[Senate Hearing 117-478]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 117-478

                               SOLARWINDS

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION

                               __________

          MARCH 18, 2021, UNDERSTANDING AND RESPONDING TO THE
              SOLARWINDS SUPPLY CHAIN ATTACK: THE FEDERAL
                            PERSPECTIVE AND
      MAY 11, 2021, PREVENTION, RESPONSE, AND RECOVERY: IMPROVING
                 FEDERAL CYBERSECURITY POST-SOLARWINDS

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs










                                 ______
                                 

                 U.S. GOVERNMENT PUBLISHING OFFICE

44-785 PDF                WASHINGTON : 2022












        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman

THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
              Celeste M. Chamberlain, Congressional Fellow
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
           Patrick T. Warren, Minority Investigative Counsel
           William H.W. McKenna, Minority Chief Investigator
          Cara G. Mumford, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk









                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters............................................... 1, 75 
    Senator Portman...............................................3, 77 
    Senator Carper...............................................15, 90 
    Senator Hassan...............................................18, 95 
    Senator Rosen...............................................21, 100
    Senator Romney...............................................    23
    Senator Sinema...............................................    27
    Senator Hawley..............................................29, 106 
    Senator Padilla..............................................    31
    Senator Ossoff...............................................    33
    Senator Johnson..............................................    92
    Senator Lankford.............................................    97
Prepared statements:
    Senator Peters..............................................37, 111 
    Senator Portman.............................................39, 113 



                               WITNESSES
                        Thursday, March 18, 2021

Christopher DeRusha, Federal Chief Information Security Officer, 
  Office of Management and Budget................................     5
Brandon Wales, Acting Director, Cybersecurity and Infrastructure 
  Security Agency, U.S. Department of Homeland Security..........     7
Tonya Ugoretz, Deputy Assistant Director, Cyber Readiness, 
  Outreach, and Intelligence Branch, Federal Bureau of 
  Investigation, U.S. Department of Justice......................     9

                     Alphabetical List of Witnesses

DeRusha, Christopher:
    Testimony....................................................     5
    Prepared statement...........................................    42
Ugoretz, Tonya:
    Testimony....................................................     9
    Prepared statement...........................................    53
Wales, Brandon:
    Testimony....................................................     7
    Prepared statement...........................................    47

                                APPENDIX

Responses to post-hearing questions for the Record:
    Mr. DeRusha..................................................    58
    Mr. Wales....................................................    59
    Ms. Ugoretz..................................................    72

                               WITNESSES
                         Tuesday, May 11, 2021

Brandon Wales, Acting Director, Cybersecurity and Infrastructure 
  Security Agency, U.S. Department of Homeland Security..........    79
Ryan A. Higgins, Chief Information Security Officer, U.S. 
  Department of Commerce.........................................    82
Janet Vogel, Chief Information Security Officer, U.S. Department 
  of Health and Human Services...................................    84

                     Alphabetical List of Witnesses

Higgins, Ryan A.:
    Testimony....................................................    82
    Prepared statement...........................................   123
Vogel, Janet:
    Testimony....................................................    84
    Prepared statement...........................................   126
Wales, Brandon:
    Testimony....................................................    79
    Prepared statement...........................................   117







 
                  UNDERSTANDING AND RESPONDING TO THE
        SOLARWINDS SUPPLY CHAIN ATTACK: THE FEDERAL PERSPECTIVE

                              ----------                              


                        THURSDAY, MARCH 18, 2021

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:15 a.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary C. Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Carper, Hassan, Sinema, Rosen, 
Padilla, Ossoff, Portman, Romney, and Hawley.

            OPENING STATEMENT OF CHAIRMAN PETERS\1\

    Chairman Peters. This Committee hearing will come to order, 
and I would like to first off thank our witnesses for joining 
us today and for their service to the American people.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the Appendix 
on page 37.
---------------------------------------------------------------------------
    This hearing will examine the devastating impact of recent 
cyber attacks against our Federal networks, including the dire 
national security implications of last year's SolarWinds breach 
and other recent online espionage efforts.
    This was one of the most destructive cyber breaches in 
American history, and there are still many unanswered questions 
about how it happened and how it went undetected for far too 
long.
    Both the SolarWinds and recent Microsoft hacks clearly show 
that our Nation is not adequately prepared to tackle this 
persistent and grave threat.
    Foreign adversaries, like China and Russia, continue to 
exploit our cyber vulnerabilities to access confidential and 
classified information, disrupt government operations, and even 
target businesses, schools and critical infrastructure. Unless 
our capabilities are able to match this threat that we face, 
American networks and supply chains remain at risk.
    Last year's SolarWinds hack and the subsequent breach of 
Federal systems was incredibly sophisticated, and the extent of 
the damage is astounding. We must prevent an espionage effort 
like this from ever happening again and ensure that our 
government has the resources to calibrate our response to these 
significant threats.
    After the SolarWinds hack, likely perpetrated by the 
Russian government, our agencies were asked to self-analyze and 
review the effects of the attack when many did not have the 
capability to do so. This haphazard approach made it extremely 
clear that our ability to respond did not match the severity of 
the crisis.
    The process and procedures for responding to cyber attacks 
desperately needs to be modernized, including improving the 
Federal Information Security Modernization Act (FISMA), which 
has not been updated since the creation of the Department of 
Homeland Security's Cybersecurity and Infrastructure Security 
Agency (DHS CISA).
    In order to adapt to the evolving cybersecurity threat, 
both the public and private sector need a centralized, 
transparent, and streamlined process for sharing information. 
In the event of future attacks, this will be critical to 
mitigating the damage.
    This discussion, with our government's foremost cyber 
experts, will be critical to understanding how agencies are 
assessing the damage done by these breaches and what actions 
they took to notify Congress.
    Going forward, the Federal Bureau of Investigation (FBI) 
and the Cybersecurity and Infrastructure Security Agency will 
play a critical role in strengthening our cyber defenses and 
the security of our Federal systems and our supply chains.
    Mr. DeRusha, as the Federal Chief Information Security 
Officer (CISO), you are charged with implementing and 
coordinating these efforts. Based on your strong record in my 
home State of Michigan and your extensive experience, I have 
every confidence that you are up to the task.
    I have long raised concerns about the national security 
threat posed by cyber attacks, but those challenges just seem 
to continue to grow. The pandemic has pushed more of our lives 
and communities online, and foreign adversaries and other bad 
actors continue to target the networks of our research 
institutions and health systems, threatening our ongoing 
pandemic response.
    That is precisely why, as a part of the American Rescue 
Plan (ARP) Act, I helped secure nearly $2 billion to update our 
aging Federal information technology (IT) systems and help 
address cybersecurity threats. However, it is clear from the 
gravity of this threat that we need to examine whether CISA, 
the FBI, and other agencies have what they need to protect the 
American people.
    I am committed to working on a bipartisan basis with my 
colleagues on the Committee, especially Ranking Member Portman, 
and with the Biden administration, to protect our networks 
against future breaches. This hearing is the first of several 
that we are going to be holding on this issue. We must tackle 
this problem. We must do it swiftly, but we must also do it 
comprehensively.
    Thank you, and with that, I will turn it over to Ranking 
Member Portman for his opening remarks.

            OPENING STATEMENT OF SENATOR PORTMAN\1\

    Senator Portman. Thank you, Chairman Peters, and I have 
appreciated our bipartisan work on these issues, even before 
you sat in the chair and I was Ranking Member. We have much 
more to do, clearly.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Portman appears in the 
Appendix on page 39.
---------------------------------------------------------------------------
    We are here today to focus on this massive SolarWinds hack, 
I believe, in the history of our country. We need to analyze 
its impact on the Federal Government and discuss what changes 
are necessary to prevent and mitigate attacks like this in the 
future.
    It has been three months since we learned of this attack, 
and there is still a lot, frankly, that remains unknown. We 
will learn more today, I hope. What we do know is really 
chilling.
    First, according to the FBI, the attackers were ``likely 
Russian in origin.'' That is a quote from them and our 
intelligence services as well. They were also smart and hard to 
detect, apparently. They were patient; they were careful about 
selecting their targets. They disguised their activity and used 
stealth techniques that evaded detection. Because of that, it 
took over a year to detect the attack--a lifetime to do damage 
for sophisticated adversaries like these.
    Second, we know that the attackers used a trusted software 
company, a supplier, to attack the U.S. Government. The attack 
compromised a security update or a ``patch'' for the widely 
used SolarWinds Orion IT management software. It is good cyber 
hygiene to have a security patch updated, and it is something 
that we preach that those practices ought to be followed. Yet 
applying those updates and security patches is exactly how this 
hack occurred.
    Here they used the security patch meant to better protect 
against hacks to launch the attack. The attacker capitalized on 
our assumption that these patches are safe to install. This 
should be a wake-up call for all of us who are concerned about 
our data being compromised.
    Third, we know that this attack was broad. The Federal 
Government, of course, was hit, we know that, but also the 
private sector. Within the Federal Government, this attack hit 
agencies that hold some of our most sensitive data and national 
security secrets. Based on public sources, this includes the 
State Department, the Department of Homeland Security, the 
National Institutes of Health (NIH), and the National Nuclear 
Security Administration (NNSA), which is the agency charged 
with maintaining our nuclear stockpile.
    The SolarWinds attack also impacted the private sector, 
even cybersecurity firms like FireEye, the company that 
actually discovered the breach in its own systems. FireEye is 
one of the firms folks call when they discover a breach. Here 
the very people we call when we get hacked got hacked themselves.
    Fourth, we know that despite all the increased funding that 
has been appropriated for cybersecurity--some of the 
legislation that we have worked on here in this Committee--the 
Federal Government never caught this attack.
    The fact the Federal Government was hacked is not 
surprising to me. In June 2019, as Chair of the Permanent 
Subcommittee on Investigations (PSI), I released a report with 
Senator Carper detailing the extensive cybersecurity 
vulnerabilities of eight different Federal agencies. Many of 
these vulnerabilities had remained unresolved for a decade.
    Over a year later, three of those agencies that we 
highlighted in our report were seriously compromised by the 
SolarWinds attack: DHS, State, and the U.S. Department of 
Health and Human Services (HHS). Those are just the three we 
know of as of today. Unfortunately, this was not a big surprise 
to us.
    The SolarWinds attack was one of the most widespread and 
consequential cyberattacks to date. In response, we have to 
take a hard look at our Federal cybersecurity strategy. What 
are we doing wrong? Why are our defense capabilities not up to 
the task?
    This includes the failures of the Federal Government's 
front-line defense program called ``EINSTEIN.'' EINSTEIN has 
cost approximately $6 billion and is supposed to detect and 
prevent cyber intrusions at Federal agencies. Clearly, it was 
not effective in stopping the SolarWinds breach or even 
recognizing that it occurred. EINSTEIN's authorization expires 
at the end of next year, so it is a good time to consider its 
utility and how it can be improved.
    Any cybersecurity legislation we consider needs to address 
the broad set of risks facing our Federal networks and needs to 
ensure there is proper expertise and accountability in the U.S. 
Government. We will talk about that today and the legislation 
that was recently passed to establish more accountability 
within the Executive Office of the President (EOP). When those 
networks are breached, as in the case of SolarWinds, there also 
have to be consequences.
    I appreciate the witnesses being here today. I appreciate 
their service, and I look forward to their testimony on these 
important questions and getting solid ideas as to how we can 
better defend our Federal networks.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Ranking Member Portman.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses, 
so if you will stand, please, and raise your right hand. Do you 
swear that the testimony you will give before this Committee 
will be the truth, the whole truth, and nothing but the truth, 
so help you, God?
    Mr. DeRusha. I do.
    Mr. Wales. I do.
    Ms. Ugoretz. I do.
    Chairman Peters. You may be seated.
    Our first witness today is Chris DeRusha. Mr. DeRusha is 
the U.S. Government's Chief Information Security Officer within 
the Office of Management and Budget (OMB). Prior to being named 
Federal CISO, Mr. DeRusha was the Chief Security Officer for my 
home State of Michigan. Mr. DeRusha also has over eight years 
of Federal Government experience working at the White House and 
the U.S. Department of Homeland Security. He served as a Senior 
Cybersecurity Adviser in the Obama Administration, where he led 
the implementation of the President's Cybersecurity National 
Action Plan and advised White House leadership on cybersecurity 
programs, investments, and policy decisions.
    Welcome back to the Committee. It is good to see you again. 
I now recognize you for your five-minute opening statement.

     TESTIMONY OF CHRISTOPHER J. DeRUSHA,\1\ FEDERAL CHIEF 
 INFORMATION SECURITY OFFICER, OFFICE OF MANAGEMENT AND BUDGET

    Mr. DeRusha. Chairman Peters, Ranking Member Portman, and 
Members of the Committee, thank you for the opportunity to 
testify today on the Office of Management and Budget's role in 
setting the Federal cybersecurity agenda, including our 
response to the SolarWinds supply chain incident.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. DeRusha appears in the Appendix 
on page 42.
---------------------------------------------------------------------------
    I believe we are at a crossroads for our Nation's 
cybersecurity. The SolarWinds incident has exposed gaps in our 
cybersecurity to identify and manage critical risks, not just 
in the Federal Government, but in some of the most mature and 
well-resourced companies in the world. This incident should 
serve as both a wake-up call and a galvanizing opportunity for 
the Federal Government and industry to tackle these problems in 
partnership with renewed resolve. As the Federal Chief 
Information Security Officer, I am responsible for developing 
the strategy to protect Federal information systems and data 
and oversee its implementation.
    Immediately after agencies detected the SolarWinds 
incident, OMB began coordinating with the Cyber Unified 
Coordination Group (UCG), which is leading the overall response 
to this incident. OMB continues to work with the UCG and agency 
executives to collect data on the impact of the event and 
identify capability and resourcing gaps for response and 
recovery efforts at the agencies. My office is leveraging its 
partnerships with Chief Information Officers (CIOs) and CISOs 
across the Federal Government, leading regular Council meetings 
where we identify common challenges, sharing best practices and 
coordinating a consistent approach to Federal cybersecurity.
    After decades of underinvestment in Federal IT, this 
administration is committed to investing in the infrastructure, 
systems, and people needed to build back better. We greatly 
appreciate the support from Members of this Committee on the 
American Rescue Plan, which has laid the foundation for a 
renewed investment in our cybersecurity. With the additional 
$650 million in funding for CISA, the Federal Government is 
going to be able to provide enhanced monitoring of our networks 
and faster response times when incidents do occur.
    The additional $1 billion provided to the Technology 
Modernization Fund (TMF) will expand our opportunities to 
resolve cybersecurity challenges posed by aging Federal IT 
systems. The TMF is an innovative funding vehicle. It has 
already enabled several priority modernization programs across 
the government while providing transparency and accountability 
in implementation. We look forward to demonstrating what else 
this model can achieve with this new opportunity that you have 
given us.
    At OMB we are also working to ensure that agency budgets 
are aligned to immediate response needs to the SolarWinds 
incident while identifying opportunities to harden IT 
infrastructure against future attacks. We fully acknowledge 
that security is expensive when done properly, but it is even 
more costly when it is neglected.
    In addition to funding, we must also invest in our IT 
workforce. Today Federal agencies struggle to attract 
competitive talent, keep pace with private sector pay, and hire 
quickly enough to replace departing employees. This 
administration will rely on programs that work, such as the 
Scholarship for Service CyberCorps which brings promising 
talent into the Federal Government at the start of their 
careers. We will also continue to grow the U.S. Digital Service 
(USDS) and Technology Transformation Service (TTS) at the 
General Services Administration (GSA). These are two programs 
that recruit individuals with highly sought after skills from 
the private sector. In a world of constantly evolving 
technology and threats, government has to bring together the 
brightest talent to tackle these most pressing challenges.
    In my role as Federal CISO, I also chair the Federal 
Acquisition Security Council (FASC). This body is responsible 
for coordinating efforts to identify and address risks to the 
Federal Government's technology supply chain. I look forward to 
working with my Council partners to identify opportunities to 
use these authorities to effectively address supply chain 
risks.
    Finally, I would like to highlight OMB's role in leading 
agencies to transition to what we are calling ``Zero Trust 
Paradigm.'' Zero Trust moves us away from the historic approach 
of protecting IT networks at the perimeter and instead assumes 
that a network may be compromised at any given time. In this 
new model, real-time authentication tests users, blocks 
suspicious activity, and prevents adversaries from the kind of 
privilege escalation that was demonstrated in the SolarWinds 
incident. Many of the tools we need to implement this model 
already exist within industry and agency environments, but 
successful implementation will require a shift in mind-set and 
focus at all levels within Federal agencies.
    The activities I just described are essential for improving 
Federal cybersecurity, but they are not enough. To maintain our 
defense in the long run, we must direct resources where they 
are most needed across government. The cybersecurity funding in 
the American Rescue Plan is extremely important, but it is just 
a downpayment. We have decades of technical debt to pay off, 
and the pace of modernization must accelerate.
    I commit to bringing agencies together in a coordinated 
approach to become more resilient and prepared for future 
challenges, and I look forward to working with Congress on 
updates to legislative authorities, securing the necessary 
funding, and building on lessons learned to enhance Federal 
cybersecurity.
    Thank you for the opportunity to testify before this 
Committee, and I look forward to taking your questions.
    Chairman Peters. Thank you, Mr. DeRusha.
    Our second witness is Brandon Wales, the Acting Director of 
the Cybersecurity and Infrastructure Security Agency. Prior to 
becoming Acting Director, Mr. Wales was CISA's first Executive 
Director. Mr. Wales has also served in multiple positions 
within the Secretary's Office for DHS, including Senior 
Counselor to the Secretary for Cyber and Resilience, Acting 
Deputy Chief of Staff, and Acting Chief of Staff for the 
Department. Prior to joining the Department, Mr. Wales served 
as the National Security Aide to United States Senator Jon Kyl 
and as a senior associate at a Washington-based foreign policy 
and national security think tank.
    Welcome, Mr. Wales. You may now proceed with your opening 
five-minute statement.

  TESTIMONY OF BRANDON WALES,\1\ ACTING DIRECTOR, CYBERSECURITY 
AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND 
                             SECURITY

    Mr. Wales. Good morning, Chairman Peters, Ranking Member 
Portman, and Members of the Committee. Thank you for the 
opportunity to testify today regarding the Cybersecurity and 
Infrastructure Security Agency's response to the SolarWinds 
supply chain compromise.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wales appears in the Appendix on 
page 47.
---------------------------------------------------------------------------
    CISA leads the Nation's efforts to advance the 
cybersecurity, physical security, and resilience of our 
critical infrastructure. We share information and enable 
operational collaboration between the Federal Government, State 
and local governments, the private sector, international 
partners, and law enforcement, intelligence, and defense 
communities. This role has proven invaluable in managing recent 
cyber incidents, and I cannot understate the importance of 
collective defense for cybersecurity. But we also know that 
more work must be done.
    Today we will focus primarily on the SolarWinds supply 
chain compromise, but much of what I discuss can be applied to 
other incidents, such as the recently announced exploitation of 
vulnerabilities in Microsoft's Exchange product. These 
incidents highlight the necessity of modernizing our 
cybersecurity and network infrastructure in order to truly 
defend today and secure tomorrow.
    Late last year, CISA became aware of a broad cyber 
intrusion campaign largely, but not exclusively, associated 
with the supply chain compromise of SolarWinds Orion network 
management software. More than 16,000 entities were potentially 
exposed to the malicious SolarWinds software, but the U.S. 
Government estimates that a much smaller number were 
compromised when the threat actor activated the malicious back 
door they had installed in the SolarWinds product and moved 
into exposed networks.
    Once inside of a network, the actor was able to use their 
privileged access to abuse the authentication mechanisms, the 
systems that control trust and manage identities, ultimately 
allowing them to access and exfiltrate email and other data 
from compromised networks and Microsoft Office 365 cloud 
environments. The primary objective of this threat actor 
appears to be gaining access to sensitive but unclassified 
communications and to identify opportunities to compromise 
additional IT supply chains.
    In response, on December 13th the Cyber Unified 
Coordination Group was formed, composed of CISA, the FBI, and 
the Office of the Director of National Intelligence (ODNI), 
with support from the National Security Agency (NSA). The UCG 
coordinates both the investigation and remediation efforts for 
the Federal Government. As the lead for asset response in the 
Federal civilian space, CISA is providing technical assistance 
to affected entities who request it as they identify and 
mitigate potential compromises.
    CISA's work in response to this campaign falls under four 
primary lines of effort: one, helping to scope the campaign; 
two, sharing information and detections; three, supporting 
short-term remediation; and, four providing guidance and 
assistance in long-term network recovery. While these lines of 
effort are a response to this intrusion, they form the 
framework around which we think about our response to any cyber 
incident.
    Additionally, even as we respond to and mitigate the 
impacts of both the SolarWinds and Microsoft incidents, we are 
already looking ahead to ensure that CISA is appropriately 
postured to defend today and secure tomorrow. To this end, we 
are focused on urgent improvements across four areas of 
strategic growth that I would be happy to discuss in more 
detail.
    First, we must increase CISA's visibility into 
cybersecurity risks across the Federal civilian Executive 
Branch and, where feasible, across non-Federal entities.
    Second, we must expand CISA's incident response capacity.
    Third, we must improve our ability to analyze large volumes 
of cybersecurity information in order to rapidly identify 
emerging risks and direct timely mitigation.
    And, fourth, we must drive adoption of defensible network 
architectures, including by progressing toward zero trust 
environments, as Chris laid out.
    I want to thank this Committee for their hard work on 
prioritizing cybersecurity investments in the American Rescue 
Act. That funding is an important downpayment on the 
cybersecurity capabilities that I have just described.
    But we are not stopping there. We are still responding 
aggressively to this campaign. For example, just last week we 
rolled out a new website that consolidates information and 
resources on best practices for remediating compromised systems 
and preparing Federal departments and agencies for long-term 
actions to build more secure, resilient networks. This week we 
provided Federal agencies compromised during this campaign with 
detailed guidance on evicting the adversary from networks.
    We also released the CISA Hunt and Incident Response 
Program (CHIRP), a multi-function forensic scanning tool to 
assist network defenders with detecting threat actor activity 
on vulnerable SolarWinds devices.
    Before I close, I want to address a more fundamental 
question. What does this all mean? The SolarWinds campaign as 
well as the most recent Microsoft Exchange vulnerability 
exploitation highlight the lengths to which sophisticated 
adversaries will go to compromise our networks. They will use 
never seen before tradecraft, exquisite techniques, and zero-
day vulnerabilities to defeat our current cybersecurity 
architecture. Knowing that, we must raise our game. We need 
modern cybersecurity governance and capabilities. We need 
cybersecurity tools and services that provide us a better 
chance at detecting the most sophisticated attacks, and we need 
to rethink our approach to managing cybersecurity not only 
across the Federal civilian Executive Branch agencies but also 
across our most critical infrastructure.
    Thank you again for the opportunity to testify on this 
important subject, and I welcome your questions.
    Chairman Peters. Thank you, Mr. Wales.
    Our final witness today is Tonya Ugoretz, Acting Assistant 
Director for the FBI's Cyber Division, which has primary 
responsibility for the Bureau's efforts to counter national 
security-related cyber intrusions. Prior to her current role, 
Ms. Ugoretz was the Deputy Assistant Director (DAD) overseeing 
national-level cyber policy, analysis of cyber criminal and 
national security threats, and partner engagement. Before 
joining the FBI, she spent 3 years at the Office of the 
Director for National Intelligence as the first Director of the 
Cyber Threat Intelligence Integration Center (CTIIC) for which 
she received the National Intelligence Distinguished Service 
Medal.
    Congratulations on that, Ms. Ugoretz. Please, you are 
welcome to offer your five-minute opening remarks.

