector. What is it that we can do to help CISA be better at 
working with you and strengthening those partnerships in 
addressing those vulnerabilities? Mr. Morley or Mr. Meyers, how 
about you go first?
    Mr. Meyers. Thank you. Having worked with CISA through JCDC 
on the Log4j and now in the most recent escalations in Eastern 
Europe, I think information sharing has been absolutely 
critical. CISA has done a phenomenal job of not only sharing 
information but standing up systems for rapid information 
sharing between partners and CISA to have more tactical type 
communications. I think that fostering those types of 
environments in that information sharing is absolutely 
critical. I also think from a defensive perspective, the 
vulnerabilities that CISA has highlighted as being critical to 
fix, the Shields Up program, as well as some of the other 
initiatives that they have rolled out, have been very effective 
and I would like to see that continue.
    Mr. Katko. I know I am out of time, Mr. Chairman. So, I 
appreciate your indulgence. I have a lot more to ask you all. 
Please keep coming to me and talking to me because I want to 
hear more about it going forward. This is very important. Thank 
you and I yield back.
    Mr. Torres. I now recognize the gentleman from Rhode 
Island, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman, and I want to 
welcome our witnesses today. I appreciate your testimony and 
your expertise in cyber. A particular hello to Amit. Good to 
see you again.
    So, let me begin on this question. The elevated cyber 
threats to our critical infrastructure systems illustrate that 
while we have come a long way in improving the Nation's 
cybersecurity over the last few years, much work still remains 
to be done. In particular, I believe that we must develop a 
better understanding of the vulnerabilities present within key 
technologies that underpin our networks in critical 
infrastructure.
    So, one of the Cyberspace Solarium Commission's 
recommendations currently reflected in an amendment to the 
America Competes Act would establish critical technology 
security centers through grants to universities and FFRDCs to 
create a comprehensive and centralized security testing 
ecosystem for foundational critical technologies like network 
industrial control systems and open-source software. So, if 
could, for Mr. Yoran, I will start with you, how might such an 
initiative to identify, report, and in some cases support 
through mediation of vulnerabilities in these critical 
technologies, inform and improve risk mitigation efforts for 
critical infrastructure?
    Mr. Yoran. Good to see you, Congressman, and thank you for 
your tremendous leadership on cyber issues over the course of 
so many years. I think it is important when we talk about these 
efforts, to remember that there are such distinct differences 
between these critical infrastructures and such distinct 
approaches which make more or less sense. For instance, in the 
electric sector, in the financial services, or in IT sector, 
you see a very rapid pace of change. You see a high degree of 
cyber sophistication and agility to address issues as they 
might be highlighted by CISA or other Government partners.
    As you move to more industrial systems and you connect IT 
and OT systems, you see the IT side of the house sometimes able 
to deal with these vulnerabilities and advance notice from 
Government partners. You see, in many cases, the OT side of the 
house as much more slow moving and deliberate. While that may 
sound bad from a cybersecurity practitioner's standpoint, and 
it does mean that systems will be vulnerable, those deliberate 
processes are in place for very specific reasons to make sure 
that, you know, we don't create accidental outages and things 
of that nature. So, I think there really needs to be a very 
different approach to protecting critical infrastructures when 
we join IT and OT systems together.
    Mr. Langevin. Thanks. I am hoping that these critical 
technology centers would do just that to identify those 
problems and help to remediate them ahead of time before there 
is a problem.
    Let me continue on with you, Amit, to last week the SEC 
proposed a rule requiring companies to disclose policies and 
practices for identifying and managing cybersecurity risks, 
management's role in implementing cyber policies and 
procedures, and cyber expertise across the board of directors. 
On the Solarium Commission we also called for an increased 
level of reporting on cybersecurity from publicly-traded 
companies because cyber risk is a business risk and 
shareholders, I believe, should be able to discriminate between 
companies that take cybersecurity seriously and those that 
don't.
    So, in your testimony, you referenced this proposed rule 
as, and I quote, ``the single action that would most 
dramatically improve our cybersecurity preparedness as a 
Nation.'' I agree with that statement, but could you talk about 
this proposed rule and why you feel it could make such an 
impact?
    Mr. Yoran. You know, and I think there are two critical 
components to transparency. No. 1, I think, you know, the 
recent legislation when it was terrific in requiring breach 
notification to CISA so that action can be taken, information 
can be shared, and our critical infrastructure is better 
protected. The second piece of that is having greater 
transparency starting with public companies around what their 
cybersecurity risk management practices look like. That type of 
transparency will cause corporate leadership to pay closer 
attention, will cause boards of directors to pay closer 
attention to cybersecurity. By paying closer attention, I am 
fairly certain that that would cause improved focus on and 
improvement in cybersecurity practices.
    That is critically important for shareholders to make 
informed decisions about their investments. It is critically 
important for customers to make important decisions about whose 
technologies they trust and don't trust. So, I think it is 
absolutely critical for the free market to work that we have 
that level of transparency of both cybersecurity practices, 
risk management, and transparency around breaches.
    Mr. Langevin. OK. Thank you very much. I know my time has 
expired. I do have one more question I will submit for the 
record for Dr. Morley. But unless we go for a second round, Mr. 
Chairman, I yield back.
    Mr. Torres. Absolutely. I now recognize the gentleman from 
North Carolina, Mr. Bishop, for questions.
    Mr. Bishop. Thank you, Mr. Chairman. Mr. Meyers, 
CrowdStrike was the firm that diagnosed the alleged Russian 
hack of the DNC server in 2016. Is that correct?
    Mr. Meyers. Yes, sir.
    Mr. Bishop. Has CrowdStrike been contacted by the Office of 
Special Counsel, Mr. Durham's office?
    Mr. Meyers. I am not sure.
    Mr. Bishop. CrowdStrike, I understand, the FBI concluded 
that there had been a Russian hack based on a report provided 
by CrowdStrike that was provided for the Perkins Coie law firm. 
Do you know that to be true?
    Mr. Meyers. Yes, we published our findings in a blog post 
in 2016.
    Mr. Bishop. My understanding is that the report, the 
version of the report provided to the FBI was heavily redacted. 
Are you aware of that?
    Mr. Meyers. I am not aware of that.
    Mr. Bishop. Do you know of any reason that CrowdStrike 
cannot publish or release to the public or release to this 
committee a complete and unredacted version of that report?
    Mr. Meyers. I am not exactly sure which report you are 
referring to, but happy to follow up with you and get anything 
that we can.
    Mr. Bishop. All right, thank you. I yield back.
    Mr. Torres. I now recognize the gentlewoman from Texas, Ms. 
Jackson Lee, for questions. I now recognize the gentleman from 
California, Mr. Correa, for questions. I now recognize Mr. 
Cleaver for questions. I now recognize Mr. Green for questions. 
Herein lies the challenge of the hybrid model. I now recognize 
Ms. Clarke for questions. She is gone too. I now recognize Mrs. 
Watson-Coleman for questions. I actually see Miss Rice. So, I 
recognize Miss Rice for questions, yes? See, by process of 
elimination.
    Miss Rice. Thank you, Chairman Torres. Thank you so much, 
Mr. Chairman. Thank you all so much for coming here today. This 
is such a critically important issue that we are discussing.
    Software and application code are known attack vectors for 
bad actors in critical infrastructure operators, especially 
those that rely on third-party vendors or open-source code to 
develop software or applications. They need to be constantly on 
guard against vulnerabilities in their code. But it is harder 
than ever for industry and Government alike to defend 
themselves. There was a recent report by Rapid7 that found that 
the average time for known vulnerabilities to be exploited 
dropped from 42 days last year to 12 days this year. So, 
attackers are getting faster and it is harder to patch code in 
real time.
    At the same time, a State of Software Security report 
released last week found that 8 in 10 software applications 
owned and operated by the public sector had a security flaw. 
So, critical infrastructure only faired slightly better. The 
same study found that 73 percent of financial service apps and 
77 percent of health care apps contained security flaws.
    So, Mr. Silberstein, you mentioned the importance of CISA's 
Shields Up webpage and ramped-up communications since the war 
in Ukraine began. When a new vulnerability is discovered and 
posted to the known exploited vulnerabilities catalog, how do 
you disseminate that information to your members? If one of 
your members on their own discovers a flaw in open-source or 
vendor developed code that may be used by other financial 
institutions, do they share that information with you and their 
peer institutions?
    Mr. Silberstein. Thank you, Congresswoman, for that 
question. We first try to--any public releases about 
vulnerabilities from any reputable source, we attempt to 
rapidly amplify to our whole membership with a minimum delay, 
with a focus in pointing to the immediate mitigations that can 
be put in place to prevent access to the vulnerability because 
the challenges of patching can be large. We saw that with the 
Log4J where the time span--this was embedded in many systems--
the time span for particularly larger organizations to get to 
every instance took days, and maybe more.
    So, we put a focus on rapid mitigation. We are also working 
with our partners in the whole supply chain to emphasis that as 
the headline in any disclosure of vulnerability. What do you do 
at this instant to shut that door while you then go fix the 
inside of the house?
    Second, to your question on when members discover 
vulnerabilities, yes, we rapidly share across the full 
community and also to whatever source. Additionally, a lot of 
our membership are actively involved in the Alpha-Omega program 
of the Open Software Federation, which is focusing on a 
proactive discovery of vulnerabilities and improving the open-
source community.
    Miss Rice. Thank you for that. Dr. Morley, I only have 
about a minute-and-a-half left. But you have emphasized the 
diversity of the water sector and the wide variety of cyber 
capabilities within it. When CISA announces a newly-discovered 
vulnerability or issues recommendations on how to mitigate 
cyber threats from malign actors, are these understandable and 
actionable for your smallest members? I mean, how does the AWWA 
help its least-cyber-capable members build up their defenses?
    Mr. Morley. That is a excellent question, Congresswoman. We 
do our best to retransmit that ourselves and with our partner 
organizations, including the WaterISAC. However, as I 
mentioned, certain advisories in some cases have a certain 
level of technical sophistication that probably require a 
little bit of contextualization and that is why we would 
encourage a little more front-end engagement between EPA and 
CISA to ensure that that information is actionable to our 
members at the smallest level.
    Miss Rice. Thank you all very much. Mr. Chairman, I yield 
back.
    Mr. Torres. I now recognize the gentleman from Louisiana, 
Mr. Higgins.
    Mr. Higgins. I thank the Chairman and Ranking Member Katko 
for holding this hearing today. Our critical infrastructure has 
certainly shown vulnerabilities across the United States and, 
indeed, the world. The lessons that we learn increasingly are 
troubling regarding our own posture and strength resiliency in 
our American critical infrastructure. So, the position of this 
committee must be to calmly seek solutions for the American 
people. You gentlemen are going to be asked some challenging 
questions today because it is an emerging understanding of just 
how vulnerable we can be to attack when we thought perhaps we 
were not.
