[Senate Hearing 117-62]
[From the U.S. Government Publishing Office]




                                                         S. Hrg. 117-62
 
            ADDRESSING EMERGING CYBERSECURITY THREATS TO STATE 
                            AND LOCAL GOVERNMENT

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                EMERGING THREATS AND SPENDING OVERSIGHT

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             JUNE 17, 2021

                               __________

        Available via the World Wide Web: http://www.govinfo.gov
        
        

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        
        
        






                  U.S. GOVERNMENT PUBLISHING OFFICE 
45-441 PDF                  WASHINGTON : 2021 
 

        
        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk


        SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT

                 MAGGIE HASSAN, New Hampshire, Chairman
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                     Jason Yanussi, Staff Director
                            Peter Su, Fellow
                 Greg McNeill, Minority Staff Director
                Adam Salmon, Minority Research Assistant
                      Kate Kielceski, Chief Clerk
                      
                      
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Hassan...............................................     1
    Senator Paul.................................................     3
    Senator Ossoff...............................................    17
Prepared statements:
    Senator Hassan...............................................    31
    Senator Paul.................................................    33

                               WITNESSES
                        Thursday, June 17, 2021

Karen J. Huey, Assistant Director, Ohio Department of Public 
  Safety.........................................................     4
Hon. B. Glen Whitley, County Judge, Tarrant County, Texas........     6
Hon. Stephen M. Schewel, Mayor, City of Durham, North Carolina...     8
Russell E. Holden, Superintendent, Sunapee School District, New 
  Hampshire......................................................     9
Dan Lips, Vice President for National Security and Government 
  Oversight, Lincoln Network.....................................    11

                     Alphabetical List of Witnesses

Holden, Russell E.:
    Testimony....................................................     9
    Prepared statement...........................................    93
Huey, Karen J.:
    Testimony....................................................     4
    Prepared statement...........................................    35
Lips, Dan:
    Testimony....................................................    11
    Prepared statement...........................................    95
Schewel, Hon. Stephen M.:
    Testimony....................................................     8
    Prepared statement...........................................    47
Whitley, Hon. B. Glen:
    Testimony....................................................     6
    Prepared statement...........................................    40

                                APPENDIX

Statement submitted by the American Public Gas Association.......   101




                   ADDRESSING EMERGING CYBERSECURITY

                 THREATS TO STATE AND LOCAL GOVERNMENT

                              ----------                              


                        THURSDAY, JUNE 17, 2021

                                     U.S. Senate,  
                       Subcommittee on Emerging Threats and
                                        Spending Oversight,
                    of the Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:15 a.m. via 
Webex and in room 342, Dirksen Senate Office Building, Hon. 
Maggie Hassan, Chairman of the Subcommittee, presiding.
    Present: Senators Hassan, Sinema, Rosen, Ossoff, Paul, 
Scott, and Hawley.

             OPENING STATEMENT OF SENATOR HASSAN\1\

    Senator Hassan. The hearing will now come to order. Good 
morning. The Subcommittee on Emerging Threats and Spending 
Oversight (ETSO) convenes today's hearing to discuss the 
threats to State and local entities from cyberattacks and the 
consequences of those attacks on national security, the 
economy, and the lives of our citizens. We will discuss what 
State and local entities need in order to be able to 
effectively respond to cyber threats, and how the Federal 
Government can best support State and local authorities as they 
work to combat the growing wave of cyberattacks.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Hassan appears in the 
Appendix on page 31.
---------------------------------------------------------------------------
    While the SolarWinds, Colonial Pipeline, and JBS 
meatpacking cyberattacks rightly received a lot of attention in 
recent months, State, local, and Tribal entities have also 
faced serious cyberattacks that can cripple services for 
citizens and decimate local budgets.
    The cybersecurity firm, Emsisoft, estimated that the total 
cost of publicly known ransomware attacks on State and local 
governments in 2020, including cost to restore functionality 
and services, was nearly $1 billion. A report from 
cybersecurity firm, BlueVoyant, found that there was a 50 
percent increase in the number of cyberattacks against State 
and local entities from 2017 to 2019. At the same time, the 
average ransom demanded in these attacks increased 10 times, 
and the average cost to taxpayers to clean up after a single 
cyberattack rose to the millions of dollars.
    Today's hearing sheds a light on the impact of attacks like 
the one we saw on the Sunapee School District in my home State 
of New Hampshire, which is represented here today by 
Superintendent Russell Holden. Luckily for the Sunapee 
community, the district had a plan in place, including a 
separate backup system, so it was able to resume operations 
soon after the attack was discovered, without paying ransom. I 
thank you, Superintendent Holden, for your leadership on 
cybersecurity for school districts.
    Amid the coronavirus disease 2019 (COVID-19) pandemic, we 
have also seen more than ever the importance of shoring up our 
cybersecurity. State and local agencies depend on digital 
delivery of services to Americans, and many State and local 
employees are also connecting to central networks from home in 
order to do their work remotely. More investment at all levels 
of government is needed to strengthen cyber defenses.
    A 2020 survey of State chief information security officers 
(CISOs) found that most States only spend 1 to 3 percent of 
their overall information technology (IT) budgets on 
cybersecurity, compared to about 16 percent for Federal 
agencies, and many local governments, with their smaller 
budgets, are even worse off. Cybersecurity risks will continue 
to rise if State and local entities are not able to strengthen 
their cyber resilience.
    I am working across the aisle to help State and local 
officials address cyber threats and increase information-
sharing at the Federal, State, and local level. I am pleased 
that the most recent National Defense Authorization Act (NDAA) 
included my provision to provide each State with a federally 
funded cybersecurity coordinator. These coordinators will 
provide each State and local governments within them with a 
local contact who can provide support and technical knowledge, 
and act as a bridge to the Federal Government. I was very happy 
to recently learn that New Hampshire's coordinator came on 
board in the last week.
    In addition, in this Congress I introduced a bipartisan 
bill with Senator Cornyn to better enable the National Guard to 
support State and local government cybersecurity. But we need 
to do more. That is why I am also working with my fellow 
Senators to craft a dedicated cybersecurity grant program for 
State and local governments.
    I am excited to discuss these ideas and more with our five 
insightful witnesses today. Four of them represent a State, a 
county, a city, and a school district, and can help us better 
understand the unique environment that each have to operate 
within. They can also help us better understand which types of 
Federal support may be the most effective. The fifth witness is 
an expert in Federal cybersecurity policy and notably a former 
senior staffer for the Homeland Security and Governmental 
Affairs Committee (HSGAC). To all of our witnesses, I 
appreciate your willingness to testify. I want to thank you all 
for the role you play in helping to keep all of us safe, and I 
look forward to learning from you today.
    With that I will now recognize Ranking Member Paul for his 
opening remarks.

              OPENING STATEMENT OF SENATOR PAUL\1\

    Senator Paul. Thank you, Chair Hassan, and thank you to our 
panelists today for your time. I look forward to hearing from 
each of you.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Paul appears in the Appendix 
on page 33.
---------------------------------------------------------------------------
    I would like to begin my remarks with an observation, which 
is that the recent wave of ransomware attacks seems to have 
broken through into the public consciousness. I traveled to my 
home State of Kentucky recently, and was asked more questions 
about cybersecurity in those 10 days or so than in the previous 
10 years. Of course, we as policymakers have been concerned 
about this malicious activity for some time, and at the Chair's 
request the Subcommittee held a hearing on this last December, 
and I am glad that we are still continuing to look at this 
issue.
    From what I saw and heard from the people I represent, 
there is now a much more widespread appreciation for how 
disruptive these attacks can potentially be. Obviously, the 
Colonial Pipeline interruption and the spectre of gas shortages 
was a major concern. The Kentuckians I spoke to were also 
concerned about the ransomware attacks affecting North American 
meatpacking facilities owned by JBS, which may not have 
received quite as many headlines as the pipeline but which was 
also alarming.
    Clearly we have a problem on our hands. The nation must be 
able to secure its food supply and deliver fuel where it is 
needed. Recent cyberattacks have also targeted hospitals, 
school systems, water systems, and other essential services.
    How can we combat this? As the old saying goes, an ounce of 
prevention is worth a pound of cure. Cybersecurity must be 
prioritized in the same way that any other essential services 
are prioritized. As we will hear, recovering from cyber events, 
such as ransomware attacks and data breaches, is several orders 
of magnitude more costly than what it takes to implement and 
maintain good cybersecurity practices on the front end.
    Finally, I believe Congress needs to make sure that the 
Federal Government's role in detecting and responding to 
cyberattacks is limited and clearly defined, and that Federal 
cybersecurity personnel are focused, first and foremost, on the 
security of Federal information networks. The government can 
and should share information on threats and best practices with 
the private sector, State, local, Tribal, and territorial 
(SLTT) authorities. However, Congress must keep critical 
infrastructure operators and State, local, Tribal, and 
territorial in the proverbial driver's seat. One size fits all 
is not always the answer. Centralization is also not always the 
answer to cybersecurity.
    I am particularly worried about a proposal that recently 
passed the House of Representatives which would create a new, 
multibillion-dollar grant program to subsidize State and local 
cybersecurity. The Washington solution seems to be throw money 
at every problem, with the result being a $28 trillion national 
debt.
    As Americans, we face cybersecurity concerns that involve 
the availability of gasoline, the food supply, the electric 
grid, water, sanitation systems, and our communication 
networks. Some of these are the very fundamental building 
blocks of our society.
    I look forward to the conversation, and I think we can all 
be open to what the solutions are, but I think we also need to 
be conscious of the fact that many of these things can be done, 
and are being done, in the private sector.
    Thank you.
    Senator Hassan. Thank you, Ranking Member Paul.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee to swear in witnesses. Mr. Lips, 
if you could please stand, and all the witnesses who are 
joining us virtually could stand as well, and please raise your 
right hand.
    Do you swear that the testimony you give before this 
Subcommittee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Ms. Huey. I do.
    Mr. Lips. I do.
    Mr. Whitley. I do.
    Mr. Schewel. I do.
    Mr. Holden. I do.
    Senator Hassan. Thank you. Please be seated.
    Our first witness today is Ms. Karen Huey, Assistant 
Director of the Ohio Department of Public Safety. As Assistant 
Director, Ms. Huey manages the department's six divisions, 
including Ohio Emergency Management and Ohio Homeland Security. 
Ms. Huey was previously the Assistant Superintendent of the 
Ohio Bureau of Criminal Investigations, and she has nearly 25 
years of experience in State government. Ms. Huey also 
currently serves as the homeland security advisor to Ohio 
Governor Mike DeWine.
    Welcome, Ms. Huey. You are recognized for your opening 
statement.

