[Senate Hearing 117-266]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 117-266

                    NATIONAL CYBERSECURITY STRATEGY:
       PROTECTION OF FEDERAL AND CRITICAL INFRASTRUCTURE SYSTEMS

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION
                               __________

                           SEPTEMBER 23, 2021
                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
47-628PDF                  WASHINGTON : 2023                     




        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
              Michael A. Garcia, Professional Staff Member
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
           William H.W. McKenna, Minority Chief Investigator
           Patrick T. Warren, Minority Investigative Counsel
          Cara G. Mumford, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk



                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters...............................................     1
    Senator Portman..............................................     3
    Senator Carper...............................................    13
    Senator Hassan...............................................    15
    Senator Ossoff...............................................    23
    Senator Lankford.............................................    26
    Senator Scott................................................    29
Prepared statements:
    Senator Peters...............................................    37
    Senator Portman..............................................    39

                               WITNESSES
                      Thursday, September 23, 2021

Hon. Chris Inglis, National Cyber Director, Executive Office of 
  the President..................................................     5
Hon. Jen Easterly, Director, Cybersecurity and Infrastructure 
  Security Agency, U.S. Department of Homeland Security..........     7
Christopher DeRusha, Federal Chief Information Security Officer, 
  Office of Management and Budget................................     9

                     Alphabetical List of Witnesses

DeRusha, Christopher:
    Testimony....................................................     9
    Prepared statement...........................................    54
Easterly, Hon. Jen:
    Testimony....................................................     7
    Prepared statement...........................................    47
Inglis, Hon. Chris:
    Testimony....................................................     5
    Prepared statement...........................................    42

                                APPENDIX

Portman chart....................................................    58
Portman CISA Alert...............................................    59
Portman Communications Association Letter........................    65
Portman Financial Associations Letter............................    70
Portman Multi Association Letter.................................    73
Portman Pipeline Letter..........................................    76
Additional statements for the Record:
    AAI..........................................................    80
Responses to post-hearing questions for the Record:
    Mr. Inglis...................................................    83
    Ms. Easterly.................................................    88

 
                    NATIONAL CYBERSECURITY STRATEGY:
     PROTECTION OF FEDERAL AND CRITICAL INFRASTRUCTURE SYSTEMS

                              ----------                              


                      THURSDAY, SEPTEMBER 23, 2021

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:15 a.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Carper, Hassan, Sinema, Rosen, 
Padilla, Ossoff, Portman, Johnson, Lankford, Romney, Scott, and 
Hawley.

            OPENING STATEMENT OF CHAIRMAN PETERS\1\

    Chairman Peters. The Committee will come to order. I want 
to thank our witnesses for joining us here today and for their 
service to the American people. Your agencies and offices are 
vital to protecting Federal cyber networks and critical 
infrastructure systems.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 37.
---------------------------------------------------------------------------
    Although it can often be difficult to understand the 
complexity and severity of many cyberattacks, they are only 
increasing in sophistication and frequency, and have a 
significant cost on our national security.
    The Federal Bureau of Investigation (FBI) reported that 
there were 2,474 ransomware attacks in 2020, though experts 
believe that that number is actually much, much higher.
    Just last month, in my home State of Michigan, about 1,500 
patients were notified that their information had been exposed 
as a result of the breach of a file-sharing service used by 
their hospital. This breach, like the SolarWinds attack, is yet 
another example of how our adversaries target vendors and 
contractors, including small businesses, to find the weakest 
link and exploit our greatest vulnerabilities.
    In order to prevent these types of attacks, potential 
victims, from the public sector to the private sector, must be 
aware of these ever-changing threats, and have the right 
information to safeguard their networks. Whether it is 
widespread spyware or a ransomware attack, the Federal 
Government needs to know when cyber incidents have occurred so 
they can determine if there are patterns, also future potential 
targets, and help seal up vulnerabilities.
    This information is especially vital when it comes to our 
nation's critical infrastructure, 85 percent of which is 
privately owned and operated. Despite this vulnerability there 
is currently no national requirement for all critical 
infrastructure owners and operators to report to the Federal 
Government when they have been hit with a significant attack, 
and that needs to change.
    As we have seen from recent attacks on an oil pipeline, 
water treatment plants, food processing facilities, and 
hospitals, these breaches can cause serious economic and 
national security concerns, and disrupt our daily lives. If 
multiple critical infrastructure entities, like energy 
companies for example, are reporting similar attacks, then 
Cybersecurity and Infrastructure Security Agency (CISA) and 
other Federal entities should be able to warn others, prepare 
for potential impacts to that sector or other related sectors, 
and help prevent further widespread attacks.
    Ranking Member Portman and I are currently working on 
legislation that we plan to introduce soon, to require critical 
infrastructure companies that experience cyber incidents, and 
other entities that make ransomware payments, to report this 
information to CISA. This requirement will ensure CISA and 
other Federal officials have better situational awareness of 
ongoing cybersecurity threats, who those targets are, how the 
adversary is operating, and how best to protect the Nation.
    I am looking forward to hearing from our witnesses today 
about how an incident reporting law could help each of your 
organizations assist victims in recovering from an attack and 
prevent them from happening in the first place. But we also 
need to ensure the Federal Government is sharing this same 
information in a timely manner.
    The last time Congress substantially addressed Federal 
cybersecurity was in 2014, when this Committee, led by then 
Chairman Carper, passed the Federal Information Security 
Modernization Act (FISMA). Since then, our technology has 
developed rapidly, along with the sophisticated threats that we 
face. When that legislation was passed, CISA had not yet even 
been created.
    We need to pass updated legislation that clarifies CISA's 
roles and responsibilities in Federal information security, 
improves how incidents on Federal networks are reported to 
Congress, and ensure that our cybersecurity resources are 
effectively aligned with emerging threats. Ranking Member 
Portman and I are also working on legislation that would help 
achieve these goals.
    We also need a better understanding of how the Federal 
Government is balancing its responsibility to bring 
cybercriminals to justice and helping victims recover from an 
attack.
    We learned earlier this week that in one instance, the FBI 
withheld a digital key that could have aided victims for 
several weeks to pursue its investigation. In order to conduct 
thorough oversight, this Committee needs to know more about the 
Federal Government's processes for assisting the victims of 
attacks and how your agencies weigh investigative, national 
security, and economic needs.
    Finally, I want to acknowledge the important actions the 
Biden administration has already taken to bolster our 
cybersecurity defenses, improve information sharing, and apply 
the lessons learned from previous breaches to avoid future 
attacks. The President's Executive Order (EO) ``On Improving 
the Nation's Cybersecurity,'' for example, is paramount to 
securing our Nation.
    This is a top priority for both myself and Ranking Member 
Portman, and I look forward to today's discussion and working 
productively with these vital Federal agencies to ensure we are 
addressing this threat.
    Ranking Member Portman, you are now recognized for your 
opening comments.

            OPENING STATEMENT OF SENATOR PORTMAN\1\

    Senator Portman. Thank you, Mr. Chairman, and thanks for 
convening this critically important hearing. I look forward to 
the dialog and it is great to have people in place who are now 
in charge of our cybersecurity system at the Federal Government 
level. Our strategy for protecting our cyber networks and 
critical infrastructure is something that we have been 
struggling with, frankly, and to have the leadership in place 
is very important to get that strategy right.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Portman appears in the 
Appendix on page 39.
---------------------------------------------------------------------------
    One important part of that, in my view, is accountability, 
and I hope to have a conversation about the appropriate roles 
and responsibilities for the many different cybersecurity 
positions within the Federal Government, who is in charge, who 
is making decisions, who is accountable. I also look forward to 
discussing how cyber incident reporting legislation might 
better inform that strategy, as the Chairman has just said. I 
think that is very important, and if we can get that right and 
if we can get a bipartisan product on that.
    In recent years, hostile cyber adversaries, both foreign 
and domestic, have executed some of the most damaging 
cyberattacks ever, and we all know about these. We have had 
hearings about them, Colonial Pipeline most recently. Both the 
Federal Government and private sector companies have been 
targeted. We held hearings on SolarWinds, Colonial Pipeline, 
and others. These events are stark reminders of the wide-
ranging and real-world impacts of sophisticated cyberattacks 
and impacts on people.
    These attacks have become more and more common, and so it 
is important that we work to protect ourselves and our 
networks. One of the best strategies for preventing these 
attacks, of course, is to improve baseline cybersecurity 
practices, basic cyber hygiene. We also know that Federal 
agencies have failed to make meaningful progress on the 
implementation of these practices, as is actually required by 
law under FISMA.
    In August, just last month, Chairman Peters and I released 
a report detailing the significant cybersecurity 
vulnerabilities of eight key Federal agencies: the Departments 
of Homeland Security (DHS), State, Transportation (DOT), 
Housing and Urban Development (HUD), Health and Human Services 
(HHS), Agriculture (USDA), Education, and Social Security 
Administration (SSA). This report follows a 2019 report I 
released with Senator Carper as Chair of the Permanent 
Subcommittee on Investigations (PSI), evaluating the same eight 
agencies.
    In this year's report, only DHS had an effective 
cybersecurity program. Every other agency featured in the 
report failed to meet this standard. We also found the average 
grade across all government agencies was a C minus, close to 
failing. The report identifies several common agency 
vulnerabilities, including the failure to adequately protect 
personally identifiable information (PII); maintain an accurate 
and up-to-date list of the agency's information technology (IT) 
assets; install security patches in a timely fashion; and 
retire vulnerable legacy technology that is no longer secure.
    Securing fragmented networks against increasingly 
sophisticated attackers is not an easy or trivial task. It 
would be unfair to suggest otherwise. Yet, in the nearly seven 
years since FISMA was last updated in 2014, agencies still have 
the same vulnerabilities, year after year.
    Accountability is a critical aspect of any strategy. All 
three witnesses with us here today have heard me discuss the 
importance of it for Federal cybersecurity in particular. At 
all of your confirmation hearings and in our conversations we 
talked about the need to ensure that we have appropriate 
accountability for these Federal networks and the agency 
systems. Among the three of you and the Deputy National 
Security Advisor for Cyber, I believe that we will continue to 
see these inconsistencies or vulnerabilities, because of the 
question about accountability, unless we are clear about who is 
in charge, who is in charge to better prevent, who is in charge to 
better respond to cyberattacks. I look forward to continuing 
that discussion today again of how we can best achieve that 
accountability.
    We are also here to discuss another important topic of 
overarching strategy, and particularly, cyber incident 
reporting. As I said, recent attacks on critical 
infrastructure, particularly through ransomware, demonstrate 
how prompt notification to the government can benefit both the 
government and its victims. In the case of Colonial Pipeline, 
the FBI was able to recover part of the ransom paid by Colonial 
to the attackers. There is a balance between getting 
information quickly, letting victims respond to an attack 
without imposing onerous requirements on them, and getting 
accurate information. We understand that balance and we want to 
try to reach the right balance to be sure that we are actually 
doing what we intend to do, which is to help the private sector 
and government agencies deal with cyberattacks. I look forward 
to the witnesses' perspectives on how to balance those 
competing priorities.
    Again, Mr. Chairman, I appreciate the witnesses being 
here--glad you are in place--and I look forward to the dialog.
    Chairman Peters. Thank you, Ranking Member Portman.
    It is the practice of this Committee to swear in witnesses, 
so if each of you would please stand and raise your right 
hands.
    Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Inglis. I do.
    Ms. Easterly. I do.
    Mr. DeRusha. I do.
    Chairman Peters. You may be seated.
    Our first witness today is National Security Director (NSD) 
Chris Inglis. Director Inglis has over 41 years of Federal 
service and has held a variety of senior leadership assignments 
at the Department of Defense (DOD) and the National Security 
Agency (NSA). He initially began his career at NSA as a 
computer scientist within the National Computer Security 
Center, eventually serving seven and a half years as a senior 
civilian and deputy director. His work included tours in 
information assurance, policy, time-sensitive operations, and 
signal intelligence operations.
    In addition to his civilian work, Mr. Inglis' military 
career includes over 30 years of service in the U.S. Air Force 
(USAF), nine years on active duty, and 21 years in the Air 
National Guard (ANG), from which he retired as a brigadier 
general in 2006.
    Mr. Inglis, thank you for all of your service to the 
American people. I know this is the first time you have come 
before this Committee since your confirmation, and we expect 
you will be here many times in the time ahead.
    So welcome. You may proceed with your opening comments.

