[Joint House and Senate Hearing, 118 Congress]
[From the U.S. Government Publishing Office]




 
                      COMBATING RANSOMWARE ATTACKS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

               SUBCOMMITTEE ON CYBERSECURITY, INFORMATION
                 TECHNOLOGY, AND GOVERNMENT INNOVATION

                                AND THE

 SUBCOMMITTEE ON ECONOMIC GROWTH, ENERGY POLICY, AND REGULATORY AFFAIRS

                                 OF THE

               COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 27, 2023

                               __________

                           Serial No. 118-68

                               __________

  Printed for the use of the Committee on Oversight and Accountability
  
  
  
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
  
  
  
  
  


                       Available on: govinfo.gov
                         oversight.house.gov or
                             docs.house.gov
                             
                             
                             
                            ______

                  U.S. GOVERNMENT PUBLISHING OFFICE 
 53-719                  WASHINGTON : 2023 
                          
                             
                             
                             
               COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY

                    JAMES COMER, Kentucky, Chairman

Jim Jordan, Ohio                     Jamie Raskin, Maryland, Ranking 
Mike Turner, Ohio                        Minority Member
Paul Gosar, Arizona                  Eleanor Holmes Norton, District of 
Virginia Foxx, North Carolina            Columbia
Glenn Grothman, Wisconsin            Stephen F. Lynch, Massachusetts
Gary Palmer, Alabama                 Gerald E. Connolly, Virginia
Clay Higgins, Louisiana              Raja Krishnamoorthi, Illinois
Pete Sessions, Texas                 Ro Khanna, California
Andy Biggs, Arizona                  Kweisi Mfume, Maryland
Nancy Mace, South Carolina           Alexandria Ocasio-Cortez, New York
Jake LaTurner, Kansas                Katie Porter, California
Pat Fallon, Texas                    Cori Bush, Missouri
Byron Donalds, Florida               Jimmy Gomez, California
Kelly Armstrong, North Dakota        Shontel Brown, Ohio
Scott Perry, Pennsylvania            Melanie Stansbury, New Mexico
William Timmons, South Carolina      Robert Garcia, California
Tim Burchett, Tennessee              Maxwell Frost, Florida
Marjorie Taylor Greene, Georgia      Summer Lee, Pennsylvania
Lisa McClain, Michigan               Greg Casar, Texas
Lauren Boebert, Colorado             Jasmine Crockett, Texas
Russell Fry, South Carolina          Dan Goldman, New York
Anna Paulina Luna, Florida           Jared Moskowitz, Florida
Chuck Edwards, North Carolina        Rashida Tlaib, Michigan
Nick Langworthy, New York
Eric Burlison, Missouri

                       Mark Marin, Staff Director
       Jessica Donlon, Deputy Staff Director and General Counsel
             Raj Bharwani, Senior Professional Staff Member
                 Lauren Lombardo, Senior Policy Analyst
                      Peter Warren, Senior Advisor
             Jeanne Kuehl, Senior Professional Staff Member
      Mallory Cogar, Deputy Director of Operations and Chief Clerk

                      Contact Number: 202-225-5074

                  Julie Tagen, Minority Staff Director

                      Contact Number: 202-225-5051
                                 ------                                
 Subcommittee on Cybersecurity, Information Technology, and Government 
                               Innovation

                 Nancy Mace, South Carolina, Chairwoman
William Timmons, South Carolina      Gerald E. Connolly, Virginia 
Tim Burchett, Tennessee                  Ranking Minority Member
Marjorie Taylor Greene, Georgia      Ro Khanna, California
Anna Paulina Luna, Florida           Stephen F. Lynch, Massachusetts
Chuck Edwards, North Carolina        Kweisi Mfume, Maryland
Nick Langworthy, New York            Jimmy Gomez, California
Eric Burlison, Missouri              Jared Moskowitz, Florida
Vacancy                              Vacancy

 Subcommittee On Economic Growth, Energy Policy, And Regulatory Affairs

                      Pat Fallon, Texas, Chairman
Byron Donalds, Florida               Cori Bush, Missouri, Ranking 
Scott Perry, Pennsylvania                Minority Member
Lisa McClain, Michigan               Shontel Brown, Ohio
Lauren Boebert, Colorado             Melanie Stansbury, New Mexico
Russell Fry, South Carolina          Eleanor Holmes Norton, District of 
Anna Paulina Luna, Florida               Columbia
Chuck Edwards, North Carolina        Raja Krishnamoorthi, Illinois
Nick Langworthy, New York            Ro Khanna, California
                                     Vacancy
                         C  O  N  T  E  N  T  S

                              ----------                              
                                                                   Page
Hearing held on September 27, 2023...............................     1

                               Witnesses

                              ----------                              
Mr. Grant Schneider, Senior Director of Cybersecurity Services, 
  Venable, LLP
Oral Statement...................................................     7
Dr. Lacey Gosch, Assistant Superintendent of Technology, Judson 
  Independent School District
Oral Statement...................................................     8
Dr. Stephen Leffler, President and Chief Operating Officer, The 
  University of Vermont Medical Center
Oral Statement...................................................    10
Mr. Sam Rubin (Minority Witness), Vice President and Global Head 
  of Operations, Palo Alto Networks
Oral Statement...................................................    12

Written opening statements and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              

  * Report, SOPHOS, ``The State of Ransomware 2023''; submitted 
  by Rep. Connolly.

  * Letter, September 25, 2023 from Ercot to Committee; submitted 
  by Rep. Mace.

  * Memo, November 16, 2021, re: ``Supplemental Memo on 
  Committee's Investigation into Ransomware''; submitted by Rep. 
  Norton.

Documents are available at: docs.house.gov.


                      COMBATING RANSOMWARE ATTACKS





                              ----------                              


                     Wednesday, September 27, 2023

                        House of Representatives

               Committee on Oversight and Accountability

 Subcommittee on Cybersecurity, Information Technology, and Government 
                               Innovation

                                and the

 Subcommittee on Economic Growth, Energy Policy, and Regulatory Affairs

                                           Washington, D.C.