TESTIMONY OF TONYA UGORETZ,\1\ ACTING ASSISTANT DIRECTOR, CYBER 
 DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. DEPARTMENT OF 
                            JUSTICE

    Ms. Ugoretz. Thank you, and good morning, Chairman Peters, 
Ranking Member Portman, and Members of this Committee. Thank 
you for the opportunity to be here today and to testify on 
behalf of the FBI on the Federal perspective on the SolarWinds 
supply chain compromise.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Ugoretz appears in the Appendix on 
page 53.
---------------------------------------------------------------------------
    As you know, this hearing comes at an important time, as 
the cyber community addresses not only this incident, but also 
the recent exploitation of previously unknown Microsoft 
Exchange vulnerabilities. While each cyber intrusion is unique, 
these two incidents and the thousands of computer intrusions 
the FBI addresses every day illustrate the persistence and 
determination of our adversaries to use cyber means to achieve 
their goals, whether that is for personal profit, theft of 
intelligence or intellectual property, or contingency planning 
for more disruptive or destructive attacks.
    That is why the FBI's role in disrupting and responding to 
cyber intrusions is vital and unique. As a member of both the 
intelligence community (IC) and the law enforcement community, 
we integrate our view of adversary plans and intentions with 
information we obtain through a variety of means, including 
criminal legal process and national security tools like Foreign 
Intelligence Surveillance Act (FISA); human intelligence, using 
confidential sources and undercover operations; consent and 
cooperation from victims; strong local relationships built and 
maintained by our hundreds of domestic offices; and foreign 
partnerships through our legal attaches around the world.
    We do this in order to understand who the threat actors 
are, where and how they operate, and who supports them. We 
share that intelligence with many partners, including network 
defenders and our colleagues at CISA, in order to harden 
networks with Treasury, to build sanctions packages, and with 
our military-intelligence community and foreign partners who 
are able to take the fight to our adversaries overseas.
    The magnitude and seriousness of this threat is part of why 
we are so committed to working with partners. The FBI's cyber 
is to impose risk and consequences on our cyber adversaries, 
and to do so using the best tools available, whether those are the 
FBI's or someone else's. The FBI will continue to innovate to 
address cyber threats in much the same way as we have adapted 
to emerging threats over more than a century.
    For the SolarWinds incident, the FBI has led threat 
response activities focusing on identifying the following: 
first, known victims and others who may be targeted; second, 
who conducted the activity and how; and, third, opportunities 
to pursue, disrupt, and hold accountable those responsible.
    We have conducted this work as part of the cyber Unified 
Coordination Group established on December 13th under 
Presidential Policy Directive 41 (PPD-41), which balances 
concurrent lines of effort focused on national security and 
investigative requirements, which the FBI leads, with 
restoration and recovery, which CISA leads.
    We have leveraged our assets around the country and around 
the world in the response to this incident, to triage the data 
and exploit evidence, to provide assistance to victims, and to 
work with industry victims and partners to gather information. 
I want to take a moment to emphasize that last point.
    Stitching together a complete picture of a cyber threat or 
incident requires information from many sources. The SolarWinds 
incident and the current incident involving the Microsoft 
Exchange server vulnerability underscore the essential value of 
using law enforcement authorities, voluntary sharing by third 
parties, and victim cooperation.
    As a government, we would not know the identities of most 
of the affected entities without using all of these tools, 
including legal process and the information we learn from our 
incident response engagements. Our pre-established 
relationships with the public and private sectors throughout 
the country are critical to identifying the threat, 
understanding its scope, and investigating its origin in order 
to protect others. This sharing and collaboration across 
agencies does not just happen at the moment of an incident, but 
requires trust-based relationships built over time. By leaning 
into those partnerships, all of us together who are combating 
malicious cyber activity become stronger when we weaken the 
perpetrators together.
    In that vein, I want to say that I truly appreciate the 
proactive cooperation of the private sector in this incident 
and all the victims who have come forward. We also appreciate 
congressional engagement on our mission of imposing risk and 
consequences on those who seek to harm the American people and 
who undermine safety, security, and confidence in our digitally 
connected world.
    These incidents drive home what we already know: that only 
a whole-of-society approach will be effective against these 
threats. The FBI, with our fellow UCG members, will continue 
taking every necessary action to investigate this incident, 
identify and hold accountable those responsible, and share 
information with our partners and with the American people.
    Thank you again for the opportunity to speak with you 
today, and I look forward to your questions.
    Chairman Peters. Thank you, Ms. Ugoretz, for your opening 
statement. To each of you, thank you once again for being here 
today, and thank you for the work that you are doing on this 
issue each and every day.
    Mr. Wales, the recent attacks on SolarWinds and Microsoft 
Exchange, as you mentioned in your opening comments very 
clearly, show that our adversaries are growing increasingly 
adept at infiltrating our Nation's sensitive networks. I want 
to just cut right to the chase here. What, in your opinion, was the 
core reason for these security failures? As the lead 
cybersecurity agency, what specific steps are you taking now to 
address those failures?
    Mr. Wales. Sure, thank you, Senator. Getting right to the 
heart of it, part of the challenge is that you can only secure 
what you can see. Over the past decade, our system of 
protection that has largely relied upon sensors deployed at the 
perimeters of networks that is designed to be fed by 
intelligence, by information from the private sector, has 
relied upon detecting known malicious activity, and our 
adversaries have advanced. They are no longer using the same 
infrastructure to target us repeatedly. They move quickly from 
server to server, mostly located in the United States. This is 
all designed to ensure that we do not know where they are 
coming from, and our traditional systems, our traditional 
protection systems, are unable to stop them. What that means is 
that we need to look at new ways of understanding the nature of 
how those threats are emanating, where they are coming from, 
and it means that we need to deploy different types of systems 
to make sure that we have the right level of insight in terms 
of where the activity is happening.
    As I pointed out, one of the main areas that we plan on 
focusing, including with the resources provided through the 
American Rescue Act, is looking inside of networks, moving from 
the perimeter, from the network, inside of networks to the 
endpoint, to the critical servers and work stations deployed 
throughout the Federal Government to ensure that we have the 
right level of insight.
    Now, again, there needs to be a right balance. Those 
perimeter security sensors are still valuable. We use them to 
both protect as well as to forensically look back and see where 
activity may have been so we can conduct investigations. But 
that balance was too far out of whack in the past. It is too 
focused on the network and not enough inside of networks at the 
host. That is one key aspect, but there are a variety of others 
that the Federal Government is working through now, including 
ways in which we can enhance our ability to provide--we can 
enhance our supply chain security for the critical software and 
products that the Federal Government purchases.
    There is a lot of work to do across the board, and I think 
both in the openings that Chris provided and myself, we have 
outlined a number of areas that we believe the Federal 
Government needs to move to, to provide us the level of 
security that we now expect in the face of these more 
sophisticated adversaries.
    Chairman Peters. I am going to get to the supply chain 
issues in a moment, but a final question to you, Mr. Wales. You 
mentioned how you are taking a deeper look in the systems. How 
can we have assurance that the SolarWinds malware has now been 
removed from all of our Federal systems? How confident is CISA 
that the hackers are still not out there lurking in our 
agencies' networks?
    Mr. Wales. Sure. The majority of agencies have been 
progressing in their initial response and remediation work. 
Many of them have enlisted CISA as well as third-party agencies 
to assist them in that effort. As I indicated in my opening 
remarks, we have also provided them very detailed eviction 
guidance that they can work through or checklists to make sure 
that that was already done. CISA is working with each of them 
collectively and individually to ensure that they have executed 
the remediation of their networks. That provides us a degree of 
confidence that the adversary is no longer present.
    That being said--and I have said this before--our response 
to an incident of this significance is going to take time. In 
many cases agencies are going to want to put in place stronger 
protections and better harden their systems and improve their 
defenses. As they do that, over time we will gain increasing 
confidence that the adversary no longer has the ability to 
access and is no longer present inside of those systems.
    Chairman Peters. Thank you. Ms. Ugoretz, I understand that 
most of the agencies hit by the SolarWinds hack have completed 
security audits, as we have heard. But can we consider 
ourselves in the recovery phase now in this incident? When 
should Congress expect the FBI to provide an after-action 
report to us?
    Ms. Ugoretz. Thank you, Senator. As part of Presidential 
Policy Directive 41, which guided the establishment of the 
Unified Coordination Group that addresses this incident, there 
is an after-action provision built into that directive by which 
every time we stand up one of these coordination groups to 
address a significant cyber incident, that automatically 
triggers an after-action report once that is completed, and we 
would certainly be happy to discuss with this Committee how the 
results of that might be shared.
    In terms of how to consider what phase of this we are in, 
as I mentioned in my opening statement, when we look at the 
incident response to an incident such as this, there are really 
concurrent lines of effort, so it is not exactly one phase ends 
and another begins, but the national security and investigative 
steps that the FBI is taking are running in parallel with that 
mitigation and recovery effort that CISA leads.
    I would say both of those efforts are continuing. For our 
part, the purpose of those efforts that we are leading is 
attribution, understanding who conducted this activity, why and 
how, so that we can create the widest possible range of 
responses for policymakers to consider. Law enforcement actions 
might be part of that response, such as indictments or 
disruption of infrastructure or other such actions. But we find 
that it is most powerful when we are able to say with detail 
and as transparently as possible how exactly adversaries 
conducted this activity and ultimately who was behind it. The 
effort to develop that information investigatively continues.
    Chairman Peters. Thank you.
    Mr. DeRusha, I am sure many of my colleagues will ask more 
questions related to supply chain issues, but I just want to in 
my remaining time here ask you about legislation that I 
introduced last Congress, the Supply Chain Counterintelligence 
Training Act, which will ensure that appropriate officials are 
trained to identify counterintelligence threats. We were not 
able to get that across the finish line last session. We plan 
to reintroduce it and move forward. I know you are familiar 
with the legislation. Would you support that? Why is it 
important?
    Mr. DeRusha. Yes, Senator, I absolutely commit to working 
with your staff on that bill. It is an important bill. It 
focuses on one of the things that I mentioned, which is 
constantly ensuring that our workforce is trained to follow the 
trends of our adversaries. For that reason, of course, we fully 
commit to working with you on that bill.
    Chairman Peters. Great. Thank you.
    Ranking Member Portman, you are recognized for your 
questions.
    Senator Portman. Thank you, Chairman Peters.
    Thank you all for your testimony this morning and your hard 
work on this. One of the concerns that I mentioned in the 
opening statement is accountability, and, in particular, we 
have been more active up here on the legislative side as well 
as within government to try to figure out how to push back 
against these attacks. As a result, I am concerned that there 
are new entities and there is the opportunity for duplication, 
confusion in leadership, and just lack of accountability. I saw 
this with regard to SolarWinds. When it happened, there was 
some pointing of fingers, and the fact is the private sector 
found it, not even government.
    So the question is: As we look at legislation to try to 
reform some of the existing laws, including FISMA, which is the 
legislation that requires that the agencies have better cyber 
defenses and practices--and I mentioned earlier we had an in-
depth investigation in that and found that a number of agencies 
were not keeping up. But as we look at reforming that, the 
question is, how do we do it?
    Mr. DeRusha, between you and the Federal Chief--in your 
role as the Federal Chief Information Security Officer, and, 
Mr. Wales, you are head of CISA, and, Ms. Ugoretz, you are the 
Assistant Director for FBI's Cyber Division, and then we have 
the newly created National Cyber Director position within the 
White House, there are a lot of people responsible.
    So I guess, Mr. DeRusha, I would start with you. When a 
cyber attack happens, who do we hold accountable?
    Mr. DeRusha. Senator, as Brandon described earlier, for 
significant incident response we leverage currently the UCG, 
which is led by National Security Council (NSC) staff, DHS, 
FBI, DNI, and then others as appropriate, so for this 
particular incident several other agencies are brought in. 
Because everyone has a key role to play, it is really about 
ensuring we have the appropriate governance structures in place 
to manage these events together in that we are keeping clear 
lines of communication as we work through these things.
    Senator Portman. So no one is accountable?
    Mr. DeRusha. Senator----
    Senator Portman. By the way, you added another wrinkle to 
this, which is there is someone on the National Security 
Council apparently who has been designated as a coordinator in 
addition to what CISA is doing, in addition to what OMB is 
doing, in addition to this new role in the national defense 
authorization bill, which is called the ``National Cyber 
Director position.'' Is that accurate?
    Mr. DeRusha. Senator, I would characterize it somewhat 
differently. I believe that, again, as I said, everyone has a 
key role to play here in their authorities, and we work quite 
well together. I do not believe that is an issue. Because we 
have these type processes, we are coordinating and streamlining 
all of our response efforts.
    Senator Portman. If everyone is in charge, no one is in 
charge, right? So exactly who is accountable?
    Mr. DeRusha. Senator, again, just to say, every agency has 
its own role and responsibility in cyber incident response, 
and----
    Senator Portman. OK. That was the answer you gave me last 
time, and that is great. But let me ask you a direct question 
about this new National Cyber Director position. It has not 
been filled yet by the administration, but it was in the 
National Defense Authorization Act (NDAA). Do you think that 
position is necessary given the fact that you have four or five 
different entities now, you say, working all together?
    Mr. DeRusha. Senator, we are working carefully on looking 
about the roles and responsibilities across all the different 
agencies and equities, and I know the administration is 
committed to filling that and other critical positions. So that 
is being worked on.
    What I will say is absolutely there is a need to continue 
to improve and enhance our coordination, and this role will 
help us do that.
    Senator Portman. OK. I wonder if maybe the other panelists 
have thoughts on this. It seems to me somebody needs to be in 
charge, right? For over a year, this attack went unnoticed, and 
when it was finally discovered, it was discovered not by 
government but by the private sector. It was not even 
SolarWinds. It was FireEye, which was another supplier.
    Mr. Wales, you look like you might be interested in saying 
something. Who should be in charge? Again, why don't you tell 
me what you think about the National Cyber Director position? 
It sounded like what Mr. DeRusha was saying is it is just 
another responsibility--he said there are several important 
responsibilities to be filled. I mean, shouldn't this be the 
one that actually coordinates everything and has the ultimate 
accountability?
    Mr. Wales. I would kind of highlight a couple of areas----
    Senator Portman. I know you will not just protect your own 
CISA jurisdiction because you are a broad-minded person.
    Mr. Wales. Absolutely. I will say a couple of things.
    One is Congress has provided us, to the various agencies, 
responsibilities, authorities, and accountability. For example, 
under FISMA every agency head is responsible for the security 
and the cybersecurity of the systems that they operate. I think 
that is one area that we need to----
    Senator Portman. They have failed. I am sorry. I just have 
to throw that out there because those eight agencies that we 
identified have not met the basic requirements of FISMA. Yet 
who is accountable?
    Mr. Wales. I think ultimately under FISMA agency heads are 
accountable. There is certainly accountability for CISA for the 
role that we play in helping to protect and secure and support 
those agencies in the management of the Federal civilian 
Executive Branch networks.
    I think the idea that Congress had for the National Cyber 
Director was a way to drive coordination at the White House, 
particularly related to coordinating on incident response. But 
the position does not exist yet, and so I think a lot of this 
will be determined by once it is established, how the 
identification of roles and responsibilities for its office.
    What I will say is that the ability for the government to 
work together on cybersecurity incidents I would argue has 
never been stronger, in part based upon a lot of work from our 
career officials at the FBI, CISA, DNI, and NSA. We are working 
more collaboratively; there is more joint engagement with the 
private sector, with our Federal agency partners, to ensure 
that there is not duplication of effort, that we are all 
bringing our unique expertise, skills, and abilities when we 
have cybersecurity incidents or we need to help agencies 
prepare ahead of time. I think we would hope that any new 
addition to that is additive and is strengthening that 
collaboration that currently exists and making it stronger.
    Senator Portman. OK. I am glad to hear that, and it was a 
relative description saying it has never been stronger. You did 
not say it is as strong as it needs to be. Obviously, we had 
the most massive attack in the history of our government, and 
it went undetected for over a year, and then it was detected by 
the private sector, not by government, and has incurred 
tremendous damage, we believe. Let us continue the 
conversation. We will come back in the second round. But I do 
think better coordination is part of the answer, as you say, 
but also accountability. Since you mentioned FISMA, sorry, but 
I had to talk about the fact that we know FISMA is not working. 
Let us figure out how we can find the entity or the person in 
particular who is responsible and, therefore, accountable.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Portman, and I cannot 
agree with you more. There needs to be lines of authority, 
lines of accountability. That is something we will definitely 
be drilling deeper into. I think it is an important topic. 
Thank you for raising that.
    I now recognize Senator Carper for your questions, Senator 
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman. Good morning, 
colleagues. Good morning to our witnesses.
    I want to say to Brandon Wales, thank you for having an 
easy name to pronounce, and thank you for speaking so slowly 
and it is easy to follow your testimony also.
    I would say to Christopher, I want to pronounce your name 
``DeRusha.'' Is that the way you pronounce it, ``DeRusha''?
    Mr. DeRusha. Yes, Senator, ``DeRusha.''
    Senator Carper. ``Dee-Rusha.'' Double ``E,'' ``Dee-Rusha.'' 
Is that the way your parents pronounce it?
    Mr. DeRusha. Yes, sir.
    Senator Carper. Just checking. Now, I want to say to Tonya, 
to my staff I said, ``How in God's name does she pronounce her 
last name?'' They tell me it is ``you-GO-retz,'' with the 
pronunciation--the emphasis on the second syllable. Is that 
true?
    Ms. Ugoretz. Thank you for asking, Senator. It is ``YOU-
gur-etz.''
    Senator Carper. I am glad I asked. The pronunciation is on 
the first syllable, right?
    Ms. Ugoretz. Yes, sir.
    Senator Carper. All right. I will never make that mistake 
again.
    Thank you all for your testimony, and thank you for 
presenting it in a very understandable way. Sometimes we have 
people who rush through issues like this. These are not issues 
that come naturally to a lot of us, and thank you for making it 
almost understandable for even a guy like me.
    I have been privileged to be on this Committee for a long 
time, almost since--even before it was the Homeland Security 
Committee. I have worked for years with our colleagues, 
Democrat and Republican, including some of the ones that are 
here today who just preceded me. We worked across the aisle on 
Federal data security and breach notification legislation that 
would require companies to have a comprehensive information 
security program to protect our country's sensitive 
information, our citizens' sensitive information. We have had a 
hard time moving legislation that provides really guidance for 
protection and investigation and notification and when we have 
breaches. I think one of the reasons why we have had a hard 
time moving legislation is there are about three or four 
committees of jurisdiction, and our Committee is one of them; 
Judiciary is another one. But there are a bunch of committees 
that have jurisdiction. The Commerce Committee has 
jurisdiction. It is kind of hard to actually get on the same 
page. It is not so much about a partisan issue, but it is just 
a jurisdictional issue, which is unfortunate.
    I believe that as we move to a more sophisticated cyber 
threat landscape and face increased ransomware attacks across 
our critical infrastructure, protectors of national data, a 
security and breach notification standard is more important 
than ever.
    According to our friends at SolarWinds, nearly 18,000 
entities received a malicious version of their software with 
estimates stating that roughly 100 private sector companies 
were compromised.
    Director Wales, do you have any suggestions on what we 
should include in Federal data security and breach notification 
legislation that would enhance the cyber posture of the private 
sector? Please.
    Mr. Wales. Thank you, sir, and that is an extremely 
important issue, and I have mentioned this before. Our ability 
to ensure broad protection against cyber incidents requires and 
relies upon being provided information from victims about what 
has happened. If victims do not provide information on their 
breaches, on how they were compromised, the tactics that the 
adversary used, the adversaries can continue to reuse those 
tactics and victimize additional companies and public sector 
entities. We are eager to work with Congress on legislation 
that would strengthen our ability to have the right level of 
insight into the tactics that our adversary uses and what is 
happening from a cybersecurity perspective at private sector 
companies.
    I am not here today to prescribe what that might look like, 
but we do believe that it is essential going forward. Tonya may 
have some additional points she wants to raise on this.
    Ms. Ugoretz. Thank you.
    Senator Carper. Tonya Ugoretz, go ahead.
    Ms. Ugoretz. Yes, sir. Thank you for the question. We also 
agree that the current regime of what I think are 54 
inconsistent and overlapping regimes for the private sector 
companies to report breaches causes confusion for the industry 
and makes it more difficult for the Federal Government to have 
a consistent, consolidated picture of the threats we are facing 
and how they are affecting our private citizens.
    There has previously been legislation introduced, and I 
know this was a topic taken up by the Cyberspace Solarium 
Commission (CSC) of which the FBI's Director, Director Wray, 
was a member, that also emphasized mandatory data breach 
notification and looking not just at what I think the original 
focus of such legislation was, which was protecting personally 
identifiable information (PII) of our citizens when it is 
breached, but also looking at how can we receive consistent 
reporting on breaches of critical networks such as those owned 
by the private sector in our critical infrastructure sectors, 
as well as any breaches affecting Federal Government 
information. We would certainly be supportive without, again, 
specifying any specific piece of legislation.
    Senator Carper. All right. Thank you, ma'am.
    Maybe another question, if I could, for Director Wales. I 
believe that CISA, an entity that a bipartisan group that was 
on this Committee helped to create in previous years. But CISA 
has an indispensable role to play in enhancing our Nation's 
cybersecurity. In your testimony, Director Wales, I believe you 
state that we must increase CISA's visibility into 
cybersecurity risks across the Federal civilian agencies, 
especially after nine Federal agencies have been compromised 
through the SolarWinds attacks.
    I often talk about the importance of the three C's--
communicate, compromise, collaborate--really the keys, if you 
will, to a democracy. But in working with Federal agencies that 
have requested CISA assistance in responding to the SolarWinds 
attack, are there any agency communications or collaboration 
issues that we should maybe work to improve?
    Mr. Wales. Sure, Senator. We work in a voluntary way with 
those agencies. We believe we are a resource to them, and I 
think one of the good-news stories is that over the past 
decade, Federal agencies across the board have enhanced their 
ability to respond to cyber incidents. They have developed 
their own organic capability, they have put in place contracts 
with third-party cybersecurity firms--all designed to give them 
enhanced capacity to detect and respond to cyber incidents. 
CISA is there to supplement those capabilities.
    Our work is tailored for each agency, depending on the 
types of support and requirements they have. I would say during 
SolarWinds the majority of our work or one of the more 
substantial parts of our work was providing cloud-based 
forensics, helping agencies examine what had happened inside of 
their cloud environments that had been targeted by this 
adversary. And, that I think is a positive story both about 
where the agencies are in terms of the maturation and about our 
ability to deploy tailored, customized support for each of 
those agencies based upon the requirements and skill. I think 
we are very happy with the degree of collaboration we are 
getting and what that relationship looks like between CISA and 
the organic host agency when it comes to those types of 
compromises.
    Senator Carper. Thank you, Director.
    Mr. Chairman, thanks for giving me a few extra seconds. For 
the record, I am going to be asking the Director how we can 
make our cyber posture more preventive and less reactionary. I 
will ask that one for the record, if I could.
    Thanks so much. Thank you all for your testimony and for 
your service.
    Chairman Peters. Great. Thank you, Senator Carper.
    Senator Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you very much, Chairman Peters and 
Ranking Member Portman. I want to thank the witnesses not only 
for appearing today to talk about this important national 
security issue but for your service. I appreciate it very much.
    I want to focus on discrete areas where I think we need to 
do more to improve the cybersecurity of our Nation. The first 
question is to Acting Director Wales and Mr. DeRusha. Acting 
Director Wales, you testified at a hearing last week that 
CISA's Continuous Diagnostics and Mitigation (CDM) program, is 
the foundation upon which we can build further capabilities to 
secure the Federal network and be able to detect a breach 
similar to SolarWinds. It is clear that we need to improve the 
CDM program and build additional layers of protection on top of 
it. But before we can make those much-needed enhancements, we 
need CDM to be fully implemented in the first place. That is 
why Senator Cornyn and I introduced a bill last Congress to 
codify CDM. However, last August a report issued by the 
Government Accountability Office (GAO) found that some agencies 
were encountering problems deploying CDM.
    Acting Director Wales and Mr. DeRusha, what are CISA and 
OMB doing to ensure that CDM is deployed as quickly as possible 
across all civilian agencies and the deployments accurately 
detect and monitor all devices on the network? We can start 
with either one of you, however you want to----
    Mr. Wales. Sure, so I will start and then turn it over to 
Chris. We believe, as I stated last week, that CDM is really 
the foundation to ensure that we can get capabilities out to 
102 Federal civilian Executive Branch agencies and have a 
common baseline of sets of tools and capabilities. I would say 
we are very focused on the small number of agencies that have 
had challenges with deploying some of the tools. This is a 
suite of different capabilities that provide asset management, 
software and development management and configuration and patch 
management. There are different capabilities that they are 
deploying, and we have had success in getting almost all 
Federal agencies and all part of all Federal agencies to a 
common baseline.
    There are obviously some outliers when you are talking 
about the scale and scope of the Federal Government. We are 
working hard to close out the first two phases of CDM, Phase 1 
and Phase 2, this year so that we can move into Phases 3 and 4 
and build additional capabilities, the types of capabilities 
that we need to get us better, deeper insights into what is 
happening at Federal agencies.
    The one additional point that I will add is that when CDM 
was initially created, there was a division. Agencies had 
object-level view, meaning they could see into the individual 
devices on their networks, but CISA was not able to. I think we 
are now seeing the limitation that that poses on our ability to 
have a comprehensive understanding of the cyber risk picture of 
the dot-gov, and we are hopeful that new guidance will come out 
of the administration soon that will move us toward CISA having 
broader and deeper insights into that level of detail and allow 
us to have the right level of visibility to execute our role 
when it comes to securing the dot-gov.
    Senator Hassan. OK, thank you.
    Mr. DeRusha.
    Mr. DeRusha. Yes, Senator, I think Brandon's description is 
very accurate. We are aware of some challenges at certain 
agencies in implementation. I think, the vision and the goal of 
CDM is right. In certain instances we will continue to look at 
implementation and make sure that the program is successful in 
those agencies. So at OMB, in my office we are discretely 
attuned to that. This is a priority for both CISA and OMB to 
ensure that CDM is effectively delivered and that we can get to 
the full vision, which is getting that data back to CISA so 
that we can get away from Excel spreadsheet data calls and into 
live, real-time monitoring and action from CISA, which is the 
goal of the program. So we look forward to continuing to 
enhance it and learn from the past.
    Senator Hassan. Well, thank you for those answers. Let me 
just check in on a couple of things. Are there additional 
authorities or other assistance that you need from Congress to 
ensure timely deployment of CDM? Do you have the tools you 
need, or what can we do to help further?
    Mr. Wales. I do not believe we need additional authorities 
at this time.
    Senator Hassan. OK. Mr. DeRusha?
    Mr. DeRusha. I agree, Senator. I do not believe we need 
additional authorities at this time.
    Senator Hassan. OK. What capabilities are you planning on 
building on top of CDM to help ensure Federal networks are 
protected into the future, especially as agencies increasingly 
adopt cloud products?
    Mr. Wales. Sure. I think one of the significant ones that 
we highlighted that is critical and we believe will be a key 
part of our implementation of the funding under the American 
Rescue Act is better endpoint detection and response tools that 
would give us the ability to understand what is happening on 
critical servers and work stations. It would give us the 
ability to detect more malicious activity, to respond more 
quickly, and working with agencies to block anomalous behavior 
before it moves broadly into a network. That is just one 
example of ways in which we are looking to use CDM to deploy 
that. Ten years ago, we could not move right there because 
agencies did not even understand their full suite of assets on 
their network, so you could not have endpoints when you did not 
know how many endpoints you had.
    Senator Hassan. Right.
    Mr. Wales. I think we have now come to the point where 
those kinds of more sophisticated tools are not within our 
reach.
    Senator Hassan. Thank you.
    Let me go on to another issue, again, to Acting Director 
Wales. You testified last week that the Microsoft Exchange 
attacks have heavily impacted State and local governments, 
which do not have the same resources or capacity to respond to 
cyber attacks as the Federal Government does. I am concerned 
about the impact of these attacks on State and local entities, 
particularly when there are reports of China-based threat 
actors exploiting this vulnerability pretty much at will.
    Based on what you have seen from these two recent 
incidents, why do you think it is a national security 
imperative for the Federal Government to strongly support State 
and local governments in improving their cyber capabilities?
    Mr. Wales. Ma'am, we could not agree more, and Secretary 
Mayorkas spoke about this publicly as well. We want to work 
with Congress on ways in which we can identify how do we 
sustain the level of investment that State and locals need to 
put in place the cybersecurity architecture at the State and 
local level that is commensurate with the level of threat that 
they are facing. We know there are proposals for grant programs 
floating around both Houses of Congress. Without prescribing 
one, we are eager to work with you on what those look like and 
how they can build capabilities. Also on the response end, 
another proposal out of the Cyberspace Solarium Commission was 
for a Cyber Response and Recovery Fund that would allow--that 
States could tap into when they are facing significant 
cybersecurity incidents. I think that is another area where we 
would love to work with this Committee and others to make sure 
that we have the right whole-of-nation architecture in place 
and we do not have weak points, whether at the Federal level, 
the State and local level, or in the private sector.
    Senator Hassan. I appreciate that very much, and I am one 
of the advocates of a stand-alone cybersecurity grant program. 
When you have as many small communities as I do who have been 
subject to attacks, despite their best efforts, and the State 
Chief Information Officers are all really advocating for this, 
they want to work with us, but finding the resources and the 
expertise to do it is tough. I would look forward to working 
with you on that. Thank you.
    Thank you, Mr. Chair.
    Ms. Ugoretz. Senator or Mr. Chairman, would it be all right 
if I just added briefly to that answer?
    Chairman Peters. Yes, go ahead.
    Ms. Ugoretz. I just wanted to note that, in addition to 
CISA's very important cybersecurity efforts with State and 
locals with regards to defensive networks, we are also working 
quite a bit with State and local officials from the FBI as well 
as local law enforcement at that level in coordination with the 
U.S. Secret Service (USSS) to see how we can build up capacity 
and capability of State and local officials to respond to cyber 
incidents and cyber threats, obviously we are always there to 
lend that assistance. But, for example, with Secret Service, 
through their National Training Center (NTC), we are jointly 
providing training to State and local officials. We are hosting 
police executives at our National Cyber Investigative Joint 
Task Force to provide them the national-level insight into 
cyber threats. We are also inviting State and local law 
enforcement to be part of our cyber task forces in our field 
offices, which are similar to our Joint Terrorism Task Forces 
(JTTF) where they can actually work those threats jointly and 
thereby kind of grow their capacity to respond.
    Senator Hassan. Thank you for that, and I know in New 
Hampshire how deeply our law enforcement and State and local 
officials appreciate their partnership with the FBI and the 
support you are all providing. I look forward to continuing 
that relationship, too.
    Thank you.
    Chairman Peters. Thank you, Senator Hassan.
    Senator Rosen, you are recognized for your questions.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Mr. Chairman. Thank you to all 
the witnesses for being here today.
    I want to talk a little bit about supply chain risk 
management (SCRM). Our agencies are growing more reliant on 
information and communications technologies. The Federal 
Government is increasingly vulnerable to cyber attacks. I do 
not have to tell any of you that. The breach of the SolarWinds 
Orion system really revealed the risk of the Federal 
Government's dependence on widely used commercial software. If 
a product could be compromised and go unnoticed for months--for 
months--how many more software supply chain compromises are out 
there at this very moment? I would like to go to Mr. Wales, 
because in October CISA directed agencies to create 
vulnerability disclosure policies (VDPs), which describe how an 
organization handles reported vulnerabilities. Are you 
considering extending the directive to cover third-party 
vendors, especially those that provide IT products or services 
to the Federal Government?
    Mr. Wales. Ma'am, we have not considered that at this time, 
but it is an interesting idea, one that I think we will want to 
work through. It is not clear that we would necessarily need to 
do that through directive. There is a lot that we need to do 
through the Federal contracting process to ensure that the 
vendors that are providing IT products and services for the 
Federal Government have the appropriate level of cybersecurity 
in place based upon the information and their place within the 
networks that they are supporting.
    That is certainly an area that we are actively working with 
OMB on and with other Federal agencies to ensure that we put 
that in place.
    Senator Rosen. It seems like there are still some 
vulnerabilities out there, so I hope we continue to work on 
that. But I wonder if consistent dictate to Federal agencies, 
other Federal agencies, how quickly, if we find a 
vulnerability, they must fix it. If they cannot dictate to 
Federal agencies, is this an authority you need? Then if it is 
something you do, how do we ensure that those agencies actually 
have the workforce and expertise that they need to respond 
quickly and effectively to what you may require?
    Mr. Wales. Sure, so I will answer that, and then I will ask 
Chris--I think there may be some additional points from OMB he 
may want to raise.
    First is in many cases we have done that, so one of the 
first binding operational directives that CISA executed back 
when we got this authority several years ago was to close 
critical vulnerabilities within 30 days. Actually, what we saw 
over the past several years is that agencies have gotten better 
and better, faster and faster at closing critical 
vulnerabilities that are identified, and we have now lowered 
the amount of time they have from 30 days to 15 days. We are 
seeing real progress using our directive authority when it 
comes to closing critical vulnerabilities that agencies or CISA 
identify.
    But you are exactly right. One of the areas that I have 
continued to push, which is while CISA needed additional 
resources through the American Rescue Act, while we want to 
ensure that we continue to build our capabilities, deploy more 
tools and capabilities to agencies, there needs to be sustained 
investment across the board so that the agencies themselves can 
continue to leverage those enhanced capabilities and can take 
the appropriate actions in a timely manner.
    Chris, anything else you want to add?
    Mr. DeRusha. I would just add that the VDP programs are 
extremely important. They bring in a very discrete skill set to 
the Federal Government, and discrete capabilities. We have 
other efforts that I mentioned in testimony where we are going 
to expand U.S. Digital Service, Technology Transformation 
Service (TTS) at GSA. Again, the goal here is to get a lot of 
these highly skilled people into government, and whether that 
is using flexible vehicles to have them come for shorter 
periods of time as opposed to being full-time feds. Then we are 
also going to be focused, working with Federal CIO Clare 
Martorana, Director of Office of Personnel Management (OPM), we 
will be developing new initiatives to ensure that the career 
working is reskilled and ready to face these challenges.
    Senator Rosen. Thank you. I would like to move on to our 
infrastructure cybersecurity, like our electric grid, our water 
grid, power grid, those kinds of things. When we think about 
what we learned from the SolarWinds attack, it is worth noting 
that the Cybersecurity Solarium Commission last year 
recommended significantly increasing supply chain risk 
management for critical infrastructure. Last Congress I 
introduced the Cyber Sense Act. That is bipartisan legislation 
that would create a voluntary cyber sense program at the 
Department of Energy (DOE) to test the compromise of products 
and technologies used in our bulk power systems.
    So, Mr. Wales, what other areas or what other ways can 
electric or other utilities, how can they reduce their cyber 
risk? And would decreasing our reliance on international supply 
chains decrease our cybersecurity concerns?
    Mr. Wales. I think it is not necessarily a question of 
international versus domestic supply chains, but it is a matter 
of what is the supply chain risk management approach that we 
are taking to identify potentially problematic vendors or 
critical products or services that need an enhanced level of 
scrutiny.
    There was a bulk power Executive Order (EO) that was signed 
out at the last administration that continues to work along--
the Department of Energy is the lead. It is designed exactly to 
your point, to further scrutinize across the Federal Government 
the critical products that are going into the bulk power grid 
to make sure that if we have any information that would 
indicate a security risk, that we are able to take action on 
that.
    We have a similar Executive Order focused on the 
communications sector that the Department of Commerce is 
working, and all the Federal agencies involved in this are 
working together to ensure that there is a consistent 
understanding for how we are approaching supply chain risk 
management and bring it to bear, in addition to other efforts 
like the FASC managed by OMB.
    There is a lot of work in supply chain security happening 
across the Federal Government. There is a lot of coordination 
happening, and hopefully over time it pays the level of 
dividends that we need.
    Senator Rosen. Thank you. I look forward to seeing some of 
the reporting that has been required by the GAO as we look to 
see what you are doing to block new, unknown malware, how you 
are coordinating with other agencies. We have a lot of work to 
do in this area, and I appreciate what you are doing so far, 
and continue to work with us.
    Thank you. I yield back.
    Chairman Peters. Thank you, Senator Rosen.
    Senator Romney, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR ROMNEY

