[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]
PREPARING THE PIPELINE: EXAMINING THE STATE OF AMERICA'S CYBER
WORKFORCE
=======================================================================
HEARING
before the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINETEENTH CONGRESS
FIRST SESSION
__________
FEBRUARY 5, 2025
__________
Serial No. 119-2
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
60-649 PDF WASHINGTON : 2025
COMMITTEE ON HOMELAND SECURITY
Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas, Vice Bennie G. Thompson, Mississippi,
Chair Ranking Member
Clay Higgins, Louisiana Eric Swalwell, California
Michael Guest, Mississippi J. Luis Correa, California
Carlos A. Gimenez, Florida Shri Thanedar, Michigan
August Pfluger, Texas Seth Magaziner, Rhode Island
Andrew R. Garbarino, New York Daniel S. Goldman, New York
Marjorie Taylor Greene, Georgia Delia C. Ramirez, Illinois
Tony Gonzales, Texas Timothy M. Kennedy, New York
Morgan Luttrell, Texas LaMonica McIver, New Jersey
Dale W. Strong, Alabama Julie Johnson, Texas, Vice Ranking
Josh Brecheen, Oklahoma Member
Elijah Crane, Arizona Pablo Jose Hernandez, Puerto Rico
Andrew Ogles, Tennessee Nellie Pou, New Jersey
Sheri Biggs, South Carolina Sylvester Turner, Texas
Gabe Evans, Colorado Vacant
Ryan Mackenzie, Pennsylvania Vacant
Brad Knott, North Carolina
Eric Heighberger, Staff Director
Hope Goins, Minority Staff Director
Sean Corcoran, Chief Clerk
C O N T E N T S
----------
Page
Statements
Honorable Mark E. Green, a Representative in Congress From the
State of Tennessee, and Chairman, Committee on Homeland
Security:
Oral Statement................................................. 1
Prepared Statement............................................. 3
Honorable Bennie G. Thompson, a Representative in Congress From
the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Oral Statement................................................. 11
Prepared Statement............................................. 14
Witnesses
Mr. David J. Russomanno, PhD, Executive Vice President of
Academic Affairs and Provost, University of Memphis:
Oral Statement................................................. 16
Prepared Statement............................................. 17
Mr. Robert Rashotte, Vice President, Global Training and
Technical Field Enablement, Fortinet:
Oral Statement................................................. 21
Prepared Statement............................................. 23
Mr. Chris Jones, President and Chief Executive Officer, Middle
Tennessee Electric Membership Corporation:
Oral Statement................................................. 28
Prepared Statement............................................. 29
Mr. Max Stier, President and Chief Executive Officer, Partnership
for Public Service:
Oral Statement................................................. 32
Prepared Statement............................................. 34
For the Record
Honorable Bennie G. Thompson, a Representative in Congress From
the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Article by Cyberscoop.com...................................... 78
Letter to U.S. Office of Personnel Management.................. 79
Letter to Office of Management and Budget...................... 81
Honorable Elijah Crane, a Representative in Congress From the
State of Arizona:
Article From NextGov/FCW....................................... 57
PREPARING THE PIPELINE: EXAMINING THE STATE OF AMERICA'S CYBER
WORKFORCE
----------
Wednesday, February 5, 2025
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC.
The committee met, pursuant to notice, at 10:03 a.m., in
room 310, Cannon House Office Building, Hon. Mark Green
[Chairman of the committee] presiding.
Present: Representatives Green, McCaul, Higgins, Pfluger,
Garbarino, Greene, Gonzales, Luttrell, Strong, Crane, Ogles,
Biggs, Mackenzie, Knott, Thompson, Swalwell, Correa, Thanedar,
Magaziner, Goldman, Ramirez, McIver, Johnson, Hernandez, and
Turner.
Chairman Green. The committee will come to order. Without
objection, the Chair may declare the committee in recess at any
point.
The purpose of this hearing is to examine the severity of
America's cyber work force gap and assess how the shortage of
skilled cyber professionals leaves our homeland vulnerable to
evolving global threats in cyber space.
Specifically, we will delve into the challenges that the
public and private sectors face in recruiting, training, and
retaining skilled cyber talent. We will also discuss possible
solutions to mitigate this shortfall.
I now recognize myself for an opening statement. Good
morning, everyone. Today we are focused on the top cyber
challenge we face and that is the cyber work force gap.
This issue has been a top priority for me and other Members
of this committee since the last Congress, and I know it is for
many of you in this room as well. There isn't a city or a State
in this country not affected by this cyber work force gap.
Currently, our Nation lacks about 500,000 cyber
professionals. That is a deficit of 1 million eyes and this
means that many of our networks and critical infrastructure are
going unwatched even while malicious nation-state actors like
Volt and Salt Typhoon target them daily.
At a time when we need to go on the offensive we can barely
play defense. We simply don't have enough people in the right
jobs with the right skills to stay on top of the significant
cyber challenges our homeland faces. We covered many of those
threats in our first committee hearing 2 weeks ago and you can
get a glimpse of the magnitude of these threats yourself. We
captured them in the committee's cyber threat snapshot. You can
see a little bit of that here.
Whether we are dealing with China, Russia, North Korea,
Iran, or criminal actors, one thing is clear. Our
vulnerabilities span from our heartland's hardware to our
cities' software. Sometimes we are dealing with targeted
attacks like ransomware and sometimes our vulnerabilities stem
from poor cyber hygiene or economic models that do not
prioritize cybersecurity.
But whatever the case, we need to do better and we need to
do better now. Our Nation's security and prosperity depend upon
a resilient cyber posture, something that can only be assured
by adequately preparing our pipeline of cyber professionals.
Over the years, there have been many initiatives to address
the cyber work force gap. Our witnesses here today have been at
the forefront of some of those efforts. We applaud those
efforts and hope they will continue.
However, it is clear we need a new but complementary
approach, one that brings together the public and private
sectors to fill gaps at all levels of Government and industry,
one that creates quick pathways for individuals who want to
pivot in their careers without having to complete a 4-year
degree, one that provides hands-on experiences for cyber
professionals and training and then supports them throughout
their careers, one that cultivates a sense of community and
service to the country like the ROTC program, one that's
accessible to all Americans, and one that will finally change
the decades-long narrative around the cyber work force gap.
I believe that bill is my bill, the Cyber PIVOTT Act. It
directly addresses all of these issues in a meaningful way and
that is why I reintroduced my bill today alongside
Representatives Guest, Gimenez, Higgins, Strong, Biggs, Evans,
Moolenaar, Ezell, and Rogers.
We've received significant support for the bill, including
the American Association of Community Colleges. I want to thank
our stakeholders and would like to submit the following
statements for the record: Advocacy Blueprints; Business
Software Alliance; Cyber Innovation Centers and their academic
initiative cyber.org; Darktrace; Forescout Technologies;
Foundation for Defense of Democracies; Information Technology
Industry Council; the Internet Security Alliance, ISC2 or
squared; Avanti; the McCrary Institute; Microsoft; National
Rural Electric Coop Association; Palo Alto Networks; Peraton;
the R Street Institute; SentinelOne; Special Competitive
Studies; the U.S. Chamber of Commerce, and without objection,
so ordered.
It is time to sign the Cyber PIVOTT Act into law, and I
look forward to working across the aisle to ensure that we can
do so in a bipartisan manner.
Last year we held a full committee hearing on the
cybersecurity work force gap with Government witnesses. Today
we will examine the perspective of the private sector. Thank
you to our expert panel for joining us.
Your diverse experiences in academia, critical
infrastructure, cybersecurity, and nonprofits will give us a
holistic understanding of the complexities we face in
bolstering our cyber work force and the strategies we must
consider for reducing the work force gap once and for all. I
look forward to this very important discussion.
[The statement of Chairman Green follows:]
Statement of Chairman Mark E. Green, MD
February 5, 2025
Good morning, everyone.
Today, we're focused on the top cyber challenge we face: the cyber
workforce gap. This issue has been a top priority for me since last
Congress, and I know it is for many of you as well. There isn't a city
or a State in the country not affected by this cyber workforce gap.
Currently, our Nation lacks about 500,000 cyber professionals--
that's a deficit of 1 million eyes. This means that many of our
networks and critical infrastructure are going unwatched, even while
malicious nation-state actors like Volt and Salt Typhoon target them
daily.
At a time when we need to go on the offense, we can barely play
defense. We simply don't have enough people in the right jobs with the
right skills to stay on top of the significant cyber threats our
homeland faces.
We covered many of those threats in our first committee hearing 2
weeks ago. And you can get a glimpse of the magnitude of these threats
for yourself--we captured them in the committee's ``Cyber Threat
Snapshot''.
Whether we're dealing with China, Russia, North Korea, Iran, or
criminal actors, one thing is clear: our vulnerabilities span from our
heartland's hardware to our cities' software.
Sometimes we are dealing with targeted attacks like ransomware. And
sometimes our vulnerabilities stem from poor cyber hygiene or economic
models that do not prioritize cybersecurity.
Whatever the case, we need to do better--now. Our Nation's security
and prosperity depend upon a resilient cyber posture--something we can
only assure by adequately preparing our pipeline of cyber
professionals.
Over the years, there have been many initiatives to address the
cyber workforce gap. Our witnesses here today have been at the
forefront of some of those efforts. We applaud those efforts and hope
they will continue.
However, it is clear we need a new but complementary approach:
One that brings together the public and private sectors to fill
skill gaps at all levels of Government and industry.
One that creates quick pathways for individuals who want to pivot
in their careers without having to complete a 4-year degree.
One that provides hands-on experiences for cyber professionals in
training and then supports them throughout their careers.
One that cultivates a sense of community and service to country,
like the ROTC.
One that is accessible to all Americans.
And one that will finally change the decades-long narrative around
the cyber workforce gap.
I believe that my bill, the Cyber PIVOTT Act, directly addresses
all of these issues in a meaningful way. That is why I re-introduced my
bill today, alongside Reps. Guest, Gimenez, Higgins, Strong, Biggs,
Evans, Moolenaar, Ezell, and Rogers.
We have received significant support for the bill, including from
the American Association of Community Colleges. I want to thank our
stakeholders and would like to submit the following statements for the
record:
Advocacy Blueprints
Business Software Alliance (BSA)
Cyber Innovation Center and their academic initiative,
CYBER.ORG
Darktrace
Forescout Technologies
Foundation for Defense of Democracies (RADM Mark Montgomery
and Jiwon Ma)
Information Technology Industry Council (ITI)
The Internet Security Alliance (Larry Clinton)
ISC2
Ivanti
The McCrary Institute (Frank Cilluffo)
Microsoft
National Rural Electric Coop Association (NRECA)
Palo Alto Networks
Peraton
The R St Institute (Brandon Pugh)
SentinelOne
Special Competitive Studies Project
The U.S. Chamber of Commerce
Without objection, so ordered.
It is time to sign the Cyber PIVOTT Act into law, and I look
forward to working across the aisle to ensure we can do so in a
bipartisan manner.
Last year, we held a full committee hearing on the cybersecurity
workforce gap with Government witnesses. Today, we will examine the
perspective of the private sector.
Thank you to our expert panel for joining us. Your diverse
experiences in academia, critical infrastructure, cybersecurity, and
non-profits will give us a holistic understanding of the complexities
we face in bolstering our cyber workforce, and the strategies we must
consider for reducing the workforce gap once and for all.
I look forward to this important discussion.
Support Statements Submitted by Chairman Mark E. Green
r st institute
Chairman Mark Green's Cyber PIVOTT Act provides an innovative and
meaningful way to address the cyber workforce shortage in the United
States, which has been a challenge for many years. This shortage
negatively impacts the cybersecurity posture of our Nation in the
public and private sectors while the threat landscape continues to
evolve. This legislation is designed to address these challenges in
both the short and long term and recognizes that a 4-year degree is not
the only path one can take to enter the cyber workforce. Given R
Street's long-time commitment to studying and addressing the cyber
workforce shortage, we are pleased to support the Cyber PIVOTT Act.
Brandon Pugh,
Director and Senior Fellow,
Cybersecurity and Emerging Threats, R Street Institute.
isc2
On behalf of ISC2 and its global community of nearly 275,000
certified members, and associates, we strongly support the PIVOTT Act.
This legislation represents a crucial step toward strengthening the
cybersecurity workforce and addressing the growing demands of an
increasingly digital world. By recognizing certification as a viable
and valuable pathway for professionals in the field, this legislation
acknowledges that expertise in cybersecurity is not solely defined by
traditional academic degrees, but by demonstrable skills and practical
experience.
In today's ever-evolving cyber landscape, certifications provide a
globally-recognized, standardized method of assessing an individual's
technical proficiency and readiness for the challenges organizations
face. The PIVOTT Act empowers individuals to validate their knowledge
through legitimate industry certifications, giving them greater
opportunities to advance their careers, contribute to organizational
security, and ultimately help protect national critical infrastructure
from cyber threats.
The PIVOTT Act is a critical investment in the future of
cybersecurity, aligning with industry needs and providing a clear path
for those passionate about living in a safe and secure world. This
approach will enhance the resilience of both public and private sectors
against emerging cyber threats.
forescout technologies
``The cybersecurity workforce shortage in the United States leaves
OT networks that underpin our critical infrastructure increasingly
vulnerable to attack. The Cyber PIVOTT Act takes a crucial and
necessary step toward addressing this challenge by expanding hands-on,
skills-based training to develop a stronger pipeline of cybersecurity
professionals. At Forescout, we believe that equipping the workforce
with the expertise to protect the systems that power our economy is
vital to strengthening our national resilience. We support the Cyber
PIVOTT Act and urge swift passage to bolster cyber defenses where they
matter most.''
Alison King,
VP Government Affairs.
palo alto networks
Palo Alto Networks applauds Chairman Green on the reintroduction of
the Cyber PIVOTT Act. To build a cybersecurity workforce capable of
tackling the evolving challenges of modern cyber threats, we must
invest in engaging and skills-based cybersecurity workforce development
practices that can attract untapped talent and expand pathways into
cybersecurity roles, especially in the public sector. The bill's
recognition of the importance of collaboration between the Government,
community colleges, and industry and the power of hands-on, skills-
based exercises will help build a pipeline of skilled professionals
capable of protecting our digital way of life.
Daniel Kroese,
Vice President, Public Policy & Government Affairs at Palo Alto
Networks.
ivanti
Ivanti welcomes the introduction of Chairman Green's Cyber PIVOTT
Act in the 119th Congress. At a time when highly-resourced nation-
states are proliferating their cyber attacks against U.S. companies and
critical infrastructure, one of the most urgent needs is to develop a
well-trained, sophisticated cyber workforce within the U.S. Government
to protect Government agencies and to assist private companies in
preventing and responding to cyber attacks.
``As a software developer and vendor that works closely with U.S.
Government, Ivanti has seen first-hand the need for the development of
a skilled cyber workforce pipeline that can strengthen security for the
U.S. Government and create a safer cyber environment for critical
industries in the U.S. The Cyber PIVOTT Act is the right approach to
developing this talent,'' said Brooke Johnson, senior vice president
and chief legal counsel at Ivanti.
Ivanti applauds Chairman Green for his leadership on this issue,
and we look forward to working with him and his office to enact this
legislation.
business software alliance (bsa)
``BSA appreciates Congressman Green's leadership in introducing the
Cyber PIVOTT Act, which addresses the cyber workforce shortage that is
occurring in the U.S. According to the Cybersecurity Supply and Demand
Heat Map, there are currently over 450,000 cybersecurity job openings
in the U.S. that could be addressed with meaningful legislation such as
this.
``With the current workforce shortage, the U.S. is exposed to
economic and national security risks. Creating a cyber pathway for
those amid a career change or at the beginning of their careers
increases the accessibility of cyber training by mobilizing American
workers to fill the cyber workforce gap. BSA identified upskilling
American workers and building a cyber workforce in its 2025 Cyber
Legislative Agenda and the 2025 Global Cyber Agenda, one of the many
ways that the U.S. Government can improve cybersecurity and resilience
while engaging the U.S. workforce.
``The programs outlined in the bill will take the meaningful steps
needed to address the critical cyber shortage and secure the U.S.
Government with a beneficial partnership with the Cybersecurity and
Infrastructure Agency. BSA is looking forward to working with Rep.
Green to ensure that building a cyber workforce remains a priority for
policy makers.''
u.s. chamber of commerce
``The U.S. Chamber of Commerce welcomes Rep. Mark Green's (R-TN)
Cyber PIVOTT Act. Inspired by ROTC scholarship programs, this bill
would help build up more talent to defend our networks against foreign
threats and criminal organizations. Last year, the House Homeland
Security Committee unanimously reported the Cyber PIVOTT Act. The
Chamber urges Congress to swiftly pass this important legislation.''
The Hon. Rodney Davis,
Senior Vice President for Government Affairs, U.S. Chamber of
Commerce.
information technology industry council (iti)
ITI is encouraged by the introduction of Chairman Green's Providing
Individuals Various Opportunities for Technical Training to Build a
Skills-Based Cyber Workforce Act (Cyber PIVOTT Act). With over 500,000
cybersecurity jobs open, and increasing cybersecurity attacks, it is
imperative to bolster the Nation's cybersecurity workforce. The need
for a skilled U.S. cybersecurity workforce is evident, and this bill
would create opportunities for those to obtain the skills needed takes
a crucial step in expanding the workforce pipeline. ITI applauds the
Homeland Security Committee and Chairman Green's emphasis on finding a
long-term solution to training and maintaining a qualified
cybersecurity workforce.
microsoft
``The Cyber PIVOTT Act takes important steps to bolster our
Nation's cyber defense. By investing in education and technical
training at America's community colleges, this legislation will help
tap into a wider talent pool, cultivate a skilled workforce, and equip
workers with the skills to combat new and evolving threats. Thank you
to Chairman Green for his leadership on this issue,'' said Fred
Humphries, Corporate Vice President of U.S. Government Affairs at
Microsoft.
advocacy blueprints
Nicole Tisdale, Founder and Principal
As the founder of Advocacy Blueprints, cybersecurity attorney, and
a native of rural Mississippi, I strongly support Chairman Green's
Cyber PIVOTT Act, which addresses critical cybersecurity workforce
needs in America, especially our rural communities. Our recent threat
analysis found that when compared to urban cities, the 66.3 million
Americans living in rural areas are facing the same escalating cyber
threats to their hospitals, water systems, schools and critical
infrastructure.
The Cyber PIVOTT Act takes a practical approach by creating
accessible pathways through 2-year degrees and technical certifications
at community colleges. We're especially excited about the Act's
emphasis on Government service and practical training through
internships to ensure these skills directly benefit rural communities
through roles at local utilities, schools, emergency services, and
critical infrastructure operators.
This model recognizes that rural communities need home-grown cyber
talent who understand local systems and can protect essential services
where they live.
We look forward to working with Chairman Green, additional Members
of the House Committee on Homeland, the U.S. Senate, and stakeholders
to advance this important workforce development initiative that
strengthens our national security.
darktrace
Marcus Fowler, CEO of Darktrace Federal, said: ``At Darktrace, we
see first-hand the urgent need for a stronger cybersecurity workforce.
There are vast numbers of unfilled cybersecurity roles across the
United States, leaving businesses and Government agencies vulnerable.