    The Subcommittee met, pursuant to notice, at 1:03 p.m., in 
room 2154, Rayburn House Office Building, Hon. Nancy Mace 
[Chairwoman of the Subcommittee on Cybersecurity, Information 
Technology, and Government Innovation] presiding.
    Present from the Subcommittee on Cybersecurity, Information 
Technology, and Government Innovation: Representatives Mace, 
Timmons, Burchett, Edwards, Langworthy, Connolly, and Lynch.
    Present from the Subcommittee on Economic Growth, Energy 
Policy, and Regulatory Affairs: Representatives Fallon, Fry, 
Brown, and Norton.
    Ms. Mace. Good afternoon, everyone, and welcome. This is a 
joint hearing of two Subcommittees of the Committee on 
Oversight and Accountability. One is a Subcommittee I chair, 
the Subcommittee on Cybersecurity, Information Technology, and 
Government Innovation. The other is a Subcommittee on Economic 
Growth, Energy Policy, and Regulatory Affairs, which is chaired 
by my esteemed colleague from Texas, Mr. Fallon. Since this is 
a joint hearing, we will have opening statements from the Chair 
and Ranking Member of both Subcommittees. That is a total of 
four opening statements, so I will attempt to keep mine brief.
    Cybersecurity has been a major focus of ours. Since I 
became the Subcommittee Chair, I am concerned that we, as a 
Nation, are not prepared for the increasingly sophisticated 
cyberattacks that will be fueled by AI. Businesses and 
government entities in my district and across the country have 
faced cyberattacks and been forced to pay huge sums of money in 
ransoms. The Federal Government itself still stores a sensitive 
data of tens of millions of Americans on half-century-old 
legacy systems running on COBOL, of all languages, which I 
learned at the age of 21, over 20 years ago, a coding language 
decades older than myself and Chairman Fallon. And we have got 
a shortage across the country of 700,000 cybersecurity 
professionals with job vacancies strewn across the public and 
private sector. We need all hands on deck to fill the gap. That 
is why I have sponsored legislation eliminating unnecessary 
degree hurdles to Federal cybersecurity jobs. The government 
cannot be turning away people with much-needed cyber skills 
just because they lack a 4-year degree.
    Cyberattacks come in different forms, but today we are 
focusing on ransomware attacks. These are intended to deny 
users access to files or entire computer systems. The 
perpetrators pledge to restore access if a ransom is paid and 
often charge an additional ransom for not disclosing sensitive 
stolen data. These sorts of attacks are nothing new. They have 
existed for decades, but back then they were unsophisticated 
and often unsuccessful in locking down systems. Amateur hackers 
were trying to squeeze small ransoms from individual users. The 
field has now matured and grown. That became clear in May 2021 
when the hackers, likely based in Russia or Eastern Europe, 
brought one of the major gas pipelines in this country to a 
standstill. The Colonial Pipeline went entirely offline 
briefly, causing the Federal Department of Transportation to 
declare an emergency in 17 states and here in D.C. in order to 
keep fuel supply lines open.
    In fact, when that hack happened was when we saw in the 
Southeast and in my home state of South Carolina, that is when 
gas prices really started to increase, and then they just never 
went back down. The problem shows no signs of going away. 
Malicious actors are constantly searching for areas of 
vulnerability. At the height of COVID, truly demented actors' 
favorite targets, like hospitals and schools, even the 
ransomware supply chain has expanded. Hackers now offer 
ransomware as a service to other criminal enterprises.
    The bottom line is that it is too easy today for malicious 
actors to do too much damage and make too much money with too 
few consequences. So, we need to engage in this fight at all 
levels. Schools, hospitals, and businesses cannot fight a 
battle alone against adversaries launching attacks from enemy 
nation-states like Russia and China and elsewhere. It is going 
to take effective partnerships, including with Federal law 
enforcement, and that includes figuring out how to better 
collect and share information about these attacks and the 
attackers.
    As we will hear today, the institutions victimized by 
ransomware have options, but all of them are bad. They either 
pay ransom or they are unable to restore their normal 
operations. Attackers threaten to release sensitive personal 
data that has been stolen. In the case of schools and 
hospitals, that includes school children's education records 
and patient medical records. We will hear today from 
representatives of a school and a hospital victimized by 
ransomware attacks. We will also hear from a cybersecurity 
expert whose current work includes counseling companies that 
are targets and victims of these attacks.
    I hope this hearing today will help educate us on the 
problem and that it will serve as a step toward better 
addressing it. With that, I yield to the Ranking Member of this 
Subcommittee, Mr. Connolly.
    Mr. Connolly. Thank you, Madam Chairwoman. Thank you for 
having this hearing. Welcome to our witnesses.
    Though we are discussing the threats of ransomware, we 
cannot ignore the much greater danger caused by some, a 
government shutdown. The Cybersecurity and Infrastructure 
Security Agency, for example, will be forced to furlough more 
than 80 percent of its workforce.
    As we say, we are concerned about cyber hacking and 
cyberthreats. Without funding, our crucial Federal cyber 
defenses will be reduced to a skeleton crew and yet still hold 
responsibilities to respond to attacks in our networks and 
critical infrastructure. We cannot allow this to happen when we 
already know of the innumerable malware attacks constantly 
threatening our economy, schools, public health, critical 
infrastructure, and national security.
    Ransomware is a burgeoning multibillion dollar criminal 
industry. In 2021, the estimated cost of ransomware damage 
globally hovered around $20 billion. This year, that number is 
$30 billion, a 50-percent increase in just 2 years. The United 
States is a major target. Between January and December 2022, 
known ransomware attacks on public and private networks in the 
United States increased by 47 percent. More troubling, these 
tallies include only those incidents victims report.
    While the recent MGM Resorts International hack received 
considerable public attention, these kinds of ransomware 
attacks also target critical infrastructure. In 2021, for 
example, the U.S. Government had to declare a regional 
emergency, as you noted, Madam Chairwoman, after the Colonial 
Pipeline was taken down, the largest fuel pipeline system in 
the country. That incident was just one frightening reminder of 
what is at stake. State and local governments are particularly 
vulnerable because they are responsible for storing much of our 
personally identifiable information, but they lack the 
cybersecurity resources and protections and funding as billion 
dollar conglomerates. Criminals also do not discriminate 
between large metro areas and small towns. Communities of all 
sizes have been victims, including Dallas, Texas; Oakland, 
California; and Lowell, Massachusetts.
    A 2023 ransomware report from Sophos found that nearly 70 
percent of the surveyed IT leaders in state and local 
governments reported ransomware attacks. Just as troubling, the 
report found that educational systems are the most likely to be 
targeted.
    I ask unanimous consent, Madam Chair, to insert this report 
into the hearing record.
    Ms. Mace. Without objection.
    Mr. Connolly. I thank the Chair. I know this firsthand from 
when a ransomware attack in 2020 targeted the Fairfax County 
Public School system, the 10th largest school system in 
America, which I represent.
    Members of this Committee are well aware of how the 
coronavirus pandemic abruptly revealed how ill-prepared many of 
our state and local governments were in delivering vital public 
services securely and remotely through their IT platforms. 
Criminals took advantage of that in unemployment systems, in 
direct checks payments to families and small business loans, 
and on and on.
    That is why during my tenure as Chairman of the Government 
Operations Subcommittee, which included this Subcommittee, we 
held hearings on the outdated IT infrastructure and rising 
cyberattacks on state and local governments. The hearing 
examined the role of Congress and the Federal Government in 
accelerating IT modernization initiatives. In response to the 
hearing, we introduced House companion to the Senate's State 
and Local Digital Service Act. This important legislation 
provided guidance and, critically, funding for state and local 
governments to form digital service teams focused on delivering 
fair, effective, and secure public services. I certainly hope 
this Congress will continue that work.
    Furthermore, we helped to champion the Bipartisan 
Infrastructure Bill, providing more than a billion dollars in 
vital investments to assist both public and private entities 
who fall victim to cyberattacks every year. Earlier this year, 
the Biden-Harris Administration also published its National 
Cybersecurity Strategy, which addresses these, among other 
issues, head on by laying out an action plan to disrupt 
ransomware criminals. It lays out four key pillars to disrupt 
them by, one, leveraging international cooperation to disrupt 
their ransomware ecosystem and isolate those countries that 
provide safe havens; two, investigating ransomware crimes and 
using law enforcement and other authorities to disrupt it and 
them; and third, bolstering critical infrastructure resilience 
to withstand such attacks; and fourth, addressing the abuse of 
virtual currency to launder ransom payments.
    The Department of Justice also continues to hold ransomware 
criminals accountable, and most recently dismantling the Qakbot 
or CrackBot network and seizing more than $8.6 million in 
cryptocurrency profits. That is great, but it is a modest 
start. While these are important first steps, much more has to 
be done, and I know we are going to hear that from our 
witnesses today. I look forward to hearing the testimony and 
working with you, Madam Chairwoman and Mr. Fallon and others, 
and, of course, Ms. Brown, in trying to craft thoughtful 
solutions to deter and ultimately prevent ransomware attacks, 
and I thank you. I yield back.
    Ms. Mace. Thank you. I will now recognize Chairman Fallon 
for the purpose of making your opening statement.
    Mr. Fallon. Thank you, Chairwoman Mace, and I want to thank 
everybody for being here today as well. I am grateful that the 
EER Subcommittee and Subcommittee on Cybersecurity are teaming 
up to talk about a very important problem.
    America relies on technology, of course, every day, and 
when you rely on something, when it goes down, you become very 
vulnerable when it is gone, but, you know, it has a far-
reaching consequences when it is jeopardized. While ransomware 
attacks our digital files and hold, you know, data hostage 
until ransom is paid, the true cost of cyberattacks go well 
beyond simply the money surrendered to perpetrators. Frozen 
systems wreak havoc on normal operating procedures of a 
company, a school, a hospital, and forcing reallocation of 
staff, lost revenue, and damaged reputations.
    Following an attack, institutions may have to completely 
re-outfit their entire IT infrastructure, very costly, and 
scrambling to redirect funds earmarked for other investments, 
or more investment, say, in personnel. Mountain Dew could get, 
you know, in a cyberattack, and then where would our colleague 
from Tennessee be? But, you know, you might be making 
investments in teachers and other personnel. I mean, it is our 
most valuable natural resource, but that is going to be 
preventing new hires and make you more efficient because you 
have to deal with these ransomware attacks, and Congress should 
be very concerned about these attacks and where they are 
originating from. The vast majority are coming from Russia, a 
country that clearly does not have our best interests at heart.
    When these sorts of attacks target essential sectors, like 
the electric grid or the hospital system, what we saw with 
Colonial Pipeline or JBS a couple of years ago, they endanger 
public health, safety, and, quite frankly, put American lives 
at risk. And we saw that they can even have impacts that spiral 
well beyond the original attack into the larger economy, again, 
with Colonial Pipeline, that reverberated, and it was very 
dangerous and very chilling.
    As our world becomes more reliant on technology, 
unfortunately, the opportunities for bad actors to use that 
technology for their own monetary and political gain become 
more and more abundant. But no matter what the size of the 
attack, we must prevent hackers from being able to use 
ransomware to upend American institutions and risk our Nation's 
prosperity and health and American lives. I am grateful for our 
witnesses who are here today to share their stories and help us 
examine the ongoing threat of ransomware attacks. And during 
this hearing, I hope to explore the role of government in 
helping prevent further attacks and punishing those that would 
go after our critical infrastructures. Whether the government 
is providing resources for private organizations undergoing 
attacks or learning how to better protect our own systems, I 
look forward to discussing potential ways Congress can enable 
the Cybersecurity and Infrastructure Security Agency, or CISA, 
the FBI, and other Federal agencies to better protect the 
American people and our data. Thank you, Madam Chair, and I 
yield back.
    Ms. Mace. Thank you. I would now like to recognize 
Congresswoman Brown for the purposes of an opening statement.
    Ms. Brown. Thank you, Madam Chair Mace, Mr. Chair Fallon, 
and Ranking Member Connolly, and thank you to the witnesses for 
joining us today.
    Our hearing today addresses an issue threatening Americans 
far too frequently: ransomware attacks. Criminals, both foreign 
and domestic, use ransomware to target everything and everyone: 
private businesses, state and local governments, hospitals, 
school districts, and critical infrastructure. We have seen 
these attacks disrupt access to primary healthcare and safety 
net services for our Nation's most vulnerable.
    But before I go any further, we cannot sit at this hearing 
without addressing the terrible dangers we face with an 
impending Republican Government shutdown. A government 
shutdown, much like a ransomware attack, would be dangerous, 
destructive, and disastrous. The Cybersecurity and 
Infrastructure Security Agency, the Agency that leads Federal 
cybersecurity efforts and serves as the national coordinator 
for critical infrastructure security and resilience, would have 
to furlough 80 percent of its employees as a result of the 
Republican shutdown. We are talking thousands of critical 
workers, people with families, and that is just one agency. The 
Department of Justice, the Agency responsible for investigating 
and taking down criminal ransomware networks, would also be 
forced to furlough thousands of employees. With a shutdown, 
extreme Republican members would undercut organizations and 
state and local governments relying on Federal funds to prevent 
the crippling ransomware attacks we are discussing in this very 
hearing.
    All over the country, ransomware attacks directly affect 
people's lives. Hospitals have to turn away patients. Nine-
eleven call centers would have been unable to dispatch 
ambulances and fire trucks. Small businesses have to close 
down. In some instances, people have been unable to pay their 
water bills because a city website had been paralyzed by a 
hacker demanding ransom, and those late fees, they add up. In 
my home state, ransomware thieves targeted the Ohio 
unemployment system in July, preventing thousands of Ohioans 
from receiving benefits. And in March, the Lakeland Community 
College in Ohio, just next door to my district, was the victim 
of a cyberattack that compromised the personal data of nearly 
3,000 individuals.
    Now, the Biden-Harris Administration has made defending 
against these kinds of attacks a top priority. Thanks to the 
Bipartisan Infrastructure Bill, the Administration is currently 
providing $1 billion in cybersecurity grants to state, local, 
and territory governments to build the cyber capabilities they 
need. But on Sunday at 12:01 a.m., these dollars are at risk of 
not making it out at all. It is just one more reason the MAGA 
shutdown is harmful to everyday people, our national security, 
and our standing in the world. And with that, Madam Chair, I 
yield back.
    Ms. Mace. Thank you. I am pleased to introduce our 
witnesses for today's hearing. Our first witness is Mr. Grant 
Schneider, Senior Director of Cybersecurity Services at 
Venable. Our second witness is Dr. Lacey Gosch, Assistant 
Superintendent of Technology at Judson Independent School 
District. Our third witness is Dr. Stephen Leffler, President 
and Chief Operating Officer of the University of Vermont 
Medical Center. And our last witness today is Mr. Sam Rubin, 
Vice President and Global Head of Operations at Palo Alto 
Networks Unit 42. Welcome, everyone. We are pleased to have you 
this afternoon.
    Pursuant to Committee Rule 9(g), the witnesses will please 
stand and raise their right hands. All right.
    Do you solemnly swear or affirm that the testimony you are 
about to give is the truth, the whole truth, and nothing but 
the truth, so help you God?
    [A chorus of ayes.]
    Ms. Mace. Let the record show the witnesses all answered in 
the affirmative. Thank you.
    We appreciate all of you for being here today and look 
forward to your testimony. Let me remind the witnesses that we 
have read your written statements, and they will appear in full 
in the hearing record.
    Please limit your oral introductory statements to 5 
minutes. As a reminder, please press the button on the 
microphone in front of you so that it is on, and Members can 
hear you. When you begin to speak, the light in front of you 
will turn green. After 4 minutes, the light will turn yellow. 
When the red light comes on, your 5 minutes has expired, and we 
would ask you to please wrap it up.
    So, I will first recognize Mr. Schneider to please begin 
your opening statement.