    I have noted through the years as new projects have been 
developed in my own district in the oil and gas industry, or 
petrochemical industry, L&G. I represent south Louisiana. These 
massive projects have had the capacity to be off the grid. They 
have their own electrical supply, massive generators should 
power be lost. They can continue running. They have their own 
water, deep water wells. They have on-premise servers and 
hardware systems. I recall a study from as recently as 2019, 
that somewhere over 90 percent of American businesses had some 
level of on-premise servers.
    Therefore, it seems to me as a regular American with no 
background in cybersecurity until I came to Congress, and 
gentlemen like Ranking Member Katko and others have made it a 
priority to push into the American narrative that we must 
strengthen our critical infrastructure and our cybersecurity, 
is certainly going to be an increasing area of vulnerability 
should we lose our grid, for instance, or just a large portion 
of our grids, 15, 20 percent of our grid. It is difficult to 
see how we would recover from that. So, Mr. Yoran, am I 
pronouncing your name correctly?
    Mr. Yoran. Yes, sir.
    Mr. Higgins. Thank you, sir. Mr. Yoran, what would be your 
opinion regarding, as we move forward from the Federal level, 
to encourage private business and local Government entities to 
develop off-grid capabilities to insulate themselves from 
attack and to decrease their vulnerability?
    Mr. Yoran. Congressman, that is a great question. I think, 
you know, one very important responsibility and opportunity 
that exists for the Federal Government is through sharing of 
information with the private sector around the threat and what 
actions they can take to better protect themselves and mitigate 
risk. My greatest concern is that examples like the one you 
were sharing from your district where you have got very remote 
pieces of equipment, are increasingly moving on grid--well, and 
I shouldn't say on grid, not power grid--onto the internet in 
some form or fashion. While there might not be an internet 
line, they are deploying cellular or other communications 
mechanisms so they can get real-time telemetry from those 
remote sites. They can troubleshoot and they can identify where 
the equipment may be failing or may----
    Mr. Higgins. So, you would see that connection as a 
vulnerability that we need to watch?
    Mr. Yoran. Exactly. So is----
    Mr. Higgins. I would concur. In the interest of time, I 
have one more question for you, sir. In America, we have 
codified into law the right to strike back if we come under 
fire. If you are fired upon, you identify the threat and you 
can return fire. Yet, in the cyber realm, that is not codified 
into law. Mr. Yoran, what is your opinion about what Congress 
should do about that? Should we make it legal to strike back in 
the cyber realm?
    Mr. Yoran. It should be----
    Mr. Higgins. It is a legitimate question.
    Mr. Yoran. Yes, sir, a legitimate question. I think it 
should remain illegal for private industry or private citizens 
to strike back. But there is an important role that is one of 
the critical functions for the U.S. Government.
    Mr. Higgins. Under advisement. Mr. Chairman, I yield.
    Mr. Torres. Thank you. I now recognize the gentlewoman from 
Texas, Ms. Jackson Lee, for questions.
    Ms. Jackson Lee. I thank you and good morning to all of 
you. This is a very important hearing. I would like to submit 
three articles into the record. First, the excerpts from the 
House Intelligence Committee hearing on Russia. It is in The 
New York Times. As I do that, let me read an excerpt from that 
article. I have been authorized this was the FBI Director by 
the Department of Justice to confirm that the FBI, as part of 
our counter-intelligence mission, is investigating the Russian 
Government's efforts to interfere in the 2016 Presidential 
election and that includes investigating the nature of any 
links between individuals associated with the Trump campaign 
and the Russian Government and whether there were any 
coordination between the campaign and Russia's efforts.
    I ask unanimous consent to submit that into the record.
    Mr. Torres. Without objection.
    [The information follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    
    Ms. Jackson Lee. I ask unanimous consent to ``Here We Go 
Again'' article, ``Russia Gears Up to Interfere in 2020 
Election'', April 30, 2020, and The Atlantic ``Russia is Co-
opting Angry Young Men'' from The Atlantic, from the periodical 
seemingly, Center for Diplomacy and Global.
    I ask unanimous consent, Mr. Chairman.
    Mr. Torres. Without objection.
    [The information follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
                                ------                                

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Ms. Jackson Lee. Let me ask questions to Mr. Silberstein, 
Mr. Yoran. Mr. Silberstein, we are in a very difficult time. 
Again, I offer my deepest concern and sympathy to the people of 
Ukraine who are feeling the sting, the siege, the violence, the 
viciousness, the murderous behavior of Vladimir Putin. I can 
see him not taking any prisoners as it relates to the United 
States in his angst and anger against us.
    As it relates to your testimony, page 4, line 11, that the 
consistent message and realistic context provided by the 
Federal Bureau of Investigation, other governments, has allowed 
your sector to prepare for and institute necessary security 
precautions. Are there industry best practices regarding 
regional personnel evacuation plans? Why don't you answer this 
last question first: Which industries would consider evacuation 
plans as a core component of a cyber incident response if it 
came particularly from really a established enemy at this time 
like Russia?
    Mr. Silberstein. Thank you, Congresswoman. If I may ask for 
a little clarification referring to evacuation in the conflict 
zone or in another locale?
    Ms. Jackson Lee. In the United States. If we are being 
attacked here.
    Mr. Silberstein. Well, I think we have fairly good 
resiliency plans that unfortunately have been practiced around 
both natural disaster and COVID over the last 10 years, which 
would deal with suitable physical issues as far as personnel. 
Through COVID, we had wide-spread dislocation out of offices to 
the work from home model as everyone is aware. The sector was 
able to pretty successfully weather that.
    Ms. Jackson Lee. I will bypass the first question I asked. 
Do you all have a sense of preparation from foreign intrusion 
such as Russia? It has been known that the intrusion before had 
been established as outside groups. Suppose it was 
governmental, are you prepared for that?
    Mr. Silberstein. I believe the financial sector is. It does 
not differentiate in general between private enterprise against 
the sector versus nation-state attempts against us. But also 
realizes that nation-state potentially comes with more power. 
An important aspect of the sector's preparation is a very 
distinct let's not be complacent where there is no good enough 
cybersecurity. It is a continued attempt to keep up with 
adversaries. Just as technology evolves, the technology of the 
adversaries as well as the technology and----
    Ms. Jackson Lee. Thank you.
    Mr. Silberstein [continuing]. Capability you need is in 
place.
    Ms. Jackson Lee. Thank you. Mr. Yoran, you spoke about 
infamous Colonial Pipeline was hit with ransomware 
particularly, allegedly by criminal element. They went to great 
lengths to appear legitimate. But my question would be if you 
can combine the answer as to those intrusions that try to 
appear legitimate that the CEO of Colonial Pipeline one, did 
not tell the United States timely, the Government, paid $4.4 
million in ransom to its Russian-based attacker, DarkSide. Do 
you agree with Colonial's position that paying the ransom was, 
in that case, the right thing to do? Are we expecting more of 
this, and particularly as Russia continues to act in 
terroristic manner? Mr. Yoran.
    Mr. Yoran. That is a great question. I am not familiar with 
the details of the decision-making process for Colonial. But, 
you know, assuming that their first and foremost objective was 
to get the pipeline up and operational, we all saw the 
challenges in getting gas and the supply shortages, which were 
resulting. I do think that the important legislation which 
Congress has enacted now would require timely notification to 
CISA of that ransomware payment, which is commendable.
    Ms. Jackson Lee. Do you think there is a credible fear of 
Russia's continued attempts to attack our local assets, our 
National assets?
    Mr. Torres. I just want to say your time has expired. So, 
yes, we are going to move on.
    Ms. Jackson Lee. Thank you, Mr. Chairman. Thank you.
    Mr. Torres. I now recognize the gentleman from New Jersey, 
Mr. Van Drew, for questions.
    Mr. Van Drew. Thank you, Chairman and Ranking Member Katko. 
Thank you to the witnesses for testifying to the committee 
today. Unfortunately, we are here again addressing the 
exponential rise in cyber threats. Last year, 14 of the 16 
critical infrastructure sectors experienced a ransomware attack 
of some type. These threats are real and they are still 
increasing.
    A few years ago in my district, the Atlanta County 
Utilities Authority located in Egg Harbor Township, New Jersey, 
was the victim of a cyber attack. The utilities authority 
reported an incident in which perpetrators gained unauthorized 
access to sensitive data of their customers. Additionally, 
operational information was withheld as the criminals demanded 
ransom. Fortunately, the overall function of the authority was 
minimally impacted, but the fallout could have been far worse. 
Services like utility authorities are vital to day-to-day life 
and it is imperative that Congress and the administration 
continue to invest in protecting critical infrastructure 
everywhere, small or large, in every way. It affects every 
aspect of our life.
    Mr. Adam Meyers, you may be aware, part of the Colonial 
Pipeline runs through my district. The pipeline and several 
other companies and industries have been victims of ransomware 
attack in the recent years. I am concerned about the 
proliferation of these attacks. Why have they become more 
rampant and what can Congress do? I know you have outlined some 
of this, but to really get to the rub, what could we do or do 
you think we should do? What more can we do to help 
organizations mitigate them? This is going to be the great 
challenge for the next how many years, I don't know. But for 
many, many years and it is something that we need to do even 
better with. What more would you, if you were the President or 
you could control everything, what would you do right now?
    Mr. Meyers. Thank you. That is a good and challenging 
question to answer. The increase in these attacks, I think 
first and foremost, is occurring because these adversaries are 
making money. In the course of 2021, we observed somewhere 
around 50 or so ransomware incidents per week. The average 
ransom demand was around $6.1 million. So, in any given week, 
we were looking at around $300 million in potential ransom 
demands that were being issued to victims.
    This is something that I think we need to attack on 
multiple fronts. We need to think about it in terms of the 
financial viability. If we disrupt the financial viability of 
these operations for these threat actors and make it more 
expensive for them to operate, it is going to potentially 
reduce the incentive for them to conduct these types of 
operations.
    Employing the right technology. Many organizations, 
particularly across the United States in critical 
infrastructure, are relying on legacy tools and software that 
were conceptualized in the late 1990's for security today. The 
threats have advanced, the technology also needs to advance. 
So, organizations need to invest in security to appropriately 
defend against these attacks.
    From a Government perspective, I think that both law 
enforcement has been making tremendous strides. CISA, through 
JCDC and partnerships, have been able to share information. I 
think that the information sharing between the public and 
private sector is absolutely critical to ensure the success and 
the ability for us to defend these infrastructures.
    Finally, I think the legislation that was passed recently 
in terms of the reporting requirements, is a step in the right 
direction and will enable us to more effectively martial our 
forces to fight against these types of attacks.
    Mr. Van Drew. Yes, we still do need to do better, correct? 
When you mention that we have legacy, you know, infrastructure 
in place to deal with this, that tells me that you think we 
should be doing more and should be more on the cutting edge.
    Mr. Meyers. Absolutely. I think that the Executive Order 
that was issued regarding employing things like endpoint 
defense and response technology, zero trust. One of the things 
that we have observed over the last year, is that organizations 
that were impacted by these ransomware actors and criminal 
actors, and also state-sponsored actors, those that employed 
zero trust and strong identity management, had very different 
outcomes than those that did not.
    Mr. Van Drew. OK. So, that tells us that hopefully if we 
are here again in a year, another year, that we hopefully can 
say, hey, we have done more, we are doing better in those areas 
that you just mentioned.