The Cyber PIVOTT Act is a critical step toward closing this gap by
creating smarter workforce development pathways, expanding access to
hands-on training, and building a skills-based cybersecurity talent
pipeline that meets the demands of today's economy. To achieve this
goal, we'll also need to ensure security teams are trained on the most
advanced tools, to ensure that technology fulfils its potential to
augment the workforce and act as a true force multiplier. Darktrace
believes that a smarter Federal cyber workforce policy when combined
with greater adoption of AI-powered cybersecurity technologies, marks
the best path forward toward meeting America's skills and capabilities
needs and building a more resilient national cyber defense.''
special competitive studies project
The Cyber PIVOTT Act will strengthen America's cybersecurity by
expanding technical training and workforce development. Expanding
access to cybersecurity education through community colleges and
technical schools fills critical gaps and prepares the next generation
of professionals to defend our Nation's critical infrastructure. This
bill is a strategic step toward a more secure and resilient digital
future.
Ylli Bajraktari,
CEO, SCSP-Action Program.
ibm
IBM commends Chairman Green for introducing the Cyber PIVOTT Act
that would help more Americans seeking cybersecurity skilling pathways
through programs at community colleges and technical schools through a
new scholarship program. ``IBM has long recognized the importance of
closing the skills gap across technology, including cybersecurity,
which is essential for AI innovation. Our company has a commitment to
skill 30 million learners world-wide by 2030. As part of this work,
recently we unveiled a new IBM SkillsBuild certificate in
cybersecurity, which was piloted and designed with community colleges.
We look forward to working with Congress to expand cybersecurity
pathways and help more Americans pursue cybersecurity jobs.''
Lydia Logan,
VP of Global Education and Workforce Development, IBM.
______
November 7, 2024.
The Honorable Mark Green, M.D.,
Chairman, House Committee on Homeland Security, H2-176 Ford House
Office Building, Washington, DC 20515.
The Honorable Bennie G. Thompson,
Ranking Member, House Committee on Homeland Security, H2-117 Ford House
Office Building, Washington, DC 20515.
Chairman Green and Ranking Member Thompson:
Thank you for your leadership on cybersecurity issues and
commitment to protecting our Nation's critical infrastructure. I am
writing today on behalf of the National Rural Electric Cooperative
Association (NRECA) in support of H.R. 9770, the Cyber PIVOTT Act. This
legislation will promote the development of a skilled cyber workers in
rural America. NRECA applauds the strong bipartisan support for this
bill as it passed the Homeland Security Committee.
NRECA is the national trade association representing nearly 900
not-for-profit electric cooperatives. America's electric cooperatives
are owned by the people they serve and comprise a unique sector of the
electric industry. From rapidly growing regions of the country to
remote farming communities, electric cooperatives serve as engines of
economic development for 42 million Americans across 56 percent of the
Nation's landscape.
Electric utilities can be targets for cyber attacks because of
their pivotal role in generating and distributing electricity to
support our national security and our daily life. Defending our
critical infrastructure requires a skilled workforce capable of
implementing strong cybersecurity measures to safeguard against
challenging and ever-evolving threats. In 2023, the National Institute
of Standards and Technology reported that only 20 percent of business
leaders at energy utilities felt confident they had the cyber talent
they needed. The Cyber PIVOTT Act is a positive step toward filling our
Nation's nearly 500,000 open cybersecurity jobs by developing a robust
and skilled workforce ready to meet the challenges of the cyber
landscape.
NRECA is particularly pleased with the inclusion of language that
would extend cybersecurity internship opportunities to critical
infrastructure in rural communities. While no sector or region is
immune to the challenges of recruiting and retaining skilled cyber
professionals, these challenges are exacerbated by the unique and
inherent characteristics of rural areas. The Cyber PIVOTT Act will
bridge the skills gap, enabling rural communities to strengthen their
cyber defenses and secure their critical infrastructure.
The investments made by the Cyber PIVOTT Act in cybersecurity
education and training are crucial to building a workforce capable of
protecting our critical infrastructure. We appreciate the bipartisan
support for addressing these issues and urge Congress to pass this
legislation.
Sincerely,
Jim Matheson.
______
INTERNET SECURITY ALLIANCE STATEMENT OF SUPPORT FOR THE PIVOTT ACT
The Internet Security Alliance (ISA) thanks and congratulates
Chairman Mark Green on the introduction of the PIVOTT Act.
If enacted this bill would be the most impactful piece of
cybersecurity legislation ever passed by the U.S. Congress.
It would be the most impactful because, for the first time, it
addresses the USA's most basic cybersecurity need--the lack of an
adequately trained cybersecurity workforce--at scale.
None of our country's cybersecurity programs can operate properly
without an adequately-trained workforce. The technology can't work, the
standards can't work, the frameworks can't work, the regulations can't
work. Nothing can work effectively without an adequately trained
workforce.
Currently we have a workforce shortage of between 500,000 and
750,000 people--an estimated 35,000 people short in the Federal
Government alone--and the gap is growing at up to 10 percent a year.
When fully operational, the PIVOTT Act will be the first
legislation that addresses this fundamental issue from its appropriate
national perspective and at 10,000 new recruits a year, at a scale that
will begin to make a dent in this gap.
The PIVOTT Act addresses a core problem with traditional cyber
workforce programs by focusing on recruiting previously under-targeted
groups such as certification programs and community colleges by
expanding the traditional military academy model of providing free
security training in return for Government service. In doing so PIVOTT
recognizes that cybersecurity is a matter of critical national and
homeland security equivalent to traditional military defense.
The graduates of the PIVOTT program will also become available to
the badly underfunded cybersecurity programs in State and local
governments, which, due to their interconnections with the Federal
Government currently represent a major--and currently unsecured--
vulnerability to our national cyber systems.
PIVOTT is also a cost-effective approach to the cyber workforce
problem since the PIVOTT graduates will be able to replace the high-
priced independent contractors the Government currently needs to hire
from the open market at vastly inflated costs.
PIVOTT will be the ISA's No. 1 legislative priority in the
Congress, and we urge all entities who care about our Nation's
cybersecurity to join in aggressively supporting PIVOTT's passage in
the House, Senate, and eventually receive President Trump's signature.
______
Letter From Scott Cooper, Vice President, Government Relations, Peraton
Corporation
February 3, 2025.
Chairman Mark Green, (R-TN),
House Homeland Security Committee, U.S. House of Representatives, Ford
House Office Building, Washington, DC 20515.
RE: Letter of Support for the Cyber PIVOTT Act
Dear Chairman Green:
We write to express our strong support for your cyber workforce
bill, the Providing Individuals Various Opportunities for Technical
Training (PIVOTT) to Build a Skills-based Cyber Workforce Act of 2025.
We look forward to the House acting on the Cyber PIVOTT Act in the near
term so that we focus on building a robust and resilient cyber
workforce to confront the cyber threats that our country faces.
The cyber threats to our country have only increased over the last
few years, particularly to the U.S. critical infrastructure and
civilian networks. On January 22, 2025, the Committee held a hearing
entitled, ``Unconstrained Actors: Assessing Global Cyber Threats to the
Homeland'' to examine the threats we face, which highlighted the need
to build a robust cyber workforce. As you said in the hearing, ``the
American economy, our government and the military depend upon the
resilience of our networks and our infrastructure. It's past time for
us to get a step ahead of the typhoons, a list of actors that seem to
grow every day.'' You continued saying, ``to do this, we need prepared
cyber professionals.'' To that end, we appreciate that you have made it
a top priority to enact the Cyber PIVOTT Act to grow the cyber
workforce.
The Cyber PIVOTT Act provides access to cyber training and
education with a scholarship program for 2-year degrees at community
colleges and technical skills in exchange for Government service. This
program will encourage technical training, and education needed to
ensure the Government has the cyber workforce necessary to defend the
homeland.
As a Federal contractor and a company with more than 3,000 military
veterans, we at Peraton recognize the importance of ensuring the U.S.
Government has the best and brightest cyber workforce on duty to defend
the homeland against increasing cyber threats.
Peraton is a national security company that drives missions of
consequence spanning the globe and partners regularly with the U.S.
Government to fulfill its cybersecurity mission. We are the world's
leading mission capability integrator and transformative enterprise IT
provider, delivering trusted, highly differentiated solutions and
technologies that protect our Nation and allies from threats across the
digital and physical domains.
We strong support the Cyber PIVOTT Act and look forward to
continuing to partner with you to build a robust, capable, and
resilient cyber workforce ready to confront the cyber threats of today.
Sincerely,
Scott Cooper,
Vice President, Government Relations.
______
Statement of RADM (Ret.) Mark Montgomery and Jiwon Ma, Foundation for
Defense of Democracies
February 5, 2025
the pivott act is pivotal to securing the future of the federal cyber
workforce
Last week, a number of experts testified to the significant threat
that the United States faces in cyber space, especially from the
aggressive and malicious cyber behavior of the Chinese Communist Party.
Addressing this cyber threat will require efforts across all the
dimensions of cybersecurity, including technology, policy, and
processes, and--most importantly--personnel. The committee's decision
to next look at the cyber workforce issue is an astute one, as this is
the dimension that can most rapidly and effectively address the
shortfalls in Federal, State, and local government cybersecurity
efforts.
We are confident that the committee will read and hear a number of
good ideas in the upcoming hearing, but Congress already holds the most
important tools needed to move forward--legislation that was introduced
in the 118th Congress and that needs to be passed in the 119th
Congress. Specifically, the Providing Individuals Various Opportunities
for Technical Training to Build a Skills-Based Cyber Workforce (PIVOTT)
Act provides an excellent vehicle to identify, recruit, and train the
next generation of the cyber workforce by utilizing proven techniques
and leveraging existing Governmental programs to identify supporting
institutions. Similarly, the Federal Cyber Workforce Training Act
provides a blueprint of how to properly onboard and continue to develop
the graduates of the PIVOTT Act programs as they enter the Federal
cyber workforce. Passing both of these provisions would make 2025 a
banner year for the cyber workforce.
workforce challenges at the federal, state, and local levels
The United States is grappling with a shortage of cybersecurity
professionals, with estimates placing the cyber workforce gap at over
500,000 unfilled positions nationwide. This deficit has a cascading
impact on the public sector, where Federal, State, and local government
agencies struggle to compete with private-sector compensation and
streamlined hiring processes.
These vacant cybersecurity roles weaken the Federal Government's
ability to defend against national security threats. State and local
governments face an equally acute challenge, operating with an
unsustainable defense model constrained by budget shortfalls and
limited cybersecurity personnel. Many local governments have just a
handful of dedicated staff protecting multiple disparate systems,
leaving locally-operated critical infrastructures such as water
utilities, transportation systems, and energy facilities vulnerable to
ransomware attacks and cyber intrusions.
Outdated hiring frameworks further compound the issue. Federal
agencies continue to prioritize 4-year degrees, overlooking highly-
skilled professionals with in-demand industry certifications and real-
world expertise that do not fit traditional academic criteria for
hiring.
on-going federal efforts
Over the past 2 decades, the Federal Government has implemented
initiatives across multiple agencies to expand and sustain its
cybersecurity workforce, including flagship programs like CyberCorps:
Scholarship for Service and the Cyber Excepted Service at the
Department of Defense.
For 25 years, the CyberCorps: Scholarship for Service, modeled
after ROTC programs, has placed graduates into Federal cybersecurity
roles by offering scholarships in exchange for Government service. The
program now places approximately 450 graduates annually into Federal
cybersecurity positions. Similarly, for nearly a decade, the Defense
Department's Cyber Excepted Service has attracted and retained more
than 15,000 defense civilian employees with cyber skills, providing the
Department with critical workforce agility. The program continues to
grow, offering enhanced hiring flexibility for cyber and IT personnel,
strengthening the U.S. military's readiness and ability to win wars.
While these programs have successfully grown Federal cybersecurity
talent over the years, they remain limited in accessibility for
individuals who pursue non-traditional degree pathways. Without
additional Federal initiatives to diversify recruitment and hiring
efforts, cyber roles will remain unfilled.
opportunities for congress
Addressing this crisis requires bold workforce reforms, and the
119th Congress has a unique opportunity to expand the reach of
successful programs. Introduced by Chairman Green, the PIVOTT Act is
intended to recruit into Government highly-skilled individuals trained
through vocational schools, community colleges, and industry
certification programs. Like CyberCorps, the PIVOTT program would
provide scholarships, training, and internships to students at
community colleges and technical schools in exchange for a 2-year
service commitment to Federal, State, or local government. The PIVOTT
Act therefore provides a scalability and speed currently lacking in
Federal programs. This new program would provide expanded opportunities
for motivated Americans to acquire a great skill, secure a great job,
and serve a great country.
Additionally, Congress must focus on the retention of the Federal
workforce by establishing a complementary initiative that improves on-
boarding and incentives for newly-hired and existing Federal
cybersecurity employees. The Federal Workforce Development Institute,
which is the centerpiece of the Federal Cyber Workforce Training Act,
would help modernize hiring by streamlining processes, improving
initial training and orientation for junior employees, and expanding
training pathways to better compete with the private sector. By
improving initial onboarding, the Federal Government can get a head
start on an improved development and retention process.
Cyber threats have proven to be persistent risks, disrupting the
essential systems Americans rely on every day. With a strong
foundation, individuals who are properly trained, on-boarded, and
empowered to serve their country will play a vital role in reinforcing
public trust in our Government and go on to strengthen national defense
against cyber threats throughout their careers.
conclusion
A healthy and robust cyber workforce is the backbone of U.S.
national security. As cyber threats evolve, so must our strategy to
defend against them. Opportunities through the PIVOTT Act and the
Federal Cyber Workforce Training Act are not just workforce solutions--
they are strategic investments in protecting America's critical
infrastructure and Government systems. Without a steady influx of
talented individuals serving our country, adversaries will continue to
exploit vulnerabilities in Federal networks. Developing and sustaining
a strong talent pipeline of cybersecurity professionals are critical to
ensuring the Nation has the capacity to detect, prevent, and respond to
evolving cyber threats before they cause irreparable harm.
______
Letter From Kevin Nolten, President, Cyber Innovation Center
February 4, 2025.
The Honorable Chairman Mark E. Green, MD,
Committee on Homeland Security, H2-176 Ford House Office Building,
Washington, DC 20515.
Dear Chairman Green: On behalf of the Cyber Innovation Center (CIC)
and our academic initiative, CYBER.ORG, I am writing to express our
support of the ``Providing Individuals Various Opportunities for
Technical Training to Build a Skills-Based Cyber Workforce Act of
2024'' or the ``Cyber PIVOTT Act.''
Based in northwest Louisiana, the CIC is a 501(c)(3) nonprofit,
economic, and workforce development organization that provides
communities and schools in all 50 States with cybersecurity curricula
and content, technology resources, and training that supports over
38,000 educators and 5.3 million students.
Additionally, CYBER.ORG is the current recipient of the
Cybersecurity and Infrastructure Security Agency's Cybersecurity
Education and Training Assistance Program (CETAP), a competitively-
awarded, multi-year grant focused on building a workforce pipeline to
address our national cybersecurity workforce shortage.
We believe the Cyber PIVOTT Act will provide valuable incentives,
resources, and opportunities to students pursuing cybersecurity
education and training, encouraging more individuals to serve our
Federal, State, local, Tribal, and territorial governments in cyber or
cyber-relevant roles. Filling these critical cybersecurity workforce
gaps will enable our Nation to defend its critical infrastructure and
ensure our national and economic security. For these reasons, we are
pleased to support the Cyber PIVOTT Act.
Sincerely,
Kevin Nolten,
President, Cyber Innovation Center.
______
Letter From Frank Cilluffo, Director, McCrary Institute for Cyber and
Critical Infrastructure Security
Tuesday, February 4, 2025.
Committee on Homeland Security, H2-176 Ford House Office Building, U.S.
House of Representatives, Washington, DC 20515.
Chairman Green, Ranking Member Thompson, and Members of the
Committee: As the committee embarks on its important legislative and
oversight work in the 119th Congress, my colleagues at the McCrary
Institute and I look forward to engaging on a bipartisan basis with you
all to advance our shared objectives of securing U.S. critical
infrastructure from a severe and persistent cyber threat environment.
In the 118th Congress, I testified before the Subcommittee on
Cybersecurity and Critical Infrastructure Protection about the
importance of ensuring the resiliency of critical infrastructure
sectors. Investing in the current and future cyber workforce, as this
bill does, is a vital component of building and maintaining such
resiliency.
Our Nation's adversaries, particularly the People's Republic of
China (PRC), Russia, Iran, and North Korea, continue to pose a major
threat to U.S. critical infrastructure and the American way of life.
PRC-backed adversaries like Salt Typhoon, Volt Typhoon, and Flax
Typhoon, have infiltrated OT and IT systems across several sectors
including telecommunications, energy, Government, high education,
transportation, and health care. In order to combat current and future
threats to our critical infrastructure, the Federal Government must
invest in the development of our cyber workforce via our educational
institutions, as outlined in this legislation.
I was pleased to see the Cyber PIVOTT Act pass the committee with
an overwhelmingly bipartisan vote in the 118th Congress. The truth is
we need everyone rallying to our cyber defense, from K-12 schools to
technical and trade institutions and 4-year colleges and universities.
This updated version of the bill will allow universities like Auburn to
potentially advance the goals of the legislation, just as we have from
previous cybersecurity legislation coming out of this committee, such
as the State and Local Cybersecurity Improvement Act, which is
currently supporting McCrary's work to stand up the Alabama
Cybersecurity Intelligence Center (ACIC) with the Alabama Office of
Information Technology. Now, more than ever, it is a national security
imperative that Congress provide CISA with the resources and
authorities needed to secure critical infrastructure sectors from cyber
threats, and this legislation aligns with that imperative.
I thank Chairman Green for his leadership on this legislation, and
urge the committee to, once again, pass this bill in a bipartisan
manner.
Sincerely,
Frank Cilluffo,
Director.
Chairman Green. I now recognize the gentleman from
Mississippi, our Ranking Member Mr. Thompson for his opening
statement.
Mr. Thompson. Thank you. Thank you very much, Mr. Chairman.
Good morning.
I would like to thank our witnesses for agreeing to testify
today. I appreciate your expertise and your input is valuable
to the committee's work on cyber work force policy.
Just over 2 weeks ago, President Trump was sworn into
office. Nearly every day since then there's been a White House
directive undermining the Federal Government's ability to serve
the American people. There is confusion about which Federal
grant funds President Trump froze last week and whether the
funds are still frozen. The administration refuses to give
Americans a straight answer about that.
Disaster victims recovering from hurricanes in North
Carolina and Florida and wildfires in California are wondering
whether FEMA will still be standing after the President made
clear he would like to shut down the agency.
Now an unelected millionaire from South Carolina--South
Africa, Trump's co-president Elon Musk, has gotten into Federal
networks and is assessing American's sensitive personal data.
God only knows what he's doing with Americans' data or what he
plans--his plans are for our information.
He is inside the Treasury Department system where he is not
only assessing information but has the ability to change it.
These systems have American's Social Security numbers and
payment information.
Trump gave Musk control of our Nation's checkbook of a bank
account funded by American's hard-earned tax dollars. We don't
know what he is doing with any of it.
His DOGE team also allegedly bought a commercial server,
set it up in the Office of Personnel Management, and began
assessing intimate details about American's personal lives from
home addresses to medical histories.
Musk is demanding access to the information systems across
the Federal Government to collect even more data about millions
of Americans for reasons that are yet unclear. These actions
violate a host of Federal laws and policies intended to ensure
data privacy and security and protect Federal networks, leading
one security expert to describe DOGE access to Federal data as
an absolute nightmare.
Nevertheless, neither the White House nor my Republican
colleagues in Congress have shown any inclination to force Elon
Musk and his DOGE underlings to follow the law, adhere to
security practices, or justify their unprecedented access to
Government systems and American's data access to Government.
It is not clear who is, in fact, running the country
because it seems the President is either unable or unwilling to
control Musk. Either way, Americans will be paying the price.