                      STATEMENT OF GRANT SCHNEIDER

               SENIOR DIRECTOR OF CYBERSECURITY SERVICES

                              VENABLE, LLP

    Mr. Schneider. Thank you very much. Chairwoman Mace, 
Chairman Fallon, Ranking Member Connolly, Ranking Member Bush, 
Members of the Committee and your staff, thank you for the 
privilege to appear before you today.
    I have spent my entire 30-year career focused on our 
Nation's security. This includes over 20 years at the Defense 
Intelligence Agency, 7 of which I served as the Chief 
Information Officer and 6 years at the Executive Office of the 
President, serving as a Senior Director for Cybersecurity 
Policy on the National Security Council staff, and most 
recently as the Federal Chief Information Security Officer. For 
the past 3 years, I have been a Senior Director of 
Cybersecurity Services at Venable, a law firm, where I help our 
clients, both large and small from all sectors, enhance their 
cybersecurity programs through the development and 
implementation of risk management strategies.
    Between my time in government and at Venable, I have 
supported numerous organizations with the preparation, 
response, and recovery from various cyber incidents, including 
ransomware attacks. Some of these include leading the response 
and recovery for a regional healthcare delivery organization 
that was the victim of ransomware, creating playbooks and 
decision matrices to help clients consider the actions they may 
need to take in the event of a significant incident, and 
working with law enforcement, CISA, and the intelligence 
community and other interagency partners on ways to disrupt 
malicious cyber actors.
    I want to thank the Committees for taking up the important 
issues related to ransomware. As has been mentioned, ransomware 
is a form of cyberattack where a malicious actor typically 
steals sensitive information, encrypts a victim's files and 
systems, and then demands a payment, a ransom, in order to 
return services to operation. To be clear, ransomware is a 
means for malicious actors to make money. It is rarely about 
foreign policy or espionage objectives like those we see from 
nation-state actors. However, policy discussions are 
complicated by the fact that many ransomware actors are 
protected and sometimes endorsed and encouraged by the nations 
from which they operate.
    While malicious cyber activity and ransomware have been 
around for decades, several factors, which have been mentioned, 
have come together in recent years to expand the frequency, 
scale, and public awareness of ransomware events. Organizations 
today are dependent on technology to develop and deliver their 
services. This includes organization and education, healthcare 
delivery, financial services, energy, and every other critical 
infrastructure sector. These enhancements provide increased 
productivity, convenience, and broad delivery of services to 
customers. At the same time, more critical services and 
sensitive data have moved to an internet-accessible environment 
and are at risk.
    Concurrently, ransomware actors have increased access to 
malicious tools, anonymous payment systems, and safe havens 
from which to operate. Government organizations have published 
alerts and guides to help educate private organizations and 
individuals on defensive cybersecurity controls they can put in 
place. Some of these include implementing phishing-resistant 
multi-factor authentication to protect users' digital identity, 
a robust set of system backup and recovery tools and 
procedures, encryption of data at rest and in transit, and 
training for employees to recognize phishing emails and social 
engineering attempts.
    Policymakers cannot lose sight of the fact that ransomware 
has devastating operational, economic, and reputational impacts 
on its victim organizations. During a ransomware event, 
government organizations, including law enforcement, can 
provide a very limited amount of support. Victims are left with 
an unsavory set of options, having to choose between restoring 
services quickly by paying a ransom or working to reconstitute 
their systems and restore operations on their own. Often, 
paying a ransom can be the most time-and cost-effective 
approach to getting an organization up and running again. Given 
these dynamics for victims, ransomware remains a prevalent 
threat to large and small businesses, public sector entities, 
and critical infrastructure organizations. In short, it is bad, 
but there is hope.
    The United States and international partners have invested 
heavily in disrupting ransomware activities across the globe, 
including the takedown of the Hive ransomware group earlier 
this year. Cybersecurity experts have partnered with policy 
professionals to propose legal and policy updates that will 
empower law enforcement officials and other cyber defenders to 
pursue these malicious actors and build resilience across our 
digital ecosystem. We must continue to develop these ideas 
while working with companies and public sector entities to 
harden their networks and protect their data.
    Thank you again for the opportunity to speak with you 
today, and I look forward to your questions.
    Ms. Mace. Thank you, Mr. Schneider. I will now recognize 
Dr. Gosch for her opening statement.

                        STATEMENT OF LACEY GOSCH

                 ASSISTANT SUPERINTENDENT OF TECHNOLOGY

                   JUDSON INDEPENDENT SCHOOL DISTRICT

    Ms. Gosch. Thank you, Chairwoman Mace, Chairman Fallon, 
Ranking Member Connolly, Ranking Member Bush, Committee 
Members, and staff, for allowing me to speak with you today. I 
represent the Judson Independent School District as the 
Assistant Superintendent of Technology, and I am here to share 
our experience with ransomware. My primary professional role 
and the events related to the testimony are from my experience 
as the leader of the technology department serving over 24,000 
students and 4,500 employees across seven municipalities in the 
San Antonio, Texas area. I also serve as an elected school 
board member for the Navarro Independent School District. 
Therefore, my passion for seeking school support and combating 
cybercrime runs very deep.
    On June 17, 2021, I received a call from Matthew Fields 
stating that our system had been affected by ransomware. He 
briefly investigated the depth of the attack and confirmed the 
ransom note's content. The ransom note stated that all data on 
all devices and all servers was encrypted, including our backup 
systems. We immediately contacted law enforcement and Federal 
Bureau of Investigations. The threat actors were identified as 
PYSA, a variant of the Mespinoza strain of malware, commonly 
leveraged in high-paying assaults and victim selections based 
on their ability to pay. In 2021, PYSA was the third most 
prevalent ransomware strain with primary targets of higher 
education and K-12 schools. The group was most notably known 
for their double extortion involving publicizing stolen 
information should victims refuse to comply with their demands.
    The attack initiated from a single vector with two pivot 
points. The entry vector and first pivot point was one of my 
employee's computers. The second pivot point was a video 
streaming server that was designed to have no outside 
connectivity and was used for internal video streaming only. 
From these points, the threat actors were able to penetrate the 
backup systems, data stores, and devices connected to the 
network. From the full investigation, a total of 428,761 
individuals were affected, and those individuals are living in 
all 50 states.
    The recovery of our network was not our primary concern. We 
had ample resources to restore our systems. Our concern was the 
security of the data by the threat actors and preventing the 
release of that personally identifiable information of our 
constituents. Consequently, the district made the difficult 
decision to pay the negotiated amount of ransom totaling 
$547,000 on June 29. Our recovery took more than a year, and 
the district continues to make improvements. The restoration of 
the network was only possible through the efforts of my 
technology team's perseverance, key vendor partners, and some 
school district friends that assisted us in communications and 
business operation functions when others were too scared to 
even take our calls. Thankfully, there are companies and school 
district partners who saw our situation as an opportunity to 
learn. We learned that the cavalry does not come, and we must 
rely on our own resources. No state or Federal agency ever 
visited or offered recovery assistance to us.
    Insurance coverage was helpful, but those go predominantly 
to attorney's fees, data mining, and identity protection. It 
does not cover ransom payments or cost for upgrades to mitigate 
that damage. The cost for repair exceeds the limits of the 
policy, forcing districts to make difficult decisions about 
funding allocations. And the costs are not limited to data loss 
or data breach, but they extend to monetary loss and recovery 
and replacement efforts, security efforts, and mental and 
physical health effects that are rarely discussed or considered 
because of these events.
    I was hired only 34 days prior to this attack in the school 
district. The state of the district's technology was not unlike 
thousands of school districts across the Nation. It was 
outdated, out of support, and included antiquated systems and 
hardware that included outdated infrastructure that could not 
support the changes brought about by COVID-19. These factors 
attributed to our vulnerability and in the continued concern 
for many K-12 leaders.
    Schools are often forced to balance the needs for student 
curriculum, personnel resources, facilities, and other 
operations on limited budgets. Therefore, funding for solutions 
to prevent attacks and protect data and upgrade equipment is 
pushed aside for more visible and tangible items. Recovery and 
mitigation programs for cybersecurity have not been formally 
developed for schools, but we would recommend potentially 
discount programs similar to things like E-Rate and other 
federally supported programs. Additionally, there are other 
measures, such as standards for network security, requirements 
for making Social Security numbers masked in all systems, 
training educational programs, and social-emotional programs 
for affected individuals is also needed.
    I would like to thank the Committee today for providing the 
structure to hear these issues. I am honored to be able to 
present this information to you and to have you hear our story 
and recommendations. Thank you, Chairwoman Mace, Chairman 
Fallon, Ranking Member Connolly, and all the staff involved. I 
am honored and privileged to be here.
    Ms. Mace. Thank you, Dr. Gosch. I would like to recognize 
Dr. Leffler for his opening statement.

                      STATEMENT OF STEPHEN LEFFLER

                 PRESIDENT AND CHIEF OPERATING OFFICER

                THE UNIVERSITY OF VERMONT MEDICAL CENTER

    Dr. Leffler. Thank you. The University of Vermont Medical 
Center is the tertiary care hospital and academic medical 
center for the state of Vermont. We are the only one in 
Vermont. We care both for local patients in Chittenden County, 
but for all Vermonters across the state who have life-
threatening illnesses.
    On October 28th of 2020, we were 7 months into the pandemic 
when we suffered a ransomware cyberattack. We are extremely 
fortunate that when that attack first started, before our IT 
team even knew what was occurring, they made the decision to 
shut down our system. That was a critically important move. 
They did that before contacting the leaders because they 
realized something was wrong. That single move protected any 
patient care information from being released, any employee 
information being released, and was key to our overall action 
during the pandemic.
    Over the next month, we had two major initiatives. The 
first one was an IT initiative to restore our network back to 
normal. The cyberattack, while it did not affect our patient 
information, did infect 1,300 servers at the University of 
Vermont Medical Center and 5,000 desktop computers. Every 
single computer needed to be wiped clean and then reimaged. 
Every server had to be wiped clean and reimaged. It was a 24-
hour-a-day, 7-day-a-week job for our IT staff. We were very 
fortunate the state of Vermont realized how important this was 
and gave us National Guard workers to help with that reimaging.
    The second major focus for us was patient care. We are the 
sole tertiary care hospital in our state. We did not have the 
option of stopping care, shutting down, going on diversion. We 
knew we would have to take care of people. The cyberattack 
impacted our electronic medical records for more than 28 days, 
and so on day two of the cyberattack, we set up two incident 
command teams. An IT incident command team focused on restoring 
our IT systems--there were 600 applications that had to be 
cleaned and brought back online--and a clinical incident 
command team that was completely focused on how we provide care 
on paper.
    The extent of the attack was broad. We did not have 
internet. We did not have phones. It impacted radiology 
imaging, laboratory results, and because the EMR had been shut 
off appropriately, we did not have the EMR for 28 days. We were 
back to paper. For an older doctor like me, paper was pretty 
familiar, but many of our young new doctors had never written 
paper orders. We had to go back and teach them how to do that. 
We brought together our clinical leaders from surgery, 
anesthesia, trauma, emergency medicine, obstetrics medicine, 
and they met sometimes twice a day, 7 days a week for 28 days 
to decide how they could safely provide care for patients who 
we knew would be showing up, what care could be safely delayed, 
and what care could be transferred out of state to other 
academic medical centers who could help us.
    Over the course of that month, we delivered hundreds of 
babies, did trauma surgery. We did heart surgery. We did 
multiple other cancer staging operations all safely with high 
quality on paper. We did have to delay care for some patients. 
We used those extra providers to provide an extra set of eyes 
and hands to make sure that paper system was working. Over the 
course of the month that we did not have our EMR, every day we 
were focused on what needed to come up first and how. A major 
issue that we faced is that in 2020, best practice was to save 
3 days of forward-looking information in your electronic 
medical record. Our cyberattack happened on a Thursday. On 
Monday morning, our clinics did not know who were going to show 
up in the clinic that day, did not have their medical 
information, did not have their problem list, did not know what 
time they were coming or for what. I had to go on the news and 
say if you are coming for an appointment today, bring 
everything you have with you to help us take care of you.
    Early in the cyberattack, the first 2 days, we did not have 
a phone system because our phone is on the internet. We 
literally went to Best Buy and bought every walkie-talkie they 
had, and I asked our administrators all to basically run lab 
results to the floors. Our critical lab results system was 
down. On day two, we had a pile of paper lab results in our 
pathology conference room about 6 inches thick of lab results 
for our patients. We used our medical students to actually file 
all those results.
    Over the course of our month, we took care of hundreds of 
patients safely, but it was hard. I have been an emergency 
medicine doctor for 30 years. I have been the hospital 
president for 4 years. The cyberattack was much harder than the 
pandemic by far. Thank you very much.
    Ms. Mace. Thank you, and I would now like to recognize Mr. 
Rubin for your opening statement.

