[Senate Hearing 117-410]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 117-410

                     NOMINATIONS OF ROBIN CARNAHAN,
                    JEN EASTERLY, AND JOHN C. INGLIS

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION
                               __________

           NOMINATION OF ROBIN CARNAHAN TO BE ADMINISTRATOR,
          GENERAL SERVICES ADMINISTRATION, JEN EASTERLY TO BE
          DIRECTOR, CYBERSECURITY AND INFRASTRUCTURE SECURITY
            AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY AND
JOHN C. (CHRIS) INGLIS TO BE NATIONAL CYBER DIRECTOR, EXECUTIVE OFFICE 
                            OF THE PRESIDENT

                               __________

                             JUNE 10, 2021

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        
                  


                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
46-566 PDF                WASHINGTON : 2022           
        
        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
                      Claudine J. Brenner, Counsel
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
       Kirsten D. Madison, Minority Director of Homeland Security
              Amanda Neely, Minority Deputy Chief Counsel
           William H.W. McKenna, Minority Chief Investigator
       Jeffrey A. Post, Minority Senior Professional Staff Member
          Cara G. Mumford, Minority Professional Staff Member
           Andrew J. Timm, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk


                            C O N T E N T S

                                 ------                                
Opening statements:
    Senator Peters
    Senator Portman
    Senator Carper
    Senator Lankford
    Senator Padilla
    Senator Hassan
    Senator Hawley
    Senator Ossoff
    Senator Scott
    Senator Sinema
Prepared statements:
    Senator Peters
    Senator Portman

                               WITNESSES
                        Thursday, June 10, 2021

Hon. Roy Blunt, a U.S. Senator from the State of Missouri
Hon. Mike Gallagher, a Representative in Congress from the State 
  of Wisconsin
Hon. Angus S. King, Jr., a U.S. Senator from the State of Maine
Robin Carnahan to be Administrator, General Services 
  Administration
    Testimony
    Prepared statement
    Biographical and professional information
    Letter from U.S. Office of Government Ethics
    Responses to pre-hearing questions
    Responses to post-hearing questions
Jen Easterly to be Director, Cybersecurity and Infrastructure 
  Security Agency, U.S. Department of Homeland Security
    Testimony
    Prepared statement
    Biographical and professional information
    Letter from U.S. Office of Government Ethics
    Responses to pre-hearing questions
    Responses to post-hearing questions
    Letters of support
John C. (Chris) Inglis to be National Cyber Director, Executive 
  Office of the President
    Testimony
    Prepared statement
    Biographical and professional information
    Letter from U.S. Office of Government Ethics
    Responses to pre-hearing questions
    Responses to post-hearing questions
    Letters of support

                                APPENDIX

Mission Needs Chart
HSGAC Letters

 
                     NOMINATIONS OF ROBIN CARNAHAN,
                     JEN EASTERLY, AND CHRIS INGLIS

                              ----------                              


                        THURSDAY, JUNE 10, 2021

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:16 a.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary C. Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Carper, Hassan, Sinema, Rosen, 
Padilla, Ossoff, Portman, Lankford, Scott, and Hawley.

            OPENING STATEMENT OF CHAIRMAN PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the Appendix 
on page 45.
---------------------------------------------------------------------------
    Today we are considering three nominations: Robin Carnahan, 
who is joining us remotely, to be Administrator of the General 
Services Administration (GSA); Jen Easterly, to be Director of 
the Cybersecurity and Infrastructure Security Agency (CISA), 
within the Department of Homeland Security (DHS); and Chris 
Inglis, to be the first-ever National Cyber Director (NCD). 
Welcome to each of you, and welcome to your family members who 
are joining us here today.
    Congratulations on your nominations, and thank you for your 
previous service and for your willingness to take on these 
important new roles.
    The agencies or offices you have been nominated to lead 
each play a critical role in strengthening our national 
security and ensuring the Federal Government is operating both 
effectively and efficiently.
    The General Services Administration provides a wide range 
of support to Federal agencies, including managing Federal 
property and the Federal fleet and offering cost savings, 
acquisition programs, and technology services. In short, GSA 
helps ensure agencies can deliver for the taxpayer and for the 
American people.
    Ms. Carnahan, if confirmed, you will lead GSA at a pivotal 
moment. The Coronavirus Disease 2019 (COVID-19) pandemic 
changed how workplaces operate across the government and across 
the Nation. The Biden administration is charting a course to 
make Federal buildings, vehicles, and operations more energy 
efficient, and agencies must do more to modernize and secure 
their information technology (IT) systems and their networks. I 
look forward to hearing more about how you plan to lead GSA to 
tackle these and other challenges.
    The next two nominations are both firsts for this 
Committee. Ms. Easterly, you are the first person nominated to 
lead CISA since it was created by this Committee in 2018 and 
charged with protecting and defending Federal networks and 
securing critical infrastructure. This Committee worked closely 
with Chris Krebs, who led the transformation from its 
predecessor agency, and CISA has made a lot of progress in a 
very short period of time. But we all know there is a whole lot 
more to do.
    The recent SolarWinds hack and the Colonial Pipeline 
ransomware attack are only the latest reminders of what the 
Federal Government must do to secure its own networks and to 
work with and support our private sector, nonprofit, State, 
local, tribal, and territorial (SLTT) governments.
    Mr. Inglis, you have been nominated to be the first-ever 
National Cyber Director, a position this Committee created last 
year to lead a new office within the Executive Office of the 
President (EOP) and coordinate national cybersecurity policy 
and strategy. The National Cyber Director will be central to 
ensuring a cohesive, whole-of-government approach to 
cybersecurity.
    These are all vital roles, and I am pleased we have three 
highly qualified nominees here today who each bring a wealth of 
government and private sector experience. I look forward to 
hearing from each of you today.
    With that, I will turn it over to Ranking Member Senator 
Portman.

              OPENING STATEMENT OF SENATOR PORTMAN

    Senator Portman. Thank you, Chairman Peters, and I thank my 
colleagues for being here. Senator King, I just left you a few 
moments ago on a Zoom call. Senator Blunt, you and I have spent 
a lot of quality time together recently.
    Senator Blunt. That is our lives these days.
    Senator Portman. Yes. I have a very long, articulate and 
important statement to make that I am going to submit for the 
record\1\ and instead just say welcome to Ms. Carnahan, Ms. 
Easterly, and Mr. Inglis. I have spoken to all of you. I have 
had the opportunity to get to know you a little bit. These are 
really important positions, and the leadership deserves careful 
consideration, which it will get at this hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Portman appears in the 
Appendix on page 47.
---------------------------------------------------------------------------
    With that, Mr. Chairman, I will again submit my full 
statement for the record and look forward to hearing from my 
colleagues in the Senate.
    Senator Peters. Next we have some guests joining us today 
to introduce the nominees.
    First, we are joined by our colleague Senator Blunt, who 
will be introducing Ms. Carnahan. Senator Blunt, thank you for 
being with us. Good to see you, and you are recognized for your 
introduction.

STATEMENT OF HONORABLE ROY BLUNT, A UNITED STATES SENATOR FROM 
                     THE STATE OF MISSOURI

    Senator Blunt. Thank you, Chairman Peters. As Senator 
Portman pointed out, the three of us, along with Senator 
Klobuchar, have spent a lot of time together over the last 
month. I am glad to be here on this topic as well as I was 
pleased to work on the other issues we have been working on.
    Thanks for holding this hearing. I am glad to be able to 
speak to the Committee regarding the nomination of Robin 
Carnahan to be the Administrator of the General Services 
Administration. I am honored to welcome her to the Senate today 
even if it is only over video.
    Robin Carnahan was born and raised in the great State of 
Missouri. Throughout her life, she and her family have served 
our State and our country in many roles and with distinction.
    After graduating from William Jewell College in Liberty, 
Missouri, and the University of Virginia Law School, she 
practiced law in St. Louis and held positions with the National 
Democratic Institute and the Export-Import (EXIM) Bank of the 
United States. From 2005 to 2013, she served as the Secretary 
of State of Missouri. In this role, she utilized innovative 
technology to save money and improve government service for 
residents of Missouri, I probably should add here following the 
example of her great predecessor, my son, Matt Blunt, who held 
that job right before Robin did. It is a job I held as well, 
and the three of us have common appreciation for that 
particular place to serve Missourians. In 2016, she joined the 
Office of 18F at the General Services Administration. This 
office provides technology consultation to State and local 
governments.
    I think the bottom line here, Mr. Chairman and Senator 
Portman, is that Robin Carnahan understands the GSA and she 
understands the importance of the GSA to the country. I have no 
doubt that, if confirmed, she would be a successful and an 
effective Administrator of the General Services Administration. 
I understand this to be a job of major significance in the 
daily operations and decisions of the government that fall 
within the purview of the General Services Administration. I 
look forward to supporting her confirmation. Of course, before 
I can do that, your Committee needs to recommend that that 
confirmation move forward, and I hope you do.
    Chairman Peters. Thank you, Senator Blunt.
    Next we have a video from Representative Gallagher 
introducing Ms. Easterly.

  STATEMENT OF HONORABLE MIKE GALLAGHER, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF WISCONSIN

    Mr. Gallagher. Thank you, Senator Peters, Senator Portman, 
and distinguished Members of the Committee, for allowing me to 
introduce Jen Easterly for her nomination to be the Director of 
the Cybersecurity and Infrastructure Security Agency.
    It is an honor to be here to introduce Jen. As the Co-Chair 
of the Cyberspace Solarium Commission (CSC) with my good friend 
Senator Angus King, I cannot overstate what a crucial role the 
President has nominated Jen to fill. Our bipartisan public-
private commission assessed that CISA is the most important 
agency in the execution of Federal network security and the 
development of an effective public-private collaboration to 
protect our national critical infrastructure.
    CISA is quite simply on the front lines of ensuring the 
Federal departments and agencies, the private sector, and the 
American people have the resources to detect, withstand, and 
respond to cyberattacks. Thanks in large part to the work of 
your Committee, we have made significant progress on 
strengthening the agency so that it can perform this crucial 
mission.
    For example, we authorized CISA to perform threat hunting 
on Federal networks to more proactively identify cyber threats 
to Federal assets and systems and begin any necessary 
mitigation processes sooner. We also elevated the role of CISA 
Director so that the position is equivalent to that of the 
Transportation Security Administration (TSA) Administrator in 
order to emphasize the importance and stature of the agency and 
its leader. When we did that, when we amended the law to 
elevate the position of CISA Director, we stipulated that a 
qualified CISA Director would be someone who has extensive 
knowledge of cybersecurity, infrastructure security, and 
security risk management and has at least 5 years of experience 
fostering multistakeholder coordination and collaboration on 
these issues.
    Jen Easterly's qualifications are well above and beyond 
those stipulated by the law. Her background is incredible. She 
is currently the head of Firm Resilience and the Fusion 
Resilience Center at Morgan Stanley. In this capacity, she is 
responsible for ensuring preparedness and response to business-
disrupting operational incidents and risks. Jen joined Morgan 
Stanley in February 2017 to build and lead the firm's 
Cybersecurity Fusion Center, which is the operational 
cornerstone of its entire cyber defense strategy. Prior to 
joining the private sector, Jen served for three decades in the 
Federal Government. She was the Special Assistant to the 
President and Senior Director for Counterterrorism, where she 
led the development and coordination of U.S. counterterrorism 
and hostage policy. Prior to that, she was the Deputy for 
Counterterrorism at the National Security Agency (NSA), where 
she was responsible for leading operations to detect and 
disrupt terrorist attacks against the United States and our 
allies.
    Jen is a two-time recipient of the Bronze Star. She retired 
from the U.S. Army after more than 20 years of service in 
intelligence and cyber operations. She was responsible for 
setting up the Army's first cyber battalion. She was also 
instrumental in the design and creation of U.S. Cyber Command 
(USCYBERCOM).
    She is a distinguished graduate of the United States 
Military Academy (USMA) at West Point. She holds a Master's 
degree in philosophy, politics, and economics from the 
University of Oxford, where she studied as a Rhodes scholar. 
She is a real overachiever. I could go on. But Jen's accolades 
and accomplishments are so numerous that we might never 
actually get to the hearing itself. She was a critical member 
of our Red Team on the Solarium Commission, and I want to say 
what an honor it is to be at the same hearing where Senator 
King, my Co-Chair, will introduce our fellow Commissioner Chris 
Inglis for his nomination as our country's first National Cyber 
Director.
    Jen and Chris are great cybersecurity experts, to be sure, 
but more than that, they are also great Americans. They embody 
what it means to put politics aside and serve the Nation. They 
will be a great team that introduces the speed and agility into 
cybersecurity and critical infrastructure protection that I 
believe is needed to protect our country against the malicious 
cyber activity that we are seeing.
    I look forward to this hearing and to the Committee's 
progress on putting Jen to work as quickly as possible as our 
next CISA Director. Thank you again, Senator Peters, Senator 
Portman, and the distinguished Members of this Committee, for 
your time and for your consideration of Jen's nomination.
    Chairman Peters. Now we are joined by the Co-Chair of the 
Solarium Commission. Senator King, great to have you before our 
Committee. Senator King will recognize Mr. Inglis. Senator 
King, you are recognized for your opening statement.