  TESTIMONY OF THE HONORABLE CHRIS INGLIS,\1\ NATIONAL CYBER 
          DIRECTOR, EXECUTIVE OFFICE OF THE PRESIDENT

    Mr. Inglis. Thank you, sir. As do I. With your permission, 
I will remove my mask for the duration of my remarks.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Inglis appears in the Appendix on 
page 42.
---------------------------------------------------------------------------
    Chairman Peters. Certainly.
    Mr. Inglis. Chairman Peters, Ranking Member Portman, 
distinguished Members of the Committee and staff, thank you for 
the privilege to appear before you today and the honor to 
appear alongside Director Easterly and Mr. DeRusha. I am eager 
to update you on the Biden-Harris administration's progress in 
standing up the new Office of the National Cyber Director 
(ONCD) and to discuss the administration's approach to 
cybersecurity.
    I am mindful of the history of this moment, and appearing 
before you as the first National Cyber Director (NCD), a 
position that you created last year and confirmed me for 
following my nomination by President Biden. I am grateful for 
the confidence that the President and the Congress have placed 
in this role, for the opportunity to bring it to fruition, and 
for the cybersecurity and critical infrastructure investments 
that you have made and are proposing in follow-on vehicles like 
the Infrastructure Investment and Jobs Act. I remain committed 
to engaging with you as we take on these critical, shared 
imperatives.
    To that end, I am pleased to tell you that the Office of 
the National Cyber Director is making progress in standing up 
as a full-fledged contributor to the various initiatives we 
will discuss today. While we are anxious to receive 
appropriations needed to implement our strategy fully, no 
resource in this business is more valuable than our people. As 
you well realize, cyber talent is in high demand everywhere, 
but we are pleased with the quality and the experience of the 
people we have recruited thus far, and we will continue to work 
with Congress to secure the resources we need to bring on key 
staff.
    In the coming months, I expect our contribution from the 
Office of the National Cyber Director to the President's 
cybersecurity agenda to grow and focus on a few key challenges: 
accountability and follow-through on the implementation of 
cybersecurity policy and investments; securing technology 
supply chains and the broader cyber ecosystem; fostering 
collaboration across the public and private sectors; 
coordinating closely with the Office of Management and Budget 
(OMB) and CISA on the security, resilience, and coherence of 
the Federal network enterprise; and ensuring defensive cyber 
operation and planning we are equipped and postured for 
success.
    I will also be working with my colleagues to continue 
implementing crucial initiatives, directed by President Biden, 
including working with my counterparts on the implementation of 
Executive Order 14028, on improving the nation's cybersecurity; 
initiatives to strengthen and proactively defend critical 
infrastructure cybersecurity; and the central challenge of 
building a cyber workforce to meet our needs well into the 
future.
    To these ends, the Office of the National Cyber Director 
will endeavor to drive the Federal Government's efforts through 
the following priorities. First, the office will champion 
coherence across the Federal cyber enterprise, ensuring we 
speak with one voice, and more importantly, operate with unity, 
purpose and effort.
    Second, we will zero in on improving public-private 
collaboration, supporting and building on the work of CISA and 
others.
    Third, we will carefully analyze the cyber maturity of 
Federal agencies and chart a path for ambitious cybersecurity 
goals against which the U.S. Government can effectively 
execute. We look forward to close partnership with OMB to align 
resources and authorities together with these ambitions.
    Finally, the office will work to increase present and 
future resilience, not only within the Federal Government but 
across the American digital ecosystem. That is a big task for 
which we have started by exercising incident response and 
planning processes from which we have already learned much 
regarding how to evolve those processes into the future.
    Through these and other efforts, we are working to ensure 
that our workforce, our technologies, our organizations, and 
our relationships are not only fine-tuned for today's needs but 
are futureproofed for service in an ever-changing world. These 
are daunting undertakings. While the Office of the National 
Cyber Director is young and small, once expected funding is in 
place, and with the partners we have today, along with the 
support of Congress, it will be in a strong position to succeed 
in delivering the expected returns.
    Thank you for the opportunity to testify before you today. 
I look forward to your questions.
    Chairman Peters. Thank you, Mr. Inglis.
    Our next witness is Jen Easterly, Director of the 
Department of Homeland Security's Cybersecurity and 
Infrastructure Security Agency. As Director, Ms. Easterly leads 
CISA's efforts to protect and defend the security of the 
nation's cyber and physical infrastructure. Ms. Easterly has an 
established record of public service, including two tours at 
the White House, most recently as Special Assistant to 
President Obama and Senior Director for Counterterrorism, and 
previously as Executive Assistant to National Security Advisor 
Condoleezza Rice in the George W. Bush Administration.
    She is a veteran of the United States Army, with more than 
20 years of service in intelligence and cyber operations, 
including tours of duty in Haiti, the Balkans, Iraq, and 
Afghanistan.
    Ms. Easterly, I know this is also your first time you have 
been before this Committee since your confirmation, and we 
expect to see you here on numerous occasions in the time ahead 
as well. Welcome, thank you for your service. You may proceed 
with your opening comments.

     TESTIMONY OF THE HONORABLE JEN EASTERLY,\1\ DIRECTOR, 
    CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. Easterly. Thank you, Chairman. I look forward to it.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Easterly appears in the Appendix 
on page 47.
---------------------------------------------------------------------------
    Chairman Peters, Ranking Member Portman, distinguished 
Members of the Committee, thanks for the opportunity to testify 
on behalf of CISA on what I believe is the most important 
national security imperative, our nation's cyber defense. I am 
grateful for your trust in confirming me to this position, and 
as I have shared with my team on each of my first 73 days in 
this office, I have the best job in government.
    As I always say, cybersecurity is a team sport, so I am 
truly honored to testify today alongside Chris Inglis and Chris 
DeRusha, my teammates and partners in cyber defense.
    I have spent the past two and a half months getting to know 
my teammates within CISA and engaging with partners across the 
Federal Government at the State and local level, in private 
industry, and across the globe. Based on those observations, I 
want to outline my priorities for CISA and thoughts for how to 
move forward collectively to raise our cybersecurity baseline.
    As the Director of CISA, I am focused on building our 
workforce, strengthening the resilience of our Federal civilian 
enterprise, and elevating the security of our nation's cyber 
ecosystem. First, people are CISA's No. 1 asset, and I am 
intently focused on making CISA the world's premier cyber and 
infrastructure defense agency, the place where the best network 
defenders want to work.
    When I arrived at CISA I found a dedicated, innovative, and 
inspiring team. I intend to expand upon that foundation to 
build a culture of excellence and a talent management ecosystem 
that prizes teamwork and collaboration, innovation and 
inclusion, trust and transparency, ownership and empowerment. I 
am equally focused on building a workforce that reflects the 
diversity of our Nation, not just because it is the right thing 
to do but because it is the smart thing to do. Diversity of 
experience, background, and thought enables better problem-
solving.
    Incidents like SolarWinds and Colonial Pipeline, JBS Foods, 
and the scourge of ransomware attacks that you mentioned on our 
schools and hospitals and small businesses illustrate how 
cybersecurity impacts our daily lives. They also highlight the 
need to address shared cybersecurity risk, and it truly is 
shared. Together we have to focus on strengthening our cyber 
defenses, investing in new capabilities, and fundamentally 
reimagining how we think about cybersecurity for the Nation.
    To that end, CISA is pursuing capabilities that increase 
visibility into cybersecurity risks across Federal agencies and 
critical infrastructure. One such capability, CyberSentry, 
helps identify sophisticated threats to critical networks. We 
are excited about the results from the pilot and appreciate 
Congress' efforts to fully resource it.
    CISA, as an agency, as you know, was designed to be 
something different and special, built on the foundation of 
collaboration with partnerships at the core of our mission. 
Recognizing that no single entity has all the answers, my goal 
is to shift the paradigm, transform public-private partnerships 
into operational collaboration, transforming information-
sharing into information-enabling, making sure that the data we 
deliver to network defenders is timely, relevant, and most 
importantly, actionable.
    We are going to do this, in part, through the newly 
established Joint Cyber Defense Collaborative (JCDC), and I 
want to thank you for authorizing it. JCDC harnesses the power 
of the Federal cyber ecosystem and the private sector to create 
a common operating picture. Our goal is to be able to see the 
dots, to connect the dots, and then to drive action to enable 
collective defense.
    All of these efforts align with the imperatives conveyed in 
the President's Executive Order, as you mentioned, as well as 
last year's National Defense Authorization Act (NDAA). They 
seek to further CISA's implementations of those requirements, 
and with respect to the EO in particular, I am pleased to note 
that CISA has fully met the highly aggressive deadlines for 
each of the 35 unique implementation efforts we were charged to 
lead.
    That said, we have a lot of work ahead of us and we need 
Congress' help. As you know, there is no single mandatory 
Federal requirement for the reporting of cyber incidents, and 
without timely notification to CISA critical analysis, 
mitigation guidance, and information-sharing is severely 
delayed, leaving infrastructure vulnerable. Incident reporting 
must be timely, broad-based, and not limited by incident type 
or sector impacted. It also has to provide enforcement 
mechanisms to drive compliance.
    Finally, legislation should provide CISA with the 
flexibility to define the scope of requirements in consultation 
with our partners, including importantly, the Department of 
Justice (DOJ) and FBI, balancing the benefit of reporting 
against the burdens to industry and government.
    Finally, I would like to thank the Committee for the 
efforts on FISMA reform. As you said, FISMA is outdated. The 
status quo clearly is not working. A modernized FISMA should 
shift the spotlight from compliance and docs checking to true 
risk management. It also should recognize and codify CISA's 
role as the operational lead for Federal cybersecurity. As 
these efforts move forward, I really look forward to working 
with the Committee and our partners on it. It is hugely 
important.
    Our nation faces an unprecedented array of cyber risks. Now 
is the time to act to deepen our collaboration, to strengthen 
our ability to defend the government's network to drive 
targeted action. We must address this risk collectively to 
defend today and secure tomorrow.
    Thanks for the opportunity to appear before you. I look 
forward to your questions.
    Chairman Peters. Thank you, Director Easterly. Thank you 
for being here.
    Our final witness is Chris DeRusha. Mr. DeRusha has broad 
experience managing cybersecurity and critical infrastructure 
programs, plans, and operations in both the Federal Government 
and private sector. He has held roles at the Department of 
Homeland Security and at the White House, where he served as 
Senior Cybersecurity Advisor in the Obama Administration. He 
also previously served as the State of Michigan's Chief 
Information Security Officer (CISO).
    Mr. DeRusha, as the Federal Chief Information Security 
Officer, you are charged with implementing and coordinating 
many of the efforts that we will be discussing here today, and 
based on your strong record in my home State of Michigan and 
your extensive experience, I have every confidence that you are 
up to this challenging task.
    Welcome, Mr. DeRusha. You may proceed with your opening 
remarks.