                         STATEMENT OF SAM RUBIN

              VICE PRESIDENT AND GLOBAL HEAD OF OPERATIONS

                      PALO ALTO NETWORKS- UNIT 42

    Mr. Rubin. Chairs Mace and Fallon, Ranking Member Connolly, 
and distinguished Members of the Committee, thank you for the 
opportunity to testify on combating ransomware attacks. My name 
is Sam Rubin. I am the Vice President of Global Operations at 
Unit 42, which is Palo Alto Network's Incident Response and 
Threat Intelligence Division.
    For those not familiar with Palo Alto Networks, we are an 
American-headquartered cybersecurity company founded in 2005 
that has since grown to protect tens of thousands of 
organizations around the world. We support critical 
infrastructure operators, the U.S. Federal Government, 
universities and other educational institutions, and a wide 
range of state and local partners. This means that we have a 
deep and broad visibility into the cyber threat landscape. We 
are committed to using this visibility to be good cyber 
citizens and national security partners with the Federal 
Government.
    We look at our role as a cybersecurity leader with great 
humility. We envision a world where each day is safer and more 
secure than the day before, and this takes all of us working 
together. The current cyber threat landscape demands this 
posture. My written testimony includes some concerning numbers 
and trends, many of which we heard here today, and we are 
seeing the ransomware threat grow as well. Attackers are using 
increasingly sophisticated methods to extort money. My written 
testimony also highlights that if we look at our global attack 
surface through the eyes of the adversary, it looks porous and 
far too inviting. Entities of all sizes are struggling to 
understand and manage their digital infrastructure, their 
computers, their servers, their mobile devices, and all the 
rest that they have connected to the internet. Despite this 
sobering backdrop, at Palo Alto Networks, we remain confident 
that we are well-equipped to combat the cyber incursions of 
today and tomorrow for several reasons.
    First, important advances in technology, especially in 
artificial intelligence and automation, are absolutely force 
multipliers in cybersecurity defense. For too long, defenders 
have been inundated with alerts to triage manually, creating an 
inefficient game of Whack-a-Mole, while critical alerts go 
unmissed, and vulnerabilities remain exposed. We sit at a 
strategic inflection point to flip this paradigm. Second, 
cybersecurity is increasingly being recognized by entities of 
all sizes, public and private, as a critically important issue. 
We need to take the next steps now. Every enterprise must 
recognize cybersecurity not just as an IT concern, but as a 
core part of their enterprise risk management strategy. Third, 
policymakers are showing a sustained desire to support cyber 
defenders. Thank you for that. As just one example, the State 
and Local Cybersecurity Grant Program is already showing the 
potential to increase resilience to ransomware attacks across 
all corners of the country.
    Cybersecurity matters to all of us. Ransomware attacks 
impact our daily lives, from disruptions to public services 
like hospitals, to interruptions to supply chains, to critical 
gas pipelines being taken offline. My team at Palo Alto 
Networks specializes in helping organizations respond and 
recover in their darkest hours when they have been hit by a 
cyber incident. Our mission goes beyond just recovery. We aim 
to elevate their cybersecurity posture so when they come out of 
it, they are stronger than before. That is what makes the work 
so fulfilling for me personally.
    That spirit of partnership in the cybersecurity community, 
the notion that we are all in this together must remain in our 
collective DNA. As a company, we are proud to participate in a 
number of forums like CISA's JCDC, not to sell our products, 
but to share our situational awareness and our threat 
intelligence and our understanding of the cyber threat 
landscape. Critically, in forums like these, commercial 
competitors become threat intelligence partners. So, I wanted 
to thank you for the opportunity to testify today, and I look 
forward to your questions.
    Ms. Mace. Thank you, Mr. Rubin. I would now like to 
recognize myself for 5 minutes, and I have a few questions for 
everybody. We only have 5 minutes, so I will try to be as quick 
as possible, and we will just ask for as brief an answer as 
possible as well. Mr. Rubin, I am going to start with you. AI 
and cyber criminals, are they using AI to deploy ransomware 
attacks?
    Mr. Rubin. Thank you, Congresswoman. This is a threat that 
we are watching very closely at Palo Alto Networks. From a 
threat intelligence standpoint, we are also doing testing in 
our own labs to try to recreate some of the potential 
capabilities. At this point, we are not seeing any new or novel 
attack techniques generated by AI.
    Ms. Mace. Do we have defenses, or what kind of defenses do 
we have against AI-powered attacks?
    Mr. Rubin. Right. We have the ability to use AI to our 
benefit to help protect organizations, and that is absolutely 
what we are doing at Palo Alto Networks is to create capability 
that leverages AI to protect----
    Ms. Mace. For our defenses?
    Mr. Rubin. And for our defenses.
    Ms. Mace. And I apologize. I want to run through because I 
want to ask everybody a few questions, but the Atlanta Fed 
published an article earlier this year, saying it was 144-
percent increase in ransomware from 2020 to 2021. That is 
massive. Is this across any specific sectors--government, 
private, large or small, certain industries, or is it spread 
evenly throughout?
    Mr. Rubin. Yes. From our data and from our threat 
intelligence from the incident response work we do, we see 
these primarily as crimes of opportunity where the threat 
actors are leveraging automated scanning capability to find 
vulnerabilities, and then attack those organizations that are 
vulnerable.
    Ms. Mace. And then, Mr. Schneider, you know, in this same 
report, they said that their average ransom payment--I could 
not believe this--was almost $5 million. And given that the 
concentration of some of these attackers are in hostile 
nations, is it safe to assume that some of this money might be 
used by criminal enterprises, you know, to line the pockets of 
our adversaries?
    Mr. Schneider. Well, I think all of it is being used by 
criminal enterprises. And it is, you know, funding and further 
fueling additional ransomware investments in AI and other 
technologies to exacerbate----
    Ms. Mace. What country is the worst? Which one of our 
adversaries is the absolute--leading the world in these kinds 
of ransom attacks?
    Mr. Schneider. I mean, from the research I have seen, 
generally Russia is, you know, is a safe haven and a lot of 
ransomware actors there.
    Ms. Mace. Yes. Thank you. And then I have a few questions 
for Dr. Gosch and Dr. Leffler, although I will just kind of ask 
them evenly if you can both respond. But, you know, in some 
cases, ransom is paid, some it is not, but just if you all can 
sort of generally say--it is not just a ransom fee, if it was 
paid, that would be the cost of this. There is a much larger 
cost to an organization, a school, or a hospital. What do you 
guys estimate cost, when this attack happened, cost the school 
and/or the hospital?
    Ms. Gosch. I would say from our experience, it was very 
similar to what was shared from the hospital side in that we 
had to replace almost everything, upwards of potentially $3 
million, $4 million, $5 million.
    Ms. Mace. Dr. Leffler?
    Dr. Leffler. For UVM Medical Center, it was $65 million in 
cost.
    Ms. Mace. Yes, and for $3 million to $5 million for a 
school, sometimes that is a school's budget, I mean, you know, 
depending on the size, if it is a local school, et cetera. Do 
you feel that what you have seen and experienced that you have 
learned from it, and what kind of steps have you taken that you 
think other people should be aware of that they should be doing 
right now to help protect the organization or institution?
    Dr. Leffler. I am a physician, not an IT expert, but I do 
understand that we have put things in place since that attack 
happened. When the bad actors got into our system, they were 
able to move around at will inside the system. We have added a 
lot of steps to sub-segment our system into pieces and to make 
it harder for our administrators to make changes. We have added 
multifactor authentication to our administrators we did not 
have before, and I have been assured that will make it much 
harder when they get in again. We assume it is going to happen 
again. There are so many people trying.
    Ms. Mace. Dr. Gosch?
    Ms. Gosch. We have done similar. We are using AI to monitor 
all of our email protection systems. We are also using 
multifactor authentication. We have moved to immutable backups 
and a lot of technologies that we did not have before. 
Everything is cloud-based and provides that extra layer of 
protection, extra password pieces, and other components that 
had been told an EDR is one of the big pieces, the endpoint 
protection and recovery. So, we have added those at a high 
cost, and that is always a concern as we look at school budgets 
in terms of maintaining it, but we were able to upgrade to what 
is needed to combat it.
    Ms. Mace. And how long did that take?
    Ms. Gosch. We are still working on some of those 
initiatives now. It took us a full year to get all of our 
systems back online, and we continue to make improvements by 
adding things like port security within our network and 
additional security measures on the back end on the 
infrastructure.
    Ms. Mace. Thank you so much, and I yield back. I yield to 
my colleague from Virginia, Mr. Connolly, for 5 minutes.
    Mr. Connolly. I thank the Chair, and I want to welcome Mr. 
Schneider, in particular, who is my neighbor in Mantua in 
Fairfax County. We live in the same neighborhood, so welcome. 
And speaking of Mr. Schneider, Mr. Schneider, I begin my 
opening statement by noting that, should the government shut 
down, as it almost certainly is going to on Saturday, 80 
percent of the employees of CISA will be furloughed. What could 
go wrong with that?
    Mr. Schneider. Well, certainly, CISA has an extremely 
significant role for the Nation for cybersecurity, both in 
working with critical infrastructure, but also for their 
preparation efforts, but also on being able to get alerts and 
information along those lines out. I do not know which 20 
percent of CISA is going to be retained and what functions. I 
would hope that they are going to continue to be able to do the 
operational pieces and put out alerts as they see emerging 
threats start to evolve.
    Mr. Connolly. But I guess we would both agree 20 percent 
cannot really handle what 100 percent normally handle. 
Something is going to give, and at the very least, there is a 
risk.
    Mr. Schneider. Yes.
    Mr. Connolly. Yes, in terms of our mission. Thank you. Dr. 
Leffler, I was really struck by the story of the hospital in 
Vermont, and I had images. When we were doing healthcare, I did 
a lot of tours of health centers and hospitals. And, you know, 
I had in my mind, like, a dialysis unit where you have many, 
many patients in the round, and you have sort of a central 
computer screen monitoring their progress. Likewise, in an 
oncology unit, same thing with chemo. And so, I was 
particularly thinking, well, those patients and those units are 
particularly vulnerable if you shut that down in a ransomware 
attack because you have got 20 or 30 patients at a time often 
either on dialysis or on chemotherapy. Was your hospital 
affected with respect to those patients?
    Dr. Leffler. So, we kept both those units open because 
those patients needed to stay alive, so dialysis, obviously, 
people are life dependent on dialysis. We added staff is what 
we did. We switched to paper. We added more staff members.
    Mr. Connolly. So, but the ransomware did affect----
    Dr. Leffler. It did affect it.
    Mr. Connolly. It did affect them.
    Dr. Leffler. It affected every single part of our function, 
everything that we do.
    Mr. Connolly. Unbelievable. I think that is really 
important because in addition to the story of schools, and my 
school system also was attacked, but now we are talking life 
and death, and the criticality of a hospital cannot be 
overstated and the vulnerability of hospitals. You said 
something really profound, ``I am not a tech expert. I am a 
doctor,'' and we cannot expect everybody in their field of 
endeavor to be tech experts. And yet, that is the 
vulnerability, and it affects directly your ability to perform 
your functions and to serve your patients.
    So, Mr. Rubin, I was struck by the fact that you used the 
term, ``We are trying to create a new paradigm,'' and what 
strikes me about ransomware is everything about our response is 
reactionary. The paradigm is entirely defensive. Either you do 
or you do not pay the ransom, and then after the fact, we try 
to shore up and buttress our assets and our resources to 
prevent it from recurring. It seems to me if we are going to 
have a new paradigm, it has got to be a lot more proactive and 
preemptive rather than reactive. I would give you the 
opportunity to comment on that.
    Mr. Rubin. Yes. Thank you, Congressman. I completely agree 
with you. We need to move the focus into taking steps ahead of 
time sort of in peace time, so to speak. And organizations, 
public and private, need to invest in their cybersecurity 
posture, in their awareness, and in their, essentially, 
defenses to take steps ahead of time, absolutely.