  OPENING STATEMENT OF HONORABLE ANGUS S. KING, JR., A UNITED 
             STATES SENATOR FROM THE STATE OF MAINE

    Senator King. Mr. Chairman and Senator Portman and Members 
of the Committee, America is under attack. We are under attack 
today. This is one of the most serious conflicts, one of the 
most serious challenges that this country has faced in the 
post-World War II period.
    The two positions that we are really talking about today 
are the equivalent of the Secretary of Defense and the head of 
the Joint Chiefs of Staff (JCS). These are people who will be 
charged with defending this country in what is an ongoing and 
serious conflict.
    I am taking time out now from an Armed Services Committee 
hearing with the Secretary of Defense and the head of the Joint 
Chiefs, and cyber is one of the things that we will be talking 
about. It is a ubiquitous challenge not only to the government 
but especially to the private sector, and that is one of the 
really significant challenges in how we respond.
    We have to reimagine conflict. We think of conflict in 
terms of armies and battleships and air forces, but we are 
really now talking about the front line of this conflict can 
take place in a server farm on Wall Street, in a pipeline 
company, or in an electric company, or in a water service 
utility anywhere in America.
    Chris Inglis served with Mike Gallagher and me on the 
Solarium Commission, which was created by this Congress in 2019 
to devise a national cyber policy. This was a unique Commission 
that had four Members of Congress, four members from the 
executive, and six members from the private sector, a totally 
nonpartisan process and a very intense process. In fact, next 
Monday will be our 43rd meeting of the Solarium.
    Sitting next to me through most of those meetings was Chris 
Inglis, who I had never known before, but have gotten to know 
very well during this process. His credentials are impressive. 
In fact, when I first looked at it, I thought this guy has had 
two full careers; he must be 100 years old. He has 30 years of 
service in the Federal Government, particularly as Deputy 
Director of the National Security Agency, but also 28 years in 
the United States Air Force (USAF), active duty and also in the 
Air Force Reserve, retiring as a general. He has degrees in 
computer science. He has immense knowledge and experience in 
this field.
    Beyond that, however, and the reason I am so enthusiastic 
about his nomination, is his leadership qualities which I 
observed during the course of our deliberations as the 
Cyberspace Solarium Commission. He has a quiet but persuasive 
leadership style. All of us have been in meetings where there 
is one person when they begin to speak, you lean over and say, 
``Now, what are they going to say? Because this is going to be 
important.'' That is Chris Inglis.
    This is an immensely important job because of the 
intersection between the private sector and the Federal 
Government and the complexity of the challenge throughout the 
Federal Government. The fundamental purpose of the National 
Cyber Director is to coordinate Federal cyber policy among all 
these different agencies that have a piece of it, but also to 
coordinate cooperation between the Federal Government and the 
private sector. He will be working with Jen Easterly and Anne 
Neuberger in the National Security Council (NSC), which I think 
represents three of the absolute perfect combination to lead 
this effort to defend our Nation.
    I am very proud to be able to introduce Chris Inglis to the 
Committee. I honestly believe, based upon 3 years of extensive 
engagement in this issue with people across the country, he is 
the single best person to fill this role, and a particularly 
important role as the first leader of the Office of National 
Cyber Director in the Executive Office of the President.
    Mr. Chairman, I cannot recommend Chris Inglis more highly, 
and I am delighted that he is willing to reenlist, if you will, 
in Federal service and service to the country.
    Thank you, Mr. Chairman. I look forward to Chris' 
testimony.
    Chairman Peters. Thank you, Senator King, for the 
introduction. Thank you for your amazing leadership in terms of 
dealing with this incredible threat. You have been a real 
leader on cybersecurity issues. We appreciate all the work of 
the Commission and appreciate you being here today and your 
continued involvement on this issue. Thank you.
    It is the practice of this Committee to swear in witnesses, 
so if each of our witnesses could stand and raise their right 
hands? Even on video, stand there and raise your right hands. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Ms. Carnahan. I do.
    Ms. Easterly. I do.
    Mr. Inglis. I do.
    Chairman Peters. Please be seated.
    We will now hear from each of our nominees. Ms. Carnahan, 
you may proceed with your opening remarks.

 TESTIMONY OF ROBIN CARNAHAN,\1\ NOMINEE TO BE ADMINISTRATOR, 
                GENERAL SERVICES ADMINISTRATION

    Ms. Carnahan. Good morning, Chairman Peters, Ranking Member 
Portman, and Members of the Committee. I appreciate the 
opportunity to be here today, and I am honored to be President 
Biden's nominee for Administrator of the General Services 
Administration. I am also grateful to Senator Blunt, my home-
State Senator, for that kind introduction. We have known each 
other for more than 30 years and our families even longer. I 
value Senator Blunt's leadership, his passion for public 
service, and his commitment to the people of Missouri. Senator, 
thank you so much for your service.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Carnahan appears in the Appendix 
on page 49.
---------------------------------------------------------------------------
    Even though we are joining virtually today, I would like to 
acknowledge my family: my husband, Juan Carlos, for his 
unwavering love and encouragement; my mother, Jean, who has 
been a role model and hero all my life; and my brothers, Russ 
and Tom, and their wonderful families. They have been a 
tremendous source of love and strength.
    Public service, as Senator Blunt said, runs in my family, 
much of that serving the people of Missouri. My grandfather and 
brother served in Congress. My father was Governor, and my 
mother was the first woman from Missouri in the U.S. Senate. 
But my mother's parents were also public servants, though they 
never ran for office. You see, mom was born in Washington, D.C. 
She grew up across the river in Anacostia. Her father was a 
farmer and plumber at St. Elizabeths Hospital, and her mother 
worked at the Navy Department during the war.
    So growing up, the government did not seem like a faraway 
or abstract concept. For me, it was about the people who worked 
on behalf of their community and country, folks who went to 
work every day to improve the lives of children and families, 
to help businesses thrive and keep the country safe. I grew up 
believing that public service was a noble calling, worthy of 
our lives. I still do.
    I have had the privilege of serving in elected office 
myself, as well as in appointed and staff positions in State 
and Federal Government. No matter what the role, I always 
understood my job was to deliver effective service for people 
and be a wise steward of taxpayer money.
    I will never forget the first day on the job as Missouri 
Secretary of State. I was being introduced around the office, 
and I met more people who were manually opening mail and 
preparing checks to be deposited than we had in the entire IT 
department. That was the moment in 2005 that crystallized how I 
came to view the challenge ahead for government--to adapt 
modern technology tools to streamline operations and to serve 
people better.
    So during my tenure, we invested time and money in 
modernizing our IT infrastructure in order to do better service 
for 400,000 businesses, 4 million voters, and millions of 
others who needed something from their government.
    One lesson I learned was that digital infrastructure 
investments pay off, both in better service and lower costs to 
taxpayers. But I also learned that without serious attention, 
these tech modernization projects can go wrong. The truth is 
there was nothing I did when I was in office that caused me to 
lose more sleep than the rollout of one of those new tech 
platforms.
    So diving in to learn more about technology and procurement 
policy is what led me to GSA, where I served 4 years during the 
Obama and Trump administrations. I joined the digital 
consulting team 18F whose job was to help government partners 
more effectively buy and build modern software systems and 
train non-technical leaders on how to set their teams up for 
success.
    Now, this past year has shown the importance and the 
fragility of our Nation's digital infrastructure. As the 
pandemic swept through the country, Congress responded fast 
with programs to meet the challenges. But yet too often the 
help was slow getting to the families and businesses that 
needed it most.
    The bottom line is no program passed by this Congress can 
be effective without smart investments in an effective, secure 
digital infrastructure to deliver it. And GSA is uniquely 
positioned to support that mission across government.
    Of course, I know GSA is about a lot more than technology, 
but I see similar opportunities to improve the way it delivers 
value to partners in real estate management and acquisition. If 
confirmed, I look forward to exploring creative, practical ways 
to right-size the Federal real estate portfolio to serve the 
changing needs of agencies and local communities.
    In acquisitions, I look forward to working with 
stakeholders, including agency partners and companies, to 
streamline and simplify how they interact with GSA. I want to 
provide easy access and great value to those who buy through 
GSA and an easier on-ramp for businesses, especially small 
businesses, interested in selling through GSA.
    As President Biden recently said in his speech to Congress, 
``We have to prove democracy still works. That our government 
still works--and can deliver for the people.''
    For me, helping our government, our democracy, effectively 
deliver for the people and taxpayers is why I am so excited 
about the opportunity to lead GSA.
    Thanks for the chance to testify today. I am humbled, and I 
look forward to answering your questions.
    Chairman Peters. Thank you, Ms. Carnahan, for your opening 
remarks.
    Ms. Easterly, you are now recognized for your opening 
remarks.

     TESTIMONY OF JEN EASTERLY,\1\ NOMINEE TO BE DIRECTOR, 
    CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. Easterly. Chairman Peters, Ranking Member Portman, 
distinguished Members of the Committee, I am honored to appear 
before you to discuss my nomination for Director of the 
Cybersecurity and Infrastructure Security Agency. I want to 
thank the President for nominating me, Secretary Mayorkas for 
his confidence in me, and Congressman Gallagher for his very 
kind introduction, and, more importantly, for his and Senator 
King's absolutely superb leadership of the Cyberspace Solarium 
Commission.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Easterly appears in the Appendix 
on page 108.
---------------------------------------------------------------------------
    I also want to thank my family and, in particular, my 
parents: my father, Noel Koch, a Vietnam veteran whose 
forebears fought in the Civil War to ensure that the Nation 
experienced ``a new birth of freedom''; and my mother, Dr. June 
Koch, an English professor and the daughter of immigrants from 
Russia and Poland who came to America to enjoy that freedom. 
Both led lives of public service, instilling in me the 
importance of service and of actively participating in our 
great democratic project, to form, continuously, a more perfect 
union. Their example inspired me to commit 27 years of my life 
in service to the Nation, including more than two decades in 
the United States Army, leading soldiers in peacetime and in 
combat. It also motivates my return to public service after 
4 1/2 years in the private sector at one of our Nation's 
leading financial institutions.
    Additionally, I want to thank my husband, Jas, for his love 
and support over the past 17 years, through multiple moves and 
four separate deployments. As a fellow U.S. Army combat 
veteran, I also want to thank him for his service to our 
country. I especially want to recognize our son Jet, the light 
and joy of our life, who aspires to one day be President.
    Twenty years ago, the attacks of 9/11 fundamentally altered 
the course of my life, as it did for so many. As noted by Tom 
Kean, the Co-Chairman of the 9/11 Commission, ``We were 
unprepared. We did not grasp the magnitude of a threat that had 
been gathering over a considerable period of time. This was a 
failure of policy, of management, of capability, and, above 
all, a failure of imagination.'' If the past year has taught us 
anything, it is the obligation we have as leaders to anticipate 
the unimaginable.
    While the digital revolution of the past several decades 
enabled unprecedented growth and innovation, the increasing 
connectivity also introduced great peril: nation-states and 
non-state actors alike now leverage cyberspace with near 
impunity to threaten our security, our privacy, and our 
physical and digital infrastructure. Our adversaries combine 
hacking with malign influence operations to interfere in our 
democratic processes. They breach major corporations to steal 
capital and intellectual treasure, target industrial control 
systems to disrupt critical infrastructure, and incapacitate 
entities large and small with the scourge of ransomware. Even 
as we contend with the billions of daily intrusions against our 
networks by malicious actors, I believe that as a Nation we 
remain at great risk of a catastrophic cyber attack.
    Congress established CISA in 2018 as the country's 
operational entity for managing and mitigating such risk, 
working closely with partners at the State, local, tribal, and 
territorial level, as well as with the private sector to ensure 
the security and resilience of our critical infrastructure.
    Within the Federal cyber ecosystem, CISA is the 
``quarterback,'' charged with protecting and defending Federal 
civilian government networks; leading asset response for 
significant cyber incidents; and ensuring that timely and 
actionable information is shared across Federal, non-Federal, 
and industry partners.
    In this context, I also thank the Committee for your 
leadership in establishing CISA, my good friend Chris Krebs for 
his absolutely superb work in standing up and leading the 
agency, and Acting Director Wales and the dedicated men and 
women of CISA for their tireless efforts defending our 
infrastructure against a myriad of significant and serious 
threats, and ensuring secure, interoperable emergency 
communications. If confirmed, it will be the greatest honor of 
my career to join their incredible team, to continue building 
the culture and the workforce of CISA, and to strengthen its 
capacity and capability to defend today and secure tomorrow.
    The best quarterback, however, cannot win a game alone; 
cyber is and must always be a team sport. CISA fulfills its 
lead operational role for national cyber and infrastructure 
resilience in collaboration with other agencies at every level 
of government and with our industry and international partners. 
A critical element of this ecosystem is the National Cyber 
Director, who will ensure a coherent and unified Federal effort 
as the President's principal cyber adviser. If we are both 
confirmed, I look forward to working, once again, with Mr. 
Inglis. I also look forward to a productive and transparent 
partnership with this Committee.
    I thank the Committee for considering my nomination and 
look forward to your questions.
    Chairman Peters. Thank you, Ms. Easterly, for your opening 
remarks.
    Mr. Inglis, you are now recognized for your opening 
remarks.