    Senator Romney. Thank you, Mr. Chairman.
    Mr. Wales, these things keep happening. We keep having 
hacks of our government systems, of course, also in the private 
sector. Even if you are well organized and you are doing your 
very best to prevent hacks from occurring and intrusions like 
the ones we have described today, is this going to keep 
happening? Is this something that we all expect as a 
government, that, yes, we are going to keep getting hacked and 
they are going to get information, they are going to get into 
military bases, they are going to get in to various other data 
centers? Is this something that we ought to just expect is 
going to be happening going forward?
    Mr. Wales. I would say that our adversaries are showing no 
signs that they will stop using cybersecurity to advance their 
purposes, whether that is criminal, nation-state for intel 
collection, or as Tonya said earlier, to pre-position for 
potentially more disruptive----
    Senator Romney. Are we outgunned just in terms--I 
understand that the Russians have buildings full of people who 
are their very best and brightest, from their very best 
schools, who are devoted to hacking into our systems and 
gathering information. Are we outgunned in this country to be 
able to fight against that? Or is it simply it is almost 
impossible to plan for every possible attack?
    Mr. Wales. It is impossible to plan for every possible 
attack. What I would say is what we want to do is put in place 
both the programs as well as the capabilities that make it more 
likely that we will stop them, make more likely that if they 
are successful, we detect it faster and can respond more 
quickly, and ultimately make our systems more resilient; that 
even if they get inside, there is less damage they can do 
because they cannot move laterally into other parts of the 
networks. There is a variety of things that we need to do on 
the defensive side to ensure that we have cybersecurity that is 
commensurate with the level of threat that we face, which is 
significant.
    Senator Romney. Are you comfortable with the expertise that 
we get from outside of government to be able to devise 
strategies to be able to thwart these kinds of attacks, limit 
the extent of the attacks? I say that in part because my guess 
is that the top graduates from California Institute of 
Technology (CalTech) and Massachusetts Institute of Technology 
(MIT) and others, they tend to go into the private sector or 
their own firms or become hackers themselves, and we are not 
able to attract the same level of talent into government as 
maybe in the private sector.
    Do we have the skill that we need to be able to confront 
what we are facing internationally?
    Mr. Wales. I think this is a question that I think all of 
us can answer in somewhat different ways because we have a lot 
of efforts to ensure that we can recruit and retain the right 
level of talent. There are a lot of interesting things that 
people can only do in the U.S. Government, and that does 
attract some of the best and the brightest. I am happy that I 
lead a workforce of people who are extremely talented, who can 
do things that no one else can do when it comes to hunting 
threats and detecting the adversary.
    But part of our strength is our collaboration from the 
Federal Government with the private sector, with key 
international partners and law enforcement, defense 
communities. That allows us to do things that other countries 
cannot, to bring in that expertise. The fact that we have 
companies like FireEye who were able to detect the SolarWinds 
incident and bring that information to the Federal Government 
early, as soon as they detected it, and allowed us to do 
additional actions to find that activity elsewhere is part of 
the strength of our system, and it is one that we rely upon. We 
are meeting regularly with the private sector to gain their 
insights in what they are seeing, including when we have 
significant incidents.
    The first weekend after the Microsoft Exchange 
vulnerabilities came out, we were on a call with key private 
sector members talking about what they were seeing in the 
United States, what they were seeing globally, and how it could 
inform our protective posture.
    Senator Romney. I just wonder whether we have or whether we 
should engage one or two or three of the top firms in the 
country to look at our systems and to lay out for us a strategy 
for how we are going to deal with what is apparently going to 
be an ongoing threat.
    Let me ask on a different front, are we as good at offense 
as they are? Any one of the three of you can answer this, but 
the Russians and the Chinese, and, well, the North Koreans and 
Iranians to a lesser extent, I believe, but the Russians and 
the Chinese have massive resources devoted to attacking our 
systems. Our corporate systems are attacked thousands upon 
thousands of times a day.
    Are we as good at this as they are on an offensive basis? 
Do we have versions of the same things we are talking about 
here having attacked us? Are we accomplishing the same things 
there, or are we just not up to the same level they are in 
terms of the hacking into systems?
    Ms. Ugoretz. Senator, I think you would need a different 
set of agencies here in order to address the offense question, 
and that would likely need to be in a classified setting.
    Senator Romney. Can you describe which agencies it would 
be, or is that also classified?
    Ms. Ugoretz. I do not think I would want to specify, but----
    Senator Romney. OK.
    Ms. Ugoretz. I think members of our intelligence community 
and Department of Defense (DOD) would be chief among those.
    Senator Romney. All right. Thank you.
    Mr. Chairman, I will return the time to you.
    Chairman Peters. Thank you, Senator Romney.
    We are waiting for a couple Senators. I think they are on 
their way right now. Ranking Member, do you have a question?
    Senator Portman. Thank you, Mr. Chairman. Senator Romney, I 
appreciate your line of questioning.
    I want to talk about EINSTEIN for a moment. The statutory 
authorization for the EINSTEIN program expires in December 
2022, so it gives us an opportunity to take a look at this.
    Mr. Wales, I think we can all agree that hackers behind the 
SolarWinds attack were very sophisticated and hard to detect, 
but, clearly, someone was able to detect them, or we would not 
be here today. Unfortunately, it was, again, the private 
sector, not government.
    I think it is important to start by discussing the 
limitations of the Department of Homeland Security's cyber 
intrusion detection program, EINSTEIN, and asking why it did 
not detect this threat and how we can improve it.
    Mr. Wales, could you assess EINSTEIN's current performance?
    Mr. Wales. Sure, and I would say, Senator, that EINSTEIN 
continues to perform, as it was designed, and it can protect 
against the things that it was designed to protect against. I 
will note that EINSTEIN is an intrusion detection system, which 
means it is looking at the perimeter of a network and examining 
traffic that is going from outside the network to inside the 
network.
    Senator Portman. It was not designed to detect unknown 
threats like the SolarWinds attack, correct?
    Mr. Wales. It was not designed on threats. That being said, 
it was also--and, again, EINSTEIN is not just one capability. 
There is a suite of different types of capabilities all at the 
perimeter, all looking at that traffic moving into and out of 
Federal networks.
    Senator Portman. It was not the first to detect this 
threat?
    Mr. Wales. I would say that there was no intrusion----
    Senator Portman. It was not the first to detect this 
threat, correct?
    Mr. Wales. Correct, but I would just point out that there 
was no intrusion detection or intrusion protection system 
anywhere that detected this threat. FireEye did not use an 
intrusion detection system to detect this threat, and they 
could not. It just would not work that way. Part of what I 
indicated earlier was that we need to supplement what EINSTEIN 
does looking at the perimeter of networks with what is 
happening inside the network.
    Senator Portman. Can EINSTEIN scan for intrusions on cloud 
environments like Microsoft Office 365 or Amazon Web Services?
    Mr. Wales. No.
    Senator Portman. Within the government are you seeing 
increased use of cloud environments like Microsoft Office 365 
and Amazon Web Services for IT services?
    Mr. Wales. Yes.
    Senator Portman. What about other encrypted Internet 
traffic? Can EINSTEIN scan all encrypted Internet traffic going 
to and from government agencies?
    Mr. Wales. So it can see where that traffic is coming from 
and going to, but it cannot look inside of that traffic. That 
is one of the key areas why we need to move away from perimeter 
security for that level of intrusion protection and move onto 
the host, because when you are deploying on the host level, on 
those work stations and servers, there the information is 
unencrypted, and those systems can detect whether activity is 
anomalous.
    Senator Portman. So you would say it cannot scan all that 
encrypted data going to and fro. Is that correct?
    Mr. Wales. Correct.
    Senator Portman. And much of the Internet traffic these 
days is encrypted, isn't it?
    Mr. Wales. More than 90 percent of the traffic in the 
Federal Government is encrypted.
    Senator Portman. Yes. I believe the urgency here is clear, 
and I think you have stated it, that the statutory authorization 
for EINSTEIN expiring next year gives us a chance to do this. 
It seems like the significant limitations you have talked about 
means we need to work together to address the next 
authorization. Would you agree with that?
    Mr. Wales. Yes, I think we need to keep the pieces of 
EINSTEIN that continue to work and provide significant value, 
and we need to transition those areas that do not to different 
programs. The American Rescue Act money will provide a 
downpayment to start doing that.
    Senator Portman. Great. Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Portman.
    The Chair recognizes Senator Sinema. Senator Sinema, you 
are recognized for your questions.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Chairman Peters, and thank you 
to Ranking Member Portman for holding this important hearing. 
Thanks to the witnesses for being here today.
    The SolarWinds attack targeted high-value government and 
technology networks, and the more recent attack against 
Microsoft Exchange vulnerabilities victimized many small and 
medium-sized businesses. In Arizona, the city of Kingman is 
still recovering from a criminal cyber attack against its 
computer systems that occurred in late February. This shows how 
expansive cyber attacks have become and how damaging the 
results can be and the amount of time and resources needed to 
recover. So this is a very timely hearing.
    The Federal Government must do more to help communities and 
entities such as Kingman to improve its own systems to ensure 
Federal entities have the tools they need to prepare for and 
respond to future cyber attacks.
    My first question is for Mr. DeRusha. We recently heard 
from the Government Accountability Office about its latest 
High-Risk List. Ensuring the cybersecurity of our Nation was 
listed as needing significant attention. What immediate actions 
will you take as the new Chief Information Security Officer to 
address outstanding recommendations from GAO and any findings 
from the investigations into the SolarWinds attack to help 
agencies better secure Federal systems and protect cyber 
critical infrastructure and sensitive data?
    Mr. DeRusha. Senator, thank you for the question. 
Fortunately, this Committee supported giving us a downpayment 
in the American Recovery Plan to start on this crucial work. 
With the $1 billion of investment in the Technology 
Modernization Fund, we are going to be able to start looking 
top-down at some of the High-Risk IT systems across government 
and start to be really able to tackle some of these persistent 
long-term challenges that we have been aware of but just have 
not had the resources to address.
    Also, the monies that are going toward CISA and GSA, we are 
going to start looking toward developing managed security 
services where valuable and also ensuring that we are making 
investments in the agencies through the annual budget process 
to fill key capability gaps that we have identified through the 
SolarWinds incident.
    We have a lot of work planned, and we are looking forward 
to working collaboratively with CISA to implement across all 
the Federal agencies.
    Senator Sinema. Thank you.
    My next question is for both Mr. Wales and Mr. DeRusha. We 
are increasingly reliant on interconnected devices and networks 
that help manage critical areas such as transportation, health 
care, and energy. How can we avoid concentrating cyber attack 
risk within a more specialized supply chain of manufacturers, 
software providers, and telecommunications firms? If we cannot, 
how do we minimize risks across these critical supply chains?
    Mr. Wales. Thank you. So we do a lot of work--I would say 
at the outset that, changing the market is challenging, and in 
many cases the reason why there is concentrated risk are market 
conditions that are largely outside of the Federal Government's 
ability to control. But we do try to work hard, particularly 
with the vendor community, who makes a lot of those industrial 
control systems (ICS), the systems that manage critical 
infrastructure and operate the systems that we all rely upon. 
We work with the vendor community to strengthen the security 
that is built into those devices, and we actually have a lot of 
work focused in the industrial control system space with the 
owners and operators of those systems to identify what 
additional protections and security they need to have in place, 
because cybersecurity of industrial control systems is 
challenging. It is a unique discipline. Of all the workforce 
challenges we have in the cybersecurity community, it is 
magnified a couple of timefold because of the unique nature of 
industrial control environments, but it is an area that we have 
a focused effort on. CISA released the strategic plan focusing 
on securing ICS systems late last year, and we are working now 
with the White House and DOE and others on additional work to 
see what we can do to get better insights and provide 
additional expertise to help secure those systems.
    Senator Sinema. Thank you.
    My next question is for Mr. DeRusha. OMB's Federal 
cybersecurity reskilling program is meant to bring more 
cybersecurity training to Federal employees. However, placing 
graduates has been a challenge because they often end up 
qualified for cybersecurity jobs a grade lower than their 
current position. What actions do Congress and the 
administration need to take to ensure that employees who gain 
these skills are rewarded with a fair salary and appropriate 
grade level?
    Mr. DeRusha. Senator, I can just say that I am aware of 
that challenge, and it is definitely going to be a priority of 
our office, within the Office of the Federal CIO, to work with 
the Office of Personnel Management to explore all the current 
hiring authorities and incentives that we have in place and 
ensure that agencies are using them and understand how to use 
them. So you can expect that we will absolutely be prioritizing 
this.
    Senator Sinema. Thank you.
    My next question is for Mr. Wales. Mr. Wales, a key way to 
combat a cyber attack is effective information sharing, but we 
continue to hear from some private sector entities about 
frustrations that they are expected to share information, but 
the Federal Government is slow to reciprocate. What are your 
recommendations for incentivizing companies to notify the 
Federal Government when their networks are compromised? How is 
CISA working to improve its information sharing back to the 
private sector?
    Mr. Wales. Sure. Thank you for that. I will start by saying 
that we actually have received a lot of positive feedback from 
companies that have come forward recently to us and to the 
Federal Government, and I want to thank those companies, 
because, frankly, cybersecurity requires a collective defense, 
and we are only successful if people are willing to come 
forward and work with us.
    I would also say that we have worked hard over the past 
year to improve the speed at which we can provide back 
actionable information when we receive information from the 
private sector. Again, it may not be information back to that 
same company, but the information that they provide is going to 
raise everyone else's baseline. When we receive information 
from a company, we are then going to share that in an 
anonymized way more broadly so that other companies are not 
victimized in the same way. I think both the SolarWinds case as 
well as Microsoft Exchange vulnerabilities, the time at which 
we were notified about an incident and provided information 
from potential victims to the speed at which we were able to 
get information out broadly, publicly, is now measured in hours 
and days and not weeks and months.
    And so that is where I am focusing our efforts because I 
think it is the place where we can have the greatest impact, 
and the value proposition back to those companies is that today 
you are sharing this information, but tomorrow you are going to 
want other people to share information so that you can benefit 
from it, so that you are not victimized by the next cyber 
attack because someone else is sharing information with the 
Federal Government allowing us to get it all out, allowing us 
to enable this collective defense.
    Chairman Peters. Thank you, Senator Sinema.
    Senator Hawley, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you, Mr. Chairman. Thanks to the 
witnesses for being here.
    Ms. Ugoretz, could I just start with you? You wrote in your 
testimony that the adversary's goal is not just to compromise 
the network; it is to use that compromise in furtherance of a 
larger objective. In this case, could you give us a sense of 
what we think that larger objective is or was?
    Ms. Ugoretz. Yes, Senator, thank you for the question. I 
think the intelligence community and the Unified Coordination 
Group that is coordinating the response to this incident has 
said in its public statements that we assess that the intent of 
the adversary behind this activity was for espionage purposes, to 
obtain information that would further their insight and their 
activities.
    Senator Hawley. Do we have a sense, have other nations been 
targeted as well, or do we think that we were the only ones? 
For instance, is it possible that some of our European partners 
and allies could have been targeted and have yet not discovered 
it and do not know about it? Or do we think that this was a 
stand-alone attack directed at the United States?
    Ms. Ugoretz. So based on what we have seen thus far, the 
majority of the activity appears to have been directed at the 
United States; however, we are aware of instances and 
information shared with us from foreign partners where some of 
their networks were affected as well.
    Senator Hawley. That is interesting. I noticed that in 
February we also uncovered evidence of a separate parallel 
attack on SolarWinds software, but this time from a group of 
hackers in China. Do we think that this was coincidence or was 
it coordinated? Is there anything you can tell us about the 
timing of this, coming from what appears to be a different 
source?
    Ms. Ugoretz. What I can tell you is that some of the press 
reports about SolarWinds-related China-based activity were 
inaccurate. For me to go into those inaccuracies would require 
a classified setting.
    Senator Hawley. Understood.
    Mr. Wales, just on this subject, let me ask you about one 
of the reports about these attacks. Some of the reports 
indicate that hackers targeted the National Finance Center 
(NFC), sort of the processing of payroll information--a center 
which processes payroll information for Federal workers. Of 
course, you can imagine the compromise in personal data that 
that would entail.
    What lessons, I am wondering, should we take from that 
specifically? Do we need to take further steps, for instance, 
to rethink how the government stores and protects personal 
data, especially of that kind?
    Mr. Wales. I will say two things. First is that reporting 
was inaccurate. The National Finance Center was not targeted, 
as far as we know----
    Senator Hawley. At any time? First or second----
    Mr. Wales. Not as part of this campaign or the separate 
campaign, and we have had a number of discussions with the U.S. 
Department of Agriculture (USDA) that manages the National 
Finance Center and do not believe that the NFC was targeted.
    But, second, data loss prevention is one of the key 
capabilities that we are attempting to work through in Phase 3 
and Phase 4 of our Continuous Diagnostics and Mitigation (CDM) 
program. Protecting sensitive government data is among the 
highest priorities we have, and it is certainly kind of on our 
road map for where we want to focus our efforts.
    Senator Hawley. Let me ask you an adjacent question. You 
wrote in your testimony, Mr. Wales, that due to the global 
pandemic, the risk landscape has shifted dramatically over the 
past year. Can you give us a sense of why that is true? What is 
the difference? Is it more remote work? What has led to the 
threat environment?
    Mr. Wales. The digital transformation that we went through, 
where there was much more significant remote work, many 
workplaces have changed their operating environment, they are 
moving more to cloud-based infrastructure. That movement has 
both strengths and weaknesses. In many cases you are moving to 
an environment that is managed by professionals who can spend 
full-time making sure that that is secure. But, on the other 
hand, you need to make sure that you are doing it right, that 
you are configuring those systems. It introduces new 
vulnerabilities that your system administrators may not have 
had experience working with before. This change has increased 
and changed our risk calculus, and it is going to require the 
Federal Government to work with the private sector to adjust.
    Senator Hawley. Just on the question of the 
vulnerabilities, the Wall Street Journal (WSJ) recently 
reported that some of the techniques used by the hackers were 
the equivalent, the digital equivalent of a spy's disguise. Can 
you give us a sense of how the attackers can disguise 
themselves on government networks? What does that amount to?
    Mr. Wales. I am going to defer this one to Tonya. I believe 
this is more referring to them using U.S.-based infrastructure 
as opposed to operating from overseas.
    Ms. Ugoretz. That might be part of it. I think there are 
different ways that adversaries can try to blend into 
legitimate traffic. Some of that is by using, for example, 
virtual private networks (VPN) which might be carrying traffic 
not only from the malicious actors but from legitimate actors 
as well. Brandon also referred, I think, in his testimony to 
the fact that adversaries do try to use domestic infrastructure 
because it is more trusted by network defenders. That is not 
surprising. Adversaries try to avoid detection by our services 
that focus on overseas collection as well as the FBI who 
collects here domestically. But we are always working very 
closely with our IC partners who are involved in both foreign 
collection as well as our focus on the domestic collection to 
try to close that gap and understand how the adversaries are 
trying to evade us.
    Senator Hawley. Understood. Very good. Thank you all.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Hawley.
    Senator Padilla, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR PADILLA

