<html>
<title> - ADDRESSING EMERGING CYBERSECURITY THREATS TO STATE AND LOCAL GOVERNMENT</title>
<body><pre>[Senate Hearing 117-62]
[From the U.S. Government Publishing Office]


                                                         S. Hrg. 117-62

            ADDRESSING EMERGING CYBERSECURITY THREATS TO STATE
                            AND LOCAL GOVERNMENT

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                EMERGING THREATS AND SPENDING OVERSIGHT

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             JUNE 17, 2021

                               __________

        Available via the World Wide Web: http://www.govinfo.gov


                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs


                  U.S. GOVERNMENT PUBLISHING OFFICE
45-441 PDF                  WASHINGTON : 2021


        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk


        SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT

                 MAGGIE HASSAN, New Hampshire, Chairman
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                     Jason Yanussi, Staff Director
                            Peter Su, Fellow
                 Greg McNeill, Minority Staff Director
                Adam Salmon, Minority Research Assistant
                      Kate Kielceski, Chief Clerk


                            C O N T E N T S

                                 ------
Opening statements:
                                                                   Page
    Senator Hassan...............................................     1
    Senator Paul.................................................     3
    Senator Ossoff...............................................    17
Prepared statements:
    Senator Hassan...............................................    31
    Senator Paul.................................................    33

                               WITNESSES
                        Thursday, June 17, 2021

Karen J. Huey, Assistant Director, Ohio Department of Public
  Safety.........................................................     4
Hon. B. Glen Whitley, County Judge, Tarrant County, Texas........     6
Hon. Stephen M. Schewel, Mayor, City of Durham, North Carolina...     8
Russell E. Holden, Superintendent, Sunapee School District, New
  Hampshire......................................................     9
Dan Lips, Vice President for National Security and Government
  Oversight, Lincoln Network.....................................    11

                     Alphabetical List of Witnesses

Holden, Russell E.:
    Testimony....................................................     9
    Prepared statement...........................................    93
Huey, Karen J.:
    Testimony....................................................     4
    Prepared statement...........................................    35
Lips, Dan:
    Testimony....................................................    11
    Prepared statement...........................................    95
Schewel, Hon. Stephen M.:
    Testimony....................................................     8
    Prepared statement...........................................    47
Whitley, Hon. B. Glen:
    Testimony....................................................     6
    Prepared statement...........................................    40

                                APPENDIX

Statement submitted by the American Public Gas Association.......   101


                   ADDRESSING EMERGING CYBERSECURITY

                 THREATS TO STATE AND LOCAL GOVERNMENT

                              ----------


                        THURSDAY, JUNE 17, 2021

                                     U.S. Senate,
                       Subcommittee on Emerging Threats and
                                        Spending Oversight,
                    of the Committee on Homeland Security
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:15 a.m. via
Webex and in room 342, Dirksen Senate Office Building, Hon.
Maggie Hassan, Chairman of the Subcommittee, presiding.
    Present: Senators Hassan, Sinema, Rosen, Ossoff, Paul,
Scott, and Hawley.

             OPENING STATEMENT OF SENATOR HASSAN\1\

    Senator Hassan. The hearing will now come to order. Good
morning. The Subcommittee on Emerging Threats and Spending
Oversight (ETSO) convenes today's hearing to discuss the
threats to State and local entities from cyberattacks and the
consequences of those attacks on national security, the
economy, and the lives of our citizens. We will discuss what
State and local entities need in order to be able to
effectively respond to cyber threats, and how the Federal
Government can best support State and local authorities as they
work to combat the growing wave of cyberattacks.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Hassan appears in the
Appendix on page 31.
---------------------------------------------------------------------------
    While the SolarWinds, Colonial Pipeline, and JBS
meatpacking cyberattacks rightly received a lot of attention in
recent months, State, local, and Tribal entities have also
faced serious cyberattacks that can cripple services for
citizens and decimate local budgets.
    The cybersecurity firm, Emsisoft, estimated that the total
cost of publicly known ransomware attacks on State and local
governments in 2020, including cost to restore functionality
and services, was nearly $1 billion. A report from
cybersecurity firm, BlueVoyant, found that there was a 50
percent increase in the number of cyberattacks against State
and local entities from 2017 to 2019. At the same time, the
average ransom demanded in these attacks increased 10 times,
and the average cost to taxpayers to clean up after a single
cyberattack rose to the millions of dollars.
    Today's hearing sheds a light on the impact of attacks like
the one we saw on the Sunapee School District in my home State
of New Hampshire, which is represented here today by
Superintendent Russell Holden. Luckily for the Sunapee
community, the district had a plan in place, including a
separate backup system, so it was able to resume operations
soon after the attack was discovered, without paying ransom. I
thank you, Superintendent Holden for your leadership on
cybersecurity for school districts.
    Amid the coronavirus disease 2019 (COVID-19) pandemic, we
have also seen more than ever the importance of shoring up our
cybersecurity. State and local agencies depend on digital
delivery of services to Americans, and many State and local
employees are also connecting to central networks from home in
order to do their work remotely. More investment at all levels
of government is needed to strengthen cyber defenses.
    A 2020 survey of State chief information security officers
(CISOs) found that most States only spend 1 to 3 percent of
their overall information technology (IT) budgets on
cybersecurity, compared to about 16 percent for Federal
agencies, and many local governments, with their smaller
budgets, are even worse off. Cybersecurity risks will continue
to rise if State and local entities are not able to strengthen
their cyber resilience.
    I am working across the aisle to help State and local
officials address cyber threats and increase information-
sharing at the Federal, State, and local level. I am pleased
that the most recent National Defense Authorization Act (NDAA)
included my provision to provide each State with a federally
funded cybersecurity coordinator. These coordinators will
provide each State and local governments within them with a
local contact who can provide support and technical knowledge,
and act as a bridge to the Federal Government. I was very happy
to recently learn that New Hampshire's coordinator came on
board in the last week.
    In addition, in this Congress I introduced a bipartisan
bill with Senator Cornyn to better enable the National Guard to
support State and local government cybersecurity. But we need
to do more. That is why I am also working with my fellow
Senators to craft a dedicated cybersecurity grant program for
State and local governments.
    I am excited to discuss these ideas and more with our five
insightful witnesses today. Four of them represent a State, a
county, a city, and a school district, and can help us better
understand the unique environment that each have to operate
within. They can also help us better understand which types of
Federal support may be the most effective. The fifth witness is
an expert in Federal cybersecurity policy and notably a former
senior staffer for the Homeland Security and Governmental
Affairs Committee (HSGAC). To all of our witnesses, I
appreciate your willingness to testify. I want to thank you all
for the role you play in helping to keep all of us safe, and I
look forward to learning from you today.
    With that I will now recognize Ranking Member Paul for his
opening remarks.

              OPENING STATEMENT OF SENATOR PAUL\1\

    Senator Paul. Thank you, Chair Hassan, and thank you to our
panelists today for your time. I look forward to hearing from
each of you.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Paul appears in the Appendix
on page 33.
---------------------------------------------------------------------------
    I would like to begin my remarks with an observation, which
is that the recent wave of ransomware attacks seems to have
broken through into the public consciousness. I traveled to my
home State of Kentucky recently, and was asked more questions
about cybersecurity in those 10 days or so than in the previous
10 years. Of course, we as policymakers have been concerned
about this malicious activity for some time, and at the Chair's
request the Subcommittee held a hearing on this last December,
and I am glad that we are still continuing to look at this
issue.
    From what I saw and heard from the people I represent,
there is now a much more widespread appreciation for how
disruptive these attacks can potentially be. Obviously, the
Colonial Pipeline interruption and the spectre of gas shortages
was a major concern. The Kentuckians I spoke to were also
concerned about the ransomware attacks affecting North American
meatpacking facilities owned by JBS, which may not have
received quite as many headlines as the pipeline but which was
also alarming.
    Clearly we have a problem on our hands. The nation must be
able to secure its food supply and deliver fuel where it is
needed. Recent cyberattacks have also targeted hospitals,
school systems, water systems, and other essential services.
    How can we combat this? As the old saying goes, an ounce of
prevention is worth a pound of cure. Cybersecurity must be
prioritized in the same way that any other essential services
are prioritized. As we will hear, recovering from cyber events
such as ransomware attacks and data breaches, is several orders
of magnitude more costly than what it takes to implement and
maintain good cybersecurity practices on the front end.
    Finally, I believe Congress needs to make sure that the
Federal Government's role in detecting and responding to
cyberattacks is limited and clearly defined, and that Federal
cybersecurity personnel are focused, first and foremost, on the
security of Federal information networks. The government can
and should share information on threats and best practices with
the private sector, State, local, Tribal, and territorial
(SLTT) authorities. However, Congress must keep critical
infrastructure operators and State, local, Tribal, and
territorial in the proverbial driver's seat. One size fits all
is not always the answer. Centralization is also not always the
answer to cybersecurity.
    I am particularly worried about a proposal that recently
passed the House of Representatives which would create a new,
multibillion-dollar grant program to subsidize State and local
cybersecurity. The Washington solution seems to be throw money
at every problem, with the result being a $28 trillion national
debt.
    As Americans, we face cybersecurity concerns that involve
the availability of gasoline, the food supply, the electric
grid, water, sanitation systems, and our communication
networks. Some of these are the very fundamental building
blocks of our society.
    I look forward to the conversation, and I think we can all
be open to what the solutions are, but I think we also need to
be conscious of the fact that many of these things can be done,
and are being done, in the private sector.
    Thank you.
    Senator Hassan. Thank you, Ranking Member Paul.
    It is the practice of the Homeland Security and
Governmental Affairs Committee to swear in witnesses. Mr. Lips,
if you could please stand, and all the witnesses who are
joining us virtually could stand as well, and please raise your
right hand.
    Do you swear that the testimony you give before this
Subcommittee will be the truth, the whole truth, and nothing
but the truth, so help you, God?
    Ms. Huey. I do.
    Mr. Lips. I do.
    Mr. Whitley. I do.
    Mr. Schewel. I do.
    Mr. Holden. I do.
    Senator Hassan. Thank you. Please be seated.
    Our first witness today is Ms. Karen Huey, Assistant
Director of the Ohio Department of Public Safety. As Assistant
Director, Ms. Huey manages the department's six divisions,
including Ohio Emergency Management and Ohio Homeland Security.
Ms. Huey was previously the Assistant Superintendent of the
Ohio Bureau of Criminal Investigations, and she has nearly 25
years of experience in State government. Ms. Huey also
currently serves as the homeland security advisor to Ohio
Governor Mike DeWine.
    Welcome, Ms. Huey. You are recognized for your opening
statement.