    Finally, do we have the smartest, best, most knowledgeable 
people on the Government side working on this, candidly?
    Mr. Meyers. I believe so. I think that particularly working 
with CISA over the past several months it has been, and having 
spent years in Government prior to CrowdStrike, I think that we 
are absolutely moving in the right direction. That the work 
force has become much smarter and much more capable, and we are 
continuing to train and operationalize that.
    Mr. Torres. The gentleman's time has expired.
    Mr. Van Drew. Thank you for your answers.
    Mr. Torres. I now recognize the gentleman from California, 
Mr. Correa, for 5 minutes.
    Mr. Correa. Thank you, Mr. Chairman. I want to welcome our 
witnesses today and thank you for being a part of the very 
important hearing. We talk about incentives for these attacks, 
cyber attacks. We talk about the financial. People make money 
off of this. I think all of us at one time or another, have had 
our credit cards hacked. In my district, I had a tax preparer 
who was a victim of cyber ransom attack. He did 5,000 clients 
he had, he lost 1,000 of them to cyber--to a cyber attack.
    This stuff is getting more and more common. Yet, I believe 
it pales to the potential damage of a terrorist attack on one 
of our systems, a water system. Back home, in June 2021, our 
large-scale cyber espionage campaign included the Metropolitan 
Water District of Southern California, Anaheim and Santa Ana in 
my district. About 19 million, 19 million water consumers were 
affected. You just hate to think about the potential for loss 
of life if somebody intentionally attacked us with more serious 
and deadly intentions.
    We talk today about minimum standards, mandatory standards, 
liability. I would like to focus on trying to prevent this from 
happening, not trying to figure out who is to blame after the 
aftermath of an attack like this. So, my question would be what 
else can we do to coordinate? Instead of mandating, instead of 
talking about minimum standards, being up-to-scrub, up-to-date 
on the latest technology, how can CISA work to make sure that 
we are actively talking to these agencies on a daily basis to 
make sure they are anticipating it is a, you know, cross-
discussion back and forth? Are we doing that? Can we do better? 
Mr. Morley.
    Mr. Morley. Excellent question, sir. I would frame that in 
terms of the conversations today, in terms of partnership, 
right? Obviously, the critical infrastructure owner-operator is 
a key piece of the equation. In addition, the information 
shared by our Federal partners, as I mentioned earlier, the 
sooner we can get that into an operational setting, un-
Classified, that the utility owner-operator can take action on 
that, that is great. In addition, similar to the activities of 
these gentlemen and technology providers, they are key----
    Mr. Correa. Can I ask, you say the sooner----
    Mr. Morley [continuing]. Key element----
    Mr. Correa [continuing]. The better.
    Mr. Morley [continuing]. Of the partnership.
    Mr. Correa. Mr. Morley, you said the sooner the better. 
That doesn't feel good right now. How fast can we get up and 
running and begin to establish a process where we can be there?
    Mr. Morley. I think the----
    Mr. Correa. In terms of CISA----
    Mr. Morley [continuing]. I think the agency, CISA, in 
particular, is working toward that end. Programs like JCDC are 
designed to try to support that activity. I am hopeful that we 
can get there as expediently as you suggest we should.
    Mr. Correa. Other comments from our witnesses here today? 
Mr. Yoran, any thoughts?
    Mr. Yoran. No, sir. I think, you know, CISA is doing a 
tremendous job. They are, you know, I think we have talked 
about JCDC and Shields Up as important initiatives. Even 
outside of those, and in addition to those, the control systems 
program. I know the name is iterated a few times. They do have 
active engagement with a lot of the critical infrastructure 
operators and we have seen increased pace of communication, and 
I think also, the quality of content of those communications 
has improved in recent periods.
    Mr. Correa. Gentlemen, I just want to be clear that this 
Member here is not looking for a got-you kind of a situation 
with my questions. Because again, 19 million customers, that is 
a lot of lives at stake. So, my goal, and I think the goals of 
Members on this committee are how we can help you help us to do 
a better job of protecting our constituents? Mr. Chairman, I 
have 25 seconds. With that, I yield.
    Mr. Torres. Thank you. I now recognize the gentlewoman from 
Iowa, Mrs. Miller-Meeks, for questions.
    Mrs. Miller-Meeks. Thank you, Mr. Chair. Mr. Yoran, cyber 
attacks, hacking, ransomware is not new. In the State of Iowa, 
we have had several municipalities who in fact were hacked and 
paid ransomware in order to get back their data, which prompted 
us at the State level to put through legislation that provides 
for disclosure and then communications with our, you know, 
public intelligence and investigations, investigative division, 
in order to address that. So, it is an extraordinarily 
important topic.
    I think, Mr. Yoran, if I am not mistaken, you are a 
graduate of the U.S. Military Academy at West Point. So, as a 
fellow army veteran, thank you for your service. In your 
testimony, you mentioned that knowing what the threat is is far 
more important than knowing who is behind the threat. It seems 
that there are some high maturity organizations that could 
adequately action the ``who'' information, but those are 
extremely limited. Could you provide some color into where that 
line lies?
    Mr. Yoran. I am sorry, Congresswoman, the line, could you 
just clarify again, the line between----
    Mrs. Miller-Meeks. Between the ``who'' and the ``what''.
    Mr. Yoran. Well, I think for most operators and I think, 
you know, Dr. Morley and other panelists might be able to also 
articulate this, I think for most operators, it isn't critical 
to know the ``who'' is behind the attacks. I think knowing 
where they have the greatest exposures is absolutely critical 
so that they can address them. Getting high-priority threat 
intelligence, whether it is from private-sector partners or 
from CISA and public-sector partners, helps to prioritize which 
vulnerabilities are being leveraged by the threat actor of the 
day.
    Today, that might be Russia. The purpose of this hearing is 
Russia. Clearly, while the activity is happening in Ukraine, 
and all eyes are on Russia, you could see other threat actors 
taking advantage of the situation. So, I think knowing where 
you have exposures and know which exposures to prioritize 
through threat intelligence is absolutely critical to success.
    Mrs. Miller-Meeks. Thank you. This is for all of you. As 
you know, the committee raised concerns with the White House's 
decision to place the Department of Energy as the lead response 
agency to the Colonial Pipeline ransomware attack last year. In 
this case, DOE is not the lead sector risk management agency, 
rather the Department of Homeland Security, via the 
Transportation Security Administration, is the co-lead for the 
pipeline sector. As you can appreciate, and I have heard this 
from numerous entities, consistency in how the Federal 
Government responds to cyber incidents is of utmost important. 
We have policies, procedures, and statutes for a reason, and 
they should be followed.
    At a time like now, we simply can't afford similar missteps 
should something like this happen again. Can you all speak to 
the importance from a private-sector perspective of the 
consistent and clear Federal Government response procedures?
    Mr. Morley. I will take a run at that, Congresswoman. I 
think it is absolutely critical that the sector risk management 
agencies with leadership in our case, the EPA, are directly 
involved in that engagement with CISA as the risk management 
agency given the understanding that, you know, in our case, EPA 
has in water utility operations in the critical elements that 
in some cases CISA may not have some of that direct 
understanding. So, I think that collaborative approach is most 
appropriate.
    Mrs. Miller-Meeks. Mr. Meyers.
    Mr. Meyers. Thank you. I think that each one of these 
incidents is going to have different merits, different threat 
actors, different impact and so, consistency is absolutely 
important. But I think that we should recognize that there are 
different agencies that might be more suitable or different 
organizations that might be suitable to assist in some of these 
incidents. So, you know, I wouldn't want to limit our ability 
to respond by trying to have the same response each time, but 
knowing that we have to get the right partners involved and the 
right Federal agencies involved to address whatever that 
incident might be.
    Mrs. Miller-Meeks. Mr. Yoran, do you have any comments or 
Mr. Meyers?
    Mr. Yoran. I think Mr. Meyers has it right. You know, in 
different incidents you will have different agencies involved, 
but it is absolutely critical that Homeland Security take the 
lead across all agencies. When an incident happens, Log4j, 
Log4Shell, whatever it is, the private sector is already 
connected to JCDC. It is already connected to CISA. They can 
work together there. They can engage there. Then you can pull 
in each sector's specific agency as appropriate as required 
versus every private-sector entity, you know, CrowdStrike, 
Tenable, whoever, trying to connect to all the different, you 
know, the 16 different departments and agencies is just 
extremely inefficient--would be extremely inefficient.
    Mr. Torres. The gentlewoman's time has expired. I now 
recognize the gentlewoman from New York, Ms. Clarke, for 
questions.
    Ms. Clarke. I thank you very much, Mr. Chairman Ritchie 
Torres, and let me thank our Ranking Member Mr. Katko. On a 
call with stakeholders, 2 weeks ago, CISA Director Easterly 
urged owners and operators to report data on cyber incidents, 
as well as an anomalous--excuse me--anomalous activity that 
falls short of an incident to CISA so it can help detect any 
Russian cyber campaigns very early. Fortunately, Congress 
passed legislation, which I authored, requiring this type of 
reporting. But it will take some time for these requirements to 
go into effect.
    Mr. Silberstein, financial institutions are a rich target 
for Russian hackers on a normal day, to say nothing of the 
unique role they play in, for instance, the context of 
sanctions. Is the FS-ISAC doing anything to encourage financial 
institutions to voluntarily report this information to CISA?
    Mr. Silberstein. Yes, thank you, Congresswoman. So, we, the 
financial sector I could say benefits from a long history of 
being under attack, as well as a lot of regulation that has 
required reporting. So, there is a pretty good cadence of 
reporting recognition among the U.S.-regulated financial 
community, and both of regulatory requirement and also as a 
civic duty to help out. We facilitate, in certain situations, 
to report on behalf of members. We encourage them also to 
engage directly with law enforcement, CISA, et cetera where it 
is appropriate. So, we are fully supportive of that model.
    Ms. Clarke. Very well. Dr. Morley, is AWWA doing anything 
to encourage or facilitate this type of reporting? Do you think 
that the water sector has the resources it needs to know what 
and how to report?
    Mr. Morley. Yes, Congresswoman, we have very consistently 
encouraged members to report incidents of whether it is 
physical or cyber attacks with the WaterISAC and CISA. 
Recently, just-issued and redistributed an adversary from FBI 
that was focused on municipal communities of which we are 
typically part of on how to report that information to the FBI.
    Ms. Clarke. Very well. Mr. Meyers and Mr. Yoran, are you 
encouraging companies you work with to voluntarily report to 
CISA? Have you seen any uptick in willingness to do so given 
the gravity of the current threat landscape?
    Mr. Meyers. I will take that first. Thank you, 
Congresswoman. I think that a lot of these investigations are 
conducted under the direction of counsel. So, counsel working 
with those victims, those customers, generally is the one that 
is going to provide the guidance about what they should reach 
out and share. But we work closely with law enforcement and 
CISA to ensure that they are aware of threats and that we are 
able to kind-of work together to ensure coordinated response.
    Ms. Clarke. Mr. Yoran.