TESTIMONY OF CHRISTOPHER DeRUSHA,\1\ FEDERAL CHIEF INFORMATION 
       SECURITY OFFICER, OFFICE OF MANAGEMENT AND BUDGET

    Mr. DeRusha. Thank you, Chairman Peters and Ranking Member 
Portman, distinguished Members of the Committee. Thank you for 
the invitation to testify about the administration's 
cybersecurity priorities. I am pleased to be here today with 
Directors Easterly and Inglis. The three of us work closely 
together in service of a common mission, to build a more secure 
Federal enterprise.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. DeRusha appears in the Appendix 
on page 54.
---------------------------------------------------------------------------
    This Committee took decisive action earlier this year by 
supporting $1 billion in emergency funding to the Technology 
Modernization Fund (TMF). I would like to provide a brief 
update. To date, we have received more than 100 project 
proposals, requesting over $2.3 billion. Seventy-five percent 
of those proposals are focused on cybersecurity improvements. 
The need is clear. As the board prepares to release its first 
round of awards for this emergency funding, we are focused on 
learning what works well for one agency and translating that 
into successful outcomes for all.
    These are challenging times to manage cybersecurity for any 
enterprise. It is not the time for us to maintain a steady 
course. We need to embrace bold ideas. We need to form enduring 
partnerships. Above all, we must act with a sense of urgency.
    I would like to now highlight three areas of focus where 
the administration is taking decisive action on Federal 
cybersecurity. The first is zero trust. Earlier this month, we 
released, for public comment, a draft strategy to move the U.S. 
Government toward zero trust principles. This term, ``zero 
trust,'' refers to a security model where every person, device, 
and network is considered untrusted and potentially 
compromised. This is a significant shift from the traditional 
model we have used throughout the public and private sector.
    We have proposed an ambitious, multiyear plan that 
establishes a new baseline for government security and will 
require us to iterate and adjust over time. Our strategy 
directs agencies to adopt known, trusted technologies and 
practices that make it harder for even sophisticated adversaries 
to defeat our defenses. The approach is purposeful and 
specific, yet flexible, for agencies to learn and adjust along 
the way. OMB will require agencies to develop funding and 
implementation plans to demonstrate earlier iterative progress, 
and, most importantly, to work together as one community in 
implementation.
    The second area I would like to highlight is the Executive 
Order on improving the nation's cybersecurity. In May, the 
President issued Executive Order 14028, with the intent of 
dramatically improving the nation's cybersecurity, by deploying 
critical capabilities governmentwide, by improving information-
sharing between U.S. Government and the private sector, and by 
strengthening the United States' ability to respond to 
incidents when they do occur.
    We recently passed the 120-day milestone since the EO was 
issued. Over that time, OMB, National Security Council (NSC), 
and now the NCD have been working closely with agencies to 
execute key deliverables, which include a definition of 
critical software as well as accompanying security guidance 
from National Institute of Standards and Technology (NIST); the 
recommendation of new contract clauses that will enhance how the 
Federal Government aims to work together to address cyber 
threats; OMB memoranda to help agencies identify and secure 
their most critical software; and set requirements for storing 
and sharing security data to support incident detection and 
response activities.
    Finally, as I described a moment ago, it drives zero trust 
strategy and key supporting technical guidance developed by 
CISA designed to raise the security baseline of the entire 
Federal civilian government.
    The final area I would like to highlight is FISMA reform. 
The Federal Information Security Modernization Act of 2014 
describes the roles and responsibilities that underpin much of 
the policy and oversight work that my office does today. We 
appreciate the opportunity to work with Congress in reforming 
this flagship piece of legislation to improve the government's 
ability to manage risk. We share Congress' view that we should 
be more clearly oriented toward security outcomes, and we are 
actively updating guidance to agencies in support of this goal.
    In conclusion, this administration is dedicated to making 
cybersecurity the immediate priority in Federal IT. Since 
January, we have been balancing a national response to a series 
of significant cyber events, while weighing the strategic 
groundwork for the future. As we move forward, we are focused 
on supporting agencies as they work to implement these 
priorities with diligence and that sense of urgency.
    As I have said today, none of us can do this alone. It is a 
partnership where collaboration is key, with my colleagues here 
today, but more importantly with the personnel across the 
Federal Government that work tirelessly every day to safeguard 
our nation's digital assets. I appreciate this Committee's 
leadership in this field, and I am confident that with your 
partnership and frank discussions, we are going to build a more 
secure and resilient Federal enterprise together.
    I thank you for the opportunity to testify today and I look 
forward to your questions.
    Chairman Peters. Thank you, Mr. DeRusha.
    All of you are well aware that Ranking Member Portman and I 
are working together on an incident reporting bill that would 
require specific companies to report to CISA regarding cyber 
intrusions and when they make ransomware payments as well. 
Certainly after thousands of cyberattacks, including 
SolarWinds, the Microsoft Exchange, and the Colonial Pipeline 
ransomware attack, I think it is probably well past time for us 
to have some sensible legislation put forward to make sure that 
we are getting timely information about these incidents.
    My first question is for Director Easterly. If our incident 
reporting bill were enacted, what would CISA do with this 
information, and how would you be able to help victims?
    Ms. Easterly. Thanks very much for your question, Chairman. 
First of all, we really appreciate this effort. We absolutely 
agree it is long past time to get cyber incident reporting 
legislation out there, and we are excited to work with you on 
this.
    CISA plays a critical role as the national coordinator for 
critical infrastructure resilience and security. As I think 
about CISA's superpower that we use on behalf of the Nation and 
the American people is our ability to share information rapidly 
to enable us to protect other potential victims.
    What we could do with this information is not only render 
assistance to the victim and help them remediate and recover 
from the attack but we can use that information, we can analyze 
it, and then we could share it broadly to see whether, in fact, 
evidence of such intrusions were found across the sector or, 
frankly, across other sectors, or across the Federal civilian 
Executive Branch.
    We think that timely and relevant reporting of cyber 
incidents is absolutely critical to help us raise the baseline 
and protect the cyber ecosystem.
    Chairman Peters. Mr. Inglis, my next question is for you. 
Would the type of information being collected by CISA, as laid 
out in the draft legislation that we are working on, help NCD 
formulate a national strategy and develop policies to prevent 
these attacks from happening in the first place? Clearly we 
want to be a deterrent for them to occur. Would this be 
helpful?
    Mr. Inglis. Thank you for the question, Mr. Chairman. I 
wholeheartedly support what Director Easterly just said, and do 
believe that information would be profoundly useful for the 
determination of an appropriate strategy. To reprise, that 
information is useful to help us be more efficient and to 
prioritize our response in the moment, to inform investments 
that we should make to get left of the event, to prevent these 
from happening in the future, and ultimately as a foundation of 
true knowledge, factual-based knowledge, such that we can 
create strategies that cover the gamut of cybersecurity 
activities.
    Chairman Peters. Mr. DeRusha, the incident reporting data 
from the bill that we are talking about, as well as a FISMA 
reform bill that we are also working together on would help 
protect Federal networks by indicating when intrusions have 
occurred on both private and government-owned systems, much 
like we saw after FireEye announced the SolarWinds attacks.
    Is there anything else from the OMB's perspective that we 
should consider as we are developing the text in both of these 
bills?
    Mr. DeRusha. Senator, I believe it is crucial that Federal 
civilian agencies are included. We need to ensure that we have 
one common standard that everyone is following. That has been 
my experience, both at the State and Federal level, that there 
is patchwork of reporting requirements and they need to come 
together. It is really burdensome, and we are not focused on 
the right security outcomes.
    The other thing I would say, though, is we have a really 
good partnership with CISA sharing threat information in a 
timely way to Federal agencies, and what we need is we need to 
increase the pipeline of information and getting it faster.
    Those are the things that I would be really focused on.
    Chairman Peters. This next question is for all three of 
you, and I will start with you, Director Easterly. We will go 
in the same order that we just went through.
    Each of you has a lot of experience in the private sector, 
and part of what we are looking at here is mandating companies 
to submit these reports, but we have to make sure they actually 
comply with that to get this information. I would love to hear 
your thoughts, and the Committee would love to hear your 
thoughts on the right enforcement mechanism to make sure that 
that information actually gets submitted. What should we be 
focused on? Director Easterly.
    Ms. Easterly. Yes, thanks for the question, Chairman. As I 
mentioned in my opening remarks I do think a compliance and 
enforcement mechanism is very important here. I know some of 
the language talks about subpoena authority. My personal view 
is that is not an agile enough mechanism to allow us to get the 
information that we need, to share it as rapidly as possible, 
to prevent other potential victims from threat actors.
    I think that we should look at fines. Fines are obviously 
used across industries. I just came from four and a half years in 
the financial services sector where fines are a mechanism that 
enable compliance and enforcement. I realize this is a 
complicated issue, and I really look forward to working through 
it with you, because I think it is important that we are able 
to get the information that we need in a timely way.
    Chairman Peters. Thank you. Mr. Inglis.
    Mr. Inglis. Mr. Chairman, I support that view strongly. I 
would observe that most of the 50 States have reporting 
requirements of a similar sort, and the vast majority of those 
have an enforcement mechanism. Many of those use fines. There 
may be some best practices in there, if we do a thoughtful 
survey of how they have actually addressed this and how that 
has worked, and whether that has imposed an unfair burden on 
the victims.
    We, of course, do not want to impose an unfair burden on 
the victims, but this information is essential for the welfare 
of the whole. There should be rewards for good behavior. If you 
have performed well and thoughtfully in this, the benefit 
should be obvious, which is that we can provide better services, 
both in response and in preventing this in the future.
    Chairman Peters. Mr. DeRusha.
    Mr. DeRusha. Yes, Senator. I also agree, enforcement is 
needed, and I share the views of my colleague, and I would be 
happy to work with this Committee.
    Chairman Peters. Thank you. Before I recognize Senator 
Carper for his questions I need to step aside and attend 
another committee. As you can see from attendance we have 
committees. We are actually in the middle of a vote, so Members 
will be coming and going as this hearing continues. Senator 
Hassan will chair in my absence. But as I leave, Senator 
Carper, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Senator Peters, can you hear Ms. Easterly?
    Chairman Peters. I can hear you.
    Senator Carper. All right. That is great. I can hear you 
too. Welcome to all of our witnesses today and thank you for 
your leadership and what you do with your lives.
    My first question is for Director Inglis. Have I pronounced 
your right name correctly?
    Mr. Inglis. Yes, sir. Precisely correct. Thank you.
    Senator Carper. That is great. I have worked with 
colleagues, not just Democrats but colleagues on the other side 
of the aisle for many years on Federal data security and breach 
notification legislation that would protect the consumers' 
sensitive personal information. As you know, Director Inglis, 
each State as well as the District of Columbia and several 
territories have some form of their own breach notification 
law. There is, however, as has been said, there is no national 
standard.
    In 2019, while I was privileged to lead the Permanent 
Subcommittee on Investigations, Senator Portman and I released 
a report dealing with Equifax's repeated failures to protect 
sensitive information for 145 million Americans, a lot of 
people. Director Inglis, can you take a moment to speak to the 
importance of having a Federal data breach standard and 
whether or not it would help covered entities have consistency 
in cyber-best practices and places to protect Americans' 
personal information?
    Mr. Inglis. Thank you for the question, Senator. As you may 
well know, the administration has no formal position on that at 
the moment, but I would observe the following, which is that 
given that 50 States have essentially addressed this, each one 
in their own way, if you are a company that operates across 
those 50 States you then have 50 challenges in terms of doing 
breach notification. I imagine that most of those companies are 
trying to get it exactly right, so they have to do it 50 times.
    To the degree that we can harmonize and standardize that 
essential requirement to provide the breach notifications so 
that we can assure that the victims are properly notified and 
the recovery efforts address their needs at that moment of 
vulnerability, I think that Federal legislation would be 
useful.
    Senator Carper. All right. Thank you for those comments.
    Next, Jen Easterly, how are you?
    Ms. Easterly. I am great, sir. How are you?
    Senator Carper. Good. How are things at CISA?
    Ms. Easterly. They are awesome. Best job in government.
    Senator Carper. That is good. Would you work for nothing?
    Ms. Easterly. Yes. I almost do.
    Senator Carper. All right. We are looking for ways to bring 
down the deficit. I will pass that on. [Laughter.]
    Seriously, as we saw from the Colonial Pipeline ransomware 
attack earlier this year, when disaster strikes in the cyber 
world folks do not always know who to call. In fact, the Chief 
Executive Officer (CEO) of Colonial Pipeline, Joseph Blount, was 
actually before our Committee earlier this year. He placed his 
first call, he told us he placed his first call to the FBI, but 
the FBI did not put him in touch with CISA. This incident, I 
think, makes clear that we need a plan for who to contact when 
a cyber incident occurs, and we need to better communicate that 
plan with not just our Federal partners but with State and 
private partners too.
    Director Easterly, is there a clear and well-communicated 
plan in place for the Federal Government and for critical 
infrastructure entities to implement should they be subject to 
a cyber, or in the case of Colonial Pipeline, to a ransomware 
attack?
    Ms. Easterly. Thanks so much for the question. A hugely 
important issue.
    Senator Carper. Who are you going to call? Ghostbusters. 
How are you going to call? They are not around these days, so 
who are we going to call?
    Ms. Easterly. I think we are the new Ghostbusters, 
actually, Senator.
    It is a hugely important question, and I would just say, I 
watched the hearing with Mr. Blount from Colonial and I think it 
was great that FBI immediately reached out to CISA. We have a 
fabulous partnership with FBI, and that has only been confirmed 
over my last two and a half months how important and how strong 
that partnership is.
    But I think your point speaks to the larger issue and why 
this cyber incident reporting legislation is so important, 
because we need to get reports both about breach, as you were 
just talking to Director Inglis about, about ransomware, but 
really about all flavors of cyber incident. Because it is very 
important for us to both be able to render assistance to any 
entity that suffers an attack but to be able to analyze that 
information and to share it more widely, because we know that 
in today's world everything is connected, everything is 
interdependent, and everything is vulnerable.
    So having that information in a timely way so that CISA can 
share it both with our partners across the Federal Government 
but, importantly, with our partners across critical 
infrastructure, and then, of course, at the State and local and 
tribal and territorial (SLTT) level, so that we can 
collectively raise the baseline of the cyber ecosystem. I think 
it is incredibly important to instantiate that in legislation, 
sir.
    Senator Carper. I agree. Thanks for that response.
    I have a question, as well, if time will allow, to ask of 
all three witnesses. Let us start with you, Director, and then 
we will go to the other witnesses. As I believe you know, each 
of you mentioned, I think, in your testimony, in May 2021, 
earlier this year, President Biden signed the Executive Order 
aimed at strengthening our cybersecurity as well as our 
authority to respond to cyber incidents when they occur. I am 
pleased to see that we are shifting to a more proactive as 
opposed to a reactive posture in the cybersecurity space.
    My question would be this for the three of you. To that 
end, could each of you take a moment to share with us how you 
are working in concert with one another to implement President 
Biden's Executive Order and what you need from Congress in 
order to implement these changes?
    Director Easterly, why don't you go first.
    Ms. Easterly. Great. Thanks so much, sir. Yes, I agree, it 
was a very significant Executive Order and I think it will 
really help make a difference for both the Federal cyber 
ecosystem as well as the broader ecosystem.
    We have been working very closely with all of our partners, 
in particular our partners with Federal CISA, with my good 
teammates, Chris DeRusha here, and Chris Inglis, to make sure 
that we are implementing all of the tasks that were assigned to 
us. I think we had 35 total, and we have met all the deadlines 
to date.
    As you said, this is about a paradigm shift and how we 
protect the Federal cyber ecosystem, improving information-
sharing from Federal contractors, modernizing the 
infrastructure to move to zero trust architecture, as Mr. 
DeRusha already talked about, making sure we have cloud-secure 
instantiations, and then making sure that we are implementing 
what we call endpoint detection and response (EDR) technology, 
which allows us to not just focus on the perimeter but really 
to focus in depth, all the way down to the host level, at the 
workstation, at the server, to ensure that we can see what 
threats are out there, detect suspicious activity, and ensure 
that we are able to mitigate and remediate it as soon as 
possible.
    So those aspects of it, plus all we are doing about secure 
software, software bill of materials, and then finally, 
everything we are doing to improve detection around logging.
    So a lot of work done. I look forward to keeping the 
Committee updated, sir, on the important work. Thank you.
    Senator Carper. Thank you, ma'am. Mr. DeRusha, really the 
same question. Talk to us a little bit about----