    TESTIMONY OF KAREN J. HUEY,\1\ ASSISTANT DIRECTOR, OHIO
                  DEPARTMENT OF PUBLIC SAFETY

    Ms. Huey. Good morning. Chair Hassan, Ranking Member Paul,
and Members of the Subcommittee, we appreciate the opportunity
to share Ohio's specific concerns and information with you this
morning. The topic of today's hearing is of great importance,
and although I speak with you today from the State of Ohio, I
know many of my colleagues from across the country would echo
these comments.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Huey appears in the Appendix on
page 35.
---------------------------------------------------------------------------
    Today I would like to share our concern that a small carve-
out for cybersecurity in the current Homeland Security funding
does not meet the needs of our State and local governments. The
current challenge of cyberattacks, as the Federal Bureau of
Investigation (FBI) Director Wray recently said, is equal to
the challenge we faced by the September 11th terrorist attack.
    Preventing cyberattacks takes dedicated resources,
coordinated strategies, and local commitment. Ohio is investing
in and making strides in our efforts to strengthen
cybersecurity. The Ohio National Guard has taken the lead and
brought together more than 30 public, private, military, and
educational organizations to form the Ohio Cyber Collaboration
Committee (OC3). Its mission is to develop a stronger
cybersecurity infrastructure and workforce.
    Two major accomplishments of the OC3 are the Cyber Range
Institute and the Ohio Cyber Reserve. As the Subcommittee is
aware, States have been receiving Homeland Security Grant
funding since 9/11. It has allowed us to build fusion centers,
harden targets, identify critical infrastructure, and form
relationships across sectors that never worked together before.
    A great example of this occurred last week in Ohio. Ohio
Homeland Security was alerted by a Federal Department of
Homeland Security (DHS) intelligence officer who shared
information about two Chinese video surveillance companies
whose products have been banned by the Federal Government since
2018. Despite that Federal ban, dozens of these systems were
purchased in Ohio, including some school districts and at least
one hospital.
    Ohio Homeland Security immediately distributed a
situational awareness bulletin to alert those Ohio entities
that these companies are likely providing U.S. customer data to
the Chinese government for espionage and surveillance
operations. Almost immediately we started receiving concerned
calls from Ohio entities that had purchased these products. We
were able to provide high-level technical mitigation
information and CISA personnel are working on a more detailed
risk management solution.
    With the inclusion of cyber as a priority in the Homeland
Security Grant, Ohio's local governments are struggling to
address traditional preparedness needs while also prioritizing
cyber projects. As the seventh-largest State, with a population
of over 11 million, Ohio currently receives $6.7 million in
Homeland Security funding. The current carve-out for
cybersecurity is less than $340,000. I would assert that
continued use of a small portion of Homeland Security Grant
dollars both takes away from the needs of the traditional
Homeland Security efforts and minimizes the importance of
cybersecurity that we are talking about today.
    We would urge Congress to consider a dedicated grant
program that will enhance Ohio's and other States' ability to
focus on cybersecurity capabilities. We would focus on three
main areas for dedicated funding. The State would share
industry standards with its local governments and small
businesses; the State would also offer assessments of current
systems to identify gaps and direct local governments to
resources. We would provide education and training that
includes cyber exercises, end user training, and resources and
guidance documents.
    The State would make improvements to existing secure
communication platforms that would be used to gather and
disseminate important, timely cyber threat information to our
trusted partners.
    The last piece I would mention, if there is dedicated
funding, we would like to see that future funding require a
condition that recipients share indicators of compromise and
intrusion with the State in a confidential manner. Adding a
requirement of after-action reporting will allow us to learn
from and be better prepared for incidents in the future.
    In closing, many States like Ohio recognize the importance
of responding to cyber incidents and building a level of
preparedness with our local governments. Our hope is that a
dedicated cyber grant program will help ensure that we remain
prepared for both the traditional terrorist event and the cyber
threat, without having to choose between the two.
    We appreciate the Subcommittee's commitment to addressing
cybersecurity. On behalf of the Ohio Department of Public
Safety, thank you for the invitation to testify.
    Senator Hassan. Thank you very much, Ms. Huey, for that
excellent testimony.
    We now turn to our second witness, Judge Glen Whitley,
County Judge for Tarrant County in Texas. Judge Whitley has
served as Tarrant County Judge since 2007, and previously
served as Tarrant County Commissioner since 1997. Judge Whitley
presides over the Tarrant County Commissioners Court and
provides leadership on issues related to policy and county
services for the 15th-largest county in the United States. He
was also a board member of the National Association of Counties
and one of its past presidents. As County Judge, Judge Whitley
also serves as the head of Emergency Management for Tarrant
County.
    Welcome, Judge Whitley. You are recognized for your opening
statement.

 TESTIMONY OF THE HONORABLE B. GLEN WHITLEY,\1\ COUNTY JUDGE,
                     TARRANT COUNTY, TEXAS

    Judge Whitley. Thank you, Chairwoman Hassan, Ranking Member
Paul, and Members of the Subcommittee. My name is Glen Whitley
and I serve as County Judge for Tarrant County, Texas. I also
serve on the Board of Directors for the National Association of
Counties, and it is an honor to participate in today's hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Judge Whitley appears in the Appendix
on page 40.
---------------------------------------------------------------------------
    In just the past year, we have seen several cyberattacks
cause major disruptions across the United States. These attacks
all demonstrate the vulnerability of our nation's cyber
infrastructure. At a local level, Pinellas County, Florida
recently experienced an attack on their water treatment
facility that allowed hackers to manipulate their water supply.
As county reliance on technology increases, these attacks will
likely increase as well.
    To better understand how local government can respond to
cyber threats, it is important to start with an understanding
of the underlying challenges to the local revenues and
resources. General revenue from local property taxes are the
backbone of county funding, because they are not restricted to
a particular activity. Currently, though, 43 States are
imposing some type of limitation on a county's ability to
increase local taxes.
    Restrictions on Federal and State resources also remain a
challenge. Locally collected general revenues are not
restricted to a particular activity. Unfortunately, about 93
percent of State and Federal funding used by county governments
is restricted to a specific function. Matching requirements for
Federal grant and loan programs also make leveraging Federal
resources impossible for many counties.
    We applaud Congress for providing $61.5 billion to county
governments in the American Rescue Plan (ARP) Act. However,
local governments are prohibited from using these dollars as a
non-Federal match for grant and local programs. Without
relieving these pressures, counties will struggle to invest in
the cybersecurity infrastructure they need.
    Collectively, counties own or operate thousands of
hospitals, public health departments, water and waste
management centers, jails, and emergency operations centers,
all of which create significant cyber vulnerabilities. Without
robust and reliable funding, these local assets expose our
communities and these critical programs and services.
    It is important to note that cybersecurity needs are not
only driven by exposures and vulnerabilities but also by the
need to meet national standards. In Tarrant County, we adhere
to the four principles of the NIST Cybersecurity Framework.
Achieving and maintaining the core principles require an
Information Security Program that includes policies,
procedures, and resources. While policies and procedures can be
downloaded and customized, resources require continuous
funding.
    More generally speaking, county cyber resources are
typically directed to three main areas: education,
infrastructure, and preparedness.
    An organization's greatest cyber weakness is the end user
or the employee. A recent cybersecurity survey found that 70
percent of the employees polled said they had recently received
training from their employers, yet 61 percent failed their
basic quiz.
    One of the best cybersecurity practices is the
implementation of multi-factor authentication. Counties must
also update and replace network devices and vet cloud software
and supply chains, all of which require time, money, and
skilled personnel.
    Preparedness depends on the county's ability to effectively
monitor cyber threats. Counties must develop, test, and retest
security policies and incident procedures or hire trusted,
expensive third-party contractors.
    As the Committee considers how to best allocate
cybersecurity investments, it is imperative that Federal
resources reach their intended targets as quickly as possible.
We applaud Chairwoman Hassan's work to provide local
governments with reliable and flexible cybersecurity resources
in the State and Local Cybersecurity Improvement Act.
    In closing, counties need a strong Federal partner that can
provide direct and flexible resources that allow local
governments to adopt resources to meet the unique needs of
their communities. This is especially true for cybersecurity
resources. Again, local governments own and operate some of our
nation's most critical infrastructure.
    Thank you for allowing me to be here today.
    Senator Hassan. Thank you very much, Judge. Now we will
move on to our third witness, Mayor Steve Schewel of Durham,
North Carolina. Mayor Schewel has served as mayor since 2017,
and previously served 6 years on the Durham City Council and as
Vice Chair of the Durham Public School Board. He is a long-time
member of the Durham community and a visiting professor at the
Sanford School of Public Policy at Duke.
    Welcome, Mayor Schewel. You are recognized for your opening
statement.