    Mr. Yoran. Led by counsel sounds suspiciously like not 
going to report to my untrained ears. But I do think that is 
why it is important to have the legislation that exists, 
mandating reporting of incidents and ransomware payments to 
CISA.
    As a company, Tenable, you know, we encourage but we don't 
have an active role in the incident response process. From our 
perspective, we are more frequently taking the information that 
is produced at JCDC and at CISA about these high-priority 
vulnerabilities and making sure that we are able to automate 
the distribution of that information to tens of thousands of 
organizations around the world so that they can take action and 
identify where they have those specific high-priority 
vulnerabilities.
    Ms. Clarke. Very well. Are you planning to engage with CISA 
during the rule-making process? If so, what are some of the key 
takeaways you hope they internalize through that process? Mr. 
Meyers, Mr. Yoran? Anyone want to tackle that? We got 7 
seconds.
    Mr. Yoran. I think both of our companies have teams that 
are working closely with CISA in providing feedback during the 
response time.
    Ms. Clarke. Very well. Mr. Chairman, I yield back. I thank 
you, our distinguished panelists, for your testimony today.
    Mr. Torres. I now recognize the gentleman from Florida, Mr. 
Gimenez, for questions.
    Mr. Gimenez. Thank you, Mr. Chairman, and Ranking Member. I 
have got just a couple questions. Ransomware, and there are in 
Russia we know that there is a bunch of different ransomware 
operators. Does anybody know if some of the proceeds from this 
ransomware ever make it back to the Russian government?
    Mr. Meyers. I will take that. I think that we have seen 
clear indications of Russian criminal threat actors operating 
at a scale that would likely attract the attention of the 
Russian government. Reasonable to assume that they would be 
paying some degree of taxes or something to that effect from 
some of these proceeds. The coordination of these criminal 
actors and the Russian government has been difficult to 
directly correlate. But we have seen nationalistic and 
patriotic postings from some of them in underground forums. 
That has kind-of led to the conclusion that there is some 
coordination.
    Mr. Gimenez. If the Russians wanted them shut down, they 
could shut them down, right?
    Mr. Meyers. Yes.
    Mr. Gimenez. Pretty easy to identify where they are, et 
cetera, how they are operating?
    Mr. Meyers. Yes.
    Mr. Gimenez. OK. Fair enough. So, basically, they are just 
an arm of the Russian government. Thank you.
    The Biden administration said that we should be expecting 
more--there is a potential for increased cybersecurity threats 
from Russia on the United States. Has anybody seen any evidence 
of increased activity, threats, from the Russians on the United 
States?
    Mr. Meyers. Yes. We have been aware and I believe CISA 
actually put out some reporting on this last week of Russian 
threat actors conducting wide-spread scanning, attempting to 
look for vulnerabilities or access into data center 
infrastructure.
    Mr. Gimenez. Yes, but that happens all the time. I mean, 
are we talking about increased activity? Because this--the 
probing, the Russians probing and state actors probing our 
infrastructure, it happens all the time. All the time. Every 
single day. So, is there increased activity like this?
    Mr. Meyers. Yes, and in this case, it was a very specific 
set of activity that was being alerted to.
    Mr. Gimenez. All right. I am going to pivot to something 
else now. Our critical infrastructure, to me, it would seem 
like there is two types of systems. There is an open system 
that is open to the internet, people can hack into, et cetera, 
et cetera. There probably are systems that are closed, right? 
That the operating systems just they communicate within itself. 
There is no way to get into it because it is not attached to 
anything on the outside. Am I mistaken that there is these two 
kinds of systems?
    Mr. Meyers. I think that what you are referring to is a 
perception that there is OT, operational technology, and IT, 
information technology, and that in a perfect world, the OT 
systems are isolated from the internet, the IT facing systems. 
The reality is that that is not always the case.
    As Mr. Yoran pointed out, they establish cellular 
communications for remote telemetry collection. There is 
interconnections for business systems to collect data from the 
operational side. For example, in a pipeline metering and 
billing information might be important business functions that 
necessitate a connection between the two. So, while in theory 
they should be or could be isolated, the reality is there are 
connections between that world.
    Mr. Gimenez. Would it make sense, Mr. Yoran, for us maybe 
to regulate that certain highly-critical infrastructure, 
actually work in the manner where it is physically separated 
from the open infrastructure?
    Mr. Yoran. Congressman, I think it is dangerous to mandate 
or regulate that they remain physically separate. I think as 
Adam points out, there is business reason, efficiency reason 
that you might want to interconnect those. Not just, I mean, 
certainly for billing purposes, but also for being able to 
predict when parts are going to fail, when outages are going to 
occur. So, there are reasons to interconnect. I do think that 
it makes sense to regulate, mandate, remind those operators 
that they are responsible for the cybersecurity risk when they 
are interconnecting those systems.
    Mr. Gimenez. But you could still have those systems inside 
a closed system. You could actually just have all that 
predictability, et cetera, inside a closed system where it is 
not connected to the outside. Isn't that true?
    Mr. Yoran. You could do it. I think the practicality is 
that people will want to connect----
    Mr. Gimenez. Well, I am not talking about every system. I 
am talking about critical infrastructure like water, 
electricity, et cetera, that the United States would be hard-
pressed to survive if somehow our water systems were all hacked 
and we went down. Our entire grid is hacked and we went down. 
Don't you think that is maybe worth the inconvenience of, you 
know, of the business side of it that, hey, maybe these things 
should be a little bit separated and not--because look, the way 
I look at it, and I am sorry, I am out of time. The way I look 
at it, there is software protection and there is physical 
protection. Software protection as good as you guys think you 
may be, you will always get--somebody is going to get around 
you and figure a way around you. So, thank you. I yield my time 
back.
    Mr. Torres. I now recognize the gentleman from New Jersey, 
Mr. Malinowski, for questions.
    Mr. Malinowski. Thank you, Mr. Chairman. I want to thank 
our witnesses for appearing today to speak on this topic. 
Obviously, I think we all wish that were here under very 
different circumstances that the people of Ukraine were not, as 
we speak, suffering attacks by bombs and artillery shells in 
the most horrific possible way. That the American people were 
not, as a result of this war, facing an even greater risk of 
cyber attacks that would disrupt our lives and our economy.
    We have seen first-hand how cyber attacks have become an 
instrument of war on the day that Russia illegally invaded 
Ukraine. They knocked out, among other things, through a cyber 
attack, satellite communication systems that were used by the 
Ukrainian military government, tens of thousands of ordinary 
citizens. Many of us have been briefed on potential scenarios 
under which similar systems in the United States might be 
attacked as part of a war somewhere halfway around the world.
    But the risk, obviously, is not just in times of war. My 
office, for example, recently met with the cybersecurity team 
for a health care provider in my district. Every single day 
this hospital fends off thousands of cyber attack attempts, 
mostly coming from China, Russia, and Iran. Attacks that 
started long before the war in Ukraine and that will last long 
after the war is over. So, we have to do more. Everything we 
can to better protect our hospitals, our schools, our water 
facilities, our power plants, and other critical 
infrastructure. Recognizing that they have to play defense and 
be successful 100 percent of the time. Whereas, our adversaries 
on offense only have to be successful once to hurt our lives 
and our livelihoods.
    On that point, I am very particularly concerned about 
securing water utilities. In my State of New Jersey in my 
district, one water company helps service, one relatively small 
water company, helps to service more than 30 municipalities 
across 5 counties, towns in my district like Millburn, and 
Westfield, Raritan, Roxbury. Many such water companies don't 
have the resources of a large hospital network or investment 
bank.
    So, for any and all the witnesses, I would like to ask how 
can Congress help these critical infrastructure operators 
modernize their IT and reduce the cost and complexity of 
defending their networks? How do we address the cyber poverty 
line and make sure investments in intelligence sharing and 
intelligence sharing are actually useful to Main Street firms, 
not just those on Wall Street? Thanks so much.
    Mr. Morley. Yes, Congressman, I will start off given your 
comment about the water sector. I think it is absolutely 
critical that--and certainly have some excellent resources 
available to--made available to the water sector through the 
recent infrastructure legislation. Some of that is authorized 
and yet to be appropriated, but we appreciate the inclusion of 
cybersecurity as an eligible activity under those programs.
    That being said, as I noted earlier, a number of the 
resources available from CISA are quite exceptional in 
supporting utilities and identifying those vulnerabilities and 
taking--helping them to take action such as the CyHy program. 
We would encourage continued support for that capacity 
development of community water systems and wastewater systems 
as they work with our Federal partners to implement some of 
these great strategies, recognizing that, you know, water 
utilities are a 24/7 operation both under drinking water and 
wastewater side. Some of the utilities I have spoken with here 
in the last several months and years those rehabilitating or 
upgrading those OT systems can often be a 3- or 4-year capital 
improvement project to ensure that the system maintains 
operations during that whole period. So, it is not a rapid 
process, but support from our Federal partners is encouraged.
    Mr. Malinowski. Thank you, sir. Just a few seconds left. 
Let me just, note, I mean, I started with the example of the 
Russians knocking out a satellite communications system. We 
don't have time to ask you all about this, but just to let you 
know that I am going to be introducing a legislation shortly 
that would allow commercial satellite operators to better 
protect themselves against cyber attacks. I would note that a 
number of utilities, including water utilities in the United 
States, rely, as we all do, on satellite, commercial satellite 
technologies to facilitate their operations. So, I see that as 
something that will help the entire sector. Thank you, and I 
yield back.
    Mr. Torres. I now recognize the gentleman from Texas, Mr. 
Pfluger, for questions.
    Mr. Pfluger. Thank you, Mr. Chairman. To all the witnesses, 
thank you for taking part in this today. Obviously, very 
important threats, I believe, are going up exponentially and 
new threats that we haven't seen before I also believe will be 
attacking our critical infrastructure. I have got a couple of 
questions.
    Before I get to that, last week I introduced the cyber 
defense, Cyber Deterrence and Response Act to really remove any 
ambiguity for a would-be attacker of American critical 
infrastructure. You know, whether it is the financial sector or 
the energy sector, I have always been very outspoken on energy 
and believe that that is a vulnerability, a target, and 
something that adversaries will target.
    It basically says that any cyber attack on critical 
infrastructure by a foreign state-sponsored actor will be 
responded to by the President of the United States. I will just 
start, Mr. Yoran, a West Point grad, myself being an Air Force 
Academy grad, I think that, you know, we might be able to look 
at these actions a little bit differently. Can you kind-of talk 
through the benefits or even drawbacks of establishing maybe 
more serious red lines that might remove some of the ambiguity, 
but also could, you know, limit some of our, you know, kind-of 
put us in a box, if you will, in some cases. You know, what is 
the value of the deterrence by being a little more overtly 
stating, you know, what we will and how we respond to some of 
these attacks?
    Mr. Yoran. Well, thank you, Congressman. I do think that 
deterrence should play a critical role in the cybersecurity 
paradigm. To date, it is greatly underserved. So, the 
deterrence could be response in kind from a cyber perspective. 