    Senator Padilla. Thank you, Mr. Chair. I just want to thank 
the three of you for your work and your testimony today. I will 
have many questions for all of you. I will raise a couple of 
issues with Mr. Wales.
    My first question is: Can you shine some light on why CISA 
might not always be aware of incidents or issues in agencies or 
with their contractors? I phrase that after reflecting on some 
of your testimony where you shed light on the need for broader 
visibility for CISA across Federal agencies and even non-
government entities. A general question with the precise 
follow-up of is there some reason that contractual restrictions 
might limit our ability to respond to a cyber attack from 
Russia, or any other adversary, for that matter?
    Mr. Wales. Let me first say I want to thank you personally 
for your partnership with our agency during your time as 
Secretary of State in California on our Protect 2020 efforts.
    On your specific questions, so agencies are required to 
provide CISA with information on incidents affecting their 
information or their infrastructure. So whether it is a 
contractor for that agency where their data may have been 
compromised or it is the agency's network itself that has had a 
security incident, they are required under Federal reporting 
guidelines to provide that information to CISA. So we would 
have perspective on incidents.
    What I was referring to in terms of visibility is more what 
is happening on that network, the systems on that network. For 
example--and Chris alluded to kind of Excel-based spreadsheets 
going back and forth--when we want to know how many SolarWinds 
devices are on Federal networks, we have to do a data call and 
ask each Federal agency to tally them up and send them into us. 
They may have their own tools inside the network that give 
them visibility on what those systems look like, but CISA does 
not have access into those. We do not have that level of detail 
of knowledge into their network.
    When we want to operate and go hunt on their networks, we 
need to have their permission to deploy our sensors, to deploy 
additional agents onto their systems so that we can see the 
cybersecurity information.
    We want to move to an environment where security 
information is available to CISA. We can use that for alerting, 
we can use that for hunting and do that in a way that is 
collaborative and cooperative, because the strength of our 
relationship with those agencies should not be sacrificed.
    There may be some small areas where there are contractual 
requirements that may need to evolve. This is an area that we 
are actually working with the interagency on now about how we 
need to evolve certain contracts to make sure information can 
be shared appropriately, and we expect guidance to come out on 
that in the very near future.
    Senator Padilla. OK. Please let us know how this Committee 
can help you in that regard, and I believe on the sharing of 
information, the data calls you reference may be separate but 
run parallel to the dynamic where OMB has definitions of ``major 
incident.'' A lot of times it is left up to the specific 
departments and agencies to make the call on their own of 
whether an incident has reached that threshold or not, so 
another area of work----
    Mr. Wales. [Off microphone] [Inaudible]. Reporting to us is 
a lower threshold. The very major incident is different than 
the reporting guidelines for when they need to report security 
incidents to----
    Senator Padilla. Right, so I did not think that is what you 
were referencing, but acknowledging that dynamic.
    A quick comment on supply chain and then another sort of 
40,000-foot question for you. I look forward to working with 
the Chair and other Members of the Committee to follow up on 
the supply chain issues, concerns, and need. I just want to for 
the record state that it is not just a software issue. It is 
also a hardware issue. It is also a middleware issue. You know, 
much higher stakes in this discussion than the toilet paper 
supply chain early in the Coronavirus Disease 2019 (COVID-19) 
pandemic, but I think, given that example, people understand 
what we are talking about here from a national security 
perspective.
    My big question of today is this: Can you speak to the 
broader nature of what we refer to as the ``SolarWinds 
attack''? I mean, it is commonly referred to as the 
``SolarWinds attack,'' but the more we learn about it, the more 
we recognize it was much more sophisticated, much more 
multidimensional, much more pervasive of an incident. What 
other avenues did the Russians use that we have not been 
talking about enough?
    Mr. Wales. Sure. Senator, that is a good question. What I 
can say is the adversary used a variety of techniques to 
compromise networks. The most common was the compromise of the 
SolarWinds devices, but we are aware of their use of other 
techniques. We believe right now that most of those techniques 
are more traditional cyber attacks, password spraying, brute-
force attacks on networks to try to gain access to the inside. 
They may have used vulnerabilities in commonly used VPN 
software and others to compromise networks.
    But what I would say is the hallmark of the campaign was 
their ability to pivot once they gained access inside of that 
network to compromise authentication systems and then use that 
compromised authentication system to gain broad access to data 
stores that they wanted, largely in Microsoft Office 365 cloud 
but at times critical data stores on networks.
    I will talk, just mention as an example, because the 
company itself had talked about this publicly, but when FireEye 
was compromised, the adversary was looking for their red-
teaming tools, the tools they use to test the security of some 
of their client networks. That is kind of an example of where 
they are going after sensitive information, but in other cases 
maybe other stores of data. It was all because they compromised 
those systems that managed trust and identity on networks. They 
had a couple of different pathways to get there, but that was 
really the hallmark of this campaign.
    Senator Padilla. Thank you. I will just end with, other 
members have asked questions and made comments relative to the 
need to continuously improve interagency and intergovernmental 
communication and collaboration, others from our prior 
experience the need for not just Federal but Federal, State, 
local, and private sector communication collaboration. Part of 
what is startling from this SolarWinds incident is techniques 
and tactics that we have not seen before. It truly is an all-
hands-on-deck moment to be able to stay one step ahead of the 
bad guys, if you will. It underscores the need for improving 
our models for centralizing a lot of this review and sort of 
monitoring the bad traffic or, short of that, much better and 
real-time communication collaboration.
    Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Padilla.
    Senator Ossoff, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR OSSOFF

    Senator Ossoff. Thank you, Mr. Chairman, and thank you to 
our panel today. I am grateful for your work and for your 
testimony.
    Ms. Ugoretz, would you say that cybersecurity in this 
context, where it has been reported in unclassified settings, 
including confirmed in this hearing today, that the principal 
objective of the threat appeared to be espionage, that 
cybersecurity in this context is a counterintelligence effort?
    Ms. Ugoretz. Speaking from my perspective, I am a career 
intelligence analyst for almost 20 years, so a lot of my work 
has been focused on not only getting intelligence to the 
decisionmakers who need to act on it, but understanding the 
motives behind various threat actors. When it comes to cyber 
threats, I think it is important to not consider cyber and 
cyber threat intelligence as distinct from the people who are 
actually using it. You are correct that among those who are 
using it, in addition to cyber criminals, are foreign intelligence 
services and elements of foreign adversary governments who are 
using cyber intrusions as one of many means in order to support 
their strategic objectives, which may be to gain insight and 
information into U.S. policy perspectives and priorities or for 
other purposes.
    So in that context, yes, I would consider how foreign 
adversaries use cyber intrusions to support their ends as a 
counterintelligence concern.
    Senator Ossoff. Thank you, Ms. Ugoretz, for that answer. It 
would be correct, would it not--and, of course, correct me if I 
am wrong--to state that when it comes to counterintelligence in 
the context of human intelligence, the FBI is clearly the 
agency in the lead within the Federal Government, of course, in 
collaboration with elements in the intelligence community and 
collaboration with State and local law enforcement where 
appropriate, but counterintelligence from a human intelligence 
standpoint is the FBI's responsibility. Is that correct?
    Ms. Ugoretz. I believe counterintelligence, writ large, 
here domestically and not only confined to human intelligence, 
yes, is under the FBI's authority.
    Senator Ossoff. Thank you, Ms. Ugoretz. Given the scope of 
the apparent breach and the number of Federal agencies affected 
and vulnerable to this attack, was this a counterintelligence 
failure?
    Ms. Ugoretz. Senator, again, kind of drawing on my 
experience as a career intelligence analyst--and I will just 
note I joined the FBI as an intelligence analyst in November 
2001 when the term ``intelligence failure'' I think became a 
part of our vernacular, so I do understand the context of your 
question and the concern.
    Based on that perspective, when I think of an intelligence 
failure, I think of a few different things. The first is a 
failure of imagination or of forward-leaning analysis that goes 
beyond the fragmentary intelligence that we as the U.S. 
Government have at any point in time in order to be able to 
forecast a specific threat or incident.
    Second, I think about a failure to share. There are many 
different U.S. Government agencies who have pieces of the 
intelligence puzzle, and especially with cyber, the private 
sector has one of the biggest pieces of the puzzle about what 
adversaries are doing against private networks. So that 
is the second way I think about intelligence failures as a 
failure to share what dots we have.
    Third, I think about failure to connect the disparate 
pieces we have that I just described.
    In the case of the SolarWinds incident, none of those three 
things happened. Information that the U.S. Government held on 
this adversary and threat intentions was shared across the 
interagency. There were no assessments that were not shared. In 
fact, publicly both the FBI and CISA have warned of a variety 
of adversaries, including Russia and China, both attempting and 
succeeding to conduct supply chain compromises, including, most 
notably, the Russians with the NotPetya compromise, which is 
still considered the most globally damaging----
    Senator Ossoff. Ms. Ugoretz, if I might, and the reason 
that I am asking this question in this way, if in the human 
intelligence context there was compromise so broadly across a 
range of Federal agencies, I think it is safe to say--and my 
question was: Is this a counterintelligence failure? We have 
established that cybersecurity in this context is a 
counterintelligence mission. If a human intelligence threat 
penetrated this many Federal agencies in order to exfiltrate 
this potential degree of sensitive data, I think we would 
unambiguously view that as a failure of counterintelligence, an 
operational failure. That is not expecting perfection. We 
recognize that in the cyber context offense is cheaper than 
defense, that the threat is persistent, and that there will be 
breaches of U.S. networks. But I find it troubling that we 
cannot simply establish at this hearing that operationally this 
kind of breach is a counterintelligence failure.
    Ms. Ugoretz. Senator, intelligence and intelligence 
analysis and the prevention of threats require the integration 
of information from a variety of sources derived not only 
domestically but from our foreign intelligence collection as 
well, which members of the intelligence community other than 
the FBI conduct. As you are likely aware, our insight into 
adversary threat activity, especially among our most 
sophisticated cyber adversaries and foreign intelligence 
services, is fragmentary. The FBI, in order to pursue 
collection on those fragments, requires information on which we 
can predicate that collection. So we cannot, for example, 
conduct wholesale collection on a broader class of U.S. 
domestic infrastructure or U.S. domestic agencies just in case 
we see something. It requires those building blocks of 
intelligence which the entire U.S. intelligence community is 
responsible for in order to be able to direct that intelligence 
and that insight.
    Senator Ossoff. Thank you, Ms. Ugoretz, for engaging in 
this discussion.
    Mr. Chairman, I yield back.
    Chairman Peters. Thank you, Senator Ossoff.
    I would like to thank our witnesses once again for your 
testimony here today and taking our questions. It is clear that 
we are dealing with a major threat, a threat that continues to 
grow but requires a very complex response, and it is also clear 
we are not there yet and have a long way to go.
    This will be a continuing conversation. We are going to 
continue to hold hearings in this Committee. We are going to 
continue to be meeting directly with folks in all of the 
respective agencies as we look at ways that Congress can 
support your efforts to protect our networks, both with the 
Federal Government and broadly across the economy. I speak for 
all the Members of the Committee. We look forward to your 
engagement in this process because it is a necessary one. We 
are confident we can deal with it, but it is going to take a 
lot of effort. We are going to work together in a bipartisan 
way in this Committee to achieve that end.
    With that, the hearing record will remain open for 15 days, 
until April 2nd at 5 p.m., for the submission of statements and 
questions for the record.
    This hearing is now adjourned.
    [Whereupon, at 12:03 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              


                  PREVENTION, RESPONSE, AND RECOVERY:
            IMPROVING FEDERAL CYBERSECURITY POST-SOLARWINDS

                              ----------                              


                         TUESDAY, MAY 11, 2021

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary C. Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Carper, Hassan, Sinema, Rosen, 
Ossoff, Portman, Johnson, Lankford, Romney, Scott, and Hawley.