    TESTIMONY OF KAREN J. HUEY,\1\ ASSISTANT DIRECTOR, OHIO 
                  DEPARTMENT OF PUBLIC SAFETY

    Ms. Huey. Good morning. Chair Hassan, Ranking Member Paul, 
and Members of the Subcommittee, we appreciate the opportunity 
to share Ohio's specific concerns and information with you this 
morning. The topic of today's hearing is of great importance, 
and although I speak with you today from the State of Ohio, I 
know many of my colleagues from across the country would echo 
these comments.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Huey appears in the Appendix on 
page 35.
---------------------------------------------------------------------------
    Today I would like to share our concern that a small carve-
out for cybersecurity in the current Homeland Security funding 
does not meet the needs of our State and local governments. The 
current challenge of cyberattacks, as the Federal Bureau of 
Investigation (FBI) Director Wray recently said, is equal to 
the challenge we faced by the September 11th terrorist attack.
    Preventing cyberattacks takes dedicated resources, 
coordinated strategies, and local commitment. Ohio is investing 
in and making strides in our efforts to strengthen 
cybersecurity. The Ohio National Guard has taken the lead and 
brought together more than 30 public, private, military, and 
educational organizations to form the Ohio Cyber Collaboration 
Committee (OC3). Its mission is to develop a stronger 
cybersecurity infrastructure and workforce.
    Two major accomplishments of the OC3 are the Cyber Range 
Institute and the Ohio Cyber Reserve. As the Subcommittee is 
aware, States have been receiving Homeland Security Grant 
funding since 9/11. It has allowed us to build fusion centers, 
harden targets, identify critical infrastructure, and form 
relationships across sectors that never worked together before.
    A great example of this occurred last week in Ohio. Ohio 
Homeland Security was alerted by a Federal Department of 
Homeland Security (DHS) intelligence officer who shared 
information about two Chinese video surveillance companies 
whose products have been banned by the Federal Government since 
2018. Despite that Federal ban, dozens of these systems were 
purchased in Ohio, including some school districts and at least 
one hospital.
    Ohio Homeland Security immediately distributed a 
situational awareness bulletin to alert those Ohio entities 
that these companies are likely providing U.S. customer data to 
the Chinese government for espionage and surveillance 
operations. Almost immediately we started receiving concerned 
calls from Ohio entities that had purchased these products. We 
were able to provide high-level technical mitigation 
information and CISA personnel are working on a more detailed 
risk management solution.
    With the inclusion of cyber as a priority in the Homeland 
Security Grant, Ohio's local governments are struggling to 
address traditional preparedness needs while also prioritizing 
cyber projects. As the seventh-largest State, with a population 
of over 11 million, Ohio currently receives $6.7 million in 
Homeland Security funding. The current carve-out for 
cybersecurity is less than $340,000. I would assert that 
continued use of a small portion of Homeland Security Grant 
dollars both takes away from the needs of the traditional 
Homeland Security efforts and minimizes the importance of 
cybersecurity that we are talking about today.
    We would urge Congress to consider a dedicated grant 
program that will enhance Ohio's and other States' ability to 
focus on cybersecurity capabilities. We would focus on three 
main areas for dedicated funding. The State would share 
industry standards with its local governments and small 
businesses; the State would also offer assessments of current 
systems to identify gaps and direct local governments to 
resources. We would provide education and training that 
includes cyber exercises, end user training, and resources and 
guidance documents.
    The State would make improvements to existing secure 
communication platforms that would be used to gather and 
disseminate important, timely cyber threat information to our 
trusted partners.
    The last piece I would mention, if there is dedicated 
funding, we would like to see that future funding require a 
condition that recipients share indicators of compromise and 
intrusion with the State in a confidential manner. Adding a 
requirement of after-action reporting will allow us to learn 
from and be better prepared for incidents in the future.
    In closing, many States like Ohio recognize the importance 
of responding to cyber incidents and building a level of 
preparedness with our local governments. Our hope is that a 
dedicated cyber grant program will help ensure that we remain 
prepared for both the traditional terrorist event and the cyber 
threat, without having to choose between the two.
    We appreciate the Subcommittee's commitment to addressing 
cybersecurity. On behalf of the Ohio Department of Public 
Safety, thank you for the invitation to testify.
    Senator Hassan. Thank you very much, Ms. Huey, for that 
excellent testimony.
    We now turn to our second witness, Judge Glen Whitley, 
County Judge for Tarrant County in Texas. Judge Whitley has 
served as Tarrant County Judge since 2007, and previously 
served as Tarrant County Commissioner since 1997. Judge Whitley 
presides over the Tarrant County Commissioners Court and 
provides leadership on issues related to policy and county 
services for the 15th-largest county in the United States. He 
was also a board member of the National Association of Counties 
and one of its past presidents. As County Judge, Judge Whitley 
also serves as the head of Emergency Management for Tarrant 
County.
    Welcome, Judge Whitley. You are recognized for your opening 
statement.

 TESTIMONY OF THE HONORABLE B. GLEN WHITLEY,\1\ COUNTY JUDGE, 
                     TARRANT COUNTY, TEXAS

    Judge Whitley. Thank you, Chairwoman Hassan, Ranking Member 
Paul, and Members of the Subcommittee. My name is Glen Whitley 
and I serve as County Judge for Tarrant County, Texas. I also 
serve on the Board of Directors for the National Association of 
Counties, and it is an honor to participate in today's hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Judge Whitley appears in the Appendix 
on page 40.
---------------------------------------------------------------------------
    In just the past year, we have seen several cyberattacks 
cause major disruptions across the United States. These attacks 
all demonstrate the vulnerability of our nation's cyber 
infrastructure. At a local level, Pinellas County, Florida 
recently experienced an attack on their water treatment 
facility that allowed hackers to manipulate their water supply. 
As county reliance on technology increases, these attacks will 
likely increase as well.
    To better understand how local government can respond to 
cyber threats, it is important to start with an understanding 
of the underlying challenges to the local revenues and 
resources. General revenues from local property taxes are the 
backbone of county funding, because they are not restricted to 
a particular activity. Currently, though, 43 States are 
imposing some type of limitation on a county's ability to 
increase local taxes.
    Restrictions on Federal and State resources also remain a 
challenge. Locally collected general revenues are not 
restricted to a particular activity. Unfortunately, about 93 
percent of State and Federal funding used by county governments 
is restricted to a specific function. Matching requirements for 
Federal grant and loan programs also make leveraging Federal 
resources impossible for many counties.
    We applaud Congress for providing $61.5 billion to county 
governments in the American Rescue Plan (ARP) Act. However, 
local governments are prohibited from using these dollars as a 
non-Federal match for grant and local programs. Without 
relieving these pressures, counties will struggle to invest in 
the cybersecurity infrastructure they need.
    Collectively, counties own or operate thousands of 
hospitals, public health departments, water and waste 
management centers, jails, and emergency operations centers, 
all of which create significant cyber vulnerabilities. Without 
robust and reliable funding, these local assets expose our 
communities and these critical programs and services.
    It is important to note that cybersecurity needs are not 
only driven by exposures and vulnerabilities but also by the 
need to meet national standards. In Tarrant County, we adhere 
to the four principles of the NIST Cybersecurity Framework. 
Achieving and maintaining the core principles require an 
Information Security Program that includes policies, 
procedures, and resources. While policies and procedures can be 
downloaded and customized, resources require continuous 
funding.
    More generally speaking, county cyber resources are 
typically directed to three main areas: education, 
infrastructure, and preparedness.
    An organization's greatest cyber weakness is the end user 
or the employee. A recent cybersecurity survey found that 70 
percent of the employees polled said they had recently received 
training from their employers, yet 61 percent failed their 
basic quiz.
    One of the best cybersecurity practices is the 
implementation of multi-factor authentication. Counties must 
also update and replace network devices and vet cloud software 
and supply chains, all of which require time, money, and 
skilled personnel.
    Preparedness depends on the county's ability to effectively 
monitor cyber threats. Counties must develop, test, and retest 
security policies and incident procedures or hire trusted, 
expensive third-party contractors.
    As the Committee considers how to best allocate 
cybersecurity investments, it is imperative that Federal 
resources reach their intended targets as quickly as possible. 
We applaud Chairwoman Hassan's work to provide local 
governments with reliable and flexible cybersecurity resources 
in the State and Local Cybersecurity Improvement Act.
    In closing, counties need a strong Federal partner that can 
provide direct and flexible resources that allow local 
governments to adopt resources to meet the unique needs of 
their communities. This is especially true for cybersecurity 
resources. Again, local governments own and operate some of our 
nation's most critical infrastructure.
    Thank you for allowing me to be here today.
    Senator Hassan. Thank you very much, Judge. Now we will 
move on to our third witness, Mayor Steve Schewel of Durham, 
North Carolina. Mayor Schewel has served as mayor since 2017, 
and previously served 6 years on the Durham City Council and as 
Vice Chair of the Durham Public School Board. He is a long-time 
member of the Durham community and a visiting professor at the 
Sanford School of Public Policy at Duke.
    Welcome, Mayor Schewel. You are recognized for your opening 
statement.