    Mr. Connolly. To what extent would you say that the 
vulnerability today often reflects, because Dr. Gosch put her 
finger on it and really resonates with me after the pandemic 
experience, that an awful lot, especially at state and local 
levels, you know, we are just not investing in the IT platforms 
to keep them robust and cyber secure. To what extent do you 
think that is a big part of the problem?
    Mr. Rubin. I do think that that is a big part of the 
problem. Investing in cybersecurity is an exercise in 
economics. It is the allocation of scarce resources. And we 
heard about operating budgets, and so there is always cost 
benefit decisions being made about where to put money, and 
sometimes investing in a cybersecurity resource or tool might 
mean something else goes unfunded, and so it is hard for state 
and local organizations. So, that is why I think programs like 
the State and Local Cybersecurity Grant Program are a 
phenomenal resource for state and local entities to avail of to 
try and get some more resources to help themselves out there.
    Mr. Connolly. I could not agree with you more, and I think 
it is an overlooked part of the vulnerability spectrum, and we 
saw that reflected in pandemic. Take unemployment insurance, 
vulnerable, 50 different systems, not one, and, you know, lots 
of vulnerabilities. I yield back. Thank you, Madam Chair.
    Ms. Mace. Thank you so much. I would now like to recognize 
Mr. Fallon from Texas for 5 minutes.
    Mr. Fallon. Thank you, Madam Chair. Mr. Schneider, when 
there is a government shutdown, just to clear something up, it 
is up to the Administration, is it not, to use exemptions for 
folks to come into work?
    Mr. Schneider. Yes, there are several exemptions allowed--
--
    Mr. Fallon. Like the Antideficiency Act, there are 
exemptions authorized by law to protect human life, for 
protection of property?
    Mr. Schneider. Correct.
    Mr. Fallon. OK. So, you would not have to furlough 80 
percent of CISA. You could have all of them come into work if 
you so choose.
    Mr. Schneider. I mean, I do not know what decision CISA is 
making about----
    Mr. Fallon. But it is up to the Administration.
    Mr. Schneider. But it is up to the Administration to----
    Mr. Fallon. So, we could have everybody come into work. OK.
    Mr. Schneider [continuing]. To come into work, yes.
    Mr. Fallon. I just wanted to point that out. And as far as 
the shutdown goes, well, we will save that for our close. Dr. 
Gosch, thank you for making the trip all the way from Texas, 
the Lone Star state. You know, your school was hit with a 
ransomware attack, and can you just describe, did you pay the 
ransom?
    Ms. Gosch. Yes, we did.
    Mr. Fallon. OK. And how much did you have to pay?
    Ms. Gosch. Five hundred and forty-seven thousand dollars 
was the final amount.
    Mr. Fallon. Yes. And I think you touched upon this with 
Chairman Mace, but what were your best and greatest takeaways 
from the experience as far as preventing it from happening 
again?
    Ms. Gosch. Our best and greatest takeaway is that it is not 
a matter of if you are going to be hit by some attack. It is 
going to be your ability to mitigate and to defend and to 
recover quickly. In our situation, one of the things that stuck 
out for us was the need to continually maintain the upgrade and 
to make sure that the systems are on the back end, and be able 
to promote that information to other school district leaders 
because in similar situations, I am supposed to be the tech 
expert in this, but in many cases, the leaders of the school 
districts are not the tech experts.
    And so, making sure that that message is heard and how 
important it is to be proactive in the process, and to put in 
multiple ways in which to monitor. And to utilize--I know AI 
can be seen as the danger in terms of ransomware, but at the 
same time, it can also provide so much additional support for 
identifying a potential threat because there are simply not 
enough man hours in the day, and there is not enough people to 
look----
    Mr. Fallon. Sure. Sure.
    Ms. Gosch [continuing]. At all the code that is coming in.
    Mr. Fallon. Mr. Schneider, just let us say on average, 6 
years ago, if a medium-sized company was hit with an attack, 
what was the usual asking price? What was the ransom?
    Mr. Schneider. So, I was in government at the time. I am 
not sure I have a great number, but the numbers have certainly 
increased.
    Mr. Fallon. I think Mr. Rubin is going to help us out.
    Mr. Schneider. That would be Mr. Rubin, yes.
    Mr. Fallon. Mr. Rubin, go ahead.
    Mr. Rubin. Yes. So, we have seen the numbers grow almost 
exponentially year over year. So, I think you said 5 or 6 years 
ago, it was in the, you know, low six figures, if breaking 
$100,000. And the data varies, but right now, you know, our 
average from our data was over $650,000, on average.
    Mr. Fallon. And that is consistent with--we got the idea 
after the Colonial Pipeline, JBS, and then when we were 
appointed to the Subcommittee Chairs, got the idea to have this 
Committee hearing, I reached out to some business people I know 
in Texas. And I found it very interesting that the average ask 
it seems in that neighborhood was about that $50 grand range 
years ago, and now it is 10 times that, 12 times that, and that 
is frightening.
    And then a lot of people, we say, oh, it is, you know, X 
amount of attacks. We do not know really how many because there 
are so many folks that pay and are embarrassed that they paid. 
A friend of mine, who will remain nameless because I do not 
want him to be a continued target, he got hit, but he had a 
backup system that was good enough to where he did not have to 
pay and he just rolled into that. And then they just worked on, 
you know, basically securing the wall, if you will, moving 
forward.
    Dr. Leffler, University of Vermont Medical Center was hit 
in 2020. Is that correct?
    Dr. Leffler. Yes.
    Mr. Fallon. Did you all pay the ransom?
    Dr. Leffler. We did not pay the ransom. We had a good 
backup.
    Mr. Fallon. But you said, you know, the good backup, but it 
still cost you $65 million?
    Dr. Leffler. Sixty-five million dollars.
    Mr. Fallon. And where was most of the loss?
    Dr. Leffler. It was in cleaning and rebooting the system. 
It was in care that was deferred. It was in extra staff to care 
for the patients that we cared for. It was across the board.
    Mr. Fallon. Well, being originally from Massachusetts, 
right down Route 7, you know, I feel for you. You know, go 
Vermont. Mr. Schneider, we have heard from Dr. Leffler and 
about the impacts with ransomware attacks, I mean, $65 million 
bucks. Can you explain how cyberattacks on critical 
infrastructure, like the one we had with Colonial Pipeline in 
2021, can affect the industries and communities beyond the 
victimized operation?
    Mr. Schneider. Yes. Thank you for the question. Certainly, 
Colonial Pipeline is a great example where the pipeline was 
shut down. I think by all reporting, it was not actually 
impacted by the ransomware, but they had to shut it down out of 
an abundance of caution. And then the ripple effect on the 
entire East Coast, if you were trying to get any fuel, you 
could not, there were long lines certainly at gas stations, and 
that just has a trickle-down effect on, or, you know, 
exponential impact or broader impact on the economy, writ 
large.
    Mr. Fallon. My time has expired. Thank you, Madam Chair. I 
yield back.
    Ms. Mace. Thank you. I would now like to recognize 
Congresswoman Brown from Ohio for 5 minutes.
    Ms. Brown. Thank you, Madam Chair. In March of this year, 
the Biden-Harris Administration released the National 
Cybersecurity Strategy, a first-of-its kind effort to combat 
ransomware attacks. This comprehensive government effort 
prioritizes the protection of our Nation's economy, 
infrastructure, national security, and public health.
    The Administration's sophisticated strategy addresses long-
term solutions to cybersecurity challenges, including the need 
for a workforce prepared to deal with these 21st century 
issues, like complex, elaborate, and long-running ransomware 
threats. The next generation of our workforce, those who are in 
college, trade schools or newly reentering the workforce, are 
often our first line of defense against cyberattacks. In 
today's integrated economy, all sectors have critical 
technology components, which are vulnerable to ransomware. That 
is why a prepared workforce is essential to our national 
response. So, Mr. Rubin, in what ways has the Biden-Harris 
Administration's National Cybersecurity Strategy expanded 
educational programs to diversify, grow, and equip the 
cybersecurity workforce?
    Mr. Rubin. Thank you, Congresswoman. We applaud the new 
cybersecurity strategy. There is much in there that really 
aligned with our vision for how to keep organizations safe, 
enhance visibility, focusing on zero trust, talking about 
preparedness in IR plans, but with respect to training and 
educating individuals, there is also a lot there as well, 
something that Palo Alto Networks supports as well. We have a 
program that we call the Cybersecurity Academy that provides 
free curriculum to middle school through college students to 
help train and bring up the workforce of the future.
    Ms. Brown. Thank you for that. Now, when conducting the 
hiring initiatives promoted by the Biden-Harris Administration, 
it is important to highlight the current demographic 
disparities in the cyber workforce this plan rightly seeks to 
address. A 2021 report from the Aspen Institute found only 4 
percent of cybersecurity workers identify as Hispanic, 9 
percent as Black, and 24 percent as women. Mr. Rubin, how can 
we incentivize hiring a more diverse cyber workforce, and what 
best practices have you seen to recruit tech talent from 
communities which are currently underrepresented?
    Mr. Rubin. Thank you, again, Congresswoman. I think, you 
know, one of Palo Alto Network's core values is inclusion, and 
we work hard to make sure that we do have diversity in the 
workforce. And so, I think the first step is awareness and 
being conscious of this as something that is important, and 
that we all do better when we have people from different 
backgrounds and different perspectives. Another program that 
Palo Alto Networks has is recruiting college graduates into a 
program we call the Unit 42 Academy. There are college 
graduates that join our workforce, and I am proud to say that 
this current class is actually 80 percent female, but that 
includes, you know, broad diversity as well.
    Ms. Brown. Thank you for that. Additionally, as a Member of 
the Select Committee on Strategic Competition between the 
United States and the Chinese Communist Party, I am committed 
to working with our international partners to protect the 
United States from malicious foreign cyberattacks. It is 
extremely disturbing we have terrorist groups as well as 
nations like Russia, North Korea, and China, working to disrupt 
our cyber systems and our strategic alliances in the West. So, 
Mr. Rubin or Mr. Schneider, in what ways can the United States 
work more closely with our international partners to combat the 
threat of ransomware attacks and other cybersecurity 
challenges? Thank you.
    Mr. Schneider. I mean, thank you for the question, ma'am. I 
think to your point, we have to have this as an international, 
you know, collaboration in order to put an amount of pressure 
on ransomware actors and on the nation-states from which they 
are operating. And there are a variety of tools that can be 
used for that, whether they are diplomatic tools, but we are 
going to have to work together in order to make any real 
progress on this area.
    Ms. Brown. Thank you. Mr. Rubin?
    Mr. Rubin. I agree. I think that I would put them in the 
categories of disruption and deterrence. On the disruption 
side, it is leveraging that diplomatic pressure, using carrots 
and sticks, where we can influence law enforcement action and 
takedowns, and we have seen some of that more recently, but I 
think there is a long way to go.
    Ms. Brown. And thank you very much. Clearly, the 
President's comprehensive cybersecurity plan, which involves 
everything from an expanded and better trained workforce to 
cooperation with our international partners, is already paying 
off. I am ready to work in a bipartisan manner to strengthen 
and support the President's initiative, and with that Madam 
Chair, I yield back.
    Ms. Mace. Thank you. I would now call on my colleague from 
Tennessee, Congressman Burchett. Do not screw it up.
    Mr. Burchett. Thank you, Chairlady. I will try not to. 
Thank you all for being here. All the good questions have been 
asked pretty much, but let me ask here down the line, what can 
we do to fix this?
    Mr. Schneider. Thank you for the question. I think that is 
the question of the day, right? And it is something that----
    Mr. Burchett. That is not going to get you anywhere, 
complimenting me up here. It is better off if you attack me and 
insult me, and then everybody else will agree with you, but go 
right ahead.
    [Laughter.]
    Mr. Schneider. Well, I probably will not go down that 
route, sir. We have to approach both from a defensive 
standpoint and what defensive measures, cybersecurity controls 
can companies and organization put in place in order to protect 
their systems, to have good backups of their systems, to 
encrypt their own data so they cannot be encrypted by someone 
else and taken from them. And as we were just discussing, we 
need to be able to disrupt and deter actors in cyberspace, and 
we really need to find a way to shift the value proposition for 
ransomware actors. Today, they are able to do this with almost 
impunity and make a lot of money at it, and we have got to find 