              OPENING STATEMENT OF CHAIRMAN PETERS

    Chairman Peters. The Committee will come to order.
    First, I want to thank each of our witnesses for joining us 
today for this very important discussion, the second in a 
series of hearings that Ranking Member Portman and I are 
conducting to help bolster our Nation's cyber defenses and 
ensure that the American people are safe from increasingly 
sophisticated online attacks.
    Although it can often be difficult to understand the 
complexity and the severity of some of these attacks from the 
outside, they have a significant cost on our national security. 
In many cases, these attacks can also affect our daily lives, 
as we saw with the recent ransomware attack on the Colonial 
Pipeline that was reported over this weekend.
    Officials are continuing to investigate exactly what 
happened. But the extraordinary measures the company took to 
shut down the pipeline and the possible ripple effects that 
will likely have on gas prices and our economy down the line 
shows that attackers will always look to exploit 
vulnerabilities.
    We must continue working to strengthen our cybersecurity 
defenses and response plans to prevent these types of attacks 
from occurring in the first place and prevent them from having 
catastrophic consequences on our daily lives.
    That is why I will continue to push for common-sense 
legislation to strengthen our response to these hostile 
assaults, whether they come from foreign adversaries or 
criminal actors that seek to harm our country.
    That is why I worked to secure a $650 million investment as 
part of the American Rescue Plan (ARP) to help the 
Cybersecurity and Infrastructure Security Agency (CISA) and the 
Federal Government prevent adversaries and bad actors from 
hacking institutions and Federal agencies that are absolutely 
essential to our pandemic response.
    I have also introduced legislation with Ranking Member 
Portman to provide the Department of Homeland Security (DHS) 
with additional resources and encourage better coordination to 
address attacks that risk the safety and the security of 
Americans.
    While legislation and needed reforms will certainly help 
bolster our national security against these increasingly 
sophisticated threats, we also need to rethink how we approach 
cyber warfare.
    Our foreign adversaries, like the Chinese and Russian 
Governments, do not rest. To successfully thwart their 
relentless assaults on the American system, we need to 
recognize they do not view the Federal Government as separate 
agencies, but as one single target.
    That is what made the SolarWinds hack such a significant 
incident. A foreign adversary was able to infiltrate and spy on 
nine Federal agencies and dozens of private companies all at 
the same time, using the same vulnerability to access troves of 
sensitive data, including the emails of the Acting Secretary of 
Homeland Security at the time.
    An attack like that requires a comprehensive approach, and 
we cannot leave individual Federal agencies to fend for 
themselves against attacks from nation-states.
    Agencies need to better anticipate their individual risk, 
and the Cybersecurity and Infrastructure Security Agency and 
the Office of Management and Budget (OMB) need to take a 
governmentwide approach to assessing cybersecurity threats so 
that we can better prioritize our resources to defend Federal 
information systems.
    Federal agencies must also ensure they are providing 
Congress with timely and relevant information in the event of 
major incidents so that we can work with our Executive Branch 
colleagues to help provide the resources and authorities that 
they need to address these threats.
    That is why I am continuing my push to strengthen the 
Federal Information Security Modernization Act (FISMA), so that 
Congress can ensure our cybersecurity apparatus is working 
hand-in-hand across the Federal Government to support a 
coordinated response to cyber intrusions, while providing 
transparency.
    Today's hearing will focus on the safety and security of 
our Federal agencies and how our government's lead 
cybersecurity experts are working to protect the information 
systems of departments that are critical to safeguarding our 
national security and providing essential services to the 
American people.
    Today's witnesses are uniquely qualified to help the 
Committee understand how agencies are assessing the damage of 
these recent breaches, what we need to do to combat these 
threats, how to improve transparency with Congress, and the 
challenges they have faced in recovering from these attacks.
    Protecting the American people from these ever-evolving 
attacks, especially in the face of a pandemic that has moved 
our lives increasingly online, requires immediate action on a 
bipartisan basis. I know this Committee can work together to 
tackle these enormous challenges.
    With that, I turn it over to Senator Portman, our Ranking 
Member, and thank him for joining me to address cyber attacks 
and to secure our Nation. Senator Portman.

              OPENING STATEMENT OF SENATOR PORTMAN

    Senator Portman. Thank you, Chairman Peters. I have 
appreciated our bipartisan work over the years together on 
improving Federal cybersecurity, and I look forward to 
continuing the partnership. You just mentioned some of the 
efforts that are underway. As many of you know, we are in the 
process of writing legislation right now to address some of 
these issues we will talk about today.
    Today is an opportunity to really focus deeply on some of 
these attacks that have happened over the last several months. 
We already had one hearing on the SolarWinds hack, and today we 
want to continue that oversight with some witnesses from the 
agencies to talk about how we can learn from these incidents to 
improve our cyber defenses in the future. I look forward to 
hearing the perspective of these agency officials on the ground 
as they try to fend off these cyber attacks.
    In the last 6 months, hackers have executed four major 
cyber campaigns against U.S. Government agencies and private 
companies. Those are four that we know of, and I say that 
because many of these attacks occurred months ago, and we only 
learned of them more recently. SolarWinds is one; Microsoft 
Exchange, Pulse Secure, and, most recently, of course, the 
Colonial Pipeline.
    The SolarWinds and Pulse Secure virtual private network 
(VPN) attacks targeted Federal agencies, and yet it was private 
sector companies that discovered them. That should be 
concerning to all of us. Despite all the increased funding 
appropriated for cybersecurity and the bipartisan legislation 
we have worked on here in this Committee, not one of these 
Federal intrusions was discovered by the Federal Government. 
Cyber attacks are going to continue to be a threat, and the 
Federal Government needs to be able to identify those threats 
and defend against them.
    We continue to learn about these attacks. Here are some of 
the details we already know.
    First, after our last hearing, the U.S. Government 
officially attributed the SolarWinds hack to Russia's Foreign 
Intelligence Service (SVR). So we have learned that since our 
last hearing. SVR was very patient and selected its targets 
carefully and compromised a trusted link in the software supply 
chain. It disguised its activity and used stealth techniques 
that evaded detection. Because of that, it took more than a 
year to detect the attack, a lifetime to be able to do damage 
for sophisticated adversaries like these.
    Second, we know that the SolarWinds and Microsoft Exchange 
attacks were broad. Within the Federal Government, the 
SolarWinds attack hit agencies holding some of our most 
sensitive data and national security secrets, including the 
agencies before us today. I look forward to the testimony of 
our witnesses about the impacts of recent attacks on their 
agencies.
    The SolarWinds and Microsoft Exchange attacks also impacted 
the private sector, even cybersecurity firms meant to protect 
our systems. For example, FireEye, the company that discovered 
the SolarWinds hack, was breached itself. FireEye is one of the 
firms folks call on when they discover a breach, so here the 
very people we call on when we get hacked got hacked 
themselves.
    We are still in the very early stages of learning about the 
Pulse Secure attack, but recent reports indicate that at least 
five Federal agencies were compromised in that attack. So we 
are learning as we go, and it is concerning.
    Third, the fact that the Federal Government was hacked is 
not surprising to us. In June 2019, we issued a report from the 
Permanent Subcommittee on Investigations (PSI). I was chair of 
that Committee at the time; Senator Carper was the ranking 
Democrat. That report detailed the extensive cybersecurity 
vulnerabilities of eight specific Federal agencies. Many of 
those vulnerabilities had remained unresolved for a decade. 
More than a year later, three of those eight agencies were 
seriously compromised by the SolarWinds attack: DHS, State, and 
the Department of Health and Human Services (HHS). State is not 
here, but HHS is here, and we look forward to a dialog about 
why HHS did not declare a major incident under the Federal 
Information Security Modernization Act. We talked earlier about 
FISMA and the need to reform it, but under current FISMA it 
seems to me that should have been declared a major incident.
    I am concerned that members of DHS' cybersecurity team who 
hunt threats in foreign countries and the former DHS Secretary 
were compromised in the SolarWinds attack and that we learned 
about this not from DHS, not from CISA, but from news reports. 
Mr. Wales, I look forward to a discussion of how CISA 
specifically, which is part of DHS, was impacted. Again, we 
will refer later in the questions to those specific news 
reports I am talking about.
    Finally, it is clear that cyber attacks are going to keep 
coming. Last week, cyber criminals attacked Colonial Pipeline, 
the company responsible for providing about 45 percent, almost 
half of the east coast fuel. This is potentially the most 
substantial and damaging attack on U.S. critical infrastructure 
ever. It shows that cyber attacks can have tangible, real-world 
consequences.
    Although our witnesses today are here to discuss the 
Federal cybersecurity side, I think it is important that we 
hear from CISA about what we know so far about this attack on 
the Colonial Pipeline and what we should be doing to deter, 
detect, and respond to attacks like this in the future.
    These four recent attacks have demonstrated not only the 
weakness of our defenses, but also the persistence and 
sophistication of our adversaries. In response, we have to take 
a hard look at the Federal cybersecurity strategy, 
capabilities, and leadership and discuss what changes are 
necessary to prevent and mitigate attacks like this in the 
future.
    At our last hearing, I asked our witnesses who is 
ultimately accountable. Who is responsible for Federal 
cybersecurity? The witnesses were not able to give a clear 
answer, which is troubling. Under current law, each agency is 
ultimately responsible for securing its own networks, which is 
why we have asked the agency Chief Information Security 
Officers (CISOs) to give their perspective today. But CISA 
must also have visibility across Federal civilian agencies to 
be able to do what Congress created it to do: secure the 
networks of the Federal Government.
    Congress also created the position of National Cyber 
Director in the White House to coordinate implementation of 
national cyber policy and strategy as recommended by the 
Solarium Commission. The Biden administration has now nominated 
Chris Inglis, and I understand his paperwork is being 
finalized. It appears that the Deputy National Security Adviser 
for Cyber and Emerging Technology, Anne Neuberger, has also 
taken a leading role in handling cyber attacks based on 
briefings we have received.
    I believe that a single point of accountability is 
necessary. I think that single point of accountability for 
Federal cyber attacks overseeing all of this, the individual 
agency efforts and CISA's work to support them, is crucial to 
ensure we have proper responsibility and accountability.
    I appreciate the witnesses being here today. Again, Mr. 
Chairman, I look forward to their testimony on all these 
important issues.
    Chairman Peters. Thank you, Senator Portman.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses, 
so if you will stand and raise your right hand. Do you swear 
that the testimony that you will give before this Committee 
will be the truth, the whole truth, and nothing but the truth, 
so help you, God?
    Mr. Wales. I do.
    Mr. Higgins. I do.
    Ms. Vogel. I do.
    Chairman Peters. You may be seated.
    Our first witness today is Brandon Wales, the Acting 
Director of the Cybersecurity and Infrastructure Security 
Agency. Prior to becoming Acting Director, Mr. Wales was CISA's 
first Executive Director. Mr. Wales has also served in multiple 
positions within the Secretary's office for DHS, including 
Senior Counselor to the Secretary for Cyber and Resilience, 
Acting Deputy Chief of Staff, and the Acting Chief of Staff for 
the Department. Prior to joining the Department, Mr. Wales 
served as a national security aide to United States Senator Jon 
Kyl and as a senior associate at a Washington-based foreign 
policy and national security think tank.
    Welcome back to the Committee, Mr. Wales. Always good to 
see you. I will now recognize you for your five-minute opening 
remarks.

 TESTIMONY OF BRANDON WALES,\1\ ACTING DIRECTOR, CYBERSECURITY 
AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Wales. Thank you. Good morning, Chairman Peters, 
Ranking Member Portman, and Members of the Committee. I 
appreciate the opportunity to testify today regarding the 
Cybersecurity and Infrastructure Security Agency's response to 
the SolarWinds supply chain compromise and our broader efforts 
to enhance the security and resilience of Federal networks 
going forward.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wales appears in the Appendix on 
page 117.
---------------------------------------------------------------------------
    As both of you pointed out in your opening statements, 
cyber attacks on our Nation's infrastructure are growing more 
sophisticated, frequent, and aggressive. Malicious cyber actors 
today are dedicating time and resources toward researching, 
stealing, and exploiting vulnerabilities, using more complex 
attacks to avoid detection, and developing new techniques to 
target information and communications technology supply chains.
    We witnessed this firsthand through the SolarWinds supply 
chain compromise and the exploitation of Microsoft Exchange and 
Pulse Secure vulnerabilities. The SolarWinds supply chain 
compromise should have served as a wake-up call to our 
adversaries' increasing interest in targeting supply chain 
vulnerabilities. This highly sophisticated operation attributed 
to the Russian Foreign Intelligence Service, involved the 
compromise of trusted software updates to inject malicious code 
into thousands of victim organizations. The primary objective 
of the SVR in this Committee appears to be gaining access to 
sensitive but unclassified communications and to identify 
additional opportunities to compromise information technology 
(IT) supply chains.
    In response, on December 13th the National Security Council 
(NSC) staff stood up the Cyber Unified Coordination Group (UCG) 
comprised of CISA, the Federal Bureau of Investigation (FBI), 
the Office of the Director of National Intelligence (ODNI), 
with support from the National Security Agency (NSA). As the 
lead for asset response in the Federal civilian space, CISA 
provided technical assistance to affected entities who 
requested it as they identified and mitigated potential 
compromises.
    CISA's work in response to this campaign fell under four 
primary lines of effort: scoping the campaign, sharing 
information and detection techniques, supporting short-term 
remediation, and providing guidance and assistance in long-term 
network recovery.
    My written statement provides a more detailed outline of 
our response and recovery efforts, so I would like to take this 
opportunity to highlight areas of progress and what we believe 
is the way forward for a more secure Nation.
    First, throughout SolarWinds and the other recent cyber 
incidents, there has been unprecedented and robust 
collaboration between the public and private sector. Industry 
identified the threats and informed us with little delay. In 
the case of the exchange vulnerabilities, we were able to work 
together to take collective action to mitigate potential risks. 
The government provided the forum, but industry partnership 
allowed us to quickly reduce the population of susceptible 
servers and notify potential victims at a scale that the 
government alone could not achieve.
    We must build on this success and adapt to the increasingly 
dynamic threat landscape. Since industry often sees malicious 
cyber activity first, we must continue to deepen operational 
collaboration with our industry partners.
    At CISA, one of our top priorities this year is standing up 
the recently authorized Joint Cyber Planning Office (JCPO), a 
recommendation from the Cyberspace Solarium Commission that was 
authorized in the most recent National Defense Authorization 
Act (NDAA). I want to thank this Committee for its support not 
only of this provision, but of all the cyber-focused provisions 
included in the NDAA that will continue to advance and 
strengthen our Federal cyber posture.
    The Joint Cyber Planning Office will build on the success 
of our recent operational collaboration, unifying public and 
private sector cyber incident planning, and integrating the 
execution of the cyber defense operations conducted under 
CISA's asset response mission.
    Second, and echoing some comments from the Chairman, we 
must rethink our approach to cybersecurity. Releasing alerts, 
deploying incident response teams, sharing best practices are 
important tools. But as the pace and scale of cyber threats 
that we face expands, so must our response toolkit. We need 
sustained investment to modernize and protect our most critical 
Federal systems as well as State and local governments 
suffering under budget constraints and increasingly aggressive 
ransomware operators. Part of the solution is dedicated 
preparedness grants for cybersecurity, which Secretary Mayorkas 
has endorsed and Congress is considering.
    Another part of the solution is the establishment of the 
Cyber Response and Recovery Fund (CRRF). I want to thank the 
Committee for introducing S. 1316, the Cyber Response and 
Recovery Act. The establishment of a CRRF will ensure CISA has 
sufficient resources and capacity to respond rapidly to 
catastrophic cyber incidents.
    But investment only goes so far. It is imperative that we 
move to more secure and defensible architectures. We must 
transition zero trust from a buzzword to the baseline standard 
for network design and configuration. It will not be easy, 
smooth, or cheap, but the cost of not doing so is simply too 
high.
    CISA's charge is clear: protect and defend the Federal 
Government's networks through collaborative risk management. To 
accomplish this objective, we continue to drive the collective 
defense model for cybersecurity, apply the lessons learned from 
these recent cyber incidents to improve our capabilities, and 
raise the bar for long-term cybersecurity to be able to truly 
defend today and secure tomorrow.
    Thank you again for the opportunity to testify on this 
important subject, and I look forward to your questions.
    Chairman Peters. Thank you, Mr. Wales.
    Our second witness today is Ryan Higgins, the Chief 
Information Security Officer for the Department of Commerce. In 
this role, Mr. Higgins provides leadership for the Department's 
cybersecurity program, which includes establishing policies and 
procedures for the Department and its bureaus in accordance 
with the Federal Information Security Modernization Act of 
2014, implementing enterprise cybersecurity functions, and 
coordinating incident response activities on behalf of the 
Department. Prior to joining the Department in March, Mr. 
Higgins held a variety of leadership roles in the Department of 
Justice (DOJ), including as Assistant Director for 
Administration at the United States Trustee Program (USTP) and 
several roles in the Justice Management Division Office of the 
Chief Information Officer (CIO). Mr. Higgins has also spent 
several years in the private sector as a practitioner in the 
areas of IT security policy and network security.
    Welcome, Mr. Higgins. Please proceed with your opening 
comments.