 TESTIMONY OF THE HONORABLE STEPHEN M. SCHEWEL,\1\ MAYOR, CITY 
                   OF DURHAM, NORTH CAROLINA

    Mr. Schewel. Thank you very much, Chair Hassan, Ranking 
Member Paul, and Members of the Subcommittee. On behalf of the 
city of Durham and the National League of Cities, thank you for 
convening this important discussion today. I am Steve Schewel, 
mayor of the great city of Durham, North Carolina, home to more 
than 280,000 residents, and home to Duke University, North 
Carolina Central University, and North Carolina's Research 
Triangle region.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Schewel appears in the Appendix 
on page 47.
---------------------------------------------------------------------------
    Cybersecurity is a top priority for the city of Durham. Our 
city has experienced recent cyberattacks, including a 
ransomware attack in March 2020, at the start of the COVID-19 
pandemic. During that attack, our city was fortunate to 
maintain functioning of critical systems, including our 911 
call center, and we did not pay a ransom. This was due to the 
city's prioritization of cybersecurity planning and preparation 
in the wake of an extremely disruptive attack on Durham Public 
Schools in 2009, and a smaller malware attack on city networks 
in 2018. Our city was able to resume full network functioning 
in less than a week after the attack. This was thanks to our 
advanced planning, our robust system of cloud backups for city 
data, and our partnerships with our vendors, the FBI, and the 
North Carolina National Guard.
    However, this preparation is costly for our city, and too 
many cities, towns, and villages are not as well prepared as 
the city of Durham. It is not a matter of if another 
devastating attack will paralyze critical municipal networks 
and infrastructure, but when.
    The United States has thousands of municipal governments 
which operate water systems, gas and electric utilities, 911 
answering centers, transportation systems, and countless other 
critical services. Most of these municipal governments are 
small with limited budgets. Cybersecurity is competing directly 
with direct services such as providing safe, quality drinking 
water, maintaining infrastructure, such as replacing 100-year-
old water pipes or repaving pothole-ridden streets, and 
employing first responders to keep our communities safe.
    Meanwhile, cybersecurity has become more complicated and 
expensive every year. Criminal organizations, including State-
backed criminals, continue to develop sophisticated methods for 
penetrating public networks and disrupting city functions. Even 
small-town networks are attractive targets for these bad 
actors, and we can no longer rely on security through 
obscurity.
    Relatively basic steps, such as implementing multi-factor 
authentication, conducting cyber hygiene training for city 
staff and elected leaders, and maintaining up-to-date hardware 
and software can be very costly for a city. Many 
municipalities, including the vast majority of smaller towns, 
lack sufficient budget for cybersecurity and outsource most IT 
functions. We depend on our partnerships with vendors, the 
State, and Federal agencies to keep our networks safe and 
recover from an attack.
    Congress has the opportunity to bolster these partnerships 
and provide cities, towns, and villages with new resources to 
strengthen our collective security posture. We recommend three 
principles for any new cybersecurity program in support of 
State and local governments.
    First, Congress should provide sustainable new funding 
without cannibalizing existing public safety grant programs. 
Cybersecurity measures are ongoing expenses, and while a one-
time grant will help get some efforts off the ground, network 
monitoring, training, and upkeep must be budgeted for every 
year.
    Second, Congress should prioritize intergovernmental 
partnership. Closer collaboration between city, county, State, 
and Federal agencies on things like planning, procurement, 
training, and incident response will help reduce the impact of 
attacks experienced by local governments and the time needed to 
recover.
    Finally, Congress must be careful not to impose a one-size-
fits-all solution on local governments. Cities and towns come 
in all shapes and sizes. Some would benefit most from a direct 
grant, while smaller communities may prefer that Federal 
support be administered by the State.
    Again, I thank you so much for your attention on this 
important and timely issue, and I look forward to your 
questions. Thank you very much.
    Senator Hassan. Thank you so much, Mayor. I really 
appreciate the testimony.
    Now we will go to our fourth witness today, Superintendent 
Russ Holden, of Sunapee School District in my home State of New 
Hampshire. Superintendent Holden has worked as a public school 
administrator in New Hampshire for the last 26 years. As 
superintendent, he is responsible for evaluation of all 
administrators and directors for the school district, and for 
managing all Federal and State grants. He is also the Vice 
President of the New Hampshire School Administrators 
Association, where he serves as the chair of the Policy 
Committee.
    Welcome, Superintendent Holden. I am looking forward to 
when I can see you again in person, and you are recognized for 
your opening statement.

  TESTIMONY OF RUSSELL E. HOLDEN,\1\ SUPERINTENDENT, SUNAPEE 
                 SCHOOL DISTRICT, NEW HAMPSHIRE

    Mr. Holden. Thank you, Senator Hassan, and thank you to the 
Subcommittee. I appreciate the opportunity to speak to you 
today, and I will keep my comments brief because you have my 
written testimony.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Holden appears in the Appendix on 
page 93.
---------------------------------------------------------------------------
    In October 2019, we came in after a weekend and found out 
that our data had been held for ransom, and everything that we 
had in our school district was kept from us. Sunapee is a small 
district in the western part of the State. We have about 430 
students, Pre-K through 12, and about 120 faculty members. Our 
IT department consists of 1.3 people. We are basically the 
biggest employer in our town.
    Upon finding that we were held for ransom we quickly 
notified our local police and State police and our insurance 
carrier. Unfortunately, neither our local police or State 
police at the time really did not have much assistance that 
they could give us, and the assistance really came from our 
insurance carrier, putting us in touch with professionals and 
lawyers that had dealt with these situations in the past.
    Fortunately enough we had a backup system in place, and the 
interesting piece about our backup system was prior to this 
incident, a week prior, we realized that our backup system had 
failed, and if we had not recognized that at that time and 
instituted a new backup system, we would have lost information 
going back 6 months. With the backup system in place, we were 
able to recover our data, without paying the ransom.
    The long and short, we accumulated fees and materials 
totaling more than $40,000, and it took over 9 days for our IT 
department to get us back up and running fully.
    While 9 days may not seem like a lot, fortunately 
technology has really integrated itself into education, and 
education into technology, and really having our teachers pivot 
very quickly and go back to some of the older ways that we 
learned how to educate our students, using more paper, pencil, 
and traditional materials. Our ability to do that really 
allowed us to continue and not to have to cancel school and 
allowed us to stay in school and educate our children, which is 
our primary task.
    We have about a $12.5 million budget here in Sunapee, and 
about $500,000 of that is dedicated to technology. After going 
through this ransom situation, we invested last year $10,000 to 
go through an audit that looked at our entire security system. 
Through that audit, much of what other folks are presenting 
here today have said, we found out that we quickly needed to 
put things in place, like disaster recovery plans, business 
continuity plans, backup systems particularly that can be held 
offsite or in the cloud, enabled multi-factor authentication, 
and train ourselves in phishing drills and help educate staff 
and students on outside threats, including looking at dry 
sprinkler systems within our IT server closets.
    Again, as I mentioned, our IT department consists of 1.3 
people. Going through that audit process we quickly realized 
that we were completely understaffed, but hiring a new person 
would add at least one percent to our overall budget.
    I am also a member of the American Association of School 
Administrators (AASA), and was completing my national 
certification program in February 2020, and I had the 
opportunity to share this incident with 20 colleagues from 
across our country, from States of California, Pennsylvania, 
Illinois, and Virginia. At that point in time, little old 
Sunapee represented the smallest school district in the cohort, 
Bakersfield, California, with 260,000 students. When speaking 
to my colleagues they all said, ``We are not prepared to know 
what we would be able to recover the data potentially that was 
lost and get ourselves back on our feet.''
    I would echo again what some of the other folks said here 
today. I think there are ways that we can look at Federal 
monies, either using Homeland Security or Title IV monies that 
are given to school districts, try to free up some of the 
restraints and constrictions that are on those so they can be 
sent to help us look at more appropriate ways and more 
sufficient ways to help educate our students and staff and 
community of these security and ransom attacks.
    I would again thank the Senate Subcommittee and Senator 
Hassan for representing the State of New Hampshire and by 
continuing to bring this topic forward. Thank you.
    Senator Hassan. Thank you, Superintendent Holden.
    Now I am going to turn to our final witness who is joining 
us in person in the hearing room today, Mr. Dan Lips, Vice 
President for National Security and Government Oversight at the 
Lincoln Network. At the Lincoln Network, Mr. Lips focuses on 
research and advocacy between technology, government oversight, 
and national security.
    Mr. Lips began his career as an intelligence analyst with 
the FBI. He also served as a staff member of the Senate 
Homeland Security and Governmental Affairs Committee, where he 
worked on cybersecurity policy and served as Homeland Security 
Policy Director.
    Welcome, Mr. Lips. You are recognized for your opening 
statement.

