[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
CISA 2025: THE STATE OF AMERICAN CYBERSECURITY FROM A STAKEHOLDER PERSPECTIVE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY AND INFRASTRUCTURE
PROTECTION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
MARCH 23, 2023
__________
Serial No. 118-4
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
52-262 WASHINGTON : 2023
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Majority
Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Carlos A. Gimenez, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Marjorie Taylor Greene, Georgia
Tony Gonzales, Texas
Nick LaLota, New York
Mike Ezell, Mississippi
Anthony D'Esposito, New York
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Dale W. Strong, Alabama
Josh Brecheen, Oklahoma
Elijah Crane, Arizona
Minority
Bennie G. Thompson, Mississippi, Ranking Member
Sheila Jackson Lee, Texas
Donald M. Payne, Jr., New Jersey
Eric Swalwell, California
J. Luis Correa, California
Troy A. Carter, Louisiana
Shri Thanedar, Michigan
Seth Magaziner, Rhode Island
Glenn Ivey, Maryland
Daniel S. Goldman, New York
Robert Garcia, California
Delia C. Ramirez, Illinois
Robert Menendez, New Jersey
Yvette D. Clarke, New York
Dina Titus, Nevada
Stephen Siao, Staff Director
Hope Goins, Minority Staff Director
Natalie Nixon, Chief Clerk
Sean Jones, Legislative Clerk
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
Majority
Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida
Mike Ezell, Mississippi
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Mark E. Green, MD, Tennessee (ex officio)
Minority
Eric Swalwell, California, Ranking Member
Sheila Jackson Lee, Texas
Troy A. Carter, Louisiana
Robert Menendez, New Jersey
Bennie G. Thompson, Mississippi (ex officio)
Cara Mumford, Subcommittee Staff Director
Moira Bergin, Minority Subcommittee Staff Director
Alice Hayes, Subcommittee Clerk
C O N T E N T S
----------
Statements
The Honorable Andrew R. Garbarino, a Representative in Congress From the State of New York, and Chairman, Subcommittee on Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Eric Swalwell, a Representative in Congress From the State of California, and Ranking Member, Subcommittee on Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
Prepared Statement
Witnesses
Ms. Tina Sherman, Director, Critical Infrastructure Protection and Transportation Security, U.S. Government Accountability Office:
Oral Statement
Prepared Statement
Mr. Drew Bagley, Vice President and Counsel, Privacy and Cyber Policy, CrowdStrike:
Oral Statement
Prepared Statement
Ms. Heather Hogsett, Senior Vice President, Technology and Risk Management, Bank Policy Institute:
Oral Statement
Prepared Statement
Mr. Marty Edwards, Vice President, Operational Technology Security, Tenable:
Oral Statement
Prepared Statement
Appendix
Question From Chairman Andrew R. Garbarino for Tina Won Sherman
Question From Chairman Andrew R. Garbarino for Marty Edwards
CISA 2025: THE STATE OF AMERICAN CYBERSECURITY FROM A STAKEHOLDER
PERSPECTIVE
----------
Thursday, March 23, 2023
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 310, Cannon House Office Building, Hon. Andrew R.
Garbarino [Chairman of the subcommittee] presiding.
Present: Representatives Garbarino, Gimenez, Ezell, Lee,
Luttrell, Swalwell, Jackson Lee, Carter, and Menendez.
Also present: Representatives Green and Thompson.
Chairman Garbarino. The Committee on Homeland Security on
Cybersecurity and Infrastructure Protection will come to order.
The purpose of this hearing is to receive testimony from a
panel of experts and industry leaders who will provide their
perspectives on CISA to the subcommittee through the lens of
its stakeholders. These witnesses will help the subcommittee
explore how the agency has gotten to where it is today and
provide ideas to help mature the agency by 2025 and beyond.
I now recognize myself for an opening statement.
I would like to thank the Members of the subcommittee and
our witnesses for joining us for our first hearing on the
Cybersecurity Infrastructure Protection subcommittee of the
118th Congress. I am honored to continue the great work we
started in the subcommittee last Congress, this time as
Chairman. We are here today to discuss a key agency to our
homeland security, the Cybersecurity and Infrastructure
Security Agency, or CISA, within the Department of Homeland
Security.
CISA has a critical mission set. It is tasked with
administering Federal cybersecurity requirements, supporting
private-sector cybersecurity, engaging with the Sector Risk
Management Agency, and ensuring the physical security of our
critical infrastructure. Today, we will focus specifically on
the cyber aspects of CISA's mission. CISA has a direct impact
on securing critical infrastructure, Federal agencies, and our
way of life. It is an agency built on partnerships, and those
partnerships with stakeholders play an important role in
furthering CISA's mission. So today we will hear from some of
those stakeholders to understand CISA's strengths, weaknesses,
and where it needs to go in the future.
In recent years, the United States has experienced a deluge
of high-profile cyber incidents, from SolarWinds to Colonial
Pipeline, to the Log4Shell vulnerability. Our cyber defenses, work
force, and processes have been put to the test, and CISA has
been at the center of every response. These incidents have
elevated cybersecurity issues across the country and
highlighted the importance of securing both Federal and
critical infrastructure networks.
As a result of the evolving cyber threat landscape,
Congress has asked a lot of CISA from Day 1 and expected it to
succeed. The reality is that CISA is still a young agency, it
was created in 2018, and since then it has grown exponentially.
Since fiscal year 2019, Congress has nearly doubled CISA's
annual budget from $1.68 billion in fiscal year 2019 to $2.9
billion in fiscal year 2023, and we are now looking at fiscal
year 2024 request of $3.1 billion. This level of funding would
be a lot for even a large, mature department to handle.
Congress has also given CISA significant new authorities,
including the responsibility of establishing a cross-sector
incident reporting rule making and the authority to
persistently hunt for threats on Federal networks without prior
agency approval. Properly executed, these new authorities and
resources will help CISA accomplish its mission.
This Congress, our subcommittee will conduct rigorous
oversight of CISA to ensure those new authorities are
implemented appropriately and CISA is a responsible steward of
taxpayer dollars. We need to take a step back and allow CISA to
get a handle on their new responsibilities and ask pointed
productive questions about its efforts. Like CISA is a
partner to industry to help them improve their cyber posture,
Congress should be a partner to CISA to help the agency mature
and reach its full potential.
We have four distinguished witnesses to kick off our
efforts. Each witness brings a different perspective on CISA
and its partnerships. With these witnesses, we will examine
CISA's role as the Nation's risk manager and how it balances
that role with its responsibilities as a Sector Risk Management
Agency for 8 sectors. We will consider the proper role for
regulation while balancing security and collaboration with CISA
as a partner to industry. We will also delve into CISA's
Federal network programs as well as external efforts as a
partner with private sector to improve critical infrastructure
cybersecurity, particularly through the Joint Cyber Defense
Collaborative.
Sounds like a lot we are doing today.
Additionally, we will discuss CISA's effort to secure
operational technology, or OT, an important aspect of critical
infrastructure mission.
I would be remiss if I did not comment on the need to address
the cyber work force shortage that both the Federal Government
and many industry partners across the 16 critical infrastructures
face. None of these efforts that I have outlined today will be
possible without a fully-equipped cyber work force. I look
forward to discussing the ways in which we can address the over
700,000 cyber work force gap that exists today.
I am looking forward to a thoughtful and productive
conversation about CISA and how it could improve and grow in
the future. It is imperative that CISA succeed in its important
mission. I look forward to working with my colleagues to find
bipartisan ways to ensure that it does.
[The statement of Chairman Garbarino follows:]
Statement of Chairman Andrew R. Garbarino
I'd like to thank the Members of the subcommittee and our witnesses
for joining us for our first hearing of the Cybersecurity and
Infrastructure Protection subcommittee of the 118th Congress. I'm
honored to continue the great work we started in this subcommittee last
Congress--this time, as Chairman.
We are here today to discuss a key agency to our homeland security:
the Cybersecurity and Infrastructure Security Agency, or CISA, within
the Department of Homeland Security. CISA has a critical mission set.
It is tasked with administering Federal cybersecurity requirements,
supporting private-sector cybersecurity, engaging with the sector risk
management agency community, and ensuring the physical security of our
critical infrastructure. Today, we will focus specifically on the cyber
aspects of CISA's mission.
CISA has a direct impact on securing critical infrastructure,
Federal agencies, and our way of life. It is an agency built on
partnerships--and those partnerships with stakeholders play an
important role in furthering CISA's mission. So today, we will hear
from some of those stakeholders to understand CISA's strengths,
weaknesses, and where it needs to go in the future.
In recent years, the United States has experienced a deluge of
high-profile cyber incidents, from SolarWinds, to Colonial Pipeline, to
the Log4Shell vulnerability. Our cyber defenses, workforce, and
processes have been put to the test, and CISA has been at the center of
every response. These incidents have elevated cybersecurity issues
across the country and highlighted the importance of securing both
Federal and critical infrastructure networks.
As a result of the evolving cyber threat landscape, Congress has
asked a lot of CISA from Day 1, and expected it to succeed. The reality
is that CISA is still a young agency; it was created in 2018 and since
then, it has grown exponentially. Since fiscal year 2019, Congress has
nearly doubled CISA's annual budget, from $1.68 billion in fiscal year
2019 to $2.9 billion in fiscal year 2023. We're now looking at the
fiscal year 2024 request of $3.1 billion. This level of funding would
be a lot for even a large, mature department to handle.
Congress has also given CISA significant new authorities, including
the responsibility of establishing a cross-sector incident reporting
rule-making and the authority to persistently hunt for threats on
Federal networks without prior agency approval. Properly executed,
these new authorities and resources will help CISA accomplish its
mission.
This Congress, our subcommittee will conduct rigorous oversight of
CISA to ensure those new authorities are implemented appropriately and
CISA is a responsible steward of taxpayer dollars. We need to take a
step back and allow CISA to get a handle on their new responsibilities
and ask pointed, but productive, questions about its efforts. Like CISA
is a partner to industry to help them improve their cyber posture,
Congress should be a partner to CISA to help the agency mature and
reach its full potential.
We have four distinguished witnesses to kick off our efforts. Each
witness brings a different perspective on CISA and its partnerships.
With these witnesses, we will examine CISA's role as the Nation's Risk
Manager and how it balances that role with its responsibilities as a
Sector Risk Management Agency, or SRMA, for 8 sectors. We will consider
the proper role for regulation while balancing security and
collaboration, with CISA as a partner to industry. We will also delve
into CISA's Federal network programs as well as external efforts as a
partner with the private sector to improve critical infrastructure
cybersecurity, particularly through the Joint Cyber Defense
Collaborative. Additionally, we will discuss CISA's efforts to secure
operational technology, or OT: an important aspect of its critical
infrastructure mission.
Finally, I would be remiss if I did not comment on the need to
address the cyber workforce shortage that both the Federal Government
and many industry partners across the 16 critical infrastructure
sectors face. None of these efforts that I've outlined today would be
possible without a fully-equipped cyber workforce, and I look forward
to discussing ways in which we can address the over 700,000 cyber
workforce gap that exists today.
I am looking forward to a thoughtful and productive conversation
about CISA and how it could improve and grow in the future. It's
imperative that CISA succeed in its important mission and I look
forward to working with my colleagues to find bipartisan ways to ensure
that it does.
Chairman Garbarino. I now recognize the Ranking Member, the
gentleman from California, Mr. Swalwell, for his opening
statement.
Mr. Swalwell. Thank you. I thank the Chairman and
congratulate the Chairman and his staff for taking over this
subcommittee. I look forward to working with you, Mr. Chairman.
There are a lot of topics that come before this committee
where you will see passionate debate between both sides, mostly
earnest, substantive, but here, I don't think there is much
daylight between the two of us as far as what our cybersecurity
threats are and the resolve that the two of us have to meet
them.
For me, particularly in my Congressional district, with so
many people who work in high tech with two national
laboratories, to also make sure that we can deploy awareness
and technologies to small businesses in an affordable way. You
know, 10 years ago, when I first came on this committee, you
had to be this tall to be a target of a serious ransomware
attack. Today, small businesses, thousands of small businesses,
are being hit every single day. So it is part of my goal on
this committee to work with the Chairman to make sure that we
can really harden the defenses, especially for critical
infrastructure, but especially small businesses.
I want to thank the witnesses for participating today and
also our staff who prepared this hearing.
The Cybersecurity and Infrastructure Protection
subcommittee has strong bipartisan support and bipartisan
collaboration. Just, again, I look forward--as this is the
first committee hearing of the year--to working with the
Chairman and his staff and his Members as we pursue that.
But speaking of CISA, as the Chairman pointed out, we have
nearly doubled since 2019 CISA's budget. When we established it
4.5 years ago, we envisioned the agency as a sophisticated
cybersecurity and infrastructure organization. Thanks to
bipartisan work on this subcommittee and the full committee, it
has matured rapidly and is growing more capable of meeting our
Nation's complex and diverse threat environment. All of us have
been impressed by what CISA has been able to accomplish so far.
However, as the Chairman referenced, we need to work to support
the agency as it continues to adapt to the cybersecurity needs
of our Federal Government, critical infrastructure sector, and
private enterprises, especially small businesses.
From election security to Shields Up, CISA has demonstrated
an ability to dynamically surge resources to counter emerging
threats and collaborate strategically with the private sector.
Looking ahead, Director Easterly has set ambitious goals to
modernize CISA's Federal network security programs, to
tactically engage with entities whose resilience matters most
to our national security, and to drive adoption of secure by
design and secure by default. At the same time, CISA is in the
process of implementing the Cyber Incident Reporting Bill, is
in the second year of the State and Local Cyber Grants Program,
and is executing on a range of new authorities.
As we speak, this week they are hosting the inaugural
Planning Summit for the Joint Cyber Defense Collaborative, also
known as JCDC, which was established in August 2021. Everyone
who I have spoken to about JCDC has told me and our staff of
its importance to ensuring productive collaboration between
CISA and the private sector. JCDC has enabled rapid information
sharing among Government and private-sector partners following
Russia's invasion of Ukraine, and it was critical to addressing
the Log4j vulnerability. But JCDC has existed for a year-and-a-
half without a charter or concrete criteria for membership, all
of which are essential for the JCDC to provide enduring value.
A number of people have asked me, how do we get into JCDC?
Toward that end, in the coming weeks, I plan to introduce
legislation to clarify the activities of the JCDC to improve on
its successes and increase its impact. CISA is also in the
process of growing its support for operational technology
security by continuing implementation of the CyberSentry
program and the Industrial Control Systems Cybersecurity
Training Act, which I introduced and was signed into law last
year.
I say this to make the point that while CISA pursues the
ambitious agenda set by its leadership, it must also
effectively execute its existing obligations, including to
promote the great training and educational resources provided
by CISA that are widely utilized across industries.
Two principles drove Congress' work last year in the
subcommittee, an increase to the Federal Government's
visibility of malicious cyber activity, and second, pushing
resources to entities most vulnerable to cyber attacks.
As we approach oversight this Congress, we must ensure the
laws we have enacted deliver concrete security value and
preserve the trust we have built with the private sector to
advance critical cybersecurity policy and work with CISA to
address gaps.
CISA's collaboration with the private sector is essential
to both its Federal network and critical infrastructure
activities. I am glad we are kicking off this Congress by
hearing from some of CISA's most active partners. The testimony
from our witnesses today will play a key role in the on-going
oversight of CISA moving forward.
With that, again, welcome to the witnesses, and thank you,
Mr. Chairman, for convening us.
[The statement of Ranking Member Swalwell follows:]
Statement of Ranking Member Eric Swalwell
March 23, 2023
Good morning. Before I begin, I would like to congratulate my
friend from New York, Mr. Garbarino, on becoming Chairman of the
subcommittee. I am confident that we will be able to continue this
subcommittee's tradition of bipartisanship under your leadership.
The Cybersecurity and Infrastructure Protection Subcommittee has a
strong history of productive collaboration and, as a result, has
enacted meaningful legislation to provide cybersecurity grants to State
and local governments; enhanced cybersecurity education and training
programs; strengthened Federal network security; and improved our ability
to understand and address threats to operational technology.
In short, this subcommittee's commitment to bipartisanship has
increased capacity and reduced risk for both the public and private
sectors. I look forward to building on that record with you this
Congress, Mr. Chairman.
Since 2019, Congress has nearly doubled CISA's budget and expanded
its authorities significantly.
When Congress established CISA 4½ years ago, we envisioned the
agency as a sophisticated cybersecurity and infrastructure protection
organization. Thanks to bipartisan work on this subcommittee, and the
full committee, CISA has matured rapidly, and is growing more capable of
meeting the challenges of our complex and diverse threat environment.
I am impressed by what CISA has been able to accomplish so far, and
will always work to support the agency as it continues to adapt to the
cybersecurity needs of our Federal Government, critical infrastructure
sector, and private enterprises.
From election security to the ``Shields Up'' campaign, CISA has
demonstrated an ability to dynamically surge resources to counter
emerging threats and collaborate strategically with the private sector.
Looking ahead, Director Easterly has set ambitious goals to
modernize CISA's Federal network security programs, tactically engage
with entities whose resilience matters most to our national security
and our economy, and drive adoption of secure-by-design and secure-by-
default.
I look forward to learning more about how CISA will work with
Congress, its partners in the Executive branch, and the private sector
to get the buy-in necessary for success.
At the same time, CISA is currently in the process of implementing
the cyber incident reporting bill, is on the second year of the State
and local cyber grants program, and is executing on a range of new
authorities.
As we speak, CISA is hosting the inaugural planning summit for the
Joint Cyber Defense Collaborative (JCDC), which was established in
August 2021.
Everyone I have spoken to about JCDC has told me about its
importance to ensuring productive collaboration between CISA and the
private sector. The JCDC enabled rapid information sharing among
Government and private-sector partners following Russia's invasion of
Ukraine and it was critical to addressing the Log4j vulnerability.
But JCDC has existed for a year-and-a-half without a charter or
concrete criteria for membership--all of which are essential for the
JCDC to provide enduring value.
Toward that end, in the coming weeks, I plan to introduce
legislation to clarify the activities of the JCDC to improve on its
successes and increase its impact.
CISA is also in the process of growing its support for operational
technology security by continuing implementation of the CyberSentry
program and the Industrial Control Systems Cybersecurity Training Act,
which I introduced and was signed into law last year.
I say this to make the point that while CISA pursues the ambitious
agenda set by its leadership--some of which will require this committee
to provide new resources and authorities--it must also effectively
execute its existing obligations, including ensuring that the great
training and educational services provided by CISA are widely utilized
across industries.
Last Congress, two principles drove the subcommittee's work: First,
an increase to the Federal Government's visibility of malicious cyber
activity and second, pushing resources to entities most vulnerable to
cyber attack. As we approach our oversight this Congress, we must
ensure the laws we've enacted deliver concrete security value, preserve
the trust we built with the private sector to advance critical
cybersecurity policy, and work with CISA to address gaps in capacity.
My district is home to countless technology companies, so I know
the value the private sector adds to the Federal Government's
cybersecurity efforts.
CISA's collaboration with the private sector is essential to both
its Federal network and critical infrastructure activities, and I am
glad that we are kicking off the Congress by hearing from some of
CISA's most active partners.
The testimony from our witnesses today will play a key role in our
on-going oversight of CISA moving forward.
With that, I thank our witnesses for being here today and I look
forward to their testimony.
I yield back.
Chairman Garbarino. Thank you, Ranking Member Swalwell.
I have to say we had a lot of wins on this committee the
last 2 years, and I am really looking forward to working with
you. A lot of bipartisan wins. So I think we're going to be
able do a lot together.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
March 23, 2023
Good morning. I want to congratulate Chairman Garbarino and Ranking
Member Swalwell on their first hearing as the leaders of the
subcommittee.
As Ranking Member Swalwell observed in his opening statement, this
subcommittee has an impressive record of bipartisan action.
I commend former Chairwoman Clarke on everything she accomplished
last Congress with then-Ranking Member Garbarino--from Cyber Incident
Reporting legislation to the State and local cybersecurity grant
program.
I sincerely hope that this Congress the Chairman and Ranking Member
will continue the strong tradition of seeking common ground to advance
critical security policy.
I am proud of the organization CISA has become over the past 4½
years, thanks in large part to the work of this committee.
It has matured into a powerful convener of public and private-
sector capacity, with an ability to rapidly shift focus in response to
national security dynamics.
Like Ranking Member Swalwell, I am enthusiastic about CISA's
potential, but want to strike the right balance between continuing to
grow CISA's authorities and making sure that it can execute the
missions and objectives Congress has already authorized.
I am also concerned that CISA's important work on cybersecurity may
have come at the cost of a diminished focus on its obligations related
to the physical security of critical infrastructure.
As our world becomes more interconnected and the line between cyber
and physical security continues to blur, we must redouble our efforts
on ensuring our critical infrastructure is resilient to all threats.
In that vein, new goals in one of CISA's divisions cannot come at
the cost of diminishing capacity in another.
I am interested in learning more about Director Easterly's plans to
work with Sector Risk Management Agencies (SRMA) to identify and
provide enhanced support to ``target-rich, cyber-poor'' entities, and I
hope that in doing so, CISA considers the overall resilience.
On a related note, I am concerned about a proposed funding cut for
the Infrastructure Security Division and how it could impact CISA's
ability to effectively serve as an SRMA for 8 critical infrastructure
sectors and partner with other SRMAs across government.
Ensuring that CISA has the resources and expertise to fulfill its
cross-sector and SRMA obligations is essential to building national
resilience, and I will be interested to learn what more this committee
can do to grow that capability at CISA.
Finally, this committee passed landmark pieces of cybersecurity
legislation last Congress, and now it is our responsibility to ensure
that they are implemented as Congress envisioned.
Toward that end, I will be interested to understand how the
private-sector witnesses have engaged with CISA as it works to draft
the cyber incident reporting rule and how multiple incident reporting
requirements could impact incident response.
I am also interested in perspectives on the implementation of the
State and local cybersecurity grant program, how it is improving
security across the country, and how we can maintain this progress
moving forward.
Stakeholder perspectives are critical to this committee's work, and
I thank the witnesses for being here today.
I look forward to the testimony, and I yield back the balance of my
time.
Chairman Garbarino. I am pleased to have a distinguished
panel of witnesses before us today on this very important
topic. I ask that our witnesses please rise and raise their
right hand.
[Witnesses sworn.]
Chairman Garbarino. Let the record reflect that the
witnesses have answered the affirmative.
Thank you. Please be seated.
I would now like to formally introduce our witnesses.
Tina Won Sherman is a director in the Government
Accountability Office's Homeland Security and Justice Team. She
oversees work on the protection of the Nation's critical
infrastructure assets and the security of the U.S.
Transportation system. She has also been here quite a few
times. We always enjoy having her. In her over 20 years of
tenure at GAO, she has done extensive work on CISA's role as
the Nation's risk manager and how it balances that role with
its responsibilities as a Sector Risk Management Agency for 8
sectors.
Ms. Sherman has also led reviews on a range of issues
including telecommunications, transportation, and defense, and
served in GAO's Office of Congressional Relations.
Drew Bagley is the vice president and counsel for privacy
and cyber policy at CrowdStrike, where he is responsible for
leading CrowdStrike's data protection initiatives, privacy
strategy, and global policy engagement. He serves on the
Europol Advisory Group on Internet Security, the U.S.
Department of State's International Digital Economy and
Telecommunication Advisory Committee, and the Domain Name
System Abuse Institute's Advisory Council. Prior to joining
CrowdStrike, Mr. Bagley served in the Office of General Counsel
at the Federal Bureau of Investigation. He will offer an
important perspective on CISA's internal Federal network
program and valuable insight as a participant in CISA's Joint
Cyber Defense Collaborative work.
Heather Hogsett is a senior vice president for technology
and risk strategy for BITS at the Bank Policy Institute. In
this capacity, Ms. Hogsett represents a heavily-regulated
critical infrastructure sector, the financial sector. Before
joining BPI, Ms. Hogsett served as staff director for Federal
relations at the National Governors Association, where she
oversaw NGA's Federal legislative agenda and activities on
cybersecurity, homeland security and defense, emergency
management, and Veterans Affairs.
Her experience with Government and within the financial
sector will help us understand the proper role for regulation
and where CISA fits in as a partner to industry.
Finally we have Mr. Marty Edwards, the deputy chief
technology officer for operational technology at Tenable. Prior
to joining Tenable Mr. Edwards served as the global director of
education at the International Society of Automation, as well
as the longest-serving director of the U.S. Department of
Homeland Security's Industrial Control Systems Cyber Emergency
Response Team. He brings a wealth of knowledge about critical
infrastructure and technology security and will be able to
speak to CISA's efforts to support the community as well as
provide a perspective on CISA's JCDC.
I thank all the witnesses for being here today.
I now recognize Ms. Sherman for 5 minutes to summarize her
opening statement.
STATEMENT OF TINA SHERMAN, DIRECTOR, CRITICAL INFRASTRUCTURE
PROTECTION AND TRANSPORTATION SECURITY, U.S. GOVERNMENT
ACCOUNTABILITY OFFICE
Ms. Sherman. Chairman Garbarino, Ranking Member Swalwell,
and Members of the subcommittee, I am pleased to be testifying
before the subcommittee today on this important topic.
As the subcommittee is keenly aware, cyber and physical
attacks on critical infrastructure are on the rise, with
hospitals, schools, and electricity substations all having been
recent targets. Few of us are immune to the impact of these
attacks, which can have debilitating effects on the assets and
systems that underpin our daily lives and also have significant
financial and sometimes life-threatening implications.
Strengthening the public- and private-sector partnership to
address this national security priority, the agency I work for,
GAO, has been reviewing Federal efforts to secure critical
infrastructure for over 2 decades and placed protecting
cyber critical infrastructure on our high-risk list in 2003.
The Cybersecurity and Infrastructure Security Agency, CISA,
within the Department of Homeland Security, serves as the
national coordinator for critical infrastructure security. In
this role, CISA is responsible for coordinating Federal actions
to protect the Nation against risks to this infrastructure, as
well as foster collaboration between the public and private
sector to share information and respond to incidents. CISA also
defines how sector risk management agencies should carry out
their responsibilities and ensure that they have the guidance
and support needed to effectively engage with owners and
operators, those in State, local, Tribal, and territorial
governments and other stakeholders.
Sector risk management agencies, or SRMAs, are the Federal
departments with subject-matter expertise in one or more of the
16 critical infrastructure sectors and are responsible for
leading, facilitating, and supporting critical infrastructure
programs and activities in coordination with CISA. They are
also uniquely positioned to partner with other government
entities in the private sector. The Fiscal Year 2021 National
Defense Authorization Act codified their responsibilities and
also required GAO to review implementation of these
responsibilities every 4 years through 2034.
The administration's recently-issued National Cybersecurity
Strategy calls on SRMAs to serve as a key player in ensuring
critical infrastructure security and resilience. Yet, several
important efforts to strengthen these agencies' ability to
effectively support their sectors are under way without
completion. This includes the rewrite of Presidential Policy
Directive 21 for Critical Infrastructure Security, along with
updates to the National Infrastructure Protection Plan and all
16 sector-specific plans.
The report GAO issued last month also found that CISA could
assist SRMAs in implementing their responsibilities through
additional guidance as well as improved communication and
coordination. For example, CISA does not have a standardized
approach for agencies to estimate costs or make requests for
resources, does not consistently measure the maturity and
effectiveness of the agencies, has created but not yet filled
liaison positions with them, and does not obtain regular
feedback on their partnerships. We recommended CISA establish
milestones and time lines to complete these steps, which we
believe would help guide and ensure a consistent level of
effort across SRMAs to safeguard our Nation and its people.
I want to thank my team in preparing me for this hearing
and to the subcommittee for including me today in this
important and timely discussion.
[The prepared statement of Ms. Sherman follows:]
Prepared Statement of Tina Won Sherman
Thursday, March 23, 2023
Critical Infrastructure Protection.--Time Frames to Complete CISA
Efforts Would Help Sector Risk Management Agencies Implement Statutory
Responsibilities
GAO-23-106720
Chairman Garbarino, Ranking Member Swalwell, and Members of the
subcommittee: Thank you for the opportunity to discuss our work on
Sector Risk Management Agencies (SRMAs)--departments or agencies,
designated by law or Presidential directive, with responsibility for
providing institutional knowledge and specialized expertise to a
sector. My testimony today summarizes the findings from our February
2023 report entitled Critical Infrastructure Protection: Time Frames to
Complete DHS Efforts Would Help Sector Risk Management Agencies
Implement Statutory Responsibilities.\1\ That report examined new
responsibilities for SRMAs and the Department of Homeland Security's
role in coordinating SRMA activities.\2\ \3\
---------------------------------------------------------------------------
\1\ GAO, Critical Infrastructure Protection: Time Frames to
Complete DHS Efforts Would Help Sector Risk Management Agencies
Implement Statutory Responsibilities, GAO-23-105806 (Washington, DC:
Feb. 7, 2023).
\2\ 6 U.S.C. 665d.
\3\ The William M. (Mac) Thornberry National Defense Authorization
Act for Fiscal Year 2021 outlined these new SRMA responsibilities.
---------------------------------------------------------------------------
Events have demonstrated how disruption or destruction of the
Nation's critical infrastructure could have debilitating effects. In
particular, the 2021 cyber attack on the Colonial Pipeline disrupted
the Nation's largest fuel pipeline, and an extreme weather event in
Texas caused wide-spread power and water outages.\4\ Such events also
illustrate how the Nation's critical infrastructure assets and systems
are often interconnected with critical infrastructure in other sectors
and the internet, making them more vulnerable to attack. Protecting
critical infrastructure is a national security priority because it
provides essential functions--such as supplying water, generating
energy, and producing food--that underpin American society.
---------------------------------------------------------------------------
\4\ In May 2021, we issued a WatchBlog post addressing the Colonial
Pipeline attack and the Federal Government and private-sector response.
See https://www.gao.gov/blog/colonial-pipeline-cyberattack-highlights-need-better-federal-and-private-sector-preparedness-infographic.
---------------------------------------------------------------------------
The Cybersecurity and Infrastructure Security Agency Act of 2018
assigned the Cybersecurity and Infrastructure Security Agency (CISA)
the responsibility to coordinate a national effort to secure and
protect against critical infrastructure risks.\5\ As such, the
Secretary of Homeland Security designated the director of CISA as the
national coordinator for critical infrastructure security and
resilience. CISA provides a variety of cyber and infrastructure
security capabilities and services to Federal and non-Federal
organizations, including assessments and analysis, capacity building,
expertise and guidance, and security operations (e.g., incident
response).
---------------------------------------------------------------------------
\5\ Cybersecurity and Infrastructure Security Agency Act of 2018,
Pub. L. No. 115-278, 2(a), 132 Stat. 4168, 4169 (codified at 6 U.S.C.
652). The act renamed the Department of Homeland Security's National
Protection and Programs Directorate as CISA and outlined CISA's
responsibilities.
---------------------------------------------------------------------------
At the Federal level, SRMAs are responsible for leading,
facilitating, or supporting the security and resilience programs and
associated activities within their designated critical infrastructure
sector.\6\ The private sector owns and operates the majority of
critical infrastructure. Therefore, it is vital that the public and
private sectors work together to protect assets and systems.
---------------------------------------------------------------------------
\6\ 6 U.S.C. 651(5). Presidential Policy Directive-21 (PPD-21)
previously called these agencies Sector-Specific Agencies. The William
M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year
2021 codified Sector-Specific Agencies as SRMAs. In 2013, PPD-21
categorized the Nation's critical infrastructure into 16 sectors with
at least one Federal agency designated as SRMA for the sector, although
the number of sectors and SRMA assignments are subject to review and
modification. Those designations are still in effect. See 6 U.S.C.
652a(b). Additionally, some sectors have subsectors, such as the
Education subsector within the Government Facilities sector, with the
Department of Education having a lead sector risk management role for
the subsector.
---------------------------------------------------------------------------
The William M. (Mac) Thornberry National Defense Authorization Act
for Fiscal Year 2021 (FY21 NDAA) includes a provision for GAO to report
on the effectiveness of SRMAs in carrying out responsibilities set
forth in the act. Our February 2023 report and my statement today
address: (1) How the fiscal year 2021 NDAA changed sector risk
management agency responsibilities, and the actions these agencies
reported taking to address them; and (2) the extent to which CISA
identified and undertook efforts to help sector risk management
agencies implement their responsibilities set forth in the fiscal year
2021 NDAA.
To address these objectives, we analyzed the fiscal year 2021 NDAA
and relevant policy directives, collected written responses from SRMAs
for all 16 sectors using a standardized information collection tool,
reviewed other DHS documents, and interviewed CISA officials.\7\
Additional information about our scope and methodology can be found in
our February 2023 report. Our work was performed in accordance with
generally accepted Government auditing standards.
---------------------------------------------------------------------------
\7\ Three critical infrastructure sectors have co-SRMAs. When co-
SRMAs responded to a question with the same answer, we categorized that
response as one critical infrastructure sector. In cases where the co-
SRMAs for a critical infrastructure sector disagreed, we did not
include either of them in the sector count and noted the disagreement.
---------------------------------------------------------------------------
Fiscal Year 2021 NDAA Expanded SRMA Responsibilities, and Agencies Have
Actions Underway to Address Them
The fiscal year 2021 NDAA expanded SRMA responsibilities previously
outlined in Presidential Policy Directive-21 (PPD-21) and added risk
assessment and emergency preparedness as responsibilities not
previously included in the directive for SRMAs.\8\ Specifically, prior
to the fiscal year 2021 NDAA, PPD-21 included the following four SRMA
responsibilities: (1) Serve as a Federal interface for the
prioritization and coordination of sector-specific activities; (2)
carry out incident management responsibilities; (3) provide, support,
or facilitate technical assistance and consultations for sectors to
support risk management activities; and (4) support the Secretary of
Homeland Security by sharing information on sector-specific critical
infrastructure. The fiscal year 2021 NDAA expanded the sector
coordination, incident management, risk management, and information-
sharing responsibilities found in PPD-21 by adding specific activities
for SRMAs to carry out within these areas. For example, the fiscal year
2021 NDAA requires SRMAs to conduct sector coordination activities,
including serving as the day-to-day Federal interface for the
prioritization and coordination of sector-specific activities; serving
as Federal Government coordinating council chair; and participating in
cross-sector coordinating councils, as appropriate.
---------------------------------------------------------------------------
\8\ CISA and the other SRMAs also have roles related to emergency
preparedness efforts under the National Preparedness Goal and the
National Response Framework. PPD-8 directed the Secretary of Homeland
Security to develop a national preparedness goal, which defines the
core capabilities necessary for emergency response to specific types of
incidents. The National Response Framework is a guide to how the Nation
responds to disasters and emergencies of all types. The most recent
edition of the framework identifies 15 emergency support functions that
serve as the Federal Government's primary coordinating structure for
building, sustaining, and delivering response capabilities. According
to the framework, existing infrastructure plans and coordination
mechanisms such as SRMAs and councils provide strong foundations for
strengthening incident response plans and capabilities. As part of the
National Infrastructure Protection Plan, the critical infrastructure
sectors and SRMAs have developed sector-specific plans. For more
information, see Department of Homeland Security, National Response
Framework, 4th ed. and GAO, Emergency Preparedness: Opportunities Exist
to Strengthen Interagency Assessments and Accountability for Closing
Capability Gaps [Reissued on December 9, 2015], GAO-15-20 (Washington,
DC: Dec. 4, 2014).
---------------------------------------------------------------------------
Expanded responsibilities.--In response to the expanded
responsibilities required by the fiscal year 2021 NDAA described above,
some SRMAs reported having actions under way to address these
responsibilities. SRMA officials for 4 of the 16 critical
infrastructure sectors reported adapting activities related to sector
coordination, incident management, risk management, or information
sharing to address their responsibilities in the act. For example, as
SRMA in the health care and public health sector, Department of Health
and Human Services officials reported coordinating an effort to analyze
the department's existing cyber authorities to identify and mitigate
any gaps, as well as developing a cyber-incident response plan.
Additionally, some SRMA officials also reported that activities
they established prior to the enactment of the fiscal year 2021 NDAA
already address the responsibilities outlined in the act. For example,
SRMA officials from the Department of Energy and the Environmental
Protection Agency, representing the energy sector and water and
wastewater systems sector respectively, reported that they already
address the responsibilities outlined in the fiscal year 2021 NDAA.
Finally, as an SRMA for 8 of the 16 sectors, CISA described
established activities that address sector coordination, incident
management, risk management, and information sharing. Specifically,
CISA officials reported that CISA's Stakeholder Engagement Division
focuses on developing relationships with industry and Government in
CISA's sectors by meeting with Sector Coordinating Councils and issuing
advisories and analysis reports to partners.
Added responsibilities.--To address the added risk assessment and
emergency preparedness responsibilities required by the fiscal year
2021 NDAA, SRMA officials for 5 of the 16 critical infrastructure
sectors described how they plan to take new actions to address the risk
assessment responsibilities outlined in the fiscal year 2021 NDAA. For
example, as SRMA in the communications sector, DHS officials reported
plans to develop and maintain a communications risk register that
includes cybersecurity risks to emergency communications
infrastructure. SRMA officials for 15 of the 16 critical infrastructure
sectors also stated that they had conducted risk assessment activities
prior to their inclusion in the fiscal year 2021 NDAA.\9\
---------------------------------------------------------------------------
\9\ As the co-SRMAs in the government facilities sector, both DHS
Federal Protective Service and General Services Administration
officials did not describe conducting prior risk assessment activities.
They stated that prior to the fiscal year 2021 NDAA, non-CISA co-SRMAs
were not required to conduct risk assessments for their sector and did
not have the authority to require their Federal and non-Federal
partners to provide responses or submit information for such
assessments.
---------------------------------------------------------------------------
With regard to emergency preparedness responsibilities, SRMA
officials for 6 of the 16 critical infrastructure sectors described how
they plan to take new actions to address the emergency preparedness
responsibilities outlined in the fiscal year 2021 NDAA. For example, as
SRMA in the financial services sector, Department of the Treasury
officials reported enhancing a tabletop exercise program, developing a
functional exercise platform to improve cybersecurity exercises, and
refining incident management and crisis communication tool kits. SRMA
officials for all 16 critical infrastructure sectors also stated that
they had conducted emergency preparedness activities prior to their
inclusion in the fiscal year 2021 NDAA.
Implementation challenges.--SRMA officials cited two challenges in
implementing their responsibilities: (1) The voluntary nature of
private-sector participation in SRMA activities, and (2) limited or no
dedicated resources for SRMA duties. According to SRMA officials, these
challenges pre-dated the enactment of the fiscal year 2021 NDAA.
Additional challenges SRMA officials identified included coordination
issues related to inaccurate SRMA point-of-contact lists and government
coordinating council and sector coordinating council membership lists,
and limited technical cybersecurity expertise. Our past work describing
other DHS functions has highlighted the importance of maintaining
accurate and up-to-date contact information for the sharing of
information.\10\
---------------------------------------------------------------------------
\10\ See GAO, Cybersecurity: DHS's National Integration Center
Generally Performs Required Functions but Needs to Evaluate Its
Activities More Completely, GAO-17-163 (Washington, DC: Feb. 1, 2017).
SRMA officials said they expected CISA to possibly address this
challenge if it established consistent communication mechanisms in
response to the fiscal year 2021 NDAA. According to CISA officials,
CISA has efforts under way to address issues related to inaccurate
points of contact lists.
---------------------------------------------------------------------------
Participation in SRMA critical infrastructure protection efforts is
voluntary, which SRMA officials for 11 critical infrastructure sectors
reported as a challenge to conducting their responsibilities. For
example, they reported that this affected their ability to stay
apprised of issues in the sector and to collect information. SRMA
officials reported that these challenges existed prior to the fiscal
year 2021 NDAA and they generally expected them to continue.
SRMA officials also stated that they face challenges because they
have limited or no dedicated resources to implement their
responsibilities. SRMA officials for 13 of the 16 sectors, including
those with and without dedicated resources for SRMA activities, stated
that they planned to request additional resources to help them
implement their fiscal year 2021 NDAA responsibilities.
CISA Has Identified and Undertaken Efforts to Help SRMAs, but Does Not
Have Milestones and Time Lines to Complete Them
CISA has identified and undertaken some efforts that could help
SRMAs implement their fiscal year 2021 NDAA responsibilities. In
November 2021, CISA reported on several on-going and planned efforts to
help SRMAs implement these responsibilities and to clarify Federal
roles and responsibilities for cybersecurity and infrastructure
security actions across the Federal Government.\11\ In addition, CISA
officials described various efforts to help SRMAs implement their
fiscal year 2021 NDAA responsibilities, including:
---------------------------------------------------------------------------
\11\ In response to the fiscal year 2021 NDAA, CISA reviewed the
framework for securing critical infrastructure and submitted a report
to the President and Congressional committees that made
recommendations. According to CISA officials, they met with and
collected feedback from SRMAs while preparing this report. According to
CISA officials in January 2023, the President officially approved the
recommendations in the 9002(b) report, and initiated the process to
rewrite PPD-21. CISA, Fiscal Year 2021 National Defense Authorization
Act: Section 9002(b) Report, (Nov. 12, 2021).
---------------------------------------------------------------------------
Define maturity and effectiveness metrics.--CISA officials told us
in October 2022 they expect to develop a methodology and metrics to
measure the maturity and effectiveness of SRMAs in implementing
responsibilities outlined in the fiscal year 2021 NDAA. For example, in
its November 2021 report, CISA recommended that the Federal Senior
Leadership Council conduct a sector-by-sector assessment of SRMA
partnership participation.\12\ CISA officials told us in March 2022
that these efforts could include both standardized metrics to measure
effectiveness across all sectors, and sector-specific metrics.
---------------------------------------------------------------------------
\12\ CISA, Section 9002(b) Report, 42.
---------------------------------------------------------------------------
Develop standardized budget guidance.--In its November 2021 report,
CISA officials identified a need to develop a baseline cost estimation
tool for SRMAs.\13\ According to the report, this tool would provide
SRMAs a baseline estimate of resource needs, and could be tailored to
each SRMA. CISA also proposed implementing a consistent resource
request process across the SRMAs, which could help address the
challenges associated with their resource limitations, as previously
discussed. According to CISA officials, this budget formulation tool
would allow SRMAs to request sufficient resources to implement their
fiscal year 2021 NDAA responsibilities.
---------------------------------------------------------------------------
\13\ CISA, Section 9002(b) Report, 5.
---------------------------------------------------------------------------
Create sector liaison positions.--In August 2022, CISA officials
told us they created liaison positions focused on fostering CISA's
relationship with SRMAs. According to CISA officials, these liaisons
will help CISA respond to the responsibilities outlined in the fiscal
year 2021 NDAA by enhancing communication and coordination with SRMAs,
triaging information in response to incidents, and responding to
requests for information.
Enhance the Federal Senior Leadership Council.--The Federal Senior
Leadership Council provides a forum for coordination and communication
among agencies with critical infrastructure responsibilities, including
SRMAs. The council coordinates implementation of SRMA responsibilities
as well as other initiatives related to protecting critical
infrastructure. According to CISA officials, the Federal Senior
Leadership Council is intended to be one of the primary ways CISA will
coordinate actions to implement the fiscal year 2021 NDAA across the
Federal Government.
Develop a standardized feedback process.--CISA officials told us in
June 2022 that they are developing a process to conduct standardized
surveys of critical infrastructure stakeholders and plan to use the
results to conduct assessments. They said surveys allow them to measure
the outcome of sector efforts by collecting information from partners
on their intent to take action based on the information, tools, or
capabilities provided to them, which they said is important due to the
voluntary nature of sector partnerships.
Update the 2013 National Plan and sector-specific plans.--CISA
officials told us in March 2022 that the updated National
Infrastructure Protection Plan (National Plan) will clarify SRMA
responsibilities in response to the fiscal year 2021 NDAA. The National
Plan is a key guidance document that provides the overarching national
approach for critical infrastructure protection. CISA officials stated
that the National Plan will be the ``cornerstone'' to guide SRMAs as
they implement their responsibilities. According to CISA officials, the
updated National Plan will: (1) Include a revised approach to critical
infrastructure protection, (2) provide information on SRMA
responsibilities set forth in the fiscal year 2021 NDAA, (3) clarify
Federal roles and responsibilities for sector risk management, and (4)
outline how Government and industry should coordinate to identify and
mitigate threats to critical infrastructure. The 2013 update of the
National Plan responded to new policy in PPD-21, including an explicit
provision that DHS update the National Plan to implement the new
directive. CISA officials told us they would not make further updates
to the National Plan until the review of PPD-21 is completed.
Further, CISA officials stated in October 2022 they plan to provide
additional guidance to SRMAs on how they should update their sector-
specific plans. CISA officials told us that the updated sector-specific
plans should describe how the sector will implement the updated
National Plan, along with efforts tailored to the sector's unique
characteristics. CISA officials told us they expected to issue an
updated sector-specific plan template 3 to 6 months after the release
of the updated National Plan for SRMAs to use in collaboration with
their sector partners. Further, they told us that the sector-specific
plans would likely take 1 year to develop.
Although CISA has identified and started a number of efforts to
help SRMAs implement their fiscal year 2021 NDAA responsibilities, CISA
does not have milestones and time lines to complete its efforts.
According to selected characteristics from GAO's Key Questions to
Assess Agency Reform Efforts, Government reform efforts should have
milestones and time lines to track implementation progress, which can
also provide transparency about the progress of reforms.\14\
---------------------------------------------------------------------------
\14\ GAO, Government Reorganization: Key Questions to Assess Agency
Reform Efforts, GAO-18-427 (Washington, DC: June 13, 2018).
---------------------------------------------------------------------------
CISA officials said they had not established milestones and time
lines to complete CISA's efforts because the agency has prioritized
defining its own role as national coordinator. For example, as of
October 2022, CISA officials said they were in the process of
developing ways to implement CISA's new authorities under the fiscal
year 2021 NDAA, which requires SRMAs to carry out their
responsibilities in coordination with the CISA director and consistent
with DHS strategic guidance.
We recognize that CISA's efforts to address its fiscal year 2021
NDAA responsibilities are linked to its efforts to mature in its role
as national coordinator. However, SRMA officials for all 16 critical
infrastructure sectors reported that CISA had not yet provided guidance
to help the agencies implement their fiscal year 2021 NDAA
responsibilities. Establishing milestones and time lines, and updating
them when necessary, to accomplish its efforts to support SRMAs, would
help ensure CISA completes them in a timely manner.
We recommended, and DHS concurred, that the director of CISA
establish milestones and time lines for its efforts to provide guidance
and improve coordination and information sharing that would help SRMAs
implement their fiscal year 2021 NDAA responsibilities, and ensure the
milestones and time lines are updated through completion.\15\ As of
March 2023, the agency has not yet implemented the recommendation. CISA
officials stated that the administration's Homeland and Critical
Infrastructure Resilience Interagency Policy Committee is in the
process of updating PPD-21. Once it is completed, CISA will work to
establish the milestones and time lines needed to develop guidance on
improving coordination and information sharing.
---------------------------------------------------------------------------
\15\ GAO-23-105806. GAO has a large body of work examining aspects
of critical infrastructure protection and has made over 80
recommendations to SRMAs relevant to the responsibilities outlined in
the fiscal year 2021 NDAA. These recommendations involved sector risk
management and assessing sector risk, sector coordination and
facilitating the sharing of information regarding physical security and
cybersecurity threats, and incident management and contributing to
emergency preparedness efforts. As of December 2022, agencies had yet
to implement 58 of these recommendations. For more information on these
recommendations, see appendix II in GAO-23-105806.
---------------------------------------------------------------------------
However, as of March 2023, CISA had not developed milestones and
time lines to complete its efforts. CISA officials stated that they
could not provide a specific time line for issuing the updated National
Plan until the administration completes a review of PPD-21. CISA
officials stated that the Federal Senior Leadership Council has started
the Sector Analysis Working Group, which is an interagency consensus-
based group that will recommend a new sector designation structure and
corresponding SRMA designations. CISA officials reiterated that they
plan to issue guidance on improving coordination and information
sharing.
Chairman Garbarino, Ranking Member Swalwell, and Members of the
subcommittee, this concludes my prepared statement. I would be pleased
to respond to any questions you may have at this time.
Chairman Garbarino. Thank you, Ms. Sherman.
I now recognize Mr. Bagley for 5 minutes to summarize his
opening statement.
STATEMENT OF DREW BAGLEY, VICE PRESIDENT AND COUNSEL, PRIVACY
AND CYBER POLICY, CROWDSTRIKE
Mr. Bagley. Chairman Garbarino, Ranking Member Swalwell,
Members of the subcommittee, thank you for the opportunity to
testify.
Today, nation-states, criminal enterprises, and hacktivist
groups use sophisticated means to exploit unsophisticated
vulnerabilities to conduct espionage, breach privacy, and
disrupt infrastructure. This is why it's so important to
continually evolve in how we prevent, detect, and respond to
cyber attacks.
At CrowdStrike we have a unique vantage point on
cybersecurity threats and the innovation necessary to prevent
them. We work with CISA on key programs and initiatives. We
help CISA and other government agencies. We have been involved
with JCDC since its inception. We also consume CISA's
advisories and are a key technology provider for its
stakeholder groups like Critical Infrastructure Entities.
This hearing is timely for several reasons. CISA has
matured within a number of operational and planning functions.
Major transitions are taking place in Federal cybersecurity,
with an emphasis on zero trust adoption. Geopolitical
conditions stemming from Russia's war in Ukraine and heightened
competition with China have worsened the threat environment.
With respect to information sharing and collaboration, the
formation of JCDC in August 2021 was a key development. Since
then, JCDC has created a platform for key players in industry
and Government to voluntarily work toward common goals.
While we defer to CISA leadership to describe key outcomes,
CrowdStrike values best time and expertise in the JCDC
community, and we look forward to continued shared efforts to
promote better cybersecurity.
As JCDC matures, we believe the effort can continue to
improve. First, consider approaches that stratify or segment
membership to maintain trust. Second, strengthen administrative
customer relationship management practices. To their credit,
JCDC leadership and staff have been proactive about seeking
feedback from participants. Like any start-up, we anticipate
continued iteration as the group matures into its full
potential.
Importantly, cybersecurity outcomes vary substantially
across sectors. I've provided a brief overview in my written
remarks.
There remains a gap in cybersecurity performance between
the haves and the have-nots, which threat actors continue to
exploit and which CISA cannot solve alone. To this end, we are
pleased to see reference in the new National Cybersecurity
Strategy to shifting the burden for cybersecurity to those best
positioned to mitigate risks.
As a community, we should no longer tolerate certain
software vendors externalizing the costs of, or worse, nakedly
monetizing insecure software. While this policy concept must be
made more concrete, a reasonable first step is ensuring that
we're not rewarding vendors that cause harm. The Government can
lead by example, leveraging its own procurement power. This is
clearly a productive area for continued Congressional
oversight.
I'd like to offer a few key recommendations.
First, the entire field must become more responsive in
adapting to lessons learned. Unfortunately, cyber attacks with
the potential for systemic implications take place with
increasing regularity. Key lessons of recent breaches include:
Utilize managed security services, adopt cloud-based solutions,
and employ zero trust. We must approach regulation deliberately
and harmonize to the greatest extent possible. We must use care
in advancing new requirements, use formal, open commenting
periods, and use principles-based requirements rather than
compliance-based approaches. And critically, Federal agencies,
particularly regulators, must walk the walk on cybersecurity.
Third, as a community, we must focus more attention on
national incident response capacity. JCDC should continue
developing community response plans, and CISA should
incorporate JCDC contributions and forthcoming revisions to the
National Cyber Incident Response Plan. If the Chinese threat
actors responsible for the Microsoft Exchange hacking campaign
in 2021 had deployed ransomware at scale, large segments of the
American economy could have been paralyzed. A CISA-administered
program to retain outside providers for emergency incident
response at entities of systemic importance.
Last, we must empower defenders with cutting-edge cyber
defense capabilities. Too often, defenders are hobbled with
ineffective technologies. Those with leading solutions are
energized with radically improved morale. Our idea, one idea,
is to consider using tax mechanisms to speed adoption of key
technologies for small businesses.
Ultimately, CISA and its stakeholders must continue working
together collectively to prevent, detect, and respond to cyber
attacks.
Thank you for the opportunity to appear here today, and I
look forward to your questions.
[The prepared statement of Mr. Bagley follows:]
Prepared Statement of Drew Bagley
March 23, 2023
Chairman Garbarino, Ranking Member Swalwell, Members of the
subcommittee, thank you for the opportunity to testify today. We are at
a pivotal moment in the cybersecurity challenges posed to our country.
Today, nation-states, criminal enterprises, and hacktivist groups alike
can leverage sophisticated means to exploit unsophisticated
vulnerabilities to conduct espionage, breach privacy, and wreak havoc
on critical infrastructure, government systems, and businesses
throughout the country. We are at a point where the stakes of defensive
stagnation pose increasing risks in the face of threat actors'
innovation. This is why it's so important to continually evolve in how
we prevent, detect, and respond to cyber attacks.
Throughout my career, I have seen first-hand the challenges and
opportunities of improving American cybersecurity from my work in the
private sector, Government, and academia. For nearly a decade, at
CrowdStrike, a leading cybersecurity company, I have had a front-row
seat to cybersecurity innovation while building our privacy and public
policy programs and advising customers around the globe. Prior to that
I worked at the intersection of law and technology in the FBI's Office
of the General Counsel. I previously taught at universities in the
United States and Europe, and currently serve as an adjunct professor
in American University's cybersecurity policy program. I have been
asked to speak here today from a stakeholder perspective. Accordingly,
my testimony is informed not only from my experience but also by my
continued engagement with Government agencies through formal and
informal advisory roles, including as a member of CISA's Joint Cyber
Defense Collaborative (JCDC).
At CrowdStrike, we have a unique vantage point on cybersecurity
threats and the innovation necessary to stop them. We not only protect
15 of the largest 20 banks in the United States but also provide our
cybersecurity technology and services to thousands of small- and
medium-sized businesses. This means that it is not only possible for
small organizations to leverage the same cybersecurity technologies as
complex multinational enterprises but that it is becoming more common.
Increasingly, fundamental aspects of cybersecurity program design
are applicable everywhere--including for the on-going transformation in
U.S. Federal cybersecurity.
CrowdStrike works with CISA in a variety of ways across key
programs and activities. We were one of the original plank holders of
JCDC and remain active members to this day. We provide cyber threat
intelligence and cybersecurity technology offerings to CISA that help
it defend not only its own networks but those of some other Government
departments and agencies as well. Last, we are a consumer of CISA's
advisories and a key technology provider for its other stakeholder
groups, like critical infrastructure entities.
key developments
This hearing is timely for three key reasons. First, over the past
couple of years CISA has reached its stride across a number of
operational and planning functions (described in more detail below).
Second, major transitions are taking place in Federal cybersecurity
overall, with an emphasis on security program modernization and Zero
Trust Architecture. CISA is a key actor and implementer in these areas.
Third, geopolitical conditions have yielded a worsening cyber threat
environment overall. Russia's war in Ukraine and heightened competition
with China are just two of several active examples where risks are
mounting.\1\
---------------------------------------------------------------------------
\1\ See Adam Meyers, Testimony on Securing Critical Infrastructure
Against Russian Cyber Threats, House Homeland Security Committee (March
30, 2022) (How Russia-nexus adversaries use cyber attacks and
recommendations for U.S. readiness), https://docs.house.gov/meetings/
HM/HM00/20220405/114553/HHRG-117-HM00-WState-MeyersA-20220405.pdf.
---------------------------------------------------------------------------
Now is an impactful time to review the state of cybersecurity
overall and evaluate CISA's considerable progress and contributions.\2\
As DHS and CISA leadership and Members of this committee prepare
jointly to realize the vision of CISA 2025,\3\ we can identify fruitful
areas for continued development, alignment, and investment, where
appropriate.
---------------------------------------------------------------------------
\2\ See CISA Strategic Plan 2023-2025, CISA (September 2022),
https://www.cisa.gov/sites/default/files/2023-01/
StrategicPlan_20220912-V2_508c.pdf.
\3\ See CISA 2025 Overview, Committee on Homeland Security, House
of Representatives (October 13, 2022), https://homeland.house.gov/cisa-
2025/.
---------------------------------------------------------------------------
the state of cybersecurity
Cybersecurity outcomes vary substantially across different sectors.
Different sectors face different threats, have different constraints
and capacities, and have different tolerances to risk or disruptions.
To this end, I'd like to survey the state of cybersecurity across a few
key CISA partner segments.
Federal Civilian Executive branch (FCEB).--Going back 20 years,
Federal Government agencies often had considerable cybersecurity
strengths relative to their private-sector counterparts. However, as
time went on and cyber attacks increasingly occurred without the use of
malware, parts of the private sector met and exceeded FCEB
cybersecurity performance by adjusting to new realities. In some
instances, Government IT standards and controls failed to evolve at the
rapid pace of innovation within the commercial IT and cybersecurity
space. Large Federal Cybersecurity programs (e.g., National
Cybersecurity Protection System (NCPS) or EINSTEIN, and the Continuous
Diagnostics and Mitigation Program (CDM)) set ambitious goals aimed to
standardize and scale approaches to Government cybersecurity, but even
with considerable investment over the years, that aim remains unmet.
Over the past several years, however, the Federal cybersecurity
community has made some significant strides. Recent developments are
trending positively with the embrace of key cybersecurity concepts like
centralized visibility of IT infrastructure to detect and respond to
incidents. Significantly, E.O. 14028 on Improving the Nation's
Cybersecurity \4\ mandated the use across the FCEB of key best
practices, like enhanced logging, as well as now-baseline technical
solutions like Endpoint Detection and Response (EDR). The release of
the Office of Management and Budget's Federal Zero Trust Strategy \5\
in January 2022 was another key decision enforcing the use of sound
approaches, like increased adoption of cloud-based technologies,
credential management practices,\6\ and defensible IT architectures.
Even as implementation continues, these initial efforts are yielding
positive results.
---------------------------------------------------------------------------
\4\ See Executive Order on Improving the Nation's Cybersecurity,
The White House (May 12, 2021), https://www.whitehouse.gov/briefing-
room/presidential-actions/2021/05/12/executive-order-on-improving-the-
nations-cybersecurity/.
\5\ See M-22-09 Memorandum for the Heads of Executive Departments
and Agencies, Executive Office of the President, Office of Management
and Budget (January 26, 2022), https://www.whitehouse.gov/wp-content/
uploads/2022/01/M-22-09.pdf.
\6\ See 7 TYPES OF IDENTITY-BASED ATTACKS, CrowdStrike (January 10,
2023), https://www.crowdstrike.com/cybersecurity-101/identity-security/
identity-based-attacks/.
---------------------------------------------------------------------------
CISA plays an essential role in strengthening FCEB cybersecurity.
As recently as a couple of years ago, CISA had just a few programs
(e.g., NCPS, CDM, Trusted Internet Connections (TIC)) and a few
authorities (e.g., Emergency Directives, Binding Operational Directives
\7\) to meet this mandate. But the Solarium Commission's recommendation
as enacted by Congress to formally elevate CISA to become the
operational CISO of the FCEB, including by providing Government-wide,
proactive cyber threat hunting capabilities, considerably strengthened
CISA's tool kit. Further, actions taken by CISA to implement E.O.
14028, particularly with regard to the EDR program, are helping to
realize this vision.
---------------------------------------------------------------------------
\7\ See Cybersecurity Directives, Cybersecurity and Infrastructure
Security Agency, https://www.cisa.gov/news-events/directives.
---------------------------------------------------------------------------
The stakes are high. The FCEB continues to be a key target of
threat actors that seek to do harm to the United States. Friends and
allies continue to look to the U.S. Government as a model for how to
organize their own Government cybersecurity efforts. Importantly, the
Government must lead by example on cybersecurity. CISA's efforts to
strengthen security across the other entities (e.g., critical
infrastructure or State and local governments) will lack credibility if
the FCEB is poorly secured.
Large Enterprises.--On balance, the most sophisticated large
enterprises in the United States have seen stronger cybersecurity
outcomes in recent years, even as threats evolve and multiply. Over the
past year, we've observed an increase in vulnerability reuse and
increased reliance on access brokers to facilitate initial infiltration
into target organizations. We've also witnessed increased targeting
of--and mounting costs from--breaches of legacy infrastructure.\8\
Supply chain attacks, which can be targeted but also used to breach
many dependent organizations in a single campaign, remain a key
concern.
---------------------------------------------------------------------------
\8\ See 2023 Global Threat Report, CrowdStrike (2023), https://
www.crowdstrike.com/global-threat-report/.
---------------------------------------------------------------------------
Some large commercial enterprises have greater flexibility and
stronger security budgets than other entities, and thus serve as an
important proving ground for new technologies, practices, and
architectures. From this, recent innovations like Zero Trust and cloud-
native EDR have become today's cybersecurity essentials. In the near
future, we should expect more attention from other sectors on emerging
enterprise security concepts like Extended Detection and Response
(XDR), identity threat protection,\9\ as well as continued adoption of
managed security services (discussed in more detail below).
---------------------------------------------------------------------------
\9\ See Andrew Harris, CrowdStrike Falcon Identity Threat
Protection Added to GovCloud-1 to Help Meet Government Mandates for
Identity Security and Zero Trust, CrowdStrike (June 1, 2022), https://
www.crowdstrike.com/blog/how-falcon-identity-threat-protection-helps-
meet-identity-security-government-mandates/.
---------------------------------------------------------------------------
Small- and Medium-sized Businesses (SMB).--These entities include
everything from the family-owned corner store in each of our
communities to start-ups creating new technologies that could change
the world. These companies operate off of very different templates but
nevertheless share two key features. First, resources are scarce.
Second, a multi-day business disruption might well destroy the company.
Resource scarcity means there's no place for complex cyber defenses,
and few if any `spare cycles' for participation in demanding or time-
consuming information sharing initiatives. Sensitivity to disruption
means these organizations are particularly vulnerable to ransomware and
``lock-and-leak'' attacks.
Among the most positive developments in this space in recent years
is the growing affordability and accessibility of managed security
services, as well as managed threat hunting services. Organizations
increasingly look to professional providers to manage the overwhelming
majority of defense actions--under tight service level agreements--24
hours a day, 7 days a week, 365 days a year.
State, Local, Tribal, and Territorial (SLTT) Entities.--Over the
past few years, SLTT entities have faced a withering threat
environment, most notably from criminal ransomware actors. Materially
all SLTT entities face budgetary and personnel constraints, and rely
upon critical legacy applications and IT infrastructure. Nevertheless,
over that same time horizon, cybersecurity outcomes within the sector
have diverged significantly. As Members of this committee know well,
many SLTT organizations faced severe incidents and events, and in some
instances citizens suffered disruption of key services.
Counterintuitively perhaps, over this time frame the most forward-
leaning States and cities were meaningfully further ahead than most of
the FCEB in centralizing and modernizing defenses. This was generally
achieved through a key service provider--typically a Department of
Technology--implementing and managing transformative technologies like
EDR and other important security concepts and practices. In addition to
leveraging a centralized provider, these States often had no inflexible
security program that acted as a barrier to experimentation and
technology adoption. In addition, community-oriented support efforts,
such as those led by the Center for Internet Security, have been a key
part of stronger defenses.
The State and Local Cybersecurity Improvement Act, which passed
into law in the Infrastructure Investment and Jobs Act of 2021 was a
positive step in ensuring State and local governments have the funding
needed to centralize and modernize cyber defenses. We appreciate former
subcommittee Chairwoman Clarke, Chairman Garbarino, and other Members
of the committee for their leadership on this important issue.
Critical Infrastructure.--Most critical infrastructure owners and
operators face the same set of hardships outlined above: Severe threat
environment, personnel and budget constraints, and legacy applications
and IT infrastructure. But they have the added challenges of complex
Operational Technology (OT) that in some instances is obsolete and/or
esoteric. In addition to these conditions there is increased interest
from policy makers in regulatory measures designed to enhance
cybersecurity.
The Cyber Incident Reporting for Critical Infrastructure Act
(CIRCIA), signed into law in March 2022, which strengthens reporting
obligations for critical infrastructure players, is the most meaningful
step to date.\10\ CIRCIA's authors--notably Members and key staff on
this Committee--recognized these risks and included two key provisions.
The first is a Cyber Incident Reporting Harmonization Council that
should reconcile duplicative or conflicting regulations. The second is
a generous time line for CISA to articulate particulars (like
thresholds) in a clear and straightforward manner. CISA has solicited
stakeholder feedback to those ends, to which we, and many others in the
community, were happy to contribute ideas and suggestions.\11\
---------------------------------------------------------------------------
\10\ See Public Law 117-103, Division Y, Cyber Incident Reporting
for Critical Infrastructure Act--Consolidated Appropriations Act, 117th
Congress (March 15, 2022), https://www.congress.gov/bill/117th-
congress/house-bill/2471/text.
\11\ See CrowdStrike Response to RFI on Cyber Incident Reporting
for Critical Infrastructure Act (November 14, 2022), https://
www.crowdstrike.com/wp-content/uploads/2023/02/RFI-Incident-Reporting-
for-Critical-Infrastructure-Act-of-2022.pdf.
---------------------------------------------------------------------------
International.--Although somewhat beyond the scope of this hearing,
we should take a moment to reflect on international cybersecurity. U.S.
allies' public sector organizations, laws, and policy debates tend to
reflect somewhat developments here in Washington. This is an incredible
leadership opportunity. Efforts like the International Counter
Ransomware Initiative \12\ serve as a good example for how to use this
influence to strengthen the cybersecurity ecosystem globally. Across
relevant areas of law and policy, we should embrace interoperable
approaches that simplify collaboration between governments, NGO's, and
industry players. In addition, the United States should be receptive to
areas where other countries have identified helpful policies. These
include, for example, policies that support the start-up ecosystem, and
national privacy laws that simplify data protection and the cross-
border data flows integral for modern cybersecurity.\13\
---------------------------------------------------------------------------
\12\ See International Counter Ransomware Initiative 2022 Joint
Statement, The White House (November 1, 2022), https://
www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/
international-counter-ransomware-initiative-2022-joint-statement/.
\13\ See Drew Bagley, Data Protection Day 2023: Misaligned Policy
Priorities Complicate Data Protection Compliance, CrowdStrike (January
27, 2023), https://www.crowdstrike.com/blog/data-protection-day-2023-
misaligned-policy-priorities-complicate-data-protection-compliance.
---------------------------------------------------------------------------
public-private collaboration
The Joint Cyber Defense Collaborative (JCDC).--Information sharing
in the cybersecurity space is a complex topic and long-standing policy
priority. For two decades, various information-sharing efforts--narrow
and broad; informal, quasi-official, and official; ad hoc and
enduring--have arisen from a desire within the cybersecurity community
to do more. While the Cybersecurity Act of 2015 sought to address this
problem head-on,\14\ structural impediments to comprehensive sharing
and collaboration remain.\15\ And as a practical matter, we are
unlikely to identify a ``silver bullet'' solution to a problem with
this many complexities. However, the formation of JCDC in August 2021
was a key development in promoting sharing and collaboration. In the
time since, JCDC has created a platform for key players in industry and
Government to voluntarily work toward common goals.
---------------------------------------------------------------------------
\14\ See Public Law 113-113, Division N, Cybersecurity Act of 2015.
114th Congress (December 18, 2015), https://www.congress.gov/bill/
114th-congress/house-bill/2029/text.
\15\ See George Kurtz, Questions for the Record--Hearing on the
Hack of U.S. Networks by a Foreign Adversary, Senate Select Committee
on Intelligence (February 23, 2021) (How the private sector has
promoted practical information sharing), https://
www.intelligence.senate.gov/sites/default/files/documents/qfr-gkurtz-
022321.pdf.
---------------------------------------------------------------------------
While we would generally defer to CISA Leadership to describe key
outcomes, we can say that CrowdStrike values the partnership
opportunity. We continue to invest time and expertise in the JCDC
community, and we look forward to continued, shared efforts to promote
better cybersecurity.
As JCDC matures, we believe the effort can continue to improve. Two
suggestions:
Consider approaches that stratify or segment membership to
maintain trust.--As the group expands, JCDC leadership should
account for the possibility that some members may become less
willing to share details about sensitive issues. JCDC has
addressed this concern by maintaining clear direct channels of
communication with participants, and creating ad hoc working
groups with a subset of members. These are important measures,
but additional subgroup governance may help promote more active
and applied sharing. Articulating long-term aims for membership
composition may also be of value.
Strengthen administrative Customer Relationship Management
(CRM) practices.--This would ensure consistent notification of
participant stakeholders about upcoming opportunities, events,
engagements, etc. A designated partner ``JCDC relationship
owner'' should be able to flexibly add or remove corporate
participants from various JCDC workstreams to facilitate
participation from particular personas (e.g., according to
function, experience, protocol, etc.).
To their credit, JCDC leadership and staff have been proactive
about seeking feedback from participants. We have provided suggestions
along these lines to them directly and believe they are taken seriously.
Like any ``start-up,'' we anticipate continued iteration as the group
matures into its full potential.
Ecosystem.--CISA contributes to the cybersecurity ecosystem in a
variety of other ways. Support to key partners in the SLTT community;
advice and tools for enhancing infrastructure, Industrial Control
Systems (ICS), and OT security; alerts and notifications for IT
security, particularly around emerging vulnerabilities; and leadership
on workforce topics all contribute to better cybersecurity outcomes.
Each of these issue areas is complex and requires specific expertise.
CISA's contributions in this realm continue to mature and become more
valuable over time.
There remains a gap in cybersecurity performance between the
``haves'' and the ``have-nots,'' which threat actors continue to
exploit and which CISA cannot solve alone. To this end, we are pleased
to see reference in the new National Cybersecurity Strategy to shifting
the burden for cybersecurity to those best positioned to mitigate
risks. This includes, where appropriate, holding platform providers
accountable for the security of their products.\16\ As a community, we
should no longer tolerate certain software vendors externalizing the
costs of--or worse, nakedly monetizing--insecure software
applications.\17\ While this policy concept must be made more concrete,
a reasonable first step is ensuring that we're not rewarding vendors
that cause harm. To this end, the Government can lead by example by
using its own procurement power to shape market dynamics. This is
clearly a productive area for continued Congressional oversight.
---------------------------------------------------------------------------
\16\ See National Cybersecurity Strategy, page 20. The White House
(March 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/
National-Cybersecurity-Strategy-2023.pdf.
\17\ For one example of a persistent security issue, see George
Kurtz, Testimony on Cybersecurity and Supply Chain Threats, Senate
Select Committee on Intelligence (February 23, 2021) (Extended
discussion on emerging cybersecurity controls and practices), https://
www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-
022321.pdf, p. 5.
---------------------------------------------------------------------------
recommendations
1. The entire field must become more responsive in adapting to
lessons learned. Unfortunately, cyber attacks with the potential for
systemic implications take place with increasing regularity. However,
organizations are uneven in adopting key lessons, from new security
controls and mitigations to more secure architectures. From our vantage
point, key lessons of recent breaches include:
Use managed security services where practical to augment
internal security staff and attain responsive and comprehensive
security coverage.
Adopt cloud-based IT systems and where possible, leverage
cloud-based security tools to achieve scalability and speed.
Employ Zero Trust Architecture, with emphasis on identity
threat protection, to defend an increasingly diffuse IT
infrastructure and radically reduce lateral movement during
breach attempts, bringing us closer to cyber and mission
resiliency.
2. We must approach regulation deliberately and harmonize to the
greatest extent possible. Even as CIRCIA advances through rule making,
independent regulators are pursuing new obligations \18\ and the
National Cybersecurity Strategy foreshadows additional actions at the
sector-level.\19\ Each of these measures is well-intended, but taking
place simultaneously and with different stakeholders. At best, they
will close long-standing gaps and strengthen national resilience.
---------------------------------------------------------------------------
\18\ See TSA issues new cybersecurity requirements for airport and
aircraft operators, Transportation Security Administration (March 7,
2023), https://www.tsa.gov/news/press/releases/2023/03/07/tsa-issues-
new-cybersecurity-requirements-airport-and-aircraft.
\19\ Even prior to CIRCIA and recent efforts, data breach victims
commonly faced more than 50 different reporting requirements in the
United States alone, with additional international obligations in many
cases.
---------------------------------------------------------------------------
At worst, they risk yielding burdensome, distracting, and costly
compliance obligations without additional security gains. Optimizing
for the former is among the most important challenges the cybersecurity
policy community faces at this time. Our hope is that continued
collaboration between potential regulators and/or muscular
harmonization efforts will help avert worse outcomes. The best advice
we can offer is:
Be deliberate about advancing new requirements;
Provide formal commenting periods for stakeholders to
contribute views;
Use principles-based requirements rather than burdensome
and inflexible compliance-based approaches;
Include provisions to regularly review and if necessary
modify, update, or deprecate requirements or controls based on
developments in the threat environment or technology ecosystem;
The DHS Cyber Incident Reporting Council established under
CIRCIA should operate with vigor, and work to clearly identify
and reduce duplicative reporting; and
Set the goal of all Federal agencies showcasing
cybersecurity best practices with a particular emphasis on
those that regulate cybersecurity ``walking the walk.''
3. As a community, we should focus more attention on national
incident response capacity. JCDC should continue coordinating and
developing community response plans and CISA should weigh potential
JCDC contributions for the purposes of forthcoming revisions to the
National Cyber Incident Response Plan (NCIRP).\20\ If the Russian
threat actors responsible for the major supply chain attack or the
Chinese threat actors responsible for the Microsoft Exchange hacking
campaign in 2021 had deployed ransomware or pseudo-ransomware at scale,
large segments of the American economy would have been paralyzed. A
CISA-administered program to retain outside providers for emergency
incident response to attacks at entities of systemic importance could
be of tremendous value in a future contingency.\21\ This could mitigate
crippling impacts and ensure CISA had the ability to orchestrate
response activities and maintain insight into findings in real time.
---------------------------------------------------------------------------
\20\ See National Cybersecurity Strategy, page 12. The White House
(March 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/
National-Cybersecurity-Strategy-2023.pdf.
\21\ See Robert Sheldon, Testimony on Protecting American
Innovation, Senate Select Committee on Intelligence (September 21,
2022), https://www.intelligence.senate.gov/sites/default/files/os-
rsheldon-092122.pdf.
---------------------------------------------------------------------------
4. We must empower defenders with cutting-edge cyber-defense
capabilities. Defenders with leading solutions are energized with
radically improved morale. Too often, defenders are hobbled with
inefficient and ineffective technologies. When these inevitably fail,
they begin to feel like little more than a punching bag for
adversaries, and that their best efforts are for naught. But when
people are empowered, they can see their impact each day and can remain
focused on the importance of their mission. To the extent that this
committee can promote access to better tools, that will absolutely
strengthen cybersecurity outcomes. For the FCEB, this means the full
adoption of technologies mandated in E.O. 14028 like EDR and,
ultimately, better access to managed security services to augment
staff. To highlight another opportunity, we believe it's time to have a
more serious conversation as a community about using tax mechanisms to
speed adoption of key technologies in the SMB space.\22\
---------------------------------------------------------------------------
\22\ See Robert Sheldon, Testimony on Protecting American
Innovation, Senate Select Committee on Intelligence (September 21,
2022), https://www.intelligence.senate.gov/sites/default/files/os-
rsheldon-092122.pdf.
---------------------------------------------------------------------------
5. The community must attract and retain top cybersecurity talent.
The level of talent in our field--across industry and Government--is
deeply inspiring. Based on our experience, the central motivator for
people in the field is a sense of mission. A key challenge we have as a
community is overburdened staff leading to burnout, a concern that
underpins some of my previous comments on leveraging managed services
and mitigating time-consuming and ineffective compliance obligations.
Further, aligning roles to each organization's key missions--and in the
case of Government authorities--helps people recognize the uniqueness
of their contributions. A second challenge is expanding recruitment
efforts to grow additional talent. To this end, I was pleased to
announce during my participation at a White House Summit last month
that CrowdStrike would soon launch an emerging leaders program focused
on diverse candidates.\23\ We must continue efforts to fuel the
cybersecurity talent pipeline.
---------------------------------------------------------------------------
\23\ See Readout: Office of National Cyber Director Hosts
Roundtable on ``The State of Cybersecurity in the Black Community'',
The White House Briefing Room (February 28, 2023), https://
www.whitehouse.gov/oncd/briefing-room/2023/02/28/readout-office-of-
national-cyber-director-hosts-roundtable-on-the-state-of-cybersecurity-
in-the-black-community/.
---------------------------------------------------------------------------
CISA's evolution is the culmination of non-partisan efforts under
four consecutive Presidential administrations, and CISA has received
numerous new key authorities and increases in funding over the past
several years. Ultimately, in each passing year it is important to ask
whether the U.S. Government is better able to prevent, detect, and
respond to cyber attacks. Accordingly, I am pleased to see this
committee has identified key oversight areas in the CISA 2025
initiative to put CISA on track to fully implement those authorities
and fulfill the mission Congress has entrusted it with. CrowdStrike
looks forward to continuing and building upon its trusted relationship
with CISA, and playing our part in empowering it to effectively carry
out its mission.
Thank you for the opportunity to appear in front of you today, and
I look forward to your questions.
Chairman Garbarino. Thank you, Mr. Bagley.
I now recognize Ms. Hogsett for 5 minutes to summarize your
opening statement.
STATEMENT OF HEATHER HOGSETT, SENIOR VICE PRESIDENT, TECHNOLOGY
AND RISK MANAGEMENT, BANK POLICY INSTITUTE
Ms. Hogsett. Chairman Garbarino, Ranking Member Swalwell,
honorable Members of the subcommittee, thank you for inviting
me to testify.
I'm Heather Hogsett, senior vice president of technology
and risk strategy for BITS, which is the technology policy
division of the Bank Policy Institute.
BPI is a nonpartisan research and advocacy organization
representing the Nation's leading banks. Through our technology
division, we work with our members on cyber risk management and
critical infrastructure protection, as well as fraud reduction,
regulation, and innovation. We greatly appreciate this
committee's leadership and the opportunity to provide
perspective on the role of CISA in defending our Nation.
Financial institutions are increasingly under cyber attack
by foreign nations and criminal groups seeking to undermine the
functioning of the U.S. economy. Our sector takes these risks
seriously and has strong relationships with the Treasury
Department, our Sector Risk Management Agency, as well as CISA,
the National Cyber Director's Office, the FBI, the Secret
Service, and also our regulators.
Since being established, CISA has played a vital
coordination role during the COVID-19 pandemic to keep critical
infrastructure up and running. It also played a key role in the
response to SolarWinds, Log4j, ransomware attacks, and ongoing
geopolitical tensions with Russia. Throughout these efforts,
CISA has improved its information sharing, with
faster declassification of threat information, including a
significant increase in publications and threat alerts combined
with recommended mitigation measures, tool kits and other
support services. Importantly, our members want to emphasize
that CISA is also uniquely positioned to address longer-term
strategic planning and cross-sector mitigation that would be
particularly valuable for more mature sectors like financial
services.
As CISA continues to evolve, we encourage a focus on three
areas.
First is implementing the Cyber Incident Reporting for
Critical Infrastructure Act. Last year, this committee led
efforts, which BPI supported, to pass cyber incident reporting
legislation requiring companies to report ransomware payments
and cyber incidents to CISA. Implementing the new law is a
significant undertaking that CISA must get right from the
outset. It requires extensive coordination with critical
infrastructure agencies, other Government agencies, and
independent regulators. As a critical infrastructure sector
that has had mandatory cyber reporting requirements for more
than 20 years, ensuring that the new rules are harmonized with
current requirements is also a key area of focus. As CISA
formulates the new rules, it should ensure that definitions,
time lines, thresholds, and required incident information are
aligned with existing requirements and designed to avoid
interfering with response and mitigation activities at an
affected entity.
Second, CISA should work with industry to identify and
prioritize national systemic risks. Last year CISA received
funding to develop a new systemically-important entity
designation. Financial institutions are very supportive of
efforts to identify and prioritize critical infrastructure
assets that are most important to our national security.
However, it is vital that CISA clarify what it intends to
accomplish with a new designation and how it relates to
existing efforts, including the Section 9 list, national
critical functions, and sector-specific systemic risk
designations like Systemically Important Financial Institutions
or SIFIs. CISA should avoid duplication and leverage sector-
specific work like ours to create a framework and methodology
for identification of cross-sector risks and critical
dependencies.
Finally, CISA should support cross-sector collaboration and
joint planning. CISA's role as national coordinator puts it in
a unique position to support collaboration between critical
infrastructure sectors and the Government to reduce risk and
disrupt threats. The Joint Cyber Defense Collaborative was
helpful in bringing together industry and Government partners
to improve visibility and communication, particularly in
response to the Russian invasion of Ukraine. This response-
oriented focus, however, has not fulfilled the need for longer-
term strategic planning across Government agencies and with the
private sector. As authorized by Congress, CISA was charged
with creating a Joint Cyber Planning Office to develop plans
for cyber defense operations and coordinated actions that
public and private-sector entities could take to protect,
mitigate, and defend against malicious cyber attacks. We have
not seen the JCDC engage in this type of proactive planning,
but continue to believe this would be beneficial for financial
institutions and other more mature sectors.
Although not addressed to date, but noted in CISA's recent
strategy, we believe that building the organizational
foundation for sustainable cyber defense operations and
focusing on the most critical needs of the Nation is of highest
priority and would be the most critical accomplishment CISA
could undertake at this time.
On behalf of BPI, we look forward to continuing to work
with this committee and with CISA, and I'm happy to answer any
questions you may have.
[The prepared statement of Ms. Hogsett follows:]
Prepared Statement of Heather Hogsett
March 23, 2023
Chairman Garbarino, Ranking Member Swalwell and Honorable Members
of the subcommittee, thank you for inviting me to testify. I am Heather
Hogsett, senior vice president of technology and risk strategy for
BITS, the technology policy division of the Bank Policy Institute
(BPI).
BPI is a nonpartisan policy, research, and advocacy organization
representing the Nation's leading banks. BPI members include universal
banks, regional banks, and major foreign banks doing business in the
United States. BITS, our technology policy division, works with our
member banks as well as insurance, card companies, and market utilities
on cyber risk management and critical infrastructure protection, fraud
reduction, regulation, and innovation.
I also serve as co-chair of the Financial Services Sector
Coordinating Council (FSSCC) Policy Committee. The FSSCC coordinates
across the financial sector to enhance security and resiliency and to
collaborate with Government partners such as the U.S. Treasury and the
Cybersecurity and Infrastructure Security Agency (CISA), as well as
financial regulatory agencies.
Financial Institutions and Cybersecurity
Banks and other financial institutions are increasingly under cyber
attack by foreign nations and criminal groups seeking to disrupt the
financial system and undermine the functioning of the U.S. economy. The
financial sector takes these risks seriously and has a long history of
working across industry and with Government partners to address and
manage these risks.
As one of 16 critical infrastructure sectors, the financial
industry formed and actively participates in the FSSCC \1\ and the
Financial Services Information Sharing and Analysis Center (FS-
ISAC)\2\--both of which have served as leading examples other critical
infrastructure sectors have sought to replicate. We also lead
cybersecurity and operational resilience collaboration through public-
private partnerships with our Sector Risk Management Agency (SRMA)--the
U.S. Department of the Treasury--the Cybersecurity and Infrastructure
Security Agency (CISA), the Federal Bureau of Investigation (FBI), the
U.S. Secret Service, and importantly with our regulators.
---------------------------------------------------------------------------
\1\ https://fsscc.org/.
\2\ https://www.fsisac.com/.
---------------------------------------------------------------------------
A major part of these industry efforts is focused on in-depth
information sharing to accelerate and amplify public-private
cooperation. During the nearly two decades of work, we have established
exercise programs through the FSSCC and FS-ISAC that have covered a
wide range of possible events such as destructive malware, an outage at
a large service provider, or a pandemic and addressed managing public
confidence during a crisis. More than 40 such exercises have been held
to date and have included participants from across the industry, third
parties, regulators, the U.S. Treasury Department, DHS/CISA and law
enforcement agencies.
In addition to Treasury and CISA, we also work closely with
financial regulators to address cybersecurity, third-party, and supply
chain risks and promote operational resilience across the sector. This
work occurs with individual firms, through trade associations such as
BPI, and via joint efforts between the FSSCC and its Government
counterpart the Financial and Banking Information Infrastructure
Committee (FBIIC), which is chaired by Treasury and includes 17 Federal
and State regulators.\3\
---------------------------------------------------------------------------
\3\ www.fbiic.gov.
---------------------------------------------------------------------------
Experiences With CISA
Since its establishment in 2018 as an operational component of DHS,
CISA has taken on an increasingly important role protecting Federal
civilian agencies and supporting security and resilience across
critical infrastructure sectors. Following the important coordination
role CISA filled during the COVID-19 pandemic to keep critical
infrastructure working for America, there have been notable
improvements in faster declassification and sharing of threat
information, including a significant increase in publications, alerts,
and joint advisories with other Government agencies such as the FBI and
National Security Agency (NSA). These publications have become more
frequent, timely, and relevant and included recommended mitigation
measures to help critical infrastructure entities better protect
themselves, particularly mid-size and smaller entities where the
assistance is needed most. For example, CISA's recommended mitigations
and tool kits to help entities protect themselves during the response
to SolarWinds, Log4j, and the ransomware attack against Colonial
Pipeline were welcome for their timeliness and actionable nature. By
creating a centralized repository for this information CISA has also
made it easier for companies to quickly find and access relevant
information and resources.
Its efforts to help raise awareness and promote baseline
cybersecurity practices across all critical infrastructure sectors have
been a welcome focus that will help reduce risk and improve national
resilience. CISA also deserves credit for fostering collaboration and
coordination across Government entities including the banking industry
and other critical infrastructure. Its work to date has built the
foundation for trusted relationships and very importantly created
resources to support those sectors that are resource-constrained and in
the earlier stages of building their cyber risk management programs.
The preparation and response to the Russian invasion of Ukraine
highlight a number of these accomplishments. As tensions rose and the
United States prepared for Russian aggression and the potential for
retaliatory attacks, CISA's senior leadership, along with senior
leaders at Treasury, DHS and the FBI, was in regular communications
with financial institutions and organizations like the FSSCC, FS-ISAC
and the Analysis and Resilience Center for Systemic Risk (ARC). CISA
created the ``Shields Up'' campaign to raise awareness and urge
critical infrastructure companies to shore up their defenses and
actively share suspicious information with the Government to provide an
early warning of attacks. During this time, CISA created a new bi-
directional communication mechanism to provide for near-real-time
information sharing among trusted partners in both industry and
Government that had never previously been done. This coordination role
was invaluable for our industry and others and provided a streamlined
mechanism to exchange threat information and share timely updates to
those operating some of the Nation's most critical infrastructure.
Evolving for the Future
Looking ahead, it will be important for CISA to establish a clear
path for maturing and scaling its operations, including ensuring these
programs and initiatives have stakeholder input and will continue
despite future changes in leadership. A number of the efforts to date
have been in response to current cyber threats, which was and continues
to be important, but CISA is also uniquely positioned to address
longer-term strategic planning and cross-sector risk mitigation that
will be particularly valuable for mature sectors. As CISA continues to
evolve, we encourage a focus on the following areas:
Cyber Incident Reporting and Harmonization--Supporting
Response and Recovery.--Last year, Congress passed the Cyber
Incident Reporting for Critical Infrastructure Act (CIRCIA) of
2022, requiring critical infrastructure companies to report
ransomware payments and cyber incidents to CISA. BPI supported
this legislation which we believe will help improve national
cyber defense by providing CISA and other Government agencies
with timely and relevant information to assess and analyze
cyber threats across sectors, improve the alerts and security
services CISA provides and ultimately provide earlier warning
of potential attacks so companies can better defend themselves.
Under the law, CISA must conduct a rulemaking process, seek
input from stakeholders, and develop the necessary systems and
processes to collect, analyze, and share reported information
while ensuring strong data security and protection measures are
in place.
As CISA crafts rules under CIRCIA, it is also required to harmonize
the new requirements with existing regulatory reporting to
avoid conflicting, duplicative, or burdensome requirements.
Given the comprehensive set of cybersecurity and incident
notification rules \4\ that financial institutions already
comply with, harmonizing and aligning the new rules will be
important to ensure cyber defenders can maintain focus on
protecting the firm rather than complying with multiple
Government reporting requirements.
---------------------------------------------------------------------------
\4\ https://staging4.bpi.com/cyber-incident-reporting-requirements-
notification-timelines-for-financial-institutions/.
---------------------------------------------------------------------------
This is a significant undertaking that CISA must get right from the
outset and will require extensive coordination with critical
infrastructure entities, SRMAs, other Government agencies and
independent regulators. As a critical infrastructure sector
that has had mandatory cyber reporting requirements for more
than 20 years and has invested significant time and resources
into harmonizing and driving toward regulatory convergence,
this is a key area of focus. CISA should ensure that
definitions, time lines, thresholds, and required incident
information are aligned with existing requirements and designed
to avoid interfering with response and mitigation at an
affected firm.
BPI recommends that CISA build a streamlined reporting system that
accomplishes the following: (1) Allows an impacted firm to
report incident information once and have it shared, as
appropriate, with SRMAs, regulators, and law enforcement
agencies; (2) provides CISA with timely and relevant
information useful to assessing trends, improving analysis, and
the development of alerts, tools, and services that can be
provided to critical infrastructure companies; and (3)
maintains its role as a trusted channel for information and
communications, preserving privacy and confidentiality while
supporting the response and recovery of an impacted entity.
Identification and Prioritization of National Systemic
Risks.--Identifying critical infrastructure assets that are
most important to our national security would help prioritize
resources and guide public-private collaboration to prevent or
mitigate threats and prepare for potential response and
recovery needs.
Financial institutions have existing designations such as the
Systemically Important Financial Institution designation that
stems from the Dodd-Frank Act of 2010 and requires firms to
adopt enhanced measures for security and resilience and
includes additional oversight and examination by financial
regulators. Many of these firms are also included in the
Section 9 process, established by Executive Order 13636 in 2013
and managed by DHS, which recognizes firms where a cyber
incident could result in ``catastrophic regional or national
effects on public health or safety, economic security, or
national security.''
Similarly, in 2019, CISA created a list of 55 National Critical
Functions that are functions ``so vital to the United States
that their disruption, corruption, or dysfunction would have a
debilitating effect on security, national economic security,
national public health or safety, or any combination
thereof.''\5\ CISA is in the process of working with SRMAs to
decompose or analyze these further. At the same time, CISA is
developing a new designation for Systemically Important
Entities (SIEs) and was appropriated an increase of $1.9
million for the creation of an SIE Program Office.
---------------------------------------------------------------------------
\5\ https://www.cisa.gov/national-critical-functions.
---------------------------------------------------------------------------
Financial institutions are very supportive of efforts to better
identify and prioritize cross-sector risks; however, the
current approach appears disjointed and opaque, making it
challenging for industry to provide input or information that
might be helpful. Past proposals to create an SIE or
Systemically Important Critical Infrastructure (SICI)
designation would have duplicated existing designations and
requirements on financial institutions, diverting resources
from defending against threats to regulatory compliance.
As CISA continues this work, we encourage greater transparency and
clarity in the approach, what it intends to accomplish, and how
an SIE designation fits with related areas of work such as the
Section 9 list, NCFs and sector-specific systemic risk
designations such as SIFI. CISA should not only avoid
duplication or overlap with other systemic designations and
their requirements but also leverage work that has already been
done in the more mature critical infrastructure sectors.
Financial institutions have worked through the ARC to analyze
financial sector systemic risks and are ready to work with CISA
to develop a framework for assessing risks and critical
dependencies across sectors.
Fostering Cross-Sector Coordination and Operational
Collaboration.--CISA's role as national coordinator for
critical infrastructure security puts it in a unique position
to support collaboration among more mature sectors and the
Government to reduce risk and disrupt threats. Since 2017, the
financial, energy, and communications sectors have conducted
joint planning and exercises to address cyber threats that
could impact or cascade across the three sectors. CISA
supported the creation of the ``tri-sector'' working group
which is a good example of fostering and enabling collaborative
efforts.
CISA's Joint Cyber Defense Collaborative (JCDC) was helpful in
bringing together industry and Government partners to improve
visibility and communication in response to geopolitical
tensions and the Russian invasion of Ukraine. This response-
oriented focus, however, has not fulfilled the need for longer-
term strategic planning across Government agencies and the
private sector. As originally authorized by Congress,\6\ CISA
was charged with creating a Joint Cyber Planning Office (JCPO)
to develop plans for cyber defense operations and coordinated
actions that public- and private-sector entities could take to
protect, mitigate, or defend against malicious cyber attacks.
To date, we have not seen the JCDC engage in the type of
planning directed by Congress but continue to believe this
would be beneficial for financial institutions and other more
mature sectors.
---------------------------------------------------------------------------
\6\ William M. (Mac) Thornberry National Defense Authorization Act
for Fiscal Year 2021. Pub. L. 116-283, Sec 1715.
---------------------------------------------------------------------------
The recently released National Cybersecurity Strategy recognizes
that the private sector has growing visibility into adversary
activity and calls for enhancing public-private operational
collaboration to disrupt adversaries.\7\ Through our
relationship with Treasury as our SRMA, we have robust
partnership and dialog. Treasury is establishing a cyber
collaboration center to facilitate greater opportunity for
firms to exchange Classified and un-Classified information and
facilitate discussion around threat actor activity and
vulnerabilities. Other parts of Government have created similar
centers such as the NSA's Cybersecurity Collaboration Center.
Plans to create a cross-sector equivalent or otherwise foster
collaboration and exchange among these efforts would be
valuable and CISA could play a helpful role.
---------------------------------------------------------------------------
\7\ National Cybersecurity Strategy, March 2023, p. 15.
---------------------------------------------------------------------------
Sustaining Progress and Building Capabilities
We are at a defining juncture in CISA's development, similar to any
start-up at this stage, where achieving scale matters. As Congress
intended and supported with funding, CISA must refine its focus and
apply resources carefully to be successful. Now that CISA has
established its presence, developed communications and outreach
capabilities, and designed tools and services to improve near-term
resilience, it should shift its approach to expand management
capabilities, add operational expertise and establish processes that
will be the foundation for sustained leadership on immediate tactical
response matters as well as longer-term, proactive planning and support
that will benefit even the most cyber-mature sectors like financial
services.
Successful implementation of CIRCIA, including harmonizing its
reporting requirements to optimize protection and response and
streamline coordination, will serve as a cornerstone for the future of
public-private partnerships and should be a top priority. Similarly,
developing the means to identify and prioritize the highest risks by
sector and across sectors will refine CISA's focus and support more
secure and resilient outcomes for the Nation.
This is no small task and requires CISA to focus on building
organizational consistency and rigor, hiring and retaining experienced
staff, and sourcing support from sectors that have well-established
security, resilience and, in the financial services case, regulatory
standards that can be leveraged.
We are committed to working with CISA to support its continued
development and look forward to the opportunity to engage in future
national risk mitigation efforts.
Chairman Garbarino. Thank you, Ms. Hogsett.
I now recognize Mr. Edwards for 5 minutes to summarize his
opening statement.
STATEMENT OF MARTY EDWARDS, VICE PRESIDENT, OPERATIONAL
TECHNOLOGY SECURITY, TENABLE
Mr. Edwards. Chairman Garbarino, Ranking Member Swalwell,
and Members of the committee, thank you for the opportunity to
testify before you today on CISA and the state of American
cybersecurity.
I am Marty Edwards, deputy chief technology officer for
operational technology at Tenable, the leading cybersecurity
exposure management company, with 43,000 customers world-wide,
including just about every Federal department and many critical
infrastructure providers.
From Russia's invasion of Ukraine to the Colonial Pipeline
incident, we're operating in a heightened threat landscape.
CISA, the National Coordinator for Critical Infrastructure
Security and Resiliency, and Congress have recognized the need
to prioritize critical infrastructure security. Under Director
Jen Easterly's leadership, CISA has taken significant steps to
strengthen the U.S. cyber posture, including through
prioritizing public-private partnerships, enhancing strategic
collaboration, and developing new cybersecurity initiatives in
favor of greater security and resiliency, which were emphasized in
the recent National Cybersecurity Strategy.
This includes addressing the security of IT and OT system
convergence. Operational technology, or OT, is the hardware used
in manufacturing, utilities, and critical infrastructure
industries. But while today's technologies are implemented to
improve efficiencies, the convergence of these technologies
between IT and OT makes OT susceptible to many new threat
vectors. Successful OT attacks can impact human safety and
damage physical equipment, making this a national security
imperative. Public-private-sector collaboration, including
CISA's Joint Cyber Defense Collaborative, of which Tenable is a
proud alliance partner, is essential to building resilient and
robust converged IT-OT environments and enabling collaboration
on a range of issues.
To combat the growing cyber threats, the White House tasked
the President's National Security Telecommunications Advisory
Committee with examining key challenges to securing converged
IT-OT systems. I co-led this Convergence Subcommittee Working
Group to produce a report to the President which found that
despite having the technology and the expertise to secure these
systems, organizations still lack visibility into their OT
environments.
To strengthen the cybersecurity posture of the U.S.
Government-owned and -operated OT systems with relatively low
risk, the NSTAC report recommends three key steps for the U.S.
Government, including No. 1, issue a binding operational
directive that requires Federal agencies to maintain a real-
time, continuous inventory of all OT systems and assets,
including any interconnectivity to other systems.
No. 2, develop guidance on procurement language for OT
products and services to incentivize and prioritize
cybersecurity capabilities. Existing technology products and
services should be secure by design, especially those that
support critical infrastructure.
And third, prioritize the development and implementation of
interoperable, technology-neutral, vendor-agnostic information-
sharing mechanisms to enable real-time information sharing
between the U.S. critical infrastructure stakeholders. We
should not allow for learned helplessness by Federal Government
agencies or by private industry. There is too much at stake for
organizations to remain negligent and not take the most basic
steps to improve their cybersecurity posture.
From Tenable's perspective, Congress has the opportunity to
enhance U.S. preparedness by establishing baseline
cybersecurity standards of care and ensuring that CISA is
adequately resourced to support its critical mission.
Oh, that's interesting, I don't have the rest of my page
here. Sorry about that.
Many critical operating environments lack a formal,
systemic approach to risk assessments, let alone the continuous
visibility required for critical services and high-value
targets. In these instances, policy guidance can help drive
improved risk management practices and foster innovation.
Thank you again, Chairman Garbarino, Ranking Member
Swalwell, and Members of the subcommittee for your attention to
these important bipartisan issues, your continued assessment of
the work CISA is doing to help keep Americans safe, and for the
opportunity to testify here today.
I look forward to working with you to secure our Nation's
cyber assets and answer your questions.
[The prepared statement of Mr. Edwards follows:]
Prepared Statement of Marty Edwards
March 23, 2023
Introduction
Chairman Garbarino, Ranking Member Swalwell, Chairman Green,
Ranking Member Thompson, and Members of the subcommittee, thank you for
the opportunity to testify before you today on the Cybersecurity and
Infrastructure Security Agency (CISA) and the state of American
Cybersecurity.
My name is Marty Edwards and I am the deputy chief technology
officer for operational technology (OT) and internet of things (IoT) at
Tenable, a cybersecurity exposure management company that provides
organizations, including the Federal Government, with an unmatched
breadth of visibility and depth of analytics to measure and communicate
cybersecurity risk. My expertise is in OT and Industrial Control System
(ICS) cybersecurity, and my work with Tenable has focused on furthering
Government and industry initiatives to improve critical infrastructure
security. In collaboration with industry, Government, and academia,
Tenable is raising awareness of the growing security risks impacting
critical infrastructure and of the need to take steps to mitigate those
risks. I also recently served as the staff lead under Tenable
co-founder Jack Huffard in the development of the Information
Technology (IT)/OT Convergence Report \1\ issued by The President's
National Security Telecommunications Advisory Committee (NSTAC). Prior
to joining Tenable, I worked in industry as an industrial control
systems engineer and as a program manager at the U.S. Department of
Energy's Idaho National Laboratory focused on cybersecurity. I was the
longest-serving director of the U.S. Department of Homeland Security's
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT),
which is now part of CISA.
---------------------------------------------------------------------------
\1\ President's National Security Telecommunications Advisory
Committee, ``Information Technology and Operational Technology
Convergence Report,'' https://www.cisa.gov/sites/default/files/publications/NSTAC%20ITOT%20Convergence%20Report_508%20Compliant_0.pdf.
---------------------------------------------------------------------------
About Tenable
Tenable is headquartered in nearby Columbia, Maryland, and has
1,900 employees globally and approximately 43,000 customers world-wide.
Tenable is publicly traded on the NASDAQ and is the world's leading
provider of vulnerability management capabilities. We believe
cybersecurity is foundational to making better and more strategic
decisions. Our goal is to eliminate blind spots and help organizations
prioritize which actions they can take to most efficiently reduce
exposure and loss.
Tenable empowers organizations of all sizes to understand and
reduce their cybersecurity risk. For the Federal Government
specifically, Tenable provides the most widely-deployed vulnerability
management solution, serving just about every department and agency.
Our solutions are also broadly used by State and local governments to
manage cybersecurity risk.
The Current State of OT/Critical Infrastructure/Federal Cybersecurity
Over the past few years, we have seen a dramatic increase in the
frequency of successful cyber attacks against U.S. public and private-
sector organizations and have experienced new threats targeting our
critical infrastructure. New ransomware and extortion groups routinely
exploit known vulnerabilities to gain access into organizations, with
at least 31 new groups discovered from November 2021 to October 2022,
resulting in ransomware attacks intensifying, exposing reams of data
and accounting for over 35 percent of data breaches.\2\
---------------------------------------------------------------------------
\2\ Tenable, ``2022 Threat Landscape Report,'' https://static.tenable.com/marketing/research-reports/Research-Report-2022_Threat_Landscape_Report.pdf.
---------------------------------------------------------------------------
In February 2021, a water treatment plant in Oldsmar, Florida, was
breached when attackers attempted to poison the water supply.\3\ Just
months later, a ransomware attack against Colonial Pipeline shut down
operations for 6 days, prompting the President of the United States to
issue a state of emergency.\4\ Following Russia's invasion of Ukraine
last year, and increased threats of malicious activity against the
United States and our allies, CISA and other law enforcement agencies
took swift steps to warn Governors, public-sector partners and critical
infrastructure providers to harden their cyber defenses, including
through the ``Shields Up'' initiative.\5\
---------------------------------------------------------------------------
\3\ ABC News, ``Florida city's water treatment system hacked by
`intruder,' investigators say,'' https://abcnews.go.com/US/florida-citys-water-treatment-system-hacked-intruder-investigators.
\4\ NPR, ``What We Know About The Ransomware Attack On A Critical
U.S. Pipeline,'' https://www.npr.org/2021/05/10/995405459/what-we-know-about-the-ransomware-attack-on-a-critical-u-s-pipeline.
\5\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Shields Up,'' https://www.cisa.gov/shields-up.
---------------------------------------------------------------------------
Just this month, a breach of D.C. Health Link, the health insurance
exchange which serves Members of Congress and their staff, resulted in
the on-line exposure of personal data of more than 56,000 customers.\6\
While unfortunate, this breach is not surprising as health care was the
No. 1 sector targeted by ransomware attacks last year with 472
breaches, followed by the public administration sector, which includes
governments, towns, and municipalities with 162 breaches.\7\
---------------------------------------------------------------------------
\6\ Roll Call, ``House, Senate members affected in DC Health Link
breach to total 21,'' https://rollcall.com/2023/03/14/house-senate-members-affected-in-dc-health-link-breach-total-21.
\7\ Ibid 2.
---------------------------------------------------------------------------
When it comes to reducing cyber risk, organizations world-wide find
themselves restricted by deeply entrenched people, process, and
technology issues. An orientation toward reactive, incident-focused
cybersecurity practices means preventive tasks are often relegated to
nothing more than a compliance exercise. Teams are measured by how many
vulnerabilities they've remediated, rather than by how effectively
they've reduced their organization's exposure.
The siloed nature of cybersecurity, especially between IT and OT
teams--each with their own, sometimes contradictory, goals--exacerbates
the problem. It is nearly impossible for cybersecurity leaders to
obtain a unified and contextual view of their exposure using the
existing tools at their disposal. The processes involved--which often
require cybersecurity teams to convince their counterparts in IT,
cloud, and Development Operations (DevOps) to take necessary security
precautions--are fraught with opportunities for error and conflict. The
siloed nature of the many preventive security tools offered by
cybersecurity vendors means there's no way to determine how much
exposure any given weakness actually represents at any given time. The
reason? Security pros using siloed tools are unable to determine the
relationships among users, systems, and software. Without a unified and
contextual view of their environments, security professionals cannot
realistically identify the objective security truths that indicate
their exposure to risk.
These issues are not new. While applying basic cyber hygiene can
reduce exposure, it's long been challenging for organizations to
achieve with existing preventive tools. What is new is the expanding
complexity of the modern attack surface. Modern IT infrastructure
encompasses multiple cloud systems, numerous identity and privilege
management tools, multiple web-facing assets along with operational
technology (OT) and internet of things (IoT) systems and software.
Today's IT environment brings with it numerous opportunities for
misconfigurations and overlooked assets. The lack of a unified and
contextual view of users, systems, and software means security teams
cannot effectively evaluate what's happening across the attack surface.
Competing business interests often mean speed and uptime are favored
over security.
Government officials and private-sector leaders are paying
increasing attention to critical infrastructure vulnerabilities,
particularly those brought on by the convergence of IT and OT
technologies. Since the late 1960's, OT has been part of manufacturing,
utilities, and other critical infrastructure sectors, and has been
considered technology ``safe'' from attacks because most OT devices
were not connected to outside networks. However, in today's modern
facilities, these devices are no longer air-gapped and are now in many
cases exposed to the internet--and to the threat of cyber attacks.\8\
---------------------------------------------------------------------------
\8\ Tenable, ``Operational Technology (OT) Security: How To Reduce
Cyber Risk When IT and OT Converge,'' https://www.tenable.com/source/operational-technology.
---------------------------------------------------------------------------
The combination of IT and OT systems makes OT systems susceptible
to the same risks of malware and threats that IT systems face today.
Between the two: OT has different performance requirements than IT; OT
systems serve a specific purpose while IT systems serve a wide variety
of technologies; and OT systems have a life cycle of a decade or more
while IT systems are much shorter. This creates different priorities
between IT security professionals and OT system operators within
organizations. While IT security practices can inform OT security
requirements, the OT systems require more specialized solutions which
address the performance requirements of the system.\9\
---------------------------------------------------------------------------
\9\ President's National Security Telecommunications Advisory
Committee, ``Information Technology and Operational Technology
Convergence Report,'' https://www.cisa.gov/sites/default/files/publications.
---------------------------------------------------------------------------
Securing IT and OT systems and their convergence has become a
national security imperative. Public-private-sector collaboration to
address cyber threats is essential to building resilient and robust
converged IT/OT environments. CISA is the national coordinator for
critical infrastructure security and resilience and, as the
administration's National Cybersecurity Strategy emphasizes, it must
enhance strategic collaboration and scale public-private partnerships
in favor of greater security and resiliency.\10\
---------------------------------------------------------------------------
\10\ The White House, ``National Cybersecurity Strategy,'' https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
---------------------------------------------------------------------------
Given the heightened threat landscape, CISA and Congress have
started to recognize the need to prioritize critical infrastructure
security and have begun making much-needed investments. CISA is working
to guide the Nation's State and local governments, critical
infrastructure providers, and other private-sector organizations, and
Federal entities, to strengthen their cyber defenses. In Congress, the
House Committee on Homeland Security led efforts to include a $1
billion State and local cybersecurity grant program in the
Infrastructure Investment and Jobs Act. The program will help State,
local, Tribal, and territorial governments safeguard these vital
systems from future attacks.
CISA 101
CISA was established on November 16, 2018, to defend and secure our
Nation's cyber space and build a resilient and robust critical
infrastructure for the American people. As a relatively new Federal
agency, CISA has made strides in elevating cybersecurity and
infrastructure security as national security issues. Unlike other well-
established Federal organizations, CISA is working at start-up speed to
keep American organizations ahead of growing and constant cyber
threats.
There has been significant activity under Director Jen Easterly's
leadership to strengthen the U.S. cyber posture, including prioritizing
public-private partnerships, developing new cybersecurity initiatives
and implementing cybersecurity policies proposed by Congress and the
administration.
Joint Cyber Defense Collaborative (JCDC)
CISA established the Joint Cyber Defense Collaborative (JCDC) to
lead ``integrated public-private sector cyber defense planning,
cybersecurity information fusion, and dissemination of cyber defense
guidance to reduce risk to critical infrastructure and National
Critical Functions.''\11\ Tenable is a proud Alliance Partner of the
JCDC, which has enabled us to collaborate with CISA across a range of
cybersecurity issues and challenges, to provide strategic insights and
operational response acumen. Managing vulnerabilities is essential to
secure critical IT and OT infrastructure and the work done by JCDC and
CISA promotes the prioritization of network security. In fact, known
vulnerabilities dating as far back as 2017 were so prominent in
Tenable's 2022 Threat Assessment Report findings that they occupied the
top spot in the 2022 list of the top 5 vulnerabilities.\12\
---------------------------------------------------------------------------
\11\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Joint Cyber Defense Collaborative,''
https://www.cisa.gov/sites/default/files/publications/JCDC_Fact_Sheet_508C.pdf.
\12\ Ibid 2.
---------------------------------------------------------------------------
Cyber Incident Reporting for Critical Infrastructure Act of 2022
(CIRCIA)
Following passage and implementation of the Cyber Incident
Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA began
development of cyber incident reporting regulations as required by the
new law.\13\ Timely cyber incident reporting--both from critical
infrastructure entities to CISA and from CISA to its industry
stakeholders--enables rapid identification, remediation, and proactive
defense against these and similar incidents. CISA's commitment to
working with industry stakeholders to develop thoughtful, effective,
and balanced reporting requirements will further strengthen the
cybersecurity of our Nation's critical infrastructure.
---------------------------------------------------------------------------
\13\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (CIRCIA),'' https://www.cisa.gov/topics/cyber-threats-and-advisories.
---------------------------------------------------------------------------
As part of the regulatory development process, Tenable provided
CISA with input as the agency developed its cyber incident reporting
regulations required by CIRCIA. Among its input, Tenable proposed the
following three primary recommendations to effectively improve threat
and incident situational awareness:
1. That CISA request contextual details about the specific
vulnerability exploited in the cyber incident and actionable
information about the nature of the incident, including
tactics, techniques, and procedures (TTPs), and indicators of
compromise (IOCs).
2. That CISA share this information, utilizing the traffic light
protocol with a trusted group of cybersecurity stakeholders,
such as JCDC Alliance Partners.
3. That actionable information sharing across the critical
infrastructure sectors would enable owners and operators to
help defend their organizations against and respond to cyber
attacks.
Binding Operational Directives (BOD)
CISA also has authority to issue Binding Operational Directives
(BOD), which are compulsory directions to Federal Executive branch
departments and agencies for purposes of safeguarding Federal
information and information systems.\14\ In 2021, CISA issued BOD 22-
01, which requires Federal agencies ``to remediate vulnerabilities in
the KEV catalog within prescribed time frames.''\15\ The Known
Exploited Vulnerabilities (KEV) catalog is maintained by CISA and helps
organizations prioritize remediation of listed vulnerabilities and
reduce the opportunities for threat actors to compromise systems.
---------------------------------------------------------------------------
\14\ 44 U.S.C. 3552(b)(1). U.S. Department of Homeland Security
Cybersecurity and Infrastructure Security Agency, ``Binding Operational
Directive 23-01,'' https://www.cisa.gov/news-events/directives/binding-operational-directive-23-01.
\15\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Reducing the Significant Risk of
Known Exploited Vulnerabilities,'' https://www.cisa.gov/known-exploited-vulnerabilities.
---------------------------------------------------------------------------
Following recommendations to conduct asset inventories of OT
systems included in last year's NSTAC Report to the President, CISA
issued BOD 23-01 to require Federal agencies to improve asset
visibility and vulnerability detection on Federal networks.\16\ To
provide additional visibility into the variety of assets that make up
the modern attack surface and help agencies understand the full scope
of their cybersecurity risk, BOD 23-01 mandates continuous and
comprehensive asset visibility. The BOD focuses on two core activities
that are essential to maintaining a successful cybersecurity program:
---------------------------------------------------------------------------
\16\ Ibid 9.
---------------------------------------------------------------------------
Asset discovery
Vulnerability enumeration.
By mandating continuous and comprehensive asset visibility, BOD 23-
01 will ensure that Federal agencies have the necessary foundation to
maintain a successful cybersecurity program.
This directive applies to all IP-addressable networked assets that
can be reached over IPv4 and IPv6 protocols. It builds on BOD 22-01 and
outlines new requirements for cloud assets, IPv6 address space, and
operational technology (OT) in an effort to reduce cyber risk.
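The two directives described above fit together operationally: BOD 23-01's asset discovery and vulnerability enumeration produce the inventory, and BOD 22-01's KEV due dates turn that inventory into a prioritized remediation queue. The script below is an added illustration by the editor and is not part of Mr. Edwards's statement, nor CISA's or Tenable's own tooling. It assumes a catalog whose entries carry the fields cveID, product, dateAdded and dueDate (the editor's understanding of the public KEV JSON feed); the CVE ids, hosts, addresses and dates are constructed placeholders. Assets that were discovered but never enumerated are surfaced first, since an empty result for them is a visibility gap, not a clean host.

```python
"""Cross-reference an asset inventory against a KEV-style catalog.

Added example: everything here is constructed for illustration. The
catalog field names (cveID, product, dateAdded, dueDate) follow the
editor's understanding of CISA's public KEV JSON feed; the CVE ids,
hosts, addresses and dates are placeholders, not data from the hearing.
"""
import ipaddress
from datetime import date

# Reporting date for the worked example (the hearing date).
AS_OF = date(2023, 3, 23)

# Constructed KEV-style catalog subset (placeholder CVE ids and dates).
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "product": "Example VPN appliance",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31"},
        {"cveID": "CVE-0000-0002", "product": "Example OT HMI",
         "dateAdded": "2023-03-09", "dueDate": "2023-03-30"},
        {"cveID": "CVE-0000-0003", "product": "Example web server",
         "dateAdded": "2022-11-15", "dueDate": "2022-12-06"},
    ]
}

# Constructed inventory of the kind BOD 23-01 discovery and enumeration
# would produce. "cves": None marks an asset that was discovered but
# never enumerated, i.e. a visibility gap rather than a clean host.
ASSET_INVENTORY = [
    {"asset": "vpn-gw-01", "ip": "203.0.113.10",
     "cves": ["CVE-0000-0001", "CVE-0000-0099"]},
    {"asset": "plc-hmi-07", "ip": "10.20.30.40", "cves": ["CVE-0000-0002"]},
    {"asset": "web-edge-02", "ip": "2001:db8::1",
     "cves": ["CVE-0000-0003", "CVE-0000-0001"]},
    {"asset": "legacy-rtu-03", "ip": "10.20.30.41", "cves": None},
    {"asset": "build-srv-05", "ip": "2001:db8::5", "cves": []},
]


def index_kev(catalog):
    """Map each catalogued CVE id to its remediation due date."""
    return {entry["cveID"]: date.fromisoformat(entry["dueDate"])
            for entry in catalog["vulnerabilities"]}


def assess_inventory(inventory, catalog, as_of):
    """Return one finding per asset, worst first.

    A finding lists the asset's KEV hits with days past the due date
    (0 while the deadline is still ahead) and flags assets that were
    never enumerated so they are not mistaken for clean hosts.
    """
    kev_due = index_kev(catalog)
    findings = []
    for asset in inventory:
        ip = ipaddress.ip_address(asset["ip"])  # validates v4/v6 syntax
        finding = {"asset": asset["asset"], "ip_version": ip.version,
                   "enumerated": asset["cves"] is not None, "hits": []}
        for cve in asset["cves"] or []:
            due = kev_due.get(cve)
            if due is None:
                continue  # not in KEV: still a finding elsewhere, no BOD deadline
            finding["hits"].append({"cve": cve, "due": due.isoformat(),
                                    "overdue_days": max(0, (as_of - due).days)})
        finding["hits"].sort(key=lambda h: -h["overdue_days"])
        findings.append(finding)
    # Unenumerated assets first, then by the most overdue KEV deadline.
    findings.sort(key=lambda f: (f["enumerated"],
                                 -max((h["overdue_days"] for h in f["hits"]),
                                      default=-1)))
    return findings


def summarize(findings):
    """Roll findings up into the numbers a program owner reports on."""
    hits = [h for f in findings for h in f["hits"]]
    return {
        "assets": len(findings),
        "not_enumerated": sum(not f["enumerated"] for f in findings),
        "ipv6_assets": sum(f["ip_version"] == 6 for f in findings),
        "kev_overdue": sum(h["overdue_days"] > 0 for h in hits),
        "kev_pending": sum(h["overdue_days"] == 0 for h in hits),
    }


if __name__ == "__main__":
    report = assess_inventory(ASSET_INVENTORY, KEV_CATALOG, AS_OF)
    for f in report:
        status = "NOT ENUMERATED" if not f["enumerated"] else ", ".join(
            f"{h['cve']} due {h['due']} (+{h['overdue_days']}d)"
            for h in f["hits"]) or "no KEV hits"
        print(f"{f['asset']:<14} IPv{f['ip_version']}  {status}")
    print(summarize(report))
```

To use this against real data, replace KEV_CATALOG with the parsed JSON of the catalog's published feed and ASSET_INVENTORY with a scanner export; the join logic is unchanged. Keeping the unenumerated assets at the top of the report is the point of BOD 23-01's "continuous and comprehensive" wording: a host with no enumeration result should never be counted as compliant.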
Cross-Sector Cybersecurity Performance Goals (CPGs)
In 2021, the Biden administration issued the National Security
Memorandum on Improving the Cybersecurity for Critical Infrastructure
Control Systems, outlining initiatives in the electricity, pipeline,
water, and chemical sectors, and calling for the development of cross-
sector cybersecurity performance goals for critical infrastructure.\17\
---------------------------------------------------------------------------
\17\ The White House, ``National Security Memorandum on Improving
the Cybersecurity for Critical Infrastructure Control Systems,''
https://www.whitehouse.gov/briefing-room/statements-releases.
---------------------------------------------------------------------------
Last October, CISA released its Cross-Sector Cybersecurity
Performance Goals (CPGs), based on relevant categories and
subcategories of the NIST Cybersecurity Framework (CSF), to address
some of the Nation's most frequent and impactful cybersecurity risks.
The CPGs also emphasize OT security and how it is often overlooked and
under-resourced.\18\ By offering IT/OT cybersecurity guidance, CISA's
CPGs create a baseline set of cybersecurity practices and benchmarks
for critical infrastructure operators to measure and improve their
cyber posture. Earlier this week, CISA released stakeholder-based
updates to the CPGs that are more strongly aligned with the functions,
categories, and subcategories of the National Institute of Standards
and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is
widely utilized by critical infrastructure owners and operators and the
greater alignment of the CPGs will make them more accessible to these
entities.
---------------------------------------------------------------------------
\18\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Cross-Sector Cybersecurity
Performance Goals,'' https://www.cisa.gov/cross-sector-cybersecurity-performance-goals.
---------------------------------------------------------------------------
Pillar One of the administration's new National Cybersecurity
Strategy builds on this notion of establishing cybersecurity best
practices and expanding the use of minimum cybersecurity standards,
such as the adoption of basic cyber hygiene and secure-by-design
principles. This reinforces that IT/OT convergence will continue to be
a security issue for years to come, and organizations need a plan to
address these challenges.\19\
---------------------------------------------------------------------------
\19\ The White House, ``National Cybersecurity Strategy,'' https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
---------------------------------------------------------------------------
Tenable was pleased that CISA incorporated input from multiple
critical infrastructure industry stakeholders, including relevant
sector-coordinating councils (SCCs) in the development of the CPGs,
ensuring they were aligned with the NIST CSF. We are also encouraged to
see the administration emphasize similar approaches to mitigate
cybersecurity risk in its National Cybersecurity Strategy. Baseline
cybersecurity requirements or standards of care for critical
infrastructure, which align with CISA's Cross-Sector Cybersecurity
Performance Goals, international standards, and the NIST CSF, drive
better cybersecurity and a more resilient ecosystem.
Secure-by-Default
In recent months, CISA has spearheaded efforts to shift the
security burden from consumers to putting the onus on manufacturers to
ensure built-in security is a feature of all technology products,
especially those that support critical infrastructure. Director
Easterly stated, ``the leaders of technology manufacturers should
explicitly focus on building safe products, publishing a roadmap that
lays out the company's plan for how products will be developed and
updated to be both secure-by-design and secure-by-default.''\20\
Likewise, CISA launched the Ransomware Vulnerability Warning Pilot
program to help identify vulnerabilities in critical infrastructure
systems and inform owners to take action before a potential
cybersecurity incident occurs.\21\ In conjunction with the other
initiatives CISA has developed, these efforts will work to advance the
Nation's cybersecurity resiliency.
---------------------------------------------------------------------------
\20\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``The Cost of Unsafe Technology and
What We Can Do About It,'' https://www.cisa.gov/news-events/news/cost-unsafe-technology-and-what-we-can-do-about-it.
\21\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``CISA Announces Ransomware
Vulnerability Warning Pilot,'' https://www.cisa.gov/news-events/alerts/2023/03/13.
---------------------------------------------------------------------------
Separation of Duties/Independent Assessments of Software
Similar to the Sarbanes-Oxley Act of 2002 requirement for firms to
separate their auditing function from their consulting function,
``separation of duties'' in cybersecurity is necessary to prevent
conflicts of interest, misaligned incentives, and increased security
risks. The U.S. Securities and Exchange Commission states that an
auditor is not capable of exercising objective and impartial judgment
if a relationship with or service provided by an auditor ``(a) creates
a mutual or conflicting interest with their audit client; (b) places
them in the position of auditing their own work . . . ''.\22\ CISA
should apply the Sarbanes-Oxley ``separation of duties'' principles to
cybersecurity and prohibit the provider responsible for developing and/
or running software programs from also testing its security, conducting
security audits, or reporting on its security.
---------------------------------------------------------------------------
\22\ The U.S. Securities and Exchange Commission, ``Audit
Committees and Auditor Independence,'' https://www.sec.gov/oca/audit042707.
---------------------------------------------------------------------------
What's Next: CISA 2025
CISA has worked to enable organizations and critical infrastructure
providers to understand, manage, and reduce their cybersecurity risks,
but there is still much work to be done. Naturally, as the agency
evolves, there is a significant need for continued improvements to
strengthen our cybersecurity efforts and to address the many unique
needs of the critical infrastructure sectors.
While some of the 16 identified critical infrastructure sectors
\23\ have a high degree of cybersecurity preparedness, strong risk
understanding and risk management practices, and very strong security
programs, others are woefully ill-prepared. New technology investments
represent great efficiency opportunities, like the move to smart
factories and smart cities, but these shifts can introduce real gaps in
security. Continued digital transformation, increasingly interconnected
IT and OT systems, and an expanding cyber attack surface will require
enhancements to security and resiliency. Critical infrastructure
providers must be prepared to address tomorrow's cyber threats and it
is CISA's responsibility to support them in that effort.
---------------------------------------------------------------------------
\23\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Critical Infrastructure Sectors,''
https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors.
---------------------------------------------------------------------------
Zero Trust Architecture
The White House issued a Federal Zero Trust Architecture (ZTA)
Strategy in January 2022, requiring agencies to implement Attack
Surface Management (ASM) as part of their ZTA by the end of fiscal year
2024. The memorandum states, ``to effectively implement a zero trust
architecture, an organization must have a complete understanding of its
internet-accessible assets so that it may apply security policies
consistently and fully define and accommodate user workflows.''\24\ ASM
enables organizations to identify assets and look for vulnerabilities
from the outside in, from the attacker's perspective, and will give
agencies complete asset discovery, increase awareness of what is on
their networks, and improve vulnerability management.
---------------------------------------------------------------------------
\24\ The White House, ``Federal Zero Trust Architecture (ZTA)
Strategy,'' https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf.
---------------------------------------------------------------------------
The memorandum further states, ``for agencies to maintain a
complete understanding of what internet-accessible attack surface they
have, they must rely not only on their internal records, but also on
external scans of their infrastructure from the internet.''\25\
Ultimately, organizations cannot take a `trust no one' approach on a
device if they do not know the device exists; however, ASM enables that
visibility.
---------------------------------------------------------------------------
\25\ Ibid 24.
---------------------------------------------------------------------------
As agencies look to comply with the White House's ZTA strategy by
moving toward a zero trust architecture and taking a `trust no one'
approach to security, the security of an agency's underlying user
identity and privilege management system itself comes into play. To
ensure identity systems are secure, agencies need to be able to
identify everything in their complex Active Directory (AD) environment,
predict what matters to reduce risk, and eliminate attack paths before
attackers exploit them. Effective management of AD users and privileges
allows agencies to take a proactive approach to address and mitigate
future cyber threats.
NSTAC IT/OT Convergence Report
In response to growing cybersecurity threats to the critical
infrastructure upon which Americans depend, the White House tasked The
President's National Security Telecommunications Advisory Committee
(NSTAC) with conducting a multi-phase study on ``Enhancing Internet
Resilience in 2021 and Beyond.''\26\ The subcommittee for the second
phase of the study was charged with developing the NSTAC Report to the
President on IT/OT Convergence.\27\ I co-led the subcommittee's working
group to produce this report. The report identifies three opportunities
for the Federal Government:
---------------------------------------------------------------------------
\26\ President's National Security Telecommunications Advisory
Committee, ``NSTAC Fact Sheet,'' https://www.cisa.gov/resources-tools/resources/presidents-nstac-fact-sheet.
\27\ Ibid 9.
---------------------------------------------------------------------------
to help relevant stakeholder communities execute a secure
convergence of IT and OT cybersecurity;
to examine the key challenges of securing converged OT
systems against threats that emerge from IT network
connections; and
to identify emerging approaches to increase OT resiliency to
these threats.
The subcommittee received briefings from more than 30 subject-
matter experts across Government and private industry. First, the
subcommittee heard from Government owners and operators of OT systems
and policy makers focused on IT and OT cybersecurity; second, we heard
from critical infrastructure owners and operators of converged IT/OT
environments and original equipment manufacturers; and third, we heard
from cloud service providers, integrators, and cybersecurity vendors.
NSTAC Report Findings
On August 23, 2022, NSTAC approved the Report to the President. The
report findings revealed several consistent themes highlighting that
the convergence of IT and OT systems is not a new issue. As a Nation,
we have not prioritized securing IT/OT interconnected systems, despite
having the technology and knowledge readily available. Even in 2022,
the report found organizations lack visibility into their OT
environments, which is exacerbated by the traditional silos within
which OT and IT personnel operate. The current siloed approach
demonstrates a need to promote harmonization through a unified
structure to better manage shared responsibility to secure converged
environments.\28\
---------------------------------------------------------------------------
\28\ Ibid 9.
---------------------------------------------------------------------------
Stakeholders also rarely take the opportunity to proactively
``build in'' security where appropriate and opt instead to ``bolt-on''
security in OT environments after the fact, costing organizations
valuable time and resources to recover from cyber incidents and
unpatched vulnerabilities.
Businesses, organizations, and governments need to share the
responsibility of building a more sustainable cybersecurity model to
create ecosystems that take a secure-by-design approach to ensure the
long-term cybersecurity resiliency of our country--a point Director
Easterly and CISA Executive Director Eric Goldstein recently
emphasized.\29\
---------------------------------------------------------------------------
\29\ Foreign Affairs, ``Stop Passing the Buck on Cybersecurity,''
https://www.foreignaffairs.com/united-states/stop-passing-buck-cybersecurity.
---------------------------------------------------------------------------
NSTAC Recommendations to Improve Critical Infrastructure Security
Based on the findings, the subcommittee developed 15 Presidential,
strategic, and actionable recommendations to address the many concerns
expressed to the subcommittee through the briefing phases. Amongst the
15 recommendations, the subcommittee identified 3 consequential
recommendations for the President to strengthen the cybersecurity
posture of U.S. Government-owned and -operated OT systems that should
be prioritized.
The report first recommends that CISA issue a Binding Operational
Directive (BOD), similar to what Section 1505 of the Fiscal Year 2022
National Defense Authorization Act (NDAA) requires for the Department
of Defense (DoD), that requires Executive civilian branch departments
and agencies to maintain a real-time, continuous inventory of all OT
devices, software, systems, and assets within their areas of
responsibility, including an understanding of any interconnectivity to
other systems. An up-to-date inventory should be required as part of
each department's or agency's annual budget process.
Once Federal agencies clearly understand the vast and
interconnected nature of their OT devices and infrastructure, they can
then make risk-informed decisions about how to prioritize their
cybersecurity budgets to best protect the most consequential of those
assets.
Second, CISA should develop guidance on procurement language for OT
products and services, and for products and services that support
converged IT/OT environments, to incentivize the inclusion of risk-
informed cybersecurity capabilities, including for supply chain risk
management. This guidance should also help organizations understand
best practices for bolt-on security for legacy OT devices that are
difficult or expensive to replace.
CISA should work with the General Services Administration (GSA) to
require the inclusion of risk-informed cybersecurity capabilities in
procurement vehicles for the Federal Government. There should also be a
mechanism for both private-sector users of the procurement guidance and
public sector agencies, which must follow the new requirements, to
provide feedback and lessons learned to aid the community.
Finally, the NSC, CISA, and the Office of the National
Cybersecurity Director (ONCD) should prioritize developing and
implementing interoperable, technology-neutral, vendor-agnostic
information-sharing mechanisms to enable real-time sharing of sensitive
collective-defense information between authorized stakeholders involved
with securing U.S. critical infrastructure. This should include
breaking down the artificial barriers for sharing controlled
unclassified information, both within the U.S. Government and between
Government and other key, cross-sector stakeholders.
Additional recommendations in the report to secure U.S. OT
infrastructure call on CISA and the ONCD to clearly articulate roles
and responsibilities for Federal agencies that support critical
infrastructure and other industry stakeholders. Concurrently, CISA
should work with the Office of Management and Budget (OMB) to develop
key IT/OT convergence cybersecurity performance indicators and
implementation time lines for agencies and hold agency heads
accountable. Furthermore, the ONCD, in partnership with CISA, should
facilitate an interagency study that evaluates conflicting regulations
for OT operators to identify opportunities to streamline OT
cybersecurity regulation.
Based on the subcommittee briefings, it was evident that the
Federal Government has historically underfunded OT cybersecurity.
Fortunately, the Infrastructure Investment and Jobs Act (IIJA) has
created numerous grant programs that include cybersecurity as an
allowable expense, presenting an opportunity for the ONCD and CISA to
collaborate with Sector Risk Management Agencies (SRMA) to ensure that
cybersecurity is a priority item in any grant application. Of note, the
State and Local Cybersecurity Grant Program (SLGCP) appropriates $1
billion in grant funding over the next 4 years to help advance OT
cybersecurity. Tenable has been leading efforts to educate eligible
entities on how to apply for grant funding and implement cybersecurity
solutions that address the growing threats and risks to their
information systems.\30\
---------------------------------------------------------------------------
\30\ H.R. 368--117th Congress (2021-2022): Infrastructure
Investment and Jobs Act. (2021, June 4). https://www.Congress.gov/bill/
117th-congress/house-bill/3684/text.
---------------------------------------------------------------------------
Binding Operational Directive 23-01
As previously mentioned, last October CISA issued Binding
Operational Directive (BOD) 23-01, calling on Federal civilian
departments and agencies to ``make measurable progress toward enhancing
visibility into agency assets and vulnerabilities,'' aligning with
NSTAC's IT/OT Convergence Report recommendations.\31\
---------------------------------------------------------------------------
\31\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Binding Operational Directive 23-
01,'' https://www.cisa.gov/news-events/directives/binding-operational-
directive-23-01.
---------------------------------------------------------------------------
BOD 23-01 mandates continuous and comprehensive asset visibility,
focusing on two core activities essential to maintaining a successful
cybersecurity program: asset discovery and vulnerability enumeration.
According to BOD 23-01, ``continuous and comprehensive asset visibility
is a basic precondition for any organization to effectively manage
cybersecurity risk. Accurate and up-to-date accounting of assets
residing on Federal networks is also critical for CISA to effectively
manage cybersecurity for the Federal Civilian executive branch (FCEB)
enterprise.''\32\ Federal agencies need comprehensive visibility into
their assets and vulnerabilities across their organizations to protect
against external unknowns.
---------------------------------------------------------------------------
\32\ Ibid 31.
---------------------------------------------------------------------------
Enumerating OT assets, critical infrastructure, and vulnerabilities
presents unique challenges to Federal agencies. Compared to the IT
environment, where patching, upgrading, and replacing systems is
standard, an OT environment typically requires working with legacy
technologies. To prioritize remediation efforts, agencies need a
detailed view of OT and IT assets in the OT environment and the ability
to map connections between devices and identify high-risk assets.
To ensure FCEB systems and agencies operating those systems meet
said requirements, Congress should appropriate funding to implement
CISA's BOD 23-01, enabling agencies to maintain an updated inventory of
assets, identify software vulnerabilities, track how often an agency
enumerates its assets, and share information with CISA's Continuous
Diagnostics and Mitigation Program (CDM) Federal Dashboard. Pursuant to
BOD 23-01, the scope of this implementation encompasses all reportable
OT as well as IT assets.
Policy Recommendations
Congressional action should not allow for ``learned helplessness''
by Federal Government agencies or private industry. There is too much
at stake for individuals and organizations to remain negligent and not
take even the most basic steps to improve their cyber posture.
Tenable recommends the following steps that Congress should
implement to enhance the cyber preparedness of U.S. critical
infrastructure:
 Establish baseline cybersecurity requirements or standards
of care for critical infrastructure that align with CISA's
Cross-Sector Cybersecurity Performance Goals, international
standards, and the NIST CSF, based on effective cyber hygiene
and preventive security practices.--Basic cyber hygiene for
critical infrastructure operators includes continuous
understanding of what assets are on networks, ensuring strong
identity and access management, scanning for and patching known
vulnerabilities, and implementing incident detection and
response capabilities. Pillar One of the recently released
National Cybersecurity Strategy calls for baseline
cybersecurity requirements for critical infrastructure
providers. The CISA Cross-Sector Cybersecurity Performance
Goals, based on the NIST CSF, are an excellent resource for
industry and Sector Risk Management Agencies to utilize in the
development of baseline requirements and standards of care.
 In its oversight of CISA implementation of CIRCIA, Congress
should ensure that CISA: is adequately resourced to ingest the
wealth of information that will be shared by critical
infrastructure entities; will request and share anonymized data
on the types of vulnerabilities that were exploited and the
attack paths that adversaries followed after infiltrating
target networks; and provides actionable information through
trusted partners, such as JCDC Alliance Partners, to provide
cyber situational awareness to the broader critical
infrastructure ecosystem to enable entities to protect
themselves against on-going and potential attacks.
 Require Independent Assessments of IT Management Software.--
CISA should apply the Sarbanes-Oxley ``separation of duties''
principles to cybersecurity and prohibit the provider
responsible for developing and/or running IT management
software from also conducting its exposure management or
otherwise testing its security, conducting security audits, or
reporting on its security.
 Continue implementation of the NSTAC IT/OT Convergence
Report policy recommendations.
     Direct Federal civilian agencies to inventory their OT
assets and provide OT asset and vulnerability information
to the CDM Dashboard.--CISA has already taken steps to
address this obstacle through BOD 23-01, but Congress
should reinforce the need to gain visibility into these
mission-critical environments so we can understand the
scale of cybersecurity challenges and begin to
systematically address the serious risk. The foundation for
every security framework, whether IT or OT, always begins
with visibility into the assets for which you are
responsible. Achieving this visibility is a significant
step forward for Federal departments and agencies to
protect their critical IT and OT assets against evolving
cybersecurity threats.
     Develop enhanced OT-specific cybersecurity procurement
language.--Public- and private-sector OT requests for
proposals and procurement processes seldom require the
inclusion of risk-informed cybersecurity capabilities for
products and services. Updating procurement language
guidance will help asset owners specify that cybersecurity
be built into products and projects rather than bolted on
as an afterthought. Including cybersecurity in both
government and private-sector procurement vehicles will
significantly enhance the resilience of critical
infrastructure systems.
     Implement standardized, technology-neutral, real-time
interoperable information-sharing mechanisms to promote the
sharing of sensitive information across agencies and to
break the traditional siloed approach.--Cyber attacks often
target multiple critical infrastructure sectors and
attackers have the ability to move at machine speed to
compromise multiple industrial sectors. Our defenses need
to match this threat and it is imperative for our critical
infrastructure sectors to securely communicate with each
other to get the right information to the right person, at
the right time, in a standardized, technology-neutral way,
in order to leverage cyber threat and vulnerability
information from the broader critical infrastructure
ecosystem.
 Ensure CISA and FCEB agencies are adequately resourced to
implement BOD 22-01 and BOD 23-01 policy recommendations.--
Protecting our Nation's cybersecurity means knowing what's on
our networks and maintaining it in good working order, which
includes conducting an inventory of OT assets and prioritizing
remediation of known vulnerabilities. If an organization does
not know an asset exists, it cannot scan it for
vulnerabilities. With the issuance of BOD 23-01, Federal
agencies need comprehensive visibility into their assets and
vulnerabilities across their organization. This includes:
     External unknowns
     Cloud workload and resources
     Operational technology
     Network infrastructure and endpoints
     Web application
     Identity systems.
 Ensure sufficient funding for CISA and the Office of the
National Cyber Director to ensure they can meet mission
requirements.--Our company supported the creation of the Office
of the National Cyber Director and applauded efforts to stand
up and staff the new office. The threats to Federal networks
and critical infrastructure are growing at a significant rate,
and CISA must serve as an effective coordinator to strengthen
security in these environments. Congress should see the fiscal
year 2024 appropriations for CISA as a new baseline number,
which should grow at a rate commensurate with the needs of the
mission.
 Support and strengthen value-added engagement between the
private sector and public sector.--The JCDC, of which Tenable
is a member, is bringing together representatives from private
industry and key Government agencies to drive strategic
planning and incident response capabilities. This type of
operational Government-industry engagement has been a positive
step forward and we urge Congress to continue supporting and
strengthening the JCDC's alignment.
 Accelerate deployment of Zero Trust including Active
Directory and Attack Surface Management.--Congress should
provide Federal agencies with the resources needed to implement
Cyber Executive Order 14028 to modernize and strengthen our
collective cyber defenses, recognizing that Zero Trust is a
philosophy that dictates systems design and operation, not a
singular product.
     All Government systems must incorporate Active Directory
security to ensure least privileges for user identities,
and to scan for misconfigurations that can be exploited to
gain access to Active Directory and monitor for on-going
suspicious and high-risk activities within Active
Directory.\33\
---------------------------------------------------------------------------
\33\ U.S. Department of Commerce, ``NOAA Inadequately Managed Its
Active Directories That Support Critical Missions,'' https://
www.oig.doc.gov/OIGPublications/OIG-22-018-A.pdf.
---------------------------------------------------------------------------
     Attack Surface Management, which continuously scans the
internet to discover, inventory, classify, and monitor an
organization's IT infrastructure, will give agencies
complete asset discovery, increase awareness of what is
actually on their networks, and will improve vulnerability
management.
Conclusion
There are fundamental steps all Federal agencies and critical
infrastructure sectors must take--from knowing what's on their network
and how those systems are vulnerable to addressing known exposures, and
from controlling user access and privileges to managing critical
systems that are interconnected--that will make it harder for bad
actors to compromise interconnected IT and OT systems.
Many critical operating environments lack a formal systemic
approach to risk assessments and processes, let alone the continuous
visibility expected for critical services and high-value targets. These
formal processes are desperately needed as rapid increases in access
and interconnectivity dramatically increase risk. In these instances,
policy guidance for transparency and standards of care can help drive
improvements in risk management practices and at the same time foster
innovation.
Thank you Chairman Garbarino, Ranking Member Swalwell, Chairman
Green, Ranking Member Thompson, and Members of the subcommittee for
your attention to these important issues and continued assessment of
the work CISA is doing to keep Americans safe. I appreciate the work
this committee is doing to elevate cybersecurity with bipartisan
support. Thank you for the opportunity to testify today and I look
forward to working with you to secure our Nation's cyber assets.
Chairman Garbarino. Thank you, Mr. Edwards.
Members will be recognized by order of seniority for their
5 minutes of questioning. An additional round of questioning
may be called after all Members have been recognized.
I now recognize myself for 5 minutes.
Ms. Sherman, Congress has increased CISA's budget from
$1.68 billion to $2.9 billion in a couple of years. This is a
big increase, even for a mature department. In your experience
analyzing CISA more broadly since its inception, how has this
increase in budget changed CISA's coordination assistance to
the private sector?
Ms. Sherman. CISA, a few years back as it was stood up and
then subsequently within a couple of years, undertook a
reorganization. As a function of that reorganization, there was
movement within the agency to kind-of reshape different offices
and the roles that they played.
I think GAO, we took a look at the reorganization and at
that time made a number of recommendations with respect to both
coordination within CISA and coordination between CISA sector
risk management agencies, State and local entities, and the
private sector, and a number of those recommendations still
remain open. So, in part, the additional budget that the agency
has been receiving over time and how it's using those funds is
really important as it's thinking about implementing not only
the recommendations that we made, but being able to implement
an effective organization to be able to address cybersecurity
issues and infrastructure security issues, the different parts
of its mission. But it remains a challenge because it has a lot
of priorities on its plate and it also is at, I think, a
difficult position with challenges with respect to the
cybersecurity work force as well and being able to fill
positions within the agency.
So we continue to monitor and watch the efforts that they
have undertaken, but it's a daunting task in a lot of ways.
Chairman Garbarino. I am not going to ask you for the list
of recommendations they haven't fulfilled yet right now, but if
you can get that to us, that would be great to have for the
upcoming hearing we are going to have with Director Easterly.
Ms. Sherman. Absolutely.
Chairman Garbarino. I just want to ask, has CISA's sector
risk management agency capabilities matured at a similar rate
to its budget or budget growth or?
Ms. Sherman. That's an interesting question. We cannot say
for certain. Part of that is with our current review, or the
review that we just recently completed and issued a report on,
we attempted to try to get an understanding and spoke with all
the sector risk management agencies to understand exactly what
their maturity levels are and the extent to which they've been
affected in their roles. But CISA doesn't have a very good
handle on what that looks like. In fact, we heard that directly
also from those agencies themselves. Part of the recommendation
that we made was to be able to establish milestones and time
lines to implement some of the efforts they have under way, one
of which is being able to better understand and assess maturity
and effectiveness of those agencies.
Chairman Garbarino. Thank you very much.
Ms. Hogsett, I want to move over to you now. I am fortunate
to not only to serve as Chairman of this committee, but as a
member of Financial Services. I look forward to working with
BPI and other financial service industry stakeholders on cyber
issues.
But I want to ask you, how has the authorization--I think
you mentioned a little bit in your opening statement--how has
the authorization of new reporting requirements like the Cyber
Incident Reporting for Critical Infrastructure Act, changed
your sector's relationship with CISA?
Ms. Hogsett. Thank you for the question.
So I think our relationship with CISA right now is, we have
a very good relationship. CISA has been able to establish
itself as a trusted partner not only for our sector, but a
variety of others. So I think the voluntary information sharing
that they have today will be improved with implementation of
the new Incident Reporting rules. But it is really important
throughout that process that CISA look at the existing
regulations. We within the financial sector have several that
are all sort-of happening at the same time and impacting a firm
in a really challenging way.
So just by way of example, we from a regulatory perspective
have an incident notification rule to notify our primary
regulators within 36 hours that a significant event may have
occurred. Then the reporting to CISA after that with more
detail within 72 hours, which the benefit of that will help
CISA have a better view of the threats and what's happening out
there to improve its ability to support critical
infrastructure. So we very firmly believe that this is
important work. But then for us now and other companies who
fall under the Securities and Exchange Commission, we are also
then potentially facing about a day later a public notification
of those same incidents and challenges which will undermine
some of the work that has been done by our regulators and by
CISA.
So we think that CISA is in an important role to really
move forward and get this right. There is a requirement to
streamline those requirements which we stand ready to assist
and engage with them to help make that happen. It will be a key
challenge and I think most importantly, the fact that CISA is
not a regulator will be helpful in this effort.
Chairman Garbarino. I appreciate that.
My time has expired, so I now call--I will start with other
questions. OK, sure.
I now recognize Representative Carter for 5 minutes.
Mr. Carter. Mr. Chairman, thank you very much, Ranking
Members--Member rather. Thank you all for being here.
Ms. Hogsett, in your submitted testimony you emphasize that
in order for there to be successful implementation of CIRCIA,
it is critically important that these agencies harmonize for
their reporting requirements to optimize protection and
response, a streamlined coordination. Let's take a step back
here and see how private-sector entities, specifically the
banking sector, for which you are an expert, can speak to how
the private sector assesses cyber risk internally, how they
ensure the risk assessments that they utilize are objective,
independent, and reliable.
Ms. Hogsett. So financial institutions have a variety of
different requirements that we need to meet with our
regulators. So we have--just at the Federal level we have, for
instance, the Federal Reserve Board, the Office of the
Comptroller of the Currency, the Federal Deposit Insurance
Corporation, all of whom look at cyber risk management
practices, they look at third-party risk management, they look
at how you architect your systems for operational resilience.
So what firms do internally is we have actually what we refer
to as a three lines of defense model, in essence, where you
have your front-line cyber defenders doing a lot of work, you
will have a second line, which is independent of that and will
look at those policies and programs and challenge them
internally, and then you have a third line internally, which is
internal audit, which will then do all of that same work again
from yet another independent perspective. Then we have for the
largest institutions, they have an on-site examiner sitting in
their headquarters working with them day in and day out. So
there was an on-going oversight relationship there. So it's a
very complex interwoven set of rules and requirements that we
work with every day.
Mr. Carter. What input do you get from outside with that,
do you?
Ms. Hogsett. So firms will bring in outside security
consultants to do additional review, things like penetration
testing, to sort-of test how good their defenses are from a
variety of different angles. They will assess themselves
independently against things like the NIST Cybersecurity
framework. That happens alongside and in addition to the
regulatory oversight that happens. All of that gets reported up
to senior management and the board of directors level for
regular conversation and action.
Mr. Carter. So with technology moving as fast as it does,
as you evaluate the risk, the pace at which the bad guys, if
you will, are getting technology to undermine systems, how are
we doing with keeping pace with the outside forces that we have
to manage?
Ms. Hogsett. It is absolutely a challenge and it is one
reason why you need to ensure that any rules put in place are
flexible and can be adaptable over time, because the threats do
change. So we have layered defense models. Zero trust was
mentioned earlier, that's one of multiple things that we will
employ. The challenge there is in the regulatory structure to
be nimble and get that right and not dictate that something has
to be protected a certain way or with a certain type of
technology. Because I think that's where you can run into
challenges. You need that flexibility and that ability to be
nimble in how you're protecting your organization.
Mr. Carter. Thank you.
Ms. Sherman, presently FISMA requires annual audits of
Federal Government entities to conduct cybersecurity compliance
and risk assessment. Their inspector general or an independent
auditor can conduct this for them. This ensures reliability of
the information that they share with CISA, it ensures
accountability. What can be done to ensure that this
reliability and accountability with private-sector entities as
information-sharing reporting requirements expand?
Ms. Sherman. With respect to the ability to ensure
reliability of the data and information sharing, I think it's
important. We've been talking today so far about the
partnerships and the relationships not only between CISA and
the sector risk management agencies but between the sector risk
management agencies and all of the other critical
infrastructure entities that they rely on the owners and
operators, the SLTTs and others in the private sector. That
partnership is critical in order to be able to bring and be
able to receive reliable information.
But that comes from a place of trust, which can be
challenging sometimes, to be able to acquire that type of
information on a regular basis and again, have that flow of
information in order be able to really kind-of understand what
actions are being taken and also how the specific sectors are
carrying out their work in order to be able to improve
cybersecurity.
The partnerships working to strengthen those partnerships
would help to encourage trust and would contribute to building
the information sharing or improve the information sharing in
order to have more reliable data.
Mr. Carter. Thank you.
Chairman Garbarino. The gentleman yields back.
I now recognize my friend from Florida, Mr. Gimenez for 5
minutes questioning.
Mr. Gimenez. Thank you, Mr. Chairman.
As the Chairman of the committee's Transportation and
Maritime Services Subcommittee, I have a distinct interest in
transportation and maritime cybersecurity.
So in light of what happened in the Colonial Pipeline a
couple of years ago, Mr. Bagley, have you seen any improvements
in our posture, in our ability to stop these kind of attacks,
ransomware, and others in the future in our pipelines?
Mr. Bagley. Thank you for the question.
Vast improvement from a technological standpoint in terms
of the capabilities available, as well as the ability for those
cyber have-nots to be able to acquire sophisticated defensive
cybersecurity technologies in recent years. However, there is
still a great disparity between those who are deploying these
technologies, like endpoint detection and response, zero trust
architecture, identity protection and whatnot and those who are
not.
However, one of the things that we've seen as a positive
development in recent years has been the call to action from
Executive Order 1428, which calls out the very same
cybersecurity technologies that are successful by many large
entities in the private sector. In CISA's efforts to expand use
of these technologies within Federal Government as well as
within critical infrastructure entities, is one where we're
still in the early stages, but so far we are seeing the
technology proliferated more. I think that that's important
because right now we're really in a war of innovation against
adversaries. Adversaries traditionally had to have some sort of
technological ability themselves and now we're in an era in
which literally there are access brokers that sell credential
access to victim organizations, we're in an era in which there
is not only ransomware, but ransomware as a service. Meaning a
threat actor does not actually have to develop the ransomware
themselves or even operate it in many cases in order to deploy
it and target it. So that's where the threatscape has changed
in recent years and yet the defensive capabilities are
fortunately improving.
Mr. Gimenez. So are you saying that you have, like, rent-a-
cyber attack?
Mr. Bagley. That's correct, Congressman. It is now possible
not only for ransomware, but for other types of services, such
as if a threat actor wants to do data leak extortion whereby
they infiltrate a victim organization, exfiltrate data, hold it
ransom, and perhaps leak some of it subject to a ransom or
purely for embarrassment and destruction of that organization's
reputation, they're able to do so without actually being able
to code themselves or even have the infrastructure because they
can rent it in the same way that we use different services
today or the same way we pay for our monthly services as
consumers.
Mr. Gimenez. Where are the vast majority of these companies
for rent? Where are they located?
Mr. Bagley. These threat actors are located throughout the
world. Our reporting certainly shows that naturally there are a
lot of threat actors based in Eastern Europe and in Russia who
run some of these ransomware-as-a-service operations. But
they're proliferated throughout the world.
Mr. Gimenez. The ones that are operating out of Russia, is
it your thought that they are wink, nod, et cetera? They are
allowed to operate in Russia by the Russian government? If the
Russian government wanted to shut them down, could they?
Mr. Bagley. From what we've seen, we've certainly seen use
of nation-states, including Russia, utilizing and leveraging
the capabilities of Ecrime actors to carry out state goals and
means. That's certainly the case with Russia.
Mr. Gimenez. What about China?
Mr. Bagley. China traditionally targets just about every
sector. Recently, we released our Global Threat Report and in
it what we saw from the data that we've analyzed is that China
has targeted just about every sector, not only in the United
States, but also more broadly around the globe for its aims.
Mr. Gimenez. Does anybody attack China?
Mr. Bagley. I imagine there are others who might be able to
answer that on behalf of the U.S. Government, but certainly
cyber attacks are rampant everywhere.
Mr. Gimenez. Look, in a nuclear age, we have mutually
assured destruction, which kind-of kept the peace. So do you
find that the Russians and maybe the Chinese and those bad
actors are operating with impunity? Is that your opinion?
Mr. Bagley. Well, what we see is that you not only have
nation-state actors to contend with in the modern era, but you
also have Ecrime groups which will run by their own rules, as
well as hacktivist organizations, which will be motivated by
specific aims related to issues.
Mr. Gimenez. OK, thank you very much. My time is up. Thank
you.
Chairman Garbarino. The gentleman yields back.
I now recognize Mr. Menendez for 5 minutes for questioning.
Mr. Menendez. Thank you, Mr. Chairman, for convening us
here today, thank you to our witnesses, and to our Ranking
Member.
In recent years, communities across the country have been
impacted by the spike in ransomware attacks. Last year, as part
of the bipartisan infrastructure law, Congress provided $1
billion over 4 years in new grants to improve the cybersecurity
of State and local governments.
Mr. Edwards, as State and local governments seek to utilize
this new strength in their cybersecurity, how should they
prioritize their cybersecurity investments? Do you believe
additional support for State and local cybersecurity will be
necessary going forward?
Mr. Edwards. Thank you very much for your question.
In general, my perspective is that we should look at those
systems that have the highest risk to society. In my perhaps
not-so-humble opinion, that usually falls to these operational
technology systems that operate things like power grids,
pipelines, and other infrastructure that's critical. I think
that both the U.S. Federal Government and State and local
governments have done a reasonably good job of prioritizing
what I would call information technology, or IT, security over
the years, right. But we certainly are behind in investing in
protection of these critical systems that are industrial control
system applications or other operational technology
applications.
I think when it comes to funding for the States, that seems
to be a good mechanism that we use in our country to ensure
that the State and local governments have the adequate types of
programs that they need to run. I think that cybersecurity is
going to benefit, for example, from the cybersecurity language
that was inserted into the Infrastructure and Jobs Act and
things like that.
So I see some positive trends with regards to funding at
the State and local level. They do need to, I think, move
beyond--some of the other witnesses talked about going in to do
an assessment of a facility or a system. We used to do that
kind-of on a periodic basis. You'd go in and hire a consultant
and do an assessment once a year or once every 3 years and it
would satisfy your compliance requirements. I don't think that
we can live in that world anymore. We need to move to
continuous visibility so that we know what's happening on those
networks at all times, rather than waiting for somebody to come
in in 2 years to tell us that we were hacked a year-and-a-half
ago.
Thank you for your question.
Mr. Menendez. No, I appreciate your answer.
Mr. Bagley, you have mentioned a couple of times the
cybersecurity haves and have-nots. We are still clearly trying
to come up with a cohesive system to address our greatest,
highest-risk assets. Talk to us about some of the challenges in
scaling up cybersecurity protections for all different segments
of our industries, economy, folks of different size who want to
implement cybersecurity best practices, but No. 1, have an
allocation of resource challenge and No. 2, I think the
director also mentioned the cybersecurity work force. Are we
training enough people?
So, sort-of a two-part question, but would love to get your
thoughts on those items.
Mr. Bagley. Thank you for the question.
One of the recent positive developments that we've seen is
that managed service providers are able to augment existing
security programs or sometimes completely replace security in
an organization that would not otherwise be able to afford to
have its own security program. One of the advantages of modern
managed service providers is that managed service providers can
bring the very same sorts of cybersecurity best practices that
are currently called upon in the U.S. Government today, such as
endpoint detection and response as well as proactive threat
hunting.
One of the things that managed service providers can bring
is scale, meaning that a small organization that might not be
as well-resourced, a cybersecurity have-not, could easily
utilize a managed service provider instead of building its own
security program, whereas if we look back not that many years
ago when we looked at the cybersecurity haves and have-nots,
the have-nots would not have the capabilities of building their
own security program. It might not have an alternative, and
today there exists an alternative.
I think that's something that can be highly effective and I
think that that can be highly effective too when we look at the
SLTT space and we look at the broader Federal Government space
and think about shared services models. So for example, with
CISA, with its newer powers as a CISO, CISA is able to bring to
bear cybersecurity capabilities to Government agencies that
traditionally have lacked the same resources as their larger
counterparts. This trend is one that we see in the private
sector as well.
Mr. Menendez. Appreciate it. Four seconds. I will yield
back the remainder of the time, but do want to hopefully
eventually get everyone's thoughts either in writing, but about
the challenges that we are seeing from a work force perspective
and what we could do at the Federal Government to ensure that we
are aiding and developing that work force so we can meet these
challenges with a robust system.
I do apologize for going over, Chair.
Chairman Garbarino. Not a problem.
The gentleman yields back.
I now recognize my friend from Mississippi, Mr. Ezell, for
5 minutes of questioning.
Mr. Ezell. Thank you, Mr. Chairman.
As a former sheriff with decades of experience fighting to
protect the people and communities in Brown, South Mississippi,
I am eager to join the Cybersecurity and Infrastructure
Protection Subcommittee to combat the threat of the malicious
cyber actors.
Mr. Bagley, you have talked today about how JCDC aims to
connect private industry with Federal partners such as DoD, the
intelligence community, and law enforcement. In your role, can
you describe how JCDC interacts with local law enforcement?
Mr. Bagley. Thank you for the question.
From my perspective as a stakeholder in JCDC, from what
we've seen is we've seen it's very issue-oriented. So, for
example, if there is an issue, such as certainly what we saw
come to bear with Log4j, where CISA was rallying all members to
come together, bring information, share information, and
consume information, we've certainly seen involvement at all
levels of government and what--where JCDC can share information.
Specifically, in terms of how local law enforcement is
prioritized within the apparatus of JCDC, I would defer to CISA
leadership, but we've certainly seen involvement across
industry and across government in JCDC.
Mr. Ezell. Do you think the balance between CISA's asset
response and the FBI's threat response activities has been
successful?
Mr. Bagley. I think that there are certainly different
missions at play. One of the strengths of JCDC is that it's not
trying to necessarily define a brand-new mission for all
stakeholders, but instead be a centralized place where
stakeholders with different missions can come and cooperate. So
naturally, the FBI, having an interest in law enforcement and
focusing on seeking justice for victims, is one where the FBI
obviously has ad hoc relationships with partners. But I think
the strength is the FBI can bring its expertise to JCDC and
similarly JCDC and its mission as a civilian agency focused on
cybersecurity for regulated entities as well as a convener of
public and private partnerships, can utilize that expertise and
the expertise of others. I think that naturally strengthens the
dynamic, especially if we think about having the system in
place in the event of big events, such as the Log4shell, Log4j
event.
Mr. Ezell. Thank you.
I want to move on to the importance of leveling the playing
field to ensure there is active participation from a mix of
large- and small-sized companies. What can CISA do to be more
business-friendly in order to increase participation?
Mr. Bagley. I think that as JCDC grows in its structure, I
think it's important to put into place different structures so
that as it expands there can be different working groups that
might be well-suited for organizations of different sizes or
organizations focused on different topics in general. So I
think that's one way.
I think also CISA, what we've seen in recent years is CISA
has certainly demonstrated its ability to serve as a
clearinghouse for certain types of information and proliferate
that information to the community. I think that's another one
where there is an awareness component in addition to, of
course, a resource component when we think about the
cybersecurity haves and the have-nots. I think CISA has an
important role to play and that it has been playing in recent
years with regard to raising awareness not only about
cybersecurity threats, but also cybersecurity resources and
capabilities. I would expect that that would continue to grow
and expand and be for the benefit of smaller entities.
Mr. Ezell. Thank you for your answer.
Mr. Chairman, I yield back.
Chairman Garbarino. The gentleman yields back.
I now recognize the Ranking Member for 5 minutes of
questioning.
Mr. Swalwell. Great.
Ms. Sherman, GAO has made a number of recommendations
related to how CISA can improve its support to critical
infrastructure and sector risk management agencies. Can you
just prioritize those recommendations?
Ms. Sherman. What I would want to do is I would want to
highlight actually in our recently-issued report from last
month, we included a section in the report where we outlined
all outstanding open recommendations that we had made to sector
risk management agencies, specific to critical infrastructure,
of which there are many. There are challenges in prioritizing
those recommendations, but what we would say with respect to
CISA is that it's important for CISA to take in the near-term,
a set of following actions. We think that there are gaps in
guidance that the agency could provide. In part, this has to do
with the national plan and being able to update the national
plan and the sector-specific plans. We understand that there's
a pause essentially that's going on with a lot of the sector
management agencies because of the PPD-21 rewrite, but we think
that CISA can be taking action in the interim to position
themselves to be able to update those plans expeditiously once
the rewrite is completed.
We also feel that there could be opportunities, of course,
to be able to standardize the set of approaches in order to
really understand--harking back to what we were talking about a
little bit before, how mature and how effective these agencies
are in their efforts. So we would want CISA to prioritize being
able to collect that information.
I think finally, that feedback loop of really being able to
understand what the relationships are like between the sector
and all of their partners, look at those existing partnerships,
getting a recognition of what's working and perhaps what's not
and where improvements can be made.
Mr. Swalwell. Great.
Exactly the cogent answer I would expect from a fellow
government and politics degree holder from the University of
Maryland.
Ms. Sherman. I noticed that. Thank you.
Mr. Swalwell. Go Terps.
Ms. Sherman. Go Terps.
Mr. Swalwell. Mr. Edwards, can I also ask you, JCDC has a
new dedicated unit focused on industrial control system
security. What should we expect to see from the JCDC ICS?
Mr. Edwards. Yes, thank you for your question.
It certainly is a fairly new initiative that the JCDC has
taken on to build a dedicated group, or a tiger team, I guess,
of sorts, for industrial control systems. I think I agree with
my other witnesses here that have stated that in order to be
successful, the JCDC is going to have to be able to break some
of these topics down in all discussions, rather than having
every discussion happen with the entire group, right. This is
going to be a scalability challenge of sorts, right, where we
can't solve every problem with everybody in every room, we have
to break these into smaller digestible pieces. So I believe
that we will see a lot of good information come out of the JCDC
ICS group or OT group.
The other thing I believe that is important that CISA can
work on here is with regards to the CIRCIA, incident risk
reporting. That information, when it comes in and is analyzed,
needs to be disseminated to technology service providers such
as represented here, so that we can build the coverage to
detect those threats or those weaknesses in those systems in a
timely fashion. So we're eager to work with CISA and the JCDC
construct on how to best make this into a machine-readable,
real-time, information-sharing platform.
Mr. Swalwell. Great.
Building off of Mr. Menendez's point at the end of his
questioning, Mr. Edwards, what is your assessment of the
current state of our Nation's OT cybersecurity work force? What
can the Federal Government do to ensure that OT cybersecurity
skills are prioritized in any work force development training?
Mr. Edwards. Yes, it's a very complex problem, right. So
you have sort-of this overlap between cybersecurity
professionals who typically come from business colleges or
degrees, they've come up through the business side of a
corporation or an enterprise, and the operational technology
people such as myself come from an engineering background, and
many of the engineering schools, the curricula are such that
there's no more room to put in there to talk about
cybersecurity, they're going through the physics and the basics
of an engineering discipline. So I think that in some cases,
the educational institutions themselves are somewhat challenged
with how to put this in.
Another thing that I believe is that we have a little bit
of a chicken or the egg problem, right. As the NSTAC report
stated, we believe that the United States actually has the
technology and actually has the knowledge base to solve these
problems. We just haven't manifested it at scale. So I think
things like the NICE Framework, that are coming out with work
force development, that are focusing more on OT, are good
initiatives, and we should continue to invest there.
Mr. Swalwell. Great. Thank you.
I yield back.
Chairman Garbarino. The gentleman yields back.
I now recognize Ms. Lee from Florida for 5 minutes of
questioning.
Ms. Lee. Thank you, Mr. Chairman.
In my former role as Florida's secretary of State
elections, I worked extensively with CISA in securing our
elections infrastructure. CISA was a key partner to State and
local elections officials. I look forward to our work together
to ensure that we are advancing cybersecurity across all of the
critical infrastructure sectors.
My questions, I would like to begin with you Ms. Sherman,
and specifically in the subject of elections and election
security, since it has been designated part of our critical
infrastructure. First this, because CISA has become such an
important part of assisting and aiding State and local election
officials, would you describe for me some of the things that
you think are working well there? Or if there are other places
where CISA needs additional support or resources from Congress
to make sure that you can do that job effectively?
Ms. Sherman. So the election security sector is in some
respects, I think, just a little over 5 years old and the
subsector-specific plan that guides it also is somewhat
outdated. So for the last election, guidance was put out by the
Subsector Coordinating Council to ensure that there was a more
kind-of relevant, timely understanding of efforts and to be
able to kind-of fill that gap--or in the absence of an updated
plan.
In the recent review that we carried out, we did hear from
individuals that we spoke with, officials that we spoke with,
and actually as part of the priorities work for last year that
we had carried out with CISA, that the agency has done a good
job of sharing election-specific information that's general, so
kind-of Nation-wide threats to consider, but that there was an
interest and a desire for and a need for more locally-tailored
information. So the information they had was limited along
those lines and they were looking for more.
We also heard that with respect to day-of capabilities and
ability to have kind-of a quick response for incidents that
occur, that CISA should build their capacity along those lines
as well.
Ms. Lee. You just touched on something that is
another area of interest for me, and that is specifically the
incident response capability. At present is CISA able to meet
the call when that is coming in or are you receiving a larger
number of requests for that more hands-on critical incident
response than you can provide?
Ms. Sherman. I can only speak to the conversations and the
information that we had and collected during the course of our
specific review. But that is something that we had heard from
election officials, that there was a concern that the agency
did not necessarily have those capabilities in place to be able
to quickly address an incident that might occur, and they were
looking to work and partner with CISA to help build that
capacity.
Ms. Lee. Do you have any thoughts--another feature
I think of the approach to securing infrastructure is a need
for CISA to work collaboratively with other Federal law
enforcement partners. Any feedback for us about how that is
going or any input about how the relationships with other
Federal law enforcement partners are productive or could use
additional enhancements?
Ms. Sherman. We didn't collect any information specific to
the relationship between law enforcement and the election in
the course of our review, so I can't speak in detail to that.
But I can talk to the fact that local officials also pointed to
limited awareness and conversations or dialog at the Federal
level and that they wanted to see more of that as well.
Ms. Lee. Thank you, Mr. Chairman.
I yield back.
Chairman Garbarino. The gentlelady yields back.
I will now move into a second round of questions.
I recognize myself for 5 minutes of questioning.
Chairman Garbarino. Ms. Hogsett, the Biden administration
released its new National Cybersecurity Strategy. The strategy
rightly emphasizes the need to harmonize regulations to avoid
duplication and overly burdensome requirements, but the
implementation plan will be key to demonstrating how they
actually plan to achieve harmonization.
What sorts of aspects will you look for in the eventual
implementation plan to deconflict requirements?
Ms. Hogsett. We've actually started discussing
implementation with the National Cyber Director's Office
because this is such a critical issue for us to get right.
The challenge that we in financial services face, and
certain other sectors will as well, is the fact that most of
our regulators are independent. So no matter what CISA may put
out, it's still up to them, in essence, whether they will
follow that and align. We are lucky that three of our primary
regulators collaborate with each other and have done a lot of
work to sort-of streamline and align their requirements where
they can. I know they're participating in some of these
Government conversations right now, but that's like 3 out of 9,
for instance, that we have to work with across our sector.
So it's really important for us. Actually something where
Congress could help, I think is encourage when it comes to
cybersecurity. Given the importance of getting it right, given
the work force challenges that we've just been discussing, we
are frankly hearing increasing concern from our member firms
that the regulatory and Government reports are placing a strain
on the existing staff. We have some figures that folks are
spending anywhere from 30 to 40 percent of their time not
focused on the day-to-day protective mission that is so
important that they need to do; instead, they're focusing on
compliance matters. That's a challenge and that can't continue
as we layer on new and additional requirements, which, each on
their own, can be very beneficial, but when you layer them
together, it's a real challenge.
So our hope and the discussion that we've started having
with the White House is how can we get to sort-of this idea of
regulatory reciprocity where one regulator might accept
another's work, where can you create even an 80 percent
solution where you align on the core things that various
regulators and Government agencies would want, and then you're
just doing some additional pieces above that. That's the
conversation that we're looking forward to contributing to and
is critically important for us.
Chairman Garbarino. Appreciate that answer.
Then I know everybody talks about we are going to have a
separate hearing just on work force if we need to.
I did want to ask you this before when we were talking
about the incident reporting, the legislation and the rule-
making that is going on, with the implementation we have heard
about how there is no private-sector work force, there are a
lot of people. Does CISA have the proper amount of work force
for a proper implementation of the incident reporting language,
in your opinion?
Ms. Hogsett. It's a very good question. I'm not sure. What
we would hope to see at this point is one or two people are in
an office set-up that we can go to on a regular basis to have a
dialog. That's what we do with our regulators. We would like to
see CISA set that up. It was good that they put out a request
for information. We certainly responded to that. They did a
series of sort-of listening sessions. But there are so many--I
mean, as you know, the 16 critical infrastructure sectors, each
of them is so unique. For those that have regulations, even
those regulations, whether you're talking from an OT or an IT
perspective, they can be very different. So we think and would
love support to have CISA set up more on-going dialog so we can
kind-of help them jointly problem-solve to make sure they get
this right.
Chairman Garbarino. I appreciate that answer.
I just have one final question for Mr. Bagley.
I understand CISA, through the JCDC plans to update the
National Cyber Incident Response Plan. In your view, where does
CISA's role start and stop in terms of incident response and
support of the private sector?
Mr. Bagley. Well, I think we have to think about what the
stakes are today. What we've seen in recent years with some of
the high-profile systemic cyber attacks that JCDC in fact has
responded to, like the Log4j incident, is that they could have
been so much worse. So one of the things we have to anticipate,
and that should certainly be considered in that planning, is
how we as a Nation would deal not just with currently-
designated infrastructure, but how would we deal with some sort
of victim that in a specific context is fundamentally important
and that them being hit by, say, disruptive or destructive
ransomware would be catastrophic for the country. That's where
it's important to be able to have that flexibility to respond,
to rally both the public and private sector together to ensure
that we have the capacity.
One of the things that we see in the private sector is that
the way complex multinational organizations or large U.S.
organizations respond is by ensuring that they have playbooks
ahead of time as well as the actual resources on retainer, such
as incident response firms. I think for CISA to be able to
scale up, they must consider not only their own organic
capacity, but those of private partners as well.
Chairman Garbarino. Thank you.
I am out of time.
I now recognize the Ranking Member, Mr. Swalwell, for his
second round of 5 minutes.
Mr. Swalwell. Great. Thank you, Chair.
Ms. Hogsett, wanted to get the benefit of your wisdom on a
recent banking crisis that especially hit my area, that is
Silicon Valley Bank. We are still taking an MRI to this to see
exactly what happened. But one thing that was different in this
``run on the bank'' than any other was the speed at which it
happened. Of course, in the digital age, the speed at which you
can move money is different than having to wait on the phone or
wait in line in past crises. But we are also looking at the
role that on-line chatter and on-line panic and rumors led to
this run on the bank. I have sent a letter to the SEC with my
colleague Brad Sherman asking them as well to look at whether
there was a short that took place that was followed by any sort
of on-line manipulation of the market.
But have you all at the Bank Policy Institute, just in the
realm of cyber, looked at whether there was a potential cyber
incident around the run on Silicon Valley Bank?
Ms. Hogsett. We have not. I think it's early stages, so I
would be getting ahead of, I think, all of us who want to get
to a better sense for what happened and where were the
deficiencies.
It's an interesting point, though, around the role of
social media. We actually saw this with Colonial Pipeline, to
provide another example, where the initial reports were that
there were going to be sufficient gas supply. But when it hit
the news, human behavior kicked in and you had in essence, like
what we saw with the run on a bank, you had a run on gas
stations. So it's a new era where we need to think about how do
we communicate and involving social media. Treasury is our
sector risk management agency and we have actually recently re-
looked at our communications plans, including among large
banks, the trade associations, our information-sharing analysis
center, and Treasury's role with the regulators as to at
various points in time based on certain scenarios when might it
make sense for the Treasury Secretary to put something out and
do exercise that. So can't respond specifically to the SVB
example, but we are carefully watching that, so.
Mr. Swalwell. Did that incident at Silicon Valley Bank,
though, did it give you concern that a foreign adversary or a
hacktivist could seize on a bank crisis like that and use on-
line information or disinformation to try and manipulate a
result or to cause further chaos?
Ms. Hogsett. We did not see indicators of that with this
recent issue. However, the potential for mis-, dis- and mal-
information is very real and that is something that CISA has
done some work on. We've contributed to that. It is something
that firms need to consider and our firms internally for their
own response playbooks think about those dynamics as they plan
for when do you notify your board internally, if it hits the
media, what then? It makes the response that much more complex,
quite frankly, to think about it that way.
Mr. Swalwell. Great. Thanks, Ms. Hogsett.
Mr. Bagley, how can CISA give JCDC the structure and
clarity it needs to sustain momentum over time and how can we
do that without losing the flexible, agile features that make
it successful today?
Mr. Bagley. Thank you for the question.
I think one of the things that's very important is for CISA
to ensure that as JCDC grows, it's growing with intention, with
deliberation, and with a bit more structure. So that's not to
say that there's one ideal size for JCDC. Certainly there are
strengths to the fact that there are more members bringing more
capabilities, but the more that CISA can actually structure
with purpose and with theme different working groups, I think
that can lead to certain advantages and certain efficiencies.
Just as any organization that's going from start-up to scale
needs to adjust and reorganize, I think that is the case with
JCDC today. So it would be more structure and more working
groups. Great.
Mr. Swalwell. Great.
Chairman Garbarino. Thank you very much.
The gentleman yields back.
I thank the witnesses for the valuable testimony and the
Members for their questions. We got a lot of information today
and we are going to have to digest this and hopefully get some
answers from Director Easterly when she comes in. I talked
about we are going to have, I think, a future hearing on work
force. I think we should have one on IT-OT. I mean, there is
some really important stuff that was brought up to you today.
The Members of the subcommittee may have additional
questions for the witnesses and we would ask the witnesses to
respond to these in writing.
Pursuant to the committee rule VII(D), the hearing record
will be held open for 10 days.
Without objection, this subcommittee stands adjourned.
[Whereupon, at 11:21 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Question From Chairman Andrew R. Garbarino for Tina Won Sherman
Question. From GAO's perspective, are you satisfied with the level
of innovation seen from CISA and its industry partners as they evolve
to meet advanced persistent threats to Federal agency IT systems? Or
are we still doing things the same way as 5 years ago?
Answer. Response was not received at the time of publication.
Question From Chairman Andrew R. Garbarino for Marty Edwards
Question. The NSTAC report discusses the many benefits as well as
risks of IT and OT convergence. Will we always be faced with this
trade-off between efficiency and security? Are there any steps
organizations can take to mitigate the security risks while still
enjoying the benefits of digital transformation?
Answer. Response was not received at the time of publication.