 TESTIMONY OF THE HONORABLE STEPHEN M. SCHEWEL,\1\ MAYOR, CITY
                   OF DURHAM, NORTH CAROLINA

    Mr. Schewel. Thank you very much, Chair Hassan, Ranking
Member Paul, and Members of the Subcommittee. On behalf of the
city of Durham and the National League of Cities, thank you for
convening this important discussion today. I am Steve Schewel,
mayor of the great city of Durham, North Carolina, home to more
than 280,000 residents, and home to Duke University, North
Carolina Central University, and North Carolina's Research
Triangle region.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Schewel appears in the Appendix
on page 47.
---------------------------------------------------------------------------
    Cybersecurity is a top priority for the city of Durham. Our
city has experienced recent cyberattacks, including a
ransomware attack in March 2020, at the start of the COVID-19
pandemic. During that attack, our city was fortunate to
maintain functioning of critical systems, including our 911
call center, and we did not pay a ransom. This was due to the
city's prioritization of cybersecurity planning and preparation
in the wake of an extremely disruptive attack on Durham Public
Schools in 2009, and a smaller malware attack on city networks
in 2018. Our city was able to resume full network functioning
in less than a week after the attack. This was thanks to our
advanced planning, our robust system of cloud backups for city
data, and our partnerships with our vendors, the FBI, and the
North Carolina National Guard.
    However, this preparation is costly for our city, and too
many cities, towns, and villages are not as well prepared as
the city of Durham. It is not a matter of if another
devastating attack will paralyze critical municipal networks
and infrastructure, but when.
    The United States has thousands of municipal governments
which operate water systems, gas and electric utilities, 911
answering centers, transportation systems, and countless other
critical services. Most of these municipal governments are
small with limited budgets. Cybersecurity is competing directly
with direct services such as providing safe, quality drinking
water, maintaining infrastructure, such as replacing 100-year-
old water pipes or repaving pothole-ridden streets, and
employing first responders to keep our communities safe.
    Meanwhile, cybersecurity has become more complicated and
expensive every year. Criminal organizations, including State-
backed criminals, continue to develop sophisticated methods for
penetrating public networks and disrupting city functions. Even
small-town networks are attractive targets for these bad
actors, and we can no longer rely on security through
obscurity.
    Relatively basic steps, such as implementing multi-factor
authentication, conducting cyber hygiene training for city
staff and elected leaders, and maintaining up-to-date hardware
and software can be very costly for a city. Many
municipalities, including the vast majority of smaller towns,
lack sufficient budget for cybersecurity and outsource most IT
functions. We depend on our partnerships with vendors, the
State, and Federal agencies to keep our networks safe and
recover from an attack.
    Congress has the opportunity to bolster these partnerships
and provide cities, towns, and villages with new resources to
strengthen our collective security posture. We recommend three
principles for any new cybersecurity program in support of
State and local governments.
    First, Congress should provide sustainable new funding
without cannibalizing existing public safety grant programs.
Cybersecurity measures are ongoing expenses, and while a one-
time grant will help get some efforts off the ground, network
monitoring, training, and upkeep must be budgeted for every
year.
    Second, Congress should prioritize intergovernmental
partnership. Closer collaboration between city, county, State,
and Federal agencies on things like planning, procurement,
training, and incident response will help reduce the impact of
attacks experienced by local governments and the time needed to
recover.
    Finally, Congress must be careful not to impose a one-size-
fits-all solution on local governments. Cities and towns come
in all shapes and sizes. Some would benefit most from a direct
grant, while smaller communities may prefer that Federal
support be administered by the State.
    Again, I thank you so much for your attention on this
important and timely issue, and I look forward to your
questions. Thank you very much.
    Senator Hassan. Thank you so much, Mayor. I really
appreciate the testimony.
    Now we will go to our fourth witness today, Superintendent
Russ Holden, of Sunapee School District in my home State of New
Hampshire. Superintendent Holden has worked as a public school
administrator in New Hampshire for the last 26 years. As
superintendent, he is responsible for evaluation of all
administrators and directors for the school district, and for
managing all Federal and State grants. He is also the Vice
President of the New Hampshire School Administrators
Association, where he serves as the chair of the Policy
Committee.
    Welcome, Superintendent Holden. I am looking forward to
when I can see you again in person, and you are recognized for
your opening statement.