To be honest, Mr. Chairman, it is also not clear why the
committee would hold a hearing on cyber work force at this
time. Make no mistake. Addressing cyber work force challenges
is a critical security priority but holding a hearing on cyber
work force while letting Elon Musk root around in Government
systems is like worrying someone might break in through the
back door of your home while swinging the front door wide open.
I am afraid the committee is failing to address this urgent
security issue and our adversaries like China, Russia, and Iran
are watching the administration do nothing.
Having said that, I would be remiss if I did not point out
that one of the biggest obstacles to growing a robust cyber
work force are the Trump-Musk policies.
As I speak, the Federal work force is in a tailspin. All of
us are hearing from Federal employees not knowing should they
stay or should they go. There is no policies that has been
outlined as to why I am receiving this e-mail telling me that I
am somehow not useful or valued.
I can understand where CISA and other agencies fall in this
tailspin. President Trump's nominee to head the Office of
Management and Budget has said, and I quote, ``We want the
bureaucrats to be traumatically affected. When they wake up in
the morning we want them to not want to go to work because they
are increasingly viewed as villains. We want to put them in
trauma.''
Hiring freezes are delaying the onboarding and recruitment
of top cyber talent. Secretary Noem, who with little
explanation, has said she wants to shrink CISA. Deferred
resignations, offers the administration has no authority to
issue, accompanied by insults about productivity and warnings
of layoffs sent a clear message that the administration does
not value its work force. It is not loyal to it and does not
prioritize developing expertise within Government. In short,
the work force is expendable.
Moreover, the President is openly hostile to a diverse work
force that reflects the American people. In just 2 weeks, he
has directed Federal departments and agencies to strip
references to diversity from their website and blame diversity
for a national tragedy.
Mr. Chairman, I appreciate your commitment to addressing
the cyber work force challenge by expanding Scholarships for
Service for Community College, but under these circumstances
who would want to commit to working for the Government?
Until the administration begins to treat its work force
with more respect and turn a page on his cruel and dismissive
attitude toward diversity, I cannot support new efforts to tie
tuition assistance to employment with the Federal Government or
to an employer the administration must approve.
Despite what the President might think, cyber jobs are
black jobs, Asian jobs, Hispanic jobs, and jobs for women. I
wish I were more hopeful that the committee would work to
correct course on the Trump-Musk policies that are causing
chaos and undermining security.
Toward that end, today I will introduce two resolutions of
inquiry to ensure that the committee has the information
necessary to evaluate whether Donald Trump and Elon Musk have
adequately considered the security implications of their
terrible policies.
The first resolution of inquiry directs the Secretary to
provide the committee documents related to security assessments
associated with efforts to freeze payment of critical homeland
security programs that, among other things, support cyber work
force training and cybersecurity efforts at the State and local
level.
The second resolution of inquiry directs the Secretary to
provide the committee documents related to the impact of the
hiring freeze on the cyber work force, as well as any of the
security policies related to providing DOGE access to DHS
information systems and data.
Additionally, today committed Democrats are sending a
letter to OPM requesting information about the impact of
President Trump's hiring freeze and deferred resignation offers
on the cyber work force in a letter to OMB raising our grave
concerns about Elon Musk's unfettered access to Federal
networks and American's data.
This information is necessary to the committee's oversight
obligation and Democrats will not stand by while the Trump-Musk
administration rips off the American people.
With that, I again thank the witnesses for participating in
today's hearing, and I yield back the balance of my time.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
February 4, 2025
Just over 2 weeks ago, President Trump was sworn into office.
Nearly every day since then, there has been a White House directive
undermining the Federal Government's ability to serve the American
people.
There is confusion about which Federal grant funds President Trump
froze last week, and whether the funds are still frozen. The
administration refuses to give Americans a straight answer about that.
Disaster victims recovering from hurricanes in North Carolina and
Florida and wildfires in California are wondering whether FEMA will
still be standing after the President has made clear he would like to
shut down the agency.
And now, an unelected billionaire from South Africa, Trump's co-
president Elon Musk, has gotten into Federal networks and is accessing
Americans' sensitive personal data. God only knows what he is doing
with Americans' data or what his plans are for our information.
He is inside the Treasury Department's systems where he is not only
accessing information but has the ability to change it. These systems
have Americans' Social Security numbers and payment information. Trump
gave Musk control of our Nation's checkbook, of a bank account funded
by Americans' hard-earned tax dollars. We don't know what he's doing
with any of it.
His DOGE team also allegedly bought a commercial server, set it up
at the Office of Personnel Management, and began accessing intimate
details about Americans' personal lives--from home addresses to medical
histories. Musk is demanding access to information systems across the
Federal Government to collect even more data about millions of
Americans for reasons that are unclear.
These actions violate a host of Federal laws and policies intended
to ensure data privacy and security and protect Federal networks,
leading one security expert to describe DOGE's access to Federal data
as ``an absolute nightmare.''
Nevertheless, neither the White House nor my Republican colleagues
in Congress have shown any inclination to force Elon Musk and his DOGE
underlings to follow the law, adhere to security practices, or justify
their unprecedented access to systems and Americans' data across the
Government. It is not clear who is, in fact, running the country.
Because it seems the President is either unable or unwilling to control
Musk. Either way, Americans will be paying the price.
To be honest, it's also not clear why the committee would hold a
hearing on cyber workforce at this time. Make no mistake, addressing
cyber workforce challenges is a critical security priority. But holding
a hearing on cyber workforce while letting Elon Musk root around in
Government systems is like worrying someone might break in through the
back door of your home while swinging your front door wide open.
I am afraid the committee is failing to address this urgent
security issue, and our adversaries--like China, Russia, and Iran--are
watching the administration do nothing. Having said that, I would be
remiss if I did not point out that one of the biggest obstacles to
growing a robust cyber workforce are the Trump-Musk policies. As I
speak, the Federal workforce is in tailspin.
President Trump's nominee to lead the Office of Management and
Budget has said: ``We want the bureaucrats to be traumatically
affected. When they wake up in the morning, we want them to not want to
go to work because they are increasingly viewed as the villains . . .
We want to put them in trauma.''
Hiring freezes are delaying the on-boarding and recruitment of top
cyber talent. Secretary Noem, with little explanation, has said she
wants to shrink CISA.
Deferred resignation offers the administration has no authority to
issue, accompanied by insults about productivity and warnings of
layoffs sends a clear message that the administration does not value
its workforce, is not loyal to it, and does not prioritize developing
expertise within Government. In short, the workforce is expendable.
Moreover, the President is openly hostile to a diverse workforce
that reflects the American people. In just 2 weeks, he has directed
Federal departments and agencies to strip references to diversity from
their websites and blamed diversity for a national tragedy.
Mr. Chairman, I appreciate your commitment to addressing the cyber
workforce challenge by expanding scholarships for service for community
college, but under these circumstances, who would want to commit to
working for the Government?
Until the administration begins to treat its workforce with more
respect and turn the page on its cruel and dismissive attitude toward
diversity, I cannot support new efforts to tie tuition assistance to
employment with the Federal Government or an employer the
administration must approve. Despite what the President might think,
cyber jobs are Black jobs--and Asian jobs, and Hispanic jobs, and jobs
for women.
I wish I were more hopeful that the committee will work to correct
course on the Trump-Musk policies that are causing chaos and
undermining security.
Toward that end, today I will introduce two Resolutions of Inquiry
to ensure that the committee has the information necessary to evaluate
whether Donald Trump and Elon Musk have adequately considered the
security implications of their terrible policies.
The first Resolution of Inquiry directs the Secretary to provide
the committee documents related to security assessments associated with
efforts to freeze payments of critical homeland security programs that,
among many other things, support cyber workforce training and
cybersecurity efforts at the State and local level.
The second Resolution of Inquiry directs the Secretary to provide
the committee documents related to the impact of the hiring freeze on
the cyber workforce as well as any of the security policies related to
providing DOGE access to DHS information systems and data.
Additionally, today committee Democrats are sending a letter to OPM
requesting information about the impact of President Trump's hiring
freeze and deferred resignation offers on the cyber workforce and a
letter to OMB raising our grave concerns about Elon Musk's unfettered
access to Federal networks and Americans' data.
This information is necessary to the committee's oversight
obligations, and Democrats will not stand by idly while the Trump-Musk
administration rips off the American people.
Chairman Green. The gentleman yields.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
I am pleased to have a distinguished panel of witnesses
before us today, and I ask that our witnesses please rise and
raise their right hand. Do you solemnly swear that the
testimony you will give before the Committee on Homeland
Security of the U.S. House of Representatives will be the
truth, the whole truth, and nothing but the truth, so help you
God?
Let the record reflect that the witnesses have answered in
the affirmative. Thank you. You may be seated.
[Witnesses sworn.]
Chairman Green. I would now like to formally introduce our
witnesses. Dr. David Russomanno currently serves as the
executive vice president for academic affairs and is the
provost at the University of Memphis. Prior to his current
role, he served for 13 years as dean of the Purdue School of
Engineering and Technology and as professor of electrical and
computer engineering at the collaborative campus of Indiana
University and Purdue University.
Throughout his career Dr. Russomanno has spearheaded the
growth of numerous initiatives to improve the recruitment,
retention, and overall success of STEM students.
Mr. Robert Rashotte. Mr. Robert Rashotte serves as vice
president of global training and technical field enablement at
Fortinet where he is responsible for creating award-winning
training and education programs for cybersecurity. He also
previously served as the director of world-wide education
services at that organization.
Before joining Fortinet, he served as the director of
Global Training and Enablement at Trend Micro, director of the
Canadian Standards Association Learning Institute, and senior
manager of training and certification programs at Entrust.
Mr. Chris Jones. Mr. Jones serves as the president and
chief executive officer of Middle Tennessee Electric, an
electric cooperative where he spent the past 26 years. Mr.
Jones also serves as a board member for United Communications,
the Tennessee Electric Cooperative Association, and the
Tennessee Chamber.
He previously served as chair of the Chamber of Commerce in
both Rutherford and Williamson Counties as an advisory member
of the Tennessee Nuclear Energy Advisory Council.
Mr. Max Stier. Mr. Stier serves as president and chief
executive officer of the Partnership for Public Service. He
previously worked in all 3 branches of government.
Prior to his current role, he served as deputy general
counsel for litigation at the Department of Housing and Urban
Development. Mr. Stier also previously served as a clerk for
the U.S. Supreme Court and U.S. Court of Appeals for the Second
Circuit. In addition, he previously worked as special
litigation counsel at the Department of Justice and as a staff
member in the office of a United States representative.
I thank the witnesses for being here today, and I now
recognize Mr. Russomanno for 5 minutes to summarize his opening
statement.
STATEMENT OF DAVID J. RUSSOMANNO, PH D, EXECUTIVE VICE
PRESIDENT OF ACADEMIC AFFAIRS AND PROVOST, UNIVERSITY OF
MEMPHIS
Mr. Russomanno. Chairman Green, Ranking Member Thompson,
and distinguished Members of the committee thank you for the
opportunity to appear before you today. I express my gratitude
to Chairman Green for your overall leadership on cybersecurity
work force and for introducing the Cyber PIVOTT Act.
My name is David Russomanno. I'm a computer engineer by
training and have the privilege of serving as provost at the
University of Memphis. The University of Memphis is a Carnegie
R1 university, which is a designation meaning we are a high-
performing, comprehensive research university.
I have devoted a significant portion of my career as an
engineering professor, department chair, and dean of
engineering and technology to advance STEM education focused on
initiatives to grow the student pipeline and produce successful
student outcomes aligned with work force needs.
For example, I have served as principal or co-principal
investigator on National Science Foundation-administered
scholarships for STEM and CyberCorps Scholarship for Service
projects.
Rightly so, prior testimony to this committee has focused
on cyber threats to our Nation presented by a variety of threat
actors. A parallel threat is the loss of human intellectual
capital that could be marshalled toward strengthening our
cybersecurity work force.
The Cyber PIVOTT Act is an important contribution toward
mitigating these threats by expanding support for students,
including those pursuing education and training at 2-year
community colleges and technical schools. To my knowledge,
these institutions are currently only eligible as sub-awardees
of the partnering 4-year CyberCorps institutions.
There are significant challenges to forming comprehensive
cybersecurity readiness, including data that shows many
colleges are struggling to align education with work force
needs. For example, a recent American Society for Engineering
Education publication referenced a Forbes article by Perna in
which he states, ``Historically, institutions of higher
learning have been slow to pivot their offerings to meet
current work force needs. The inertia is real.''
The article also cites a survey in which 85 percent of
recent college graduate respondents state ``I wish my college
had better prepared me for the workplace.''
In high-demand areas, most notably and critically in
cybersecurity, the private sector may prefer to recruit
experienced employees from other companies rather than creating
entry-level positions and hiring new graduates of post-
secondary institutions.
Such an approach alone contributes to an unsustainable race
for talent rather than developing highly-collaborative
partnerships with educational institutions and the public
sector to grow the talent pipeline at scale and in a
sustainable manner. A race-for-talent scenario may also have
unintended consequence of presenting significant barriers to
entry to the cybersecurity profession.
A service commitment proportional to student sponsorship,
as incorporated into CyberCorps and the PIVOTT Act, serves as
an important model for the private sector. The Federal
Government is encouraged to incentivize such a private-sector
service commitment, especially given the dependence of the
United States, including the U.S. military, on private-sector
infrastructure maintained with insufficient levels of cyber
resilience, as noted by Rear Admiral Montgomery in his recent
testimony to this committee.
When private companies invest in collaborative education
programs they help the skills gap, easing the financial burden
on taxpayers. Consideration of the Cyber PIVOTT Act also
highlights the urgency for 4-year institutions, including
comprehensive R1 institutions to develop and align a portion of
their STEM baccalaureate degree portfolio to facilitate smooth
pathways from applied technology programs.
Per a report from the Education Commission of the States,
31 States have policies for transferring lower division core
courses and a State-wide guaranteed transfer of an associate
degree.
However, in many instances, these articulations may exclude
or not optimally articulate courses, knowledge, and skills
acquired through applied technology programs creating a barrier
to baccalaureate degree completion, which is a focus of the
Polytechnic Initiative at the University of Memphis and is
described in my written remarks.
Thank you again for the opportunity to have this
conversation today.
[The prepared statement of Dr. Russomanno follows:]
Prepared Statement of David J. Russomanno
February 5, 2025
introduction
Chairman Green, Ranking Member Thompson, and distinguished Members
of the committee, thank you for the opportunity to appear before you
today. I express my gratitude to Chairman Green for your overall
leadership on cybersecurity workforce priorities and for introducing
the Cyber PIVOTT Act.
My name is David Russomanno. I am an electrical and computer
engineer by training and have the honor of serving as executive vice
president for academic affairs and provost at the University of
Memphis. The University of Memphis is a Carnegie R1 university, which
is a prestigious designation meaning we are a high-performing,
comprehensive research institution. Before becoming an academic more
than 30 years ago, I worked as an engineer for corporations in the
defense, automotive, and computer sectors.
I have conducted fundamental research with support from various
sponsors, including the National Science Foundation (NSF), Army
Research Laboratory (ARL), State and local governments, and the private
sector to advance the state-of-the-art in some areas and apply the
state-of-the art in other areas. Most importantly, I have devoted a
significant portion of my career as an engineering professor,
department chair, and dean of engineering and technology, before
assuming my role as provost, to advance Science, Technology,
Engineering, and Mathematics (STEM) education focused on initiatives to
grow the student pipeline and produce successful student outcomes
aligned with workforce needs. For example, I have served as principal
investigator or co-principal investigator on NSF-administered
Scholarships for STEM (S-STEM)\1\ and CyberCorps Scholarship for
Service (SFS) Defending America's Cyberspace \2\ projects.
---------------------------------------------------------------------------
\1\ NSF Scholarships in Science, Technology, Engineering, and
Mathematics Program (S-STEM): https://new.nsf.gov/funding/
opportunities/s-stem-nsf-scholarships-science-technology-engineering-
mathematics (link active as of February 1, 2025).
\2\ NSF CyberCorps Scholarship for Service (SFS): https://
new.nsf.gov/funding/opportunities/sfs-cybercorps-scholarship-service
(link active as of February 1, 2025).
---------------------------------------------------------------------------
Per the U.S. Department of Commerce, about 500,000 cybersecurity
positions are open. Those vacancies place our Nation's digital
infrastructure, intellectual property, and privacy at significant risk
from threat actors who are looking to exploit our vulnerabilities.
The Cyber PIVOTT Act is an important contribution toward addressing
this deficiency.
In addition, we at the University of Memphis are implementing an
additional and needed contribution so that 4-year universities are
doing even more by strengthening pathways from applied technology
programs, including applied cybersecurity, to appropriate baccalaureate
programs.
background
Rightly so, prior testimony to this and other Congressional
committees has focused on various cyber threats to the United States
presented by a variety of threat actors, including nation-states,
criminal organizations, and individuals. A parallel threat, which has
been noted in prior hearings, is the loss of human intellectual capital
that could be marshalled toward strengthening our cybersecurity
infrastructure. I am pleased that this 119th Congress is considering
steps to address this threat through the Cyber PIVOTT Act, which will
expand support for education and training programs at community
colleges and technical schools. These institutions, to the best of my
knowledge, are eligible only as sub-awardees of the partnering 4-year
CyberCorps (SFS) institutions. Therefore, the Cyber PIVOTT Act will
broaden and strengthen the workforce and contribute toward forming a
panoply of cybersecurity readiness at scale desperately needed by our
Nation.
challenges
There are significant challenges to forming that comprehensive
cybersecurity readiness to which I just referred, with many
opportunities for post-secondary education, as well as the public and
private sector to work collaboratively to address the challenges.
Higher Education
As summarized last week in the American Society for Engineering
Education's (ASEE) First Bell publication,\3\ data shows that many
colleges are struggling to align education with workforce needs. As
referenced by ASEE First Bell and described in Forbes by Perna:\4\
``Historically, institutions of higher learning have been slow to pivot
their offerings to meet current workforce needs. The inertia is real.
The problem is, Gen Z is smart enough to know it.'' I add that with
respect to our cybersecurity readiness, adversaries are smart enough to
know it too.
---------------------------------------------------------------------------
\3\ ASEE First Bell: https://www.asee.org/publications/NEWSLETTERS/
First-Bell (link active as of February 1, 2025).
\4\ M.C. Perna, ``New Data Reveals Just How Deep The College Crisis
Goes,'' Forbes, January 28, 2025: https://www.forbes.com/sites/
markcperna/2025/01/28/new-data-reveals-the-depth-of-college-crisis/
(link active as of February 1, 2025).
---------------------------------------------------------------------------
Although the focus of the Perna article is Artificial Intelligence
(AI), many of the highlighted issues are relevant to the applied
cybersecurity workforce. For example, Perna cites a survey conducted by
Hult International Business School in which 85 percent of recent
college graduates who participated in the survey agreed with the
statement:\4\ ``I wish my college had better prepared me for the
workplace.'' The Perna article goes on to state:\4\ ``The call here is
simply for the higher education system to better align with what
today's students and employers need--before it's too late.''
The Perna article could understandably be interpreted as the higher
education system is solely responsible for preparing its graduates to
meet workforce needs. However, in high-demand areas, most notably and
critically in cybersecurity, the private sector may prefer to recruit
experienced employees from other companies rather than creating entry-
level positions and hiring new graduates. Such an approach contributes
toward an unsustainable ``race for talent'' rather than developing deep
and sustained partnerships with educational institutions and the public
sector to grow the talent pipeline at scale and in a sustainable
manner. Such a ``race for talent'' scenario may also have the
unintended consequence of presenting significant barriers to entry to
the profession for new graduates who may have interest but limited
experience in cybersecurity.