TESTIMONY OF JOHN C. (CHRIS) INGLIS,\1\ NOMINEE TO BE NATIONAL 
       CYBER DIRECTOR, EXECUTIVE OFFICE OF THE PRESIDENT

    Mr. Inglis. Thank you, sir. Chairman Peters, Ranking Member 
Portman, and distinguished Senators, I am honored to appear 
before you. I thank this Committee for its support in the 
creation of this new role and your strategic leadership on 
cybersecurity. I thank the President for nominating me and 
Senator King for his generous introduction. I also want to 
thank both Senator King and Congressman Gallagher for their 
work leading the Cyberspace Solarium Commission's efforts to 
improve our Nation's ability to fully realize its aspirations 
in and through the critical realm of cyberspace.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Inglis appears in the Appendix on 
page 189.
---------------------------------------------------------------------------
    I also want to recognize my family. I thank my parents, 
Robert and Kathleen Inglis, who gave their children the 
priceless gift of a home where service to others, respect, and 
accountability was expected and freely given as the foundation 
of life. I want to thank my wonderful wife, Anna, who is with 
me here today, and our children, Luciana, Paul, and George, for 
their love and support, which has inspired and sustained me 
through all of my adult life.
    I am humbled by the privilege and the opportunity to 
reenter public service. While the position of National Cyber 
Director may be new, I am mindful that the team that I would 
join, should I be confirmed, is one that is already on the 
field, impressively diverse, and broadly engaged. It is a team 
that includes public servants at Federal, State and local 
levels, and private sector professionals whose collective 
efforts build, operate, innovate, and defend the digital 
infrastructure upon which the delivery of critical services 
increasingly depends. I am particularly pleased to testify 
alongside Jen Easterly, the prospective Director of CISA, and 
Robin Carnahan, the prospective Administrator of GSA. Should we 
be confirmed, our collaboration will be an important element of 
any Federal cyber strategy going forward.
    If confirmed, I expect that I should and will be held 
accountable to add context, leverage, and strength to the 
distributed work of that full cyber team. To that end, the 
enabling legislation for the National Cyber Director has 
clearly laid out its core responsibilities. These include 
forging a coherent and unified Federal effort; developing and 
overseeing the implementation of the National Cyber Strategy; 
ensuring the coordination of appropriate Federal budgets, 
policies, and plans; fostering mutually beneficial public-
private collaboration; and, more importantly than all of those, 
demonstrable improvements in the resilience, the robustness, 
and the defense of the cyber ecosystem.
    As the legislation acknowledges, these duties require 
robust engagement with both the private sector, which is on the 
front lines of this effort, and with the Congress, to whom the 
National Cyber Director owes regular updates on cyber risk and 
the status of U.S. cybersecurity efforts. Additionally, the 
National Cyber Director occupies a highly visible position 
within the U.S. Government--one that should be expected to 
offer a clear, unified voice in public communications and 
advocacy.
    Supporting lines of effort must necessarily address the 
fact that cyberspace is not built and operated as a single, 
centralized organization and that it is comprised of far more 
than technology. Essential collaboration and integration will 
heavily depend on how roles and responsibilities are defined 
and executed, while the success of a national strategy will 
depend as much on the skills of our people as on the 
technologies that they employ.
    Given those realities, we must ensure that our technology 
is built and deployed with security foremost in mind; that the 
supply chains that support them are free from security risk; 
that our people are cyber literate; and that roles, 
responsibilities, and attendant accountability are sufficiently 
well defined that we remove the fissures and seams in cyber 
defenses that offer adversaries opportunities to find and 
exploit weakness.
    As this Committee and recent witnesses before you have so 
frequently discussed, SolarWinds, Hafnium, Colonial Pipeline, 
JBS, and other incidents all signal the urgent need to secure 
our national critical infrastructure. The pace of events and 
our adversaries deny us the luxury of biding our time before we 
seize back the initiative that has too long been ceded to 
criminals and rogue nations who determine the time and manner 
of their transgressions.
    If confirmed, I will work closely with the Congress, the 
Executive Branch, the private sector, and State and local 
entities to stand up, harness, and realize the expected 
benefits of the Office of the National Cyber Director (ONCD).
    I thank the Committee for considering my nomination, and I 
look forward to your questions.
    Chairman Peters. Thank you, Mr. Inglis, for your opening 
comments.
    There are three questions that this Committee asks of every 
nominee, and I will ask each of you to respond briefly with a 
yes or no to these questions.
    First, is there anything you are aware of in your 
background that might present a conflict of interest with the 
duties of the office to which you have been nominated? We will 
start with Ms. Carnahan and then go to Ms. Easterly and then 
Mr. Inglis. Ms. Carnahan?
    Ms. Carnahan. No, sir.
    Ms. Easterly. No, sir.
    Mr. Inglis. No, sir.
    Chairman Peters. Second, do you know of anything, personal 
or otherwise, that would in any way prevent you from fully and 
honorably discharging the responsibilities of the office to 
which you have been nominated?
    Ms. Carnahan. No, Senator.
    Ms. Easterly. No, sir.
    Mr. Inglis. No, sir.
    Chairman Peters. Last, do you agree without reservation to 
comply with any request or summons to appear and testify before 
any duly constituted committee of Congress if you are 
confirmed?
    Ms. Carnahan. Yes, sir.
    Ms. Easterly. Yes, sir.
    Mr. Inglis. Yes, sir.
    Chairman Peters. Great. Thank you.
    Mr. Inglis, if confirmed, you will be in a very challenging 
position of being the first National Cyber Director. Your 
authorities have never been utilized, your role has never been 
performed, and many other leaders in government have cyber and 
security responsibilities as well.
    So my question to you, sir, is: If confirmed, how would you 
see your role as being unique and different from that of the 
Director of CISA?
    Mr. Inglis. Senator Peters, thank you for the question, and 
thank you again for the work that this Committee did to invest 
the National Cyber Director with the authorities and the 
accountability that we are discussing here today. I think that 
if you stand back and read the very detailed language of the 
National Cyber Director authorization, what it really is 
pushing for is to create coherence, unity of effort, unity of 
purpose across what are already impressive, deep, and sharp 
capabilities within the Federal enterprise and a partnership 
with the private sector where most of cyber gets built, 
operated, innovated, and defended.
    I think that the primary purpose of the National Cyber 
Director must be to add value, coherence, leverage, connection 
to all of those other pieces and to identify, when necessary, 
when something is missing and to ensure that the national 
strategy and that our implementation of that strategy 
ultimately creates a coherent effort. I think that the premise 
for us within the United States and like-minded nations must 
increasingly be that if you are an adversary in this space, you 
have to beat all of us to beat one of us. The National Cyber 
Director needs to make that true.
    Chairman Peters. Thank you.
    Ms. Easterly, a similar question for you. CISA is the lead 
cybersecurity agency for operational Federal cybersecurity and 
supporting critical infrastructure. So my question to you is: 
If confirmed, where would you see the boundary between your 
work and that of the National Cyber Director?
    Ms. Easterly. Thank you very much for the question, Mr. 
Chairman. As we know, CISA is the operational entity charged 
with managing and mitigating risk to digital and physical 
infrastructure working closely with partners at the State, 
local, tribal, and territorial level, and then, of course, with 
the private sector to be able to ensure the resilience and the 
security of our critical national infrastructure. I see CISA's 
role within the Federal cyber ecosystem as the quarterback, if 
you will, responsible for protecting and defending Federal 
civilian government networks in close partnership with the 
Office of Management and Budget (OMB), which is responsible 
overall for Federal cybersecurity, also leading asset response 
for significant cyber incidents, and then, finally, for 
ensuring that timely and actionable information is shared 
across Federal and non-Federal and private sector partners. 
Within that ecosystem, I see the National Cyber Director as a 
critical partner, essentially the coach of the team responsible 
for overseeing the implementation of cyber strategy and policy 
and really bringing that sense of coherence and unity of effort 
to the Federal cyber ecosystem. If confirmed, I would look 
forward to working closely and collaboratively with Mr. Inglis.
    Chairman Peters. This next question will be to both of you 
as well. Ransomware attacks are nothing new, but they have been 
increasing in their impact, particularly the recent attacks 
that we have seen of our critical infrastructure. We had the 
Chief Executive Officer (CEO) of Colonial Pipeline in this room 
a short while ago. If confirmed, you each will play a 
significant role in helping us address this ever growing 
threat.
    Ms. Easterly, my question for you is: How do you view the 
role of CISA in fighting back against these ransomware attacks?
    Ms. Easterly. It is a very important question, Mr. 
Chairman. Thanks for asking it. Ransomware is clearly a 
scourge, clearly a national security threat, 2,400 incidents 
last year alone, $350 million in cryptocurrency. This requires 
an all-hands-on-deck effort that leverages the talents and 
capabilities across the interagency, from law enforcement to 
the intelligence community (IC) to diplomacy to Treasury.
    Very importantly, CISA's role in this ecosystem is to 
prevent people from having to make the really difficult 
decision about whether they end up paying the ransom or not. 
CISA's role is to provide the technical assistance, the threat 
information, the guidance, the educational resources to ensure 
that entities across the Federal Government, the non-Federal 
Government, and, of course, the private sector are prepared to 
defend themselves in this very complex cyber threat 
environment.
    Chairman Peters. Mr. Inglis, what role should the National 
Cyber Director play?
    Mr. Inglis. Thank you for the question. I would complement 
Ms. Easterly's answer by saying that the National Cyber 
Director needs to be an advocate and a connector for those 
various capabilities represented in places like CISA, but also 
the Department of Justice (DOJ), Department of Treasury, within 
the private sector that can systematically attack the system 
that today is the scourge known as ``ransomware.'' When you 
think about how that system works, there are weaknesses in our 
technology and oftentimes in the knowledge of the people who 
are on the front lines. There are sanctuaries that give safe 
harbor to the transgressors. There are other transgressors who 
must be dealt with. We must bring them to justice. There are 
financial systems, there are a great many things that we need 
to knock the legs out from under, and that will require a team 
effort. The National Cyber Director has to ensure that there 
is, in fact, a strategy that connects all those pieces and that 
that is being implemented in a concurrent, unified way, such 
that we might take this down using all instruments of power.
    Chairman Peters. I am currently working on legislation that 
would help illuminate this threat and get more information on 
ransomware attacks into the government so that we can both warn 
potential victims and also work to dismantle these criminal 
networks that are engaged in these activities. My question to 
both of you: Would you commit, if confirmed, to working with me 
on this important legislation so that we can enhance our 
ability to fight against this threat? Ms. Easterly?
    Ms. Easterly. Absolutely, Mr. Chairman. I would look 
forward to that if confirmed.
    Mr. Inglis. If confirmed, absolutely, sir.
    Chairman Peters. Great. Thank you.
    Ms. Easterly, the threat of foreign disinformation is real 
and has had particular impacts on our elections and on our 
ability to combat COVID-19. CISA has recently stood up a mis-, 
dis-, and malinformation team to help address this threat. If 
confirmed, what role would you see CISA playing to help us 
address this issue?
    Ms. Easterly. Thanks very much for the question. It is a 
very important one, Mr. Chairman. First I would say I 
absolutely agree with you about misinformation and 
disinformation. It is a particular worry of mine. You need to 
have the best information, the facts, to be able to make the 
best decision, and so I think that is absolutely critical. I am 
aware of CISA's work stood up during the 2020 elections in 
particular known as ``Rumor Control'' to deal with some of the 
misinformation and disinformation efforts and then the MDM team 
that now sits under the National Risk Management Center.
    If I am confirmed, I would take a very hard look at that 
effort to see what CISA's role can be and should be in 
misinformation/disinformation, and I would also want to make 
sure that CISA continues to be seen as a nonpartisan and 
apolitical agency in all of the actions that it took.
    Chairman Peters. Absolutely, and I appreciate your focus on 
this.
    I am also currently working on legislation to codify CISA 
and DHS' authorities in this area, so my question to you is: If 
confirmed, do you commit to working with me on this bill to 
ensure that the Department has the proper authorities and 
limits to combat this threat?
    Ms. Easterly. Absolutely, Mr. Chairman.
    Chairman Peters. Thank you.
    Ranking Member Portman, you are recognized for your 
questions.
    Senator Portman. Thank you, Mr. Chairman. I look forward to 
working with you on that legislation, and we will talk about 
accountability in a moment and the importance of having clear 
lines of accountability in what is an increasingly concerning 
issue, which is not ransomware but cyber attacks generally.
    With regard to our oversight role here, in order to do it 
properly, we need to have information. One of the congressional 
complaints sometimes is about responsiveness. This is 
particularly true, unfortunately, in this area, and so I want 
to ask you some questions about that.
    Ms. Carnahan, I will start with you on the video. I will 
ask you, do you agree to promptly provide the Committee with 
documents and information that we request?
    Ms. Carnahan. Certainly, Senator.
    Senator Portman. Thank you.
    Ms. Easterly, yes or no would suffice.
    Ms. Easterly. Absolutely, sir.
    Senator Portman. Mr. Inglis?
    Mr. Inglis. Yes, sir.
    Senator Portman. Let me give you an example of this. Ms. 
Easterly, the authorization for CISA's flagship cybersecurity 
program, the EINSTEIN program, as you know, is expiring. It 
expires next year, so we have been working on a reauthorization 
bill. I hope to work with Chairman Peters and all Members of 
this Committee on that. It has to be reauthorized. And yet we 
are having a really hard time getting information.
    On April 5th, Chairman Peters and I sent to CISA a letter 
requesting information about EINSTEIN to inform our legislative 
efforts. Until earlier this week, the only response we received 
were documents previously provided to Congress, so nothing new, 
and a lot of the documents we received this week were heavily 
redacted. Let me give you an example of that. We will put it up 
here behind me.
    This is the document where everything apparently describing 
the mission needs of EINSTEIN is redacted. Not terribly useful 
and not helpful in order for us to give you the key tool that 
you would need, should you be confirmed, to be sure that DHS is 
effective at combating cybersecurity.
    So my question for you would be, understanding you were not 
involved in this decision, but should you be confirmed, would 
you agree that the Chair and Ranking Member of an authorizing 
committee should be allowed to review the mission needs of a 
program before attempting to reauthorize it?
    Ms. Easterly. Thanks for that question, Ranking Member 
Portman. I would say that I absolutely believe in the strong 
oversight role that this Committee has, and if confirmed, I 
would 100 percent commit to doing everything I possibly can to 
make sure that you get all of the information that you need to 
perform those important oversight roles.
    Senator Portman. Thank you. We will hold you to that.
    Mr. Inglis, we also sent a letter to the Federal Chief 
Information Security Officer (CISO), as opposed to CISA--this 
is OMB--on April 5th, which asked about the accountability for 
Federal cybersecurity, an issue, as you know from our 
conversation, I have a lot of interest in. All we have received 
to date is a list of public websites. That is it. Does that 
seem like a timely and sufficient response to you?
    Mr. Inglis. Senator, I similarly, if confirmed, commit to 
providing the Committee with all of the resources and insight 
required for them to do their duty. We know that the Senate is 
a principal source of authorization and resources necessary. 
Without insight into that specific kind of request, not knowing 
what the question is, I am unable to comment on that, but only 
to say that it does not sound correct and that, if confirmed, I 
will work to accommodate----
    Senator Portman. Thank you. I ask unanimous consent (UC), 
Mr. Chairman, that we submit for the record the letters\1\ we 
have sent and the redacted page behind me.
---------------------------------------------------------------------------
    \1\ The letters submitted by Senator Portman appear in the 
Appendix on page 266.
---------------------------------------------------------------------------
    Just personally, I need to know from all three of you, you 
are going to be more responsive. We are trying to work with you 
and do our work.
    Ms. Carnahan, GSA has a lot of responsibilities. One, of 
course, is with regard to procurement. If confirmed, how would 
you increase Federal agency usage of GSA schedules and 
governmentwide acquisition contracts for procurement?
    Ms. Carnahan. Yes, thanks for that question, Senator. I am 
very interested in making GSA's services more user friendly. I 
know and I have talked to businesses that have tried to get on 
GSA's schedules. They have told me about how difficult that 
process is. I am interested in learning more about how we can 
streamline that. It creates more competition, and it creates 
good jobs in our country if we can get more people able to sell 
through the government and GSA schedules. Likewise, we need to 
make it easier for agencies to be able to buy through GSA 
schedules and make sure we are getting them the best price and 
the best value.
    I am very interested in this topic, Senator, and look 
forward to working with you more on----
    Senator Portman. Good. I appreciate that. I think you are 
absolutely right; improving the user experience is key, and 
your commitment to it is appreciated.
    During COVID-19, as you know, the government had waived 
certain requirements in order to move more quickly to acquire 
goods and services to respond to the pandemic. My question is 
for you: Why shouldn't we continue to waive these requirements 
for the urgent and critical non-pandemic contracts?
    Ms. Carnahan. Thanks for that question. I will tell you, 
Senator, I am not familiar with all of the waiver requirements 
and waiver rules that were put in during the pandemic. But I 
think it is worth figuring out how we can streamline and speed up 
the process. I think it is cumbersome now. I think it can be 
better. We know what good marketplaces look like. There are 
security and other kinds of implications that we have to think 
about all the time, but I am very committed to trying to make 
this work better.
    Senator Portman. We would appreciate working with you on 
that, particularly given the opportunity we have post-COVID. We 
have had this experience during COVID that worked pretty well 
and would help in terms of that responsiveness.
    On accountability, again, this is an issue that I think is 
a deep concern of not just mine but a lot of Members of this 
Committee. In the Federal Government, we have CISA and Jen 
Easterly is up for the CISA confirmation. We have CISO at OMB. 
We haven't had the National Cyber Director. Mr. Inglis is the 
nominee for that job. We also have the Deputy National Security 
Adviser for Cyber. All have not just roles in cybersecurity but 
coordinating roles in cybersecurity.
    I am concerned about the overlap. I am concerned about the 
duplication leading to a lack of accountability. I noticed in 
the conversation earlier, Mr. Inglis, you talked about the job 
is one of encouraging coherence, unity of purpose, partnership 