  TESTIMONY OF RYAN A. HIGGINS,\1\ CHIEF INFORMATION SECURITY 
              OFFICER, U.S. DEPARTMENT OF COMMERCE

    Mr. Higgins. Good morning, Chairman Peters, Ranking Member 
Portman, and Members of the Committee. Thank you for the 
invitation to appear before you today to provide an update on 
the Department of Commerce's incident response activities.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Higgins appears in the Appendix on 
page 123.
---------------------------------------------------------------------------
    I serve as the Department's CISO and Deputy CIO within the 
Office of the CIO. I joined the Department in March 2020 and 
provide leadership for the Department's cybersecurity program, 
which includes establishing policies and procedures for the 
Department and its bureaus in accordance with FISMA, 
implementing enterprise cybersecurity functions in accordance 
with FISMA and coordinating incident response activities on 
behalf of the Department.
    As Mr. Wales testified at the Committee's previous hearing 
on the SolarWinds attack, a cybersecurity campaign affecting 
multiple Federal agencies, critical infrastructure providers, 
and private sector organizations was identified in early 
December 2020. Within Commerce, National Telecommunications and 
Information Administration (NTIA) identified indications of a 
potential systemic compromise related to this campaign and 
immediately began engaging with the Department's Office of the 
CIO to initiate incident response activities. As a result of 
this engagement, the Department was one of the first Federal 
agencies to identify potential systemic compromise in response 
to SolarWinds, determined that this was a major incident, and 
immediately initiated coordination with CISA to assist.
    FISMA directs OMB to define the term ``major incident'' and 
requires agencies to notify Congress in the event of one. As 
defined by OMB, major incidents include those that are likely 
to result in demonstrable harm to the national security 
interests, foreign relations, or the economy of the United 
States or to the public confidence, civil liberties, or public 
health and safety of the American people.
    Based upon what the Department knew concerning the 
potential systemic compromise, an initial review showed it met 
the definition of a major cybersecurity incident. Within an 
hour of making this determination, the Department notified CISA 
and OMB. Subsequently, the Department, in accordance with 
Presidential Policy Directive-41 (PPD-41), sent a notification 
of a significant cybersecurity incident to the FBI, CISA, and 
the ODNI to request coordinated support. As required by FISMA, 
the Department notified Congress within 7 days and subsequently 
provided more detailed information.
    The Department actively participated in the Cyber Unified 
Coordination Group stood up in response to the SolarWinds 
incident, which supported information sharing and coordination 
across the government for all affected agencies.
    Along with the hands-on assistance with respect to the 
identified compromise, CISA also released Emergency Directive 
21-01, which provided guidance for the Department to further 
investigate and determine the scope of exposure at the 
Department's bureaus beyond NTIA. The Department completed all 
required activities for the energy directive, including the 
three supplementals. Department and bureau representatives also 
regularly participated in CISA-hosted calls, which provided 
updated information about developments related to the incident.
    In addition to CISA, the Department received assistance 
from the FBI and the Microsoft Detection and Response Team 
(DART) to investigate, remediate and recover from the 
SolarWinds incident. We have concluded our initial engagements 
with each of these partners and received recommendations from 
CISA and Microsoft to inform our immediate recovery activities. 
Along with the remediation efforts in process by the Department 
and NTIA, the longer-term recovery plan includes: adopting and 
implementing zero trust for migrating to a modern security 
architecture; conducting Trusted Internet Connection (TIC) 3.03 
pilots for accelerating the adoption of cloud, mobile, and 
other emerging technologies; upgrading security features in 
existing solutions and services to maximize capabilities; and 
transitioning to cloud-centric models and replacing legacy on-
premise infrastructure.
    In closing, I want to emphasize that we remain in close 
coordination with our Federal partners to ensure that we are 
sharing relevant information through established channels and 
continuously identifying opportunities to strengthen our 
cybersecurity posture. While the immediate activities related 
to SolarWinds have moved from incident response to longer-term 
recovery, we must remain vigilant as the threat environment 
continues to evolve and our adversaries learn from these 
incidents just as we do.
    Thank you again for the opportunity to appear before you 
today, and I look forward to answering your questions.
    Chairman Peters. Thank you, Mr. Higgins, for your 
testimony.
    Our final witness today is Janet Vogel, Chief Information 
Security Officer for the Department of Health and Human 
Services. In this role, Ms. Vogel has initiated transformation 
projects related to machine learning, authorization to operate, 
and cybersecurity reporting standardization. Ms. Vogel 
previously served as the Deputy Chief Information Officer and 
Director for Operations for the Office of Information 
Technology for the Centers for Medicare & Medicaid Services 
(CMS). Ms. Vogel joined the HHS Office of the Secretary in 
2018, with more than 25 years of experience. Her experience 
includes implementing the Federal Shared System for human 
resources (HR) management, known as ``HR Connect,'' at the U.S. 
Treasury and directing information technology policy and 
implementing the fee-for-service management of systems at the 
Federal Aviation Administration (FAA).
    Welcome, Ms. Vogel. You are now recognized for your five 
minute opening statement.

    TESTIMONY OF JANET VOGEL,\1\ CHIEF INFORMATION SECURITY 
     OFFICER, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Ms. Vogel. Thank you. Good morning, Chairman Peters, 
Ranking Member Portman, and Members of the Committee. Thank you 
for the invitation to appear before you today to provide an 
update on the Department of Health and Human Services' incident 
response activities.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Vogel appears in the Appendix on 
page 126.
---------------------------------------------------------------------------
    I serve as the Department's Chief Information Security 
Officer in the Office of the Chief Information Officer, and I 
have led the security program at HHS since 2018. My office 
establishes policies and procedures for the operating divisions 
and the Department. We also implement and operate enterprise 
cybersecurity functions and coordinate incident response 
activities on behalf of the Department.
    As we know today, the SolarWinds event was an unprecedented 
attack on the SolarWinds Corporation and its public and private 
sector customers. Malicious actors accessed the corporation's 
environment and introduced the malicious code. The code was 
then spread to SolarWinds customers through regular software 
updates. HHS' response to this threat is detailed in the 
written testimony provided to the Committee. I will summarize 
some of those actions here.
    On the evening of December 13, 2020, I received a call from 
a CISA colleague alerting me to malicious activity. We 
immediately engaged all of the components of Health and Human 
Services and joined the CISA-led call. Action was taken 
immediately after that call to begin mitigation of any 
potential impact of the malware. We implemented enterprise 
security tools. We searched for the activity that would match 
the attacker's indicators, tactics, and techniques. We notified 
all operating divisions and began taking a coordinated action 
against the versions of the malicious software. We took all of 
those instances offline immediately and began analyzing the 
results.
    Soon after, we received Emergency Directive 21-01 from the 
CISA, and we were able to begin implementing and responding 
right away. The next day we were able to report out to CISA our 
activities and how we have met the initial version 21-01 
requirements.
    Since that time, we also responded to any supplemental 
guidance, and we utilized the tools provided by CISA to help 
mitigate any of the potential impacts and also block all of the 
network access.
    During the investigation and remediation period, HHS 
identified several lessons learned, and we tested our best 
practices. Several of our practices align with new 
cybersecurity frameworks such as zero trust. One example is 
that network segmentation and other defense-in-depth practices 
can limit the degree to which a compromise in one system can 
spread to other systems.
    In summary, HHS will continue to take every necessary 
precaution to address this and other incidents like it in the 
future. We remain mindful that our adversaries are already 
developing other cyber hacking approaches and capabilities. 
With our partners such as CISA, the private sector, and other 
Federal and private organizations, we will remain vigilant. We 
are committed to addressing the unique and ever-changing 
challenges in cybersecurity to ensure all Americans' safety, 
security, and confidence in our digitally connected world.
    Chairman Peters, Ranking Member Portman, Members of the 
Committee, we appreciate the opportunity to testify today, and 
I am happy to answer any questions. Thank you.
    Chairman Peters. Thank you, Ms. Vogel.
    Mr. Wales, I know we are here today to focus on Federal 
cybersecurity, but I think it is important to discuss the 
attack that we have just recently seen on Colonial Pipeline, 
one of the largest attacks on critical infrastructure in our 
history.
    Last month, Ranking Member Portman and I introduced the 
Cyber Response and Recovery Act, which would give the Secretary 
of Homeland Security the authority to declare a significant 
incident and use Cyber Response and Recovery Fund after events 
like this. I know you are familiar with the legislation that we 
have introduced.
    While I understand it is too soon to talk about this in 
relation to the specific situation, we are still learning a lot 
about that, and we will see the impact of that in the days and 
weeks ahead. But if you could answer the question: How would 
this new authority enable CISA to provide more assistance 
during these types of incidents and whether they occur on 
privately owned critical infrastructure or the Federal system? 
What is your assessment?
    Mr. Wales. Sure, sir, and, again, we think that this is an 
absolutely instrumental advancement in the country's ability to 
respond to significant catastrophic cyber incidents. We have 
seen that our adversaries are increasingly focused on broad, 
significant campaigns, campaigns that do not focus on any 
individual sector. They are not limited to just the government. 
In the face of those broad campaigns, we want to ensure that we 
have the resources to surge our support, our incident response, 
and our prevention activities to the scale that they are 
needed, and, in particular, the kinds of entities that most 
often come to CISA for assistance, State and local governments, 
small private sector companies that do not have the resources 
and organic skills to be able to respond to incidents of the 
scale and severity that we have seen. A Cyber Response and 
Recovery Fund will be essential in ensuring that we have those 
resources, we can expand our capacity, and we can support our 
ability to get ahead of catastrophic cyber incidents. So we are 
eager to continue working with Congress on the establishment 
and execution of such a fund.
    Chairman Peters. I appreciate the support of our 
legislation, and you talked about the additional resources from 
the fund. Could you be a little more specific to give folks a 
better appreciation as to how those funds would be used to help 
in situations like we have seen?
    Mr. Wales. Sure. I think there are a couple of different 
ways in which we would potentially use those funds. First is to 
ensure that we can expand and surge CISA's organic incident 
response teams, bringing in additional, for example, contract 
resources to build out our cyber defense teams to allow us to 
go onsite and assist potential victims. It will be used to 
deploy additional sensors and technologies at sites that we are 
responding to. It can also be used to reimburse other agencies 
for assistance, so there are times when we establish agreements 
with the Department of Defense (DOD) to surge activities from 
the cyber--surge resources from U.S. Cyber Command and others. 
And right now we have to take that out of our existing 
resources. We would have the CRRF in the future to be able to 
reimburse those agencies for the assistance that they are 
providing on behalf of CISA to support our partners or the 
potential victims in the field.
    Chairman Peters. Mr. Wales, SolarWinds was a critical 
cybersecurity incident because of the sensitive information 
that was accessed but also the widespread impact that it had 
all across the Federal Government as well as private sectors. 
FISMA, however, does not seem to account for this kind of 
widespread intrusion.
    From your perspective as the lead operational agency for 
Federal cybersecurity, do you agree that we need to consider 
the scope of an incident, how many victims are affected, for 
example, when evaluating its severity?
    Mr. Wales. Yes, and as a point of fact, we score incidents 
ourselves using a scoring schema that was part of the National 
Cyber Incident Response Plan (NCIRP), and one of the factors we 
look at as part of that is the scale and scope of the incident.
    Chairman Peters. When you issued your SolarWinds emergency 
directive, you requested that every agency respond with details 
of their compromise to help determine both the number and the 
severity of which each of the different agencies were affected. 
Is that a correct reading of the directive?
    Mr. Wales. Correct.
    Chairman Peters. Why was it so important for CISA to 
understand the overall severity of the threat? If you could 
explain that for the Committee, please.
    Mr. Wales. Sure, and as I pointed out in my opening 
remarks, one of the lines of effort of CISA's work in 
partnership with the other UCG members like the FBI is 
understanding the scope of the incident, because that is going 
to help us ensure that we are providing support to the right 
places; we understand the objective of the adversary. We could 
look for potential compromises in places that it has not yet 
been detected. And so it is instrumental in any of our 
additional cybersecurity work to understand exactly what 
happened.
    Chairman Peters. So to Mr. Higgins and Ms. Vogel, clearly 
the Departments vary significantly in when and how they declare 
a major cyber incident and share information with Congress. 
While I understand that early on you may not have known all of 
the details of the intrusion, a notification that says, 
``Something happened,'' without any additional details or 
context, quite frankly, prevents Congress from conducting 
effective oversight. The law governing this is FISMA, and while 
agencies may be meeting the letter of the law, they certainly 
are not meeting the intent of the law.
    So my question to both of you: Do you believe that sending 
a notification to Congress simply saying that an intrusion into 
your agency's network occurred but not providing any details is 
sufficient for effective oversight? Mr. Higgins.
    Mr. Higgins. Chairman Peters, with regards to the 
Department of Commerce, when we encountered the incident, we 
took into consideration a few different things: the nature of 
the compromise. We took into consideration the systems and 
information involved. We also took into consideration the 
stakeholders and customers impacted.
    Given what we knew and, more importantly, what we did not 
know, we felt it more than appropriate to notify OMB and CISA 
and subsequently Congress of a major cybersecurity incident. It 
is important to note that given the moment you are not going to 
have all the information that you need but you are going to 
have enough information to share that with CISA and others to 
prevent any further spreading of malicious activity. So with 
respect to Commerce, it is important that we are transparent 
and up front with what we know and what we do not know as soon 
as we can so that all bodies involved can make requisite 
decisions and take the necessary action.
    Chairman Peters. Yes, absolutely.
    Ms. Vogel.
    Ms. Vogel. Yes, thank you, Chairman Peters. When we 
received notice and the details of an incident, we were able to 
respond very quickly with an assessment of whether we had been 
compromised and the impact of that. As we looked at the impact 
against the criteria, we felt that we had not lost any data. We 
had also firewalled everything appropriately, that there would 
not be follow-up activity. We determined right away we did not 
believe this was a major incident--certainly a very 
sophisticated and complicated event, but we confirmed with CISA 
and also our OMB desk officer our determination that we would 
not declare a major incident at that time.
    Again, if we had received more information, if we had 
gotten other signs of activity, we would have revisited that 
decision right away, and we would have conferred with the CISA, 
who have details that they could share with us about what was 
going on in other departments.
    Chairman Peters. Very well. Ranking Member Portman, you are 
recognized for your questions.
    Senator Portman. Great. Thank you, Mr. Chairman.
    I will say I am concerned that agencies just did not 
report. Under FISMA it is pretty clear, when you look at the 
definition, that a report would have been required, any 
incident ``likely to result in demonstrable harm to the 
national security interest, foreign relations, or economy'' or 
a breach involving personally identifiable information (PII). 
So maybe we need to tighten up that FISMA requirement, because 
the CISA requirement and the OMB requirement is far more 
specific. I appreciate the fact that Commerce did report to 
Congress--thank you--and I am concerned that HHS did not.
    Ms. Vogel, I understand that you all looked at what the 
impact was on HHS, but to me this was definitely a major 
incident, and certainly it was in terms of the relationship 
between the different agencies.
    I would agree with what the Chairman at least implied in 
his questioning, which is that at least, give us the 
opportunity to get notified of these so that we can do our 
proper oversight and be sure that we are putting together 
legislation that makes sense to respond to these attacks.
    With regard to Colonial Pipeline, I know today's focus is 
about Federal cybersecurity attacks, but this Colonial Pipeline 
one, as I said earlier, is probably the biggest attack ever on 
American infrastructure, certainly the biggest one that we know 
of. Colonial supplies almost half of the oil to the east coast. 
The systems remain offline today as we talk. They have made 
some progress, I understand, opening up some lines, but not all 
the way to the east coast. My hope is by the end of this week, 
that will be improved. But this is a historic example of how 
these cyber attacks can have real, demonstrable impacts on our 
economy and our national security. Ask the people who are in 
east coast States about what they are paying for gasoline today 
at the pump, and they will tell you it has impact.
    There are a variety of tools and guidance to combat 
ransomware at CISA, Mr. Wales, but as we have seen here, we are 
not effectively combating ransomware. Let me ask you a couple 
questions. Did Colonial contact you?
    Mr. Wales. They did not contact CISA directly.
    Senator Portman. So they did not contact CISA. Did CISA 
contact Colonial?
    Mr. Wales. We were brought in by the FBI after they were 
notified about the incident.
    Senator Portman. OK. Would it have been helpful to you if 
Colonial had contacted you immediately to provide information 
so you could respond more effectively?
    Mr. Wales. So we received information fairly quickly in 
concert with the FBI. I think right now we are waiting for 
additional technical information on exactly what happened at 
Colonial so that we can use that information to potentially 
protect other potential victims down the road.
    Senator Portman. So you still do not have the technical 
information you need to be able to be responsive and to provide 
support to critical infrastructure. Is that what you are 
saying?
    Mr. Wales. Yes, but that is not surprising given that they 
have only been working on the incident response since over the 
weekend and it is fairly early. We have had a historically good 
relationship with both Colonial as well as the cybersecurity 
firms that are working on their behalf. We do expect 
information to come from that, and when we have it, we will use 
it to help improve cybersecurity more broadly.
    Senator Portman. If the FBI had not brought you in, would 
Colonial, do you think, have contacted you to ask for your 
assistance?
    Mr. Wales. No.
    Senator Portman. Do you think that is a problem?
    Mr. Wales. I think that there is benefit when CISA is 
brought in quickly, because the information that we glean, we 
work to share it in a broader fashion to protect other critical 
infrastructure.
    Senator Portman. Right. I think that is the point, that, 
one, you could have helped Colonial; but, two, having that 
technical information enables you to help other critical 
infrastructure. If there is ransomware focused on Colonial, 
there is likely to be ransomware focused on other critical 
infrastructure as well. Isn't that true?
    Mr. Wales. That is true.
    Senator Portman. We appreciate your testimony today about 
the need for more funding, for preparedness funding, for CISA 
funding, the need to transform some of our systems and the cost 
of that. But it seems to me we also have to worry about these 
attacks, whether they are direct cyber attacks in the Federal 
Government or whether they are attacks in the private sector, 
whether they are ransomware attacks, being communicated to CISA 
in that you have the expertise. We have passed a lot of 
funding already and a lot of bipartisan legislation to help you 
all have the tools that you need. It seems to me we have to be 
sure that communication flow is happening.
    By the way, just a general question, and I look forward to 
a second round when we can get into more of this. But my sense 
is that we have a number of vulnerabilities at the Federal 
level. One is the systems themselves. In other words, the 
software, in particular, some of the hardware is not updated. 
Is that accurate?
    Mr. Wales. There are legacy systems in the Federal 
Government that require modernization, absolutely.
    Senator Portman. Is that where you would focus most of the 
funding immediately? What would be your top target? Because, 
also, we have a lot of discussion on this Committee about 
personnel and ensuring we have the best and the brightest with 
the Federal Government to be able to protect our personal 
information and national security. We also know that there is 
concern about practices; in other words, even with the best 
personnel and with the best infrastructure, software and 
hardware, if you are not following the right practices, the so-
called cyber hygiene to be able to protect your systems, to be 
able to provide the appropriate encryption and so on, that it 
is difficult to defend against these attacks. How would you 
prioritize those and where would you prioritize the funding?
    Mr. Wales. Yes, I do not think you can prioritize among 
those three. Those are areas that, as you are deploying new 
technology, those all need to advance in parallel. You need to 
ensure that as you put in place new systems, you have the 
people that are actually capable of utilizing them to improve 
your security. You need to have people who have the ability to 
configure them in the right way. We see this a lot, 
particularly with the move to the cloud. In particular at the 
State and local level, they will deploy on the cloud, but they 
will misconfigure their cloud environment and make it open and 
accessible to potential malicious actors. And so you want to 
ensure that your technology, your people, and your processes 
are being modernized together, because if any one of those lags 
behind, you are going to introduce weaknesses into your overall 
information security program.
    Senator Portman. That is the idea in having CISA have more 
responsibility and more funding and the expertise, and so we 
need to continue to work on that. But, again, we have done a 
lot to provide the tools, and now the question is how do you 
bring those three elements and others together. We have to do 
it yesterday because these attacks continue.
    Mr. Wales. But, sir, I would also add that it is not just 
CISA, because ultimately the agencies are the ones that are 
deploying technology on their environment to support the 
operational needs of their mission. As they do so, they need to 
do it with security in mind. They need to build that kind of 
security and resilience in. They need to build in those kind of 
zero trust principles to ensure that their systems are 
protected. They need to ensure that they have the right people 
and processes in place. We can assist them. We provide best 
practices. In some cases, we provide technology. But, overall, 
managing that information security program at an agency is 
essential, and I think that is why we need to ensure that the 
CISOs like those joining me today are kind of empowered and 
resourced to be able to support the needs and the security of 
their agency.
    Senator Portman. Empowered and resourced and held 
accountable for what happens at those agencies, including the 
reporting we talked about earlier. Correct?
    Mr. Wales. Yes.
    Senator Portman. Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Portman, and 
accountability is critically important. I could not agree more.
    Senator Carper, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman. Can you hear me?
    Chairman Peters. I hear you fine, Senator.
    Senator Carper. All right. Let me start off by saying to 
Director Wales, thank you for serving as our Acting Director in 
this capacity for a number of months. I just want to thank you 
for that and for your continued service. I understand someone 
else has been nominated to succeed you, but you will continue 
in this post for a while, and we thank you for that.
    In your testimony you describe how CISA has the unique 
ability to gather and to analyze information from the Federal 
civilian networks, with data received from the intelligence 
community (IC), from the private sector, and State, local, 
tribal, and territorial (SLTT) partners. Could you take a 
moment, please, and explain how CISA's unique role and its 
ability to access information across various sectors has helped 
the agency respond to the SolarWinds attack?
    Mr. Wales. Sure, thank you, Senator. I appreciate the kind 
words, and your question I think is important, and it gets into 
a bit of the exchange that I was having with Senator Portman.
    CISA's unique responsibility is to help the broad community 
improve their cybersecurity. We are the only Federal agency 
charged with getting information out to support everyone's 
cybersecurity and resilience. But for us to do that, we need to 
be fed the right information from all of our partners. That 
means from the intelligence community, getting an understanding 
of where the adversaries are focusing, the tactics and 
techniques that they are using. It means gaining access from 
our private sector colleagues and our State and local 
governments about what they are seeing on their networks. The 
earlier we have that information and the more information we are 
able to bring together, the better picture that we can provide 
about what is happening, what vulnerabilities our adversaries 
are attempting to exploit, what techniques that they are using, 
what signatures we can load into the defensive systems, what 
new tools we need to deploy. But all of that requires being fed 
and that information coming together in one place, and I think 
that is CISA's focus, enhancing our ability to take that 
information in, to analyze it and get it out, because 
ultimately we have that responsibility of helping to improve 
the cybersecurity baseline across the country, across sectors, 
across the public and private divide, and make our country more 
secure. I think we work hard every day to build that collective 
defense model, but it does require support. It does require 
collaboration from our industry and from our State and local 
governments. I think we have worked hard over the past several 
years to build trust that enables that to happen, but we still 
have a lot of work ahead of us.
    Senator Carper. All right. Thank you for that response.
    I have a follow-up for Mr. Higgins and also for Ms. Vogel. 
Thank you both again for joining us today and for your 
continued service. I frequently say that the two most important 
ingredients to a healthy democracy are the same two ingredients 
that are helpful for a healthy marriage, and they are 
collaboration and communication. I believe that CISA's work to 
protect and defend our Federal Government networks and to help 
agencies respond to cyber incidents requires the same thing--
collaboration and communication.
    Mr. Higgins and Ms. Vogel, could each of you take a moment 
to describe how CISA helps your respective agencies respond to 
and protect against the SolarWinds attack? Go right ahead. Mr. 
Higgins, you go first.
    Mr. Higgins. Certainly, Senator. With regards to the 
support that we receive from CISA, they were instrumental in 
helping us with regards to incident report, threat hunting, 
analysis of logs, analysis of forensic images as well, but also 
information sharing. I think throughout the course of the 
engagement CISA was a partner the whole way. They augmented our 
current capabilities and provided us with very informative 
lessons learned that we can use to fortify our cybersecurity 
defenses moving forward that feed into our long-term objectives 
in terms of our strategies, our policies, our procedures. We 
are very fortunate and appreciative of the support that we do 
receive from CISA.
    Senator Carper. Thanks for that.
    Ms. Vogel, could you describe for us how CISA helped your 
agency respond to and protect against the SolarWinds attack.
    Ms. Vogel. Certainly, and thank you for your words. We were 
able to share information with CISA and our private sector 
partners, our focus being on health and human services for the 
country. We are in multiple organizations that share 
information on cybersecurity, especially in the health care 
sector. CISA is able to give us tools and information that they 
can gather from other sectors that might apply in our 
environment. Not every instance is the same, and our business 
within HHS is much varied over many different types of 
business. CISA has provided information and collaboration 
opportunities for us that have been able to let us engage with 
other departments on specific needs and in specific areas. So 
definitely they have facilitated collaboration and 
communication for us.
    Senator Carper. Thanks. Thanks for that.
    A brief follow-up question, the same question for each of 
you. How can we improve interagency communication and 
collaboration between CISA and other government agencies not 
only after cyber incidents but before one occurs? Ms. Vogel, 
would you go first?
    Ms. Vogel. Certainly. Currently we interact with CISA 
colleagues on a regular basis. I meet with my colleagues. We 
also have multiple work groups, and in those work groups they 
look at the technical environment at the time and what to do. 
They work side by side when solving problems or doing research.
    We have more opportunities for communication and 
collaboration as new events develop. We are also working on 
resiliency to be prepared to be able to mitigate any potential 
threats that come.
    So in our opportunities to engage with CISA, we feel that 
there is an extremely beneficial back-and-forth that we work 
with them on a daily basis.
    Senator Carper. Mr. Higgins, briefly respond to the same 
question, please.
    Mr. Higgins. Yes, Senator. I think collaborating and 
communicating not only when something goes wrong but all the 
time, I think it has to be an ongoing endeavor. With regards to 
the other item, I would say making sure that CISA has the 
requisite visibility within your environment so that they can 
take the requisite actions as opposed to waiting for a data 
call or something to that effect. I think there is a lot of 
technology that we can employ, implement within our environment 
to ensure that CISA has visibility so that when something does 
happen, it lessens the timeframe in which they can act and 
we can communicate with them.
    Senator Carper. All right. My thanks to both of you. Thank 
you to our Director as well.
    Thanks, Mr. Chairman.
    Chairman Peters. Thank you, Senator Carper.
    Senator Johnson, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR JOHNSON