kind of a whole of government and a whole of working with our 
allies to make real progress here.
    Mr. Burchett. Are any of our ally countries have people 
involved in this? I mean, it always seems like every time we 
come out and say you are not going to break into this system, 
then some 12-year-old kid in somebody's garage gets into the 
system.
    Mr. Schneider. Now, I think we have a really good 
international cooperation on this. You know, as this hearing 
notes, it is a really big challenge, and so it does not always 
feel like we are making the progress----
    Mr. Burchett. OK.
    Mr. Schneider [continuing]. But I think we are, you know, 
building those interactions across nations with a lot of our 
key allies.
    Mr. Burchett. All right. Doctor, how do you say your last 
name, ma'am?
    Ms. Gosch. Gosch.
    Mr. Burchett. Gosch. All right.
    Ms. Gosch. Yes, sir.
    Mr. Burchett. Good, I am glad. Go ahead.
    Ms. Gosch. So, from the educational standpoint, I think a 
lot of the things that could help school districts really has 
to do with funding and some discount programs and things like 
that, but additionally, there really needs to be some 
additional standards set for schools. There really is not any 
governing------
    Mr. Burchett. Right, because a lot of this equipment is so 
outdated.
    Ms. Gosch. Correct.
    Mr. Burchett. I mean, you are sitting here talking to us. I 
mean, I remember when Mace asked me to be on this Committee, I 
thought, you know, a bunch of guys up here in powder blue 
leisure suits still listening to the eight-track tape players 
in their 1972 AMC Gremlins, you know, I mean, we are the ones 
going to be making decisions on that, so I can appreciate that.
    Ms. Gosch. And there are other aspects of that. You know, 
we spend a lot of time on emergency operations plans, but at 
least in Texas, there are not any particular guidance or 
requirements to deal with cybersecurity. It is just not talked 
about within education. It is not something that is supposed to 
necessarily happen. I know in our case, a lot of times people 
think that due to lack of backups and things like that is why 
we went the route that we went, and we had all of the backups. 
That was not our issue. And then there are a lot of other 
regulatory things that would help in the cybersecurity piece as 
far as student data, just in having some regulations even on 
software companies.
    Mr. Burchett. Dr. Leffler?
    Dr. Leffler. I agree with my colleague that from a hospital 
perspective, a lot of it is funding and grants. So, in every 
budget that we build, as a doctor, I want to spend all the 
money on patient care, technology, new equipment there. Prior 
to the cyberattack, usually cybersecurity stuff would fall down 
the budget, oftentimes come off. And so, having ways to more 
cheaply buy programs and have those programs be current and new 
and upgraded, or grants to bring your hospital up to standards, 
have a strong backup so you do not have to pay the ransom, 
would make a huge difference, I believe.
    Mr. Burchett. I am surprised quite often how often medical 
records and things, photographs, things like that, are taken 
out of specifically doctors.
    Dr. Leffler. Yes.
    Mr. Burchett. Mr. Rubin?
    Mr. Rubin. Thank you, sir. So, I would break it up into 
what we can do in the public sector side and then, you know, 
within private sector organizations. On the public sector side, 
I think bringing continued awareness to the problem, like we 
are doing today, is very important. I think continued support 
for local and state governments, as we discussed, the grant 
program, programs like that are phenomenal that provide a lot 
of resources.
    On the private sector side, I think it is a lot of the 
adoption of technology that we heard about here today, getting 
visibility across your state, both externally and internally, 
with different tools, leveraging AI and other technology to 
separate the signal from the noise so you can see and respond 
to what is important because no organization can fund the staff 
and the expertise that they need to do that without the help of 
technology. And then it is adopting best practices. There is a 
paradigm called Zero Trust, which is defense in depth and 
aligned with essentially what you need to know, and last, 
having a plan to respond.
    Mr. Burchett. All right. Well, I am about out of time, but 
I would state to the Committee, as elected officials, something 
we ought to be very much aware of, if they are reaching into 
these systems to take something out, they can reach in and put 
something in. And as elected officials, that is something we 
need to worry about, and I worry very much about Ms. Mace 
pointing at her timer and giving me the look.
    Ms. Mace. You are over.
    Mr. Burchett. My time is over. Thank you.
    Ms. Mace. Thank you, Mr. Burchett. I would like to now 
recognize Congresswoman Norton.
    Ms. Norton. Thank you, Madam Chair. Mr. Schneider, every 
year since 1997, information security and cybersecurity has 
been on GAO's governmentwide High Risk List, meaning it is 
extremely vulnerable to waste, fraud, abuse, or mismanagement, 
or in great need of transformation. This year is no different. 
In this year's update, however, GAO noted the Biden-Harris 
Administration's continued commitment to making sure our Nation 
works to remain ahead of ransom attackers. As always, though, 
more work can be done, especially as Federal Agencies remain 
high-value targets for foreign adversaries like Russia and 
China. Mr. Schneider, why are Federal Agencies such ripe 
targets for ransomware?
    Mr. Schneider. So, I think Federal Agencies are ripe 
targets for cyber incidents, in general, because of the 
information that Federal Agencies have. And so, I think nation-
state actors look at Federal, public-sector organizations as 
having the high-value assets, and, therefore, they are high-
value targets as well. And so, they are seeking to get the 
information from those organizations.
    Ms. Norton. Well, if that is so, Mr. Schneider, what steps 
can Federal agency leaders take to mitigate their risk of 
falling victim to ransomware?
    Mr. Schneider. Ma'am, there are certainly defensive steps 
that they can put in place. You know, my colleague mentions 
Zero Trust, which is a movement toward, you know, further 
hardening your infrastructure. I mentioned in my opening 
testimony implementing multifactor authentication, encrypting 
your own data, ensuring you have backups. There are, in a lot 
of ways, some very basic steps that need to be done, patching 
your systems. They just have to be done very, very consistently 
and continuously if Federal agencies are not going to get to a 
point where they are ``done'' or they are safe. They are going 
to have to continue to exercise to stay hopefully one step 
ahead of the malicious actors.
    Ms. Norton. Well, Mr. Schneider, you have previously 
highlighted to this Committee the need to update Federal 
information security and cybersecurity laws such as FISMA. So 
briefly, how could Congress update FISMA or other cybersecurity 
laws to help agencies better defend against ransom attacks?
    Mr. Schneider. Yes. Thank you for the question. I think an 
update to FISMA would be timely. It is certainly something that 
would help drive the Administration to have some updates. I 
think codifying the role of the Federal Chief Information 
Security Officer would be helpful inside of the Office of 
Management and Budget to really help oversee the implementation 
of the various standards that the National Institute of 
Standards and Technology and others put in place. So, there are 
some governance and oversight that I think an update to FISMA 
would be helpful for.
    Ms. Norton. Mr. Schneider, earlier this year, in February, 
the U.S. Marshals Service fell victim to a ransomware attack 
that reportedly required a months-long recovery. In June, 
criminal ransomware perpetrators targeted several other Federal 
agencies, including the Department of Energy. I do not think it 
takes much imagination to envision the detrimental effects of 
an attack on the agency responsible for our nuclear resources. 
So, Mr. Schneider, how can Federal agencies prevent ransomware 
attacks?
    Mr. Schneider. So, ma'am, I think that is the question of 
the day of what both Federal agencies and private sector 
organizations can do to adequately protect themselves, and, 
again, there are a lot of basic cybersecurity controls that 
they need to maintain focus on. All organizations need adequate 
funding to be able to implement those, and they need leadership 
that is highly focused on the risks and threats that their 
technology environment brings to them.
    Ms. Norton. Yes. In the case of the June ransomware 
attacks, I talked about the ransomware criminals were able to 
exploit a commonly used file transfer program called a MOVEit. 
So, Mr. Schneider, why might these criminals target contractors 
and third-party software if their target is the Federal 
Government?
    Mr. Schneider. Ma'am, if a malicious actor is trying to get 
toward whatever their target organization, in this instance, a 
Federal agency, they are going to seek the easiest, quickest, 
most efficient path to that. And so, they are not just going to 
look at the Federal systems, they are going to look at all of 
the systems connected to the Federal systems of where can they 
get into the information that they are trying to get to.
    Ms. Norton. Thank you. I yield back.
    Mr. Fallon. [Presiding.] Thank you. The Chair now 
recognizes my good friend from North Carolina, Mr. Edwards.
    Mr. Edwards. Thank you, Mr. Chair. Mr. Schneider, I 
apologize if this question has been asked before. I just came 
in from another committee meeting, and it is probably so 
obvious, someone has to have asked it. Who is behind the 
majority of the ransomware attacks?
    Mr. Schneider. So, based on the information I am seeing, 
the majority of the threat actors are housed in or coming out 
of Russia.
    Mr. Edwards. Are who coming out?
    Mr. Schneider. Russia.
    Mr. Edwards. Is there any evidence that these attacks are 
government-sponsored, or are they just bad actors inside of 
other countries?
    Mr. Schneider. I think there is mixed on that. I think a 
significant portion of them, probably the majority of them, are 
criminals and criminal actors. Now, I think many of those are 
endorsed by and perhaps even supported by the nation-states 
within where they reside, to include Russia. I think, in 
general, my personal opinion is nation-state actors that are 
looking for espionage or other foreign policy objectives are 
less likely to use ransomware as an attack vector.
    Mr. Edwards. And so, a follow-up to that, I will ask this 
of the panel, if anyone has any information. Is there any 
evidence that you are aware of that these bad actors are 
supported by a government entity of which we should be aware in 
our interaction with other governments? I mean, it seems like 
if they are government sponsored, we should hold them 
accountable or refuse to have different levels of cooperation.
    Mr. Schneider. Well, I think there is certainly evidence of 
some countries supporting ransomware actors. North Korea is 
certainly a very good example where they have, you know, as a 
nation-state, will use ransomware to get around sanctions and 
try to bring money into the economy.
    Mr. Edwards. Does anyone else have an opinion or an insight 
on that question?
    Mr. Rubin. Congressman, I would add that I agree with my 
colleague.
    Mr. Edwards. And thank you. So, my understanding of 
ransomware is, typically, some bad actor is trying to just lock 
up a computer or encrypt information in return for money. Is 
there any evidence that these bad actors are trying to capture 
information, or are they just trying to encrypt someone else's 
information for extortion?
    Mr. Schneider. I think more and more, we are seeing kind of 
multi-extortion events where they will both steal the 
information and try to encrypt it and prevent the owner of the 
information having access, and then they can ransom them on two 
fronts, right? The first ransom is ``pay me money in order to 
have access to your systems again,'' and then a second approach 
is, you know, maybe the organization has good backups and says 
I do not need you to restore my services. Then they will 
threaten the, ``we are going to publicly disclose or sell or 
otherwise compromise the sensitive information.'' So, we were 
seeing more and more actors that are also stealing information.
    Mr. Edwards. And being a part of the private sector and 
also having served on the board of directors of a bank, I know 
that one of the things that keeps us awake at night is 
protecting our data. Have you found that for the private 
sector, there is any commercial software out there that 
adequately protects workstations in offices and at homes? And I 
am not going to ask you for a recommendation. I would just like 
to know your opinion on how well we are prepared with these 
third-party packages to protect Americans.
    Mr. Schneider. I would say, I think, in general, the 
cybersecurity community and cybersecurity tools continue to get 
better and the malicious actors, you know--it is an arms race, 
if you will. And so, as we get better on the defensive side, 
malicious actors are able to leverage new technologies. We 
talked a little about AI earlier as ways to advance and 
increase their capabilities, too, so it is a continuous battle.
    Mr. Edwards. And so, last question for any of you, is our 
government cooperating in any way or interacting with those 
third-party software solutions on what we find to help build 
better packages for the private sector?