  TESTIMONY OF RUSSELL E. HOLDEN,\1\ SUPERINTENDENT, SUNAPEE
                 SCHOOL DISTRICT, NEW HAMPSHIRE

    Mr. Holden. Thank you, Senator Hassan, and thank you to the
Subcommittee. I appreciate the opportunity to speak to you
today, and I will keep my comments brief because you have my
written testimony.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Holden appears in the Appendix on
page 93.
---------------------------------------------------------------------------
    In October 2019, we came in after a weekend and found out
that our data had been held for ransom, and everything that we
had in our school district was kept from us. Sunapee is a small
district in the western part of the State. We have about 430
students, Pre-K through 12, and about 120 faculty members. Our
IT department consists of 1.3 people. We are basically the
biggest employer in our town.
    Upon finding that we were held for ransom we quickly
notified our local police and State police and our insurance
carrier. Unfortunately, neither our local police or State
police at the time really did not have much assistance that
they could give us, and the assistance really came from our
insurance carrier, putting us in touch with professionals and
lawyers that had dealt with these situations in the past.
    Fortunately enough we had a backup system in place, and the
interesting piece about our backup system was prior to this
incident, a week prior, we realized that our backup system had
failed, and if we had not recognized that at that time and
instituted a new backup system, we would have lost information
going back 6 months. With the backup system in place, we were
able to recover our data, without paying the ransom.
    The long and short, we accumulated fees and materials
totaling more than $40,000, and it took over 9 days for our IT
department to get us back up and running fully.
    While 9 days may not seem like a lot, fortunately
technology has really integrated itself into education, and
education into technology, and really having our teachers pivot
very quickly and go back to some of the older ways that we
learned how to educate our students, using more paper, pencil,
and traditional materials. Our ability to do that really
allowed us to continue and not to have to cancel school and
allowed us to stay in school and educate our children, which is
our primary task.
    We have about a $12.5 million budget here in Sunapee, and
about $500,000 of that is dedicated to technology. After going
through this ransom situation, we invested last year $10,000 to
go through an audit that looked at our entire security system.
\nThrough that audit, much of what other folks are presenting \nhere today have said, we found out that we quickly needed to \nput things in place, like disaster recovery plans, business \ncontinuity plans, backup systems particularly that can be held \noffsite or in the cloud, enabled multi-factor authentication, \nand train ourselves in phishing drills and help educate staff \nand students on outside threats, including looking at dry \nsprinkler systems within our IT server closets.\n    Again, as I mentioned, our IT department consists of 1.3 \npeople. Going through that audit process we quickly realized \nthat we were completely understaffed, but hiring a new person \nwould add at least one percent to our overall budget.\n    I am also a member of the American Association of School \nAdministrators (AASA), and was completing my national \ncertification program in February 2020, and I had the \nopportunity to share this incident with 20 colleagues from \nacross our country, from States of California, Pennsylvania, \nIllinois, and Virginia. At that point in time, little old \nSunapee represented the smallest school district in the cohort, \nBakersfield, California, with 260,000 students. When speaking \nto my colleagues they all said, ``We are not prepared to know \nwhat we would be able to recover the data potentially that was \nlost and get ourselves back on our feet.''\n    I would echo again what some of the other folks said here \ntoday. 
I think there are ways that we can look at Federal \nmonies, either using Homeland Security or Title IV monies that \nare given to school districts, try to free up some of the \nrestraints and constrictions that are on those so they can be \nsent to help us look at more appropriate ways and more \nsufficient ways to help educate our students and staff and \ncommunity of these security and ransom attacks.\n    I would again thank the Senate Subcommittee and Senator \nHassan for representing the State of New Hampshire and by \ncontinuing to bring this topic forward. Thank you.\n    Senator Hassan. Thank you, Superintendent Holden.\n    Now I am going to turn to our final witness who is joining \nus in person in the hearing room today, Mr. Dan Lips, Vice \nPresident for National Security and Government Oversight at the \nLincoln Network. At the Lincoln Network, Mr. Lips focuses on \nresearch and advocacy between technology, government oversight, \nand national security.\n    Mr. Lips began his career as an intelligence analyst with \nthe FBI. He also served as a staff member of the Senate \nHomeland Security and Governmental Affairs Committee, where he \nworked on cybersecurity policy and served as Homeland Security \nPolicy Director.\n    Welcome, Mr. Lips. You are recognized for your opening \nstatement.\n\nTESTIMONY OF DAN LIPS,\\1\\ VICE PRESIDENT FOR NATIONAL SECURITY \n           AND GOVERNMENT OVERSIGHT, LINCOLN NETWORK\n\n    Mr. Lips. Thank you. Good morning, Chairwoman Hassan, \nRanking Member Paul. Thank you for the opportunity to testify.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Lips appears in the Appendix on \npage 95.\n---------------------------------------------------------------------------\n    My name is Dan Lips. I am the Vice President for National \nSecurity and Government Oversight at Lincoln Network. As a \nformer HSGAC staffer, it is a real honor to testify. 
I \nsincerely respect the Members and staff of this Committee and \nthe work that is done in this hearing room.\n    We have heard sobering testimony this morning. State and \nlocal governments face growing cyber threats that warrant a \nproactive response by the Federal Government. But Congress \nshould be thoughtful about the resources currently available to \nspend on cybersecurity. The Government Accountability Office \n(GAO) has warned that the Nation is on an unsustainable fiscal \npath, including that the growing Federal debt could cause a \nlarge drop in the value of the dollar and limit Congress' \nability to respond to future emergencies.\n    With that context, what should Congress and the Committee \ndo to help State and local governments manage growing cyber \nrisks? I will offer four recommendations.\n    First, Congress should streamline Federal rules to reduce \nState governments' compliance costs to allow more resources to \nbe spent on improving security. For years, the National \nAssociation of State CIOs and the National Governors \nAssociation (NGA) have urged Congress and the White House to \nharmonize agencies' information security rules, which are often \ncontradictory and duplicative.\n    In 2018, the Oklahoma State CIO testified that his office \nspent 10,000 personnel hours complying with Federal rules and \naudits. That is a year's worth of work for five employees, \nfull-time, and that is time that could be spent otherwise on \nimproving security.\n    GAO has reported that the Office of Management and Budget \n(OMB) has issued guidance to agencies, encouraging them to \nharmonize rules, but did not require them to do so. Congress \nand the Committee could pass legislation to require agencies to \nharmonize Federal rules and audits to fix this problem.\n    Second, Congress should prioritize cybersecurity and \nexisting Homeland Security Grant programs, and States should \nuse available Federal funds for cybersecurity. 
I appreciate \nthat Members of Congress have proposed creating a new \ncybersecurity grant program, but DHS, through the Federal \nEmergency Management Agency (FEMA), already awards more than $1 \nbillion in annual Homeland Security Grants. Secretary Mayorkas \nrecently announced the Department would require grant \nrecipients to spend 7.5 percent of grants on cybersecurity. \nCongress could further increase that amount.\n    But States and localities do not need to wait on Congress. \nThey already have billions in unspent DHS grants and other \nfunds that could be used for cybersecurity. According to OMB, \nStates had not spent 50 percent of the Homeland Security Grants \nthat have been awarded since 2015, and $2.7 billion was still \navailable as of 2020. After receiving $340 billion in \nadditional funds through the American Rescue Plan, State and \nlocal governments should have resources to improve \ncybersecurity.\n    Third, the Federal Government should share meaningful \nthreat information and security recommendations to help \norganizations manage cyber risks. Over the past decade, \nCongress has passed bipartisan laws to establish Federal \nprograms to facilitate information sharing. But watchdogs have \nidentified limitations and opportunities to improve DHS' \ninformation-sharing programs. Congress should press the \nDepartment to implement these recommendations.\n    The Federal Government should also better leverage its \nexpertise to help State and local governments and other \npartners implement best practices. For example, NIST provides \nvaluable guidance through its Cybersecurity Framework. But the \nframework includes a checklist of more than 100 \nrecommendations, which are difficult for many organizations to \nfully implement.\n    The White House recently issued a memo to American \ncompanies with five specific recommendations to prevent and \nprepare for ransomware attacks. 
This is exactly the kind of \nspecific and focused security recommendations that are needed \nto help organizations manage cyber risk.\n    Fourth, Congress and the Subcommittee should conduct a \nstrategic review of cyber threats and assess current and future \nresource needs to manage long-term risks. The intelligence \ncommunity (IC) recently assessed that technological innovations \nwill likely result in increasing competition in the cyber \ndomain in the future. Congress should forecast what resources \nare needed moving forward.\n    President Biden proposed spending $9.4 billion on Federal \ncivilian agency cyber programs in his recent budget, or a 14 \npercent increase. In comparison, he proposed spending $750 \nbillion on national defense. Congress should consider whether \nthese resource allocations are appropriately balanced to \naddress current and future threats.\n    There is also significant waste in the Federal budget, such \nas the $75 billion that is lost annually on improper payments, \naccording to GAO, which is much larger than what Congress \ncurrently spends on cybersecurity. Given the Subcommittee's \nmandate, you are uniquely positioned to review and forecast \nwhat Federal spending resources are needed to counter emerging \nthreats.\n    Again, thank you for the opportunity to testify. I look \nforward to your questions.\n    Senator Hassan. Thank you so much, Mr. Lips, for that \ntestimony. We now will turn to our rounds of questions. I will \nstart and then move to Ranking Member Paul.\n    To Ms. Huey and Mayor Schewel, a functioning government \ndepends on functioning computer systems, and we have seen this \nmore than ever during the COVID-19 pandemic. A cyberattack on a \nState or local entity can easily disrupt services to people or \nhamper the functioning of a government entity.\n    Ms. Huey and Mayor Schewel, can you outline what the \nconsequences might be of a cyberattack on your organization? 
\nWhat data do you have that would potentially be at risk? What \ncritical services might be disrupted? We will start with you, \nMs. Huey.\n    Ms. Huey. Thank you. At the Ohio Department of Public \nSafety we have, obviously, several large systems under the \nBureau of Motor Vehicles. You can picture the driver's license, \nvehicle registration, all of that citizen data would be \nimpacted if we sustained an attack.\n    In addition to that, we also operate the Law Enforcement \nAutomated Data System (LEADS), and this is the system that \ncollects all local law enforcement arrests, criminal justice \ninformation. It is shared throughout the State, and it is also \nshared with our Federal partners.\n    We feel that we have very robust security measures around \nthis, but it obviously would be a very big blow to public \nsafety at the State, local, and Federal level if something were \nto happen to LEADS.\n    Finally, we use a confidential information management \nsystem for Homeland Security to communicate with our trusted \npartners, and we would hate to see something happen to that, \nthat would disrupt services to our citizens.\n    Senator Hassan. Thank you. Mayor Schewel.\n    Mr. Schewel. Thank you very much. Our 911 center is \nabsolutely crucial. We receive 300,000 calls a year to our 911 \ncenter, and any disruption in that service would be a terrible \nblow to our residents. In addition, we operate a water system \nthat has 90,000 customers, and 25 million gallons a day of \nwater. Any disruption to that would also be an absolutely \nterrible blow.\n    There are other systems as well, but I think those are the \ntwo most crucial systems that we operate that could potentially \nbe devastatingly impacted by a cyberattack.\n    Senator Hassan. Thank you very much, Mr. Mayor.\n    The next question is for Superintendent Holden, again Mayor \nSchewel, and Judge Whitley. 