Examples of sustained private sector and higher education best
practices include ``invested'' program advisory boards that provide
input to academic programs to guide their educational objectives,
curriculum, and student learning outcomes. The advisory input is then
supplemented with ample opportunities for students to augment their
program of study with compensated and meaningful experiential learning
opportunities, including internships sponsored by advisory board
members, to become better-prepared applicants upon graduation.
A service commitment proportionate to student sponsorship as
incorporated into CyberCorps (SFS) and the Cyber PIVOTT Act should
serve as an important model for the private sector to strengthen its
commitment toward contributing to a sustainable cybersecurity workforce
at scale. Opportunities for incentivizing such a private-sector
commitment at the Federal and State levels are encouraged, especially
given the dependencies of the United States, including the U.S.
military, on private-sector infrastructure maintained with insufficient
levels of cyber resilience as noted by Rear Admiral (Ret.) Montgomery
in his recent testimony to this committee.\5\
---------------------------------------------------------------------------
\5\ RADM (Ret.) Montgomery, ``Unconstrained Actors: Accessing
Global Cyber Threats to the Homeland,'' A House Committee on Homeland
Security hearing, January 22, 2025, https://homeland.house.gov/wp-
content/uploads/2025/01/2025-01-22-FC-HRG-Testimony.pdf (link active as
of February 1, 2025)
---------------------------------------------------------------------------
By focusing on retaining cybersecurity professionals, the Federal
Government can avoid the high costs of continually recruiting and
training new employees. Cybersecurity experts in critical
infrastructure roles are costly to train, and turnover disrupts
operations while forcing taxpayers to bear the expense of new hiring
and training processes.
Additionally, when private companies invest in collaborative
training programs, they help bridge the skills gap, easing the
financial burden on the Federal Government by sharing the
responsibility for workforce development.
Traditional Pathways to and Barriers Preventing Joining the
Cybersecurity Workforce
Although many comprehensive universities across the United States
offer a 4-year program of study in cybersecurity and closely-related
fields, there are often barriers for student entry into such programs.
For example, rigorous computer science and engineering programs, which
incorporate cybersecurity education into their curricula, require
extensive mathematics and basic sciences preparation, such as including
Calculus in the first year of a 4-year program of study. These programs
are based on foundational knowledge acquired through courses with
substantial prerequisite chains. First-principle-based programs are
critically important to our Nation to prepare students to advance the
state-of-the-art in a variety of fields. However, these types of
programs may not always be the most appropriate educational pathway for
students interested in applying the state-of-the-art versus acquiring
foundational knowledge at the baccalaureate level, which may be
required for graduate programs in computer science and engineering
focused on research to advance the state-of-the-art.
Moreover, the time required to earn a 4-year degree, particularly
for students who may be working during their program of study, may also
present a hurdle that is too high.
Therefore, the opportunity to earn cybersecurity credentials
through community colleges and technical schools will present an
attractive option to both traditional students and those who may be
considering career change. The Cyber PIVOTT Act is appropriately
focused on community colleges and technical schools as a component for
increasing the cybersecurity workforce at scale.
Given the appropriate focus of the Cyber PIVOTT Act on community
colleges and technical schools, it is important for 4-year
institutions, including comprehensive R1 institutions, to strengthen
pathways from applied technology programs, including applied
cybersecurity, to appropriate baccalaureate programs.
A vitally important aspect of the Cyber PIVOTT Act is the DELAYED
SERVICE clause in which students who immediately after completion of
their community college or technical school program enroll in a 4-year
program may delay their service obligation until after receiving the 4-
year degree. This clause will be an attractive incentive for many
students as they are considering career goals. I encourage that both
the public and private sectors be incentivized in some appropriate
manner to consider continued support of Cyber PIVOTT Act recipients to
pursue a 4-year degree at a later stage of their career if students do
not pursue a 4-year degree immediately after completing their community
college or technical school program.
By partnering with universities, community colleges, and technical
schools, the Federal Government can create tailored cybersecurity
programs that build upon students' prior learning experiences such as
military service and technical certifications. This collaborative
approach allows the Government to leverage existing skills and
expertise without having to start from scratch, ultimately maximizing
the return on its investment in workforce development.
Although significant progress has been made in many States with
articulation agreements from community colleges to 4-year universities,
especially for general education courses, arguably the same progress
has not been made with respect to articulation agreements with programs
offered by technology schools.
Per a report by the Education Commission of the States, at least 31
States have policies requiring a transferable core of lower-division
courses and State-wide guaranteed transfer of an associate degree.\6\
However, my experience is that these articulations primarily focus on a
general education core, which is a component of most associate of
science (AS) and associate of arts (AA) degrees or very similar
programs, and may exclude or not optimally articulate courses,
knowledge, and skills acquired through associate of applied science
(AAS) programs creating a barrier to baccalaureate degree completion.
For example, within the State of Tennessee, there are limited
articulation agreements between programs offered by Tennessee Colleges
of Applied Technology (referred to as TCATs) to baccalaureate programs
offered by 4-year universities.
---------------------------------------------------------------------------
\6\ Education Commission of the States: ``50-State Comparison:
Transfer and Articulation Policies--Education Commission of the
States,'' https://www.ecs.org/50-State-comparison-transfer-and-
articulation/ (link active as of February 1, 2025).
---------------------------------------------------------------------------
However, progress is being made, especially with articulations from
AAS to Bachelor of Applied Science (BAS) programs. The University of
Memphis (UofM) is striving to be a national leader to accelerate the
AAS-to-BAS transfer pathway through The Polytechnic @ UofM initiative.
supportng workforce growth at scale
The Polytechnic Model
A polytechnic \7\ may be regarded as an educational institution or
unit within an institution that primarily focuses on applied sciences,
applied technology, and career pathways.
---------------------------------------------------------------------------
\7\ ``Polytechnic,'' Merriam-Webster.com Dictionary, Merriam-
Webster, https://www.merriam-webster.com/dictionary/polytechnic (link
active as of February 1, 2025).
---------------------------------------------------------------------------
Although polytechnic has several definitions and a variety of
implementations, some recurring themes are as follows:
Offer real-world experiences and industry partnerships
Provide hands-on training with emphasis on practice and
applying the state-of-the-art versus advancing it
Serve as a complement to first-principle-based curricula
(e.g., traditional computer science and engineering programs)
in which the fundamental concepts or assumptions on which a
theory, system, or method is based \8\ are foundational to
progression in the curriculum.
---------------------------------------------------------------------------
\8\ ``First Principles,'' Oxford Learner's Dictionary, https://
www.oxfordlearnersdictionaries.com/us/definition/american_english/
first-principles (link active as of February 1, 2025).
---------------------------------------------------------------------------
To attain their ideal definition, polytechnic programs must align
with workforce needs and demonstrate the ability to pivot to meet
rapidly changing knowledge and skillset demands by the workforce
(arguably requiring a more rapid feedback loop with respect to
assessing student and workforce needs for continuous improvement than
programs that have strong foundations in first principles).
While dean of the Purdue School of Engineering and Technology at
Indiana University--Purdue University Indianapolis (now part of Purdue
in Indianapolis), I enthusiastically supported the development of an
application-oriented Bachelor of Science degree in Cybersecurity and a
Master of Science degree in Cybersecurity and Trusted Systems.
Distinguishing features of these programs included: (i)
minimization of extensive course prerequisite chains; (ii) team-based
and project-based courses and labs; (iii) ``invested'' advisory boards
as previously mentioned; (iv) significant student participation in
experiential learning opportunities, including paid internships; and
(v) flexibility in accommodating transfer from 2-year institutions for
the BS program and accommodating a variety of undergraduate BS degrees
in preparation for admission to the MS program. Moreover, both the BS
and MS programs incorporated student participation in NSF CyberCorps
(SFS), which served as a model to enhance partnerships with the
programs' advisory board and other entities from the private sector.
Now as Provost at the University of Memphis, with strong support
from the President of the University and our Board of Trustees, we are
launching The Polytechnic @ UofM as an important component of the
UofM's Ascend strategic plan \9\ to better prepare our students for
workforce needs with emphasis on a successful outcome for every
student.
---------------------------------------------------------------------------
\9\ Office of the President of the University of Memphis, Ascend
strategic plan 2023-2028, https://www.memphis.edu/president/strategic-
plan/index.php (link active as of February 1, 2025).
---------------------------------------------------------------------------
The Polytechnic @ UofM will serve as the organizational sub-unit
within our Herff College of Engineering to host several existing
applied technology programs, as well as to launch new applied
technology programs to rapidly respond to workforce needs.
Implementation includes a Bachelor of Applied Science (with
concentrations such as Applied Cybersecurity, Applied AI, and Advanced
Manufacturing Supervision) to expand support for student matriculation
pathways from the following: (i) Tennessee Colleges of Applied
Technology; (ii) Community Colleges with associate of applied science
programs; (iii) private-sector training and certification programs;
(iv) credit for prior learning, including experience gained through
military service; and (v) other applied technology and vocational
institutions across the United States, all of which are well-positioned
to benefit from the Cyber PIVOTT Act and to contribute to building a
cybersecurity workforce at scale.
conclusion
I am honored to testify today in strong support of the Cyber PIVOTT
Act under consideration by the 119th Congress as it will broaden and
strengthen the workforce toward forming the panoply of cybersecurity
readiness at scale desperately needed by our Nation. Moreover,
consideration of the Cyber PIVOTT Act highlights the urgency for 4-year
institutions to develop and align a portion of their STEM academic
portfolio to provide a seamless pathway to baccalaureate programs for
students pursuing applied technology programs, including applied
cybersecurity, from community colleges and technical schools.
The Polytechnic @ UofM is an important new initiative leveraging
partnerships within the State of Tennessee and beyond to contribute
toward a national model for addressing workforce needs in applied
technology areas and as an important complement to first-principle-
based baccalaureate and graduate programs in computer science,
engineering, and closely related fields of study.
Chairman Green. Thank you, Dr. Russomanno.
I now recognize Mr. Rashotte, and am I pronouncing your
name correctly----
Mr. Rashotte. Yes.
Chairman Green [continuing]. Perfect--for 5 minutes to
summarize his opening statement.
STATEMENT OF ROBERT RASHOTTE, VICE PRESIDENT, GLOBAL TRAINING
AND TECHNICAL FIELD ENABLEMENT, FORTINET
Mr. Rashotte. Chairman Green, Ranking Member Thompson, and
distinguished Members of the committee, my name is Rob Rashotte
and I serve as vice president of Fortinet's training institute.
I've spent my career focusing on empowering others with the
skills to successfully enter and advance within the
cybersecurity work force. I appreciate the opportunity to
testify before you today on the state of America's cyber work
force.
Fortinet is a U.S. company that is one of the largest
cybersecurity companies in the world. While we manufacture over
half of the firewalls sold world-wide, our portfolio extends
across nearly 60 different integrated cybersecurity and
networking solutions. This reflects our commitment to
innovation as cyber threats continue to evolve.
In addition, Fortinet operates an award-winning training
institute focusing on making training, cybersecurity training,
available to everyone. We believe teamwork across the public
and private sector is critical to ensure strong national cyber
resilience.
A robust and skilled work force is foundational to this
resilience, making today's discussion both about jobs and our
national security.
The demand for cybersecurity professionals continues to
outpace supply with over 500,000 unfilled positions in the
United States. We annually conduct a skills gap survey
surveying IT and cybersecurity decision makers with our
findings compiled into an annual cybersecurity skills gap
report.
Our latest research found that 75 percent of U.S.
organizations believe that the work force gap is escalating
cyber threats and nearly 90 percent have experienced a breach
they attribute in part to lack of cyber skills. While companies
are working to recruit and retain talent, more than half
struggle to find qualified professionals.
The cybersecurity work force gap has been exacerbated by
several interconnected challenges, the most significant
challenge being the persistent reliance on traditional 4-year
degrees as a primary requirement for most roles. We've observed
a growing number of technical schools, colleges, and
universities launching 2-year degree programs that effectively
prepare students for a range of cybersecurity roles.
Waiting until high school or college, however, to influence
career decisions is often too late. Just as kids talk to their
parents about becoming doctors or firefighters, we need to
ensure that cyber threat hunter, for example, becomes part of
that conversation.
To help create that spark, Fortinet has developed
cybersecurity awareness training for K to 12 schools nationwide
and has made it available at no cost. The curricula introduces
cybersecurity concepts as early as kindergarten. Today, the
program operates in 43 States by engaging students, teachers,
and parents who are sparking interest in cybersecurity careers
early.
We must also do more to attract existing underutilized
talent pools. A key example is military veterans moving into
civilian roles. Many veterans possess highly relevant skills
that are invaluable to cybersecurity.
Our veteran partner organizations, though, often note that
their members lack awareness or the confidence in how their
military experience translates into cybersecurity careers. We
must unlock this wealth of talent that is both capable and
well-suited for the field.
We must also focus on reskilling and upskilling. Cyber
professionals often face high stress and burnout and many
organizations lack clear career progression paths.
Strengthening training, mentorship, and career mobility will
help grow a sustainable work force.
Industry, academia, and Government are making progress but
we must scale our efforts. If enforced, the proposed Cyber
PIVOTT Act would have a positive impact across both the public
and private sector with its emphasis on cybersecurity
scholarships for students in partnership with technical
schools, colleges, and universities, as well as developing
internships and Federal job opportunities for graduates.
In conclusion, I'm confident that with the right tools,
incentives, and partnerships we can ensure the cyber work force
pipeline is strengthened and that today's work force gap
becomes yesterday's issue. To achieve this we need bold,
consistent action that can scale, ranging from early training
of our children on cyber awareness through to technical career
training and efforts like the PIVOTT Act.
Thank you for the opportunity to be part of today's
discussion and I look forward to your questions.
[The prepared statement of Mr. Rashotte follows:]
Prepared Statement of Robert Rashotte
February 5, 2025
Chairman Green, Ranking Member Thompson, and distinguished Members
of the committee, I appreciate the opportunity to testify before you
today on ``the state of America's cyber workforce''. My name is Rob
Rashotte and I serve as vice president of the Training Institute at
Fortinet.
Fortinet \1\ is a U.S. company that is one of the largest
cybersecurity companies in the world. While we manufacture over half of
the firewalls sold world-wide, our portfolio extends across nearly 60
different integrated cybersecurity and networking solutions and
services, reflecting our commitment to innovation as information
technology (IT) and cyber threats continue to evolve. In addition to
our products and services, Fortinet operates a robust cybersecurity
training institute \2\ focused on helping to address the significant
global cyber workforce and skill gaps and preparing the next generation
of cybersecurity professionals. Our ultimate goal is to enable a more
digitally secure society.
---------------------------------------------------------------------------
\1\ https://www.fortinet.com/corporate/about-us/about-us.
\2\ https://training.fortinet.com.
---------------------------------------------------------------------------
We believe teamwork is key to best defend against cyber threats. To
that end, Fortinet is part of numerous collaborative activities between
industry and the U.S. Government, ranging from participation in the IT
sector's coordinating council to collaboration on technology
development through NIST's National Cybersecurity Excellence
Partnership \3\ and coordinated cyber threat analysis and response via
the Joint Cyber Defense Collaborative \4\ (JCDC) run by the
Cybersecurity and Infrastructure Security Agency (CISA). Reflecting the
fact that cyber crime does not stop at country borders, Fortinet also
participates in global initiatives such as the World Economic Forum
Centre for Cybersecurity \5\ and the Cyber Threat Alliance.\6\
---------------------------------------------------------------------------
\3\ https://www.nccoe.nist.gov/news-insights/ncep-mechanism-
partnering-nccoe.
\4\ https://www.cisa.gov/topics/partnerships-and-collaboration/
joint-cyber-defense-collaborative.
\5\ https://centres.weforum.org/centre-for-cybersecurity.
\6\ https://www.cyberthreatalliance.org/.
---------------------------------------------------------------------------
Our commitment to collaboration is also reflected in our training
initiatives, where we've established meaningful partnerships with
leading tech-focused non-profits across the globe to expand the talent
pool and awareness of jobs in the field. We established a Veterans
Program Advisory Council, comprised of veteran non-profit
representation from across the Five Eyes, given the strong correlation
between skills gained by veterans during their time in service to the
needs of the cyber workforce. This council helps us gain deeper
insights into the needs of the veteran community and enables us to
continually evolve our programs to better serve them. These
collaborations are essential to broadening our impact and ensuring we
attract enough talent to close the industry gap. The individuals we
support will enter the cyber field across a variety of industries, like
the energy or education sectors, working to safeguard corporate
networks and critical infrastructures--ultimately ensuring a more
secure and resilient Nation. Our training could be utilized by all
organizations represented here today. No one is immune and
cybersecurity is all our responsibility.
state of the cyber workforce
As the cybersecurity landscape becomes increasingly complex, the
demand for skilled professionals continues to grow with more than
500,000 cybersecurity professionals required to address the workforce
gap within the United States.\7\ As part of our training initiatives,
we place a strong emphasis on direct engagement with key stakeholders.
Each year, we conduct a skills gap report, surveying 1,850 IT and
cybersecurity decision makers across 29 countries, with the United
States contributing a significant 300 respondents. The findings are
compiled into our annual Cybersecurity Skills Gap Global Research
Report, now in its fourth year of publication. Our latest 2024 report
revealed that 70 percent of global organizations believe the shortage
of skilled cybersecurity professionals is escalating security risks.
That statistic rises to 75 percent for U.S. respondents.\8\
---------------------------------------------------------------------------
\7\ https://homeland.house.gov/2024/09/24/chairman-green-
introduces-cyber-pivott-act-to-tackle-government-cyber-workforce-
shortage-create-pathways-for-10000-new-professionals/.
\8\ https://www.fortinet.com/content/dam/fortinet/assets/reports/
2024-cybersecurity-skills-gap-report.pdf.
---------------------------------------------------------------------------
In the past year, nearly 90 percent of organizational leaders said
their enterprise experienced a breach that they can partially attribute
to a lack of cyber skills. Despite many organizations adopting creative
strategies to recruit, hire, and retain qualified cybersecurity
professionals to fill positions, 51 percent of leaders say the talent
pools for their needed skill sets are generally lean. These on-going
recruitment challenges represent a significant and dangerous supply
problem for the industry, with 54 percent of enterprises noting that
they continue to struggle to recruit cybersecurity talent.
While there are numerous hurdles associated with recruitment and
hiring, leaders also noted that the retention of skilled cybersecurity
practitioners is also a challenge. Half of respondents said that
offering employees sufficient training and upskilling opportunities was
the biggest hurdle to keeping qualified practitioners on staff.
barriers to entry
The cybersecurity workforce gap has been exacerbated by several
interconnected challenges ranging from lack of standardization and
awareness of cybersecurity roles to competition for skilled
professionals in adjacent fields. Among the most significant
challenges, however, are the barriers to entry for both newcomers to
the field and existing professionals seeking career advancement. Based
on our research and insights from numerous partnerships, the most
pressing and wide-spread issue in this regard is access to education
and training. While financial constraints are often a factor for those
looking to start a career in the field, a major obstacle remains the
persistent reliance of companies and Government agencies on traditional
4-year degrees as a primary requirement for cybersecurity roles. This
outdated requirement should no longer serve as a default filtering
mechanism in the hiring process.