    Mr. Rubin. Congressman, I can speak to that. I work for 
Palo Alto Networks, and we are a manufacturer of many of these 
software programs. And we absolutely work regularly with the 
Federal Government as well as with CISA and other organizations 
to share the threat intelligence that we see, as well as the 
capabilities of our software to help protect those 
organizations.
    Mr. Edwards. All right.
    Ms. Mace. Thank you.
    Mr. Edwards. Thank you. Madam Chair, I yield.
    Ms. Mace. [Presiding.] Thank you. I would now like to 
recognize Mr. Lynch for his 5 minutes.
    Mr. Lynch. Thank you very much. First of all, I want to 
thank Chairwoman Mace and Chair Fallon, as well as Ranking 
Member Connolly and Ranking Member Bush, for convening this 
joint hearing. I also want to thank the witnesses for your 
willingness to help the Committee with its work. We have been 
at this a while, and I am not sure if things are getting any 
better.
    We recently had a sizable ransomware attack, a very high 
impact in Massachusetts, my home state, on Point32Health, which 
is the second-largest health insurance provider in 
Massachusetts. It is the parent company of Harvard Pilgrim 
Health and Tufts Health Plan, so it affected an awful lot of 
people. In April of this year, the company announced that it 
had been targeted by a ransomware attack that forced a shutdown 
of several critical systems used to service members' accounts, 
brokers, and also healthcare providers. The attack also 
involved the theft of very sensitive information.
    So, as Mr. Schneider was saying, this was one of those 
cases where they could have a denial of service, or they could 
just simply sell the sensitive information. So, it compromised 
the personal information of more than 2.5 million current and 
former subscribers, dependents, or providers, and, 
unfortunately, the stolen data included Social Security 
numbers, medical history data, health insurance account 
information, and taxpayer ID numbers, so a very, very tough 
situation.
    Importantly, the American Hospital Association has since 
warned that the frequency, sophistication, and severity of 
ransomware attacks against our healthcare sector is 
dramatically escalating with organized criminal gangs and 
military units replacing rogue individual actors as the primary 
perpetrators. As a matter of fact, in the first 6 months of 
2023 alone, more than 220 cyberattacks targeted hospitals and 
healthcare systems with over 36 million people affected.
    So, Dr. Leffler, speaking directly, look, healthcare is 
different. In some ways, there is a vulnerability there that is 
not present in some others. The impact goes beyond just the 
institution. It is all those people whose, you know, private 
health information that is out there. From your experience, 
and, you know, from the way you have looked at this, are there 
certain steps that healthcare institutions need to be taking 
right now and that you have taken perhaps through your 
experience in Vermont that might make the system more secure?
    Dr. Leffler. Thank you for the question. First, have a 
strong separate protected backup. Critically important, have it 
separated from your normal system and updated every single day. 
Next, make sure your IT team is empowered to shut down the 
system immediately if necessary. Do not make them go up the 
chain of command. If they see something unusual, shut it down 
immediately. Most importantly, from clinical care to this point 
before the cyberattack, we typically did a drill where we would 
have our EMR down for 2 days, which seemed like a really long 
time. We were down for 28 days. The things you do over 28 days 
are vastly different. So, I would recommend all hospitals or 
healthcare systems at least to a tabletop exercise to imagine 
what it would be like to be down for a month. You did not have 
phones, schedules, no way to get lab results to the floors. How 
would you handle that I think is critically important. Thank 
you.
    Mr. Lynch. Yes. The wider impact is now, in the 
Massachusetts case, we are seeing class action lawsuits against 
the institutions because of the poor handling of the 
information, so there is a follow-on problem there. Given the 
fact that, you know, we are all in the patient gateway system--
that is what mine is called with my hospital, so all my medical 
records--so, we are moving to, you know, mobile applications 
for all this information. Is there some way that we might close 
that gap?
    I mean, there was an article in the Journal of Medicine, 
like, a month ago, 2 months ago, that said we should treat 
these as sort of regional disasters almost because of the 
community-wide impact that it is having, not just on the 
healthcare institution, but on the community in general. I 
would just like to get your thoughts on that and about those 
longer-term impacts on the credibility of the either insurance 
company or the hospital, and then, you know, how you clean that 
up, even though the trend is moving to, you know, greater 
mobility and easier access to this digital information.
    Dr. Leffler. In Vermont, this was a disaster.
    Mr. Lynch. Yes.
    Dr. Leffler. It impacted our entire state, impacted all 14 
hospitals. It affected patients across our region. It was 
clearly a disaster, and we are grateful that our Governor and 
National Guard stepped in to help us. In terms of better 
protection, I really think the best, and once again, I am at 
the edge of my knowledge here, but the best we can do is break 
the system up into lots of little pieces, so if someone gets in 
somewhere, they have a very hard time getting in everywhere. 
And we have added a lot of steps of multi-identification to 
protect the system, and we have done a huge amount of education 
since the attack to make it harder for people to penetrate.
    Mr. Lynch. Thank you. Madam Chair, I appreciate your 
courtesy. Thank you. I yield back.
    Ms. Mace. All right. I would now like to recognize Mr. 
Langworthy for 5 minutes.
    Mr. Langworthy. Thank you very much, Madam Chair, and to 
both of our Chairs and Ranking Members for putting this 
together, and to our witnesses. You know, for the longest time, 
the United States has enjoyed a reputation of being impervious 
to foreign threats on our soil. But cyber-attacks serve as a 
prime example of this contemporary form of warfare and 
espionage that we all have to be ready for and vigilant 
against. Even our wealthiest corporations or financial 
institutions or hospitals or our civic organizations with 
cutting-edge cybersecurity protocols, they can fall prey to 
these cyberthreats. As we witness breaches in our major urban 
centers, we must consider the potential harm that can be 
inflicted on our rural communities, such as those in my 
district, in New York's 23d congressional District. We are home 
to many rural hospitals, school districts, educational 
institutions, and they are very vulnerable to these challenges.
    With that being said, Dr. Leffler, you highlighted in your 
testimony that UVM Medical Center has unfortunately experienced 
several cyberattacks in the past. Can you identify any 
recurring patterns among the perpetrators? Were these incidents 
typically orchestrated by cybercriminals seeking financial 
gain, or are these foreign actors primarily interested in 
obtaining sensitive patient information?
    Dr. Leffler. Thank you. Gratefully, we only suffered one 
cyberattack. It was in October 2020. It did affect every part 
of our system. We did not contact the cybercriminals or pay 
ransom, but I am sure they wanted both payment to reopen our 
system and likely would have sold the information if they got 
it. We are fortunate that they were unable to get into our 
system to gain patient information. So, we suffered one attack. 
At the time, it was during the pandemic. We had many people 
working from home, and we did that very quickly. And so, we 
have added a lot of security around our computer systems, 
laptops, and that was the way they got in. Someone had gone 
home with their laptop and it entered from a home user when 
they plugged it back into our system. That is how it got into 
our network.
    Mr. Langworthy. Thank you. We are all familiar with the 
financial ramifications of ransomware attacks from 
cybercriminals. The losses could be in tens of millions of 
dollars or more. For a major hospital that is perhaps 
manageable, even if it is not ideal, but let us talk about 
situations where perpetrators are seeking data and not dollar 
value. Dr. Leffler, when actors target our constituents' 
medical records and data, what specific purposes do they have 
in mind for acquiring this information, and what threat is the 
data leak to patients?
    Dr. Leffler. It is a very significant threat to patients. 
Patient information is protected by HIPAA. We take that very 
seriously. And if a cybercriminal is able to get into the 
electronic medical record, they can sell that information on 
the internet and access both patient's financial information, 
insurance information, and cause huge issues for our patients.
    Mr. Langworthy. Thank you. There is no doubt that hospitals 
are hurt in these situations. I mean, their reputation and 
their community all get negative public spotlight, but the 
primary focus for any hospital is undoubtedly patient care. I 
understand that ransomware attacks can result in unauthorized 
access to sensitive information, but could you elaborate on how 
such attacks might potentially affect the quality of patient 
care?
    Dr. Leffler. Basically, in healthcare right now, your 
electronic medical record is your connection to everything that 
you do. Everything runs through that. All of your lab 
information, radiology information, patient care, transfers, 
all run through that. When that system goes down, it has a huge 
impact on patient care. Right now, if you are going to order a 
medication for a patient, electronic medical record tells you 
if you have picked the correct dose, the medication is right 
for the intended purpose, if there is an allergy, if it is safe 
to give this particular patient based on their size and age. 
When that system goes down, all those things revert back to a 
system that many of our doctors now are no longer trained on.
    And so, we had to go back to paper and make sure that 
someone, a person, was going through and doing all those steps 
every time we ordered anything. It impacts how you run your 
operating room, how lab results are stored, how imaging is 
done. We had to buy a bunch of drives to store imaging while we 
were down. It has a huge impact on patient care every day, and 
for the University of Vermont Medical Center, the impact was 
greater than the pandemic.
    Mr. Langworthy. It seems like that would have tremendous 
impact on your workforce as well. What resources has the 
Federal Government offered to hospitals that have experienced 
ransomware attacks, and are there any specific recommendations 
or standards that you would propose to this Committee, 
particularly in the context of rural hospitals?
    Dr. Leffler. The FBI was hugely helpful during our 
cyberattack and provided great insight and help. Beyond that, I 
said before hospital budgets are very tough, and typically, 
hospital leaders want to spend money on patient care issues. 
So, grants or funding to help have the most current 
cybersecurity protection would be very useful. Guidance and 
training around how to prepare for a 30-day outage, I think, is 
critically important in helping to make sure that they have the 
most current EMRs, people, training will make a difference.
    Mr. Langworthy. Thank you very much. Thank you for your 
testimony, and I yield back.
    Ms. Mace. Thank you. I will now recognize Congressman Fry 
for 5 minutes.
    Mr. Fry. Thank you, Madam Chair, and thank you to Chair 
Fallon and the Ranking Members for having this hearing today. 
Thank you for being here. You know, ransomware attacks--of 
course we have talked about this today--are becoming 
increasingly frequent in our society, particularly as we rely 
more and more on technology. My home state of South Carolina is 
not immune from that. We were subject to a very serious and 
costly attack in October 2012 when the South Carolina 
Department of Revenue was hacked by cybercriminals who used 
encrypted malware to steal the income tax returns of 6.4 
million South Carolinian residents and businesses. The attacks 
impacted more than three-quarters of our population, 3.6 
million Social Security numbers, 387,000 credit and debit card 
numbers. The financial cost, when I was a member of the General 
Assembly, was over $20 million to protect South Carolinians. At 
the time, this was considered to be the biggest and largest 
attack on a state agency, not only in South Carolina, but 
across the country.
    Just this year, South Carolinians have been subject to 
numerous attacks, and it does not seem to have an end in sight. 
We have all witnessed agencies, hospitals, businesses, people 
individually, who have run into this problem. And so, the 
question that I have, for you, Mr. Schneider, is, of the 
cybercriminals that you have encountered in your 30 years of 
experience, who are these people? Are they young, are they old, 
are they lone wolves, are they domestic, are they foreign 
actors? What type of people do you see, that engage in this 
practice?
    Mr. Schneider. Thank you for the question, Congressman. I 
think it has evolved over time. I mean, sort of the 
stereotypical from 30 years ago was, you know, a kid in their 
garage on a big couch. And, I think what it has really moved on 
to is, you know, what we are seeing today are, you know, 
ransomware actors, cybercriminals, they are thinking like 
business people. They are setting up help desks so that if a 
victim does not know how to, you know, pay them appropriately, 