Superintendent Holden, Mayor \nSchewel, and Judge Whitley, you all experienced a cyberattack \nwithin the last few years. Would each of you highlight the \nactions your organizations took to limit the impact of these \nattacks on your operations? What can other local entities learn \nfrom your example? We will start with you, Superintendent \nHolden.\n    Mr. Holden. Thank you, Senator. I think first and foremost \nI have to say what will win at that is your personnel. Having \ndedicated IT professionals that are willing to spend the time \nand energy to continue to be up to date and put not only \nsystems in place but to stay current on what is going on in the \nworld around us, when it comes to these matters. Making sure \nthat the appropriate training is in place, making sure that you \nhave the proper amount and rightly placed backup systems I \nthink are also a key part of ensuring these things did not \nhappen and preventing them from happening.\n    Again, the last piece I think, again going back to the \ntraining, we are only going to be as good as our users. At \nSunapee we have about 650 end users, and that is what it is \ngoing to come down to, how well we can train our end users.\n    Senator Hassan. Thank you. Mayor Schewel.\n    Mr. Schewel. We had a terrible attack, devastating attack \non Durham Public Schools network in 2009, and after that we \nestablished plans and policies and procedures to ensure that \nthe city would not experience a similar costly disruption. We \nestablished a comprehensive plan and budget for improvements \nover time. 
We established working relationships with the FBI, \nState leaders in North Carolina, the Multistate Information \nSharing and Analysis Center, and these plans were tested in \n2018, when a second attack occurred, this time impacting the \ncity's fleet vehicle network.\n    We established a war room, once we were attacked in 2020, \nwith representatives from our staff, contractors, other \ngovernmental partners, including the North Carolina National \nGuard, to respond to and recover from the attack. I will say \nthis was made particularly challenging, because we were \nnavigating this with the new social distancing protocols that \nwe needed in March 2020. We were fortunate that we had regular \nbackups from all city data, and that was crucial.\n    Senator Hassan. Thank you. Judge Whitley?\n    Judge Whitley. Again, I think the backups, we have heard \nthis mentioned a couple of times today already. That is very \nimportant. We have a playbook that we look at, that helps us to \nidentify, contain, eradicate, and really begin the recovery \nfrom that. Then we go back to the education process of trying \nto make sure folks understand and learn from any issues that we \nhave, and we looked at that. We always are having tabletop \ndiscussions and exercises, from that standpoint.\n    Senator Hassan. Thank you very much, sir.\n    One more question before I turn to the Ranking Member. To \nSuperintendent Holden and Judge Whitley, good cybersecurity \nrequires up-front investment, but State and local entities \noften have limited resources and they have to balance competing \npriorities. 
A Federal grant program that focuses on \ncybersecurity can help relieve State and local resource \nconstraints and increase investment in cybersecurity.\n    Superintendent Holden and Judge Whitley, what are the \nresource constraints that you face when deciding how much to \ninvest in cybersecurity, and are there improvements to \ncybersecurity resiliency that you would make if given a \nreasonable amount of additional resources?\n    We will start with you, Superintendent Holden.\n    Mr. Holden. Thanks, Senator. The answer to your last \nquestion is yes, absolutely. Our ability to improve our \nresources greatly has an impact on our financial situation. One \nof the first things I think that comes to mind for us would be \na dual authentication, and that would be allowing you to sign \nin not only on a computer but on another device. That would us \nhaving another device for every person in our district, so \nbasically doubling what it is that we currently have in the \npublic sector. That would have a tremendous impact on our \nbudget. Thank you.\n    Senator Hassan. Thank you. Judge Whitley.\n    Judge Whitley. I think as we look through there is always \nthe balancing of how do we spend our dollars, and more often \nthan not now what we are seeing are attempts, sometimes from \nthe State level, to limit the amount of dollars that we can \nraise and to be able to allocate. Flexibility is key as far as \nI am concerned.\n    One of our witnesses before talked about how different we \nare among counties, among States, among cities and towns. The \nflexibility really allows the local area to assess the threats \nthat they feel most strongly about and to be able to allocate \nthat, among personnel or among different programs.\n    Senator Hassan. Thank you. I will now turn to the Ranking \nMember for his round of questions.\n    Senator Paul. Mr. 
Lips, the Chairwoman and I have been \ninterested in duplication, and I have a bill actually to have \nreports on bills from the Congressional Budget Office (CBO), \nwhether or not we already are doing through another program. \nYou mentioned that we hand out FEMA grants that already deal \nwith cybersecurity. In your opinion, would a new grant program \njust for cybersecurity be a duplication of what we are already \ndoing through the FEMA grants?\n    Mr. Lips. I believe so, particularly since cybersecurity is \nan allowed use of the existing FEMA grants.\n    Senator Paul. I think this is an important question because \nmoney does not grow on trees. We are institutionally about $1 \ntrillion short every year, just for Medicare, Medicaid, food \nstamps, and the military. We are short on the ordinary \nexpenses, and we have been adding extraordinary expenses of \ntrillions of dollars. Last year the deficit was over $3 \ntrillion, likely over $3, maybe even $4 trillion this year. We \nhave to figure out how to most wisely use our resources.\n    I was intrigued by your point, though, that even without \nlegislation we are giving $1 billion a year--so we have about \n$5 billion over the last 5 years--and yet we have only spent a \nlittle over half of it. Has that money been given in grants and \njust not spent by the recipient, or it has not yet been applied \nfor?\n    Mr. Lips. My understanding is that it has been awarded, and \nthat it is with the States, and that it could be put to use. \nWhy States have not spent that is not fully clear to me.\n    Senator Paul. All right. I think that is worth a letter, \nand maybe the Chair might consider that we send a letter asking \nif the money has been allocated, and it is for cybersecurity, \nasking the people who received it to tell us why they have not \nused it yet or what the problem is. Maybe try to figure out \nwhat is going on with that money.\n    Senator Hassan. I am certainly happy to consider that. 
I \nthink this depends a lot on what the overall grant is and how \nmuch is restricted.\n    Senator Paul. Our staffs can work together to figure that \nout. But it is also interesting that even without legislation, \nSecretary Mayorkas has increased the requirement from 5 percent \nto 7.5 percent, so that is a 50 percent increase in the \nfunding. Instead of $5 billion it will be $7.5 billion over the \nnext 5 years?\n    Mr. Lips. My understanding is that it is actually out of \nthat pot of funding, so out of $1 billion, 5 percent is \nrequired to be spent on cybersecurity, and he is increasing it \nto 7.5 percent.\n    Senator Paul. OK. The whole $5 billion does not go to \ncybersecurity. It is 5 percent of that, and he is increasing \nthat to 7.5 percent of that. OK, I got where we are.\n    But the other possibility is you could even go up even more \nsignificantly. We could either do that through legislation, we \ncould say 20 percent of that money needs to go to \ncybersecurity. If we really thought cybersecurity was a \npressing issue we could try to reallocate or resource that \nmoney that already exists.\n    Mr. Lips. Absolutely, Senator Paul, and I think it would be \nwise for Congress to consider doing that. The FEMA grant \nprograms for homeland security were expanded and created after \n9/11, and the intention was for them to be risk-based and to \nfocus on existing security threats. Twenty years later, it is \nclear that this has become a serious security threat and it \nshould be prioritized. It would make a lot of sense for more of \nthose funds to be used to address these problems.\n    Senator Paul. While I think we all agree that cybersecurity \nis a problem, putting in perspective of our overall national \nsecurity is important, when you talked about weighing how much \nwe spend on national defense. But also there have been remarks \nfrom even folks within the military community. 
Admiral Mullen \nsaid, a few years ago, that the greatest threat to our national \nsecurity was actually our debt.\n    I think we cannot, on the one hand, say we are going to \nthrow unlimited resources. We have to be careful about where \nthe resources are and try to redirect resources to a problem. \nIf we think cybersecurity is a pressing issue, which it sounds \nlike it is, let's take it from maybe less pressing issues and \ntry to force some of the money over toward that without \nnecessarily spending more money. I would probably support \nlegislation if we had legislation that did what Secretary \nMayorkas did. We could do it even more, figuring out what the \nappropriate number is. But you could take more of that $5 \nbillion and push more toward national security simply by \nlooking at those percentages.\n    I had one other question that kind of a technical question. \nI always ask this because I am somewhat intrigued, without \nbeing a technological or a computer expert on this. It seems \nlike the articles that you read say most of the people get into \nyour system through your email. Is that still true? Would half \nthe people be getting in through email, or is that a rare way \nthey get in?\n    Mr. Lips. It is certainly one of the ways that attackers \nget into systems, and certainly it is encouraging to hear some \nof the precautions that are being taken by my fellow panelists. \nThere is a lot that can be done to understand best practices, \nto improve cyber hygiene, such as not clicking on suspicious \nemails, and other measures to----\n    Senator Paul. It would seem to me that it should not be \nthat hard, technologically, to wall off your email, where your \nemail has no communication and you cannot get from your email \nto your operating system. Can you make it a wall such that it \ncannot be penetrated?\n    Mr. Lips. That is a good question, and I am not sure. 
I am \nencouraged by what the Biden administration recently put out as \nrecommendations to address malware and ransomware. There are \nsimple things that can be done, such as backing up systems, \nencrypting data at rest to make it less valuable to ransomware \nattackers. There are some relatively simple things that can be \ndone to improve organization security posture, that should be \nprioritized.\n    Senator Paul. Twenty years ago, as a physician, we used to \nback up our records every day on a floppy disk, and we would \nput them in a fireproof safe, in case the building burned down \nor in case you had an electrical surge you would not lose all \nyour patient data. I know it would not be on a floppy disk \nanymore but it would seem that there would be ways to back this \nup on a daily basis and protect yourself. There has to be ways.\n    I think a lot of this stuff is not necessarily rocket \nscience. There are available solutions out there, and I think \nit is important that we get that out there for folks to \nprevent.\n    The other thing I had heard a lot was that people were \ndoing a lot more work from home. They would be working on their \nphone or their computer and they had not done the updates, and \nthe updates are pretty sophisticated to protect against \nviruses. I am guilty of it too, not always pushing to accept \nthe update, and maybe that has been part of the problem in the \nlast year as well.\n    Mr. Lips. Absolutely, and those were some of the \nrecommendations, sir, that were included in the White House's \nrecent memo to companies, to update and patch systems \nregularly. These are basic actions that organizations can take \nto improve their security.\n    Senator Paul. Thank you.\n    Senator Hassan. I think we are expecting Senator Ossoff \nshortly, but why don't I ask a question until he gets here, \nunless that is him.\n    Senator, would you like a minute? 