It could be retorts. It could be countermeasures. It could be 
non-cyber responses. I think having those options available to 
us as a Nation and exerting those options more frequently is 
one way to signal to the rest of the international community 
what is OK and what not OK from a cyber perspective.
    Mr. Pfluger. Well, thank you for that. It is obviously a 
difficult problem. We need to have the reporting in order to 
understand, but hopefully, that reporting comes in the way of 
voluntary so that we can really learn the lessons.
    Let me move to the next question for Mr. Meyers. You know, 
talking about the State Department launching the new Bureau of 
Cyberspace and Digital Policy, and given your support 
previously for the Threat Analysis Division, can you talk us 
through how this new agency should stand up, how they will be 
effective, and the steps they need to take to accomplish that 
deterrence that we just talked about with Mr. Yoran.
    Mr. Meyers. Sure. I think information sharing and bringing 
visibility and awareness to what threat actors are doing and 
what that looks like is absolutely critical. If I can turn back 
briefly to the deterrence component, though, I think that there 
is an element which is deterrence through denial that should be 
considered. That is really about, as to borrow from CISA, the 
Shields Up, but bringing the technology together that allows us 
to ensure that these threat actors are not able to conduct 
these operations.
    As Mr. Yoran mentioned in his testimony about lapses using 
pretty limited resources to conduct large-scale attacks against 
pretty significant entities, I think zero trust, identify 
management, multi-factor authentication, all of these 
technologies help us make organizations more resilient and 
stronger. In doing so, enable us to create deterrence through 
denial by denying the threat actor the ability to operate 
inside of our environments and raising the cost of doing 
business to them.
    Mr. Pfluger. Well, thank you for that. Last question for 
anybody on the panel. In the form of personnel, they are able 
to conduct these types of cyber-related activities here. I 
believe we have a shortage of people and experts. How do we at 
the university level or even before, primary education, 
secondary education, how do we target, you know, this problem 
through the training of and the education of personnel? I am 
thinking of my own district, Angelo State University, a cyber 
center of excellence. How do we really make a--move the needle 
and make a dent in this problem, to anybody?
    Mr. Meyers. I will take that first. But I think we need to 
be going at the junior high school level and really encouraging 
the STEM programs, encouraging students from lots of different 
diverse backgrounds to get involved in math and science, and 
build the work force for the future, today. We cannot just 
magically make this work force appear. We need to start at a 
young level and start to train them. CrowdStrike has been 
encouraging that through some of our nonprofit operations with 
Girls Who Code and things like that. So, I strongly encourage 
doing that at an early age.
    Mr. Pfluger. Thank you. I am out of time. I am going to 
have a question to follow up to ask each of you whether we are 
behind on that or not? I appreciate it and yield back.
    Mr. Torres. Thank you. I now recognize the gentleman from 
Kansas for questioning, Mr. LaTurner.
    Mr. LaTurner. Thank you, Mr. Chair. I want to thank each of 
the witnesses for taking part in this hearing today and sharing 
your perspective on this important issue. Not a week goes by 
that I don't hear about the threats and challenges that 
businesses, schools, hospitals, and countless other 
stakeholders in my district face due to increased cyber 
attacks. As we all know, this threat has only increased in 
recent months. We have watched the unfolding tragedy of the 
Russian invasion of Ukraine.
    But Russia's aggression is not limited to their heinous 
attacks and bombings of civilian shelters that we see on 
television. War is also being waged in the cyber space where 
Russian actors are doing all they can to undermine and attack, 
not just Ukraine, but the United States and our other allies 
abroad. These attacks did not just start in the last month. It 
has recently been reported that the Department of Justice 
indicted 3 Russian FSB agents who targeted computer systems at 
the Wolf Creek nuclear power plant in Burlington, Kansas from 
2014 to 2017.
    The Government maintains a consistent expectation that 
utilities and critical infrastructure stakeholders should 
operate as partners for the defense of the Nation. However, in 
order for them to perform that role, as expected by the 
Government, industry needs timely and actionable information 
that they can take and respond effectively. This is a two-way 
street. We need to ensure that industry and Government are able 
to develop a trusting relationship where they are capable of 
freely sharing information with the knowledge that it will 
remain secure and is actually being used to strengthen and 
improve our cyber defenses. I will emphasize, the need for it 
to remain secure.
    My first question is for Mr. Morley. Mr. Morley, given the 
wide-spread disparity of your membership and the wide array of 
needs that they have, do you feel that the assistance you all 
are getting from CISA adequately covers the wide range of needs 
that your members have?
    Mr. Morley. I think to your point about timely and actual 
information, I think we can improve that and ensure that the 
information is actionable. I think some of that information 
does come out at a level that may be beyond some of the 
technical expertise that may be inhouse at a small or medium 
system. Would look forward to the opportunity to work with the 
agency to improve that information-sharing process.
    Mr. LaTurner. I appreciate that. Mr. Silberstein, you 
represent some of the most cyber mature companies in the 
country. I would imagine that some of the services CISA offers 
might not be as useful to your member companies as they are to 
other sectors. Where does CISA need to improve in their 
services for you all?
    Mr. Silberstein. Thank you, Congressman. The largest 
financial institutions, like many of the largest corporations 
in the country, are extremely sophisticated in their 
capabilities. But nevertheless, the information that CISA 
provides is useful because they have a across-the-country view 
and it is valuable. Does it have the same value? Probably not. 
I think we are all challenged as we go down the size rankings 
in any sector of the smaller institutions how they find the 
resources, the money, et cetera, to do what is needed. Moving 
to a--for the future to where we start building more context to 
the individual sectors around the information, about their 
supply chains, is a long-term direction, which could be 
helpful.
    Mr. LaTurner. I appreciate that. This is for everyone. I 
want to give everyone an opportunity here. The Cyber Incident 
Reporting for Critical Infrastructure Act included within the 
Consolidated Appropriations Act, it requires owners and 
operators to report significant cyber incidents and ransomware 
attacks to CISA, which will lead to greater visibility for the 
Federal Government, earlier disruption of malicious cyber 
campaigns, and better information, and threat intelligence 
going back out to the private sector so they can defend against 
future attacks. Several of you mentioned in your testimony that 
you had recommendations for legislation. I would like to 
provide an opportunity for you all to comment on that now.
    Mr. Morley. Are you asking specifically about the incident 
reporting legislation or?
    Mr. LaTurner. Correct.
    Mr. Silberstein. Yes, if I may, Congressman, we don't take 
a stance on suggesting legislation in the future. But will note 
that there seems to be some excellent coordination between 
CISA, U.S. Treasury, and regulators about attempting to 
normalize the already-existing reporting requirements with the 
new reporting requirements.
    Mr. LaTurner. I appreciate that. My time has expired. Mr. 
Chairman, I yield back.
    Mr. Torres. Thank you. I will simply end with a final 
comment that the state of cybersecurity of our critical 
infrastructure runs the gamut from financial services, which is 
richly resourced, to our water systems, which is fragmented and 
poorly funded. We have to ensure that CISA's support is 
sufficiently tailored to the widely varied needs of our 
critical infrastructure, that it is sufficiently need-based.
    I want to thank the witnesses for their testimony and the 
Members for their questions.
    Another Member showed up. Mrs. Cammack, I am sorry.
    Mrs. Cammack. You were going to leave me hanging, Mr. 
Chairman.
    Mr. Torres. You are recognized for questions.
    Mrs. Cammack. Well, I appreciate it. Thank you so much. 
Thank you to our Chairman and the Ranking Member Katko, for 
holding this very important hearing today. Again, thank you to 
all our witnesses for your testimony. I know that these can be 
lengthy, but we appreciate and value your testimony.
    Several weeks ago, I held a call with utilities, 
businesses, city and county leadership, and stakeholders across 
my district, Florida's 3rd Congressional, to discuss cyber 
preparedness and resiliency. Now, during this call, we were 
able to discuss the resources at CISA, specifically Shields Up. 
I am glad that CISA has developed this initiative for 
individuals and organizations across the country to provide 
this critical information on cyber threats mitigation, and best 
practices that must be implemented in the face of growing cyber 
threats.
    However, every organization in the United States, every 
level of government, private, business, ag operation, water 
treatment facility, you name it, it is exposed to cyber 
threats. As we have seen in the last year, cyber attacks can 
have a real and immediate effect on Americans across the 
country. The Colonial Pipeline ransomware attack affected the 
entire East Coast, even Floridians who are not relying on 
getting their fuel from a pipeline, leading to the company 
halting National--normal functions for several days, which led 
to fuel shortages throughout the southeast, leading to at the 
time, the highest gas prices since 2014.
    In February of last year, a water treatment facility in 
Florida, not far from my district, was also attacked. According 
to reports about the attack, the levels of sodium hydroxide at 
the treatment facility were adjusted from 100 parts per million 
to 11,000 parts per million, a deadly level. Fortunately, this 
attack was noticed and stopped by employees who were vigilant.
    Moreover, as a Member of the House Agriculture Committee, I 
am especially worried about cyber threats against another 
critical infrastructure sector, our Nation's food supply. In 
June of last year, a cyber attack that was likely based in 
Russia targeted JBS who has operations in Canada, Australia, 
and the United States. Now, as you all know, JBS makes up 
nearly 19 percent of the Nation's market share for meat 
processing. According to a recent report from the Food and 
Agriculture Organization, the war in Ukraine--global 
agriculture markets face, because of the war, they face 
exposure to vulnerability, to shocks, and volatility from 
fertilizer prices, fuel prices, factor in regulatory and labor 
concerns. In short, it is a mess.
    Due to the potential disruptions in ag production and trade 
in the region, U.S. producers and related agribusiness must 
remain resilient in the face of enhanced cyber threats from 
Russia targeting these industries. Food security is National 
security. It is vital at this time to ensure that there are no 
disruptions to our Nation's food supply or other critical 
infrastructure sectors.
    Mr. Meyers, I would like to just touch on your opening 
statement. You discussed a number of threat actors and the 
various goals of leveraging cyber operations. Can you discuss 
the process by which you were able to determine the intended 
objectives for cyber threat actors and, specifically, I am 
curious, how you can make the determination for the reason for 
these operations when it is not explicitly conveyed or there is 
not a financial aspect to the crime?
    Mr. Meyers. Thank you for the excellent question, 
Congresswoman. The intent of a threat actor can be established 
by the targets that they go after, the method by which they 
conduct targeting. By which I mean, if they are conducting 
phishing attacks with malicious attachments, looking at the 
recipients of those attachments, looking at the content of the 
lure that is intended to get the person to click on it or open 
it, are all things that help us understand what the target 
environment looks like or who the targets might be.
    In terms of intent, we look at the tools that they are 
leveraging. This may involve tools that are built specifically 
for espionage, looking for specific files, key words, things 
that will be used by a threat actor for intelligence purposes. 
In the case, the examples I mentioned with regards to Ukraine 
and Russia, they have employed disruptive, destructive tools 
that are meant to overwrite files and to render systems 
inoperable. That is kind-of the two mean differentiations 
between espionage and these disruptive, destructive attacks. 
The threat actors that we are tracking are capable, 
particularly from a Russia perspective, in conducting 
disruptive, destructive attacks against targets in the United 
States, and as I highlighted, critical infrastructure.