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan [Presiding.] Senator Carper, I am going to 
ask each witness to respond to your question, but you are 
over by about a minute, and so we need to move along.
    Senator Carper. OK. Thank you. All right. I will yield. 
Thank you.
    Mr. DeRusha. Yes, Senator. Look, it was a very large, 
aggressive action plan, which we felt completely appropriate 
for the moment. We are focused, and made a lot of progress 
already on baseline hygiene measures. Director Easterly just 
described some of those.
    We have also set in place a multi-year strategy and plan, 
and, what we are going to need from Congress is, we are going 
to need some new resources to implement this plan. But what we 
have done is we have really laid out, in pretty descriptive 
detail, what we need to do to become more secure as a Federal 
enterprise. We really look forward to working with Congress on 
those priorities.
    Mr. Inglis. Senator, I will answer quickly. I am largely in 
agreement with all of those remarks. I was impressed with the 
audacity of the plan--very aggressive. I am pleased with the 
performance. We have met or exceeded the objectives that were 
established. I am sobered by the idea that it is simply a down 
payment. To Mr. DeRusha's point, we have much more work to do, 
and we, therefore, need to redouble our efforts to do that.
    Senator Carper. Thank you all very much.
    Senator Hassan. Thank you, Senator Carper. Because Senator 
Portman is not back yet I am going to recognize myself for a 
round of questions, and I want to thank Chair Peters and the 
Ranking Member for this hearing, and I also want to thank the 
three of you not only for your service but for your testimony 
today and your commitment to improving the country's 
cybersecurity.
    My first question goes to Directors Easterly and Inglis, 
and I will start with Director Easterly. One of the biggest 
impediments to improving cybersecurity is the shortage of 
qualified cybersecurity professionals at Federal, State, and 
local level. I have introduced, along with Senator Cornyn, the 
Bipartisan Federal Cybersecurity Workforce Expansion Act. The 
act would authorize a registered cybersecurity apprenticeship 
program at CISA, and it would also create a veteran 
cybersecurity training program at the Department of Veterans 
Affairs (VA).
    Director Easterly, how would an apprenticeship program help 
address workforce challenges at CISA?
    Ms. Easterly. Thanks for the question. I love that. I love 
apprenticeships. We have already started talking about how we 
could implement apprenticeships at CISA. I would love to work 
with you on that legislation.
    I think we need to be as creative as possible in all our 
approaches to deal with the deficit that we have across the 
country and then across the Federal cyber workforce. So 
programs like rotational programs, apprenticeships, 
internships, and I am very excited, in particular, about 
implementing our Cyber Talent Management System (CTMS), 
finally, to enable us to more flexibly hire people from all 
walks of life, basically based on their aptitude, not based on 
certifications or degrees.
    So anything to do with workforce, Senator, I would love to 
work with you and your team and this Committee.
    Senator Hassan. Great. I would look forward to that.
    Director Inglis, what do you think of cyber apprenticeships 
and a veterans' training program, and are there other ways we 
can increase the talent pipeline to build a larger 
cybersecurity workforce?
    Mr. Inglis. Senator, once again I am in that position where 
happily I agree strongly with both the premise that you have 
established and Director Easterly's remarks. I think 
apprenticeships are essential, not simply because they provide 
experience for its own sake, but they bridge the gap between 
aspiration that is often supported by training and education 
and the real experience that employers need or want when you 
show up at that door. It helps to transition from one phase to 
another, in terms of one's work life.
    To the extent that that is something we can pilot, at CISA 
or within the Veterans Administration or other places, I would 
hope that we make that broadly available to the rest of 
government.
    As to what else we can do, I think that it falls into three 
broad buckets, which are not unrelated. We need to increase 
awareness, so that every citizen, every person who experiences 
cyberspace has what is necessary to cross the digital cyber 
street in the same way that we teach children to cross actual 
streets, and that they are aware of the opportunities in this 
space.
    It would be to make sure that we invest some more training 
and education in those who make decisions that implicate 
cybersecurity but they do not know it, whether they are lawyers 
or logisticians or system engineers.
    Then, of course, we need to double down on filling the jobs 
that have cyber and IT in their job title. I think we need to 
be as broad-based as possible. To Ms. Easterly's point, we need 
to encourage diversity, because that is a mission-essential 
strength. But at the same time let us relook those job skills 
to make sure we are asking for the right things. You do not 
need a bachelor of science in computer science for every one of 
those jobs.
    Senator Hassan. Thank you very much.
    Director Easterly, the Office of Management and Budget 
recently released a draft zero trust strategy, and it was nice 
to hear Mr. DeRusha talk about it. It states that the 
continuous diagnostics and mitigation (CDM) program run by CISA 
is a foundational element of the Federal Government's 
cybersecurity. I introduced legislation with Senator Cornyn 
last Congress to codify the program, and we are working on 
reintroducing CDM legislation this Congress.
    When do you expect all civilian Federal agencies to have 
their electronic assets inventoried and continuously monitored 
via CDM?
    Ms. Easterly. Thanks for the question. It is a great one. 
Having a lot of experience in this space, and certainly in the 
private sector, asset inventories and ensuring that you know 
exactly what is in your network is not a trivial endeavor.
    All that said, I am told that we are at about 85 percent of 
an understanding of the Federal endpoints, and so I think we 
will get there in the near term, and I am happy to keep you 
updated on the course of our progress.
    Senator Hassan. OK. A related issue, of course, is whether 
CISA is re-evaluating previously approved CDM tools to ensure 
that they still meet the newest best practices and our zero 
trust strategy. So is that happening as well?
    Ms. Easterly. Yes, ma'am, absolutely, as part of our entire 
modernization effort to make sure that we are able to provision 
the right capabilities through the CDM program, and some of the 
most important ones, as you are aware of, are EDR capabilities.
    Senator Hassan. OK. Another question for you, Director 
Easterly. Next week I am going to lead a Subcommittee hearing 
on the Federal Government's IT management resources. The 
service is available to agencies to modernize their aging 
systems and ways to improve those programs while also saving 
taxpayers money. Mr. DeRusha, I am looking forward to hearing 
from your colleague, Federal Chief Information Officer (CIO) 
Clare Martorana on this topic.
    An important aspect of ensuring the cybersecurity of 
Federal systems is modernizing outdated and obsolete IT 
systems, which are difficult, if not impossible to properly 
secure. Director Easterly, how is CISA supporting agency 
efforts to modernize their aging IT systems to improve 
cybersecurity?
    Ms. Easterly. We are taking a very aggressive approach, 
because we understand the urgency here. That said, Senator, 
this is a very complex endeavor, dealing with years and years 
of legacy systems. It is why, as my colleague, Mr. DeRusha, 
mentioned, the TMF fund is so important to enable that 
modernization.
    We are working hand-in-hand with departments and agencies 
to ensure that they have the capabilities that they need to 
enable them to build out networks in a different way, and it 
really goes to zero trust architecture, the secure cloud 
systems, the maturity model. We are pushing as hard as we can, 
Senator. It is a big project, and it is really one of the 
reasons why I am excited about FISMA reform, because we need to 
ensure that we can do this the right way, and secure an 
enterprise, not 102 separate departments and agencies.
    Senator Hassan. Thank you.
    Last question for you. I was delighted to hear your 
testimony and by the recent announcement from CISA about the 
Joint Cyber Defense Task Collaborative.
    Ms. Easterly. Like ACDC.
    Senator Hassan. I know, yes, except not. But yes. It is 
intended to improve planning, information-sharing, and 
collaboration among interagency, intergovernmental, and private 
sector partners. However, several of our critical 
infrastructure sectors, particularly the health care and 
education sectors, are severely under-resourced when it comes 
to cybersecurity, especially compared to the JCDC's initial 
private sector partners.
What lessons is CISA learning from its initial 
industry collaboration that will help it and the JCDC support 
health care, education, and other sectors that are often under-
resourced? I see that I am over time, so if you can make your 
answer brief. I can follow up with you as well.
    Ms. Easterly. I will do my best. The whole idea of those 
initial plankholders were those who had massive visibility, so 
they can drive action at scale, Senator. The fact that we have 
the cloud service providers (CSPs), the Internet Service 
Provider (ISPs), the cybersecurity vendors, that see the dots 
so we can connect them, will allow us to have that information 
and provide it to the other critical sectors, so that we can 
help health care and education and all of the, what I would 
call, target-rich, sometimes resource-poor sectors. So they 
will accrue benefit from what we are building in the JCDC.
    Senator Hassan. Thank you very much. Senator Portman.
    Senator Portman. Thank you, Madam Chair. I want to start, 
if I could, by asking unanimous consent (UC) to put something 
in the record that has to do with reporting. This is some of 
the feedback that we have received from industry and government 
with regard to our cyber notification legislation. I think the 
bill is better for this input, and I think it would be 
appropriate to have these letters included in the hearing 
record.\1\ All three relate to the legislation. One is from 18 
trade associations, one is from the financial sector, one is 
from the communications sector, and the fourth is from the oil 
and gas sector, expressing their concerns in that case about 
lack of consultation with the pipeline industry before issuing 
security directives.
---------------------------------------------------------------------------
    \1\ The letters referenced by Senator Portman appear in the 
Appendix on page 65.
---------------------------------------------------------------------------
    Senator Hassan. Without objection, so ordered.
    Senator Portman. Thank you, Madam Chair. Let me start with 
something urgent. I am really eager to get to the 
accountability issue because, as you know, I think that is 
critical for us to be able to organize ourselves properly going 
forward. But unfortunately, we live in a state of constant 
attacks, and we just had another one.
    There is a joint publication by CISA, the FBI, and the U.S. 
Coast Guard (USCG) last week that indicates an advanced, 
persistent threat, meaning right now, timely, a threat, 
targeting a software program used to authenticate users when 
they log onto their computer. According to this publication it 
is widely used by several critical infrastructure sectors. The 
hackers have covered their tracks, much like we saw with 
SolarWinds.
    Again, I would hope we could talk about the important, not 
just the urgent, but the urgent is upon us again. I would ask 
you, Ms. Easterly, can you briefly explain, what this is and 
why it matters?
    Ms. Easterly. Yes. Thanks very much for asking that 
question, Ranking Member Portman, because it does speak to, I 
think, a really good-news story and the collaboration and how 
we use data to help protect other sectors of critical 
infrastructure.
    So you are referring to something called ManageEngine 
ADSelfService Plus, which is this password management and 