with the private sector. CISA talked about partnership with the 
private sector. You talked about ensuring a national strategy. You 
talked about this being sort of like a coach, Ms. Easterly, the 
role that Mr. Inglis would play, if confirmed, and that you 
were the quarterback. What is CISO? Is CISO the running back? 
What is the Deputy National Security Adviser? Is that a 
defensive player, a linebacker?
    I mean, really, all joking aside, I think we have a real 
opportunity here with real experts coming into these jobs to be 
able to be sure we are not duplicating efforts and, frankly, 
without accountability, no one is in charge. So ultimate 
accountability, if everyone is in charge, no one is in charge. 
So can you speak to that briefly, Ms. Easterly?
    Ms. Easterly. Yes, Ranking Member Portman. Thank you very 
much for that question because I do think it is incredibly 
important.
    As I said in my opening statement, cyber is and has to be a 
team sport, but I 100 percent agree with you that 
accountability is critical. I come before you as the nominee 
for Director of CISA. If I am confirmed, I would expect you and 
Secretary Mayorkas and the Committee to hold me accountable for 
the very specific operational mission that CISA has to manage 
and mitigate risk to our digital and physical critical 
infrastructure and resilience, working with all of our 
partners. So that is what I would expect to be held accountable 
for.
    Senator Portman. OK. In the wake of the Colonial Pipeline 
hack, we have a lot to talk about. They did not even manage to 
work with you guys. They reached out to the Federal Bureau of 
Investigation (FBI). The FBI reached out to your prospective 
new agency. I mean, if that is your responsibility at CISA, 
should you be confirmed, it does not seem to be working very 
well. We have lots to talk about, and I know, Mr. Inglis, you 
and I talked about having a whiteboard exercise where we can 
actually see all these different roles. That does not include 
all the roles at the agencies where there is also 
accountability. We look forward to working with you on that, 
but I would like a commitment from you all today that you will 
help us to ensure that we have the right people in the right 
place and that we are not overlapping responsibilities so that 
we can more effectively provide both the defense and the 
offense on cybersecurity.
    Thank you.
    Ms. Easterly. I commit to that.
    Senator Portman. Thank you.
    Mr. Inglis. I do as well, Senator.
    Senator Portman. Thank you.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Portman.
    The Chair recognizes Senator Carper for your questions.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman. Can you hear me?
    Chairman Peters. I can hear you just fine.
    Senator Carper. I just want to say a special welcome to 
each of our witnesses, and especially to Robin Carnahan, with 
whose father I served as a Governor together. We were Governors 
together. We actually ran for the U.S. Senate together. He was 
killed in a fatal plane crash, very sadly, during the course of 
that campaign. Her mother went on to become a Senator from 
Missouri for a period of time, and so I have had the pleasure 
of serving with Robin's dad as Governor and with her mom as a 
U.S. Senator, and we are thrilled that you have been nominated 
for this position. I look forward to being able to support your 
nomination.
    Robin Carnahan and I discussed, colleagues, the 
intersection between GSA and the Government Accountability 
Office (GAO), and how GAO puts out at the beginning of every 2 
years, at the beginning of a new Congress, the High-Risk List, 
high-risk ways of wasting money, and gives us a whole laundry 
list of things that we can do to save taxpayers' money and draw 
on bipartisan support for doing so. The High-Risk List includes 
things like real property management, IT acquisition 
management, just to name a couple of things on the GAO High-
Risk List.
    Ms. Carnahan, would you please take a moment to discuss 
your plans for working with the Comptroller General, who is now 
Gene Dodaro--I call him ``Comptroller General for Life''--to 
address these and other high-risk areas where GSA can make 
meaningful progress? Please go ahead.
    Ms. Carnahan. Yes, thank you, Senator, for those kind words 
about my father and mother and also for that question. I have 
lots of respect for the GAO and the oversight role that they 
play in all of these things. I think more eyes on these 
projects and thoughts about how they can be improved make 
sense.
    I know with respect to some of the high-risk topics that 
you mentioned, GSA has made some progress by following some of 
the GAO recommendations and getting the leasing segment off the 
GAO High-Risk List. But there are more that are left. My 
interest would be sitting down with the GAO to talk about how 
we can implement some of these recommendations and, frankly, 
understanding what the blockers have been to getting that done 
sooner.
    Senator Carper. Let me just interrupt and say I think that 
is a great idea. When I was privileged to chair this Committee, 
Senator Tom Coburn I think was the Ranking Member, there was a 
woman named Jane Holl Lute, who was the Deputy Secretary of 
Homeland Security, and that was at a time when Homeland 
Security led the hit parade in things, we were wasting money, 
badly managed, bad morale, and Jane Holl Lute, the Deputy 
Secretary for Janet Napolitano, who was the Secretary, she 
would go meet with Gene Dodaro and the team at GAO literally 
every month and say, ``How do we get off your High-Risk List?'' 
They would just literally go through the list. It was sort of a 
personal approach, but a very deliberate approach. And you know 
what? They got off the High-Risk List before the end of this 
administration. It actually worked.
    I like to say find out what works and do more of that, so I 
would urge you to--if you do not know Gene Dodaro already, get 
to know him. He and his team do great work. I think you will 
find him a good partner.
    Ms. Carnahan. Thank you, Senator.
    Senator Carper. For Colonel Easterly, I am a Navy guy. Navy 
salutes Army, and they are proud of your history and your 
service, two Bronze Stars, as I recall. Not many people I know 
can claim that. But as I was going through your written 
statement, I came across something where you referred to Tom 
Kean. I am a former Governor of Delaware; he is a former 
Governor of New Jersey. I have huge respect for him, and he was 
the Co-Chair of the 9/11 Commission. But I think you mentioned 
in reference to the 9/11 Commission a quote from him. Former 
Governor Tom Kean said, ``We did not grasp the magnitude of a 
threat that had been gathering over a considerable period of 
time. This was a failure of policy, of management, of 
capability, and, above all, a failure of imagination.'' That is 
his quote, the Co-Chair of the 9/11 Commission, Republican from 
New Jersey.
    In light of that quote, Ms. Easterly, I want to ensure our 
country is adequately addressing the magnitude and the severity 
of the increased cyber and ransomware attacks we are grappling 
with today. I would ask you, Ms. Easterly, how would you 
propose to work to improve our Nation's cyber posture in the 
role of CISA Director to ensure we have strong policy 
management and capabilities to address the increased cyber 
threats we are facing?
    Ms. Easterly. Thanks very much for that question, Senator, 
and thank you for your service to the Nation, particularly your 
time in the Navy.
    If confirmed, I would focus initially on three major things 
to ensure that CISA has the capacity and capability to execute 
its very complicated mission. First, I would ensure that CISA 
has the right resources to execute that mission, and that is 
people, its authorities, and its budget. Most importantly, I 
would say people. I think the quality of the workforce is 
incredibly important to be able to effectively execute the 
mission.
    Second, I would ensure that CISA has the operational and 
technical visibility that it needs to be able to effectively 
defend Federal Government networks. We know if you cannot see 
it, you cannot defend it. So that is absolutely critical.
    Third, I think it is absolutely fundamental for CISA to 
have the right partnerships to make it successful. We know that 
CISA is really an agency of partnerships, and its success is 
highly dependent on the quality of those partnerships, whether 
that is State and local, tribal, territorial, whether that is 
partnerships within DHS, across the Federal Government, or the 
very important partnerships that CISA has with the private 
sector. So incredibly important to focus on resources, on 
visibility, and on those partnerships if I am confirmed, 
Senator.
    Senator Carper. Good. Thanks for that response.
    Mr. Inglis, Ms. Easterly, same question for both of you, 
and that would be: How will each of you work to select, 
recruit, and retain a talented cyber workforce? How do you 
believe your past working experiences will serve you well in 
your new roles, if confirmed? Mr. Inglis, would you go first? 
Then Ms. Easterly. Just be fairly brief, if you would, Mr. 
Inglis.
    Mr. Inglis. Senator, thank you for the question. I think, 
first, in order to recruit to a workforce, you need to inspire 
them to come to a mission. You need to be very clear about what 
the purpose is and how they can make a difference to that. That 
culture is absolutely essential.
    You need to then make sure that that workforce is not 
simply fit for purpose, but that broadly across that workforce 
it is sufficiently diverse that you will have the benefit of 
all the perspectives that are necessary.
    Finally, you need to give them a viable career path. You 
need to ensure that you have accounted for their aspirations to 
do something more than what perhaps might be the opportunity of 
the moment. And to the extent that they can have agility and 
longevity in that career and you give them that feedback and 
you give them those investments, they will come and they will 
stay, and they will exceed your expectations.
    Senator Carper. Mr. Chairman, could I have 30 seconds maybe 
for Jen Easterly to respond to the same question, please?
    Chairman Peters. Without objection, yes.
    Ms. Easterly. Thanks, Senator. A very important question 
and a personal passion of mine. Three things.
    One, culture, as Mr. Inglis mentioned. Leaders need to 
create a culture that prizes collaboration and innovation and 
inclusion and ownership and empowerment. A good culture is key 
to being able to attract the best talent.
    Second, you have to look at this not as a one-off position 
but as part of a talent ecosystem from recruiting to onboarding 
to integration to training and certification to rewards and 
recognition and promotion as part of a whole ecosystem to allow 
you not just to attract the best talent but also to retain the 
best talent.
    Finally, you need to be relentlessly creative in using 
various different approaches to tap into a diverse pipeline of 
cyber talent, whether that is through internships, through 
apprenticeships, through expanding the cyber corps program, 
through reserve programs, through rotational programs, and then 
creating corridors with the private sector to enable easier 
passage so that you can bring in more private sector people to 
help to strengthen the connective tissue between the private 
sector and the government.
    Senator Carper. Very thoughtful responses from both of you. 
Thank you so much.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Carper.
    I am going to need to step away briefly. The Senate Armed 
Services Committee (SASC) has a hearing with the Secretary of 
Defense and others that I need to go to to ask a few questions. 
Senator Padilla, you will be taking the gavel and the Chair. As 
the Senator comes up here to take the gavel, Senator Lankford, 
you are recognized for your questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Chairman, thank you very much.
    Thanks to all of you for going through the process on 
this. I want to first say about the workforce issue that you 
were just talking about with Senator Carper as well, Senator 
Sinema and I spent a lot of time working on this issue, on the 
hiring. We obviously have great complications in the process. 
We are still over 100 days in hiring in the Federal workforce. 
There are lots of issues with bringing interns on as interns 
and then moving them to actually hire. What is common in the 
workplace is uncommon still in the Federal workplace. All those 
issues, as you rise up and start to reach out to people, please 
stay engaged with us and with our Committee in the days ahead. 
It will be essential that we make sure that we are removing 
barriers from the process.
    Senator Peters and I have even worked for a while on 
dealing with some of the specialists in NASA and trying to 
figure out how to get a pilot project there so they can 
continue to be able to tap into some of the scientists. You 
will run into barriers in trying to get some of these 
professionals. We make sure that we are clearing as many of 
those as possible. But that is going to require communication 
among our teams to be able to do that. We invite that kind of 
communication so we can make sure that we are clearing the 
path.
    I do want to ask a question that involves all three of you, 
and it is a point of connection for all three of you. Ms. 
Carnahan, I want you to be able to answer this first. I am 
going to take you back 7 years ago. This Committee was working 
with GSA to identify a vendor that was on the GSA approved list 
named ``Kaspersky.'' At the time the GSA had approved them as a 
software package and said this is approved software. Many 
agencies were using it. More and more evidence came out that 
Kaspersky was housing the information that they were harvesting 
from users in Russia and were filtering those, and it became a 
pretty rapid issue of how do we actually get Kaspersky out of 
our system.
    This is an intersection of all three of you in this process 
to deal with a vendor on multiple agencies to be able to 
identify who is a qualified vendor, who is a hostile vendor 
that is out there like Kaspersky clearly was, and how do we 
actually make sure that that does not happen that they get into 
the system, because at the time we were then trying to figure 
out with GSA how they would unwind, how agencies would switch 
virus protection to a different one, and how we could actually 
pull that out and replace and what is a decent vendor in this.
    All three of you would have to be engaged in that at some 
level to make sure we do not get vendors like that. I would 
like to ask how we are going to deal with the integration to be 
able to deal with it? Ms. Carnahan, you are up first.
    Ms. Carnahan. Thank you, Senator, for that question. I will 
tell you that I see GSA's role here as really twofold: one, 
staying very tightly and closely coordinating with CISA and the 
National Cyber Director as they set policy and identify these 
threats. The main thing we all need to understand is that 
threats are not static. They are going to be changing all the 
time. And GSA's role in all of this is to be the implementing 
partner. We are the ones who will be helping agencies get the 
secure tools that they need and the services that they need, 
and they have to be always evolving with the evolving threats.
    So my interest is making sure that GSA is using the best 
practices for the private sector and changing with those 
threats not being static and automating as much as we can to be 
able to continue to monitor the threats. I look forward to 
working with you more on that, but that would be my general 
approach to this.
    Senator Lankford. Ms. Carnahan, I would say one of the 
challenges we will face will be trying to be able to go through 
that process in a timely manner, because we do not want every 
one of our agencies to all just have 3-year-old software by the 
time we actually get through all the approval process as well. 
So it is going to be the coordination, I completely agree, but 
also a timely process as well.
    Ms. Easterly.
    Ms. Easterly. Yes, Senator, thanks for the question. Hugely 
important. Could not agree with you more on the need to have 
rigorous and accelerated processes in place to ensure the 
security of the supply chain from foreign nation-state threats.
    Two things that CISA does in this space that I am aware of. 
First, it hosts an Information and Communications Technology 
(ICT) supply chain risk management effort between the public 
and the private sector to work on recommendations for ensuring 
the supply chain. I think more importantly, though, CISA is a 
member of the Federal Acquisition Security Council (FASC) that 
was, of course, created by this Committee in 2018. That is a 
hugely important capability that I think came out of the 
Kaspersky piece to enable dangerous products that could present 
security threats to be excluded or removed from software.
    I agree with you that as that is done, it needs to be done 
in a way that keeps up with the pace of technology. If 
confirmed, I look forward to advancing both of those efforts 
along with the GSA Director as well as the National Cyber 
Director and other key stakeholders.
    Senator Lankford. OK. Thank you.
    Mr. Inglis.
    Mr. Inglis. Senator, if confirmed, the National Cyber 
Director, I believe, must be committed to advocating the 
techniques, the mechanisms you have already heard described I 
think thoughtfully and well from the prospective head of GSA 
and the prospective Director of CISA. Also, these issues 
transcend cyber. I think you have thoughtfully pointed out some 
of the cyber relevant issues and would argue in some cases 
against the use of this technology within either the Federal 
enterprise or the kind of U.S. larger cyber enterprise. But 
there are issues of economic fairness as to whether these are 
level playing fields that foreign competitors are playing on 
and whether we should stand in to perhaps adjudicate and render 
a perhaps level playing field for the benefit of U.S. industry.
    There are issues of legal perils that might not be directly 
injected into these systems because of some back door but, 
rather, because a legal system in another country that has 
access to this information can access it under something that 
we do not find suitable for our probable cause standard. That 
then moves this to a higher level where the National Cyber 
Director would be expected to participate in the National 
Security Council to bring to bear all the instruments of power 
to understand how do we render a level playing field for these 
systems and remove them when they are not in the U.S. interest.
    Senator Lankford. OK. Thank you.
    Ms. Carnahan, quickly, I want to be able to bounce a very 
complicated question off of you, and I am sorry for the short 
time on it. We can talk at greater length at another time also, 
but that is the issue of real property and our moving out of 
COVID-19 time period where we will have the Federal workforce 
returning back to buildings, but we will also have a 
significant number of the Federal workforce that will start 
working remotely permanently. We found a lot of flexibility in 
a lot of offices, and they are going to find ways to be able to 
say we could hire more people in more places and we will need 
less footprint of actual space.
    You are in the difficult position, if confirmed in this, to 
have to manage that transition of work space while agencies are 
trying to also figure out how many more people they are going 
to have remote. How are you planning for that, thinking through 
that?
    Ms. Carnahan. Thanks for that question, Senator. It is a 
very big deal for the Federal Government, just as it is a big 
deal in the private sector. The pandemic changed the way all of 
us did business and really is going to, I am sure, cause 
agencies to be rethinking how they want longer term to 
implement remote work and what the options are. That is going 
to impact their physical space needs.
    I think as you said it is a great opportunity to think 
about how to right-size the Federal footprint of real estate 
and do that at a time where we can be smart about understanding 
the marketplace and where it is going and what future needs are 
going to be. I look forward to this. I, like you, think this is 
a big opportunity to rethink what our Federal Government looks 
like, what the future is going to look like. I know that there 
are task forces that are underway right now with OPM and OMB 
and GSA to think about all of these issues, and I look forward 
to seeing what they come up with and talking to you and other 
Members of the Committee about this, because I think this 
really is a long-term issue that we are going to be dealing 
with in the government, and we need to get it right.
    Senator Lankford. It is exceptionally important, but the 
real property management has been a problem for GSA for quite a 
while. This is a fixable problem, but it has definitely been a 
problem. Another one I will talk about and put in a question 
for the record is the relationship between GSA and Customs and 
Border Protection (CBP) on those Ports of Entry (POE), because 
that has been a point of frustration for a long time because 
CBP is pretty frustrated how the ports of entry are managed. 
They will say, ``We are not a courthouse. We are not an agency 
building the same way that we are a port of entry.'' That is a 
relationship we have to be able to work out in the days ahead.
    Thank you, Mr. Chairman.