    Mrs. Cammack. My apologies for the bell. But thank you for 
your commentary and my time has expired. I yield back.
    Mr. Torres. Thank you. Last, but not least, the gentleman 
from Georgia, Mr. Clyde, is recognized for questions.
    Mr. Clyde. Thank you, Chairman Torres, for holding this 
important hearing. As many of you are aware, far too often in 
our digital age, we do hear of companies, schools, health 
services, or local municipal governments, victimized by 
ransomware attacks. However, what is equally as concerning are 
those entities harmed by cyber crime that we do not hear about 
due to those entities not filing a report with CISA, the FBI, 
or the NSA often because they do not know what law enforcement 
tools are available to them.
    In my home district alone, Jackson County government was 
hit with a ransomware attack demanding $400,000 in 2019. Polk 
County elections infrastructure was hit by a ransomware attack 
in 2020. A major manufacturer, ASI Southeast, was hit in 2021. 
South of my district, one of the most important gas pipelines 
in the southeast, Colonial Pipeline, was hit with a ransomware 
attack in 2021, causing serious fuel supply disruptions.
    Mr. Chairman, I request unanimous consent to have these 
articles reflecting these events submitted for the record and I 
would like to read them.
    Mr. Torres. Without objection.
    Mr. Clyde. Thank you. The first article is a ZDNet, 
``Georgia county pays a whopping $400,000 to get rid of a 
ransomware infection'' from May 9, 2019. October 29, of 2020, 
``Ransomware hits election infrastructure in Georgia county'', 
from CNN. Then from U.S. News and World Report, on May 8, 2021, 
``Major U.S. pipeline halts operations after ransomware 
attack''. Thank you.
    [The information follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    
                                ------                                

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                ------                                

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Mr. Clyde. As Russia wages war on Ukraine and more 
countries place economic sanctions on Russia, we have been 
warned about the potential increased cyber attacks against U.S. 
businesses by Russia or Russian assets. These attacks could not 
only hurt the United States on a financial front, but they 
could also interrupt critically important defense, utilities, 
health care, manufacturing, or elections computer network 
systems.
    You know it is vital to our National interests that we 
secure our networks to prevent ransomware and cyber attacks by 
bad actors. Moreover, in shoring up our Nation's defensive 
cyber capabilities, we must also make sure that we maintain 
cutting-edge offensive cyber capabilities. I have always 
believed that the best defense is a good offense. Without a 
strong offense, our Nation will lack the ability to deter and 
respond to attacks conducted against U.S. interests.
    So, my question, especially for Mr. Meyers, first, and then 
for Mr. Yoran, is this an area of focus, is the offensive 
capability an area of focus that any of you can discuss in this 
setting?
    Mr. Meyers. I think that----
    Mr. Clyde. Are you involved in that?
    Mr. Meyers. I think that is best answered by the 
intelligence community and the military law enforcement. 
Private sector does not play a significant role from an 
offensive perspective.
    Mr. Clyde. Would you agree, are you----
    Mr. Yoran. I would agree with Mr. Meyers. There is no role 
for private sector in offensive cyber operations.
    Mr. Clyde. OK. All right, thank you. I am a Member of the 
House Committee on Oversight and Reform, and in January of this 
year, CORE held a hearing on the 13th iteration of the Federal 
Information Technology Acquisition Reform Act, or FITARA. This 
hearing highlighted the grades each Federal agency received in 
different areas of the FITARA scorecard.
    While many Federal agencies passed in many areas, a large 
area of concern was cybersecurity under the Federal Information 
Security Management Act, or FISMA. While most FISMA scores were 
a C or higher, however, there were six D grades. That made me 
question what does this mean for cybersecurity for the agencies 
that scored so low? I want to highlight the Department of 
Energy was one of those agencies that scored a D in the FISMA 
category. The White House placed the Department of Energy as 
the lead response agency to the Colonial Pipeline ransomware 
attack. However, the DOE was not the lead sector risk 
management agency, rather the Department of Homeland Security, 
via the Transportation Security Administration.
    So, can any of you tell me, I think, let's see, Mr. Meyers, 
you were involved in that CrowdStrike, was that not something 
that you were involved in with Colonial Pipeline?
    Mr. Meyers. In what regard?
    Mr. Clyde. As in assisting Colonial Pipeline.
    Mr. Meyers. Not to my knowledge. We covered it from an 
intelligence perspective and investigated the DarkSide group 
that was responsible for it.
    Mr. Clyde. Right. That is kind-of where I am going. So, you 
were involved in investigating the DarkSide of it.
    Mr. Meyers. Yes.
    Mr. Clyde. OK. So, can you tell me, did Russia have a part 
in that, do you think? Or can you elaborate on that with regard 
to Russia?
    Mr. Meyers. I think that in that case we were--there was a 
core group, which was responsible for building the platform. 
This is something that we term ransomware as a service. They 
built that core platform and then there was an affiliate who 
was responsible for conducting the actual intrusion and 
deployment of ransomware. So, it was a criminal group that is 
known that we track as Carbon Spider. Then an unknown affiliate 
who leveraged that infrastructure to conduct the attack.
    Mr. Clyde. OK. All right. Thank you very much. With that, I 
yield back.
    Mr. Torres. Thank you, Mr. Clyde. Without objection, I 
insert into the record a statement from Mandiant, Inc.
    [The information follows:]
Statement of Sandra Joyce, Executive Vice President and Head of Global 
                      Intelligence, Mandiant, Inc.
                             April 5, 2022
                       introduction & background
    Mandiant appreciates the opportunity to provide an official 
statement for the record in response to the committee's recent hearing, 
``Mobilizing our Cyber Defenses: Securing Critical Infrastructure 
Against Russian Cyber Threats.''
    Mandiant assesses with moderate confidence that Russia will conduct 
additional destructive or disruptive cyber attacks connected to the war 
in Ukraine, focusing most certainly on Ukraine but also possibly 
shifting to Western and NATO allies, including the United States. My 
commentary will focus on cyber threat activity observed in Ukraine; 
preparing for threats to the homeland; and recommendations for 
escalating, de-escalating, and maintaining a steady date during a 
global cyber event.
    With the understanding that visibility into the cyber threats that 
matter cannot be surged overnight, Mandiant has made significant 
investments over the years to maintain a window of visibility into such 
threats abroad. Bolstered by partnerships and data collection efforts, 
we have always understood the importance of awareness into Russian 
cyber operations in nations like Ukraine, to proactively put U.S. 
organizations on a better defensive footing when those same actors, 
tools, and techniques are used against the homeland.
    Mandiant employees are on the front lines of the cyber threat 
landscape, currently responding to over 150 active computer intrusions 
at some of the largest companies and organizations in the world. Over 
the last 18 years, we have responded to thousands of security 
incidents. For each incident we respond to, it is our objective to 
figure out what happened and to determine what organizations can do to 
avoid similar incidents in the future. We also maintain over 300 
intelligence analysts, located in more than 20 countries, speaking over 
30 languages, who pursue attribution and identification of the threat 
actors via research and sources.
    We are committed to working with our public and private-sector 
partners to safeguard the Nation from cyber attacks by sharing cyber 
threat information, lessons learned, and best practices, including as a 
plank-holder member of the newly-established Joint Cyber Defense 
Collaborative at the Cybersecurity and Infrastructure Security Agency, 
and a member and contributor to various information-sharing and 
analysis centers.
               cyber threat activity observed in ukraine
    Our long-standing visibility has helped us stay abreast of threat 
campaigns targeting Ukraine, both before the run-up of Russia's 
military invasion through to the present. To date, we have witnessed 
continued cyber espionage campaigns, information operations, and 
destructive cyber attacks by Russian threat actors against Ukrainian 
targets. Multiple instances of wiper malware have impacted Ukraine's 
government, energy, and financial sectors among others. Disinformation 
campaigns have sought to exploit fissures among EU and NATO allies. 
Some of these operations have sought to amplify limited disruptive 
successes through psychological operations targeting the Ukrainian 
populace--something we can learn from in anticipating how cyber attacks 
might be operationalized against our own country and infrastructure.
    Recent cyber operations against Ukraine have not been limited to 
campaigns by Russian threat actors. Mandiant has observed suspected 
Chinese espionage groups target Ukrainian organizations.\1\ The focus 
of international governments and partners on Ukraine likely provides 
China a target-rich environment to opportunistically leverage for its 
own ends. Additionally, we have observed a network of coordinated and 
inauthentic social media accounts push messaging critical of the United 
States related to its actions surrounding Russia's invasion into 
Ukraine. We have been tracking this network since 2019 and have 
observed it promoting pro-People's Republic of China narratives.\2\ 
Mandiant has also identified pro-Iran information operations activity 
promoting content pertaining to the Russian invasion of Ukraine, such 
as the promotion of narratives suggesting that NATO and the West have 
abandoned Ukraine.\3\
---------------------------------------------------------------------------
    \1\ Mandiant Intelligence Report 22-00007807 (24 March 2022).
    \2\ Mandiant Intelligence Report 22-00009927 (13 April 2022).
    \3\ Mandiant Intelligence Report 22-00004849 (7 March 2022).
---------------------------------------------------------------------------
    Meanwhile, ransomware operations continue to impact U.S. 
organizations. The last several years of financially-motivated 
campaigns by an ecosystem of various criminal actors has impacted many 
key sectors of the U.S. economy. Given historic relationships between 
the Russian security services and underground cybercriminal community, 
this is an area of concern as we watch for deviations in patterns of 
activity by known actors within this ecosystem.
                 preparing for threats to the homeland
    In this time of an increased ``Shields Up'' posture, Mandiant 
believes network defenders should prioritize the threats that matter 
during an elevated state of defense. Scale is often an important factor 
in successful cyber attacks, and a particular area of concern is the 
ability of threat actors to leverage access into many organizations or 
affect a destructive outcome that impacts downstream customers of 
critical infrastructure. We are particularly concerned with Russian 
cyber threat actors that appear to have a mandate to carry out 
destructive attacks, such as groups we track as Sandworm Team and 
TEMP.Isotope. These are Russia-based threat actors with a history of 
conducting intrusions into critical infrastructure, some of which have 
resulted in costly outcomes across various industries. Should we see 
escalation of cyber attacks by Russia as a reprisal to sanctions, 
Mandiant assesses that in addition to Government organizations, sectors 
such as financial services, energy, media, and transportation are at 
elevated risk for targeting by Russian threat actors.\4\
---------------------------------------------------------------------------
    \4\ ``Responses to Russia's Invasion of Ukraine Likely to Spur 
Retaliation'' https://www.mandiant.com/resources/russia-invasion-
ukraine-retaliation.
---------------------------------------------------------------------------
    Mandiant, in partnership with Schneider Electric, recently 
disclosed analysis of a new set of industrial control system (ICS)-
oriented attack tools which we call INCONTROLLER.\5\ The tools can 
interact with specific industrial equipment embedded in different types 
of machinery leveraged across multiple industries. While attribution 
has not been made to a specific sponsor, we assess these tools to be 
the work of a well-resourced nation-state and contain the capability 
for sabotage or physical destruction in operational environments where 
they could be deployed. The capability of these tools is comparable to 
some of the more sophisticated malware families we have observed target 
ICS environments, to include the malware used to disrupt electric 
utilities in Ukraine in 2016.