TESTIMONY OF DAN LIPS,\1\ VICE PRESIDENT FOR NATIONAL SECURITY 
           AND GOVERNMENT OVERSIGHT, LINCOLN NETWORK

    Mr. Lips. Thank you. Good morning, Chairwoman Hassan, 
Ranking Member Paul. Thank you for the opportunity to testify.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Lips appears in the Appendix on 
page 95.
---------------------------------------------------------------------------
    My name is Dan Lips. I am the Vice President for National 
Security and Government Oversight at Lincoln Network. As a 
former HSGAC staffer, it is a real honor to testify. I 
sincerely respect the Members and staff of this Committee and 
the work that is done in this hearing room.
    We have heard sobering testimony this morning. State and 
local governments face growing cyber threats that warrant a 
proactive response by the Federal Government. But Congress 
should be thoughtful about the resources currently available to 
spend on cybersecurity. The Government Accountability Office 
(GAO) has warned that the Nation is on an unsustainable fiscal 
path, including that the growing Federal debt could cause a 
large drop in the value of the dollar and limit Congress' 
ability to respond to future emergencies.
    With that context, what should Congress and the Committee 
do to help State and local governments manage growing cyber 
risks? I will offer four recommendations.
    First, Congress should streamline Federal rules to reduce 
State governments' compliance costs to allow more resources to 
be spent on improving security. For years, the National 
Association of State CIOs and the National Governors 
Association (NGA) have urged Congress and the White House to 
harmonize agencies' information security rules, which are often 
contradictory and duplicative.
    In 2018, the Oklahoma State CIO testified that his office 
spent 10,000 personnel hours complying with Federal rules and 
audits. That is a year's worth of work for five employees, 
full-time, and that is time that could be spent otherwise on 
improving security.
    GAO has reported that the Office of Management and Budget 
(OMB) has issued guidance to agencies, encouraging them to 
harmonize rules, but did not require them to do so. Congress 
and the Committee could pass legislation to require agencies to 
harmonize Federal rules and audits to fix this problem.
    Second, Congress should prioritize cybersecurity and 
existing Homeland Security Grant programs, and States should 
use available Federal funds for cybersecurity. I appreciate 
that Members of Congress have proposed creating a new 
cybersecurity grant program, but DHS, through the Federal 
Emergency Management Agency (FEMA), already awards more than $1 
billion in annual Homeland Security Grants. Secretary Mayorkas 
recently announced the Department would require grant 
recipients to spend 7.5 percent of grants on cybersecurity. 
Congress could further increase that amount.
    But States and localities do not need to wait on Congress. 
They already have billions in unspent DHS grants and other 
funds that could be used for cybersecurity. According to OMB, 
States had not spent 50 percent of the Homeland Security Grants 
that have been awarded since 2015, and $2.7 billion was still 
available as of 2020. After receiving $340 billion in 
additional funds through the American Rescue Plan, State and 
local governments should have resources to improve 
cybersecurity.
    Third, the Federal Government should share meaningful 
threat information and security recommendations to help 
organizations manage cyber risks. Over the past decade, 
Congress has passed bipartisan laws to establish Federal 
programs to facilitate information sharing. But watchdogs have 
identified limitations and opportunities to improve DHS' 
information-sharing programs. Congress should press the 
Department to implement these recommendations.
    The Federal Government should also better leverage its 
expertise to help State and local governments and other 
partners implement best practices. For example, NIST provides 
valuable guidance through its Cybersecurity Framework. But the 
framework includes a checklist of more than 100 
recommendations, which are difficult for many organizations to 
fully implement.
    The White House recently issued a memo to American 
companies with five specific recommendations to prevent and 
prepare for ransomware attacks. This is exactly the kind of 
specific and focused security recommendations that are needed 
to help organizations manage cyber risk.
    Fourth, Congress and the Subcommittee should conduct a 
strategic review of cyber threats and assess current and future 
resource needs to manage long-term risks. The intelligence 
community (IC) recently assessed that technological innovations 
will likely result in increasing competition in the cyber 
domain in the future. Congress should forecast what resources 
are needed moving forward.
    President Biden proposed spending $9.4 billion on Federal 
civilian agency cyber programs in his recent budget, or a 14 
percent increase. In comparison, he proposed spending $750 
billion on national defense. Congress should consider whether 
these resource allocations are appropriately balanced to 
address current and future threats.
    There is also significant waste in the Federal budget, such 
as the $75 billion that is lost annually on improper payments, 
according to GAO, which is much larger than what Congress 
currently spends on cybersecurity. Given the Subcommittee's 
mandate, you are uniquely positioned to review and forecast 
what Federal spending resources are needed to counter emerging 
threats.
    Again, thank you for the opportunity to testify. I look 
forward to your questions.
    Senator Hassan. Thank you so much, Mr. Lips, for that 
testimony. We now will turn to our rounds of questions. I will 
start and then move to Ranking Member Paul.
    To Ms. Huey and Mayor Schewel, a functioning government 
depends on functioning computer systems, and we have seen this 
more than ever during the COVID-19 pandemic. A cyberattack on a 
State or local entity can easily disrupt services to people or 
hamper the functioning of a government entity.
    Ms. Huey and Mayor Schewel, can you outline what the 
consequences might be of a cyberattack on your organization? 
What data do you have that would potentially be at risk? What 
critical services might be disrupted? We will start with you, 
Ms. Huey.
    Ms. Huey. Thank you. At the Ohio Department of Public 
Safety we have, obviously, several large systems under the 
Bureau of Motor Vehicles. You can picture the driver's license, 
vehicle registration, all of that citizen data would be 
impacted if we sustained an attack.
    In addition to that, we also operate the Law Enforcement 
Automated Data System (LEADS), and this is the system that 
collects all local law enforcement arrests, criminal justice 
information. It is shared throughout the State, and it is also 
shared with our Federal partners.
    We feel that we have very robust security measures around 
this, but it obviously would be a very big blow to public 
safety at the State, local, and Federal level if something were 
to happen to LEADS.
    Finally, we use a confidential information management 
system for Homeland Security to communicate with our trusted 
partners, and we would hate to see something happen to that, 
that would disrupt services to our citizens.
    Senator Hassan. Thank you. Mayor Schewel.
    Mr. Schewel. Thank you very much. Our 911 center is 
absolutely crucial. We receive 300,000 calls a year to our 911 
center, and any disruption in that service would be a terrible 
blow to our residents. In addition, we operate a water system 
that has 90,000 customers, and 25 million gallons a day of 
water. Any disruption to that would also be an absolutely 
terrible blow.
    There are other systems as well, but I think those are the 
two most crucial systems that we operate that could potentially 
be devastatingly impacted by a cyberattack.
    Senator Hassan. Thank you very much, Mr. Mayor.
    The next question is for Superintendent Holden, again Mayor 
Schewel, and Judge Whitley. Superintendent Holden, Mayor 
Schewel, and Judge Whitley, you all experienced a cyberattack 
within the last few years. Would each of you highlight the 
actions your organizations took to limit the impact of these 
attacks on your operations? What can other local entities learn 
from your example? We will start with you, Superintendent 
Holden.
    Mr. Holden. Thank you, Senator. I think first and foremost 
I have to say what will win at that is your personnel. Having 
dedicated IT professionals that are willing to spend the time 
and energy to continue to be up to date and put not only 
systems in place but to stay current on what is going on in the 
world around us, when it comes to these matters. Making sure 
that the appropriate training is in place, making sure that you 
have the proper amount and rightly placed backup systems I 
think are also a key part of ensuring these things did not 
happen and preventing them from happening.
    Again, the last piece I think, again going back to the 
training, we are only going to be as good as our users. At 
Sunapee we have about 650 end users, and that is what it is 
going to come down to, how well we can train our end users.
    Senator Hassan. Thank you. Mayor Schewel.
    Mr. Schewel. We had a terrible attack, devastating attack 
on Durham Public Schools network in 2009, and after that we 
established plans and policies and procedures to ensure that 
the city would not experience a similar costly disruption. We 
established a comprehensive plan and budget for improvements 
over time. We established working relationships with the FBI, 
State leaders in North Carolina, the Multistate Information 
Sharing and Analysis Center, and these plans were tested in 
2018, when a second attack occurred, this time impacting the 
city's fleet vehicle network.
    We established a war room, once we were attacked in 2020, 
with representatives from our staff, contractors, other 
governmental partners, including the North Carolina National 
Guard, to respond to and recover from the attack. I will say 
this was made particularly challenging, because we were 
navigating this with the new social distancing protocols that 