Through our collaborations with hundreds of academic institutions,
we have observed a growing number of technical schools, colleges, and
universities launching 2-year degree programs that effectively prepare
students for a range of cybersecurity roles. Additionally, many
industry stakeholders have made significant strides in providing high-
quality cybersecurity industry training at little or no cost to
aspiring professionals. Since the beginning of 2020, Fortinet has been
offering its entire catalog of self-paced cybersecurity certification
training free of charge to all individuals looking to enter the field
or advance their careers. Other organizations, both within and beyond
the cybersecurity sector, have taken similar steps to expand access to
industry-recognized training.
While not a substitute for formal academic education, industry
training and certification play a crucial role in equipping new
entrants with the practical knowledge and hands-on skills-based
experience that isn't always available through traditional degree
programs. Our top level of certified professionals, who have earned the
title of Fortinet Certified Experts (FCX), tell us repeatedly that
their expertise was mostly obtained through hands-on experience. To
address the cybersecurity workforce gap effectively, we all need to
remove as many barriers to education as possible, while hiring
organizations must recognize and embrace alternative pathways to
competency and expertise.
the needed ``spark'': awareness of cybersecurity as a career
Cybersecurity has evolved from an obscure technical concept to
become part of our household vocabulary, often happening for all the
wrong reasons. However, we must seize this newfound visibility and use
it as an opportunity to inspire young students to pursue careers in
cybersecurity. Just as children come home from school and talk to their
parents about becoming a doctor, firefighter, or police officer, we
must challenge ourselves to make ``Cyber Threat Hunter'' a part of that
conversation. In many instances, waiting until high school or college
to influence career decisions is too late.
This goal is not only achievable but already yielding results. We
have seen first-hand the impact of early engagement through our
extensive work with K-12 schools across the United States. In 2022
Fortinet participated in the White House's National Cyber Workforce and
Education Summit. This initiative brought together Government and
private industry leaders to discuss how we could collectively address
the pressing issue of workforce development in cybersecurity. We were
grateful for this opportunity to participate, as it challenged us to
rethink the approach and responsibility of the Fortinet Training
Institute.
In response, our experienced team of cybersecurity curriculum
content developers began adapting our enterprise security awareness and
training service for the education sector with a focus on equipping K-
12 staff and faculty with the knowledge to become more cyber aware. We
offered this training at no cost to school districts and private
schools across the United States, and the feedback was overwhelmingly
positive.
To demonstrate the selfless nature of the educators in this
country, many asked if we could also develop a curriculum to teach
cybersecurity directly to K-12 students. Recognizing the urgent need
for this type of education, we once again were tasked with evolving our
role and responsibility at the Fortinet Training Institute. We
immediately hired a dedicated team of K-12 curriculum developers--
former educators--who now focus exclusively on creating age-appropriate
cybersecurity content for students, teachers, and parents while
leveraging the expertise of the cybersecurity professionals in our
organization.
Our programs now introduce cybersecurity concepts as early as
kindergarten and evolve into more career-oriented content as students
progress through later grades. To date, this program is active in 43
States, and has issued more than 700,000 licenses to our content.
Taking a holistic approach--engaging students, teachers, parents, and
staff--is critical to fostering a cybersecurity-aware culture and
sparking interest in cyber careers at an early age.
We are seeing many States across the United States take a
leadership role in this as well. States, such as Nevada, Nebraska,
North Carolina, Rhode Island, South Carolina and Tennessee, are
bringing cyber education to younger students by requiring a credit in
computer science to be eligible for high school graduation. Tennessee
has taken it a step further by including a credit in cybersecurity as
an alternative to the requirement. We believe these efforts are highly
appropriate and necessary to expand awareness, and hope additional
States take similar action.
Beyond inspiring the next generation, we must also do more to
attract existing underutilized talent pools, particularly individuals
transitioning into new careers. A key example is military veterans
moving into civilian roles. Many veterans possess highly relevant
skills--including situational awareness, leading in a crisis, and the
ability to perform under pressure--that are invaluable in
cybersecurity. While technical skills can be taught, these innate
attributes are critical in many cyber roles. However, our partner
organizations that support veterans, such as VetSec Inc. and Hire
Heroes USA, frequently report that their members lack awareness or
confidence in how their military experience translates into
cybersecurity careers. Addressing this gap is essential to unlocking a
wealth of talent that is both capable and well-suited for the field.
lack of clarity on career paths and roles
While some traditional cybersecurity roles--primarily technical
roles--are relatively well-defined, the field has evolved to encompass
a vast and increasingly complex range of roles and required skill sets.
This rapid evolution has led to significant ambiguity, making it
challenging for individuals seeking education and training to navigate
their path into a cybersecurity career.
Organizations such as NIST and the National Initiative for
Cybersecurity Education (NICE) have made great strides in developing
cybersecurity career pathways. As cybersecurity roles evolve at a rapid
pace, these efforts must continue and evolve to ensure these frameworks
remain current and, more importantly, that they serve as a benchmark
for standardizing cybersecurity roles across Government and industry.
Clearly-defined career pathways are not only essential for
individuals entering the field but also for current professionals
looking to advance. Establishing standardized career pathways is
crucial in efficiently upskilling the existing workforce and creating a
pipeline of experienced professionals for senior and leadership roles
as part of long-term succession planning. By creating greater clarity
and consistency in cybersecurity career paths, we can better equip both
new entrants and seasoned professionals to meet the growing demands of
the industry. At Fortinet, we have seen increasing interest over the
last few years in courses in security operations (SecOps) and cloud-
based security architecture. In response, we updated our entire
certification program in 2023 to meet the needs of the rapidly-evolving
threat landscape and job market needs.
recruitment and retention
Recruiting and retaining cybersecurity professionals remain
significant challenges in addressing the cyber workforce shortage.
Unlike well-established fields such as accounting--where hiring for a
CPA, for example, follows a clear and standardized process--
cybersecurity is still a relatively young profession with roles and
responsibilities that are constantly changing. This on-going evolution
makes the recruitment process uniquely difficult.
Many recruiters struggle to develop accurate job descriptions or
identify the appropriate skills needed for cybersecurity roles. As a
result, they often rely on arbitrary requirements, such as mandating a
traditional 4-year degree, which unnecessarily excludes a large pool of
highly-qualified candidates. This underscores the critical importance
of efforts by organizations like NIST and the NICE \9\ initiative,
which is making significant strides in standardizing cybersecurity
roles and career pathways. Establishing clearer role definitions and
hiring frameworks will be essential in improving both recruitment and
retention across the industry.
---------------------------------------------------------------------------
\9\ https://www.nist.gov/itl/applied-cybersecurity/nice/about.
---------------------------------------------------------------------------
Retention efforts are just as critical as recruitment in addressing
the cybersecurity workforce gap. Attracting new talent is only part of
the solution--organizations must also focus on keeping skilled
professionals engaged, motivated, and growing within their careers.
High turnover rates not only exacerbate the workforce gap but also lead
to knowledge loss, increased training costs, and disruptions in
cybersecurity operations, all of which can weaken an organization's
security posture.
Moreover, cybersecurity professionals often face high levels of
stress, burnout, and job dissatisfaction due to long hours, intense
workloads, and the ever-evolving threat landscape. Without clear career
pathways, opportunities for advancement, and continuous upskilling,
many professionals may leave for better-defined roles in other
industries.
Investing in retention strategies, such as competitive compensation
and professional development, ensures that organizations maintain a
strong, experienced cybersecurity workforce.
Ultimately, addressing retention challenges is key to building a
sustainable and resilient cybersecurity talent pipeline.
on-going progress to address the cyber workforce gap
While there is work to be done to develop the future cybersecurity
workforce, it's encouraging that there are significant efforts already
under way across industry, academia, and Government to address this
challenge. Many industry-leading organizations are working to meet the
challenge head on. Fortinet, for example, has committed to training 1
million people over a 5-year period (2021-2026) through our Fortinet
Training Institute. We are slightly ahead of our goal with more than
630,000 trained as of Dec. 31, 2024.\10\ By providing free, self-paced
cybersecurity training and working with academic institutions, non-
profits, global organizations and Government agencies, Fortinet is
helping to equip individuals with the skills needed to enter and
advance in the field.
---------------------------------------------------------------------------
\10\ https://www.fortinet.com/corporate/about-us/newsroom/press-
releases/2024/fortinet-announces-progress-towards-mission-to-tackle-
cybersecurity-skills-shortage.
---------------------------------------------------------------------------
Additionally, through our many academic partnerships, Fortinet has
seen several innovative post-secondary institutions recognize the
importance of alternative education pathways. Some of our academic
partners, such as Northeast State Community College in Tennessee,
Sinclair Community College in Ohio, and Mohave Community College in
Arizona have introduced 2-year cybersecurity degree programs that
provide students with skills-based, relevant knowledge and hands-on
training and industry certifications. These programs are effectively
preparing students for entry-level cybersecurity roles. Effective
degree programs, along with Government-backed workforce initiatives,
apprenticeship programs, and veteran transition efforts, are making
cybersecurity careers more accessible to a broader talent pool. While
these initiatives represent meaningful progress, continued investment
and collaboration will be essential to closing the cybersecurity
workforce gap at scale.
what more can be done?
Despite on-going efforts to close the cybersecurity workforce gap,
more comprehensive solutions are needed to address systemic challenges.
First, organizations and policy makers must expand and embrace
alternative pathways into cybersecurity roles beyond traditional 4-year
degrees. Increased investment in shorter degree programs, vocational
training, industry-recognized certifications, and apprenticeship
programs can help individuals enter the field quickly and transition
from adjacent fields into cybersecurity. Additionally, upskilling and
reskilling of existing employees must be prioritized. This is necessary
in order to provide clear career progression opportunities to retain
critical talent and ensure robust succession planning.
Stronger partnerships between industry, academia, and Government
agencies can also enhance workforce development. Businesses should
collaborate with educational institutions to ensure curricula align
with real-world cybersecurity needs. Governments should continue to
provide incentives for companies and academic institutions that invest
in cybersecurity training, education, and workforce development. These
public-private partnerships can help to ensure portability of
experienced cybersecurity professionals between Government and private-
sector roles and help to bridge the workforce gap at scale.
The work of this committee is also key to expanding awareness of
cyber roles in the workforce and closing the cyber workforce gap. If
enacted, the proposed Cyber PIVOTT Act would have a positive impact
across both the public and private sector with its emphasis on
cybersecurity scholarships for students in partnership with community
colleges and technical schools, as well as developing internships and
Federal job opportunities for graduates of this program.
Finally, the cybersecurity profession must improve awareness and
branding. Many potential candidates are unaware of the range of
cybersecurity careers available. Public awareness campaigns, starting
at the high-school level, can help attract more individuals to the
field, ensuring a sustainable and resilient workforce for the future.
conclusion
Our digital ecosystem is constantly under attack by hackers, cyber
criminals and nation-state actors. Teamwork across the public and
private sector is crucial to ensure strong national cyber resilience. A
robust and skilled workforce is foundational to this resilience--making
today's discussion both about jobs and our national security.
I have spent my career focusing on empowering others with the
skills to successfully enter or advance within the cybersecurity
workforce. I am confident that with the right tools, incentives, and
partnerships we can ensure the cyber workforce pipeline is strengthened
and that today's skills gap becomes yesterday's issue. To achieve this,
we need bold and consistent action that can scale--ranging from early
training of our children on cyber awareness through to technical
training on secure coding practices. Efforts like the Cyber PIVOTT Act
are critical examples of how private and public-sector collaboration
can ensure this workforce pipeline is strengthened.
Thank you for the opportunity to be part of this hearing and I
stand ready to assist the committee on this important topic. I look
forward to today's discussion and I welcome your questions.
Chairman Green. Thank you, Mr. Rashotte.
I now recognize Mr. Jones for 5 minutes to summarize his
opening statement.
STATEMENT OF CHRIS JONES, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, MIDDLE TENNESSEE ELECTRIC MEMBERSHIP CORPORATION
Mr. Jones. Chairman Green, Ranking Member Thompson, and
distinguished Members of this committee, thank you for the
opportunity to testify before you today. My name is Chris Jones
and I serve as president and CEO of Middle Tennessee electric.
I am testifying to provide my perspective as an electric
co-op leader but also to represent the National Rural Electric
Cooperative Association and the 900 electric cooperatives
across the country. In all these respects, it is quite an honor
to be before you today.
MTE is the largest electric cooperative in the TVA region
and the second-largest in the United States, serving more than
750,000 Tennesseans. Our service territory includes 15,000
miles of distribution lines across 11 Middle Tennessee
counties.
NRECA is the national trade association representing 900
electric cooperatives. Electric co-ops are not-for-profit
electric providers and are focused on delivering affordable,
reliable, and secure electricity to more than 42 million
Americans in 48 States. We are unique in the electric sector in
that we operate without profit incentives and are owned and
governed by the very people we serve.
Electric co-ops were created with the mission to address
the distinct challenges associated with providing electric
service to rural communities, which typically have lower
population densities, are more residential, and less affluent
than the industry average. This means cooperatives are
constantly asked to do more with less and they deliver.
Electric co-ops are owners and operators of some of the
Nation's most critical infrastructure, including providing
power to more than 150 military facilities and installations in
the United States. We also serve as economic drivers and life
lines for critical industries and services in our communities
like hospitals, schools, emergency services, energy, and food
and agricultural production.
Protecting America's electric grid from cyber and physical
threats is a top priority for our electric co-ops and the
communities they serve. Accomplishing this important task as
at-cost entities presents its own set of challenges.
The same circumstances that made it difficult to invest in
electrifying rural America nearly 100 years ago, including
being isolated from larger customer bases and diverse talent
pools available in urban areas, persist in some places today.
I address these issues in more detail in my written
testimony, but electric cooperatives struggle for cyber
professionals against more competitive salaries and benefits
offered by larger urban-based firms. It is also often difficult
to attract skilled talent to rural areas because of a perceived
lack of professional development or career progression
opportunities.
However, electric co-ops are identifying innovative ways to
overcome these obstacles through partnerships and smart
investments.
I would be remiss if I did not take this opportunity to
thank Chairman Green for his leadership with the Cyber PIVOTT
Act to help tackle some of these issues. Electric cooperatives
were pleased with the inclusion of language that would extend
cybersecurity internship opportunities to critical
infrastructure in rural communities.
Creating a talent pipeline that includes pathways into
rural areas will foster a local, skilled cybersecurity work
force to safeguard critical infrastructure in these regions.
We have a saying that if you have met one electric co-op
then you have met exactly one electric co-op. We come in all
different shapes and sizes. But many of our challenges share
similar themes.
MTE is fortunate to not have to wrestle with some of the
more intense challenges of the rural cybersecurity work force
issue. However, with my 26 years working for the cooperative I
have seen the lengths MTE has had to go to tackle those issues
and can share many challenges that are impacting other co-ops
across the broader community.
Thank you for this opportunity. I hope to be helpful, and I
look forward to responding to any questions.
[The prepared statement of Mr. Jones follows:]
Prepared Statement of Chris Jones
Wednesday, February 5, 2025
introduction
Chairman Green, Ranking Member Thompson, and Members of this
committee: Thank you for the opportunity to testify before you today.
My name is Chris Jones, and I serve as president and CEO of Middle
Tennessee Electric (MTE). I am testifying today to provide my own
insights as a co-op leader, but also representing the National Rural
Electric Cooperative Association (NRECA) and nearly 900 electric
cooperatives across the country.
MTE is the largest electric cooperative in the Tennessee Valley
Authority (TVA) region and the second-largest in the United States,
serving more than 750,000 Tennesseans. Our service territory includes
15,000 miles of distribution lines over 2,200 square miles--or more
than double the landmass of Rhode Island--across 11 Middle Tennessee
counties, primarily Rutherford, Cannon, Williamson, and Wilson. MTE
employs around 540 people in 6 local offices and its Murfreesboro
headquarters.
NRECA is the national trade association representing nearly 900
rural electric cooperatives across the country. Electric co-ops are
not-for-profit, at-cost electric utility providers focused on
delivering affordable, reliable, and secure electricity to over 42
million Americans in 48 States. We are unique in the electric utility
sector in that we are private-sector, operate without profit
incentives, and are owned and governed by the people we serve.
Electric co-ops were created with a mission to address the distinct
challenges associated with providing electric service to rural
communities, which typically have lower population densities, are more
residential, and less affluent than the industry average. This means
that cooperatives are constantly asked to do more with less, and they
deliver. Cooperative members give their utilities the highest customer
satisfaction scores, on average, in the electric sector.
Electric co-ops are owners and operators of some of our Nation's
most critical infrastructure, such as power plants, electrical
substations, and transmission and distribution lines. This also
includes infrastructure to generate or provide power for more than 150
military facilities and installations across the United States. We also
serve as economic drivers and lifelines for critical industries and
services in rural communities, including hospitals, schools, emergency
services, and food and agriculture production.
Protecting America's electric grid from cyber and physical threats
is a top priority for the Nation's electric cooperatives. Accomplishing
this important task presents its own set of challenges. The same
circumstances that made it difficult to invest in electrifying rural
America nearly a hundred years ago, including being isolated from the
larger customer bases and diverse talent pools available in urban
areas, persist today. These challenges add difficulty in investing in
the people, processes, and technologies needed to secure the grid in
rural communities.
We have a saying in our industry: If you have met one electric co-
op, then you have met exactly one electric co-op. The nearly 900
electric co-ops across the country all come in different shapes and
sizes. Although MTE does not fit the profile of the typical electric
cooperative, all our challenges share similar themes. MTE is fortunate
to not have to wrestle with some of the more intense challenges of the
rural cyber workforce issue. However, with my over 2 decades of
experience working for the cooperative, I have seen how MTE has tackled
those issues and can share how co-ops are impacted across the broader
community.
I will share some of the challenges electric co-ops face in
securing the grid, specifically in recruiting, retaining, and
developing cybersecurity professionals. I also will highlight how
electric cooperatives are overcoming these challenges through the help
of resources developed by NRECA and the smart investment of Federal
dollars.
threat landscape
Cyber threats jeopardize electric reliability and pose a
significant risk to the Nation's safety, security, and economic well-
being.
The cybersecurity threat landscape for electric utilities is
increasingly complex and perilous. Electric utilities are prime targets
for cyber attacks due to their pivotal role in both national security
and daily life. Threat actors, ranging from state-sponsored groups to
cyber criminals, exploit vulnerabilities for geopolitical or monetary
gains. These attacks have the potential to disrupt the power supply,
causing wide-spread outages and economic damage. The rise of
sophisticated malware, ransomware, and phishing attacks further
exacerbates the risk.
Additionally, smart grids, distributed energy resources (DER), and
internet of things (IoT) devices--while improving efficiency--introduce
new targets. Defending our infrastructure against new challenges and
evolving cybersecurity threats requires strong cybersecurity measures,
continuous monitoring, proactive threat intelligence, and a skilled
workforce capable of safeguarding these critical assets against
increasingly sophisticated attacks.
workforce challenge
As cyber threats grow more complex and prevalent, particularly
those targeting critical infrastructure like electric utilities, the
demand for cybersecurity professionals will continue to grow. In 2023,
the National Institute of Standards and Technology (NIST) reported that
only 20 percent of business leaders at energy utilities surveyed felt
confident that they had the cyber talent they needed. These experts are
essential for developing and implementing advanced security measures,
conducting threat assessments, and responding to incidents swiftly and
effectively.
Despite the evolving and complex threat environment, there are
still around 450,000 cybersecurity vacancies in the United States. We
need more cyber professionals to safeguard critical infrastructure
across the country. While no sector or region is immune to the
underlying difficulties of recruiting and retaining skilled cyber
professionals, these challenges are exacerbated by the unique and
inherent characteristics of electric cooperatives and rural areas.