---------------------------------------------------------------------------
    \5\ ``INCONTROLLER: New State-Sponsored Cyber Attack Tools Target 
Multiple Industrial Control Systems'' https://www.mandiant.com/
resources/incontroller-state-sponsored-ics-tool.
---------------------------------------------------------------------------
    As we have seen abroad, the purpose of destructive operations may 
be as much psychological as kinetic in nature. Mandiant believes that 
attempted deniability of such operations highlights the importance of 
attribution efforts by our organization and others to hold malign 
actors to account. Intelligence and information sharing among private 
and public-sector partners can better enable us all to proactively 
defend the homeland from the latest tactics and techniques of 
operations by such groups as mentioned above.
    The increased risk of cyber attacks against critical infrastructure 
here in the United States is something the Nation must prepare for. 
However, the private sector is in a better position today having 
weathered ransomware attacks for the last several years. Collectively, 
the private sector has learned how to better prepare for, mitigate, and 
respond to disruptive attacks when they materialize, limiting the scope 
of destruction and getting organizations back up and running. To that 
end, Mandiant has issued guidance to organizations on steps they can 
take now to better harden their networks and systems from the types of 
destructive attack we are concerned Russian threat actors could 
launch.\6\
---------------------------------------------------------------------------
    \6\ ``Proactive Preparation and Hardening To Protect Against 
Destructive Attacks''https://www.mandiant.com/sites/default/files/2022-
03/wp-proactive-preparation-and-hardening.pdf.
---------------------------------------------------------------------------
                           beyond the crisis
    Public and private-sector entities have an opportunity to come out 
of this current period of heightened tensions with lessons learned for 
strategic readiness and cooperation across sectors. In a similar manner 
to the challenges of securing elections and responding to ransomware, 
this current crisis can serve as a model for improved coordination 
between industry and Government. Organizations must also realize that 
maintaining a high operational tempo of increased diligence for an 
extended time frame can be costly to network defenders in organizations 
already impacted by staffing shortages and limited resources. Security 
planning by organizations--in critical infrastructure and other 
sectors--should take into account normal, elevated, and high-alert 
states of defense through periods of crisis. This involves considering 
both proactive and strategic measures to take, as well as operational 
changes and constraints at those various stages.
    Mandiant applauds passage of the Cyber Incident Reporting for 
Critical Infrastructure Act as part of the Fiscal Year 2022 
Consolidated Appropriations Act. This is a positive step forward in 
achieving critical long-term goals of enabling early detection of 
malicious cyber attacks, though it will not be officially implemented 
for several more months. In the mean time, it is critical for CI owners 
and operators in all sectors to share cyber threat information and 
report incidents to the Cybersecurity and Infrastructure Security 
Agency, given the on-going geopolitical tensions in Ukraine and the 
threat of cyber attacks to the homeland.
    This reporting framework enhances the Federal Government's 
situational awareness to better partner with and assist private-sector 
entities that become cyber attack victims. Broader, timely cyber 
incident reporting and bi-directional information sharing within and 
across sectors will allow for earlier detection of large, sophisticated 
cyber campaigns that have the potential for significant impacts to 
critical infrastructure or National security implications. More robust 
datasets will lead to faster and more accurate attribution and 
understanding of adversary intent; more impactful responses to attacks, 
including a greater probability of successful countermeasures or 
deterrence; cross correlation and collaboration with international 
partners, thereby enabling a multilateral response to State-sponsored 
or State-sanctioned cyber criminals; and overall, a much more accurate 
cyber risk picture. The significance and necessity of these 
capabilities cannot be overstated during this time of war in Ukraine.
                               conclusion
    On behalf of Mandiant, thank you for the opportunity to share our 
insights and recommendations for preparing and responding to potential 
cyber threats against U.S. critical infrastructure. We stand ready to 
work with you and other interested parties in devising effective 
solutions to deter malicious behavior in cyber space and to build 
better resiliency into organizations' networks.

    Mr. Torres. I thank the witnesses for their testimony, for 
their service to the country, and the Members for their 
questions. The Members of the committee may have additional 
questions for the witnesses. We ask that you respond 
expeditiously in writing to those questions.
    The Chair reminds Members that the committee report record 
will remain open for 10 business days. Without objection, the 
committee stands adjourned.
    [Whereupon, at 12:06 p.m., the committee was adjourned.]



                            A P P E N D I X

                              ----------                              

       Questions From Honorable Nanette Barragan for Adam Meyers
    Question 1. What recommendations do you have to secure our ports 
from cyber threats?
    Answer. Response was not received at the time of publication.
    Question 2. State and local governments often own and operate 
critical infrastructure but may lack the resources to properly invest 
in cybersecurity. In your opinion, what obstacles remain to 
strengthening the security of State and local government-owned critical 
infrastructure and what more could the Federal Government do to assist 
them?
    Answer. Response was not received at the time of publication.
         Questions From Honorable Ralph Norman for Adam Meyers
    Question 1. The National Institute of Standards and Technology has 
increased its focus on detecting and preventing harmful intrusion from 
foreign entities that pose a risk to our critical infrastructure. Among 
these focus areas, application whitelisting is repeatedly flagged as a 
viable security measure for protection against cyber attacks by 
blocking harmful material before it ever gains access to the system. 
How is your organization utilizing tools like application whitelisting 
to meet the demands of the modern cybersecurity climate?
    Answer. Response was not received at the time of publication.
    Question 2. What can be done to incentivize the private sector to 
protect themselves?
    Answer. Response was not received at the time of publication.
    Question 3. A lot of talk today has been about prevention and 
mitigation, but I want to talk about what happens once the enemy 
strikes. When you have an emergency, you call 9-1-1. When your 
organizations are held for ransom by malware, who do you call?
    Answer. Response was not received at the time of publication.
   Questions From Chairman Bennie G. Thompson for Steven Silberstein
    Question 1. How do your international attache offices work with 
host country law enforcement and non-U.S. companies to combat the 
threat of terrorists' use of digital money? Do you have plans to expand 
your international footprints to specifically address your predicted 
growth in this threat area?
    Answer. As a private global association with strong public-private 
partnerships and employees across the world (including regional offices 
in Singapore, United Kingdom, and the United States) we support our 
financial services members as they navigate threats associated with bad 
actors utilizing digital assets. Our focus is on the sharing of 
information that would alert and possibly prevent illegal digital 
transactions before they happen. While we do cooperate with law 
enforcement when contacted, we are not typically involved in anti-money 
laundering issues and/or terrorists' use of digital currencies that 
take place outside the core financial services space. However, as 
digital assets are becoming more prevalent, FS-ISAC is expanding our 
footprint in this evolving area. Specifically, in Q2 of calendar year 
2022 we are establishing a global Cryptocurrency Community of Interest 
to promote threat intelligence and knowledge sharing within our 
membership. This community will receive relevant threat briefings, 
discuss controls, threats and risks, and share useful practices.
    Question 2. To what extent do social media platforms allow for 
terrorists and violent extremists to more easily move funds among each 
other? What gaps or barriers exist to those platforms working more 
closely with your agencies to prevent this movement of money?
    Answer. At this time, social media firms do not share with FS-ISAC 
when fraudulent identities or transactions are suspected on their 
platforms.
    Question From Honorable Nanette Barragan for Steven Silberstein
    Question. The Financial Services Information Sharing and Analysis 
Center specializes on cybersecurity for financial services. Do you have 
any recommendations for how the Federal Government or private sector 
can support our smaller financial institutions' cybersecurity, such as 
for our smaller community banks and minority-owned banks, that may have 
less resources?
    Answer. Response was not received at the time of publication.
      Questions From Honorable Ralph Norman for Steven Silberstein
    Question 1. The National Institute of Standards and Technology has 
increased its focus on detecting and preventing harmful intrusion from 
foreign entities that pose a risk to our critical infrastructure. Among 
these focus areas, application whitelisting is repeatedly flagged as a 
viable security measure for protection against cyber attacks by 
blocking harmful material before it ever gains access to the system. 
How is your organization utilizing tools like application whitelisting 
to meet the demands of the modern cybersecurity climate?
    Answer. Response was not received at the time of publication.
    Question 2. What can be done to incentivize the private sector to 
protect themselves?
    Answer. Response was not received at the time of publication.
    Question 3. A lot of talk today has been about prevention and 
mitigation, but I want to talk about what happens once the enemy 
strikes. When you have an emergency, you call 9-1-1. When your 
organizations are held for ransom by malware, who do you call?
    Answer. Response was not received at the time of publication.
      Question From Honorable Nanette Barragan for Kevin M. Morley
    Question. There are smaller water systems with limited resources 
that serve some of our disadvantaged communities. What cybersecurity 
resources do these smaller water systems in the United States currently 
receive from the Government, nonprofit, and private sectors and what do 
you believe they need to ensure their safety and the safety of their 
customers?
    Answer. Response was not received at the time of publication.
   Questions From Ranking Member Andrew Garbarino for Kevin M. Morley
    Question 1a. The America's Water Infrastructure Act of 2018 only 
requires systems serving more than 3,300 customers to self-certify that 
they have developed risk assessments and emergency response plans. That 
leaves tens of thousands of smaller systems with less than 3,300 
customers unprotected. Long Island has dozens of smaller water 
utilities--my constituents deserve the same level of protection as 
Americans across the country.
    What can the Federal Government do to drive greater cyber 
preparedness for all water systems, regardless of size?
    Question 1b. What are your thoughts on requiring cybersecurity 
plans to be submitted when systems of all sizes apply for Federally-
subsidized loans and grants?
    Question 1c. As the Sector Risk Management Agency for the water 
sector, do you think the EPA has the capacity to handle cybersecurity 
oversight? Are you confident EPA and CISA could appropriately assist 
during an emergency like the incident seen in Florida last February?
    Answer. Response was not received at the time of publication.
       Questions From Honorable Ralph Norman for Kevin M. Morley
    Question 1. The National Institute of Standards and Technology has 
increased its focus on detecting and preventing harmful intrusion from 
foreign entities that pose a risk to our critical infrastructure. Among 
these focus areas, application whitelisting is repeatedly flagged as a 
viable security measure for protection against cyber attacks by 
blocking harmful material before it ever gains access to the system. 
How is your organization utilizing tools like application whitelisting 
to meet the demands of the modern cybersecurity climate?
    Answer. AWWA's cybersecurity guidance is directly aligned with the 
NIST Cybersecurity Framework. In addition, NIST 800-167 provides 
guidance on how an entity can use whitelisting to protect its networks. 
However, we have observed that the classification level associated with 
some cyber threat intelligence inhibits effective information sharing 
across a sector like water, which includes more than 50,000 community 
water systems. In one recent cyber incident in which a water utility 
was targeted, the associated incident assessment included ``actionable 
information'' including IP address that if shared could be blocked as 
part of a geofencing defense. Unfortunately, that information was not 
shared with the sector for unknown reasons. Most critical 
infrastructure entities are dependent on the intelligence community for 
active threat information. We cannot take action on threats that are 
not communicated in a timely manner.