we needed in March 2020. We were fortunate that we had regular 
backups from all city data, and that was crucial.
    Senator Hassan. Thank you. Judge Whitley?
    Judge Whitley. Again, I think the backups, we have heard 
this mentioned a couple of times today already. That is very 
important. We have a playbook that we look at, that helps us to 
identify, contain, eradicate, and really begin the recovery 
from that. Then we go back to the education process of trying 
to make sure folks understand and learn from any issues that we 
have, and we looked at that. We always are having tabletop 
discussions and exercises, from that standpoint.
    Senator Hassan. Thank you very much, sir.
    One more question before I turn to the Ranking Member. To 
Superintendent Holden and Judge Whitley, good cybersecurity 
requires up-front investment, but State and local entities 
often have limited resources and they have to balance competing 
priorities. A Federal grant program that focuses on 
cybersecurity can help relieve State and local resource 
constraints and increase investment in cybersecurity.
    Superintendent Holden and Judge Whitley, what are the 
resource constraints that you face when deciding how much to 
invest in cybersecurity, and are there improvements to 
cybersecurity resiliency that you would make if given a 
reasonable amount of additional resources?
    We will start with you, Superintendent Holden.
    Mr. Holden. Thanks, Senator. The answer to your last 
question is yes, absolutely. Our ability to improve our 
resources greatly has an impact on our financial situation. One 
of the first things I think that comes to mind for us would be 
a dual authentication, and that would be allowing you to sign 
in not only on a computer but on another device. That would us 
having another device for every person in our district, so 
basically doubling what it is that we currently have in the 
public sector. That would have a tremendous impact on our 
budget. Thank you.
    Senator Hassan. Thank you. Judge Whitley.
    Judge Whitley. I think as we look through there is always 
the balancing of how do we spend our dollars, and more often 
than not now what we are seeing are attempts, sometimes from 
the State level, to limit the amount of dollars that we can 
raise and to be able to allocate. Flexibility is key as far as 
I am concerned.
    One of our witnesses before talked about how different we 
are among counties, among States, among cities and towns. The 
flexibility really allows the local area to assess the threats 
that they feel most strongly about and to be able to allocate 
that, among personnel or among different programs.
    Senator Hassan. Thank you. I will now turn to the Ranking 
Member for his round of questions.
    Senator Paul. Mr. Lips, the Chairwoman and I have been 
interested in duplication, and I have a bill actually to have 
reports on bills from the Congressional Budget Office (CBO), 
whether or not we already are doing through another program. 
You mentioned that we hand out FEMA grants that already deal 
with cybersecurity. In your opinion, would a new grant program 
just for cybersecurity be a duplication of what we are already 
doing through the FEMA grants?
    Mr. Lips. I believe so, particularly since cybersecurity is 
an allowed use of the existing FEMA grants.
    Senator Paul. I think this is an important question because 
money does not grow on trees. We are institutionally about $1 
trillion short every year, just for Medicare, Medicaid, food 
stamps, and the military. We are short on the ordinary 
expenses, and we have been adding extraordinary expenses of 
trillions of dollars. Last year the deficit was over $3 
trillion, likely over $3, maybe even $4 trillion this year. We 
have to figure out how to most wisely use our resources.
    I was intrigued by your point, though, that even without 
legislation we are giving $1 billion a year--so we have about 
$5 billion over the last 5 years--and yet we have only spent a 
little over half of it. Has that money been given in grants and 
just not spent by the recipient, or it has not yet been applied 
for?
    Mr. Lips. My understanding is that it has been awarded, and 
that it is with the States, and that it could be put to use. 
Why States have not spent that is not fully clear to me.
    Senator Paul. All right. I think that is worth a letter, 
and maybe the Chair might consider that we send a letter asking 
if the money has been allocated, and it is for cybersecurity, 
asking the people who received it to tell us why they have not 
used it yet or what the problem is. Maybe try to figure out 
what is going on with that money.
    Senator Hassan. I am certainly happy to consider that. I 
think this depends a lot on what the overall grant is and how 
much is restricted.
    Senator Paul. Our staffs can work together to figure that 
out. But it is also interesting that even without legislation, 
Secretary Mayorkas has increased the requirement from 5 percent 
to 7.5 percent, so that is a 50 percent increase in the 
funding. Instead of $5 billion it will be $7.5 billion over the 
next 5 years?
    Mr. Lips. My understanding is that it is actually out of 
that pot of funding, so out of $1 billion, 5 percent is 
required to be spent on cybersecurity, and he is increasing it 
to 7.5 percent.
    Senator Paul. OK. The whole $5 billion does not go to 
cybersecurity. It is 5 percent of that, and he is increasing 
that to 7.5 percent of that. OK, I got where we are.
    But the other possibility is you could even go up even more 
significantly. We could either do that through legislation, we 
could say 20 percent of that money needs to go to 
cybersecurity. If we really thought cybersecurity was a 
pressing issue we could try to reallocate or resource that 
money that already exists.
    Mr. Lips. Absolutely, Senator Paul, and I think it would be 
wise for Congress to consider doing that. The FEMA grant 
programs for homeland security were expanded and created after 
9/11, and the intention was for them to be risk-based and to 
focus on existing security threats. Twenty years later, it is 
clear that this has become a serious security threat and it 
should be prioritized. It would make a lot of sense for more of 
those funds to be used to address these problems.
    Senator Paul. While I think we all agree that cybersecurity 
is a problem, putting in perspective of our overall national 
security is important, when you talked about weighing how much 
we spend on national defense. But also there have been remarks 
from even folks within the military community. Admiral Mullen 
said, a few years ago, that the greatest threat to our national 
security was actually our debt.
    I think we cannot, on the one hand, say we are going to 
throw unlimited resources. We have to be careful about where 
the resources are and try to redirect resources to a problem. 
If we think cybersecurity is a pressing issue, which it sounds 
like it is, let's take it from maybe less pressing issues and 
try to force some of the money over toward that without 
necessarily spending more money. I would probably support 
legislation if we had legislation that did what Secretary 
Mayorkas did. We could do it even more, figuring out what the 
appropriate number is. But you could take more of that $5 
billion and push more toward national security simply by 
looking at those percentages.
    I had one other question that kind of a technical question. 
I always ask this because I am somewhat intrigued, without 
being a technological or a computer expert on this. It seems 
like the articles that you read say most of the people get into 
your system through your email. Is that still true? Would half 
the people be getting in through email, or is that a rare way 
they get in?
    Mr. Lips. It is certainly one of the ways that attackers 
get into systems, and certainly it is encouraging to hear some 
of the precautions that are being taken by my fellow panelists. 
There is a lot that can be done to understand best practices, 
to improve cyber hygiene, such as not clicking on suspicious 
emails, and other measures to----
    Senator Paul. It would seem to me that it should not be 
that hard, technologically, to wall off your email, where your 
email has no communication and you cannot get from your email 
to your operating system. Can you make it a wall such that it 
cannot be penetrated?
    Mr. Lips. That is a good question, and I am not sure. I am 
encouraged by what the Biden administration recently put out as 
recommendations to address malware and ransomware. There are 
simple things that can be done, such as backing up systems, 
encrypting data at rest to make it less valuable to ransomware 
attackers. There are some relatively simple things that can be 
done to improve organization security posture, that should be 
prioritized.
    Senator Paul. Twenty years ago, as a physician, we used to 
back up our records every day on a floppy disk, and we would 
put them in a fireproof safe, in case the building burned down 
or in case you had an electrical surge you would not lose all 
your patient data. I know it would not be on a floppy disk 
anymore but it would seem that there would be ways to back this 
up on a daily basis and protect yourself. There has to be ways.
    I think a lot of this stuff is not necessarily rocket 
science. There are available solutions out there, and I think 
it is important that we get that out there for folks to 
prevent.
    The other thing I had heard a lot was that people were 
doing a lot more work from home. They would be working on their 
phone or their computer and they had not done the updates, and 
the updates are pretty sophisticated to protect against 
viruses. I am guilty of it too, not always pushing to accept 
the update, and maybe that has been part of the problem in the 
last year as well.
    Mr. Lips. Absolutely, and those were some of the 
recommendations, sir, that were included in the White House's 
recent memo to companies, to update and patch systems 
regularly. These are basic actions that organizations can take 
to improve their security.
    Senator Paul. Thank you.
    Senator Hassan. I think we are expecting Senator Ossoff 
shortly, but why don't I ask a question until he gets here, 
unless that is him.
    Senator, would you like a minute? You are up, or----