    Senator Johnson. Thank you, Mr. Chairman.
    Picking up a little bit with what Senator Carper was 
talking about, the cooperation and collaboration between the 
agencies, I think it is one of the reasons we helped facilitate 
the passage and now hopefully the appointment of a National 
Cyber Director so that we have somebody in charge, somebody who 
can be held accountable, and somebody who can enforce that 
collaboration. I am looking forward to meeting with the nominee 
here shortly, and hopefully we can get that individual 
confirmed and on the job and being held accountable.
    Mr. Wales, there is not a problem, since I have been here, 
10, going on 11 years, that the solution is not always more 
funding. CISA's budget is around $2 billion a year. Correct?
    Mr. Wales. Correct.
    Senator Johnson. DHS total, about 2.6. The Federal 
Government in total for 2021 will spend almost $19 billion on 
cybersecurity. In the real world, that is a lot of money. Have 
you done kind of soup-to-nuts, zero-based budgeting to 
determine how you are already spending the $2 billion? Let us 
face it, whether it is the Office of Personnel Management (OPM) 
hack, the SolarWinds, it just keeps happening. Again, this is 
not an easy issue. I understand that. But, unfortunately, I 
have been in this role now for many years and listened to kind 
of the same bureaucratic explanations, the same, collaboration, 
information sharing, which I think is all important, but these 
problems are still happening. Have you really done a deep dive 
in terms of what CISA does and what these agencies are spending 
all this $19 billion on?
    Mr. Wales. Sure, so I can certainly talk within CISA. We 
have looked hard at our budget to make tradeoff decisions about 
where we need to invest our resources to be smart about 
ensuring that we are applying resources in the areas that need 
it most. I think that the challenge that we face across the 
entire U.S. Government is twofold:
    First is that we are in a bit of a technology and 
cybersecurity deficit, that we have not invested to the degree 
necessary over time, particularly in modernizing legacy systems 
that have vulnerabilities----
    Senator Johnson. Should we maybe, the $1.9 trillion COVID 
relief package--maybe put some of that $1.9 trillion toward 
this? Or talking about infrastructure, should we maybe--if we 
are going to spend money on infrastructure, spend it on that? I 
want some short answers here because I have a lot of questions.
    Mr. Wales. Sure. I will say that we believe that any 
infrastructure development should have cybersecurity and 
resilience built in up front. I will leave it to you about how 
best to achieve those goals. But I just want to make one really 
fast point, which is the challenge in cyber is that the threats 
and the technology are advancing substantially, so technology 
that we deployed 15 years ago needs substantial modernization 
today to ensure that it keeps pace with the threats that we are 
now facing.
    Senator Johnson. The Federal Government has a hard time 
keeping pace. Let me just ask you, have you connected the dots 
or are you trying to connect the dots or looking to see if they 
are connected between the SolarWinds hack and what happened 
with Colonial Pipeline? The reason I ask this is my concern 
about what happened with Colonial Pipeline is it is just a shot 
across the bow. These hacks and what was achieved with 
SolarWinds, it is gathering information to be used at some 
point in time. Are we looking seriously in terms of how they 
may use that information and whether or not this might have 
been connected to the Colonial Pipeline?
    Mr. Wales. We are looking hard at the information that the 
adversary gleaned from SolarWinds, looking at reflections and 
intelligence, and the FBI is actively investigating the 
Colonial Pipeline incident. What I can say is they have 
positively attributed this incident to the DarkSide ransomware 
crew, which is a criminal enterprise, and it is not surprising 
that a criminal enterprise is going after increasingly 
important targets for ransomware operations. We have seen this 
over the past 2 years. They are going after bigger players to 
get bigger ransoms. Ransoms last year went up to around 
$300,000 for small ones and millions of dollars for the big 
ones. So it is not----
    Senator Johnson. Right. We understand that is a problem. 
Again, we are trying to figure out how to prevent it.
    I want to shift a little bit in terms of the vulnerability of 
our electrical grid because that is really to a certain extent 
what the Colonial Pipeline hack is about. We saw the Texas 
power outage. As we move toward the Internet of Things (IoT), 
as we become more and more connected, we become way more 
vulnerable. As we move toward this green energy utopia, I am 
highly concerned that we are making our electrical grid even 
more vulnerable to these types of attacks. Again, that is why I 
am saying this is just a shot across the bow. I do not think we 
have even come close to addressing the vulnerability of our 
grid. Again, infrastructure package, I am not hearing anybody 
talk about purchasing in advance these large power transformers 
that could be wiped out in an electromagnetic pulse (EMP), 
geomagnetic disturbance (GMD), or a cyber attack, and they are 
irreplaceable, basically, in a short period of time. We are 
just not thinking through how incredibly vulnerable we are. We 
are shutting down nuclear energy plants. The fact that we are 
allowing homeowners to tie into the grid, to sell back energy 
from their solar panels, address how unbelievably vulnerable we 
truly are in our electrical grid and how a move toward green 
energy is probably making us even more vulnerable. Is that 
something CISA is really looking at? Because you are way more 
than cybersecurity. You are about infrastructure security.
    Mr. Wales. Sure, and we are working very closely with the 
Energy Department as well as the Transportation Security 
Administration (TSA), which is responsible for security of 
pipelines, particularly focused on natural gas pipelines that 
are feeding electric power-generating units across the country. 
We have worked hard to do assessments on pipelines, 
particularly looking at their Supervisory Control and Data 
Acquisition (SCADA) systems, their industrial control systems, 
the operational networks that manage and run these complex 
systems, to provide as much as we can in terms of advice, 
recommendations for improving the network architectures, making 
improvements to their baseline level of cybersecurity, how they 
can improve network segmentation to avoid disruptions on 
business systems impacting operational systems. So that has 
been a significant focus of CISA's work over the past year.
    Senator Johnson. Again, would you agree we are becoming 
more vulnerable?
    Mr. Wales. I would say----
    Senator Johnson. Rather than creating island grids, we are 
becoming more and more connected and leaving us even more and 
more vulnerable. Isn't that correct?
    Mr. Wales. What I would say is that because of the 
deployment of technology, we are becoming more susceptible to 
cybersecurity risk in more parts of our infrastructure, more 
parts of our manufacturing, more parts of our health care, and 
we need to work hard to ensure that we are providing security 
around those new systems.
    Senator Johnson. Thanks for that answer.
    Mr. Chairman, I would like certainly this Committee and I 
would like this administration to really focus on the 
vulnerability, because we are not. We are not making the 
investments, for example, in those large power transformers. 
They are irreplaceable basically in the short term. We are just 
not recognizing how vulnerable we are.
    Thank you.
    Chairman Peters. Thank you, Senator Johnson.
    Senator Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you very much, Mr. Chair and Ranking 
Member Portman, for holding this hearing. Thank you to our 
witnesses today for being here on this important national 
security issue and for your service.
    I want to start with a question to Ms. Vogel and Mr. 
Higgins. Our other witness, Mr. Wales, has previously testified 
that the Continuous Diagnostics and Mitigation (CDM) program 
will continue to be an integral part of securing the Federal 
Government's network, including through the addition of more 
capabilities such as endpoint detection and response tools.
    I agree with Mr. Wales, which is why Senator Cornyn and I 
introduced a bill last Congress to codify CDM. But I am also 
interested to hear about CDM from the perspective of those 
agencies implementing it.
    Ms. Vogel and Mr. Higgins, how does CDM factor into the 
plans for improving your agencies' cybersecurity? What 
challenges, if any, have you encountered in implementing CDM? 
Ms. Vogel, we can start with you.
    Ms. Vogel. Thank you, and thank you for your comments. CDM 
has been quite a challenge, and that is because it is a huge 
effort. It is looking into all the complexities of our multiple 
operating divisions within HHS. In doing so, we encounter 
different scenarios, different status of modernization, and 
each of those areas has to be tailored to a specific 
requirement, and it means we have to change software, hardware, 
or whatever we do.
    It is a very complex activity. We have found, though, that 
what is provided really helps us as a Department, because as we 
have implemented the different aspects of CDM, we are getting 
more information more timely, and that means we can respond to 
anything that we see going on on our network or anywhere else. 
We see that faster. We can respond faster. That helps mitigate 
any of the potential damage.
    Senator Hassan. Thank you.
    Ms. Vogel. So we are very encouraged by the success of CDM 
so far, and we are looking forward to the expansion to help us 
manage the cybersecurity risks in HHS.
    Senator Hassan. Thank you.
    Mr. Higgins.
    Mr. Higgins. Yes, Senator, so CDM plays an integral role 
within the Department of Commerce in terms of fortifying our 
cybersecurity posture. We as well are working very closely with 
CISA to roll out the various phases.
    With regards to challenges, you are always going to have 
things like integration, duplication, ensuring that you are not 
purchasing things for the sake of purchasing, but purchasing 
those things that are going to give you greater security and 
making sure that, as we purchase things, we can decommission 
other things to achieve cost savings. So suffice it to say CDM 
has been a huge success for us. We have a lot of work to do. 
The challenges may persist, but we look very much forward to 
continuing CDM implementation throughout the Department.
    Senator Hassan. Thank you. And just quickly for each of 
you, would it be helpful to your agencies if additional 
capabilities were made available such as endpoint detection and 
response tools? Mr. Higgins.
    Mr. Higgins. Absolutely, Senator.
    Senator Hassan. Ms. Vogel.
    Ms. Vogel. Yes.
    Senator Hassan. Thank you.
    To Mr. Wales, the Department of Homeland Security recently 
launched its cybersecurity workforce sprint with the goal of 
hiring 200 cybersecurity professionals by July, including 100 
at the Cybersecurity and Infrastructure Security Agency, your 
agency. We all recognize that this is a really short timeframe, 
so how are DHS and CISA going to accomplish this goal?
    Mr. Wales. Sure, thank you, Senator, and I think going to 
Senator Portman's question earlier, the people are 
instrumental. They are critical to all the things that we do in 
CISA to achieve our goals, whether it is program management of 
complex programs like CDM or technical expertise that we are 
providing to agencies.
    We are using a number of different avenues to recruit our 
cybersecurity workforce. Part of that includes using new 
programs that the Department is rolling out, for example, an 
honors program focused on new graduates to bring in new 
professionals into the workforce. Part of it is using our 
existing array of authorities. We are doing a lot of recruiting 
events, particularly at minority-serving institutions, during 
this period. Our goal is to begin to fill our ranks more 
quickly.
    I will say we have made a lot of progress. We have hired 
more people in the first six months of 2021 than we have in the 
previous two years, but we have a lot more work to do. We still 
have vacancies to fill, and we are going to use as many tools 
as we can to fill them.
    Senator Hassan. Thank you. Will DHS use the special hiring 
authorities for cybersecurity positions Congress granted it in 
2014, which has turned into the Cyber Talent Management System 
(CTMS)? When do you expect it to be operational if you are 
going to use that?
    Mr. Wales. So right now the Department is indicating that 
they believe it will be fully up and running in the fall, and 
as soon as it is up and running, we are ready to begin using it 
to hire folks. We have been working to identify the types of 
positions that we think are best filled using the Cyber Talent 
Management System approach. We have worked hard with the 
Department to build out the testing around the specific 
positions, and so we are ready to use it as soon as the program 
is live.
    Senator Hassan. Why has it taken so long to get there? This 
was authority granted in 2014.
    Mr. Wales. Sure. I am not best positioned to talk about the 
length of time; this was a program that was managed by the 
Department's Chief Human Capital Officer (CHCO). However, I 
will say in order for us to do it, we have to roll out a fairly 
significant new human capital system, completely doing away 
with the existing general schedule that we have used since the 
1920s or 1940s. It has required a large-scale rulemaking effort 
that is finishing up now. It has taken longer than I think 
anyone wanted, but it appears that we are on the cusp of 
getting the program live, and we are ready to use it when it 
is.
    Senator Hassan. OK. Then I just wanted to follow up. You 
mentioned that you were also focused in your recruiting on 
minority institutions that serve minority students. Is CISA 
also considering creating cyber apprenticeships that will allow 
people from diverse socioeconomic backgrounds to get trained up 
without the up-front education and credentialing costs 
typically needed for cybersecurity positions?
    Mr. Wales. I am not aware of a specific apprenticeship 
program that we have, but let me talk to the staff and see. 
There may be some things under development in our education and 
training team.
    Senator Hassan. Yes, one of the things--and I will finish 
with this and follow up with more questions on the record. But 
one of the things that I think is really important is to 
understand that sometimes we have job descriptions and 
requirements that are pretty outdated and rigid. When you think 
about the kind of apprenticeship training we could do or 
credentialing that we could do in a much more pathway-focused 
manner, it could really be a big boon here. I would look 
forward to discussing this with you further.
    Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Hassan.
    I need to step out momentarily to ask questions at the 
Armed Services Committee hearing that is going on now, so I 
will pass the gavel to Ranking Member Portman. But before I 
step out, Senator Lankford, you are recognized for your 
questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Chairman.
    Mr. Wales, let me walk through a little bit of a timeline. 
I have a broader question. It was December 8th of last year 
that FireEye notifies everyone, hey, there is a problem. We 
have detected what we consider a foreign actor somewhere that 
is ingrained in our system. A few days later, on December 13th, 
FireEye announced that it was compromised through SolarWinds 
through the Orion platform, and then it starts this chain of 
looking at who has SolarWinds, who has used the Orion platform, 
what does that look like, and it suddenly gets announced a lot 
of Federal entities have that, a lot of private entities have 
that, and it chains down from there.
    My question is: Had FireEye not found this December 8th, 
would it still be operational today?
    Mr. Wales. I do not know that we are capable of answering 
that question fully. There may be other ways in which either 
the public or the private sector could have identified that 
activity. But I have said before that our private sector 
cybersecurity capability in this country is a true asset, one 
that helps the overall security of our country every day, and 
we are lucky to have firms like FireEye and the other 
cybersecurity firms out there who are looking for 
vulnerabilities, looking for potential compromises, making the 
government aware to ensure that we can get ahead of it.
    I will just add one change to your timeline, which is 
FireEye notified us of potential compromises earlier than 
December 8th so that we could begin to understand what 
happened, begin to look at our own networks, and we are really 
appreciative of the partnership that we have with FireEye and 
other players.
    Senator Lankford. The challenge is the vulnerability here 
as we walk through this, because had FireEye not found this and 
said this is in our system, we have experienced an attack on 
it, and then started trying to figure out where it came from 
and realizing that it could be in a lot of other places that 
they had it, it was in other places as well. The challenge that 
we have is: How do we actually get onto this earlier and what 
systems do we have in place? I understand zero day attacks and 
that there are some things that are entirely novel. I get that, 
as this was through the process. But when I go through your 
testimony earlier and what your written testimony is, there is 
a lot of detail about the response, and it seems to be very 
detailed, that CISA's working response to this campaign has 
four lines of effort: scoping, sharing the information, 
detection techniques, short-term remediation, long-term 
strategic recovery. You are very focused on what happens after 
the fact. My question is: Are we that focused on before, on 
detection? Walk me through the process that CISA has in place 
in working with contractors and with government entities to be 
able to help determine things in advance? I know they are 
there. Walk me through those.
    Mr. Wales. Sure. I think that there are approaches that we 
are taking now, and then there are additional ways in which we 
want to improve our ability to detect compromises earlier. 
Right now the Federal Government, as you know, deploys 
technology on the perimeter of the Federal enterprise, looking 
for signatures of known malicious activity. When we get those, 
we then work with the agency where that incident is being 
targeted, to look inside of their systems, what are they 
seeing, because they have deeper insight in terms of what is 
happening on their individual networks.
    In the future, as I have talked about previously, we need 
to move deeper into networks, so an event like SolarWinds you 
are never going to detect at the perimeter, you are never going 
to detect at the edge.
    Senator Lankford. Right.
    Mr. Wales. You need to be looking on individual hosts, on 
individual servers and work stations for when those start to 
behave in anomalous fashions. Should your SolarWinds device all 
of a sudden start talking on an encrypted channel with the 
server outside of your network that it has never spoken to 
before and probably should not, that could get alerted more 
quickly. As Senator Hassan mentioned, the deployment of things 
like endpoint detection and response tools on those critical 
devices inside of networks will give both the agencies and CISA 
deeper insight into what is happening there and to be able to 
alert and cue us more quickly to incidents like this.
    Again, there is no silver bullet, but we believe that 
additional layers of visibility, additional improvements in 
network segmentation, additional improvements in how networks 
are architected and configured continues to drive adversaries 
to more complicated and sophisticated attacks, reduces the 
likelihood that they are successful, and increases the 
likelihood that we will detect them more quickly.
    Senator Lankford. Which agencies are leading in that effort 
right now? Because, obviously, any agency could already do 
that.
    Mr. Wales. Sure, and most agencies have begun to deploy 
things like endpoint detection tools on their network. What we 
are using is the additional money provided through the American 
Rescue Plan Act to really expand that more quickly to more 
agencies. Again, partly this is a funding issue, and then 
partly this is how do you take that information that is coming 
from these new tools and sensors, and how do you integrate it 
into improved visibility and action inside of agencies and with 
CISA? And so that is the work that we are undertaking today.
    Senator Lankford. So individual contractors and 
certification of those contractors, of what they have to 
achieve and then accountability for those contractors when they 
fail to achieve those.
    Mr. Wales. Yes, so there is a lot of work they need to do 
in the supply chain realm. The government is actively working 
on a cyber Executive Order (EO) that will begin to address some 
of that. But we know that the improvements in the supply chain, 
particularly for Federal agencies' software, is critical, and 
we think it will have tangible benefits for the private sector 
as companies who sell to the Federal Government make systemic 
improvements that will benefit everyone.
    Senator Lankford. Right. Six years ago, we were in a 
conversation at a hearing just like this where many Federal 
agencies were using virus protection programs and it was 
discovered that all of their data is routing through Russia. 
And this room was a little stunned by the whole process to be 
realized that we did not verify that, that no one was really 
checking those outside contractors, and that many agencies were 
using materials like that.
    So I guess my question is: Now, six years ago, as we 
continue to make progress on this and it has been chipping away 
for several years, at what point do we get to the balance that 
we know we are verifying what Federal computers are actually 
using and the providers that are actually doing that and what 
they are doing with that data? Then also not making this so 
incredibly difficult that we only have one or two primes that 
are out there and expose ourselves to having very few resources 
that are out there and very little innovation? You have to 
strike a difficult balance where we actually are doing 
oversight, but not driving people out of the market.
    Mr. Wales. Yes, and there has been significant improvement 
in both agencies and across the government looking at supply 
chain risk management in a more thorough way, and Congress has 
also provided a number of tools for us like the Federal 
Acquisition Security Council where DHS, DOD, and the ODNI, who 
are looking at it and assessing the potential risk posed by 
vendors for the Federal Government, either on the civilian 
side, the intelligence side, or the defense side, can make 
decisions and promulgate guidance for the rest of the agencies 
to remove high-risk software or hardware from their networks. 
That work is actually just getting started now, but provides us 
a real mechanism and a framework to actually rid our networks 
of anything that we think is high risk.
    CISA has obviously taken action in the past, for example, 
removing Kaspersky software across the civilian Executive 
Branch when we believed that the risk posed by using that 
software was too high. So we will take action in the interim, 
but we now have a more dedicated process to examine the exact 
issue that you are raising and systematically address it across 
the entire U.S. Government.
    Senator Lankford. OK. Thank you.
    Senator Portman [presiding]. Thank you, Senator Lankford.
    Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Senator Portman, of course, and 
Chairman Peters, for holding this very important hearing. I 
really appreciate the witnesses for your work in this area.
    I would like to move right onto our cyber workforce 
shortage because GAO has identified the consistent shortage of 
cybersecurity personnel at Federal agencies as high risk to our 
national security. So recent unprecedented cyber attacks, of 
course, like SolarWinds, the Colonial Pipeline breaches, they 
really demonstrate the urgency of equipping the U.S. Government 
with the cyber challenge that we need to prevent and respond to 
these attacks.
    So to address this gap, last year I co-led Senator Wicker's 
PACT Act as bipartisan legislation that was included in last 
year's NDAA that increases resources and pathways for an 
expanded cyber workforce. I also recently introduced bipartisan 
legislation with Senator Blackburn to establish a Civilian 
Cybersecurity Reserve at both DHS and DOD.
    Mr. Wales, how can CISA utilize preexisting links between 
the private sector and the Federal Government to mobilize a 
cybersecurity surge capacity at our times of greatest need?
    Mr. Wales. Sure, Senator. It is an important question and I 
think one that was in some respects the basis for our strong 
support for the Cyber Response and Recovery Fund concept. I 
know that it is being considered as part of 1316, but for us it 
is really about how do we ensure we have the right resources, 
and part of the way in which we would obviously use those 
resources is calling upon the significant private sector 
capacity we have in the country to support us when we have 
incidents that are significant and when our capabilities are 
being stretched to the limit. We are lucky we have not actually 
gotten to that point yet, but we know that with our adversaries 
growing more aggressive, it is only a matter of time before a 
catastrophic cyber incident really requires us to expand our 
capabilities beyond those that we have onboard. I think we are 
eager to work with Congress on additional ideas that you might 
have about how to strengthen the additional tools and 
capabilities that might be brought to bear like your concepts 
related to a reserve contingent. But we want to utilize every 