single sign-on capability. We worked with the U.S. Coast Guard 
on a vulnerability at the Port of Houston and found out about 
this. We worked with our FBI partners and our Coast Guard 
partners to better understand that vulnerability, and then to 
be able to get that information out, to see whether, in fact, 
we saw the same vulnerability across the Federal cyber 
ecosystem and in our critical infrastructure partners. This was 
actually one of the early successes for JCDC, because we were 
able to share that information across our JCDC partners to see 
if they could find additional victims to notify.
    To this point in time, we see that the campaign thus far is 
limited, but we are continuing to work through it, and I am 
happy to keep you apprised.
    Senator Portman. I appreciate that. I guess I am glad to 
hear that, that you feel like, in this case, we have a handle 
on it. I did speak to one of your prominent JCDC members 
yesterday, and I support what you are doing there, including 
bringing the private sector expertise in. I think it is 
critically important.
    The alert indicates that this advanced persistent threat 
and these actors have been exploiting vulnerabilities but also 
covering their tracks. What does that mean, and does that mean 
if it is a nation-state actor, as an example, we are not going 
to be able to determine who it is?
    Ms. Easterly. As you know, Ranking Member Portman, 
attribution can always be complicated in terms of being able to 
positively say who that threat actor is. Certainly the most 
sophisticated threat actors go to great winds, as we saw with 
SolarWinds, to be able to cover their tracks and obfuscate 
their presence, so that they can live for long times in 
networks and be able to extract data.
    But we are working very closely with our interagency 
partners and the intelligence community (IC) to better 
understand this threat actor so that we can ensure that we are 
not only able to protect systems but ultimately to be able to 
hold these actors accountable.
    Senator Portman. Right. But in terms of this one, can you 
tell us who you think it is?
    Ms. Easterly. At this point in time I would have to get 
back with my colleagues, but I do think it is a nation-state 
actor, sir.
    Senator Portman. Concerning, yes.
    Ms. Easterly. Yes, sir.
    Senator Portman. OK. We look forward to hearing more as you 
have it, perhaps even in a classified setting, to understand 
what we can do to be able to respond, as you say, to be able to 
push back against these nation-state actors who continue to 
probe and to commit these crimes against our public and private 
sector entities, in this case critical infrastructure.
    OK. Accountability. I am going to show a chart\1\ here. It 
is a chart that tries to explain what the roles are. Maybe it 
is just me, but it seems like there is a lot of overlapping 
responsibility, including, by the way, among the three of you. 
The question is, who is in charge, who is accountable.
---------------------------------------------------------------------------
    \1\ The chart referenced by Senator Portman appears in the 
Appendix on page 58.
---------------------------------------------------------------------------
    We talked about this latest hack, and you mentioned that 
you are involved, as the, CISA lead, which is good. But also 
you indicated that there are other entities involved. The 
question is, who is in charge and who will take accountability 
as things happen?
    This chart has, with regard to the strategic side, the 
National Cyber Director, who is here with us today, and the 
Deputy National Security Advisor, who has been with us here 
before. She is not with us today but she has a role that she 
has indicated is, in some ways, quite similar to your role. 
Then we have OMB, of course, the Federal CIO, and the Federal 
CISA role. Then the CISA Director and the FBI CISA Director for 
Cyber are more on the operational side.
    On the strategic side, of course, every agency head has to 
be involved, and should be, and then, of course, the agency 
CIOs and the CISA in the agencies, and that goes to our FISMA 
issue we talked about earlier.
    I guess I would start with you, Mr. Inglis, and again, I am 
glad you are where you are. I wish you had more staff to be 
able to do your job, which is another topic we will discuss. 
Under your authorizing statute, you are the principal advisor 
to the President on cybersecurity and cybersecurity strategy. 
Is that correct?
    Mr. Inglis. That is correct, sir.
    Senator Portman. Does that mean that you are the single 
point of accountability for Federal cybersecurity within the 
Executive Branch?
    Mr. Inglis. I think I am the single point of accountability 
for Federal cybersecurity on owned or leased estates, to 
include the Federal Government and the critical infrastructure. 
When we determine that we need to use instruments of power 
outside of owned or leased estates, then military diplomacy, 
financial instruments of power, the National Security Council 
(NSC) is the natural place to essentially coordinate those 
instruments of power, and, therefore, they would interact to 
determine what that strategy should be to do the rest of what 
is required.
    But for purposes of preparation, synthesis of the big 
picture, defense of owned and leased estates, performance 
assessments, I am the accountable person.
    Senator Portman. So are you accountable, as an example, if 
the Department of Homeland Security does not have proper cyber 
hygiene in place? Probably not a good example because they are 
one of the few agencies that we found, of the eight, that was 
doing some of the right things. But let us say the Department 
of Health and Human Services or the Department of Energy (DOE). 
Are you the one responsible?
    Mr. Inglis. Yes, sir. I am ultimately the accountable 
person. Now, my job is to ensure that that accountability has 
been allocated properly to agency and department heads, to CISA 
for being the operational entity coordinating the defense, to 
OMB for issuing the right directives. As the coach--as we have 
used that term before--I need to ensure those roles are 
properly assigned, properly executed, and ultimately to do 
performance assessments to ensure that we are meeting the need.
    Senator Portman. Let me ask you this. This organizational 
chart, again, we have talked about, in the past, the overlap, 
and you just talked about the National Security Council overlap 
with what you are doing. Do you think the Federal Government's 
organizational structure is effective right now, and do you 
think that the lines of responsibility are clear?
    Mr. Inglis. I think it is reasonably effective. Can we make 
it better? We can, and we will. The three of us at this table 
talk on a daily basis about how to actually ensure that these 
roles complement one another.
    I would observe that the chart does not show sector risk 
management agencies. That is a further complication of what 
they on the edge of the enterprise that they represent. All of 
those strengths represent diversity, which properly applied can 
be a huge strength for us. It is perhaps then less complicated 
than the U.S. Department of Defense or an American football 
team, which, if it has the right strategy, if it has the right 
roles, if the life forces that course across it create 
coherence, Unity of Purpose, Unity of Effort, it can, in fact, 
be quite useful. That is our job, is to make sure that the 
video actually makes sense, even if the static picture does 
not.
    Senator Portman. You make the football analogy. There you 
have a coach, who is ultimately responsible. You have a 
quarterback responsible for the offense. The question is, how 
do you have that with this more diffuse structure?
    Is there any thought of issuing an Executive Order or some 
other rulemaking to more clearly delineate what the----
    Mr. Inglis. I think there is, sir. I think that is 
essential. We are actually taking our time, not because we are 
complacent in any way, shape, or form, but taking our time to 
actually let a modest amount of experience drive our efforts to 
then clarify, in writing, what we believe is the right and 
proper way to describe that chart in action.
    I think you would have hopefully seen, over the last three 
or four months, there were several times when we reported 
informally to this Committee not on a major incident but an 
incident we thought was reflective of the work that we do 
together, where we surged to the point of maybe to assist an 
agency that was encountering some difficulty. We checked the 
rest of the enterprise, the Federal enterprise in that case, to 
ensure that that had not been something experienced by others. 
We visited with the investment strategy, using OMB resources to 
ensure that we were making the proper investments to get ahead 
of this, and reworked that accordingly. Then ensure that 
ultimately those best practices became something that everyone 
could benefit from.
    That is complicated. That is hard to do, but it is the 
necessary work of the leadership that you have charged to 
undertake coherence in that diagram behind you.
    Senator Portman. Let us go to one of those points that you 
just made, which is the cybersecurity budget for the agencies. 
Mr. DeRusha is here with us, on the panel, and you are here on 
the panel, yet both of you have that responsibility as I 
understand it. You have responsibility over the agency 
cybersecurity budgets and what they ought to be. Is that true, 
Mr. DeRusha?
    Mr. DeRusha. Sir, OMB does, absolutely.
    Senator Portman. So say it again?
    Mr. DeRusha. I am sorry, sir. Yes, OMB has the 
responsibility. It is a shared responsibility between the 
management side, but largely the budget side, the resource 
management officers.
    Senator Portman. OK. I do not want to put Mr. Inglis on the 
spot here, but would you agree with that, Mr. Inglis, that you 
do not have responsibility for cybersecurity budgets?
    Mr. Inglis. I do not have unique and solitary authority 
over that. I agree.
    Senator Portman. Not unique and solitary, but Mr. DeRusha 
just said that it is OMB who has unique and solitary over that, 
that responsibility, and my understanding is that you believe 
you have responsibility for it too.
    Mr. Inglis. Oh no, sir, I do not. By statute I have the 
responsibility to report on performance. I do not have the 
authority to direct dollars. I do not have the authority to 
move dollars. But I think I have a useful and necessary 
function to report on performance.
    I think by example what we have done has actually joined 
those two responsibilities in a way that it is coherent. Take 
the Technology Modernization Fund in hand, as earlier described 
by Mr. DeRusha. There is $1 billion allocated by the Congress 
for that purpose. There is $2.3 billion in applications. OMB, 
using its authority, has described what the requirements are 
that would allow them to judge the merits of any particular 
application. They have been paneled aboard.
    I have looked at those requirements. I have judged that the 
panel is an appropriate panel to adjudicate this, and I look at 
each of the applications and each of the awards to ensure that 
they are consistent with our overall cyber strategy. I 
therefore am in a place where I am performing my responsibility 
to ensure performance, at the same time allowing OMB to perform 
their statutory responsibility to be accountable for the 
budget.
    Those two nicely, but in a complicated way, intersect at 
this thing we call cyber. I think that is, by statute, where we 
are. We could possibly clarify that to a greater degree in the 
FISMA modernization and other bills, but the things that I 
think that we are enjoying at the moment, we can achieve 
coherence with the roles as they are defined.
    Senator Portman. OK. I am over time already and I apologize 
to my colleagues. Let me read the statute for what you are 
supposed to be doing: ``Reviewing the annual budget proposals 
for relevant Federal agencies and departments and advising the 
heads of such departments and agencies whether such proposals 
are consistent with the national cyber policy and strategy.'' 
It sounds like you are involved in the budgets. But I look 
forward to further conversation in the second round.
    Thank you, Mr. Chairman.
    Chairman Peters [Presiding.] Thank you, Ranking Member 
Portman.
    Senator Ossoff, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR OSSOFF