              OPENING STATEMENT OF SENATOR OSSOFF

    Senator Ossoff. I am ready to go.
    Senator Hassan. You are ready to go? Then I will turn the 
questioning over to Senator Ossoff.
    Senator Ossoff. Thank you, Madam Chair. Thank you to our 
panelists who are here in person and remotely. My first 
question is for Ms. Huey.
    Ms. Huey, in March 2018, the city of Atlanta suffered a 
severe ransomware attack. According to Bloomberg CityLab, the 
hackers encrypted files, locked access to online services, 
blocked the city of Atlanta from processing court cases and 
warrants, and demanded a $51,000 ransom. Just 2 months prior, 
the City Auditor's Office released a report finding that the 
city's information security management system, ``has gaps that 
would prevent it from passing a certification audit,'' and that 
many information security management processes, ``are ad hoc or 
undocumented, at least in part due to lack of resources.''
    Similar issues prevail across major cities. It is not 
unique to Atlanta. A recent study by the National Association 
of State Chief Information Officers found that States spend 
only a fraction of their IT budgets on security, between 1 
percent and 3 percent, compared to about 16 percent for Federal 
agencies.
    Given the budget constraints that States and municipalities 
face, what are the cybersecurity investments that, in your 
view, would have the biggest impact, the highest return on 
investment, when it comes to preventing, for example, 
ransomware attacks and securing State and municipal networks?
    Ms. Huey. Thank you for that question. Senator, I believe 
that State government has done a good job of looking at State 
assets and providing a level of security. Where I think 
dedicated cybersecurity funding that could come into the State 
could help us focus on local governments. As you have heard 
today from the other witnesses, there is a variety of levels of 
preparedness that local governments have been able to do with 
cybersecurity.
    What we would hope to do, at the State level, is those 
standards there already identified in industry, making sure 
that those are communicated across the State, and then provide 
those assessments and those audits so that we can go out and 
help people identify those gaps and then identify resources for 
them to use.
    I think this is always a combination of local, State, 
private investment, along with Federal dollars that will make 
it successful. Thank you.
    Senator Ossoff. Thank you, Ms. Huey, and, of course, we do 
want that strong intergovernmental communication and 
communication and best practices, sharing of threat 
information. Can you drill down in a little more detail, what 
do you think consistently municipal or local governments are 
maybe underinvesting in? What would be the best use of their 
limited resources? Is it data hygiene practices for personnel? 
Is it firewall technology? Is it supply chain checks? Is it 
robust patching practices, hardware, software? How should local 
governments deploy resources that are limited for most effect?
    Ms. Huey. I can tell you that the locals that took 
advantage of the 5 percent cyber set-aside, our first round of 
funding here in Ohio, obtained cyber risk assessments. That is 
what they were looking at, was looking at a contractor, and 
this was a little bit of a regional approach, so maybe 3, 5, 6 
counties went together and were looking at doing a cyber risk 
assessment that would then make recommendations on hardware and 
the issues that you identified.
    Senator Ossoff. OK. Thank you, Ms. Huey.
    Mr. Whitley, you mentioned in your testimony that lack of 
cybersecurity awareness, training, and implementation and best 
practices for employees as well as local government staff is a 
major impediment. I believe you cite a study showing that most 
folks polled had been given cybersecurity training but also 
failed basic quizzes on the topic and best practices.
    Committee-provided information indicated that recent 
cyberattacks in both Tarrant County and Durham, North Carolina, 
were the result of phishing email campaigns, where individuals 
are tricked into clicking links that can load malicious 
software.
    If the Federal Government were inclined to make investments 
in cybersecurity training, how could we be certain those 
investments would have a positive impact and actually address 
the security challenges counties like yours are facing, and 
what do you believe are the best practices for not putting 
personnel through online presentations and then calling it job 
done but actually ensuring that staff understand the underlying 
concepts and best practices.
    Judge Whitley. Thank you for that question. I think the 
best thing is to continuously test, retest, educate. A lot of 
time we will say, OK--in fact, we just finished a program by 
which everyone had to go in and do this training, and if they 
did not we ended up turning their systems off. I know actually 
five elected officials who all of a sudden looked and their 
screens were blank.
    We have to keep pushing and pushing and pushing on the 
education, but even after that, sometimes testing from 
internally and saying, ``OK, we told you about this and now all 
of a sudden we tried you and you still failed,'' that has a 
lasting impression on at least that employee. I think that word 
gets around to other folks, and they begin to realize, OK, this 
really can happen and I need to be a little bit more careful, 
because the last thing in the world you want to do is be the 
reason why our systems were taken over or were shut down.
    It is a combination of things, but it has to be a 
continuous, constant reminder, and emphasizing how important it 
is to be careful about whatever you open and whatever websites 
you may go to.
    Senator Ossoff. Thank you, sir. Mr. Lips, finally, in your 
testimony you emphasized the need to improve information 
sharing about cyber threats and best practices across the 
Federal Government, between Federal agencies, about potential 
vulnerabilities in the information technology ecosystem to 
improve their technology acquisitions and strengthen supply 
chain risk management. Obviously, sharing information is good. 
But can you describe, in a bit more detail, the current 
limitations on information sharing, in particular with respect 
to supply chain risks?
    Mr. Lips. Thank you for the question, Senator. Over the 
past decade it has become clear that the Federal Government has 
focused increasing attention on addressing supply chain risk 
management. We have seen actions to ban the use of certain 
technologies by Federal agencies. From my perspective it seems 
like there is a time delay between when Federal agencies become 
aware of these problems and then when it reaches an 
understanding on Capitol Hill and then when it is implemented 
across the Federal Government.
    In 2018, there was legislation that attempted to address 
this problem by creating a stronger interagency process to 
improve that information sharing across the Federal Government. 
It seems like it would be a productive next step for Federal 
agencies and that interagency task force to also share 
information and specific information, to your point, with State 
governments, municipal governments, and the private sector.
    One of the challenges we have seen over the years with 
cybersecurity best practices is that there is often long lists 
of information provided to organizations. Providing very 
specific and discrete recommendations will help organizations, 
particularly those with limited resources, decide how to 
prioritize and manage risk.
    Senator Ossoff. Making the information that is shared more 
actionable rather than just a bureaucratic dump of data 
perhaps?
    Mr. Lips. Absolutely, Senator.
    Senator Ossoff. OK. Thank you, Mr. Lips. Thank you, Madam 
Chair.
    Senator Hassan. Thank you, Senator Ossoff. I am going to 
start my second round of questioning. I think we are expecting 
Senator Rosen to be available relatively soon, and when she 
gets here let me know and we can let her jump in, and then I 
can finish up with additional questions.
    I want to start with a question to Judge Whitley and Ms. 
Huey, because, again, this is a theme we are hearing, 
cybersecurity is a team effort. We know State and local 
governments often have separate structures for technology and 
security, but working together and sharing resources and best 
practices can improve the cybersecurity of all entities.
    Judge Whitley and Ms. Huey, do you think States should use 
a committee or other structure to bring together State and 
local representatives to help plan and coordinate cybersecurity 
efforts, and if your State already has such a committee, could 
you please elaborate on how effective you think it is? We will 
start with Judge Whitley, please.
    Judge Whitley. I do feel like it is extremely important. In 
this recently adjourned session of our legislature they created 
a committee that will go into effect on September 1st, and I 
think that will be very helpful. We will see how it works 
itself out.
    I really want to say, though, it is important to get our 
dollars back down as much as possible to the end user. 
Committee is OK, but again we are very different, we are very 
diverse, we are a very large State, and the quicker the dollars 
can get from wherever they are coming, whether it be the Feds 
or the State, and get it down to the end user, the better off 
it will be.
    An excellent example that I will use is the ARPA funds, 
which you allocated out. Counties, regardless of their size, 
receive the monies as direct payments.
    Senator Hassan. Right.
    Judge Whitley. In the CARES Act, it was distributed out to 
the State, except for those counties and cities over 500,000. 
Some of that money is still sitting in the States. The quicker 
you can get it down to the local areas, the better off we are.
    Senator Hassan. Thank you. Ms. Huey.
    Ms. Huey. Thank you, Chair. I absolutely believe that using 
an advisory committee, an advisory board, made up of a 
combination of State and locals best help define the strategy 
on how to spend funding and how to address cybersecurity.
    In Ohio, we have two organizations, the OC3, which I had 
already mentioned, which is a combination of public and 
private, is always a resource for any cybersecurity decisions. 
They are very much focused on economic development and 
workforce and sort of prevention. That would be their 
expertise. Then we also have the Homeland Security Advisory 
Council, which actually advises us on how to spend the Homeland 
Security Grant on our strategic goals.
    There are already a couple of systems in place in Ohio, and 
I would hope that many States have this. That would be a help 
with funding decisions.
    Senator Hassan. Thank you both for those answers. I am now 
going to ask another question of Ms. Huey and then Mayor 
Schewel. While the Federal Government can provide some 
resources and support to State and local cybersecurity efforts, 
we also need to encourage more State and local investment in 
cybersecurity, and that is a theme that we have been hearing 
this morning. That is why recent proposals for State and local 
cybersecurity grant programs have included a cost share where 
the grant would supplement funds already provided by the State 
or local entity.
    However, sometimes this cost share can be a barrier to 
State and local entities utilizing the grant program, 
especially during economic downturns, especially because State 
and local governments have to balance their budgets.
    Ms. Huey and Mayor Schewel, do you think that the Federal 
Government should be able to waive the cost share requirement 
in certain limited circumstances, and what would those 
circumstances be? We will start with Ms. Huey.
    Ms. Huey. Thank you for that question, and I appreciate 
having the cost share requirements, the match requirements. I 
think it is important to have skin in the game. But, if that 
can be done on a graduated basis so that things can get stood 
up and get started, and then other sources of funding can 
eventually supplement, I think that is a great approach.
    Are there opportunities to waive that? I think that would 
be interesting and potentially a multi-state project or 
something that is a little bit broader. At that point in time 
if it is a waiver or maybe we could leverage private dollars 
for something like that, I think that would be something 
interesting to pursue.
    Senator Hassan. Thank you. Mayor Schewel.
    Mr. Schewel. Thank you very much, Senator. Durham is lucky. 
We are a fairly large city with really good IT staff. We have 
wonderful staff. But 80 percent of municipalities in the United 
States are small with populations below 50,000 people. Most of 
these municipalities have very little ability to cost share, 
and I think that really needs to be an important consideration.
    The Public Technology Institute found that 65 percent of IT 
officers in municipalities felt that their cybersecurity budget 
was inadequate, and many of these cities are pressed in many 
ways, multiple needs for their budgets. Cost sharing certainly 
can be an impediment to have the adequate cybersecurity 
infrastructure that is needed.
    Senator Hassan. Thank you very much, Mr. Mayor. I now see 
that Senator Rosen has joined us virtually, so I will recognize 
her for her 7-minute round of questions.
    Senator Rosen. Thank you, Madam Chair. I appreciate that. 