You are up, or----\n\n              OPENING STATEMENT OF SENATOR OSSOFF\n\n    Senator Ossoff. I am ready to go.\n    Senator Hassan. You are ready to go? Then I will turn the \nquestioning over to Senator Ossoff.\n    Senator Ossoff. Thank you, Madam Chair. Thank you to our \npanelists who are here in person and remotely. My first \nquestion is for Ms. Huey.\n    Ms. Huey, in March 2018, the city of Atlanta suffered a \nsevere ransomware attack. According to Bloomberg CityLab, the \nhackers encrypted files, locked access to online services, \nblocked the city of Atlanta from processing court cases and \nwarrants, and demanded a $51,000 ransom. Just 2 months prior, \nthe City Auditor's Office released a report finding that the \ncity's information security management system, ``has gaps that \nwould prevent it from passing a certification audit,'' and that \nmany information security management processes, ``are ad hoc or \nundocumented, at least in part due to lack of resources.''\n    Similar issues prevail across major cities. It is not \nunique to Atlanta. A recent study by the National Association \nof State Chief Information Officers found that States spend \nonly a fraction of their IT budgets on security, between 1 \npercent and 3 percent, compared to about 16 percent for Federal \nagencies.\n    Given the budget constraints that States and municipalities \nface, what are the cybersecurity investments that, in your \nview, would have the biggest impact, the highest return on \ninvestment, when it comes to preventing, for example, \nransomware attacks and securing State and municipal networks?\n    Ms. Huey. Thank you for that question. Senator, I believe \nthat State government has done a good job of looking at State \nassets and providing a level of security. Where I think \ndedicated cybersecurity funding that could come into the State \ncould help us focus on local governments. 
As you have heard \ntoday from the other witnesses, there is a variety of levels of \npreparedness that local governments have been able to do with \ncybersecurity.\n    What we would hope to do, at the State level, is those \nstandards there already identified in industry, making sure \nthat those are communicated across the State, and then provide \nthose assessments and those audits so that we can go out and \nhelp people identify those gaps and then identify resources for \nthem to use.\n    I think this is always a combination of local, State, \nprivate investment, along with Federal dollars that will make \nit successful. Thank you.\n    Senator Ossoff. Thank you, Ms. Huey, and, of course, we do \nwant that strong intergovernmental communication and \ncommunication and best practices, sharing of threat \ninformation. Can you drill down in a little more detail, what \ndo you think consistently municipal or local governments are \nmaybe underinvesting in? What would be the best use of their \nlimited resources? Is it data hygiene practices for personnel? \nIs it firewall technology? Is it supply chain checks? Is it \nrobust patching practices, hardware, software? How should local \ngovernments deploy resources that are limited for most effect?\n    Ms. Huey. I can tell you that the locals that took \nadvantage of the 5 percent cyber set-aside, our first round of \nfunding here in Ohio, obtained cyber risk assessments. That is \nwhat they were looking at, was looking at a contractor, and \nthis was a little bit of a regional approach, so maybe 3, 5, 6 \ncounties went together and were looking at doing a cyber risk \nassessment that would then make recommendations on hardware and \nthe issues that you identified.\n    Senator Ossoff. OK. Thank you, Ms. Huey.\n    Mr. 
Whitley, you mentioned in your testimony that lack of \ncybersecurity awareness, training, and implementation and best \npractices for employees as well as local government staff is a \nmajor impediment. I believe you cite a study showing that most \nfolks polled had been given cybersecurity training but also \nfailed basic quizzes on the topic and best practices.\n    Committee-provided information indicated that recent \ncyberattacks in both Tarrant County and Durham, North Carolina, \nwere the result of phishing email campaigns, where individuals \nare tricked into clicking links that can load malicious \nsoftware.\n    If the Federal Government were inclined to make investments \nin cybersecurity training, how could we be certain those \ninvestments would have a positive impact and actually address \nthe security challenges counties like yours are facing, and \nwhat do you believe are the best practices for not putting \npersonnel through online presentations and then calling it job \ndone but actually ensuring that staff understand the underlying \nconcepts and best practices.\n    Judge Whitley. Thank you for that question. I think the \nbest thing is to continuously test, retest, educate. A lot of \ntime we will say, OK--in fact, we just finished a program by \nwhich everyone had to go in and do this training, and if they \ndid not we ended up turning their systems off. I know actually \nfive elected officials who all of a sudden looked and their \nscreens were blank.\n    We have to keep pushing and pushing and pushing on the \neducation, but even after that, sometimes testing from \ninternally and saying, ``OK, we told you about this and now all \nof a sudden we tried you and you still failed,'' that has a \nlasting impression on at least that employee. 
I think that word \ngets around to other folks, and they begin to realize, OK, this \nreally can happen and I need to be a little bit more careful, \nbecause the last thing in the world you want to do is be the \nreason why our systems were taken over or were shut down.\n    It is a combination of things, but it has to be a \ncontinuous, constant reminder, and emphasizing how important it \nis to be careful about whatever you open and whatever websites \nyou may go to.\n    Senator Ossoff. Thank you, sir. Mr. Lips, finally, in your \ntestimony you emphasized the need to improve information \nsharing about cyber threats and best practices across the \nFederal Government, between Federal agencies, about potential \nvulnerabilities in the information technology ecosystem to \nimprove their technology acquisitions and strengthen supply \nchain risk management. Obviously, sharing information is good. \nBut can you describe, in a bit more detail, the current \nlimitations on information sharing, in particular with respect \nto supply chain risks?\n    Mr. Lips. Thank you for the question, Senator. Over the \npast decade it has become clear that the Federal Government has \nfocused increasing attention on addressing supply chain risk \nmanagement. We have seen actions to ban the use of certain \ntechnologies by Federal agencies. From my perspective it seems \nlike there is a time delay between when Federal agencies become \naware of these problems and then when it reaches an \nunderstanding on Capitol Hill and then when it is implemented \nacross the Federal Government.\n    In 2018, there was legislation that attempted to address \nthis problem by creating a stronger interagency process to \nimprove that information sharing across the Federal Government. 
\nIt seems like it would be a productive next step for Federal \nagencies and that interagency task force to also share \ninformation and specific information, to your point, with State \ngovernments, municipal governments, and the private sector.\n    One of the challenges we have seen over the years with \ncybersecurity best practices is that there is often long lists \nof information provided to organizations. Providing very \nspecific and discrete recommendations will help organizations, \nparticularly those with limited resources, decide how to \nprioritize and manage risk.\n    Senator Ossoff. Making the information that is shared more \nactionable rather than just a bureaucratic dump of data \nperhaps?\n    Mr. Lips. Absolutely, Senator.\n    Senator Ossoff. OK. Thank you, Mr. Lips. Thank you, Madam \nChair.\n    Senator Hassan. Thank you, Senator Ossoff. I am going to \nstart my second round of questioning. I think we are expecting \nSenator Rosen to be available relatively soon, and when she \ngets here let me know and we can let her jump in, and then I \ncan finish up with additional questions.\n    I want to start with a question to Judge Whitley and Ms. \nHuey, because, again, this is a theme we are hearing, \ncybersecurity is a team effort. We know State and local \ngovernments often have separate structures for technology and \nsecurity, but working together and sharing resources and best \npractices can improve the cybersecurity of all entities.\n    Judge Whitley and Ms. Huey, do you think States should use \na committee or other structure to bring together State and \nlocal representatives to help plan and coordinate cybersecurity \nefforts, and if your State already has such a committee, could \nyou please elaborate on how effective you think it is? We will \nstart with Judge Whitley, please.\n    Judge Whitley. I do feel like it is extremely important. 
In \nthis recently adjourned session of our legislature they created \na committee that will go into effect on September 1st, and I \nthink that will be very helpful. We will see how it works \nitself out.\n    I really want to say, though, it is important to get our \ndollars back down as much as possible to the end user. \nCommittee is OK, but again we are very different, we are very \ndiverse, we are a very large State, and the quicker the dollars \ncan get from wherever they are coming, whether it be the Feds \nor the State, and get it down to the end user, the better off \nit will be.\n    An excellent example that I will use is the ARPA funds, \nwhich you allocated out. Counties, regardless of their size, \nreceive the monies as direct payments.\n    Senator Hassan. Right.\n    Judge Whitley. In the CARES Act, it was distributed out to \nthe State, except for those counties and cities over 500,000. \nSome of that money is still sitting in the States. The quicker \nyou can get it down to the local areas, the better off we are.\n    Senator Hassan. Thank you. Ms. Huey.\n    Ms. Huey. Thank you, Chair. I absolutely believe that using \nan advisory committee, an advisory board, made up of a \ncombination of State and locals best help define the strategy \non how to spend funding and how to address cybersecurity.\n    In Ohio, we have two organizations, the OC3, which I had \nalready mentioned, which is a combination of public and \nprivate, is always a resource for any cybersecurity decisions. \nThey are very much focused on economic development and \nworkforce and sort of prevention. That would be their \nexpertise. Then we also have the Homeland Security Advisory \nCouncil, which actually advises us on how to spend the Homeland \nSecurity Grant on our strategic goals.\n    There are already a couple of systems in place in Ohio, and \nI would hope that many States have this. That would be a help \nwith funding decisions.\n    Senator Hassan. 
Thank you both for those answers. I am now \ngoing to ask another question of Ms. Huey and then Mayor \nSchewel. While the Federal Government can provide some \nresources and support to State and local cybersecurity efforts, \nwe also need to encourage more State and local investment in \ncybersecurity, and that is a theme that we have been hearing \nthis morning. That is why recent proposals for State and local \ncybersecurity grant programs have included a cost share where \nthe grant would supplement funds already provided by the State \nor local entity.\n    However, sometimes this cost share can be a barrier to \nState and local entities utilizing the grant program, \nespecially during economic downturns, especially because State \nand local governments have to balance their budgets.\n    Ms. Huey and Mayor Schewel, do you think that the Federal \nGovernment should be able to waive the cost share requirement \nin certain limited circumstances, and what would those \ncircumstances be? We will start with Ms. Huey.\n    Ms. Huey. Thank you for that question, and I appreciate \nhaving the cost share requirements, the match requirements. I \nthink it is important to have skin in the game. But, if that \ncan be done on a graduated basis so that things can get stood \nup and get started, and then other sources of funding can \neventually supplement, I think that is a great approach.\n    Are there opportunities to waive that? I think that would \nbe interesting and potentially a multi-state project or \nsomething that is a little bit broader. At that point in time \nif it is a waiver or maybe we could leverage private dollars \nfor something like that, I think that would be something \ninteresting to pursue.\n    Senator Hassan. Thank you. Mayor Schewel.\n    Mr. Schewel. Thank you very much, Senator. Durham is lucky. \nWe are a fairly large city with really good IT staff. We have \nwonderful staff. 
But 80 percent of municipalities in the United \nStates are small with populations below 50,000 people. Most of \nthese municipalities have very little ability to cost share, \nand I think that really needs to be an important consideration.\n    The Public Technology Institute found that 65 percent of IT \nofficers in municipalities felt that their cybersecurity budget \nwas inadequate, and many of these cities are pressed in many \nways, multiple needs for their budgets. Cost sharing certainly \ncan be an impediment to have the adequate cybersecurity \ninfrastructure that is needed.\n    Senator Hassan. Thank you very much, Mr. Mayor. I now see \nthat Senator Rosen has joined us virtually, so I will recognize \nher for her 7-minute round of questions.\n    Senator Rosen. Thank you, Madam Chair. I appreciate that. \nThank you for chairing this meeting in the absence of Senator \nPeters being here on the loss of his mother. I really \nappreciate you stepping in, and the witnesses, of course, for \nbeing here today, because cyberattacks can be expensive, they \nare debilitating, especially for small governments. I am really \nglad that we are coming together in a bipartisan way to talk \nabout how we are going to protect communities in this really \nchallenging time, and it is not going to get any easier.\n    Elementary and secondary schools, they remain increasingly \nvulnerable to hostile cyber actors. Last year, the FBI warned \nthat K-12 institutions represent an opportunistic target to \nhackers, and many school districts, they lack the budget and \nthe expertise to dedicate to network integrity.\n    In August of last year, Clark County School District, \nNevada's largest school district, and our nation's fifth-\nlargest school district, was the victim of a ransomware attack. \nThe hacker published documents online containing sensitive \ninformation, Social Security numbers, student names, addresses, \nand the like. 