Electric cooperatives are not-for-profit, at-cost utility
providers, meaning we operate without a profit incentive. This model
allows co-ops to serve more remote areas with low population density,
averaging only 25 percent of the customers and revenue per mile of
line, compared with the rest of the industry. Unlike investor-owned
utilities, electric cooperatives operate without shareholders. Because
of this, financing costly investments often requires reliance on debt,
which must be approved by each cooperative's Board of Directors and
ultimately paid back through rates paid by their members. Boards are
careful stewards of their members' resources and mindful of the
economic impact of rate increases to end-of-line consumer-members,
particularly given that cooperatives provide service to 92 percent of
the Nation's persistent poverty counties.
Therefore, investing in the most sophisticated security
technologies and competing for skilled cyber professionals can be a
challenge. Recruitment and retention for these professionals are
complicated by competitive salaries and benefits offered by larger,
urban-based firms, which can lure away skilled workers. Cooperative
staff, whether in IT, cyber, or non-technical roles, often wear
multiple hats within the organization.
Since electric cooperative service areas are often largely rural,
they can be seen as less attractive to professionals seeking vibrant
social and professional networks, further complicating recruitment
efforts. Rural areas also face significant challenges in developing a
robust cybersecurity talent pool. One of the primary issues is the
limited access to specialized education and training programs. Many
rural regions lack institutions that offer advanced cybersecurity
courses, making it difficult for residents to acquire, and keep up to
date on, the necessary skills and changing techniques and tactics
locally. Additionally, the overall awareness of cybersecurity careers
is often lower in these areas, leading to fewer individuals pursuing
this field.
cyber pivott act
We want to thank and acknowledge Chairman Green's leadership on
introducing the Cyber PIVOTT Act during the last Congress. This
proposed legislation was a positive step toward addressing the complex
and multifaceted difficulties surrounding the cyber workforce in
general, and particularly in rural areas.
NRECA was particularly pleased with the inclusion of language that
would extend cybersecurity internship opportunities to critical
infrastructure providers in rural communities. We hope this provision
will raise the visibility of electric co-ops as a viable and rewarding
career path in cyber. Developing a talent pipeline with off-ramps into
rural communities will help grow a local, skilled cybersecurity
workforce to protect critical infrastructure in these communities. The
Cyber PIVOTT Act will bridge the skills gap, enabling rural communities
to strengthen their cyber defenses and secure their critical
infrastructure.
electric cooperatives solutions
Electric cooperatives are identifying innovative ways to address
cyber workforce challenges. Co-ops are increasingly focused on building
local talent through partnerships with educational institutions and
providing opportunities for remote work and professional development.
We are also seeing partnerships between large generation and
transmission cooperatives, State-wide associations, and distribution
co-ops to share tools, equipment, and expertise across shared systems
to bolster cyber defenses. In the Tennessee Valley, we have a long
history of collaboration and partnership among TVA and its 153 local
power companies, which are electric cooperatives and municipally-owned
electric systems. This partnership extends into the cybersecurity
arena. Our State and Valley-wide associations have made cybersecurity a
top priority, from conferences and training to work groups and
webinars.
Additionally, NRECA is leveraging members' fees and Federal dollars
to build a robust cybersecurity program to assist cooperatives in
attracting cybersecurity talent, building professional and mentoring
networks, and providing skill development and training opportunities.
The Rural Cooperative Cybersecurity Capabilities (RC3) Handbook is
a series of comprehensive guides designed for specific roles within
cooperatives to help enhance their cybersecurity posture. Last year,
NRECA published the final handbook in the series targeted toward H.R.
managers to provide practical advice on implementing recruitment and
retention strategies and employing on-going professional development.
NRECA and electric cooperatives are also utilizing funds through
the Department of Energy's (DOE) Rural and Municipal Utility
Cybersecurity Program, or RMUC, to make investments in cybersecurity
technology, training, and educational opportunities. RMUC is a
generational opportunity to improve the cybersecurity posture of
electric cooperatives by providing resources to critical infrastructure
operators with the greatest need of support.
Through RMUC, more than 200 personnel from 123 cooperatives
participated in an intensive, 3-day training program last year, hosted
by DOE. The program was designed to advise attendees on how to improve
cybersecurity for industrial control systems and operational
technology.
Additionally, NRECA was awarded $9 million in RMUC funds to
strengthen peer-to-peer information sharing, boost mutual assistance,
promote cybersecurity awareness, and build internal expertise through
the expansion of the NRECA Threat Analysis Center (TAC) and the
development of the Cyber Champions Program.
Finally, NRECA hosts an annual technical conference, known as Co-op
Cyber Tech, that brings together cybersecurity professionals from rural
electric cooperatives to collaborate, share knowledge, and develop
skills. The event features hands-on content and sessions on the latest
cybersecurity trends and technologies.
conclusion
Cyber threats endanger electric reliability and present a major
risk to the Nation's safety, security, and economic stability. Electric
cooperatives have a mission to safeguard the electric grid of the
communities we serve and live in ourselves.
While electric cooperatives are making smart investments and
building strategic partnerships to develop our cyber professionals,
more work needs to be done. Initiatives like those in the Cyber PIVOT
Act bring much-needed focus to the cyber workforce needs of rural
America. Creating a talent pipeline that includes pathways into rural
areas will foster a local, skilled cybersecurity workforce to safeguard
critical infrastructure in these regions. Co-ops and our rural
communities have a lot to offer in protecting America's critical
infrastructure.
I thank the committee for its bipartisan work on this issue and
look forward to answering your questions.
Chairman Green. Thank you, Mr. Jones, for your testimony.
Mr. Stier is now recognized for his 5 minutes of opening
statement.
STATEMENT OF MAX STIER, PRESIDENT AND CHIEF EXECUTIVE OFFICER,
PARTNERSHIP FOR PUBLIC SERVICE
Mr. Stier. Thank you very much, Chairman Green, Ranking
Member Thompson, and all the Members of the committee, and
especially for the extraordinary way that you have operated as
a committee bipartisan and focusing on this issue over the long
term and being extraordinarily thoughtful.
It is, unfortunately, I think, a little unusual and deeply
appreciated on such a fundamental issue.
We know that it's important when we're thinking about cyber
to be focused on the whole picture. That includes, obviously,
the private sector as well as the public sector. My focus will
be on the public sector.
One important difference in today's world is that our
Government is no longer the market maker. It's a market
participant and so that relationship between the private sector
and the public sector has changed and it's fundamental to think
about what that interrelationship actually needs to be.
In the public sector, we have made progress but the truth
of the matter is that gaps remain. It's extraordinary that GAO
in 1997 identified information security as an item on their
high-risk list. It's still there, human capital issues since
2001.
I think this committee should be asking the question we're
making progress but what more do we really need to do to change
the circumstances? Because the incremental change we're seeing
so far, frankly, isn't good enough.
I'm going to offer 3 categories of opportunities for
improvement, beginning with reforming the broader system. We
often in the Federal Government operate way too much in the
vertical. When you're thinking about something like cyber it
should be a holistic approach. We need to be looking at,
frankly, strategic human capital management across the board,
looking at it as one Government and integrating the efforts so
we have information from all agencies.
We know there's a 2,000-person gap in the cyber work force
at DHS but, frankly, we don't really know what the full picture
is. So, understanding it from a comprehensive view is
fundamental here.
Second, we need to focus on implementation of things you've
already done, in particular the bipartisan Chance to Compete
Act. The notion that we should be focused on skills-based
hiring is a fundamental one, especially in the cyber area.
Getting that implemented effectively so it actually is
making a real difference is going to take work, oversight, and
continued follow-up from this committee.
Third, very important, when you look at the pay system it's
nuts. We have a pay system the Federal Government that was
designed in 1949 and that's basically how we pay Federal
employees. That is when the Federal work force was almost
exclusively clerical and now it's professional.
The world has changed. Our Government has not kept up and,
frankly, we need to change that. The pay system is a very, very
prominent place in which that needs to be done.
Second, we need to go for big swings and partly I mentioned
earlier about strategic human capital and doing that
holistically. We need to see cyber more broadly managed as a
Government-wide asset, not agency by agency. There's enormous
efficiencies that can be generated by that.
We need to improve an entry pipeline.
You know, Mr. Chairman, the PIVOTT Act I think is
fundamental. You forgot one thing when you mentioned the
different agency organizations that were endorsing your
legislation. Please include the Partnership for Public Service.
You know, going forward we've been supporting this notion
in essence of an ROTC-like program for decades. It is such
smart things. We shouldn't build separate institutions. We
should use the institutions that already exist.
Third, we need to look at development of mid-career and
senior talent. On that front, one of the things we need to
think about with the public sector work force is more exchanges
between the public sector and the private sector.
There's too much insulation between those and, frankly,
it's not only the knowledge that needs to be shared but they
need to understand how the different entities work and you do
that by working in different entities. So, having more flow of
talent, I think, is going to be fundamental.
The third piece that I'm going to flag here, and this is
the one that I think is going to be the most challenging, and
that is just bluntly we need to stop the harm that is taking
place right now. You know, there is no truly real damage being
done to the Federal work force, specifically the cyber work
force, and it gets to--the list is in terms of the hiring
freeze the, you know, push for people to resign, the collection
of information about probationary employees.
The best way I can capture this is to read 2 paragraphs of
an e-mail that I received last night from a student in a
CyberCorps scholarship program.
She writes, ``The CyberCorps Scholarship for Service
program provides educational funding for students in
cybersecurity exchange for working in the Federal Government
after graduation. This scholarship has been vital to my career
and academic journey. Without the funding I would have been
unable to attend graduate school and I was thrilled by the
opportunity to work in public service upon graduation.''
``It has been a goal of mine for some time to join the
Federal work force and this program seemed like the perfect
opportunity. In recent weeks, I've had job offers rescinded and
opportunities paused until the hiring freeze is over. The
Executive actions have led to significant uncertainties for me
and my CyberCorps classmates, students who face tremendous
pressure to find a Government job or risk owing the Government
over $170,000.''
``I urge you to speak with the panel about the importance
of ensuring the hiring freeze national security exemptions
apply to all cybersecurity jobs in the U.S. Government.''
Getting this, I felt an obligation to share.
Thank you so much and look forward to the conversation.
[The prepared statement of Mr. Stier follows:]
Prepared Statement of Max Stier
February 5, 2025
introduction
Chairman Green, Ranking Member Thompson, and Members of the
committee, thank you for the opportunity to participate in this
discussion on strengthening America's cyber workforce. My testimony
today will focus on the cyber workforce needs of the Federal
Government.
I am Max Stier, the president and CEO of the Partnership for Public
Service, a nonpartisan nonprofit which, over the last 24 years and
across administrations of both parties, has been dedicated to building
a better Government and stronger democracy.
The Partnership was founded on the premise that any organization's
best asset is its people and that the Federal Government needs
dedicated, skilled talent to deliver on promises to the American
people.
Our organization over the years has produced a number of reports on
cyber talent that speak to the themes relevant to today's hearing--
developing a comprehensive cyber workforce strategy, improving Federal
hiring and developing better pipelines into cyber positions encouraging
the Nation-wide development of technology skills.\1\ We also help place
recent graduates in cyber and artificial intelligence fellowships at
Federal agencies.\2\
---------------------------------------------------------------------------
\1\ Partnership for Public Service, ``Cyber In-Security:
Strengthening the Federal Cybersecurity Workforce'' (July 2009),
``Cyber In-Security II: Closing the Federal Talent Gap'' (April 2015),
``Leading Ambitious Technology Reforms in Government'' (Aug. 2017).
\2\ Partnership for Public Service, Cybersecurity and Artificial
Intelligence Talent Initiative, https://gogovernment.org/fellowship/
cybersecurity-ai-talent-initiative/.
---------------------------------------------------------------------------
We believe that the Federal Government should continually modernize
its practices and earn the trust of the public. We've recently outlined
5 key areas for reform in our Vision for a Better Government:\3\
develop better Government leaders; make it easier to hire and keep
great public servants; hold poor performers accountable; unleash the
power of data and technology to achieve better public outcomes; and
provide efficient, constituent-friendly services to the public.
---------------------------------------------------------------------------
\3\ Partnership for Public Service's ``Vision for a Better
Government'' (Aug. 15, 2024), available at https://
ourpublicservice.org/publications/vision-for-a-better-government/.
---------------------------------------------------------------------------
The Partnership is gravely concerned about escalating actions that
undermine the capabilities of the Executive branch to carry out
mandates from Congress, including protecting our national security with
a skilled cyber workforce. The list is growing by the hour--freezing of
Federal funds, mass firings of Federal employees, threatened coercion
of all Federal employees to leave the workforce and disturbing
decisions on access to Government systems that impact the private
information of your constituents. Collectively, these actions only
increase the cyber threat to our country.
By contrast, the committee's approach today is the right one. With
respect to the Federal cyber workforce, this committee for years has
focused on key workforce issues: How do we identify and fill cyber
skills gaps throughout the Federal Government? What is working and not
working for the numerous efforts across the Federal Government--which
often are carried out in silos--and how do we leverage success stories
across the broader Government-wide cyber workforce? What are ways to
best foster Federal, State/local, and private-sector coordination in
strengthening the cyber workforce?
As Members of this committee have noted in past hearings, the cyber
responsibilities of the Federal Government are vast--not only
protecting the systems of Federal agencies but working in partnership
to protect the cyber spaces of our Nation's critical infrastructure,
the public at large, and all levels of Government. This hearing today
provides a thoughtful forum on how to equip the Federal workforce to
address these urgent challenges.
status of the federal cyber workforce
While attention to cyber needs has increased greatly across the
Federal Government over the last decade, the gaps in agencies' needs
remain vast. The Partnership's analysis of data over the last 5 years
shows that overall, the Federal cyber workforce grew from over 101,000
in 2019 to over 114,000 in 2024.\4\ This is far short, though, in
meeting the Government's overall needs.
---------------------------------------------------------------------------
\4\ Based on Office of Personnel Management's FedScope data from
Sept. 2019 through Sept. 2023, and March 2024, for occupational
categories 0854 (Computer Engineering), 1550 (Computer Science), 2210
(Information Technology Management), and 2230 (DHS Cybersecurity
Specialist).
---------------------------------------------------------------------------
For example, the Department of Homeland Security reported to your
committee last June that the Department had over 8,000 cyber employees
but still had over 2,000 cyber vacancies.\5\ That's exactly the type of
skills gap analysis--updated regularly--that we need from each Federal
department and agency so that we can best determine how to fill those
gaps and how to align Federal efforts with the overall cyber workforce
needs of the entire country.
---------------------------------------------------------------------------
\5\ House of Representatives Committee on Homeland Security,
hearing entitled ``Finding 500,000: Addressing America's Cyber
Workforce Gap'' (June 26, 2024), available at https://
homeland.house.gov/hearing/finding-500000-addressing-americas-cyber-
workforce-gap/.
---------------------------------------------------------------------------
As discussed in your previous hearings on the cyber workforce, we
need skills at all levels--entry-level, mid-level (who either already
have cyber skills or are good candidates for reskilling) and senior
professionals willing to bring their years of expertise into the
Government. I want to call particular attention to the age demographics
in the Federal cyber workforce. The percentage of Federal cyber workers
under age 30 is just under 8 percent, while those age 50 and over
represent 48 percent of the Federal cyber workforce.\6\ My
recommendations today will offer ways to improve the talent pipeline at
all levels, with particular attention to developing the pipeline of
future leaders as so many current cyber employees approach retirement.
---------------------------------------------------------------------------
\6\ Analysis based on Office of Personnel Management's FedScope
data as of March 2024.
---------------------------------------------------------------------------
The committee is well familiar with these challenges and the many
studies on the cyber workforce. Notably, the Government Accountability
Office first designated information security as a Government-wide High-
Risk area in 1997 and subsequently expanded it to include the
cybersecurity of critical infrastructure and the privacy of personally
identifiable information. GAO then identified strategic human capital
management within the Federal Government as a high-risk area in
2001.\7\ In a 2024 High-Risk update, GAO identified the need to address
cybersecurity workforce management challenges as 1 of 10 critical
cybersecurity action areas.\8\
---------------------------------------------------------------------------
\7\ Government Accountability Office, ``High-Risk Series: An
Update'' (Jan 1, 2001), available at https://www.gao.gov/products/gao-
01-263.
\8\ Government Accountability Office, ``High-Risk Series: Urgent
Action Needed to Address Critical Cybersecurity Challenges'' (June
2024), available at https://www.gao.gov/assets/gao-24-107231.pdf.
---------------------------------------------------------------------------
In its most recent report on the cybersecurity workforce, GAO
reviewed the cybersecurity workforce planning efforts of 5 Federal
agencies.\9\ GAO found that the Department of Homeland Security had
fully implemented most practices that are central to effectively
managing the cybersecurity workforce. These practices included (1)
setting the strategic direction for the workforce, (2) conducting
workforce analyses, (3) developing workforce action plans, (4)
implementing and monitoring workforce planning, and (5) evaluating and
revising these efforts. The other agencies reviewed, however, were not
as consistent in their implementation. Importantly, efforts to
destabilize the broader Federal workforce will put these hard-earned
gains and strategic planning efforts at risk.
---------------------------------------------------------------------------
\9\ Government Accountability Office, ``Cybersecurity Workforce:
Departments Need to Fully Implement Key Practices'' (Jan. 2025),
available at https://www.gao.gov/assets/gao-25-106795.pdf.
---------------------------------------------------------------------------
Agencies struggling to implement effective cybersecurity workforce
practices identified several challenges they faced including:
Pay disparity between Federal agencies and the private
sector
Department budget limitations
Maintaining an adequate cybersecurity workforce
Recruiting well-qualified applicants
Time-to-hire cybersecurity personnel for vacant positions
High attrition due to cybersecurity employees choosing
different career paths.
This hearing today is a welcome opportunity to discuss how the
Federal Government addresses these challenges.
recommendations
The Partnership's recommendations on strengthening the Federal
cyber workforce largely mirror our broader recommendations for ensuring
that our Government has the capabilities and capacity to meet its
mission and more effectively deliver services to your constituents. Our
overall recommendations are reflected in the Partnership's Vision for a
Better Government, mentioned above, which highlights 5 priorities:
leadership, Federal hiring and retention, performance management, data
and technology, and constituent experience with Government services.
Much of the Federal Government's civil service legal framework
dates back decades--in the case of our pay and classification system,
over 75 years. The passage of the Civil Service Reform Act of 1978
marked the last broad overhaul of Government-wide laws governing
personnel management. Our overall framework for human capital is built
for a bygone age when a great bulk of the Federal workforce was
clerical, not for this day when highly-specialized skills such as
cybersecurity are critical for protecting the health and safety of the
people our Government serves.
To its credit, Congress--and this committee in particular--has
worked on a bipartisan basis over the years to provide programs and
authorities to bolster our Nation's cybersecurity defenses and attract
cyber talent into Government.
Here are ways Congress can build on those efforts:
Maintain nonpartisanship as a bedrock principle of the civil
service.--Throughout our nearly 25-year history, the Partnership has
highlighted the need for updating the ways that the Government should
manage its workforce, to align with the modern economy. Our 2014
report, Building the Enterprise: A New Civil Service Framework,\10\ is
just as relevant today as when we issued the report over a decade ago.
The report includes recommendations for modernizing the Federal pay
system to attract top talent, streamlining the process through which
agencies deal with poor performers, and strengthening the Senior
Executive Service--all recommendations aimed at increasing the
accountability of civil servants. As I have said many times in the
past, good Government starts with good people, and our Nation is
fortunate to count some of the brightest, most dedicated professionals
among its ranks. But too often they succeed in spite of the current
system, not because of it.