              OPENING STATEMENT OF SENATOR PADILLA

    Senator Padilla [presiding]. Thank you.
    For Members watching, it is my opportunity to ask questions 
next, followed by Senator Scott. Thank you to the witnesses and 
folks before us today.
    I want to start by talking about my experience for the 
prior 6 years before my appointment to this body in January. I 
think we all agree that our right to vote is indeed the 
foundation of our democracy. Prior to joining the Senate, I 
served as California's Secretary of State and helped oversee 
the 2020 election, and not just in that cycle but in prior 
years I saw firsthand CISA's commendable work, particularly 
through the Project 2020 Campaign. Election cybersecurity, like 
all cybersecurity in all sectors, is certainly a work in 
progress.
    In 2020, we learned about specific vulnerabilities 
highlighted in the 2016 election and were able to take actions 
to defend against those. But from this last election cycle, we 
learned specifically how dangerous it can be for election 
security to become politicized.
    My first question is for Ms. Easterly. How are you thinking 
about CISA's election security work and the challenge of 
ensuring the agency's work is viewed as apolitical?
    Ms. Easterly. Thank you for that question, Senator, and 
thanks again for your incredible leadership during 2020. As we 
know, fair and free elections are critical to the fabric of 
democracy, really foundational, and the American people's 
belief that their vote is going to be counted is largely 
reliant on the security and resilience of election 
infrastructure.
    As we know, State and local officials administer those 
elections. CISA's role is to be a strong partner in this space 
to ensure that election officials have the resources, the 
technical guidance, the threat information sharing, and the 
assessment support that they need to be able to ensure the 
security of those elections.
    I have had conversations with folks at CISA that worked as 
a part of that effort in 2020, and I think it was a real bright 
spot, as you pointed out. I have also had an opportunity to 
speak with some of the executive board of the National 
Association of Secretaries of State and know how important it 
is that CISA is seen as a nonpartisan, apolitical agency 
because CISA needs to be seen as an enabler for all Secretaries 
of State and all officials, regardless of party.
    I would make it a very early priority to start building 
those relationships off the back of the superb relationships 
that Chris Krebs developed as the Director and would make that 
a significant area of focus.
    Senator Padilla. Thank you.
    Mr. Inglis, a similar question. Your position is a new one, 
and so how would you see the role of National Cyber Director 
when it comes to election security specifically?
    Mr. Inglis. Senator, thank you for the question and for the 
opportunity to follow Ms. Easterly in answering that question. 
I think she gave an excellent answer. I think first and 
foremost I would fully support all of what she said in terms of 
the nature of the Federal Government's relationship with the 
States and locales who actually conduct those elections.
    The National Cyber Director needs to make sure that at any 
moment in time that we have a viable strategy to effect that 
support that we can render the support, the assistance that is 
necessary and appropriate to those who conduct these elections, 
who execute these elections. That needs to ensure that not 
simply CISA has the resources necessary to do their job, but 
that the FBI, the intelligence community, the other resources 
the Federal Government can bring to bear can detect threats to 
those election systems, both in the technology and perhaps in 
the constitution of that threat from perhaps foreign entities, 
and that all of that is provided so that we can render the 
social contract between the Federal Government, the States, and 
the locales on something that is intact and sustained.
    Senator Padilla. And that actually anticipates my next 
question. We know that in order to defend our networks, we need 
both a robust community of cybersecurity professionals in 
government as well as a shared sense of responsibility to 
practice good cyber hygiene. Research points to a gap between 
the cybersecurity capabilities we need in the United States and 
those we currently have. According to the 2020 ISC 
Cybersecurity Workforce study, the U.S. cybersecurity gap is 
still a staggering 359,000 employees. When the Federal 
Government does hire, we have a lot of work to do to be able to 
retain cyber talent.
    I want to pose a question to all three of you, and the 
question is this: What has been your experience in recruiting 
talent? How do you plan to recruit and retain cybersecurity 
professionals? We will start with Ms. Easterly, then Mr. 
Inglis, and then Ms. Carnahan.
    Ms. Easterly. Thank you, Senator. Very important question 
and a real passion of mine. As you point out, the cyber 
workforce is lacking in a significant number of personnel, both 
within the Federal Government as well as within society, writ 
large. The approach that I would take is very similar to what I 
have been doing over the past 4 1/2 years, building a team 
virtually from scratch to help defend Morgan Stanley in this 
very complex cyber threat environment.
    A couple key pieces that I think we need to recognize.
    First, culture is foundationally important. You have to 
build a culture of excellence that prizes inclusion, 
innovation, collaboration, empowerment, and ownership so that 
people wake up in the morning and they love what they do and 
they enjoy their teammates and they like who they work for. 
That is how you attract the best talent and retain the best 
talent.
    Second, you need a talent ecosystem that treats a job not 
as one-off but as part of a career development strategy, so you 
look at recruiting all the way to training, certification, 
promotion, retention, all of those things together as part of 
the ecosystem.
    Finally, creative approaches, all different approaches to 
be able to tap into highly diverse pipelines of talent.
    I think those are the three tenets that I would leverage if 
I am confirmed.
    Senator Padilla. Thank you.
    Mr. Inglis.
    Mr. Inglis. Sir, I would only add to Ms. Easterly's very 
thoughtful answer and I think comprehensive answer that we have 
found that the pipelines are not generating enough, either in 
the diversity or in the literal numbers. We need to actually 
work those pipelines. We need to start as early as possible, K 
through 12, in creating awareness on the part of those 
up-and-coming students about what the possibilities are to take on 
very viable careers. If we meet their needs with the qualities 
that Ms. Easterly described, then I think we will find a 
greater number kind of come into those systems.
    I think we also need to revisit what the fundamental 
qualifications are to take one of these jobs. Not all of them 
require a Bachelor of Science (BS) in computer science. Many of 
them simply need good, critical thinkers, people who have a 
good work ethic, and we need to open the doors for them to make 
their way into these jobs such that they can make an immediate 
and positive difference.
    Finally, we need to have some flexibility such that if you 
are hired into a job in one place, you are a candidate to take 
in any number of other places, and you see yourself as part of 
a larger community, an ecosystem where you can flow back and 
forth and everyone benefits from the diversity of experience 
that we then accrue.
    Senator Padilla. Ms. Carnahan.
    Ms. Carnahan. Yes, thank you for that question, Senator. I 
worked actually on a tech team inside the government, and it 
was fascinating to watch how they were able to recruit talent. 
I think that there are ways we can do this just by being 
smarter.
    One is we need to streamline human resources (HR) practices 
to make it so we are actually defining jobs as they are defined 
in the private sector, not as how they are defined in 
government, so people know what roles might make sense for 
them.
    No. 1, we need to make use of remote work. That is a thing 
that is attractive to lots of people in the technology 
industry, not to have to pick up and move to another city or to 
move to Washington in order to do the important work.
    No. 2, if we promote this as tours of duty in government so 
that they can get good experience and serve their country, it 
turns out that folks in technology and cybersecurity are 
patriotic and want to figure out ways to serve their government 
as well. So we should give them that opportunity.
    Finally, I think the way you recruit is you talk about the 
impact. We often hear in government that you cannot afford 
people, but it turns out people will do a lot to serve their 
country, and if they know it has an impact on people, they are 
willing to do that as well.
    I think there are some very practical things that we can do 
to recruit talent, and we need to get on it right away.
    Senator Padilla. Thank you very much.
    Senator Scott has yet to arrive, so we will turn to Senator 
Hassan followed by Senator Hawley.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you so much, Senator Padilla. Good 
morning to all three of our nominees. Thank you. I thank your 
families for your willingness to serve. Thank you for your 
expertise and your patriotism.
    I want to start with a question to you, Mr. Inglis. I would 
like to follow up on a discussion we had in our prior meeting. 
It is clear that we have to work together to strengthen 
public-private cybersecurity information sharing, especially in light 
of the recent SolarWinds, Microsoft Exchange, and Colonial 
Pipeline attacks.
    In your view, what are the biggest barriers inhibiting 
effective cybersecurity information sharing in both directions 
between the private and public sector? If confirmed, are there 
changes to the current information sharing framework that you 
would recommend?
    Mr. Inglis. Senator, thank you for the question, and thank 
you especially for the conversation we had, which I found quite 
enriching to my own understanding of some of these challenges.
    With respect to information sharing, I think that that is a 
very important dimension of public-private collaboration, but 
often that fails because that is all we do, is share 
information. We do not share perspectives. We do not share what 
perhaps might be a hunch or an insight on one side of an 
otherwise stovepiped organization to another and, therefore, 
not feeling we have common cause, not sharing insight as 
opposed to simply information. We find that we disappoint one 
another. What you give me or what I give you is not as useful 
because I lack the context.
    I think, therefore, we need to create common cause. We need 
to lower the boundaries, share at the lowest possible level, 
not after we have a well-formed idea but to put people shoulder 
to shoulder on floor plates where they can co-discover and 
co-mitigate threats on the fly. To the extent that we do that and 
we provide mutual advantage, the government to the private 
sector and vice versa, I think you will find that those 
relationships will take off and that they will then be 
self-sustaining and they will grow.
    Senator Hassan. Thank you. I really look forward to working 
on that with you.
    Ms. Easterly, FBI Director Chris Wray recently indicated 
that the Bureau would be escalating the fight against 
ransomware and stated that disrupting and preventing ransomware 
attacks is a shared responsibility all across government 
agencies. However, the Federal Government only successfully 
prosecutes a small fraction of cyber criminals each year.
    If confirmed, how would CISA work with law enforcement 
agencies such as the FBI to increase costs and deterrence for 
cyber criminals?
    Ms. Easterly. Thanks for that question, Senator. I think as 
we heard earlier this week from the CEO of Colonial in dealing 
with that incident, they reached out to the FBI, and the FBI 
immediately brought in CISA. I know some people look at that 
and say, ``Well, the company did not call CISA,'' but I 
actually think it is a tribute to those very strong 
collaborative relationships within the Federal Government that 
the FBI immediately brought in CISA. I think those 
relationships have actually evolved over the past couple years, 
and if confirmed, I would look to strengthen them.
    We understand that the FBI's role is, of course, from an 
investigation and a pursuit perspective. CISA's role is to 
ensure that all the key stakeholders at the State, local, 
Federal, non-Federal, private sector have the guidance and 
information and resources that they need to be able to prevent 
such attacks.
    We know at the end of the day a lot of this comes down to 
the basics of cyber hygiene, passwords, multifactor 
authentication, and so these basics are absolutely critical to 
be able to get out the information that is needed so that folks 
know how to protect themselves.
    Senator Hassan. Thank you. It is also important to note 
that Colonial said that it had not actually planned for a 
ransomware attack. It had planned for some other things, but 
not that, so we have some work to do.
    Ms. Carnahan, when we met a few weeks ago, you remarked--
this is, I think, a quote from our conversation--``The future of 
service is digital.'' But the COVID-19 pandemic revealed just 
how many Federal agencies are not equipped to offer digital 
services due to their use of expensive outdated technology and 
paper-based data systems.
    For Granite Staters, this meant significant delays in 
delivery of stimulus checks and the inability to access 
emergency funding to support their small businesses.
    How will you proactively assist agencies in achieving their 
IT modernization goals and in turn save taxpayer dollars by 
reducing their reliance on outdated legacy IT systems?
    Ms. Carnahan. Yes, that is a great question, Senator, and I 
enjoyed our conversation. I have lots of thoughts about this. 
As you know, I come from a State government perspective as 
well, and I watched, just as all of us did, horrified, that so 
much of the quick policy work and appropriation that was done 
by Congress was not able to get to the people that needed it 
because of outdated or not-working technology systems; and, 
likewise, that cyber criminals were able to take advantage of 
that and steal money.
    Bottom line, if we cannot implement government policy, if 
we cannot make the damn websites work, I think that is my 
bottom line. We have to get that right. I want to ensure that 
we both serve people well and do that in a way that is a smart 
investment of money. I will also add that many times people 
think, if we are going to upgrade technology systems, it is 
going to cost a fortune, and it is going to take forever. What 
we know is that you can incrementally improve these systems, 
and you can do it for less money. It really is about focusing 
on the value that we are giving to users and also doing that in 
a way that is smart for taxpayers. I am very interested in 
getting your thoughts on this and getting started.
    Senator Hassan. I thank you, and I think one of the reasons 
to do this, too, is to your point about making sure that people 
understand that their government can work for them. They need 
to be able to get the same level of service from their 
government that they get from the private sector digitally. I 
look forward to working on this issue with you as well.
    Ms. Easterly, I have been particularly concerned about 
cyber attacks against State and local governments and entities. 
In your view, should the Department of Homeland Security 
provide more resources to State and local governments to 
improve their cyber posture?
    Ms. Easterly. As a private citizen, I do not have a good 
sense of the resources that are being provided right now, but I 
absolutely agree with you on the importance of partnering 
closely with State and local so that they do have the resources 
to protect themselves. I think the addition of a cybersecurity 
coordinator at the State level was an important enabler there, 
and if I am confirmed, I will make that a priority to develop, 
continue to develop those partnerships.
    Senator Hassan. Thank you. Would you support creating a 
stand-alone cybersecurity grant program for State and local 
governments?
    Ms. Easterly. At this point in time, Senator, I do not know 
much about that, but it certainly seems to make sense. I think 
grants are a very important vehicle to allow State and local to 
have the resources that they need to defend themselves. If 
confirmed, I would love to be able to learn from you more about 
that and to work with you on it.
    Senator Hassan. Thank you. Mr. Chair, I will turn my time 
back, but I would look forward to a deeper conversation with 
both Ms. Easterly and Mr. Inglis, too, about the 
appropriateness of apprenticeship programs as a way to really 
build our cyber workforce, and I look forward to that 
conversation.
    Thank you, Mr. Chair.
    Senator Padilla. Senator Hawley.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you, Mr. Chairman. Thanks to all the 
witnesses for being here. Congratulations on your nominations.
    Ms. Carnahan, if I could just start with you, I enjoyed 
your conversation, I guess it has now been a couple of weeks 
ago. Congratulations on your nomination. I want to follow up on 
this important issue--you and I talked about it--of Federal 
procurement, so important to what GSA does and the Federal 
Acquisition Service, which is an important part of GSA's work.
    Give me a sense of what role you see for GSA in ensuring 
that we protect our procurement process from security risks. 
What I am thinking here specifically--and we talked a little 
bit about this--is the threat from Chinese-based 
telecommunications products in government networks. What is 
your view on how to protect our procurement process from those 
kind of risks?
    Ms. Carnahan. Thank you, Senator. I share your urgency 
about this issue and understand that Congress has been very 
clear about the dangers from both telecommunications equipment 
and other things under the National Defense Authorization Act 
(NDAA). I think it is important that GSA get on with, as the 
chief buyer, strengthening the supply chain to ensure that it 
is complying with Section 889. My understanding is that it has 
worked on that, but in the end, there is no excuse for not just 
getting it done.
    I do not know what the blockers are currently to having 
this fully implemented and enforcing these rules, but if I am 
confirmed, I am going to be interested in, as quickly as 
possible, getting to the bottom of that issue.
    Senator Hawley. Great. Thanks very much. I look forward to 
working with you on that.
    Switching topics, I have been a big advocate of reopening 
the Federal agency field offices to ensure that our fellow 
Missourians and other folks around the country can get the 
services that they rely on and that they need. GSA, of course, 
operates a huge property portfolio that includes many of those 
field offices.
    Give me a sense of what role you see for remote work going 
forward. You have mentioned this a time or two today in your 
testimony, but what role do you see for remote work? What kind 
of balance do you think we need to strike between in-person 
work so folks can come in and ask their questions, get the 
information they need, get answers, and then the remote work 
for Federal employees. Tell me how you would strike that 
balance and what your view is there.
    Ms. Carnahan. Yes, it is a great question, and I think it 
is something that the government is trying to get a handle on 
as well as private businesses. I think the pandemic has changed 
the way a lot of people are thinking about this, and it is 
certainly changing the way how government is thinking about it.
    I know that GSA is currently in the mix with a task force 
on both reopening, but also the future of work and what that is 
going to look like. I will look forward to learning more about 
what that task force comes up with. I am not privy to that 
right now, but my sense is a lot of these agencies are going to 
be rethinking how many people need to be onsite, how many 
people need to be in buildings, and it is all going to be based 
on the mission. I think that is going to be different from one 
agency to the next, and our job at GSA is going to be just 
responding to agencies' needs as their workplace needs change.
    I know it is a big topic, and I will be spending a lot of 
time on it, and I look forward to getting started.
    Senator Hawley. Very good. Thanks very much.
    Ms. Easterly, let me turn to you, if I could. We had the 
CEO of Colonial Pipeline before the Committee earlier this 
week. I was troubled, to be honest with you, about his lack of 
transparency over how much Colonial has invested in 
cybersecurity and just the steps that they were taking 
proactively before the most recent crisis in cybersecurity.
    Do you think that we have currently adequate accountability 
for private sector companies in place?
    Ms. Easterly. It is a great question, Senator. Thank you. I 
do not have a sense across the board in terms of 
accountability. I currently work in the financial services 
sector, and I think there is strong accountability there 
because of our regulatory framework. But I do think 
accountability is incredibly important for cybersecurity 
standards across the board.
    Senator Hawley. Do you think that the Federal Government 
needs to require more of companies that operate critical 
infrastructure? For example--and I asked the Colonial CEO about 
this--until last month, I think the TSA reviews were optional, 
were voluntary. Do you think we need to impose new 
cybersecurity standards for companies that, again, in 
Colonial's case really are almost public utilities, serve 100-
million-plus Americans; 16,000 different service stations were 
fueled, or not, by Colonial Pipeline fuel. What is your view 
about the level of standards that we may need to require?
    Ms. Easterly. I think that is a great and important issue. 
I do not have a sense across the board, but it seems to me that 
voluntary standards are probably not getting the job done and 
that there probably is some sort of role for making some of 
these standards mandatory, to include notification. I do think 
it is important that if there is a significant cyber incident, 
critical infrastructure companies have to notify the Federal 
Government, in particular CISA. We have to be able to warn 
other potential victims.
    Senator Hawley. Yes. Mr. Inglis, you were nodding your head 
there. Do you want to add to this? I would be curious as to 
your view.
    Mr. Inglis. Yes, Senator, I would simply add I strongly 
agree with the premise of your question, which is that this is 
an important question and that at the end of the day we have to 
ensure that our critical services, our critical functions, that 
we have confidence that they will be delivered. There are 
generally three ways that the standards kind of can come about. 
One is enlightened self-interest. That is apparently not 
working. The second is market forces. That is apparently not 
working. The third is some imposition of standards or 
regulation on top of that. We begin to take some steps in that 
direction. It remains to be seen how we can achieve kind of the 
full flowering of the innovation that we still need in the 
private sector while imposing an expectation in the standards 
that go with that to ensure that those critical services can 
and will be delivered, even under duress.
    I am a big fan of market forces as the primary way to 
essentially drive the economy, but we have to kind of examine 
that. If confirmed, I would be happy to work with this 
Committee. I certainly will within the Federal branch or the 
Executive Branch to consider the problem.
    Senator Hawley. Very good. Let me just ask you, Mr. Inglis, 
here in the brief time remaining how you would assess the 
current organizational structure around cybersecurity 
governance within the Federal Government. There are lots of 
agencies, dozens that are involved in cybersecurity. Congress 
created CISA obviously in order to drive coordination. Is the 
current structure working, in your view? If not, what do we 
need to do differently?
    Mr. Inglis. Senator, thank you for the question. I think it 
is the question of the moment. I think that is in part why the 
National Cyber Director, by virtue of the work of this 
Committee, has been created, that we want coherence, we want 
unity of effort, unity of purpose. Without kind of detailed 
knowledge, having not been on the job--and, if confirmed it 
will be my first question--I cannot give you a detailed answer. 
I would simply observe the following: that we have plenty of 
diversity, we have some deep and sharp strengths. We have 
strength in places like CISA, the FBI, the national agencies 
that do intelligence, and GSA. But it is not entirely clear 
that they are coherent, that we have achieved unity of purpose, 
that they are all operating according to a single strategy that 
would connect that diversity such that it becomes a strength.
    I think that we can and should become greater than the sum 
of our parts. I am not sure that we are yet there.
    Senator Hawley. Very good. Thank you very much for your 
testimony. Thanks to both of you and Ms. Carnahan.
    Thank you, Mr. Chairman.
    Chairman Peters [presiding]. Thank you, Senator Hawley.