Of course, this is absolutely unacceptable, and \nthe Federal Government must help schools obtain the tools and \nresources to protect their students, their families, their \nteachers, educators, everyone who works there. It is something \nthat I have raised with CISA and the Department of Education.\n    Mr. Holden, what more could CISA be doing to assist our \nelementary and secondary schools with being sure that they have \nsome way to understand how to implement the tools and \ncybersecurity standards and protocols?\n    Mr. Holden. Thank you for the question. I think really what \nneeds to happen is there needs to be a set of standards \ndeveloped. I think if either Homeland Security took a look at \ncybersecurity and implemented a set of standards that would \nthen pass down to us, that we could look at at the local level, \nor even at the State level, to make sure that we have \nimplemented those systems to prevent ourselves from what is out \nthere.\n    I would highly recommend a set of standards that could be \nlooked upon, and then a way for either Homeland Security or the \nlocal or State to test those systems for us, and then to \nidentify where we may be weak in those systems so that we can \nimplement what needs to be implemented at the local level.\n    Senator Rosen. That is a great suggestion, because we need \nto get it out to every school district, large and small.\n    Another thing that we may have to do in order to do this, \nis our cybersecurity surge capacity. Ms. Huey, in your \ntestimony you note that Ohio has created a civilian Cyber \nReserve, consisting of a volunteer force of trained \ncybersecurity civilians to assist in a variety of cybersecurity \nneeds. Senator Blackburn and I recently introduced the Civilian \nCyber Security Reserve Act to establish a civilian Cyber \nReserve at DHS and the Department of Defense (DOD) to call up \ncybersecurity experts at our times of greatest need.\n    Ms. 
Huey, how has the Ohio Cyber Reserve helped reduce \ncyber threats to the State, and what are some lessons you think \nthat we could draw on what you have done and apply that to the \nnational level in order to supplement DHS's existing personnel \nand add additional cyber capacity?\n    Ms. Huey. Thank you, Senator, for that question. The Ohio \nCyber Reserve operates much in the way that you were pointing \nout. It was introduced by OC3 and then it was authorized by the \nOhio General Assembly in 2019, and it really does operate like \na military reserve. It is under the adjutant general. It can be \nactivated by the Governor.\n    Currently we are in the process of building out ten \nregional teams across Ohio. We have three of those teams \nalready stood up and running. They do not publicize when they \nare deployed, but they have been deployed, and they have been \nsuccessful.\n    I think there would be a lot of lessons learned and \ninformation that we could share with the new program at the \nFederal level as to how we identified that expertise, because \nwe really wanted a cross-section of expertise, people that know \nthe latest but also people that know how to deal with legacy \nsystems as well. Thank you.\n    Senator Rosen. I think I am going to have my team reach out \nto you and see what some of the lessons learned and best \npractices are, and we can see what we can do with those here.\n    I think when we talk about this, what I would like to ask, \nespecially to the mayor, as you are dealing particularly at the \nlocal level, when we are talking about all the cybersecurity \npersonnel and implementation and setting standards, and we do \nhave to do all of that. 
But we really have to create a trained \nworkforce, not in cyber but really a technologically savvy \nworkforce, because there is not an area that someone is not \ngoing to have to be aware of a phishing scheme, any way that \nthe vulnerabilities and multiple ways that people get in.\n    Mayor Schewel, can you describe the resource and workforce \nconstraints that you may have and perhaps how we might consider \na career in technical education down at, I guess, the city \nlevel or school districts, and they could be city or county, to \ntry to really increase workforce talent and capacity, because \nat the end of the day, they are the faces on the other side of \nthe computer that may be the ones that get taken advantage of \nunknowingly, and that hurts all of us.\n    Mr. Schewel. Senator, thank you very much for the question. \nYou are absolutely right. I think there are two aspects to \nthat. One is--and Judge Whitley spoke to this early--the \nability to train our young folks within the city to avoid \nphishing attempts, which is the way this successful cyberattack \nhappened against our city. We were fortunately backed up, but \nthat is the way people got in. I think that kind of training is \ncritically important, and we do a lot of that. It cannot only \nbe training, though. Multi-factor authentication, those kinds \nof things, are also critical.\n    But I also think that there is the issue of having the--we \nlive in the Research Triangle region of North Carolina. We have \nhighly trained technical workforce, and making sure that we \nhave enough of those people on staff is really important. That \nis one of the reasons I think it is really important that we \nhave additional funding. It costs us $900,000 a year to do our \nIT security. It is very expensive, and we need support for it.\n    Senator Rosen. 
I guess I have a few seconds left, but what I \nwould like to say is I think--and it is not a question of this \nCommittee, but I do think that we have to increase our STEM \neducation across the board, I would say pre-K through 12, so \nthat they are ready to work right away, in all these areas, to \nprotect whatever business, government, whatever they go to do \nas an adult. I look forward to working on some of those things \nin the future.\n    Thank you, Madam Chair.\n    Senator Hassan. Thank you very much, Senator Rosen.\n    I have additional questions, and I am going to check with \nthe staff. That is all the Senators we have lined up right now, \nright?\n    I thank the panel for so much excellent testimony, and I do \nhave a few more questions. I am going to start with a question \nto Ms. Huey.\n    Collaboration among States could serve a really important \nrole in bolstering cybersecurity, and you have referenced that \na bit already this morning. Ms. Huey, do you think multi-state \ncybersecurity projects would boost cooperation among States and \nimprove cybersecurity beyond what States could achieve alone?\n    Ms. Huey. Thank you for that question, Senator. I \nabsolutely do, and I do not believe that there has probably \nbeen enough done at that level. Ohio Homeland Security is \ncurrently in the process of surveying all of the State's fusion \ncenters, just to get a real good feel on what their cyber \nstructure looks like. We want to benchmark ourselves and see if \nwe are doing well. In the conversations with our surrounding \nStates, there is a lot of interest and a lot of communication, \nand I think there is some ability to really work on some \ncollaborative projects.\n    Additionally, I think the Federal Department of Homeland \nSecurity has a number of centers of excellence, partnered with \nuniversities, and I think that would be a real opportunity as \nwell, that should be explored.\n    Senator Hassan. Thank you for that.\n    Mr. 
Lips, I want to turn to you, obviously, it is something \nyou have talked about in your testimony and in the purview of \nthis Subcommittee, we have a duty to ensure that taxpayer \ndollars are spent efficiently and effectively. In this case, \nthe goal is to efficiently and effectively spend grant funds to \nreduce the cybersecurity risk of State and local entities.\n    How do you think the Federal Government should measure how \neffective grants are at reducing State and local cybersecurity \nrisk, and how should this be integrated into the grant program?\n    Mr. Lips. Senator, thank you for the question. I think that \nis a great issue to be raising, particularly if Congress is \nconsidering establishing a new, dedicated cybersecurity grant \nprogram. It is one of the lessons, I think, that we have \nlearned over the past 20 years with the FEMA grant program. \nThat program was originally intended to be risk-based and \nfocused on helping States and urban areas build up capabilities \nthat were needed, particularly after 9/11.\n    Unfortunately, over time, my view is that that program has \nbecome more of a formula-based program that is no longer \nessentially risk-based, and as GAO and others have pointed out, \nFEMA has struggled to measure how States are buying down risk.\n    Senator Hassan. Right.\n    Mr. Lips. With a cyber grant program, I would urge the \nCommittee to be focused on--starting from the beginning, of \nways to measure that, to not be looking back years later and \nthink, this should have been more risk based.\n    Senator Hassan. OK. Thank you. I want to turn back to the \nissue that Senator Ossoff was talking a little bit about, which \nis information sharing. To Mayor Schewel, to Judge Whitley, and \nto Mr. Lips, information sharing has been one of the key ways \nthat the Federal Government supports State and local \ncybersecurity. 
However, there are many questions about how the \ninformation sharing regime could be improved.\n    Mayor Schewel and Judge Whitley, how useful has the \ninformation that the Federal Government shares with you been, \nand are there other types of information that the Federal \nGovernment could provide that you would find useful? I will \nstart with you, Mayor Schewel, and then go to Judge Whitley.\n    Mr. Schewel. I will tell you, Senator, I do not honestly \nknow the answer to that question in detail. I can tell you that \nwe have really needed our Federal Government partners, \nincluding the FBI at times, during our recent cyberattack. But \nI am sorry, I have to get back to you on real information about \nthe usefulness.\n    Senator Hassan. Sure. OK. Thank you. Judge Whitley.\n    Judge Whitley. I know that our IT folks are in constant \ncommunication not only with the Federal agencies, also with the \nlocal. They are meeting on a monthly basis or a quarterly \nbasis. Then any time any particular event happens, then they \nare working with one another and helping one another out. Any \ntype of collaboration that can occur needs to be encouraged, \nbecause that is the way that we will keep people up to date on \nwhat the new style or the hack of the day is, and go under that \ntype of a scenario. But the Feds have been very helpful. I know \nour folks are members of just about any organization they can \nbecome a member of that will assist or will help in identifying \nthreats or things that are going on in the community.\n    Senator Hassan. Thank you. Mr. Lips, how do you think we \ncan improve cybersecurity information sharing between Federal, \nState, local, and Tribal organizations?\n    Mr. Lips. Thank you for the question, Senator. 
Generally I \nthink that information sharing programs have been very well \nintended and have been a step forward from where we were a \ndecade ago.\n    That said, the various watchdogs, like the inspector \ngeneral, have identified challenges within DHS's information \nsharing programs, issues such as timeliness, over-\nclassification, and frankly, general value of the information \nthat is shared has resulted in limited participation from the \nprivate sector, from what I understand, and from what the IG \nhas found. I think addressing these areas and open \nrecommendations broadly, both for private sector partners as \nwell as State and local governments would be a valuable \nimprovement.\n    In addition, I think there is valuable information sharing \nthat can be provided about security recommendations, from \nsupply chain acquisitions risks, also just general best \npractices having recommendations be made in a way that is \nprioritized would be really helpful for organizations across \nthe board, including State and local governments.\n    Senator Hassan. Thank you. I want to ask a question of all \nthe government witnesses now about Homeland Security Grants, \nbecause there has been a little bit of discussion about what \nalready exists, and I want to really try to drill down on the \neffectiveness and usefulness of that.\n    The Department of Homeland Security provides grants that \ncan be used for a variety of purposes, including, as has been \npointed out, cybersecurity. The State Homeland Security Grant \nprogram used to require that recipients use at least 5 percent \nof these grant funds for cybersecurity, but that has now been \nincreased to 7.5 percent. That was done earlier this year. It \nalso requires that a portion of these funds pass through to \nlocalities.\n    My question to all our government witnesses is whether \nthese requirements are enough to address cyber needs? 