---------------------------------------------------------------------------
\10\ Partnership for Public Service, ``Building the Enterprise: A
New Civil Service Framework'' (April 10, 2024), available at https://
ourpublicservice.org/publications/building-the-enter- prise/.
---------------------------------------------------------------------------
At the same time, the Partnership has staunchly defended the
nonpartisan nature of our civil service. Recent Executive actions take
us farther from, not closer to, a civil service system that prizes
merit, expertise, and professionalism free from political interference.
A civil service staffed by people chosen for their political loyalty
rather than their skill will result in a Government less capable of
serving the public and more likely to become a tool for retribution and
actions counter to democratic principles. A more political Government
is not a better Government for the American people, and it does not
help make our country safer.
We welcome a conversation on improving the effectiveness of the
civil service framework. Politicizing the workforce and freezing
budgets, though, will be extremely damaging to the Federal Government's
current capacity to address our national security needs and to recruit
and retain talent to fill critical skills gaps, including in the area
of cybersecurity.
Create high expectations for leaders within Government.--Good
leaders create the conditions necessary for employees to perform at
their best. In 2019, the Partnership developed the Public Service
Leadership Model,\11\ recognizing the unique nature of leadership in
Government, centered on stewardship of public trust and commitment to
public good. We believe this model should be the standard for all
leaders across the Federal Government.
---------------------------------------------------------------------------
\11\ Available at https://ourpublicservice.org/public-service-
leadership-institute/public-service-leadership-model/.
---------------------------------------------------------------------------
Federal leaders--both political and career--should be held
accountable for the organizational health of the organizations they
helm, including the workforce.--Congress should hold leaders
responsible for recruiting and retaining highly-qualified talent,
developing future leaders, engaging employees, and holding subordinate
managers accountable for addressing performance. The Partnership
recommends Congress require political appointees to have transparent
performance plans to drive this accountability at the highest levels of
leadership.
Congress also should urge agency leaders to use the annual Federal
Employee Viewpoint Survey and the Partnership's Best Places to Work in
the Federal Government� rankings \12\ to drive better results in their
agencies. Employee engagement is not just about happy employees. Higher
scores in employee engagement equate to better performance and higher
quality service, which in turn become valuable recruiting and retention
tools and help agencies better serve the public.
---------------------------------------------------------------------------
\12\ Available at https://ourpublicservice.org/performance-
measures/best-places-to-work-in-the-federal-government/.
---------------------------------------------------------------------------
Undertake a comprehensive analysis of existing tools.--Congress and
the Office of Personnel Management have created a number of tools to
better position the Government to recruit, hire, train and retain the
cyber workforce. These include direct hire authorities, special cyber
personnel authorities at the Departments of Defense and Homeland
Security, a Federal cyber rotation program, the National Institute of
Standards and Technology's National Initiative for Cybersecurity
Education (NICE), and numerous agency programs such as the National
Security Agency's support for cyber clinics in various States and the
Department of Labor's country-wide cyber apprenticeship program.
Within the jurisdiction of this committee, of course, is the DHS
Cybersecurity Talent Management System (CTMS), authorized by Congress
in 2014 and envisioned as a forward-thinking model that would allow DHS
to be more flexible in hiring and managing its cyber workforce. The
program was not officially launched, though, until 2021, and as of the
date of your June 2024 hearing on the cyber workforce, only 189 hires
had been made at DHS under this new authority--a tiny fraction of the
DHS cyber workforce.
While reports such as the Office of the National Cyber Director's
National Cyber Workforce and Education Strategy have put out broad
visions for cyber talent,\13\ we still need a comprehensive review of
existing efforts to give Congress the information it needs to assess
the effectiveness and implementation of these different tools, assess
why some authorities (such as the DHS CTMS) have been challenging to
implement, and determine what adjustments might be warranted. We need a
concerted effort to not only assess the effectiveness of different
programs and authorities but also to know whether special flexibilities
for some agencies put other agencies at a disadvantage in recruiting
cyber talent. And undoubtedly there are many success stories that could
be replicated throughout the Government and with other levels of
Government and the private sector.
---------------------------------------------------------------------------
\13\ For a summary of the National Cyber Workforce and Education
Strategy, see Center for Security and Emerging Technologies,
``Highlights from the National Cyber Workforce and Education Strategy''
(Aug. 10, 2023).
---------------------------------------------------------------------------
For the Federal sector as a whole, this effort needs to be
undergirded by careful, regularly updated human resource planning to
know specifically which cyber skills and positions agencies and their
subcomponents need. Also, as agencies also look to scale the effective
use of AI and other emerging technologies, Congress and the White House
need to make sure these efforts are aligned with cybersecurity efforts.
Continue to promote innovative talent pipelines.--The commitment of
this committee to addressing the Government's cyber workforce needs, as
exhibited by this hearing today, has a profound impact on driving
priorities within agencies. Further actions the committee can take
include:
Focus on getting young people into Government. Members of
Congress routinely use their intern programs as a pipeline for
hiring, and Federal agencies should do the same. In addition to
leveraging and coordinating existing cyber-specific programs,
Congress on a Government-wide basis could make it easier for
agencies to hire young people, including by increasing the cap
on direct hire authority for students and recent graduates.
Congress should also authorize so-called conversion authority
for agencies to hire interns or fellows sponsored by third
parties, so that the Government can move quickly to hire high-
performing interns or fellows and not lose them to other job
offerors.
Promote ROTC-like opportunities to encourage young people to
enter public service--an idea shared by Chairman Green in his
bill in the last Congress, the Cyber PIVOTT Act.\14\
---------------------------------------------------------------------------
\14\ H.R. 9770, 118th Congress. The Partnership has long endorsed a
ROTC-like model as a pipeline for the whole Federal civil service.
---------------------------------------------------------------------------
Use your oversight capacity to ensure effective
implementation of the bipartisan Chance to Compete Act,\15\
passed into law late last year to ensure agencies are
identifying the skills they need, using technical assessments
to identify highly-qualified applicants, and removing barriers
such as degree requirements to open the door to technologists
with alternate qualifications, backgrounds, and experiences.
---------------------------------------------------------------------------
\15\ Pub. L. 118-188 (Dec. 23, 2024).
---------------------------------------------------------------------------
Promote public-private talent exchanges. Providing formal
opportunities for individuals from the private sector to
temporarily work in the public sector, and vice versa, is an
effective way to cross-fertilize knowledge across the sectors
and increase each sector's understanding of the other. Congress
should extend Government-wide the talent exchange authority
already authorized for the Department of Defense.\16\
---------------------------------------------------------------------------
\16\ Section 1104 of the National Defense Authorization Act for
Fiscal Year 2017, Pub. L. 114-328 (Dec. 23, 2016).
---------------------------------------------------------------------------
These types of strategies will better equip Federal agencies to
find and hire cyber talent across the country. This is important
because over 80 percent of the entire Federal workforce is outside the
D.C. area. Moreover, used smartly and with proper oversight, telework
and remote work are strategic business tools used by both the public
and private sectors to enhance an organization's ability to recruit and
retain top talent, increase productivity and reduce the real estate
footprint. Just over 64 percent of the Federal cyber workforce is
outside of D.C., Maryland, and Virginia.\17\
---------------------------------------------------------------------------
\17\ Analysis of FedScope data as of March 2024. We need to ensure
that our policies recognize this is a nationwide effort.
---------------------------------------------------------------------------
Elevate the human resource functions of agencies.--There are
outstanding and innovative H.R. professionals across the Government,
but there are also skills gaps in their offices. They are often
overwhelmed by responsibilities and the complexities of Federal human
capital law. Often, H.R. specialists are not familiar with the
authorities they have available to them, and do not have the
technologies, data, and analytical skills that would better enable them
to recruit and hire while also engage in strategic workforce planning
for the future. Ways Congress could strengthen the H.R. function
include ensuring that agencies undertake strategic workforce planning
and that Chief Human Capital Officers have a voice in the strategic and
budget planning processes so that agency leaders will be informed of
the H.R. needs necessary to carry out their policies and programs.
Congress also should jump-start efforts to increase the skills and
professionalism of the Federal H.R. community by requiring OPM to re-
start technical training for H.R. specialists, conduct a review of
overall training needs and how those needs can be met, and fund IT
needs of the H.R. community.
conclusion
Federal agencies face frenetically-growing needs to protect our
Nation's cybersecurity as threats from external actors escalate. To do
so, we need the talent, skills, and capacity to meet these needs. This
calls for a Government-wide strategic human capital planning effort
coordinated between Congress and the White House to ensure agencies
have necessary authorities and resources.
As we enter a period where arbitrary moves to reduce the size of
the Federal workforce are occurring, there is an increased risk that we
lose the exact cyber talent we need. I commend the committee for its
continued focus on this critical issue and look forward to working with
you on reforms to hiring, performance management, leadership
development, and other improvements that will make our Federal
workforce systems modernized to meet the needs of the future.
Chairman Green. Thank you, Mr. Stier.
Members will be recognized by order of seniority for their
5 minutes of questioning. I want to remind everyone to please
keep their questioning to 5 minutes. An additional round of
questionings may be called after all Members have been
recognized.
I now recognize myself for 5 minutes of questioning. First,
I want to thank the witnesses for their support of the PIVOTT
Act. I do think, obviously, it is the right way to go about
solving this issue.
Having served in the military and seeing how the ROTC
program not only benefits the military but then serves the
Nation as those individuals get a college degree and expertise
and then they leave the force and go out and serve the country
working for companies in Government offices elsewhere, that
really I think whoever created that is a legacy for the Nation.
The GI Bill is an excellent example. Men and women came
home from military service and left the military and had a
degree paid for and then went on to serve the country.
So, thank you for all of you for your kind words about
that.
Obviously, this 500,000, and I have heard numbers ranging
from 500,000 to 700,000, so but it is a really big number. It
is our greatest cybersecurity threat without a doubt.
When we look at the issues that create the risk, this is
our No. 1 risk. If we don't have the right people in the right
place defending our networks, we are going to lose.
Let me ask really a question for all of the witnesses. How
has this cyber work force gap affected your organizations? If
we had a broader or more prepared work force how would that
impact your ability to do your job? So, how has the deficit hit
you and if we didn't have this deficit, how would that impact
you?
We will start with you, Dr. Russomanno.
Mr. Russomanno. Well, thank you, and I wish our chief
information officer were here to help answer your question. But
I do know that we have vulnerabilities within the university.
We have very sensitive data, student records, what have you and
so, yes, we do have vulnerabilities. Many of those
vulnerabilities are through, quite frankly, human behavior so
the training aspect is critically important.
A basic level of cybersecurity competency, regardless of
your position within an organization, is critically important.
A fundamental knowledge of cybersecurity for all, if you will,
in terms of basic competencies would go a long way in
mitigating a lot of the attacks we see today.
So, certainly within the university environment we're doing
all we can. I think universities by and large have fared fairly
well compared to the private sector in many instances, but
there are significant gaps to be addressed. We would benefit
directly from the Cyber PIVOTT Act.
Chairman Green. Let me ask Mr. Stier to, kind-of, comment
on that question. Then I am going to, because I only have a few
minutes, but if you could say where, you know, what is the
impact to, you know, not your organization but, you know,
businesses from your perspective?
Mr. Stier. Look, I think the impact is profound and we know
that there are breaches that are going on. There are national
security issues that are very hard to quantify in terms of the
harm we're talking about because we have enemies abroad who are
collecting information about our country and it puts us at risk
in the most fundamental way.
So, you know, look, the reality obviously is that we've
moved away from a world in which we do everything physically to
a world in which we do almost everything digitally and we
haven't kept up with that transformation of our world activity
with the work force that can manage that different threat.
I think the point that was just made earlier that it isn't
just the cyber work force, it's the entire work force that
needs to be sophisticated enough to be able to--and especially
the leaders.
I mean this is one of the things that we see in Government
writ large which is even if you have technical expertise, if
the leaders aren't sufficiently literate the reality is they
don't even know what they should be asking for or how to deploy
resources effectively. So, investing in leadership literacy in
cyber and other things, especially now AI, we think is
fundamental.
Chairman Green. Well, let me ask the other 2 witnesses that
are here. When it comes to recruiting people to come do cyber
training and be cyber, you know, experts, what is the biggest
hurdle to recruitment of those students who would then come or
employees who would then come and be trained on cyber?
Mr. Jones. Mr. Chairman, I would say for the electric co-
ops what we face primarily is the work force shortage and then
attracting with appropriate salary. Of course, we're talking
about a 900 cooperative network, a lot of rural areas that we
serve, so we have some natural limitations there relative to
someone wanting to come to certain places to work but certainly
the talent pool itself is the primary obstacle.
Chairman Green. Well, clearly with the limited supply the
price is going to be high.
Mr. Jones. Yes, sir.
Chairman Green. Mr. Rashotte.
Mr. Rashotte. I think being a cybersecurity vendor we're in
a different situation. The large majority of employees are
cybersecurity professionals within our company so our
competitive nature is a little bit different.
What we do see, though, is a lot of our customers and
partners are coming to us looking to us as a source for
recruitment and I think what they're starting to see now is
it's not just a recruitment issue but a retention issue. So,
they're not able to retain that talent through into their more
senior roles so at the top leadership roles there is starting
to become a significant gap because of the retention.
Chairman Green. Again, it all comes back to supply and
demand, doesn't it? Because that retention, that movement about
the industry is because there are all these openings out there
and people are paying more. So, thank you for that.
I yield to the Ranking Member for his 5 minutes of
questioning.
Mr. Thompson. Thank you, Mr. Chairman.
I thank our witnesses for your presentation. Clearly, we
accept the premise that we are short of people in this space.
The Chairman talked about 500,000. That is probably a good
number and the retention issue associated with it is a big
challenge also.
But, Mr. Stier, you raised some question on the Government
side that I think we need to drill down on. We have for the
last 2 weeks been under significant pressure as a Government
and our employees are being told that there is a hiring freeze,
you have got to go home.
I guess the question would be how does the impact on hiring
freezes have on the ability of Federal agencies to do their
job? I will do that first and then I will go to the other part.
Mr. Stier. Congressman, I think that the answer is very
clear. I read you the e-mail from the student in the cyber, you
know, scholarship program, CyberCorps scholarship program.
The reality, I mean, we all have organizations that we're
running. Our most important asset are our people and creating
environments that enable them to perform at their very best is
essential to our jobs as leaders in our organizations. When you
create an atmosphere, frankly, of fear, you're diminishing your
capacity to perform.
So, whatever else one might say, it's not the way to run an
organization. When we're talking about cybersecurity, which,
obviously, has such a fundamental national security and broad
impact on our society, is dangerous.
So whether it's the hiring freeze or some of the other
actions that are taking place, there's plenty of ways to
improve our Government. We need to actually engage in a massive
reform of our Government. The things we're seeing right now are
taking us the wrong way.
Mr. Thompson. Well, and I appreciate your comment. So, even
a temporary pause can be disruptive. Can you talk about that
temporary pause and delay as it relates to slowing the hiring
process?
Mr. Stier. Well, look, I think that the reality is many new
administrations coming in actually engage in some kind of
hiring freeze, so I think, to me, it's the broader picture that
we need to be looking at right now.
We already have a hiring system in the Federal Government
that is not just ridiculously slow, and that's a big problem,
but even more important is that it doesn't often identify the
best talent or really operate in a strategic fashion. So, you
don't actually have subject-matter experts owning the hiring
process. It's often the H.R. professionals who don't really
know what they should even be looking for.
So, there is a fundamental need to reform the hiring
process. When you do a hiring freeze you layer on top of what
is already not working well and a whole another set of
problems, not only with those people who are already in the
pipeline but, frankly, in your ability to attract people from
the outside who are looking at the hiring freeze and saying how
can I go there? There's no opportunity for me there.
So, it is enormously disruptive. We do need to think about
the brand of the Federal Government as a hiring employer and
that needs a lot of work because right now it is not presenting
itself in a way that is most attractive to the talent that we
need in our Government to serve us better.
Mr. Thompson. Thank you. Right now there is one individual
who is 19 years old working for DOGE who has access to all our
information, employee information. Can you just tell us how do
you protect in your own company employees' Social Security
numbers and other information?
We'll start with Dr. Russomanno.
Mr. Russomanno. Sure. What you've described is, you know,
one of the chief responsibilities of our chief information
officer. Of course, we have obligations around FERPA and
student records so I know that we do all we can to adopt the
latest technology to ensure the safety and security of our
student records.
Moreover, we do, as a research R1 university, we do a lot
of research, a lot of intellectual capital, intellectual
property and what have you. So, once again, our chief
information officer and our IT organization I think they do a
stellar job in terms of protecting our assets given a really
very lean organization, so we have been very fortunate, quite
frankly, that we have not had significant issues with respect
to breaches.
Mr. Thompson. Well, my time is up but I think you have made
my point is just anybody doesn't have access to that kind of
information. You have a defined process that is closed and that
is it. That is how you protect your employees as well as your
organization.
Thank you. I yield back.
Chairman Green. The gentleman yields.
I now recognize the Chairman emeritus of the committee, my
friend from Texas, Mr. McCaul.
Mr. McCaul. Well, thank you. Thank you, Mr. Chairman, a
very important issue. I think STEM education, and I know this
is not in the jurisdiction of this committee, is also very
important.
In 2014, the Ranking Member and I introduced the CyberCorps
Scholarship for Service Program. Since that time we have had
$600 million in funding, 5,000 scholarships, and 3- to 4-year
work requirements.
First of all, Dr. Russomanno, I apologize, and Mr. Stier,
could you touch on the success of the program and what needs to
be done to enhance it?
In addition, how will the PIVOTT Act complement those
efforts?
Mr. Russomanno. Well, thank you, Congressman McCaul, for
that question. As I said in my opening remarks, I've had the
opportunity to be part of CyberCorps at 2 different
universities and have seen the impact on both universities
where urban-serving, drawing, you know, serving students from a
variety of backgrounds.
One of the real strengths of CyberCorps is the internship
component, the career fairs. The national career fairs in the
District of Columbia are a wonderful opportunity for students
to network to learn more about the various Federal agencies
where cybersecurity is, of course, a very important aspect. So
that internship opportunity has really been important.
Now, in terms of improving that, I think more distribution
of those types of affairs across the Nation would be critically
important. If you look at urban-serving universities, many
times students may be reluctant to leave their immediate
geographic area.
There could be family dependencies and so on on that first-
generation student, so I think having opportunities distributed
throughout the Nation, many of those jobs are concentrated in
the D.C. area, I believe that would be a great opportunity and
maybe working additionally with the private sector with regard
to incentives to provide further distribution and penetration
across the United States. We heard about rural-serving areas as
well.
So, I think that could be an opportunity to further
penetrate the great benefits of CyberCorps across our Nation.
Mr. McCaul. Mr. Stier.
Mr. Stier. Well, first of all, thank you for creating the
program. It's done a lot of good. Thank you for looking to how
to make it better because we're, obviously, are going to do
that always.
My thought would be to really think about career pathing. I
think one of the real challenges is you may get entry talent
coming in but how do you retain them?
Can you create something that may be an add-on to the
program that provides a private-sector placement so that
they're getting both the private-sector and the public-sector
experience with the expectation that they'll take that private-
sector experience and return to the Government as a way of
again bringing best practice from the private sector into the
Government?
We need to see more of that flow back and forth as I
mentioned earlier and I think if you think of this as a longer-
term pathway that will be very important.
Then the last thing I would say to your last point, I think
the PIVOTT Act is an improvement. We need to scale. We're
talking about such a huge problem. If we don't scale, you know,
it's a good thing but it's not meeting the need.
Mr. McCaul. Yes. I think marking up and passing the PIVOTT
Act will, I think, complement the success of the CyberCorps
program.