    Senator Ossoff. Thank you, Mr. Chairman, and thank you to 
our panel. Thank you for your service.
    Mr. DeRusha, you have responsibility as Chair of the 
Federal Acquisition Security Council (FASC) for risk management 
in the supply chain for Federal agencies. We saw Apple rush out 
an iDevide Operating System (iOS) patch a couple of weeks ago, 
an exploit that allowed targeted, remote jailbreaking of iOS 
devices, which it appears had been outstanding for at least 
several months, and was used to target certain individuals, was 
revealed.
    What is your assessment of your capabilities and the 
capabilities of the private sector partners you work with, your 
interagency partners at identifying zero-day exploits that 
could be used to target senior government executives by foreign 
intelligence services or to penetrate public sector or private 
sector networks, and what additional authorities or reforms to 
procedure or law might be contemplated to improve our ability 
to get ahead of that kind of exploit?
    Mr. DeRusha. Senator, I will respond first, but there is 
also a shared equity with this entire group, in particular at 
CISA and FBI and other partners.
    I will speak a little about the role of the FASC. We are 
primarily focused on supply chain risks that have a nexus to 
national security, foreign threats, and others. There is an 
acute focus of the FASC and its responsibilities, however, in 
our ability to make recommendation of exclusion or removal 
orders for the Federal Government.
    We also take on the responsibility, strategically, to 
ensure that we are providing the right guidance and risk 
information to Federal agencies. We are working on some new OMB 
guidance on that front, and we also work closely with NIST to 
ensure that they have the appropriate understanding of the 
standards that sit behind the effective risk management 
programs that they need to build at each Federal agency to 
secure itself. There is partnership there.
    We have efforts to engage all the key stakeholders, both 
industry and other committees, like in Team Telecon and the 
Committee on Foreign Investment in the United States. There are 
a lot of groups and bodies that need to be pulled together to 
address the risks that you have described.
    In particular to what you were talking about, 
vulnerabilities of that sort are, unfortunately, fairly 
pervasive across the entire ecosystem, and, that has not 
traditionally been the explicit focus of the FASC itself. But I 
would be happy to have a discussion regarding that further.
    Senator Ossoff. OK. We will come back to this topic in a 
moment. Mr. Inglis, I want to come to you for a moment and then 
hear from you, Ms. Easterly, on this as well. What changes to 
policy or operational posture of executive agencies have been 
made in response to lessons learned from the Colonial Pipeline 
breach?
    Mr. Inglis. Thank you for the question, Senator. In 
response to the Colonial Pipeline breach, what we have done is 
to shore up our response mechanisms. Ms. Easterly can talk at 
some length about that. We have engaged the CEOs of the 
pipeline sector to ensure that they understand what the Federal 
Government is prepared to do, but at the same time what we have 
an expectation of that they need to do in terms of increasing 
resilience and robustness, and they have responded in kind.
    We have, therefore, kind of articulated what we believe the 
requirements are for the pipeline sector. We will probably do 
that for other sectors as well. We have worked closely with the 
private sector to make sure that that is understood and 
reasonable, and ultimately develop a response plan such that we 
can help them in the moment of need in a way that is timely, 
efficient, and prioritized.
    Senator Ossoff. Thank you. Ms. Easterly?
    Ms. Easterly. Yes. I think as you know, Senator, there were 
security directives that were issued in the wake of the 
Colonial Pipeline incident, one of which, importantly provides 
the requirement to report cyber incidents to CISA. This is a 
way that we are able to gather the information to protect the 
larger sector and also connected sectors, so that is one very 
important thing.
    Also, as part of the White House's Industrial Control 
System (ICS) Initiative, that first looked at energy, it is now 
looking at pipeline. We are actually working with major 
companies about what we can do to help them shore up their 
security to include instantiating technology that will allow 
them to detect more rapidly and to remediate and respond to any 
intrusions, one of those programs being CyberSentry, which we 
appreciate that Congress is focused on permanently authorizing.
    Senator Ossoff. Thank you, Ms. Easterly. I share the 
Ranking Member's concerns about the complexity of this 
bureaucracy. I recognize you are making good-faith efforts 
every day to rationalize it and streamline, apply the right 
authorities through the right agencies.
    But I am curious, Ms. Easterly, based on your experience 
thus far, surely there is room for improvement. What is the 
most significant impediment to operational efficiency or 
effectiveness that you have experienced and observed in your 
time in this position?
    Ms. Easterly. To be honest, Senator, it has been a pretty 
good experience thus far. At the end of the day, I think CISA's 
role is pretty clear. We have two primary roles. We are the 
operational lead for Federal cybersecurity, and I hope that 
gets formally instantiated in FISMA reform, and by statute we 
are the national coordinator for critical infrastructure, 
resilience, and security.
    Both of those missions necessarily are team sports. It 
implicates partners across the Federal Government, as well as 
partners across critical infrastructure. We will never own that 
mission wholly because, as the Chairman said, over 85 percent 
is privately owned.
    I feel very comfortable with the partnerships that we have 
forged to date, across the Federal cyber ecosystem, as well as 
with the private sector. As I said earlier, Senator, I am very 
excited about what we are building with the Joint Cyber Defense 
Collaborative.
    Senator Ossoff. I appreciate that, Ms. Easterly, and yet 
there must be obstacles in efficiencies and impediments to 
effectiveness that you do encounter on a daily basis, and the 
Congress needs to hear them, because we can learn lessons about 
modifications to statute or reforms to policy based upon your 
testimony. I would like to hear from you. What is not working? 
We need to know.
    Ms. Easterly. With respect to Federal cybersecurity, I 
think with FISMA reform I would ask that the Congress do three 
things. First, that we codify CISA's role in Federal 
cybersecurity as the operational lead, that we make sure that 
we are holding departments and agencies specifically 
accountable for the investments that they make in their 
cybersecurity teams. They are making tradeoffs every day. They 
need to take that seriously and invest in cybersecurity and 
give some of those authorities between OMB and NCD and make 
that more explicit. Finally, we need to move from this 
compliance and box-checking to true operational risk 
management. I think instantiating all of that in FISMA reform 
will be incredibly important and helpful for our role.
    Finally, I do think the cyber incident notification 
legislation is incredibly important to establish our ability to 
receive reports and then share them agilely and rapidly with 
the rest of the community so we can raise the baseline on the 
cyber ecosystem. I am sure as I progress in this job I may have 
some more things to come back to you on, Senator.
    Senator Ossoff. In addition to your deep experience in the 
Army, you have also worked in the financial services sector. 
How resilient and robust do you believe that sector's 
cybersecurity is, and what changes, either within the industry 
or at the regulatory level, need to be made to protect our 
markets from what could be a devastating cyberattack that could 
lead to a financial crisis or significant economic damage?
    Ms. Easterly. Thanks for the question. It is a great one. 
Since 2012, when Wall Street was subject to a massive 
distributed denial of service attack there have been significant 
investments made by the financial services sector, billions of 
dollars to ensure that there is the right process, the right 
technology, the right people. That is why I think finance is 
generally in such good shape.
    This is just my experience at Morgan Stanley--I think with 
respect to regulatory regime I always found it necessary to try 
and harmonize that, and I think we need to think about that 
with respect to cyber incident reporting, because it is very 
important that we are not asking a company, a business, that is 
under duress during a cyber incident to report to seven 
different entities, whether it is CISA for cyber incidents or 
to other regulatory agencies. The harmonization piece, I think 
is important.
    But one other really important aspect of this, as good as 
finance can be it does not matter if electricity is not 
working, if the telcos are not working. Even as we look at 
these sector models, sir, we really have to look at this 
functionally, right? We have to look at the national critical 
functions. I think that is a very important lens, because 
everything is interdependent. Everything is connected. 
Everything is vulnerable. At the end of the day that is why I 
think CISA's statutory role as the national coordinator is so 
important because we have to look across the whole critical 
infrastructure ecosystem and make sure that it is as protected 
as it is connected in cyberspace.
    Senator Ossoff. Thank you. Mr. Chairman, I am over time. I 
have a couple more questions, if there is time for it later. 
But I yield.
    Chairman Peters. Very good. Thank you, Senator Ossoff. 
Senator Lankford, you are recognized for your questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Mr. Chairman, thank you. Thank you all 
for the work that you are doing. It is exceptionally important 
for the country, and I am grateful that you are engaging in 
this.
    Mr. Inglis, let me walk back to something that Senator 
Portman was talking about before on the budget issues. You have 
a fairly unique situation here all of a sudden, that your 
office requested about $15 million to be able to stand up the 
office. The infrastructure bill gave you $21 million, and then 
the House Appropriations bill has allocated almost $19 million 
more. So you suddenly went from a $15 million request to, it 
looks like, a $40 million allocation. Is that what you are 
hearing, seeing?
    Mr. Inglis. My understanding is that there are three 
numbers. The $15 million was imagining that we would get a slow 
start in fiscal year (FY) 2022, therefore not be able to 
execute at a flat, high level across the whole year. Therefore 
you might take a $21 million figure, which is probably about 
the right number, and reduce that, because you are not going to 
expend all those resources if you do not have the same number 
of people at the start of the year as you do at the end.
    With respect to the other budgets, my understanding is they 
are not additive, that they are kind of one or the other, those 
will hold sway.
    Senator Lankford. OK. That is helpful, because we are 
trying to be able to track this as well, as you are trying to 
be able to stand this up.
    Ms. Easterly, thanks again for your engagement on this. 
Obviously, after the Colonial Pipeline whole incident a lot of 
pipeline folks awakened to vulnerabilities that were out there, 
and that has been in the long-term conversation for years with 
a lot of the pipeline companies and some areas of vulnerability 
on this.
    They made lots of hard decisions on this, but directives 
came out immediately that were emergency directives. What I am 
hearing now from a lot of the companies, not only pipeline 
companies but in others, saying, ``Will we get to be at the 
table when the final version is done?''
    Help us understand what you think that would mean, for them 
to be at the table, because obviously every single company is 
not going to be able to be there. There is a notice and comment 
period that allows every single entity and company to be able 
to contribute, but what does that look like now in the days 
ahead, when we start getting a final ruling on this? Because 
there were some really good actors that had additional 
requirements put on them, or had to redo some things, but they 
were doing all the right things already on this. So they got 
consequences even though they were actually doing all the right 
things originally.
    What does this look like, to be able to have more 
cooperation?
    Ms. Easterly. Yes, thanks for the question. You are 
absolutely right. Some companies were doing the right things. 
Some were not. I think the objective of the security directive 
was to set baselines, and I think that is incredibly important. 
As you know, we have been working with pipeline companies for 
many years. Some of those vulnerabilities that we illuminated 
in the security directive had not been remediated for years, 
and we felt it was incredibly important to be able to really 
make aggressive progress on this.
    So we absolutely recognize, and as I mentioned earlier, we 
are working closely with the big pipeline companies. We have a 
task force that has been set up. I was on the phone with them 
earlier this week. Understanding that there was some 
unhappiness from the community, I know that my colleague, 
Administrator Pekoske briefed them on the security directive 
the other week and they were quite happy with having that 
opportunity to consult and collaborate on the way forward.
    That is absolutely my approach going forward, Senator. 
Everything we do has to be in partnership, and I am looking 
forward to furthering those conversations.
    Senator Lankford. Great. How do we start proactively 
sharing intelligence information, not just with pipeline 
companies but everybody in the infrastructure world, that 
actually has some context to it, if I can say it that way. 
Because sometimes different reports come out and they look so 
neutral that it really does not look like hair's on fire, do 
something right now. It is just a hey, be aware of, but there 
is no real context to it.
    How do we help provide information to people proactively, 
to say we are hearing this, seeing this, take action 
immediately on this, in a way that has context to it and has 
some clarity to it of what to be able to do?
    Ms. Easterly. Yes, that is a fabulous question. You sound 
like me when I was at Morgan Stanley. What we wanted was not 
just indicators but real context, because you have to take 
action against something, and if it is unclear information it does 
not help a network defender. That is why we are so focused on 
timely, relevant, actionable, contextual information. We are 
making improvements on what is called automated indicator 
sharing (AIS). That is a program that has been around for a 
while, and we actually are adding context from things like the 
MITRE attack network that all network defenders use, to give 
more granular information for defense.
    We are also looking to use CSPY, which is our cyber 
information-sharing collaboration platform, about 300 companies 
there, to ensure that we have regular analytic exchanges to 
include classified exchanges, to make sure that everybody has 
the information they need to shore up their networks.
    Then finally, with respect to the JCDC, that is a way to be 
able to share information very rapidly, both within that small 
ecosystem and then within the larger community, to help enforce 
across the board what companies need to do to protect 
themselves in cyber.
    I am optimistic about making progress, exactly as you are 
saying, contextual.
    Senator Lankford. All right. That is helpful. If you are a 
large energy company you have lots of support on that. If you 
are a local co-op, you do not have the same level of support on 
that. As we are communicating with these companies, how are we 
getting to the co-op the same as we are getting to an Edison?
    Ms. Easterly. That is a great question. I would answer it 
two ways. First of all, we are constantly putting out 
information through our platforms. We manage the Critical 
Infrastructure Partnership Advisory Council (CIPAC), which 
reaches all aspects across infrastructure to put out this 
information. We have resources, education, technical guidance, 
and assistance.
    But one of the greatest things about CISA is our field 
force. We are 10 regions, 500 people across the country, 
security advisors that are in touch at the State and local 
level, with some of those smaller businesses, to ensure they 
have what they need to be able to make those changes to improve 
their cybersecurity baseline.
    Senator Lankford. OK. That is helpful. Let me ask a 
question as you walk into this. Just perception at this point. 
Is the IC, the intelligence community, doing enough to be able 
to actually reach into areas for critical infrastructure 
protection, as was discussed earlier, to get left of some of 
these challenges, to be able to make sure that we are seeing 
into it, to see what is actually developing? We do a lot on our 
national security side, as we should, trying to be able to 
protect our larger systems and how we operate as well.
    Are there things that we can do to be able to help engage 
with him more, to be able to raise the level of priority there?
    Ms. Easterly. I think with respect to the intel community, 
in the past two and a half months I have had many engagements 
across the board, and I have been, as I always was when I was 
in government, incredibly encouraged and impressed with the 
power and capability of our intel community.
    I would say, though, Senator, with respect to some of the 
more exotic and sophisticated actors that take advantage of the 
blind spots in domestic infrastructure--we saw that with 
SolarWinds, we saw it with Microsoft Exchange--I do not think 
that that should be an IC role. I am sure you agree with me on 
that.
    Strongly, though, that is really the motivating impetus for 
the JCDC. The plankholder partners are those that have 
incredible visibility across the ecosystem, so they are able to 
see into things that the government cannot and alert us to 
trends in malicious cyber actor behavior and suspicious 
activity, to enable us to use that information to make the 
ecosystem safer. I think that is how we solve the dots issue. 
We solve the dots issue by the visibility through our 
partnership construct that we are building out now.
    Senator Lankford. OK. Thank you.
    Ms. Easterly. Thank you.
    Chairman Peters. Thank you, Senator Lankford. Senator 
Scott, you are recognized for your questions.