              OPENING STATEMENT OF SENATOR OSSOFF

    Senator Ossoff, you are recognized for your questions.
    Senator Ossoff. Thank you, Mr. Chairman. And 
congratulations to these nominees. Thank you for your 
attendance today.
    We have rightfully spent a significant amount of time in 
this hearing discussing cybersecurity given recent events. I 
want to turn to that in a moment, but first, Mr. Inglis, given 
your long tenure at the National Security Agency (NSA), I would 
like to ask you, how do you view the role of National Cyber 
Director and what is your understanding from the White House 
about this role as it pertains to surveillance, as it pertains 
to decisions that you may have to make or weigh in on that 
balance privacy and national security needs domestically?
    Mr. Inglis. Senator, thank you for the question. I will 
just start by saying that in the context of surveillance, if by 
that you mean kind of surveillance by national agencies of 
various activities that we would want to know something about 
in order to defend networks of interest, we have authorities in 
place that restrict surveillance conducted by the government to 
very narrow lanes, and I think that is appropriate, and we 
should not take those walls down.
    To the extent that that surveillance can be of a more 
general sort, which is can we combine the insights that the 
private sector might have, the network owners might have, the 
commercial providers who run analytics across these networks 
might have, with the knowledge the government has about, say, 
foreign threats, I think that is where we can make some 
progress and we can put those together. But we never, ever take 
down the barriers that have provided protection for privacy, 
for proprietary information, for classified information at the 
same time we pursue collective security.
    Senator Ossoff. Mr. Inglis, I appreciate that answer. I 
just want to drill down a little bit more on what I mean by 
surveillance here. Do you anticipate that in your capacity, 
should you be confirmed, as National Cyber Director that you 
will be involved in decisions regarding, for example, 
collection of phone records or meta data of U.S. persons or 
other data pertaining to U.S. persons under, for example, but 
not limited to, Foreign Intelligence Surveillance Act (FISA) or 
PATRIOT Act authorities?
    Mr. Inglis. Sir, as I understand the National Cyber 
Director's responsibilities, as the law lays it out, I would 
not expect to be in those conversations. But I would be happy 
to answer questions based on my prior experience about those.
    Senator Ossoff. Thank you, Mr. Inglis. On that note, what 
is your personal view of the balance that the Federal 
Government has tried to strike between national security and 
privacy interests? If you could comment specifically on what 
has been referred to as the bulk collection of phone records 
and meta data under Section 215 of the USA PATRIOT Act.
    Mr. Inglis. Yes, sir, I think that is a very important 
question. I think we go back to the Preamble of the 
Constitution, which does not use the word ``or'' when it 
describes the aspirations of this Nation. We have to defend 
privacy at the same time we pursue collective security. We 
cannot choose between them. We then have to work harder to 
deliver both of them. Those are difficult policy issues each 
generation has to face. How do we reconcile the technology, the 
threats, to the aspirations that endure? So in my view, privacy 
needs to be on the table up front. It is not something we can 
deliver as an afterthought.
    Senator Ossoff. Do you believe that there has been 
overreach in the collection of data pertaining to U.S. persons 
since the enactment of Section 215 of the PATRIOT Act and other 
similar authorities?
    Mr. Inglis. Sir, if by that you mean the collection of 
telephone meta data that would have occurred in the early 2000s 
and say up through perhaps the middle-2000-teens, I think that 
looking back over our shoulder with hindsight as our experience 
that we have decided as a Nation that that program is no longer 
necessary and, therefore, no longer appropriate. My 
understanding of the program at the time--and I was responsible 
for implementing that program--was that it worked very hard to 
align the interests of privacy at the same time pursuing 
security, and there were any number of controls that were 
imposed on it in deference to privacy as opposed to the simple 
pursuit of security.
    Senator Ossoff. Thank you, Mr. Inglis.
    Ms. Easterly, when we met prior to this hearing, you and I 
discussed our shared desire, I believe, to help promote a 
culture of privacy, attention to the protection of personally 
identifying information (PII), and cybersecurity more broadly 
through American society to increase our resilience and the 
responsibility we take as individuals to protect our data and 
data that could impact the privacy of our fellow citizens.
    What role do you see for CISA in helping to build that 
broader culture of privacy and cybersecurity and good data 
hygiene? Will you commit to engaging with my office to 
determine how Congress can support such efforts?
    Ms. Easterly. Thanks for that question, Senator. It is a 
very important one. CISA is an agency of partnerships with the 
Federal Government, non-Federal, and then with our private 
sector partners. I believe that CISA can play a very important 
role working with partners at every level to ensure that they 
have the information that they need to be able to strike that 
very important balance between privacy and security and, 
importantly, to deal with some of the malicious cyber attacks 
that we are seeing at every place in society to have that 
critical information that they need to ensure that they have 
good practices of cyber hygiene that are well implemented.
    I would really enjoy the opportunity, if confirmed, to be 
able to work closely with your office on how to make this a 
culture of national resilience because it has to be more than 
the Federal Government. It has to really be a societal level 
that, frankly, starts at the youngest of levels so that folks 
understand at the end of the day what it means to be a good 
digital citizen.
    Senator Ossoff. Thank you, Ms. Easterly.
    Ms. Carnahan, my office has been inundated with requests 
for assistance from Georgians who, through no fault of their 
own, experienced job loss due to the COVID-19 pandemic and, 
despite meeting eligibility criteria to receive unemployment 
benefits from Georgia's Department of Labor (DOL), have 
experienced long delays in the processing and payment of their 
approved claims, which has sent them and their families into 
financial distress in the midst of a pandemic. These payment 
delays involving Georgia's Department of Labor were detailed in 
a report released by the Georgia Budget and Policy Institute in 
February of this year, and according to that report, a reliance 
on outdated technology at Georgia's Department of Labor is one 
of the key factors contributing to these ongoing delays, which 
is leaving Georgians in hardship.
    So will you please commit to working with my staff and 
using the authorities and expertise of the GSA to assist State 
and local governments in improving these processes, including 
specifically supporting improvement of Georgia's Department of 
Labor's unemployment claims processing system so that so many 
Georgians are not left without vital support in a crisis?
    Ms. Carnahan. Thanks for bringing that issue up, Senator. 
This is something that has happened across the country. Georgia 
is not alone in this. I know it feels like it sometimes, but 
every State has had similar issues because these unemployment 
systems were, frankly, not invested in for so many years and 
then were overwhelmed. But that is no excuse, and now we have 
to think of this as an opportunity to rebuild better.
    What we know is that these unemployment systems from one 
State to the next are very similar. They are more similar than 
they are different, and so the key here, Senator, I believe, is 
to help figure out how to think about shared services that do 
not have to be reinvented and rebuilt and paid for by taxpayers 
over and over again in every State and if there are things that 
we can do to help that collaboration.
    I am very interested in this topic. I know GSA has the 
ability to have technical talent and some resources that can be 
supportive of both the Department of Labor and, to a lesser 
degree, States. I would like to be able to expand our ability 
to work with State and local governments because, frankly, 
Senator, from a citizen's perspective, they do not care which 
part of government serves them. They just want good service. 
From a taxpayer's point of view, if it is tax money from the 
Federal Government or State government, they want it well 
spent. I think it is GSA's responsibility to try to work on 
that.
    Senator Ossoff. Thank you, Ms. Carnahan.
    Mr. Chairman, I yield.
    Chairman Peters. Thank you, Senator Ossoff.
    Senator Scott, you are recognized for your questions.