Judge \nWhitley, Mayor Schewel, and Superintendent Holden, have any of \nthe local entities you represent received funding through the \nState Homeland Security Grants for increasing your \ncybersecurity? I will start with Judge Whitley.\n    Judge Whitley. We have received funding but this is one of \nthe things that because of the increase in activity we do need \nmore funds. I know that that is the standard answer you feel \nlike you get any time you ask a governmental entity about any \nparticular issue, but I think we all recognize, just as we \nstated earlier, about the very public threats and confidential, \nwhere they come in and seize operations or stop operations from \nhappening. This is an ever-increasing area of threat, and we \nneed to be focusing more and more dollars and efforts on that.\n    Senator Hassan. Thank you. Mayor Schewel.\n    Mr. Schewel. Thank you, Senator. I think it is really \nimportant that we not be cannibalizing other Homeland Security \nprograms to do this cybersecurity work. We are going to need \nall of it. The cybersecurity threats that we are facing, every \nday there are cybersecurity attacks on the city of Durham, and \nwe are able to fend them off. But all the actors have to do is \nbe successful once. Our needs in this area are going to be \ngreater and greater. We are going to need funding that is not \ncompetitive and not cannibalizing other Homeland Security \nfunding. I think that is really going to be critical to us.\n    Senator Hassan. Thank you. Superintendent Holden.\n    Mr. Holden. I am unaware of any funding that we have \nreceived at the local level regarding the Homeland Security \nGrants. I have to look, though, past funding. I think really \nwhat I am looking for is more information. 
I think the more \ninformation that can be given to me at the local level from \nHomeland Security or from the State would be much more \nbeneficial for me to be able to implement systems that will \nhelp us from these type of attacks.\n    Senator Hassan. Thank you. Ms. Huey, in your view is the \nincrease from 5 percent to 7.5 percent enough to improve State \nand local cybersecurity, or is there more assistance needed?\n    Ms. Huey. Thank you for your question, Senator. I believe \nthat there is more funding needed. I do not believe just \nincreasing from 5 to 7.5 percent really recognizes the need for \ncybersecurity funding and the importance of the risks across \nour States. In fact, with Ohio, our total Homeland Security \naward went down, even though the carve-out for cybersecurity \nwent up.\n    I just think we keep making the pie smaller and then \nputting another priority in that, really does not do justice to \nwhat we need for cybersecurity across the country.\n    Senator Hassan. Do you think a dedicated grant program \nwould better ensure that State and local cybersecurity needs \nare met?\n    Ms. Huey. I do. I do believe it will, because I believe \nthat we could do more planning, more coordination, and really \nwork better with the local governments and the small business \nto bring everybody up to a level that we want them to be.\n    Senator Hassan. Thank you.\n    I have a couple of more questions if the witnesses will \nindulge me. I thank you. The testimony has been terrific, and I \nwant to get to a couple of more things and make sure that there \nare not any other Senators who want to pop in and ask \nquestions.\n    Let me go to this one now, to Superintendent Holden, Mayor \nSchewel, and Judge Whitley. It has become increasingly clear \nhow important cybersecurity is for all organizations. However, \nsome officials in charge of setting priorities may not fully \nappreciate the vulnerabilities of their cyber systems. 
You all \nclearly pay more attention to cybersecurity issues than many \nothers may.\n    Superintendent Holden, Mayor Schewel, and Judge Whitley, do \nyou believe that creating a State and local grant program \ndedicated to cybersecurity would encourage officials to focus \nmore on it, and how might that increased engagement boost \ncybersecurity beyond just the extra resources that a grant \nprogram would provide? We will start with you, Superintendent \nHolden.\n    Mr. Holden. Thanks for the question. Yes, I think a grant \nprogram and a committee to look at these things at the State \nlevel would absolutely highlight the need and the ability to \ncontinue to focus on these things. New Hampshire votes all \nState, whether it is through the Superintendents Association, \nthrough the Department of Education. I think the more attention \nthat could be given in this small State, where we have a very \nlocally committed but yet regionally organized, I think would \nabsolutely benefit our ability to address some of these issues.\n    Senator Hassan. Thank you. Mayor Schewel.\n    Mr. Schewel. Thank you very much, Senator. Yes, definitely, \nwe really need such a program, again, when I think about our \nsmall cities and how this would not just help them with funding \nbut help them with the kind of coordination that you talked \nabout. Again, 80 percent of cities in this country are below \n50,000 people in population, and their ability to do the work \nthat they need to do for cybersecurity, they just simply cannot \ndo it on their own.\n    A grant program that would encourage the kind of \ncooperation necessary would be an incredible boon to those \nsmall cities. It would be good for all of us, but I think \nespecially for our small municipalities it would be essential.\n    Senator Hassan. Thank you. Judge Whitley.\n    Judge Whitley. 
I think anything that helps in the \ncoordination and the collaboration of understanding the issues \nand the problems will be very helpful. All too often, anyone \nwho is affected is very reluctant to get out there and announce \nthat they have been affected. Sometimes you feel like, OK, we \nare small enough, we will slip under the radar, and in today's \nenvironment that is just not happening.\n    I think the more you can bring folks together, whether it \nbe on a statewide basis or a regional basis or a county-wide \nbasis, to talk about what is going on and to make people aware \nof some of the issues, that is going to be beneficial. That is \ngoing to maybe result in them allocating a few dollars that \nthey have not allocated before, to help address, or to be \nprepared and understand that maybe your backup system was broke \na week ago, and had you not done that, look at the effect that \nit would have had once you did get hit.\n    The more collaboration that we can have with all of the \nentities around us, the better off we will be.\n    Senator Hassan. Thank you. Ms. Huey, would you like to \nprovide your perspective on this?\n    Ms. Huey. I would agree with what the other witnesses were \ntalking about. I think this is not an urban issue. When we \nthink about criminal justice funding or some of those things we \nfocus on big-city problems. This is a problem all across our \nlocal governments, regardless of size. Having the ability to \nhelp out the ones, as the mayor pointed out, with the smaller \nbudgets, I think is critical. Again, that standard of \npreventive preparedness that we can bring everybody up to.\n    Senator Hassan. Yes, I sometimes think people forget that \ncoordination and preparedness takes resources. You can be well \nintentioned in it but if you do not have people who can spend \nthe time doing it, it gets difficult to actually accomplish.\n    Because I have the time, and I know, Ms. 
Huey, you have \nmentioned this too, I want to ask one more question to you, and \nthen in a wrap-up question to all of you. I am going to preview \nthe question so you can think about your answer. When we close \nI would like you to think about one piece of advice each of you \nwould give to your colleagues working in State, county, local, \nor Tribal government when it comes to cybersecurity. That will \nbe the final question.\n    But first, Ms. Huey, I want to talk to you a little bit \nabout the National Guard's role here. Earlier this year, \nSenator Cornyn and I reintroduced the bipartisan National Guard \nCybersecurity Support Act. This legislation explicitly \nauthorizes the National Guard to provide cybersecurity support \nservices at the request of a State Governor, to be performed as \ntraining duty upon approval by the relevant service Secretary.\n    Ms. Huey, can you speak to the role that the National Guard \nplays in Ohio's cybersecurity, particularly as a part of the \nlarger plan for how Ohio is improving the cybersecurity of \nState and local systems?\n    Ms. Huey. Absolutely. Thank you for that question. As I \nindicated in my comments earlier, the Ohio National Guard \nreally took a lead role in cybersecurity early on in Ohio. The \nCyber Reserve was authorized by our General Assembly in 2019, \nand they really went out and recruited that civilian expertise \nthat really existed already in the State, and they were very \nstrategic about making sure that each regional team had the \nbreadth of experience that could respond to a variety of \nattacks. That has been very successful, and it is wonderful to \nsee the Federal Government will be able to support that and \nbacks that up. 
That has been something that we are very proud \nof here in Ohio.\n    The Ohio Cyber Reserve, the Cyber Range Institute, is also \nconnected to that, and that is in some of our universities is \nreally a think tank and a testing site, and it is very \neducation focused. We have the existing expertise in the Cyber \nReserve and the Cyber Range is trying to build that workforce \ndevelopment through our K-12 and our universities.\n    Senator Hassan. Thank you very much.\n    Now the wrap-up question here, the one piece of advice each \nof you would give to your colleagues who are working State, \ncounty, local, or Tribal government when it comes to \ncybersecurity. Why don't we start with you, Mr. Lips, then we \nwill go to Superintendent Holden, the mayor, and the judge, and \nthen I will allow Ms. Huey to wrap it up.\n    Mr. Lips. Thank you, Senator. One piece of advice I would \noffer to State, local, county, and other government officials \nworking at that level is that it is very helpful for Members of \nCongress and congressional staff to hear your perspective about \nsome of the challenges you are facing. In my testimony, I \nreferenced the issue of compliance costs that the State CIOs \nhave raised. It is very helpful to hear directly from State \nofficials about what their day-to-day experience is and what \nthose challenges are. I recall hearing from NASCIO and State \nCIOs in the anteroom several years ago, bringing that \nrecommendation to my attention. There is great interest in \ntheir perspective, and it is very valuable to hear their view.\n    Senator Hassan. Thank you, Mr. Lips. Superintendent Holden.\n    Mr. Holden. Yes. I would let my fellow local and State \nfolks know to be informed, to provide ongoing training and to \nimplement needed systems, and that being proactive is a lot \ncheaper than being reactive.\n    Senator Hassan. Thank you. Mr. Mayor.\n    Mr. Schewel. Thank you, Senator. 
With your permission I \nwill give two pieces of advice. One is to have an immutable \nbackup of all data, including structured, unstructured, and \nbinary data, and that is critical for quick recovery. We back \nup in Durham every 2 hours.\n    Then second, having an established partnership between \nFederal, State, and private sector parties so that if you are \nattacked, if you quickly define and contain the threat, we were \nable to do that and quickly set up a war room, and that is what \nreally contained the cyberattack that we had. Thank you for \nthat question.\n    Senator Hassan. Thank you. Judge Whitley.\n    Judge Whitley. Again I want to thank everybody for the \nopportunity to speak today. The thing that I would say is test, \ntrain, perpetual, perpetual training and testing, to just keep \nat the front of everyone's minds that every time they are on \nthat computer that there is someone trying to get in. The more \nwe can do to keep our people thinking in that perspective, the \nbetter off we will be.\n    Senator Hassan. Thank you, Judge. Ms. Huey.\n    Ms. Huey. Thank you, Senator. My advice would be know your \npartners. Do not wait for the event to occur before you know \nwho your resources are, your partners. Regularly communicate. \nThere is a saying in the EMA world, that a disaster is not the \nplace to exchange business cards. You need to know who your \nnetwork is, and your partners that are to help in a situation.\n    Senator Hassan. Thank you so much. I want to thank all of \nthe witnesses this morning for giving us so much of your time \nand sharing your expertise and your perspective and experience. \nIt is really invaluable and it really does help inform the work \nof this subcommittee and the U.S. Senate. Thank you.\n    Your testimony here today is going to help us craft better \nbipartisan legislation to help State and local officials \naddress cyber threats. The hearing record will remain open for \n15 calendar days, until 5 p.m. 
on July 2nd, for submissions of \nstatements and questions for the record.\n    The hearing is now adjourned.\n    [Whereupon, at 11:51 a.m., the Subcommittee was adjourned.]\n\n                            A P P E N D I X\n\n                              ---------- \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n</pre></body></html>\n"