               OPENING STATEMENT OF SENATOR SCOTT

    Senator Scott. Thank you, Chairman Peters. Thanks for being 
here.
    How important is the existing satellite system that the 
Federal Government uses to cybersecurity, and how risky do you 
think the satellite system is, as far as its ability to, in any 
time that somebody wanted to have a conflict with us, that it 
would be still viable?
    Mr. Inglis. I appreciate the question, Senator. Without 
having the details in hand, but happy to respond to that in 
further detail, I would say that the question is probably 
equally apt of how important is cybersecurity to those 
satellites. Satellites often perform critical functions for the 
Nation, whether it is weather observations or military command 
and control, and so on and so forth. We need to ensure that we 
have invested as much in them as we have in any other piece of 
critical infrastructure. Cybersecurity is essential for them. I 
think our adversaries would clearly hold those at risk if they 
thought they had the means or the ability to do so, and 
therefore it has to be in scope.
    Senator Scott. Jen, what do you think?
    Ms. Easterly. I would agree with that, Senator. Obviously, 
anything that is critical to our national security is something 
that we need to make sure is protected and secure. In today's 
technology world, we know that many things are connected and 
almost everything is vulnerable. It is why we work so hard to 
ensure that all sectors are raising their cybersecurity 
baseline. I very much agree with the Director on this.
    Senator Scott. The way to think about it is, it is more 
they need you to make sure that they are not damaged rather 
than the other way around.
    Mr. Inglis. I agree. I talked with a gentleman a couple of 
weeks ago and he gave me a wonderful analogy. He says, ``You 
know why race cars have bigger brakes? So they can go faster.'' 
The point he was making is that the reason we have 
cybersecurity, the reason we lay it on, is not for its own 
sake, and that is what we can be proud that we have done that, 
but so that we can enable a critical mission. I think that is 
the case with satellites or any other piece of our critical 
infrastructure.
    Senator Scott. OK. What is the administration doing to go 
after these nation-states that target our critical 
infrastructure? I was Governor of Florida so we had all these 
hurricanes, a lot of them. The first thing you realize is you 
have to get the power back up and you have to get your 
communication back up, because eventually, if you do not get 
that done, you are going to run out and get food and water out 
to everybody.
    What do you think we should be doing to deal with these 
nation-states that are targeting our critical infrastructure 
and central services, and are we doing enough?
    Mr. Inglis. Senator, I will start. I think that the 
administration's strategy, take ransomware as an example but it 
is not the only example where a nation-state would hold us at 
risk, there are four lines of effort currently in that 
strategy. One is you have to disrupt the infrastructure and the 
actors, determine what it is they make use of and try to hold 
that at risk, using all instruments of power, not simply cyber 
instruments of power. But use your legal remedies, your 
diplomatic remedies, your financial remedies, all of that, to 
essentially make it such that they cannot succeed.
    Two, promote resilience, such that we are simply a harder 
target. That is sometimes less satisfying because you do not 
see kind of some flash in the night, but actually if you simply 
avoid the event it is far more meritorious than kind of working 
your way through it.
    Three, address the abuse of virtual currency, which is 
underpinning. It is a huge fuel inside of this fire, and we----
    Senator Scott. Can I interrupt you? Do you think that is 
doable?
    Mr. Inglis. I think it is doable, maybe not to the 100th 
percentile, but I do think it is doable.
    Senator Scott. Good.
    Mr. Inglis. Right. So the sanctioning that occurred, what, 
two days ago, of SUEX, which has shown itself to be involved in 
so many of these transactions of virtual currency turning into 
hard currency, or vice versa, we can essentially kind of lock 
those down if we know that they are engaged in illicit 
activities, and actually try to hold the virtual system 
accountable for the same requirements that the hard currency 
system does.
    Finally, I think that the fourth element, not independent 
of the other three, is to do this in the broadest possible 
coalition. This is an international issue, not a U.S.-only 
issue. We need to, if we are bringing pressure to bear on 
Vladimir Putin because he gives sanctuary or permissive action, 
we need to bring a coalition to bear to hold him at risk, to 
determine what it is he cares about, to use all of our powers 
across nations who have this same problem, who are like-minded 
in their desire to achieve the outcomes in this space.
    Senator Scott. Do you want to add anything?
    Ms. Easterly. I think it is a great rundown. I mean, this 
really is a whole-of-nation effort, where CISA's role, of 
course, is in that promoting resilience phase. We also do 
response and recovery. But I would be failing if I did not take 
this opportunity to just say that, yes, there are sophisticated 
and highly dedicated actors, sir, but much of the attacks that 
we see could be prevented with good cyber hygiene. And so 
incredibly important that all entities do the basics, to 
include, most importantly, in my view, implementing multi-
factor authentication. We are going to spend Cybersecurity 
Awareness Month in October making sure that everybody has what 
they need to implement the basics.
    Mr. Inglis. Sir, if I might jump back in, just to 
complement Jen on this, if you go to StopRansomware.gov, a site 
set up by CISA, you actually learn quite a lot about how you 
can actually be your own best defense.
    Senator Scott. Mr. DeRusha, do you want to add anything?
    Mr. DeRusha. No, sir. I think that it was well stated by my 
colleagues. The only thing I would say is, as the lead for 
Federal civilian we take an approach of anything of value is 
going to be a high target, so we have the high value asset 
approach. Then we prioritize our efforts around looking at the 
threats and vulnerabilities of those assets first. So that 
aligns completely with the concerns you raised and expressed 
here.
    Senator Scott. Good. According to the U.S. Office of the 
Director of National Intelligence (ODNI) 2021 Annual Threat 
Assessment, China presents a prolific and effective cyber 
espionage threat, possesses essential cyberattack capabilities, 
and presents a growing influence threat. I think everybody 
would pretty much agree with that.
    Can you describe some of the risks we face when it comes to 
cyberattacks from--let us pick on one--I would pick on 
Communist China?
    Mr. Inglis. Sir, I can, and I will try to go fast. I think 
we know all of this, and it is just a summary of what I think 
is already out there.
    First and foremost, there is the theft of intellectual 
property that constitutes hard-won competitive advantage of our 
businesses, our industries to aid and abet the development of 
their own industries. That is simply wrong, and it is an unlevel 
playing field that we need to challenge.
    Second, kind of stealing some of that materiel, those 
secrets, they can hold our maneuvers, our actions at risk, our 
legitimate actions in the realm of diplomacy or military 
actions, hold that at risk in ways that are inappropriate.
    Finally, they can attack our confidence by making it such 
that we might come to the conclusion that this digital 
infrastructure will not work for us when, and as it should, and 
that perhaps is the most insidious, pernicious threat of all.
    The answer to all of this----
    Senator Scott. I think that is true. Right? Don't you think 
most people believe it will not be there when we need it?
    Mr. Inglis. I think it is possibly true. I think it is our job 
to ensure that we have sufficient confidence. I think that we 
can agree that the infrastructure that we make use of can never 
be perfectly secure, and it will not defend itself. So we can 
make it defensible--Jen has described many ways to do that. We 
then must actually defend it, and we must have a transcendent, 
resilient idea of who we are and where we are going such that 
that is the thing that they have to challenge, such that we 
essentially achieve our aspirations through momentum as much as 
more as they are knocking down, right, the efforts that 
somebody else undertakes to hold that at risk.
    Ms. Easterly. I do not think I can say it better.
    Senator Scott. OK. All right. Thank you, Chairman.
    Chairman Peters. Thank you, Senator Scott. Ranking Portman, 
I know you have a question that you would like to ask, you are 
recognized for it.
    Senator Portman. Yes, thank you, and again, thanks for the 
opportunity today to dig into some of these issues, including 
the good dialog we just had with Senator Scott. There is so 
much that needs to be done to tighten up our defenses and 
respond more effectively, but one is this reporting 
requirements legislation we talked about earlier. We would like 
to get legislation passed that is bipartisan, that you all can 
work with. The bottom line is it would require entities to 
report to you, Ms. Easterly, in a more expedited fashion and, 
in some cases, clarifying that that is a responsibility, 
because it is not, as we saw with Colonial Pipeline, when they 
got the FBI and did not contact you, based on our hearing 
testimony.
    So for you to be able to properly disseminate that 
information that you get to the right agencies and, therefore, 
to have the right analysis--I suppose you need to do that--what 
do you need? In other words, if we have a reporting 
requirement, what do you need to make it effective so that CISA 
can take that information and get it out immediately to the 
right actors?
    Ms. Easterly. Thanks for the question, Senator. That is 
what we do every day. We receive a variety of reports across 
the Federal civilian Executive Branch. We receive a variety of 
reports at the State and local level, and then, of course, at 
critical infrastructure. We analyze those reports to ensure 
that if there is information that needs to be shared with other 
entities to help us raise the cybersecurity baseline of the 
cyber ecosystem that we are doing that. That really is what I 
describe as our super power, is to share that information, and 
the authorities that we were given by the Congress to do that, 
I think, are exactly what we need.
    If this legislation goes into place--and I am a huge 
supporter of it and I think, as I said earlier, we need to 
craft it in such a way that it enables enforcement, it is 
timely, but we are going to need to put in place a process to 
be able to handle this information at even greater scale and 
make sure that we can share it as agilely as possible.
    I think that the JCDC that we are standing up will help 
enable that, because again, that gives a construct to share 
many to many. Uniquely, it is the only Federal cyber entity in 
statute that brings together NSA, FBI, CISA, United States 
Cyber Command (CYBERCOM), DOD, ODNI with the private sector, so 
that we can share that many to many. That is the dots 
visibility issue that we are trying to solve, Ranking Member 
Portman, and I am optimistic that we will be able to leverage 
any new legislation to share that information as agilely as 
possible.
    Senator Portman. I appreciate that. My colleagues want to 
ask some additional questions and I want to make sure they get 
the chance to. We will have more follow-up on this as we move 
the legislation through the process. But we want your input. We 
want to make sure that this works right and does not unduly 
burden those who get hacked at a time when they have to be able 
to respond. That is why there is a time period here, to give 
them time where they are not filling out paperwork but they 
are, in fact, addressing the attack. So there is a balance 
there, and we understand that, but ultimately we want to have a 