they can help them, you know, set up an appropriate wallet and 
be able to send them money.
    So, Chairwoman Mace mentioned earlier ransomware as a 
service. So, this is becoming a business enterprise for the 
malicious actors that are very, very organized. They are 
typically, at least, in nation-states that are allowing them 
to, you know, to act pretty freely, and sometimes they are 
probably encouraging them as well.
    Mr. Fry. You know, we hear all the time that cybercriminals 
adapt their tactics to infiltrate. How do, in your eyes, these 
cybercriminals become involved in this activity? How do they 
get engaged in their craft?
    Mr. Schneider. Congressman, I do not have much data or 
information on kind of how they get into this. Part of my 
speculation is that, you know, they are probably in countries 
where, you know, if they have some skills, this is a place 
where they can put their skills, you know, to unfortunately 
work in a malicious manner. We would much rather see them on a 
defensive side of the cyber equation someplace.
    Mr. Fry. Has the approach of cybercriminals changed at all 
in kind of this era of work from home, you know, during the 
pandemic? How has the landscape shifted?
    Mr. Schneider. I think the landscape has shifted in the way 
that our threat surface is connected, and, you know, we have 
discussed earlier, we continue to interconnect more and more 
systems, more and more data. And every time we interconnect 
more systems, we introduce potentially additional 
vulnerabilities that give the actors, you know, more places to 
attack from.
    Mr. Fry. Thank you for that. Mr. Rubin, in your testimony, 
you cite that a recent Unit 42 report found that our security 
teams take nearly 6 days to resolve an alert. According to the 
report, the amount of time it takes adversaries to move from 
compromise to data exfiltration is merely a few hours. Do you 
expect 6 days to remain the average in the future, given that 
cybercriminals are becoming increasingly sophisticated and 
effective?
    Mr. Rubin. Thank you, Congressman. So, our goal is to help 
organizations reduce that time to respond. So, combination of 
training, combination of technology, combination of dedicated 
resources, our goal is to help organizations move that from 6 
days down to hours or even minutes. When a threat actor gets 
into an organization, they might have a foothold on one system, 
and what they are trying to do is to elevate privileges to 
break out of that system and to move into other parts of the 
network. So, if you can catch them when they are on that first 
system, and you can contain it and take what might otherwise be 
a crippling ransomware attack and make that something much 
smaller.
    Mr. Fry. Thank you for that. Within that 6-day period, how 
disruptive is that to businesses and employees?
    Mr. Rubin. Of course, Congressman, it absolutely varies on 
a case-by-case basis. But what I can tell you a recent incident 
response investigation that we did, we saw for a major tech 
company, within a matter of 15 hours, the threat actor went 
from a phishing attack to escalating privileges to moving 
laterally to exfiltrating over a terabyte of information and 
locking up 10,000 systems. Fifteen hours.
    Mr. Fry. Fifteen hours.
    Ms. Mace. All right. Thank you, Mr. Fry.
    Mr. Fry. Thank you.
    Ms. Mace. All right. In closing, I want to thank our 
panelists this afternoon, once again, for their testimony 
today, especially for those who talked about the ransomware 
attack they had. Very few organizations, institutions, and 
agencies will actually speak publicly about these experiences 
out of fear. And I appreciate the collaboration between my 
colleagues on this and for everyone having the courage to be 
here today.
    I would now like to yield to Ms. Norton for closing 
remarks.
    Ms. Norton. Thank you, Madam Chair. First, I want to share 
the concern my colleagues expressed earlier about these attacks 
on critical infrastructure. That is why we conducted a 
comprehensive investigation which provided new insights into 
how ransomware attacks unfold. I would like to submit to the 
record some of the findings we released in a memo to Congress. 
Would you give this to the staff?
    Ms. Norton. Finally, I want to thank my colleagues for 
calling this important hearing on ransomware today, but I want 
to highlight the paradox of their efforts to combat ransomware 
and cyberattacks. At the same time, they are driving us 
headfirst into a government shutdown. A shutdown will have 
real-world effects both in cyberspace and our communities. As 
both Mr. Connolly and Ms. Brown indicated in their opening 
statements, the Cybersecurity and Infrastructure Security 
Agency, the Agency that leads Federal cybersecurity efforts and 
serves as a national coordinator for critical infrastructure 
security and resilience, will furlough thousands of its 
employees, 80 percent of its workforce, in fact. The Department 
of Justice, the Agency responsible for investigating and taking 
down criminal ransomware attacks, will also be forced to 
furlough thousands of employees. Those are just two agencies.
    A shutdown hurts our communities nationwide and at their 
core. While we think all Federal employees are in the Nation's 
Capital here, the congressional Research Service has found that 
every single congressional district is home to at least 2,600 
civilian Federal employees, all of whom do not know when they 
will receive their next paycheck. Our military service members 
will continue working every day to keep our country safe, 
including our 1.3 million active service troops, but they will 
not receive a paycheck until the government reopens. That 
figure includes 11,000 service members in my district, 114,000 
service members in Texas, and 38 service members in South 
Carolina. Many of these military families will struggle to pay 
rent, afford groceries, or get their prescription medications. 
I suppose that is one way to thank those who put their lives on 
the line for their Nation.
    Democrats are not the only ones horrified by the MAGA 
Republicans holding our Nation hostage. Take, for example, my 
colleague, Mr. Bacon, who told reporters that the Republicans 
are currently ``the dysfunction caucus at work.'' My colleague, 
Mr. Graves from Louisiana, said the Republican holdouts on 
appropriation government were ``holding disaster victims 
hostage.'' And Mr. Garcia said of the MAGA extremists that 
``they just handed a win to the Chinese Communist Party.'' If 
my colleagues really cared about national security, 
cybersecurity, and the health of this Nation, they would be 
funding the Federal Government right now. Like the ransomware 
attackers we examine throughout this hearing, our Republican 
colleagues are holding the Nation captive, and I yield back.
    Ms. Mace. Thank you. I now yield to Chairman Fallon for 
closing remarks.
    Mr. Fallon. Thank you, Madam Chair. Just a couple of 
things. One, it is amazing that you think something like 
combating ransomware would not be partisan, and some of our 
colleagues did not make it partisan, some did, calling folks 
MAGA extremist and people that want to shut down. I do not know 
anybody that wants a shutdown. And when you talk about 
resources, there are limited resources, and that is why a CR 
that we are trying to work out to attach some border security 
that we desperately need, and maybe a modest cut of 8 percent 
of discretionary spending when we are spending $663 billion on 
debt service just this year alone. And according to CBO, over 
the next decade, it is going to be $11 trillion additional 
dollars to service the debt, that in a decade from now, the 
interest payments on the debt could equal, if everything stays 
the same, about half of our total of discretionary spending. It 
is time to do something.
    And so, it is sad to see that, but you want to talk truths 
and facts. The Senate, which is controlled by the Democrats, 
had passed all their appropriations bills out of committee 
before the August recess and sat on their hands, Chuck Schumer 
did, for 2 months, and did nothing. So, you want to call it 
something, you can call the Schumer shutdown. Let us hope it 
does not even happen. I am not rooting for it, but it does seem 
some people are, and that is sad, playing politics on something 
like this.
    Now, on ransomware, we want to deal with specificity. I 
have a friend of mine I had mentioned earlier, anonymous 
friend, he has texted me now and he says do not forget to tell 
them to have really good backups, have multifactor 
authentication, and need help from the government to get after 
these guys as well. And one of the things we can do to get 
after them is I filed the bill last Congress, H.R. 3388, which 
is Protecting Critical Infrastructure Act, which would expand 
penalties for fraud and related activities on these kind of 
attacks on our critical infrastructure--Colonial Pipeline, JBS, 
would be something along those lines that would fit into that--
and expand the penalties.
    Now, I know it is hard to get our hands on these folks, 
considering most of them are in countries that would protect 
them or at least look the other way. Russia and China come to 
mind, but sometimes they get careless, and we need to also make 
sure and clearly define in statute that it does not need to be 
physical infrastructure to be critical. It could be cyberspace 
infrastructure. The laws were written 30 years ago when there 
was not even a cyberspace, or 40 years ago. And then also, my 
bill would direct the President to impose sanctions on foreign 
persons who attempt to harm United States' national security 
interests by accessing and compromising our critical 
infrastructure. So, there are those things as well that we can 
do. So, I am glad that we have had the opportunity to have 
partially a bipartisan meeting on these issues.
    Mr. Schneider, you mentioned the battle between hackers and 
the organizations these bad actors are targeting is becoming, 
you know, an arms race and a term that I think we should really 
think about and give a lot of weight to. And while I think that 
is accurate, it also denotes the threat posed upon America by 
Russia. And we have heard that these attacks are originally 
mostly there and something that we need to protect small, 
medium, and large interests.
    So, I hope that in the future, we can have maybe someday, 
maybe I am just naive, but have a hearing that is something 
that has nothing to do with partisanship, that we can look and 
focus directly on the specificity of the threats, and come up 
with some solutions because, believe it or not, ladies and 
gentlemen, we have some smart people in Congress. We got some 
dumb people, too, but we got some smart ones, and maybe we can 
work together because having served for 8 years in the Texas 
legislature, not everything was partisan there, and I think we 
need to bring a little more Texas to Washington, DC. Madam 
Chair, I yield back.
    Ms. Mace. Thank you, and I will now recognize myself for a 
few minutes. In closing, I did want to say that because, you 
know, the White House did such a good job about sending their 
talking points to this hearing this afternoon, that in the 
event that there is a shutdown, that 80 percent figure the 
White House is pushing of CISA employees who will not be 
showing up to work, that is a decision by the President of the 
United States and his Administration to decide what percentage 
of CISA employees are deemed essential and not will be showing 
up to work in the event that there is a shutdown. In the event 
that there is a shutdown, it is up to the President of the 
United States and his Administration to prioritize who is and 
who is not essential. They can make it as painful as they want 
or as painless as they want in this thing. And by law, any 
Federal employees who are furloughed are going to get back pay, 
so, you know, that is something that should be very clear.
    If we could just tell the God's honest truth in this thing, 
we would not be pointing fingers at either side because, guess 
what? Both sides are to blame if there is a government 
shutdown. Just this week, we saw $33 trillion added to our 
Nation's debt, and that sham of a debt ceiling deal that the 
American people were sold a bed of lies on is going to add 
$18.8 trillion to the debt over the next 10 years. We are 
talking about $50 trillion in debt over the next decade, and 
they just want to blame each other. No, both Republicans and 
both Democrats are at fault.
    The last time we balanced a damn budget in this place was 
in the 90's under President Clinton, a Democrat President and a 
Republican-controlled House. They had a decade plan to balance 
the budget. They did it in 4 years because of surplus tax 
revenue. We cannot even get a plan to balance the budget up 
here in the next 20 years. So, when the American people get 
pissed off about a government shutdown, blame Republicans and 
blame Democrats who are at fault and refuse to get to the table 
to make the spending cuts that are necessary to get this 
country turned around in the right direction.
    So, with that, and without objection, I am going to ask 
unanimous consent to enter a letter from the Electric 
Reliability Council of Texas or ERCOT into the record.
    Without objection, it is so ordered.
    Ms. Mace. Now we are back to ransomware--to go off on 
spending--and without objection, all Members will have 5 
legislative days within which to submit materials and to submit 
additional written questions for the witnesses which will be 
forwarded to the witnesses for their response.
    Ms. Mace. And if there is no further business, without 
objection, the Subcommittee stands adjourned.
    [Whereupon, at 2:46 p.m., the Subcommittee was adjourned.]