Thank you for chairing this meeting in the absence of Senator 
Peters being here on the loss of his mother. I really 
appreciate you stepping in, and the witnesses, of course, for 
being here today, because cyberattacks can be expensive, they 
are debilitating, especially for small governments. I am really 
glad that we are coming together in a bipartisan way to talk 
about how we are going to protect communities in this really 
challenging time, and it is not going to get any easier.
    Elementary and secondary schools, they remain increasingly 
vulnerable to hostile cyber actors. Last year, the FBI warned 
that K-12 institutions represent an opportunistic target to 
hackers, and many school districts, they lack the budget and 
the expertise to dedicate to network integrity.
    In August of last year, Clark County School District, 
Nevada's largest school district, and our nation's fifth-
largest school district, was the victim of a ransomware attack. 
The hacker published documents online containing sensitive 
information, Social Security numbers, student names, addresses, 
and the like. Of course, this is absolutely unacceptable, and 
the Federal Government must help schools obtain the tools and 
resources to protect their students, their families, their 
teachers, educators, everyone who works there. It is something 
that I have raised with CISA and the Department of Education.
    Mr. Holden, what more could CISA be doing to assist our 
elementary and secondary schools with being sure that they have 
some way to understand how to implement the tools and 
cybersecurity standards and protocols?
    Mr. Holden. Thank you for the question. I think really what 
needs to happen is there needs to be a set of standards 
developed. I think if either Homeland Security took a look at 
cybersecurity and implemented a set of standards that would 
then pass down to us, that we could look at at the local level, 
or even at the State level, to make sure that we have 
implemented those systems to prevent ourselves from what is out 
there.
    I would highly recommend a set of standards that could be 
looked upon, and then a way for either Homeland Security or the 
local or State to test those systems for us, and then to 
identify where we may be weak in those systems so that we can 
implement what needs to be implemented at the local level.
    Senator Rosen. That is a great suggestion, because we need 
to get it out to every school district, large and small.
    Another thing that we may have to do in order to do this, 
is our cybersecurity surge capacity. Ms. Huey, in your 
testimony you note that Ohio has created a civilian Cyber 
Reserve, consisting of a volunteer force of trained 
cybersecurity civilians to assist in a variety of cybersecurity 
needs. Senator Blackburn and I recently introduced the Civilian 
Cyber Security Reserve Act to establish a civilian Cyber 
Reserve at DHS and the Department of Defense (DOD) to call up 
cybersecurity experts at our times of greatest need.
    Ms. Huey, how has the Ohio Cyber Reserve helped reduce 
cyber threats to the State, and what are some lessons you think 
that we could draw on what you have done and apply that to the 
national level in order to supplement DHS's existing personnel 
and add additional cyber capacity?
    Ms. Huey. Thank you, Senator, for that question. The Ohio 
Cyber Reserve operates much in the way that you were pointing 
out. It was introduced by OC3 and then it was authorized by the 
Ohio General Assembly in 2019, and it really does operate like 
a military reserve. It is under the adjutant general. It can be 
activated by the Governor.
    Currently we are in the process of building out ten 
regional teams across Ohio. We have three of those teams 
already stood up and running. They do not publicize when they 
are deployed, but they have been deployed, and they have been 
successful.
    I think there would be a lot of lessons learned and 
information that we could share with the new program at the 
Federal level as to how we identified that expertise, because 
we really wanted a cross-section of expertise, people that know 
the latest but also people that know how to deal with legacy 
systems as well. Thank you.
    Senator Rosen. I think I am going to have my team reach out 
to you and see what some of the lessons learned and best 
practices are, and we can see what we can do with those here.
    I think when we talk about this, what I would like to ask, 
especially to the mayor, as you are dealing particularly at the 
local level, when we are talking about all the cybersecurity 
personnel and implementation and setting standards, and we do 
have to do all of that. But we really have to create a trained 
workforce, not in cyber but really a technologically savvy 
workforce, because there is not an area that someone is not 
going to have to be aware of a phishing scheme, any way that 
the vulnerabilities and multiple ways that people get in.
    Mayor Schewel, can you describe the resource and workforce 
constraints that you may have and perhaps how we might consider 
a career in technical education down at, I guess, the city 
level or school districts, and they could be city or county, to 
try to really increase workforce talent and capacity, because 
at the end of the day, they are the faces on the other side of 
the computer that may be the ones that get taken advantage of 
unknowingly, and that hurts all of us.
    Mr. Schewel. Senator, thank you very much for the question. 
You are absolutely right. I think there are two aspects to 
that. One is--and Judge Whitley spoke to this early--the 
ability to train our young folks within the city to avoid 
phishing attempts, which is the way this successful cyberattack 
happened against our city. We were fortunately backed up, but 
that is the way people got in. I think that kind of training is 
critically important, and we do a lot of that. It cannot only 
be training, though. Multi-factor authentication, those kinds 
of things, are also critical.
    But I also think that there is the issue of having the--we 
live in the Research Triangle region of North Carolina. We have 
highly trained technical workforce, and making sure that we 
have enough of those people on staff is really important. That 
is one of the reasons I think it is really important that we 
have additional funding. It costs us $900,000 a year to do our 
IT security. It is very expensive, and we need support for it.
    Senator Rosen. I guess I have a few seconds left, but what I 
would like to say is I think--and it is not a question of this 
Committee, but I do think that we have to increase our STEM 
education across the board, I would say pre-K through 12, so 
that they are ready to work right away, in all these areas, to 
protect whatever business, government, whatever they go to do 
as an adult. I look forward to working on some of those things 
in the future.
    Thank you, Madam Chair.
    Senator Hassan. Thank you very much, Senator Rosen.
    I have additional questions, and I am going to check with 
the staff. That is all the Senators we have lined up right now, 
right?
    I thank the panel for so much excellent testimony, and I do 
have a few more questions. I am going to start with a question 
to Ms. Huey.
    Collaboration among States could serve a really important 
role in bolstering cybersecurity, and you have referenced that 
a bit already this morning. Ms. Huey, do you think multi-state 
cybersecurity projects would boost cooperation among States and 
improve cybersecurity beyond what States could achieve alone?
    Ms. Huey. Thank you for that question, Senator. I 
absolutely do, and I do not believe that there has probably 
been enough done at that level. Ohio Homeland Security is 
currently in the process of surveying all of the State's fusion 
centers, just to get a real good feel on what their cyber 
structure looks like. We want to benchmark ourselves and see if 
we are doing well. In the conversations with our surrounding 
States, there is a lot of interest and a lot of communication, 
and I think there is some ability to really work on some 
collaborative projects.
    Additionally, I think the Federal Department of Homeland 
Security has a number of centers of excellence, partnered with 
universities, and I think that would be a real opportunity as 
well, that should be explored.
    Senator Hassan. Thank you for that.
    Mr. Lips, I want to turn to you, obviously, it is something 
you have talked about in your testimony and in the purview of 
this Subcommittee, we have a duty to ensure that taxpayer 
dollars are spent efficiently and effectively. In this case, 
the goal is to efficiently and effectively spend grant funds to 
reduce the cybersecurity risk of State and local entities.
    How do you think the Federal Government should measure how 
effective grants are at reducing State and local cybersecurity 
risk, and how should this be integrated into the grant program?
    Mr. Lips. Senator, thank you for the question. I think that 
is a great issue to be raising, particularly if Congress is 
considering establishing a new, dedicated cybersecurity grant 
program. It is one of the lessons, I think, that we have 
learned over the past 20 years with the FEMA grant program. 
That program was originally intended to be risk-based and 
focused on helping States and urban areas build up capabilities 
that were needed, particularly after 9/11.
    Unfortunately, over time, my view is that that program has 
become more of a formula-based program that is no longer 
essentially risk-based, and as GAO and others have pointed out, 
FEMA has struggled to measure how States are buying down risk.
    Senator Hassan. Right.
    Mr. Lips. With a cyber grant program, I would urge the 
Committee to be focused on--starting from the beginning, of 
ways to measure that, to not be looking back years later and 
think, this should have been more risk based.
    Senator Hassan. OK. Thank you. I want to turn back to the 
issue that Senator Ossoff was talking a little bit about, which 
is information sharing. To Mayor Schewel, to Judge Whitley, and 
to Mr. Lips, information sharing has been one of the key ways 
that the Federal Government supports State and local 
cybersecurity. However, there are many questions about how the 
information sharing regime could be improved.
    Mayor Schewel and Judge Whitley, how useful has the 
information that the Federal Government shares with you been, 
and are there other types of information that the Federal 
Government could provide that you would find useful? I will 
start with you, Mayor Schewel, and then go to Judge Whitley.
    Mr. Schewel. I will tell you, Senator, I do not honestly 
know the answer to that question in detail. I can tell you that 
we have really needed our Federal Government partners, 
including the FBI at times, during our recent cyberattack. But 
I am sorry, I have to get back to you on real information about 
the usefulness.
    Senator Hassan. Sure. OK. Thank you. Judge Whitley.
    Judge Whitley. I know that our IT folks are in constant 
communication not only with the Federal agencies, also with the 
local. They are meeting on a monthly basis or a quarterly 
basis. Then any time any particular event happens, then they 
are working with one another and helping one another out. Any 
type of collaboration that can occur needs to be encouraged, 
because that is the way that we will keep people up to date on 
what the new style or the hack of the day is, and go under that 
type of a scenario. But the Feds have been very helpful. I know 
our folks are members of just about any organization they can 
become a member of that will assist or will help in identifying 
threats or things that are going on in the community.
    Senator Hassan. Thank you. Mr. Lips, how do you think we 
can improve cybersecurity information sharing between Federal, 
State, local, and Tribal organizations?
    Mr. Lips. Thank you for the question, Senator. Generally I 
think that information sharing programs have been very well 
intended and have been a step forward from where we were a 
decade ago.
    That said, the various watchdogs, like the inspector 
general, have identified challenges within DHS's information 
sharing programs, issues such as timeliness, over-
classification, and frankly, general value of the information 
that is shared has resulted in limited participation from the 
private sector, from what I understand, and from what the IG 
has found. I think addressing these areas and open 
recommendations broadly, both for private sector partners as 
well as State and local governments would be a valuable 
improvement.
    In addition, I think there is valuable information sharing 
that can be provided about security recommendations, from 
supply chain acquisitions risks, also just general best 
practices having recommendations be made in a way that is 
prioritized would be really helpful for organizations across 
the board, including State and local governments.
    Senator Hassan. Thank you. I want to ask a question of all 
the government witnesses now about Homeland Security Grants, 
because there has been a little bit of discussion about what 
already exists, and I want to really try to drill down on the 
effectiveness and usefulness of that.
    The Department of Homeland Security provides grants that 
can be used for a variety of purposes, including, as has been 
pointed out, cybersecurity. The State Homeland Security Grant 