available mechanism, whether it is to hire people, whether it 
is to have surge capacity, or whether it is to have a reserve. 
So we are looking forward to continuing to work with you on 
that.
    Senator Rosen. Thank you. I would actually like to move 
onto something kind of similar, because the SolarWinds attack 
to me is especially disconcerting because the techniques used 
were novel. They had never been seen before. So can you talk, 
of course, in this setting a little bit about the status of 
your analysis on the specific techniques that were novel used 
in the attack and how that information is being identified to 
help us do threat hunting, identify new vulnerabilities? Where 
are we with understanding this new novel threat assessment and 
trying to plug any gaps there?
    Mr. Wales. Sure, and I think the idea is in many cases it 
was a series of kind of small novel techniques that, when 
coupled together, allowed them to execute an extremely 
sophisticated attack. I think I would divide it into a couple 
of areas. The first, and this was part of my discussion with 
Senator Lankford, is: How do we ensure confidence in the supply 
chain, particularly of software that is provided to the Federal 
Government? There are a number of things that we are doing to 
help improve the work that the Federal Government has to ensure 
the security of software that is developed for us, pushing our 
contractors to use more defensible, secure software development 
processes.
    Inside the government, it makes a huge difference about our 
understanding of how critical systems are configured, the ports 
and protocols that are used, so CISA is looking at kind of the 
full array of our authorities, including resources granted 
under the American Rescue Plan Act to allow us to deploy 
technology to Federal agencies. We are looking at, in addition, 
how do we use our binding operational directive authority to 
focus agencies on closing gaps in their security and 
configuration architecture. Finally, I think one of the real 
lessons out of SolarWinds was the exploitation of cloud 
environments, particularly Microsoft Office 365 cloud 
environments for Federal agencies and the challenges with 
visibility and logging that Federal agencies and CISA had for 
what was happening inside of these cloud environments. So part 
of our additional resources under the American Rescue Plan Act 
is standing up a secure, threat-hardened cloud environment and 
to pilot that out and then promulgate the reference 
architecture across the Federal Government to help improve the 
security of cloud environments for all of our Federal partners.
    And so there is a lot of work based upon the lessons that 
we have learned from SolarWinds and building that into our 
programmatic structure, whether it is technology, whether it is 
processes, whether it is directives, to ensure that we are 
using every capability we have to improve our security.
    Senator Rosen. Thank you. I would like to move on quickly 
to another important area: hospital cybersecurity. We have 
small rural hospitals all over this country. They are 
understaffed medically. They are understaffed in the technology 
area. They may not have all the resources, and so they are 
high-value targets for some of these hackers. I guess we only 
have about a minute left, so to both of you, do you think it 
might be helpful to directly embed CISA cybersecurity advisers 
into HHS regional offices to help some of our rural hospitals, 
our smaller health centers, so they do not become victims, and 
just have a collaborative boots-on-the-ground kind of approach? 
We will start with Ms. Vogel, please.
    Ms. Vogel. Yes, we are looking at how to reinforce the 
capabilities that we have in our regional offices. Each of the 
operating divisions in HHS brings their perspective to our 
regional office for coordination.
    Now, outreach and education is critical, and we support 
that by putting out cybersecurity documentation alerts, 
awareness packages on a regular basis. Last year alone, we sent 
out to the public health sector over 97 documents that help 
them in a situation of cybersecurity vulnerability. So we are 
trying to educate them, and other assistance would really make 
a difference.
    Senator Rosen. Thank you. I will take my other questions 
for the record, but I think this is an area where some better 
collaboration can really help our most vulnerable communities, 
particularly in the health care space.
    Thank you.
    Senator Portman. Senator Rosen, thank you very much for 
your questions.
    I am not sure who we have next. I think Senator Ossoff and 
Senator Hawley might be online. Are you there?
    [No response.]
    OK. In the absence of Senator Ossoff or Senator Hawley, is 
Senator Romney online by chance?
    [No response.]
    OK. We are going to go the second round then, and I will 
start off. My first question has to do with a letter that 
Chairman Peters and I sent to CISA back on April 5th. Mr. 
Wales, I know you are aware of this letter, and we asked that 
by April 20th we have a response. It is important that we have 
the best information possible to be able to deal with two 
things. One is the reauthorization of some of your programs 
that is occurring next year. We want to be smart about that and 
be sure that as we are reauthorizing things like the EINSTEIN 
program, it is done properly. But, second, we are also working 
on legislation, as I said earlier, to ensure that we can 
respond to immediate threats and strengthen your abilities, 
frankly.
    We are concerned that we have not had a response yet except 
for a few documents, all of which had previously been provided, 
I am told, to this Committee and to the Congress. Will you 
commit to providing a complete response to the letter this 
morning?
    Mr. Wales. Yes, we will respond. I know that we are in 
active discussions with your staff and that actually a briefing 
has been set for next week with the Department, who obviously 
has responsibility for DHS systems, including some that support 
CISA, and CISA will provide to the Committee next week that get 
into some of the more details of some of the questions that 
were asked as part of the letter. But we are actively working 
this to ensure we provide as complete a response as possible.
    Senator Portman. Can you give us a timeframe?
    Mr. Wales. I cannot sitting here right now, but we are 
working with your staff to provide as much detail as possible 
as quickly as possible.
    Senator Portman. Let us suggest a timeframe here this 
morning that is appropriate. Two weeks?
    Mr. Wales. We will work in two weeks to provide as much 
information as we can. Again, my one concern is CISA does not 
have all of the information, particularly questions related 
to----
    Senator Portman. If there is something we have asked that 
is inappropriate, let us know. My sense is what we have asked 
is relevant and appropriate to your reauthorization, and, 
frankly, coming up with legislation that is more helpful in 
responding to some of the attacks we talked about today.
    Mr. Wales. My only concern is that I cannot agree on behalf 
of the entire Department because the DHS CIO is the one 
ultimately responsible for DHS systems.
    Senator Portman. Let us set a milestone in two weeks that 
we will have substantially all the answers, at least those that 
you have the ability to answer.
    Mr. Wales. OK.
    Senator Portman. Because I think the sooner the better, 
since we are moving ahead with legislation, even during this 
month before the next congressional recess.
    Mr. Wales. Agreed.
    Senator Portman. Second is we talked a lot about funding 
today, and the American Rescue Plan, as you know, provided $650 
million to CISA for various ways to help modernize cyber 
systems. You mentioned hardening the cloud earlier. Can you in 
one minute or less just tell us precisely how you expect to use 
that $650 million?
    Mr. Wales. Sure, so four primary lines of effort.
    First is beginning to expand our cyber defensive teams so 
that we can spend more time doing persistent hunt activity 
inside of Federal agencies.
    Second is the deployment of new technologies and sensors 
inside of networks, endpoint detection and response tools that 
will give us better visibility for agencies and better 
visibility for CISA into what is happening on those networks.
    Three, the deployment of pilot secure, threat-hardened 
cloud environment for business systems to allow us to test the 
most effective way to secure and defend those and then 
promulgate a reference architecture across the dot-gov----
    Senator Portman. That would be focused primarily on the 
private sector and their ability to use a hardened cloud?
    Mr. Wales. It is primarily focused on testing a private 
cloud for the Federal Government civilian agencies that more 
Federal agencies can then use. Right now there is, I would say, 
a variety of different kind of cloud security environments that 
Federal agencies have adopted, and we want more consistency----
    Senator Portman. Right, more secure than others, OK. But it 
would not respond to the Colonial type----
    Mr. Wales. No. I mean, again, the----
    Senator Portman. What is the fourth one?
    Mr. Wales. The fourth one is additional funding to help 
accelerate the move toward more defensible and secure 
architecture. It is helping agencies move toward zero trust-
based approaches for their security and build more defensible 
and secure network configurations in architecture.
    Senator Portman. OK. I appreciate that. This was part of 
the COVID-19 package, the American Rescue package. I am glad 
the money is being used and used productively. I cannot see how 
it has any connection to COVID-19, by the way, which is 
unfortunately true with much of that legislation. But the money 
has been appropriated. We need the help right now, and we will 
be eager to see how this money is being spent. We will be 
overseeing it, and my sense is that what you are doing is going 
to be helpful to the broader mission of CISA that we are trying 
to work on through legislation.
    My final question has to do with what just happened with 
regard to SolarWinds. There has been a news report that has not 
been confirmed or denied by the Department of Homeland Security 
that the SolarWinds attack not only attacked agencies and, as 
you know, had a major detrimental impact on nine different 
Federal agencies, at least, but specifically it was an attack 
on DHS and that two areas, according to this report, were 
subject to this massive attack. One is DHS' foreign threat 
hunting teams were actually breached. And second is that the 
Secretary of DHS' email account was actually breached.
    Can you confirm that that is true?
    Mr. Wales. Sir, in an opening hearing, what I can say is 
that a small number of accounts at the Department and at CISA 
were compromised during this incident.
    Senator Portman. Are the foreign threat hunting teams part 
of CISA?
    Mr. Wales. We have threat hunting teams--again, I am not 
sure about the use of the term ``foreign'' there, but we do 
have threat hunting teams. Those are the teams that provide 
incident response and hunt support to our Federal agency 
partners. But I will just make one small comment, and that is, 
the compromise at DHS only affected our business email 
networks. It did not affect our operational networks where most 
of our cybersecurity work is done, things that manage our 
EINSTEIN system, the system that our incident response teams 
use as part of when they go onsite and support other agencies. 
So this would be the compromises were limited to business email 
and not to our actual operational work.
    Senator Portman. Can you confirm that the Secretary's email 
account was breached?
    Mr. Wales. I am going to defer that question to the 
Department's CIO who is responsible for it.
    Senator Portman. As you know, former Secretary Wolf 
confirmed publicly that his email account was breached. He said 
so on April 12, 2021.
    I would also like to put the Associated Press (AP) story in 
the record.\1\ I would like to ask unanimous consent (UC), Mr. 
Chairman, to do so. It indicated that the former Secretary and 
that DHS was compromised by this attack. We need to know the 
information, and if it is classified, we understand. We have 
had a classified briefing, by the way, since you and I last 
talked at a public hearing, where we would have had the 
opportunity to receive that information, and we did not. We 
need to know what is going on to be able to legislate properly 
and to provide the proper oversight.
---------------------------------------------------------------------------
    \1\ The AP story appears in the Appendix on page 00.
---------------------------------------------------------------------------
    I want to end by thanking you for your testimony today, for 
your ongoing communication with me and our staff and Senator 
Peters and his staff, and your professionalism. It is an 
impossible task right now. The enemy is moving very quickly, 
both foreign state actors and cyber criminals, and we have to 
move even more quickly. We have to stay ahead of them. And 
whether it is personnel and dragging our feet on having the 
right cyber workforce is a major frustration to me in the 
Federal Government--we talked about the 2014 legislation that 
is still not properly enacted--or whether it is in regard to 
keeping our systems up to speed, and particularly what is going 
on in the cloud, we have to stay ahead of them. I hope you will 
remain committed to this task and provide the leadership to be 
able to respond to this very difficult challenge.
    Thank you, Mr. Chairman.
    Chairman Peters [presiding]. Thank you, Senator Portman. 
You are absolutely right. We need to have the information. We 
will endeavor to make sure that that happens.
    We certainly do not have infinite resources, and we need to 
evaluate the risk facing our most sensitive systems which 
continue to fall victim to these attacks, as we have talked 
about throughout this hearing. As Ranking Member Portman 
brought up, we have at least two Cabinet Secretaries that were 
targeted.
    So my question is first to Ms. Vogel. How does HHS assess 
its risk posture to cyber attacks? And then how do you allocate 
resources against those risks?
    Ms. Vogel. Thank you for the question. When it comes to 
risk, one of the things we have become very engaged in is our 
Enterprise Risk Management (ERM) Council, where we bring 
different risks together, and then we are able to balance them 
and look at what we can all do from different disciplines on 
protecting the Department.
    When we look at our risk, we have a risk score that we look 
through all of the regulations and we apply our current 
assessment of our activities against that. This is a 
continually changing environment, and we have to go back to 
that time and time again.
    As we look at this, some of the things that we recognize 
is, for example, in the past where we looked very strongly 
toward penetration testing to protect us at the perimeter, we 
are now looking more internally to see through threat hunting 
teams how we can think ahead and be creative, because we know 
our adversaries are doing that.
    So as we look at that, we are slightly shifting some of our 
resources, and we are looking at what we can do more toward 
identity and access and restricting to go toward more of a zero 
trust type of environment. In addition, we are trying to 
balance the operational technology with the business 
technology. One would not necessarily work without the other, 
but we are also trying to protect it system by system, 
environment by environment.
    Those are some of the things that we are doing right now, 
and we are doing quite a bit of outreach and education because 
we feel that our employees are our first protection. They will 
notice things and report things. We are trying to get them 
onboard and not think of cybersecurity as something separate or 
something somebody else is supposed to do. So as we incorporate 
that in our work environment, we are also trying to balance the 
risk. That gives us a lot more coverage. Those are some of the 
things that we are doing now.
    Chairman Peters. So those are within the Department. Kind 
of a follow-up question to that is: How did some of the recent 
supply chain compromises of Federal vendors that we have seen, 
how does that change your risk assessment and how dynamic is 
that?
    Ms. Vogel. We take that very seriously. One of the major 
risks that we have addressed as a Department recently is 
acquisition and looking up front at what we can do to build in 
that prevention based on supply chain needs.
    We also have an area that looks just at medical devices and 
keeping them up to date and making sure that we share enough 
information with the health care community that they can be as 
protected at their end as possible. We look internally and we 
look externally.
    Chairman Peters. Very good.
    Senator Hawley, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you very much, Mr. Chairman. And 
thanks to the witnesses for being here.
    Mr. Wales, if I could just start with you. In the first 
SolarWinds attack, it has been publicly reported that there 
were approximately 100 private sector computers that were 
affected. I am wondering if there is anything you can tell us 
about the profile of these companies, if there are any common 
threads. Were they largely, for instance, technology companies 
or finance companies or industrial companies?
    Mr. Wales. Sure. They were largely in the technology space, 
although there were a couple in the nonprofit space. You could 
imagine the kind of entities that a foreign intelligence 
service would want to compromise to gain information about U.S. 
thinking on critical foreign policy questions.
    Senator Hawley. And is that what you think is the common 
thread here in terms of the companies that were targeted, the 
private sector companies that were targeted?
    Mr. Wales. I would say that they would fall under two 
classes: those that had information that the adversary wanted 
to gain access to, and those that were potentially future 
avenues for additional attacks, going after additional 
technology companies. So trying to look for additional 
opportunities to compromise supply chains.
    Senator Hawley. Got it. Following the first attack, the 
Cyber Unified Coordination Group put out a joint statement 
expressing their view that the threat was likely Russian in 
origin and it was predominantly an intelligence-gathering 
effort. That was January. We are about five months on from 
that. Is that attack still largely viewed as an intelligence-
gathering effort? Or do we think there was at this juncture any 
intention to conduct economic espionage or sabotage of any 
kind?
    Mr. Wales. I think right now we understand it to be largely 
a cyber espionage operation, but I think as we have said 
before, once you have this kind of broad access, what you do 
with it can expand greatly. While initially it has been focused 
on cyber espionage, where it may have gone in the future we do 
not know.
    Senator Hawley. Let me ask you about the second publicly 
reported SolarWinds attack that took place in February, early 
February of this year. At the time several nongovernmental 
assessments had attributed that to another State actor, to 
China. In March, you told me and the Committee that much of 
that public reporting was inaccurate, such as the reporting 
that said that the National Finance Center (NFC) had been 
targeted.
    To the extent that you are able to say in this setting, is 
there any update that you can provide us about that second 
attack?
    Mr. Wales. I do not believe that we have changed our stance 
on public attribution. What I can say is that another actor did 
identify a vulnerability in SolarWinds software. So unlike the 
case of the SVR operation where they inserted a vulnerability, 
inserted a back door, in this case there was just a 
vulnerability in the software that was discovered by another 
malicious actor. They did use that to compromise some 
SolarWinds devices in a number of different places, but the 
judgment on the National Finance Center has not changed.
    Senator Hawley. We still believe this is a second state 
actor that carried this out? Are you able to say?
    Mr. Wales. I am not able to say.
    Senator Hawley. Let me ask you about an article in Reuters 
recently. An anonymous cybersecurity expert was quoted--who, by 
the way, had some familiarity with the Pulse Secure attack and 
the Federal response. This person was quoted as saying that 
that attack was a combination of traditional espionage with 
some element of economic theft.
    Let me ask you if you think that that assessment is 
correct. Broadly speaking, did the Pulse attack involve some 
economic theft?
    Mr. Wales. I am not aware of any specific economic theft 
from that operation, but I would say that we are still trying 
to understand the full scope of what happened during the Pulse 
Secure campaign. There may have been targeting of private 
sector entities that we are not aware of that would shed 
further light on the objectives of the adversary in that case.
    Senator Hawley. So is it fair to say that the recent 
attacks that have been attributed to China, like the Pulse 
attack, have been more focused on economic theft than the 
Russian-based intelligence-gathering cyber attacks like 
SolarWinds? Or do you think that that is a mis-assessment?
    Mr. Wales. I would say in general that is consistent with 
our understanding of Chinese targeting objectives.
    Senator Hawley. Very good.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Hawley.
    Mr. Wales, I would certainly hope that CISA as the lead 
operational agency for Federal cybersecurity, you would have a 
real comprehensive understanding of the cybersecurity risk 
across the entire Federal Government, each of the component 
parts of that. So my question is, and please be very frank: Do 
you have the insight that you need into every agency's risk 
posture to form that kind of comprehensive understanding right 
now?
    Mr. Wales. No.
    Chairman Peters. What do you need? What should this 
Committee focus on to give you the tools necessary to have that 
kind of comprehensive understanding, which is clearly 
necessary?
    Mr. Wales. I think this is an area where, to set 
expectations about our ability to fully understand the risk 
profile at 102 different Federal civilian Executive Branch 
agencies, including some large, complex agencies with multiple 
subcomponents like the ones I am testifying with today, fully 
understanding their risk environment is going to be 
challenging. They will use a variety of different systems. 
Those systems will have various different functions. And 
understanding the importance of those different functions, what 
happens if there is a disruption, is always going to be a 
challenge, regardless of the level of insight we need or the 
relevance that we have.
    That being said, I think that there are critical 
improvements that we want to have, many of which we are already 
starting based upon the resources in the American Rescue Plan 
Act, based upon new authorities that we have had provided to 
us, to expand our ability to understand the cybersecurity 
posture of our Federal partners and where critical improvements 
are needed. I think I want to start there and then build on 
that base, and while a full understanding of the risk profile 
of every Federal agency and its subelements might be a goal in 
the future, we have some shorter-term goals that I think we 
need to achieve first.
    Chairman Peters. Very good. You can count on us as a 
Committee working closely with you and all of our agencies to 
make sure we get to the place where we need to be.
    I want to take this opportunity to thank again our 
witnesses for testifying here this morning. I think we can all 
agree that our reliance on cyber infrastructure makes 
cybersecurity a higher priority, and it is a higher priority 
each and every passing year. 2021 started with SolarWinds, and 
the incidents have just continued to occur.
    I think we have heard some very interesting things here 
today as we continue to work on this topic in the weeks, 
months, and years ahead. FISMA clearly needs some adjustments 
to ensure agencies and CISA have the information necessary to 
understand our risk and allocate our resources to address those 
risks that have been identified. The law needs to reflect the 
intent of Congress so there is no ambiguity, so there is no 
confusion on when and if an agency needs to declare a major 
incident and notify Congress about those events. We need to do 
this by evaluating the scale and the scope of an attack as well 
as the impact on an individual agency.
    What we heard today I think makes clear that to combat 
today's cyber enemies, we must work as one holistic Federal 
unit. Our enemies' increased sophistication during the 
SolarWinds cyber incident and continued willingness to inflict 
harm on Americans, as witnessed during this weekend's 
ransomware attack on Colonial Pipeline, show that 
cybersecurity is and is going to remain a national security 
priority for the foreseeable future.
    This Committee will continue to investigate the scope of 
these recent incidents, and we are going to work to address the 
risk and challenges that are critical to helping modernize 
cyber infrastructure. That includes ensuring that our 
government is prepared to respond efficiently and effectively 
during a major cyber incident.
    This Committee is also committed to addressing the cyber 
workforce issues facing the government, as several members 
discussed during their questions. This is something that I have 
worked on and want to continue to work very closely with the 
administration to get done.
    Again, thank you to all of our witnesses, Ranking Member 
Portman, and other Members of the Committee, and with that, the 
hearing record will remain open for 15 days, until May 26 at 5 
p.m., for the submissions of statements and questions for the 
record.
    This hearing is now adjourned.
    [Whereupon, at 11:48 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]