reporting requirement, and we want to make sure that you have 
the resources to be able to properly take that information and 
get it out to the right Federal agencies and others as quickly 
as possible.
    Ms. Easterly. Can I respond to that?
    Senator Portman. Yes.
    Ms. Easterly. I totally agree with you. I mean, we went 
through this in the private sector at Morgan Stanley. What we 
do not want is to have CISA overburdened with erroneous 
reporting, and we do not want to burden a company under duress 
when they are trying to actually manage a live incident. That 
is why I think the rulemaking process that will be consultative 
with industry will really be important to getting this right.
    We do not want to be flooded with reports saying we 
detected something and we are not sure whether there is actual 
impact or not. I think we need to make sure that there is 
determined impact, and then we can get that information and we 
can do something with it that will help ensure the 
cybersecurity baseline is raised. But erroneous noise is not 
what we need. We need signal.
    Senator Portman. Yes, I could not agree more. You noted 
that, at the outset, we introduced into the record letters we 
have received from the private sector, and I think you will 
see, in some of that information, the input that you are 
talking about. It is a balance, and we will try to achieve that 
balance but also provide some discretion so that we get it 
right. We look forward to working with you.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Ranking Member Portman. Senator 
Ossoff, if you have an additional question or two you may 
proceed.
    Senator Ossoff. Thank you, Mr. Chairman. I know time is 
short and there is a vote on the floor. Two final questions for 
you please, Mr. Inglis. The first is, what do we all need to 
do, as public leaders, what would we call upon the private 
sector to do to build a privacy culture in this country such 
that citizens understand the risks associated with engagement 
online with the use of technology so that basic cyber hygiene 
principles, practices like patching and using complex passwords 
and preferring encrypted messaging apps, avoiding reckless 
public disclosure that can put one at risk or one's family at 
risk or invite financial intrusion, what can we all do to make 
that something that is closer to our core understanding of 
citizenship?
    Mr. Inglis. Senator, thank you for that terrific question. 
I would say many things. First, I would say follow the best 
examples of this Committee in two key ways. One, this is, by 
every kind of representation, a nonpartisan and bipartisan 
issue. You all speak with equal fervor about the nature of what 
this means to us and what we should do about that. That is 
extraordinarily important.
    Two, you have taken it seriously such that you have asked 
us questions, you demand that we give you good answers. We will 
continue to work our way through that. This is an issue that 
all of us have as a responsibility, not simply the people that 
have ``IT'' or ``cyber'' in their name.
    Three, to the point that you have mentioned some things 
that people should know, regardless of whether they are Python 
coders or IT experts, I think that we assume too much about 
people raised in the midst of technology that they are digital 
natives. They are generally not. They are app natives. They 
understand how to use this stuff. They have no idea about what 
the security consequences are.
    In as much as we teach our children how to walk across a 
busy street, especially when they are in an environment where 
perhaps the traffic goes the wrong way, we need to spend an 
equal amount of time teaching them something about the basics 
of cyber space--how that works, what happens when you touch a 
link, what perhaps are the responsibilities, who is defending 
your stuff when you store it in whatever the cloud is. We need 
to tell them a little bit more about those. Those are basic, 
fundamental issues.
    Finally, I would say that we need to redouble our efforts 
to imbue critical thinking in our people, because we cannot 
predict all of the situations they are going to encounter. 
They, therefore, need to have foundational abilities to say 
does this make sense, and make a choice based upon some facts 
that are kind of solid underneath them.
    I think if we do all of those things we are in a better 
place.
    Senator Ossoff. Thank you, Mr. Inglis, and let us continue 
the conversation on this subject. My final question, and it is 
a brief one, Mr. Chairman, for you, Mr. Inglis. In your 
capacity you have to consume threat intelligence, work with the 
intelligence community, work with law enforcement agencies. You 
have a background at the National Security Agency. What is your 
involvement, if any, with respect to policy decisions, 
operational decisions, legal interpretation that touches on 
intelligence collection that may be related to or include 
collection of data, information, or anything pertaining to U.S. 
persons?
    Mr. Inglis. Senator, as you indicate I am an avid consumer 
of that, not simply for my own sake, so that on behalf of those 
I represent, the institutions that are charged with cyber 
defense, that we can be properly informed about the true nature 
of threat. That would, in turn, have an effect on what they 
then attempt to collect and how they then produce that. But I 
am not able to direct that with a hands-on ability, as 
appropriate to my limited responsibilities with respect to 
offensive or intelligence capabilities.
    Senator Ossoff. Thank you. Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Ossoff.
    A couple of final questions here for the panel, but I will 
start with Mr. Inglis on this question. I think all of you know 
right now we are in the middle of an investigation into the 
Kaseya hack, so I know you will be limited as to what you can 
say.
    But I think this Committee needs to understand, 
particularly with some of the information that came to light 
just recently regarding the FBI's action, that we need to 
understand how the administration balances the need for 
investigating a cyberattack and providing relief to the victims 
as well.
    As National Cyber Director, could you explain the process 
that the government uses to evaluate investigative needs 
compared to assisting victims in attacks, and do you coordinate 
with the FBI? Give us a better picture of how this happens.
    Mr. Inglis. Yes, sir. Thank you for the question. First I 
would say that the overwhelming bias is to assist the American 
people to essentially provide the government's resources focus 
its time and attention to assist them, as opposed to develop, 
for its own sake, some instrument of power for its own sake.
    The article the other day, that probably showed up first in 
The Washington Post, had a headline that indicated that there 
potentially was an undue delay in the kind of provision of the 
key. But when you read the article, the article itself, 
actually, I think, thoughtfully said that there was, in fact, a 
very strong focus on how do we help Kaseya, how do we help the 
downstream or upstream customers, and that challenge, which is 
the first and foremost priority, has to take into consideration 
how can we do this in a way that is at once timely and has the 
most significant impact. Those two things, sometimes when you 
align them, you wind up not trading one for the other, but not 
achieving an optimal effect on both of them at the same time.
    But I would say that the government starts with how do we 
actually assist the private sector in the most impactful way, 
how do we then use all of the instruments at our disposal to do 
that, and how do we then have a full-fledged discussion across 
those instruments of power in as timely a way as possible to 
come up with the strategy, the play.
    I will defer to Jen for the rest of the answer.
    Chairman Peters. Ms. Easterly.
    Ms. Easterly. Yes. Just to add to that, I have to say I was 
not here during those discussions. Certainly having managed 
live incidents in real time it is a very complex process, and 
certainly there are competing goals around doing what you can 
for current victims and then protecting potential victims.
    What I would say is I would expect to be part of any of 
those discussions going forward, and at CISA what I would do 
would be advocating for doing everything that we can to ensure 
that victims have the tools that they need to recover, 
remediate, and get their businesses back up and running, and 
that we have the information that we need to protect future 
victims. That is why your cyber incident legislation is so 
important.
    Chairman Peters. Mr. DeRusha, we will do a final question 
for you. We have been discussing some of the legislation that 
we are working on here in the Committee to reform FISMA, and we 
have heard from the other witnesses, some good input related to 
that. I wanted to give you an opportunity to suggest any 
reforms that you think are needed to FISMA to protect our 
Federal networks.
    Mr. DeRusha. Absolutely, Senator, and I appreciate the 
opportunity. As you know, we are working closely with your 
Committee staff on the bill, and we are excited about that 
opportunity. Director Easterly stated a lot of our priorities 
already, but I would reiterate that clarifying roles and 
responsibilities is crucial, and we are committed to that. 
Really moving toward tested security, away from attested 
security so that we can determine, through continuous 
monitoring and testing where the greatest risks are and address 
those first, and having supportive legislation of that.
    Having legislation that ensures that we are not being 
overly burdensome with multiple compliance requirements and 
regimes that are going toward agencies, and so that we can 
streamline some of that and maybe provide some relief on how 
often they need to do that so they can focus on remediating the 
vulnerabilities that they are finding through test and 
mechanisms.
    Also moving toward automation. There is a skills gap in 
this space--we are working to address it--but we cannot do that 
fast enough. We have to an on the technology and integrate that 
into our processes.
    I think those priorities are well aligned and shared, and 
we look forward to the right language to codify this into law.
    Chairman Peters. Thank you for that answer, and once again 
thank you to our witnesses for joining us today. I appreciate 
all of your efforts to strengthen our cybersecurity defenses. 
It is a big challenge. All three of you are certainly up to 
that challenge, and I appreciate you taking the time today to 
discuss these issues with the Committee. I think you can tell 
this Committee is very focused on these issues. All of the 
Members are very engaged, and we understand the seriousness of 
what we are dealing with and we want to support you in your 
efforts each and every day.
    We have to stay vigilant against these breaches and 
ransomware attacks, and effectively addressing these is going 
to require strong coordination between our offices and work in 
a bipartisan way.
    I look forward to continuing my work with Ranking Member 
Portman to introduce bills that will strengthen the cyber 
incident and ransom payment reporting requirements for key 
public and private sector entities and ensure that Federal 
Government networks are also prepared to deal with these 
evolving threats.
    I think we heard today that there is a clear need for our 
offices to get this information, which can help you connect the 
dots and who is behind these attacks, and help prevent 
potential targets from being potential victims. I look forward 
to continuing to work with all of you and my colleagues on this 
Committee to do everything in our power to strengthen our 
cybersecurity defenses.
    The record for this hearing will remain open for 15 days, 
until 5 p.m. on October 8, 2021, for the submission of 
statements and questions for the record.
    This hearing is now adjourned.
    Ms. Easterly. Thank you, Chairman.
    [Whereupon, at 12:05 p.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              