    Question 2. What can be done to incentivize the private sector to 
protect themselves?
    Answer. Improving information sharing about cyber threats is 
essential. This requires better collaboration to ensure the information 
being provided is properly contextualized and actionable. The Shields 
Up campaign from CISA is an important start, but too often the 
information provided assumes a level of cyber proficiency that may not 
always exist in the field, which impedes the receiver from taking 
action to implement the provided mitigations. Our Federal intelligence 
partners need to provide the ``on ramps'' necessary to ensure that all 
entities can act on the information those agencies generate. This a key 
limiting factor with cyber threat intelligence.
    In addition, we have observed the market responding to the evolving 
cyber threat, specifically insurance underwriters and credit rating 
agencies. The expectations from these entities provide a strong signal 
that supports action being taken voluntarily to mitigate cyber 
vulnerabilities.
    AWWA is an ANSI Standards Development Organization and has prepared 
several voluntary consensus standards that collectively provide an all-
hazards approach to security and preparedness. Currently two standards 
have received SAFETY Act Designations based on the Department of 
Homeland Security's determination that they are effective at mitigating 
the impact or harm that could arise from an Act of Terrorism. The 
designation provides an important market signal to the sector from DHS 
regarding best practice, in addition to the liability protections 
provide to AWWA and the users of these standards.
   ANSI/AWWA G430.--Security Practices for Operations and 
        Management
   ANSI/AWWA J100.--Risk and Resilience Management of Water & 
        Wastewater Systems
    Question 3. A lot of talk today has been about prevention and 
mitigation, but I want to talk about what happens once the enemy 
strikes. When you have an emergency, you call 9-1-1. When your 
organizations are held for ransom by malware, who do you call?
    Answer. We recommend that systems contact law enforcement, 
especially the FBI, when it comes to ransomware incidents. The Internet 
Crime Complaint Center (IC3) has created a reporting form for 
submitting ransomware incidents [https://ransomware.ic3.gov/]. In 
addition, the water sector has been promoting CISA's Shields Up program 
which includes incident reporting resources. The associations and Water 
ISAC frequently distribute advisories issued by ICS-CERT related to 
critical vulnerabilities, often in coordination with EPA and CISA.
    Question 4. The Environmental Protection Agency notes the risk 
posed to utilities and consumer payments by Russian cyber threats. In 
the past year alone, there have been 3 ransomware attacks on Water and 
Wastewater Systems Sector facilities across the country. CISA's Shields 
Up Advisory directs organizations to ``ensure that cybersecurity/IT 
personnel are focused on identifying and quickly assessing any 
unexpected or unusual network behavior.'' Beyond heightened awareness 
based on the recommendations of Federal agencies and regulatory bodies, 
how are your companies working to rapidly address any infiltration from 
malign entities attempting to undermine American security?
    Answer. AWWA's cybersecurity guidance encourages active network/
system monitoring. We recognize that bad actors in the cyber realm are 
constantly seeking opportunities to target systems, including water 
utilities. Network architecture is a critical part of mitigating cyber 
risks in addition to robust access controls for authorized users. These 
are key elements of the AWWA guidance that is designed to support a 
customized application of the NIST CSF, based on the technology 
applications deployed by a utility. This prioritized approach helps 
water systems allocate limited resources to those actions that will net 
the greatest risk reduction.
    AWWA also recognizes that the complexity of the cyber threat and 
the scale of the water sector necessitates a new approach to governance 
for cybersecurity. We have recommended a co-regulatory model that 
provides for a mandatory cybersecurity requirement, leverages the 
sector's subject-matter expertise, and maintains oversight with the 
EPA.
        Questions From Honorable Nanette Barragan for Amit Yoran
    Question 1. State and local governments often own and operate 
critical infrastructure but may lack the resources to properly invest 
in cybersecurity. In your opinion, what obstacles remain to 
strengthening the security of State and local government-owned critical 
infrastructure and what more could the Federal Government do to assist 
them?
    Answer. Thank you for this important question. For years, we've 
heard from State and local government agencies that they lack the 
funding needed to address their cybersecurity needs. State and local 
governments often have very limited IT budgets and must make tough 
choices about how to allocate that spending. In addition, due to the 
expanding attack surface, State and local governments need to address 
cybersecurity risks to not only their IT assets, but to Internet of 
Things (IoT), Operational Technology (OT) and cloud assets as well. 
That's why we've been advocating for a State and local cybersecurity 
grant program, which was included in the recently-enacted 
Infrastructure Investment and Jobs Act.
    The new program provides $1 billion in cybersecurity grants for 
State, local, Tribal, and territorial governments for the full range of 
connected assets. The funding is conditioned upon the submission of a 
State-wide cybersecurity plan that aligns with established best 
practices, covers critical infrastructure, and incorporates the needs 
of local governments, which receive 80 percent of the funding. This 
funding, which will be made available over the next 4 years, is vital 
to ensuring State and local governments have the resources they need to 
address cyber risks and threats and protect their critical 
infrastructure.
    I also applaud CISA's leadership in providing cybersecurity 
guidance, resources, and support for State and local government 
agencies, especially its ``Shields Up'' campaign, which gives 
organizations specific recommendations on threats and how they can 
defend themselves.
    For all organizations, especially those with fewer resources, 
establishing and maintaining a baseline standard of care can thwart the 
majority of attacks which come from known vulnerabilities. This 
includes strong passwords, multi-factor authentication, and risk-based 
vulnerability management. Getting these basics right will go a long way 
in securing State and local government agencies.
    Question 2. Private patient health information has become more 
digital, which makes it an increased target for cyber attacks. Can you 
discuss the importance of hospitals' and health care organizations' 
cybersecurity and available resources?
    Answer. Cybersecurity capabilities vary greatly between 
organizations, and it is important for less cyber mature organizations 
to recognize that cyber is a part of nearly everything we do now as a 
modern society. Health care organizations are a prime target for cyber 
criminals and, unfortunately, tend to have less mature cyber risk 
management practices. Add to that the reality that many health care 
organizations are looking to achieve only the bare minimum for 
cybersecurity compliance with HIPAA or other regulations and nothing 
more. This means they are often not adequately protecting private 
patient information from an increasingly-expanding attack surface.
    Organizations must place cyber risk management as a central focus 
of overall business risk management and invest in the best security 
they can to meet the needs of their patients. Management needs to 
understand the role of cybersecurity in broader organizational risk 
management. Stronger cyber hygiene practices have to play a fundamental 
role in protecting hospital and health care organizations' data, 
devices, and systems. The National Institute of Standards and 
Technology (NIST) provides resources and guidance through the National 
Cyber Center of Excellence that can be leveraged by the health care 
sector to achieve stronger cybersecurity outcomes.
    Question 3. Community health centers and clinics are an important 
safety net for communities of color and underserved groups. These 
facilities have less resources than large hospitals. How can the 
Federal Government and the private sector better support cybersecurity 
for critical community health centers?
    Answer. While community health centers and clinics have fewer 
resources, that doesn't mean they can't take meaningful steps toward 
stopping cyber threats. We know that the vast majority of attacks come 
from known vulnerabilities, and so investing their limited resources in 
a risk-based vulnerability management system will best enable smaller 
health care providers to defend against the most dangerous 
vulnerabilities and stop breaches. Getting the basics right, and doing 
them well, will help small organizations accomplish stronger 
cybersecurity on a smaller budget and keep their networks safe from the 
constantly expanding attack surface that impacts not only critical 
health care infrastructure, but also overall facility operations. As we 
saw with Colonial Pipeline last year, an attack on even just a billing 
system can have major consequences.
    The Federal Government also has a role to play. CISA can provide 
meaningful guidance to help smaller organizations understand what they 
need to defend themselves and offer open-source tools like they've done 
after major breaches to help health care providers defend themselves.
          Questions From Honorable Ralph Norman for Amit Yoran
    Question 1. The National Institute of Standards and Technology has 
increased its focus on detecting and preventing harmful intrusion from 
foreign entities that pose a risk to our critical infrastructure. Among 
these focus areas, application whitelisting is repeatedly flagged as a 
viable security measure for protection against cyber attacks by 
blocking harmful material before it ever gains access to the system. 
How is your organization utilizing tools like application whitelisting 
to meet the demands of the modern cybersecurity climate?
    Answer. NIST has taken steps to move away from terms like 
``whitelisting'' and is moving toward updating its terminology to use 
terms like ``allow list.'' Application allow lists, while another layer 
of defense for cybersecurity, require significant configuration and 
tuning to be truly effective. This is suitable for stable environments 
with minimal change. Given the speed of technology and, more 
specifically, the speed of transformation both to and within the cloud, 
the value of these solutions has diminished. In today's rapidly-
changing technology environment, it is critical to assess web 
applications for common flaws and component vulnerabilities. Tenable 
provides a solution, Tenable.io WebApp Scanning, which provides easy-
to-use, comprehensive and automated vulnerability scanning for modern 
web applications. This allows organizations to quickly configure and 
manage web app scans in a brief period of time with minimal tuning.
    Applying risk-based vulnerability management practices, which serve 
as a foundation to adopting zero-trust strategies, enables 
organizations to have visibility across their entire attack surface 
(IT, IoT, OT, cloud), conduct continuous assessments of vulnerabilities 
and misconfigurations, and prioritize vulnerabilities based on the full 
context of business risk.
    Question 2. What can be done to incentivize the private sector to 
protect themselves?
    Answer. Cyber risk must be viewed and treated as a business risk. 
Too many organizations don't see the risk of not defending themselves, 
but rather only the cost of defending themselves. We must change that. 
The Security and Exchange Commission's (SEC) recently proposed rule on 
cybersecurity risk management, which would require reporting about an 
organization's cybersecurity risk management practices, is a critical 
step in that direction. In addition, critical infrastructure vendor 
procurement processes need to provide stronger incentives for building 
cybersecurity into products and services. And CISA should work with 
stakeholders and different sector risk management agencies to develop 
guidance and a baseline standard of cybersecurity care.
    Question 3. A lot of talk today has been about prevention and 
mitigation, but I want to talk about what happens once the enemy 
strikes. When you have an emergency, you call 9-1-1. When your 
organizations are held for ransom by malware, who do you call?
    Answer. Organizations should have the option to contact either the 
FBI or the Department of Homeland Security's Cybersecurity and 
Infrastructure Security Agency (CISA) and contact information for both 
should be widely disseminated and easy to find. In addition, the FBI 
and CISA should be responsible for ensuring that when one agency is 
notified of an incident, the other is immediately notified as well. The 
FBI can then quickly launch an investigation while CISA can share 
information across the Federal Government and industry on cybersecurity 
attacks to help organizations protect themselves. If you've been hit by 
ransomware or malware, other organizations are at risk of the same 
attack. Getting the word out to other Federal agencies and industry 
quickly is vital, and CISA is able to alert and inform the right 
people.