program used to require that recipients use at least 5 percent 
of these grant funds for cybersecurity, but that has now been 
increased to 7.5 percent. That was done earlier this year. It 
also requires that a portion of these funds pass through to 
localities.
    My question to all our government witnesses is whether 
these requirements are enough to address cyber needs? Judge 
Whitley, Mayor Schewel, and Superintendent Holden, have any of 
the local entities you represent received funding through the 
State Homeland Security Grants for increasing your 
cybersecurity? I will start with Judge Whitley.
    Judge Whitley. We have received funding but this is one of 
the things that because of the increase in activity we do need 
more funds. I know that that is the standard answer you feel 
like you get any time you ask a governmental entity about any 
particular issue, but I think we all recognize, just as we 
stated earlier, about the very public threats and confidential, 
where they come in and seize operations or stop operations from 
happening. This is an ever-increasing area of threat, and we 
need to be focusing more and more dollars and efforts on that.
    Senator Hassan. Thank you. Mayor Schewel.
    Mr. Schewel. Thank you, Senator. I think it is really 
important that we not be cannibalizing other Homeland Security 
programs to do this cybersecurity work. We are going to need 
all of it. The cybersecurity threats that we are facing, every 
day there are cybersecurity attacks on the city of Durham, and 
we are able to fend them off. But all the actors have to do is 
be successful once. Our needs in this area are going to be 
greater and greater. We are going to need funding that is not 
competitive and not cannibalizing other Homeland Security 
funding. I think that is really going to be critical to us.
    Senator Hassan. Thank you. Superintendent Holden.
    Mr. Holden. I am unaware of any funding that we have 
received at the local level regarding the Homeland Security 
Grants. I have to look, though, past funding. I think really 
what I am looking for is more information. I think the more 
information that can be given to me at the local level from 
Homeland Security or from the State would be much more 
beneficial for me to be able to implement systems that will 
help us from these type of attacks.
    Senator Hassan. Thank you. Ms. Huey, in your view is the 
increase from 5 percent to 7.5 percent enough to improve State 
and local cybersecurity, or is there more assistance needed?
    Ms. Huey. Thank you for your question, Senator. I believe 
that there is more funding needed. I do not believe just 
increasing from 5 to 7.5 percent really recognizes the need for 
cybersecurity funding and the importance of the risks across 
our States. In fact, with Ohio, our total Homeland Security 
award went down, even though the carve-out for cybersecurity 
went up.
    I just think we keep making the pie smaller and then 
putting another priority in that, really does not do justice to 
what we need for cybersecurity across the country.
    Senator Hassan. Do you think a dedicated grant program 
would better ensure that State and local cybersecurity needs 
are met?
    Ms. Huey. I do. I do believe it will, because I believe 
that we could do more planning, more coordination, and really 
work better with the local governments and the small business 
to bring everybody up to a level that we want them to be.
    Senator Hassan. Thank you.
    I have a couple of more questions if the witnesses will 
indulge me. I thank you. The testimony has been terrific, and I 
want to get to a couple of more things and make sure that there 
are not any other Senators who want to pop in and ask 
questions.
    Let me go to this one now, to Superintendent Holden, Mayor 
Schewel, and Judge Whitley. It has become increasingly clear 
how important cybersecurity is for all organizations. However, 
some officials in charge of setting priorities may not fully 
appreciate the vulnerabilities of their cyber systems. You all 
clearly pay more attention to cybersecurity issues than many 
others may.
    Superintendent Holden, Mayor Schewel, and Judge Whitley, do 
you believe that creating a State and local grant program 
dedicated to cybersecurity would encourage officials to focus 
more on it, and how might that increased engagement boost 
cybersecurity beyond just the extra resources that a grant 
program would provide? We will start with you, Superintendent 
Holden.
    Mr. Holden. Thanks for the question. Yes, I think a grant 
program and a committee to look at these things at the State 
level would absolutely highlight the need and the ability to 
continue to focus on these things. New Hampshire votes all 
State, whether it is through the Superintendents Association, 
through the Department of Education. I think the more attention 
that could be given in this small State, where we have a very 
locally committed but yet regionally organized, I think would 
absolutely benefit our ability to address some of these issues.
    Senator Hassan. Thank you. Mayor Schewel.
    Mr. Schewel. Thank you very much, Senator. Yes, definitely, 
we really need such a program, again, when I think about our 
small cities and how this would not just help them with funding 
but help them with the kind of coordination that you talked 
about. Again, 80 percent of cities in this country are below 
50,000 people in population, and their ability to do the work 
that they need to do for cybersecurity, they just simply cannot 
do it on their own.
    A grant program that would encourage the kind of 
cooperation necessary would be an incredible boon to those 
small cities. It would be good for all of us, but I think 
especially for our small municipalities it would be essential.
    Senator Hassan. Thank you. Judge Whitley.
    Judge Whitley. I think anything that helps in the 
coordination and the collaboration of understanding the issues 
and the problems will be very helpful. All too often, anyone 
who is affected is very reluctant to get out there and announce 
that they have been affected. Sometimes you feel like, OK, we 
are small enough, we will slip under the radar, and in today's 
environment that is just not happening.
    I think the more you can bring folks together, whether it 
be on a statewide basis or a regional basis or a county-wide 
basis, to talk about what is going on and to make people aware 
of some of the issues, that is going to be beneficial. That is 
going to maybe result in them allocating a few dollars that 
they have not allocated before, to help address, or to be 
prepared and understand that maybe your backup system was broke 
a week ago, and had you not done that, look at the effect that 
it would have had once you did get hit.
    The more collaboration that we can have with all of the 
entities around us, the better off we will be.
    Senator Hassan. Thank you. Ms. Huey, would you like to 
provide your perspective on this?
    Ms. Huey. I would agree with what the other witnesses were 
talking about. I think this is not an urban issue. When we 
think about criminal justice funding or some of those things we 
focus on big-city problems. This is a problem all across our 
local governments, regardless of size. Having the ability to 
help out the ones, as the mayor pointed out, with the smaller 
budgets, I think is critical. Again, that standard of 
preventive preparedness that we can bring everybody up to.
    Senator Hassan. Yes, I sometimes think people forget that 
coordination and preparedness takes resources. You can be well 
intentioned in it but if you do not have people who can spend 
the time doing it, it gets difficult to actually accomplish.
    Because I have the time, and I know, Ms. Huey, you have 
mentioned this too, I want to ask one more question to you, and 
then in a wrap-up question to all of you. I am going to preview 
the question so you can think about your answer. When we close 
I would like you to think about one piece of advice each of you 
would give to your colleagues working in State, county, local, 
or Tribal government when it comes to cybersecurity. That will 
be the final question.
    But first, Ms. Huey, I want to talk to you a little bit 
about the National Guard's role here. Earlier this year, 
Senator Cornyn and I reintroduced the bipartisan National Guard 
Cybersecurity Support Act. This legislation explicitly 
authorizes the National Guard to provide cybersecurity support 
services at the request of a State Governor, to be performed as 
training duty upon approval by the relevant service Secretary.
    Ms. Huey, can you speak to the role that the National Guard 
plays in Ohio's cybersecurity, particularly as a part of the 
larger plan for how Ohio is improving the cybersecurity of 
State and local systems?
    Ms. Huey. Absolutely. Thank you for that question. As I 
indicated in my comments earlier, the Ohio National Guard 
really took a lead role in cybersecurity early on in Ohio. The 
Cyber Reserve was authorized by our General Assembly in 2019, 
and they really went out and recruited that civilian expertise 
that really existed already in the State, and they were very 
strategic about making sure that each regional team had the 
breadth of experience that could respond to a variety of 
attacks. That has been very successful, and it is wonderful to 
see the Federal Government will be able to support that and 
backs that up. That has been something that we are very proud 
of here in Ohio.
    The Ohio Cyber Reserve, the Cyber Range Institute, is also 
connected to that, and that is in some of our universities is 
really a think tank and a testing site, and it is very 
education focused. We have the existing expertise in the Cyber 
Reserve and the Cyber Range is trying to build that workforce 
development through our K-12 and our universities.
    Senator Hassan. Thank you very much.
    Now the wrap-up question here, the one piece of advice each 
of you would give to your colleagues who are working State, 
county, local, or Tribal government when it comes to 
cybersecurity. Why don't we start with you, Mr. Lips, then we 
will go to Superintendent Holden, the mayor, and the judge, and 
then I will allow Ms. Huey to wrap it up.
    Mr. Lips. Thank you, Senator. One piece of advice I would 
offer to State, local, county, and other government officials 
working at that level is that it is very helpful for Members of 
Congress and congressional staff to hear your perspective about 
some of the challenges you are facing. In my testimony, I 
referenced the issue of compliance costs that the State CIOs 
have raised. It is very helpful to hear directly from State 
officials about what their day-to-day experience is and what 
those challenges are. I recall hearing from NASCIO and State 
CIOs in the anteroom several years ago, bringing that 
recommendation to my attention. There is great interest in 
their perspective, and it is very valuable to hear their view.
    Senator Hassan. Thank you, Mr. Lips. Superintendent Holden.
    Mr. Holden. Yes. I would let my fellow local and State 
folks know to be informed, to provide ongoing training and to 
implement needed systems, and that being proactive is a lot 
cheaper than being reactive.
    Senator Hassan. Thank you. Mr. Mayor.
    Mr. Schewel. Thank you, Senator. With your permission I 
will give two pieces of advice. One is to have an immutable 
backup of all data, including structured, unstructured, and 
binary data, and that is critical for quick recovery. We back 
up in Durham every 2 hours.
    Then second, having an established partnership between 
Federal, State, and private sector parties so that if you are 
attacked, if you quickly define and contain the threat, we were 
able to do that and quickly set up a war room, and that is what 
really contained the cyberattack that we had. Thank you for 
that question.
    Senator Hassan. Thank you. Judge Whitley.
    Judge Whitley. Again I want to thank everybody for the 
opportunity to speak today. The thing that I would say is test, 
train, perpetual, perpetual training and testing, to just keep 
at the front of everyone's minds that every time they are on 
that computer that there is someone trying to get in. The more 
we can do to keep our people thinking in that perspective, the 
better off we will be.
    Senator Hassan. Thank you, Judge. Ms. Huey.
    Ms. Huey. Thank you, Senator. My advice would be know your 
partners. Do not wait for the event to occur before you know 
who your resources are, your partners. Regularly communicate. 
There is a saying in the EMA world, that a disaster is not the 
place to exchange business cards. You need to know who your 
network is, and your partners that are to help in a situation.
    Senator Hassan. Thank you so much. I want to thank all of 
the witnesses this morning for giving us so much of your time 
and sharing your expertise and your perspective and experience. 
It is really invaluable and it really does help inform the work 
of this subcommittee and the U.S. Senate. Thank you.
    Your testimony here today is going to help us craft better 
bipartisan legislation to help State and local officials 
address cyber threats. The hearing record will remain open for 
15 calendar days, until 5 p.m. on July 2nd, for submissions of 
statements and questions for the record.
    The hearing is now adjourned.
    [Whereupon, at 11:51 a.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ---------- 
                              
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]