               OPENING STATEMENT OF SENATOR SCOTT

    Senator Scott. Thank you, Chairman Peters.
    First off, for all three of you, thank you for your 
willingness to serve. You are not taking easy jobs, and, all 
these jobs are pretty significant. We have seen all these cyber 
attacks, and they can impact hospitals, businesses I used to be 
in, looking at the grid, looking at the Colonial Pipeline and 
all this stuff. I have friends of mine in business, and it has 
never become public, but they have been attacked and paid out 
unbelievable amounts in ransom.
    One, do you think this is going to stop? Either of you, Ms. 
Easterly and Mr. Inglis, do you think there is any reason this 
is going to slow down?
    Ms. Easterly. I agree with you in particular with 
ransomware, but cyber attacks more broadly, we are now at a 
place where nation-states and non-nation-state actors are 
leveraging cyberspace largely with impunity to threaten our 
privacy, our security, and our infrastructure. I think we 
really are at a moment that requires an all-hands-on-deck 
approach that leverages the talents and capabilities across the 
interagency. If I am confirmed at CISA, I will ensure that CISA 
does everything it can within its multitude partners to manage 
and mitigate risk. I think we do have an opportunity to bring 
the government together to work with our partners to make a 
difference in this space.
    Mr. Inglis. Senator, I would add to that. It will not stop 
of its own accord. It is not a fire raging across a prairie 
that, once it has consumed the fuel, it will simply stop and we 
can simply wait for that moment. We must stand in, and there is 
a range of activities that we must undertake. We must create 
resilience and robustness not simply in technology but in 
people. We must align actions to consequences. There should be 
benefits for behaving well and consequences of a negative sort 
for behaving badly. We should make this such that it is not 
simply a cyber-on-cyber problem. We should bring to bear all 
instruments of power in a hugely collaborative way across not 
just the private and public sector but nations, plural. Like-
minded nations need to remove the sanctuary and bring to bear 
consequences on those who hold us at risk.
    Senator Scott. Do you think it is doable? I mean, it sounds 
good----
    Mr. Inglis. I do think it must be doable. I do not think--
so there is a really good discussion that takes place and this 
Committee has participated at length in it about whether 
deterrence is possible in cyberspace, whether we can----
    Senator Scott. Right.
    Mr. Inglis [continuing]. Impact the decision calculus of 
adversaries in this space, and it often gets conflated with 
nuclear deterrence where kind of the job was to keep the 
nuclear weapon off the field. Thank goodness we have been 
successful in that.
    Senator Scott. Right.
    Mr. Inglis. We are not going to be successful in that if 
that is the goal in cyber. What we need to do is to make these 
systems defensible. They will never be secure. We need to then 
defend them. That is a human endeavor such that we can change 
the decision calculus of adversaries so we reduce it by 85, 90 
percent. I am to understand that if we did two-factor 
authentication, something other than a password, if we did 
routine patching every Tuesday, if we built in segmentation 
fire breaks in our networks, 85 percent of the problem goes 
away. If we train our people, which are the vast majority of 
the weakness that adversaries take advantage of, maybe we can 
reduce that still further. Get it down to a reasonable kind of 
fire such that we can then manage that. It will never go away 
completely, but we can bring it down, we can bring it to heel 
significantly.
    Senator Scott. Is there anything that Congress needs to do?
    Mr. Inglis. Sir, I would say Congress is doing it. Your 
investment in the authorities or the resources that we are 
having a discussion about today are an important part of that. 
The consultation between the Congress and the private sector 
that it serves and the Executive Branch that essentially 
derives its authorities and resources, that is important. That 
is vital. I would say that we need to continue that 
consultation. If confirmed, I know that the members at this 
table look forward to that continued consultation.
    Senator Scott. Ms. Easterly.
    Ms. Easterly. Yes, thanks for the question, Senator. I 
suspect there are probably things that Congress needs to do to 
help in this problem set. One of the things that I will look at 
very early on, if confirmed, is whether CISA itself has the 
right resources from a budgetary, a personnel, and an 
authorities perspective. I know that there is some discussion 
about FISMA reform to ensure that accountability is rightly 
structured. I know there is some discussion around whether 
there should be mandatory instant reporting. I think things 
like that are very important discussions to have, and if 
confirmed, I would look forward to working with this Committee 
on it.
    Senator Scott. Who can take the leadership position to have 
the pulpit to get the private sector to do more? Because, I 
mean, Colonial Pipeline, a private company, but it impacted a 
lot of families, right? Who can do that? Whose responsibility 
is that, and who is going to do it, do you think?
    Mr. Inglis. Sir, I will start. I would say the private 
sector first is not a monolithic entity, and so you find great 
variance in terms of what influences the private sector.
    Second, the private sector is influenced by quite a lot of 
activities, influences, or people. As I had indicated earlier, 
the private sector sometimes has enlightened self interest 
where they say that digital infrastructure is our business. It 
is not merely a commodity. And those tend to be leading the 
pack in terms of what they are doing to get ahead of this 
problem.
    There are some that understand the market forces are going 
to drive them out of business if they do not prepare for this. 
Those market forces are beginning to have kind of a duly noted 
effect. But there are some that remain that do not think this 
problem affects them. It affects all of us, right? We are all 
in the boat. You do not need to be the target to be the victim. 
For them, when they are conducting critical activities upon 
which the Nation's interests depend, it may well be that we 
need to step in and we need to regulate or mandate in the same 
way we have done that for the aviation industry and for the 
automobile industry. I think it is going to be a combination of 
all those factors. The influence will come from many places. 
Ultimately, we have put people in place that ultimately are 
going to ensure that the system is working to that purpose. If 
confirmed, the National Cyber Director will have the 
responsibility to ensure to the President and to the Congress 
that the Federal cybersecurity strategy is the right one and 
then to oversee its implementation. We have had a rich 
discussion today here about what CISA's role would be, but 
there are so many other points of influence. We need to 
consider all of them and apply all of them concurrently.
    Ms. Easterly. The only thing I would add to Mr. Inglis' 
excellent answer, having spent the past 4 1/2 years in the 
private sector at one of our critical infrastructure owners, is 
it is very important to have a coherence to the U.S. 
Government. I know sometimes when there is a threat stream or a 
vulnerability, there will be multiple outreach from different 
agencies, and I think it is incredibly important that the 
government is able to speak with one voice and that there is 
coordination across the board.
    In particular, I think CISA as a trusted partner to the 
private sector can serve as a very effective front door. I 
think it then mandates that CISA is able to in near-real time 
share necessary information that comes in with the rest of the 
Federal Government to ensure that these problems can be 
addressed effectively. But those partnerships are incredibly 
important. I appreciate that from a firsthand view, and if 
confirmed, I would look to further cultivate that, working with 
colleagues across the Federal Government.
    Senator Scott. I am almost out of time, but do you think it 
is appropriate to pay ransom? What do you all think?
    Ms. Easterly. I am hesitant to start with that----
    Mr. Inglis. Sir, you have made----
    Senator Scott. I do not know--I mean, I am not telling you 
because I know, but----
    Mr. Inglis [continuing]. Easy question, but as framed, no, 
it is not appropriate to pay ransom. Unfortunately, we get into 
a place where that is the only thing that is the remedy----
    Senator Scott. Feasible, right?
    Mr. Inglis. Feasible to save lives or to bring back 
critical capabilities. It is a really important question, and I 
am not sure that I have the yes-no answer to it kind of out of 
context. We need to attack the problem as a system, make it 
such that we are a hard target, remove the sanctuary, the 
garrisons that give harbor to these transgressors, make it such 
that it is harder to move that money without some visibility, 
hold accountable companies not so much for paying the ransom, 
but for being in a position where they had to pay the ransom in 
the first place--right?--for the failure to prepare for that. 
That is where I think the point of accountability should be 
placed.
    Ms. Easterly. It is an incredibly tough choice to make to 
pay the ransom. I think we heard that from the CEO of Colonial, 
Mr. Blount, and I have great sympathy for that. I think CISA's 
role is to prevent people from being in that position by 
ensuring that they have the technical guidance, the threat 
information, the best practices to protect themselves. If 
confirmed, that is what I would hope to do as the Director of 
CISA.
    Senator Scott. Thanks.
    Mr. Inglis. Thank you, sir.
    Senator Scott. Thank you, Madam Chair.
    Senator Rosen [presiding]. I want to thank our nominees for 
your time today and for your work in the past and your work 
going forward. But I want to build a little bit on what my 
colleagues have already been discussing with you, and that is 
cyber workforce, because recent attacks like we have been 
talking about, SolarWinds, Colonial Pipeline, they are 
unprecedented, and we know attacks like these are going to 
continue.
    Experts have been warning about this for years, and, of 
course, here we are. Policymakers at all levels in all branches 
of government must recruit and retain qualified IT workers and 
cybersecurity experts in every area across the spectrum to 
prevent--like you said, to prevent and respond to attacks.
    To address the gap, I recently introduced bipartisan 
legislation establishing a Civilian Cybersecurity Reserve 
Corps. The Civilian Cybersecurity Reserve Corps would authorize 
civilian cybersecurity personnel to serve in temporary 
positions at the Department of Homeland Security or at the 
Department of Defense (DOD) to supplement existing agency 
cybersecurity personnel. This bill is based on a recommendation 
from the Cyberspace Solarium Commission.
    I have a two-part question, the first part for you, Ms. 
Easterly, and the second part for you, Mr. Inglis. Ms. 
Easterly, if you are confirmed, will you ensure that DHS can 
mobilize the cybersecurity surge capacity at times of greatest 
need? And then for you, Mr. Inglis, how should the Federal 
Government support State and local governments in recruiting 
and retaining a strong cyber workforce?
    Ms. Easterly. Thanks for that question, Senator. It is 
hugely important, and I really enjoyed our discussion on this. 
You know that workforce development and talent management is a 
particular passion of mine, and I did see your legislation. I 
think it speaks to the fact that we need to use all of the 
creative approaches to be able to attract and retain, 
importantly, talent into the U.S. Government, ensure that we 
are building a culture that people want to be a part of and 
that they feel like they have a career path. But reserve 
programs, apprenticeship programs, internship programs, and 
allowing for opportunities for people who want to come from the 
private sector to serve their country, I think that is where a 
reserve program could be incredibly effective. If confirmed, I 
would really look forward to working with you on this issue.
    Senator Rosen. Mr. Inglis.
    Mr. Inglis. Senator, thank you for the question, and thank 
you for the benefit of our conversation. I, too, enjoyed it 
greatly. My sense is that the greatest contribution we can make 
to making a difference in the cyber ecosystem is to address the 
human factors, the people piece of that.
    You have asked whether or not the Federal Government has a 
role or what that role might look like in aiding and abetting 
States and locals with the creation of the cyber talent. I 
think there is a very strong role for the Federal Government. 
It should not encroach upon the initiatives and the sovereignty 
of the States and locales, but it can help quite a great deal. 
It has the convening power such that we can have the venues 
where we can exchange best practices. It has the power to 
create ideas, initiatives to perhaps inspire people to think 
about talent development in a fundamentally different and new 
way.
    It has the ability to curate and to share how do we create 
critical thinking skills, cyber literacy, at the earliest 
possible level. It has the ability to use the power of its 
purse to encourage the development of talent not simply in the 
old traditional ways of you have to be a computer scientist in 
order to enter into one of these jobs, but there is a role for 
everyone. It can perhaps help us redefine what it means to be a 
cyber-literate society.
    I think there is an all-many-few kind of relationship here. 
There are a few that have the word ``cyber'' and ``IT'' in 
their names. We are critically short of those. There are many 
who need to know more about and do more about cyber than they 
might otherwise have learned from their professional schools. 
Every one of us needs to learn how to cross the cyber street in 
the same way we learned how to cross a physical street when we 
were young. The Federal Government, again, can be helpful in 
all of that, should not take over or perhaps kind of block out 
the initiative that the States and the locales I think are 
generating with great success.
    Senator Rosen. Thank you. I want to build on that because, 
obviously, we have had problems with our pipeline, but we have 
similar challenges with securing our electric grid. Last 
Congress I introduced the Cyber Sense Act, and, again, it is 
bipartisan legislation that would create a voluntary cyber 
sense program at the Department of Energy (DOE) to test the 
cybersecurity of products and technologies intended for use in 
our bulk power system. The bill would also direct the Energy 
Secretary to consider incentives perhaps to encourage the use 
of analysis and testing results when designing products and 
technologies.
    Ms. Easterly, if confirmed, how do you envision CISA 
working with the Department of Energy to ensure the 
cybersecurity of our electric grid?
    Ms. Easterly. Thanks for that question, Senator, and I did 
see that legislation, and I agree with you. One of the biggest 
threats is the threat to our energy grid. I am aware of the 
100-day plan that we saw that brings together CISA and the 
Department of Energy to focus on efforts to help protect the 
energy grid, which I think is incredibly important. CISA, of 
course, works closely with the Department of Energy, who is the 
sector risk management agency for the energy sector. If 
confirmed, I would look to continue to cultivate that 
relationship and collaborate closely with the leadership of the 
Department of Energy and with Cybersecurity, Energy Security, 
and Emergency Response (CESER) to do everything we can to 
continue to protect and help all of the critical infrastructure 
owners and operators protect the energy grid.
    Senator Rosen. Thank you. I want to move on a little bit 
and continue to talk to you about some of our vulnerabilities. 
Last year I introduced a bill with Senator Cassidy, the PROTECT 
Act, that is going to make permanent the Cybersecurity 
Education and Training Assistance Program (CETAP), as we call 
it. It is going to provide lots of resources--awareness, 
curricular resources, professional development--to elementary 
and secondary schools. The Clark County School District, the 
largest school district in my State, one of the largest in the 
country, had a large ransomware attack recently, and so I want 
to be sure that we keep CETAP funded.
    So if confirmed to the position, do you have any insight 
into the administration's plans to support K through 12 schools 
or soft targets in the ransomware space?
    Ms. Easterly. Thanks for the question, Senator. I have some 
awareness of the CETAP program and some of what CISA does to 
protect schools and other facilities that may be vulnerable 
around the country.
    I absolutely agree with you that starting young is critical 
to building that national societal resilience, providing cyber 
awareness, knowledge of how to protect yourself, even at the 
youngest level, particularly now that kids are using all kinds 
of technology.
    I also think it is important because that helps to create a 
pipeline for the workforce, the earlier piece that we were 
talking about. If, in fact, I am confirmed, I look forward to 
working with you on this issue and also working with partners 
at National Institute of Standards and Technology (NIST) and 
National Science Foundation (NSF) to ensure that there is the 
capability to be able to provide education to the K through 12 
community.
    Senator Rosen. Thank you. I appreciate that.
    And now, via Webex, I would like to recognize Senator 
Sinema.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Chair Rosen. I appreciate the 
nominees joining us today, and I want to thank them for their 
willingness to serve our Nation in these critical positions.
    Now more than ever, we see the importance of enhancing 
cybersecurity efforts and protecting critical infrastructure. 
We need only look to the most recent attacks of SolarWinds, the 
Microsoft Exchange Server, the Colonial Pipeline, and JBS 
Foods, which has a production facility in Arizona, to see how 
expansive cyber attacks have become and how damaging the 
results can be at the Federal, State, and local levels. The 
amount of time and resources needed to recover is daunting, and 
the number of attacks is only increasing.
    The newly established role of the National Cyber Director 
and the office this person will lead is an important step to 
ensure cross-government coordination on cyber strategy and 
policy. The role of CISA Director has also never been more 
important to coordinate security and resilience efforts across 
the public and private sectors. These positions are a critical 
piece to ensuring that the United States can address the 
growing threat of cybersecurity attacks on our critical 
infrastructure.
    My first question is for Mr. Inglis. Many of the recent 
attacks we have seen across the United States come down to a 
lack of standard cyber hygiene practices, for example, weak 
passwords or a lack of two-factor authentication at the user 
level. This is an education issue that I am extremely concerned 
about. There are a number of efforts across and outside the 
Federal Government to enhance cyber education efforts beginning 
in grades K through 12. But as we talk to stakeholders, they 
are asking for a lead entity to coordinate efforts and create a 
strategic plan to organize around.
    Do you believe that the National Cyber Director is that 
entity?
    Mr. Inglis. Senator, thank you for the question, and thank 
you for the benefit of our conversation, which I very much 
enjoyed, on these topics. I do believe the National Cyber 
Director has a role. The Cyber Director by law has a 
responsibility to inform and to ensure the adequacy of programs 
and policies intended to improve the cybersecurity posture of 
the United States. If cyber is a compilation of not simply the 
technology but of the people who live on the front lines of 
this as well as doctrine, what are the roles and 
responsibilities, the National Cyber Director by definition has 
to ensure that our strategy is the right strategy.
    As Ms. Easterly has indicated, we have a number of entities 
within the Federal enterprise that are doing good work in 
curating and delivering cyber curricula, K through 12, 
sometimes in college. Whether that is the National Institute of 
Standards and Technology with their National Initiative for 
Cybersecurity Education (NICE) program, the National Science 
Foundation with their CyberCorps for Service, we need to make 
sure that those are coherent, that they are complementary, and 
that they cover the waterfront. I think the National Cyber 
Director would have a responsibility in that regard, and I 
would commit to working with this Committee and with you, if 
confirmed, on that role.
    Senator Sinema. Thank you.
    Ms. Easterly, what role do you believe that CISA should 
play to enhance cyber education at the national, State, and 
local levels?
    Ms. Easterly. Thanks for that question, Senator Sinema. 
Incredibly important. As I have said, CISA is an agency of 
partnerships, and among the critical partnerships are at the 
State and local level, and a lot of that is through CISA's 
ten Regional Directors, ensuring that the State and local 
communities have the resources that they need, specifically the 
educational resources, the assistance, the information about 
cyber hygiene to be able to protect themselves I think is 
incredibly important. As I mentioned earlier, I am aware of 
CETAP; I am aware of other efforts being worked at NIST and 
NSF, as Mr. Inglis alluded to. If confirmed, I would look to 
better understand those efforts and really ensure that we can 
help with this issue of K through 12. It is a particular 
interest of mine because I think educating from the youngest is 
critical to ensuring that national resilience as well as 
creating that pipeline of talent that will need to enable our 
Federal cyber workforce and the larger workforce for the 
Nation.
    Senator Sinema. Ms. Easterly, last Congress I introduced 
legislation to establish a Cybersecurity Advisory Committee 
that would advise, consult with, and make recommendations to 
the Director of CISA on development, refinement, and 
implementation of policies, programs, planning, and training 
pertaining to the cybersecurity mission of the agency. The 
language was included and passed into law in the fiscal year 
(FY) 2021 NDAA. Now, recent cyber attacks have highlighted the 
importance of public-private partnerships and working with 
companies to protect against attacks on our infrastructure.
    Do you agree that this Advisory Committee can play a 
critical role in supporting CISA's efforts to defend against 
threats, particularly those to critical infrastructure?
    Ms. Easterly. Thanks for that question, Senator Sinema. I 
am aware of the Cybersecurity Advisory Committee. I think it is 
a terrific entity to help advise the CISA Director, 
particularly leveraging the private sector, but also I know 
that there are entities on there that are supposed to be from 
State and local. I think this can be a very powerful capability 
for the CISA Director to help further promote the public-
private operational collaboration and to ensure that CISA can 
effectively coordinate and continue to cultivate those very 
important public-private partnerships.
    I would very much welcome the opportunity to leverage the 
power of that Cybersecurity Advisory Committee if I am 
confirmed.
    Senator Sinema. Upon confirmation, I would like our staffs 
to stay connected on the progress of establishing this 
committee, so thank you.
    Ms. Carnahan, as part of the 2018 National Defense 
Authorization Act, the GSA was directed to create three e-
commerce marketplace pilot programs. In June 2020, GSA awarded 
proof of concepts to Amazon Business, Overstock Pro, and Fisher 
Scientific. I am hearing from businesses in Arizona that as of 
now only the Amazon model has been tested. If confirmed, will 
you work to ensure that the other models receive adequate 
testing before the conclusion of the 3-year pilot?
    Ms. Carnahan. Thanks for bringing that up, Senator. This is 
not a topic I have been fully briefed on, but I certainly will 
do so and look forward to working with you and your team to 
make sure we get that done.
    Senator Sinema. When I talk to Arizona small business 
owners who depend on government contracts to keep their 
businesses open, they have two major concerns: first, that a 
move to a true e-commerce marketplace will obscure the 
origination of products and leave us vulnerable to the purchase 
of counterfeit products; and, second, specific to the Amazon 
marketplace, the platform provider is also a reseller on the 
platform, which could create a conflict of interest where their 
products are promoted instead of those of small businesses.
    What steps would you take upon confirmation to ensure that 
the purchase of legitimate products and fairness exist in the 
system and to ensure that small retailers are treated equally 
in a system where the platform provider is also a reseller?
    Ms. Carnahan. Yes, thanks for that. I will say that I have 
heard, too, from small businesses about their frustration in 
both getting on GSA's schedules and how hard it is to work 
through that. I am very focused on making sure that these 
marketplaces both serve well the agency partners and give them 
the best possible value and transparency about what they are 
buying, and also for the small businesses and companies in the 
United States that want to sell to the government. So these are 
important issues that you raise. They are things I will look 
forward to looking into once confirmed, if that happens, and 
working with your staff. I think these are worthy of very 
serious consideration, and I think it has long-term impacts for 
our country.
    Senator Sinema. Thank you, Madam Chair. I yield back my 
time.
    Chairman Peters [presiding]. Thank you, Senator Sinema.
    I think we have gone through the list of Senators who have 
questions, but I will have one more question for you, Ms. 
Carnahan, before we wrap up this hearing. As Chairman of this 
Committee, I am focused on making sure that we use our Federal 
fleet, which consists of well over 650,000 vehicles to manage 
those responsibly and efficiently, and also deal with the 
detrimental impacts of climate change that threaten 
irreversible damage to our climate, and sustainable fleet 
management is clearly critical for both the environment as well 
as from a fiscal perspective.
    So my question to you is--President Biden has recently 
directed GSA to devise a clean and zero-emission vehicle 
procurement strategy for its portion of the fleet. So my 
question is: If confirmed, how would you work to expeditiously 
implement this plan while navigating supply chain and other 
implementation and adoption challenges?
    Ms. Carnahan. Yes, thanks for that question. It is a really 
interesting one. This is a high priority for the Biden 
administration, and, interestingly to me, the marketplace is 
already moving and transitioning toward electric vehicles. I am 
sure you have seen that in your State, and we are seeing it 
across the country.
    This creates all kinds of good opportunities for good-
paying jobs in these sectors, and GSA has this important role 
to play. I think the key here is to make sure that there is a 
close consultation with the industry. There is a limitation now 
on some of the inventory of vehicles because the missions of 
some of the agencies have specific vehicle needs, and they are 
not always available in the marketplace right now. Signaling to 
the market what those needs are is going to be important so 
they can do their planning. Improved battery life is going to 
be an issue that everybody is going to want dealt with, and 
then with the government in particular, charging stations and 
more access to those charging stations is going to be 
important.
    I think this is about closely coordinating with both 
industry, this Committee, and the administration on how to get 
this done, but it is a huge opportunity both to lower costs 
long term for these vehicles and the use of vehicles in the 
government, but also have all kinds of benefits for our 
environment. So this is an exciting opportunity that I really 
look forward to working with you on.
    Chairman Peters. Thank you, Ms. Carnahan. We look forward 
to working with you on it as well, because you are right, it is 
an important and exciting initiative.
    In closing, I want to thank once again each of our nominees 
for being here today and congratulate each of you on your 
nomination for these very challenging positions. When I say 
that, very challenging positions, I also want to thank you for 
your willingness to take on these positions. They are 
incredibly important, incredibly time-consuming, so that means 
I definitely have to thank your families as well for their 
support and love and guidance in the years ahead, as all of 
you, you and your families, are going to be engaged in public 
service, and we certainly appreciate that.
    The nominees have filed responses to biographical and 
financial questionnaires, answered prehearing questions 
submitted by the Committee,\1\ and had their financial 
statements reviewed by the Office of Government Ethics.\2\ 
Without objection, this information will be made part of the 
hearing record with the exception of the financial data,\3\ 
which are on file and available for public inspection in the 
Committee offices.
---------------------------------------------------------------------------
    \1\ The information of Ms. Carnahan appears in the Appendix on page 
52.
    \2\ The information of Ms. Easterly appears in the Appendix on page 
110.
    \3\ The information of Mr. Inglis appears in the Appendix on page 
191.
---------------------------------------------------------------------------
    The hearing record will remain open until 12 p.m. tomorrow, 
June 11th, for the submission of statements and questions for 
the record.
    This hearing is now adjourned.
    [Whereupon, at 12:23 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