The role of the guard, you know, this is my guardsman. It
is at Camp Mabry in Austin. You know, they have tech jobs in
the daytime and they are weekend warriors in the Cyber Command,
you know, on the weekends. I see that as a great enhancement to
our both Federal work force, but also with the State as well.
My Governor just created a Texas Cyber Command in San
Antonio where the Air Force has its Cyber Command, and I see
that Federal-State partnership really enhancing that. I think
it is very helpful when the States get engaged in this and not
just relying on the Federal Government. Do you have any
thoughts on that?
Mr. Russomanno. Well, I would say once again, CyberCorps
and the PIVOTT Act with that service component is a great
model. The question is how do other entities adopt that model?
Certainly I think there's ample opportunity at the State
and local levels to look at how the CyberCorps project has been
successful and in turn then adopt those best practices in their
local areas, as well as the private sector.
Mr. McCaul. I think, Mr. Russomanno, you mentioned the role
of veterans, too. I mean, they have a skill set that they may
not be aware that the private sector or State or Federal
Service could, you know, enhance their careers beyond the
military. I think that is an area we need to enhance and look
at as well.
Then finally on the exemption issue, I just wanted to close
by saying that it is my understanding that CISA and the DoD are
exempted from the Executive Order. So, for your student who may
be worried about this, that is good for them to know also the
national security and public safety exemption to the Executive
Order as well.
With that I yield back.
Chairman Green. The gentleman yields.
I now recognize Mr. Correa----
Mr. Correa. Mr. Chairman----
Chairman Green [continuing]. For his 5 minutes of
questioning. Good to see you.
Mr. Correa. Thank you very much. May I respectfully have 10
minutes?
Chairman Green. Well, you know how I do this so ask your
question----
Mr. Correa. Seven minutes, you have got a deal. Thank you,
Mr. Chairman.
I want to thank our witnesses for being here today. This is
the most important issue that we have dealt with in Homeland
Security for a number of years now. We all read about those big
hacking situations, Colonial Pipeline. What we don't read about
are those victims, big and small, that actually pay the ransom
and continue to remain quiet.
We also don't read about folks back home on Main Street, my
Main Street, small businesses getting hacked, losing
information, not paying the ransom, and getting hit hard, No.
1, by those people that hacked them and then No. 2 with a
lawsuit. The loss in economic value is high.
Gentlemen, all of you had some great information here today
and my question would be as follows. We are losing personnel.
It is hard to recruit individuals to go into the sector, not
only because it's STEM but because of the pay. The private
sector will always pay more than the public sector.
Yet I look at Government, the FBI, the CIA, and other
Government agencies that are active in this area in critical
ways. How do they compete with the private sector? How do they
recruit to get people to go into those jobs?
I think we have had this discussion in this committee as
well. I think at the end of the day these young men and women
that join the ranks of the public sector are really patriots.
They want to do it because they love this country. They want to
do it because they want to do the right thing.
Right now we pick up the newspapers, we have an FBI hiring
freeze. We have a hunt for FBI agents that were involved in the
January 6th investigation. These men were following orders.
These individuals, men and women, were doing what they thought
was right for this country.
So, I am looking at somebody in college who is maybe
looking at going into the FBI for a career, what are they
saying? What is the motivation here?
Just as I was walking over here, I picked up a report that
says CIA Offers Buyouts to Workforce, similar to those proposed
to other Government agencies, except for those that are in
sensitive areas.
Well, the rookies coming into the CIA like FBI got to learn
the business. Cyber is one of those that you don't walk in and
say, aha, I got it. I got a 4-year degree or a 2-year technical
degree. You have to be there for a number of years.
So, I want going to ask each one of you very quickly how
does this hurt our country's recruitment when you have across
the board Federal agencies asking their workers to actually
resign or take early buyout offers?
Mr. Russomanno. I only have a minute-and-a-half so if you
could be brief?
Mr. Russomanno. Thank you, Congressman Correa. I would say,
you know, our focus really is on providing opportunities for
students and, you know, respect for----
Mr. Correa. OK, got you.
Mr. Jones, how about you?
Mr. Jones. Congressman, I would say that when I think about
electric co-ops and the opportunities we provide I would say
that there's virtue in service and that is an attractor that we
have.
When we have people that come to work for us maybe they're
not making the most money, but the virtue of----
Mr. Correa. Do you have a steady job?
Mr. Jones. Yes, sir.
Mr. Correa. You know what you are doing for the public, for
the community, and that is what it is about. So, if you get a
buyout offer saying you have got to leave, how does that affect
your recruiting?
Mr. Jones. Well, it certainly would impact, sir, but as far
as all the particulars and the----
Mr. Correa. Mr. Rashotte.
Mr. Rashotte. I think you're right in that the majority of
people that are in cybersecurity roles are doing it because
they love it. Creating an environment for those people to
thrive and providing them as much education as we can through
free education----
Mr. Correa. And uncertainty causes what?
Mr. Stier.
Mr. Stier. Of course it hurts. That's an obvious
proposition. I think that it's important to focus on that this
is a purpose-driven work force. It is what enables you to
recruit people even if you're not going to make as much money.
We do need to change the pay scale. It's worth noting as
well that a third of Federal employees are veterans and it's
because they care. They serve their country in their uniform
and they want to serve their country as civil servants.
Mr. Correa. Thank you, Mr. Chairman. I'm out of time.
Chairman Green. The gentleman yields.
I now recognize the former Chairman of the Border
Subcommittee, the gentleman from Louisiana, Mr. Higgins, for 5
minutes of questioning.
Mr. Higgins. Thank you, Mr. Chairman.
In the last Congress I posed a question to this committee.
We discussed the nature of the work force is what we are here
to talk about today.
The historical comparisons of work force participation is a
concerning trend, but perhaps offers us an opportunity as it
relates to the cyber realm and our work force requirements to
address emerging threats to our country and how can we draw
upon the available work force?
We discussed how to prepare and recruit America's cyber
work force and I remarked upon a documented phenomenon of
America's so-called disconnected generation. Just a few stats,
the current labor force participation rate among Gen Z, ages 20
to 24, is 71 percent. That's roughly 4 percent lower than the
millennial generation and 6 percentage points lower than the
preceding generation when they were in the same age range.
This is to me, my perspective is this is a sweet spot that
perhaps in our work force we should focus on and specifically,
according to a recent study among Gen Z, a staggering 73
percent of those young Americans report feeling constantly
alone.
As it relates to the to the disconnect from the labor
force, perhaps there are several factors that contribute to
that, but let's talk about the conceptual nature of this field,
the cyber field.
The cyber battlefield is vast but unseen and the call to
man our cyber defenses, while critical, it lands differently
than, say, a call to serve in uniform or on the front lines in
the traditionally historical perspective like public or
military service.
So, how do we bridge this gap and how do we access this
vast work force that is available of young Americans that are
not engaged? I would like to submit for the record, Mr.
Chairman, a Rand Corporation report entitled, ``How to analyze
the cyber threat from drones.'' I seek unanimous consent to
offer it, Mr. Chairman.
Chairman Green. Without objection.*
---------------------------------------------------------------------------
* The document has been retained in committee files and can also be
found at https://www.rand.org/content/dam/rand/pubs/research_reports/
RR2900/RR2972/RAND_RR29- 72.pdf.
---------------------------------------------------------------------------
Mr. Higgins. Thank you.
This report touches on the things we are discussing and how
we can connect our relevant fields, gentlemen, to this work
force. I ask you, Mr. Russomanno and Mr. Rashotte, how are you
adjusting your particular intersections with the cyber realm to
make cybersecurity attractive to this generation that is
available?
Mr. Russomanno.
Mr. Russomanno. Thank you, Congressman Higgins, for that
question. With respect to Gen Z, I think it's very important to
message early on and glad to hear about these early K through
12 initiatives is how vast the cybersecurity field is. Many
times folks think about computer science, engineering, these
disciplines that have tremendous prerequisite chains, a
mathematical foundation, a basic science foundation. Those are
wonderful programs.
Our Nation needs those programs to advance the state-of-
the-art, but there's ample opportunities to apply the state-of-
the-art and I don't believe we're articulating those
opportunities broadly enough to Gen Z.
So, at the University of Memphis, for example, we have the
Polytechnic Initiative that's really looking at expanding our
cybersecurity degree portfolio to better align with community
college and other training programs.
Mr. Higgins. Are you seeing an engagement from these young
Americans where they appear there is some heightened awareness
of the cybersecurity field and they are attracted to that? Are
we recruiting these young Americans through that program?
Mr. Russomanno. I believe so. The real challenge is for
these students to see themselves in these careers because
oftentimes they may think of the barrier in terms of the
mathematical preparation, basic sciences preparation. So really
that focus on that applied practice, which I think the PIVOTT
bill in particular is addressing to expand the work force
through community college and technical school opportunities.
Mr. Higgins. Thank you. My time has expired but, Mr.
Chairman, could Mr. Rashotte briefly respond to the same
question how is he----
Chairman Green. Absolutely.
Mr. Higgins [continuing]. How is he helping the work force
see their way into the cybersecurity realm?
Mr. Rashotte. I think the public-private partnerships are
critical and from a roles perspective I think cybersecurity
roles can sometimes be quite nebulous. So, someone going into
education in a cybersecurity career what does that career look
like? What is the actual role?
So, we're taking a lot of emphasis around working with
organizations to try to define those roles. What is a SECOPS
analyst, for example? Working with organizations like NIST with
the nice career paths and trying to map it. We've actually
mapped our entire catalog of cybersecurity training courses to
the nice pathways to try to make that more well-defined.
We're also working with hundreds of academic institutions
to integrate our enterprise certifications into academic
programs to make it more relevant and more hands-on.
Mr. Higgins. Thank you, sir.
Thank you, Mr. Chairman, for the indulgence. I yield.
Chairman Green. Absolutely. The gentleman yields.
I now recognize the doctor, Congressman Thanedar from
Michigan for his 5 minutes of questioning.
Mr. Thanedar. Thank you, Chairman Dr. Green and Ranking
Member Thompson. Thank you for having this hearing.
I thank the witnesses to be here and appreciate their
expertise and comments.
Look, in the first week in office, President Trump
illegally fired 17 inspectors general, the independent
watchdogs responsible for providing critical oversight of
Federal agencies. We know that the administration is scared of
anyone tracking what they are doing and this effort is just one
part of their effort to avoid any accountability.
IGs play a critical role in routing out waste, fraud, and
abuse and help protect employee whistleblowers and purging them
reflects a hope in the Trump administration that nobody will
check their abuse of power.
Mr. Stier, why are independent inspector general so
important, and what will be the impact of this most recent
purge?
Mr. Stier. So, the inspector generals are, I think, a
innovation in our governance in our system that came out in
1978 with the response to some of the choices that were made by
President Nixon that looked to exceed his Presidential
authority. Congress acted to create the IGs as a way of making
sure that there was eyes and ears inside agencies to address
waste, fraud, and abuse issues, as you've described.
I'm going to try to bring this back to the cyber issue if
you don't mind? I would just say that, you know, one of the
issues that they have focused on has been this question of
cybersecurity in agencies. I think it's important in terms of
the system that we're talking about here that IGs, while they
are political appointees, they're nonpartisan political
appointees.
They're intended to extend beyond a single term or
administration because the intent is to make sure that you have
somebody who has the expertise and, you know, frankly, the
independence to ensure that you all in Congress are getting the
information that you need to be able to do the oversight that
is required, as well as the agency leadership as well.
So, it is disturbing to see wholesale firings of IGs. It's
actually something that I think will diminish the capacity of
our Government to perform well and for you to do your jobs
well.
Mr. Thanedar. Thank you so much. I want to change the focus
a little bit. I want to look at this shortage of technology
people. I mean, we currently are under threat for cyber
attacks. Many of our agencies, many of our organizations are
under attack.
While we are talking about long-range plans in terms of
academic training and 4-year college programs, weekend
programs, but this needs to be a two-pronged approach. What are
we going to do today now to protect our institutions and then
what are we going to do in the future to be able to recruit the
people that we need?
Now, I ran small technology businesses. Hiring technical
skilled people is always a challenge, and we are always
competing internally, not only in the private sector. So, we
need to be--what kind of employer Federal Government is and
what recent changes that have been done in terms of the cuts.
Was that due to the morale of existing employees, Federal
employees, and those who want to be into the Federal Government
because of patriotic reasons, because of their love for this
country?
What are we doing to attract people and are we a good
employer? Are we also looking at the anti-immigrant bias? With
the current administration there are a lot of cybersecurity
personnel trained outside of United States and what are we
doing to make sure that we are able to hire them and attract
them and compete while Canada and Australia and others are also
competing for the same talent?
Any thoughts? Maybe, Dr. Russomanno, if you can comment on
that?
Mr. Russomanno. Sure. No, your point is well-taken in terms
of the here and now. You know, some of the things that we're
really focusing on is reaching down to the high schools, you
know, creating dual enrollment curricula to provide not only
the competencies around cybersecurity, but exposure to the
career to get excitement, right, to help build that pipeline in
the high schools and developing that talent that can then
hopefully matriculate to the academic programs, whether they're
at their community college, technical school, or a 4-year
institution.
So, really developing that, that comprehensive pipeline
that's not a bumpy road but a smooth road with roadside
assistance. That's what we're focused on.
Mr. Thanedar. Thank you so much.
Thank you, Chairman, for this extra 38 seconds.
Chairman Green. The gentleman yields.
I now recognize the gentleman from Texas, Mr. Luttrell, for
his 5 minutes of questioning.
Mr. Luttrell. Thank you, Mr. Chairman.
Mr. Rashotte, you said that you are across the continental
United States so I come from a very rural district and there is
an appetite and they are very hungry for everything, if you
will. Can you come out and give an educational course in my K
through 12 schools? K through 12 is in one building. Is that
something do I reach out to your organization? How does that
work?
Mr. Rashotte. Yes, thanks for the question. Absolutely.
We've made our entire curriculum, our entire catalog of
cybersecurity training available on multiple modes so that we
can address these types of challenges.
We've actually hired a team of K to 12 educators within
Fortinet to develop K to 12 education for teachers.
Mr. Luttrell. We just onload the software and----
Mr. Rashotte. Absolutely.
Mr. Luttrell. OK. That is beautiful. The bad part about it
is I have been up here for 2 years and some change and I didn't
even know you guys existed. Therein lies the problem because we
have chatted about we want to recruit out of the military,
which I think is a fabulous idea.
Mr. Jones, you're out in the rural areas. A lot of folks
don't want to live out in the country like we do. If we offer
these job opportunities and we talk about pay and when we--
which is a challenge. It always is.
But the hard part about bringing experience and expertise
into the military, the private sector going to come in and
snatch them and pay them 3 times as much as we can Federally.
So there is the problems, one of the very many problem sets, if
you will.
Mr. Stier, you laid it out. Job well-done. I love the way
you laid everything out because we need to hear that here. You
all are the subject-matter experts.
My first question is there is no portal. There is no
enclave of information where the mass, either whether it is in
the universities, and Mr. Russomanno, you and I spoke about
that.
I have a university in my district that is eagerly trying
to put together an academic profile or a degree plan for
cybersecurity so those folks downstream, whether it is at the
Federal or private, have or can communicate with the
universities like, hey, here is where we are in 2025. This is
the expectation that we have and this is where we need our men
and women to be once they graduate and they will take it from
there.
That is where I need traction. I need you all, however this
is going to work. So, my question is is there an existing
department, whether or not it's CISA or Federal and if it's DoD
and CISA together, where can something live that universities,
private sector can go, as well as lower academics can go and
converge these 2 problems?
Mr. Russomanno, have you got some for me there?
Mr. Russomanno. Yes. I mean, I would, you know, a lot of
our experience is working with the National Science Foundation.
That for me it comes to mind as a facilitator to bring together
institutions toward shared goals.
For example, we'd love to partner and work with, you know,
universities in your district. We're working on a national
model. We welcome other partner institutions.
Mr. Luttrell. Is it actually that easy for me to tell
Willis High School to reach out to the National Science
Academies and say, hey, look, there you go?
Mr. Russomanno. Well, I think it starts with partnerships
among like-minded institutions, I mean, working together and
then influencing potential calls for proposals from the
National Science Foundation to address your goals, as one
approach.
Mr. Luttrell. Is it--OK. But, you know, I hate to--
sometimes doing a lot of work is something that a lot of people
don't want to do. I am trying to ease the movement, if you
will.
Mr. Rashotte, you got anything on that for me? Like, what
specifically in your opinion can, like, if when we have CISA in
here I was, like, all right, hey, here is your role and
responsibility. You are to reach out to every single K through
12 school in the continental United States and see where they
are in the cyber space or whomever.
Mr. Rashotte. I mean, it's something that we've done a lot
of work with at the State level with different--where we have
our K to 12 program operating in 43 different States now and
that has primarily been an effort through State and local
government. But it has been quite successful and I think we can
continue pushing that.
Mr. Luttrell. OK. I will ask this because I am going to
reach out to every single one of you, just if you will, I don't
care if you throw it at the wall or put it on a white board.
In the military we had mission success and we worked our
way back to the starting line and how do we get there? What is
the most streamlined process? Who we taking and where are our
contingency plans at?
That is something that we thrive on in here because
inevitably it is going to come up to either legislation or
dollar bills. Again, you guys are the subject-matter experts so
I appreciate that communication.
Yes, sir, Mr. Jones.
Mr. Jones. Well, Congressman, I would say reach out to your
local electric cooperatives and let us be a facilitator and
part of that process. We want to be drivers with that regard.
We have a national association that can help be a facilitator,
and I'm happy to be a bridge to you as well. So, feel free to
reach out to me.
Mr. Luttrell. Thank you.
Mr. Chairman, I yield back, sir. Thank you.
Chairman Green. The gentleman yields.
I now recognize the Ranking Member on the Cyber
Subcommittee. You are still in that role, right?
Mr. Swalwell. Yes. Yes, I am.
Chairman Green. OK, excellent. I am glad to see you staying
there. We are going to come to your community. I think we are
going to do a field hearing.
Mr. Swalwell. That would be great.
Chairman Green. Yes, in the Palo Alto area----
Mr. Swalwell. On cyber work?
Chairman Green. On cyber, yes. So, I recognize the
gentleman from California for his 5 minutes of questioning.
Mr. Swalwell. Great. Thank you, Chairman.
This committee was stood up to address threats to the
homeland after September 11, something my colleague to the
right knows a lot about being here since its inception. Today,
I just want to briefly address the question as to whether we
are safe today as a country because what I am seeing from this
administration is that we are taking our eye off the ball.
We had a terrorist attack in New Orleans to start the year.
ISIS, al-Qaeda, other terrorist organizations want to hit us
and hit us hard. We've got the Super Bowl this weekend back in
New Orleans. We have the World Cup in 2026, and we have the
Olympics in 2028 in the United States. There are a lot of prime
national security targets.
However, what we are seeing are actions from this
administration that do not make us safe. The most basic job of
Government is for people to feel safe.
So, when President Trump releases 1,600 violent criminals
into our communities, people who brutally attacked police
officers, we should not be surprised that they are already
committing crimes.
One of them just last week in Indiana was pulled over by a
police officer and shocking. Didn't want to obey that officer's
orders, fought the cop, tried to use his own gun on the cop,
and thankfully the cop shot and took that individual down.
Others are committing acts of child pornography who have
already been released.
So, are we safe when 1,600 violent individuals are released
into the community? No, we are not safe.
President Trump is seeking to fire thousands of FBI agents
and has already fired many senior officials. Why? Because these
individuals happened to work on cases that he was involved with
where he was accused of stealing national security secrets and
leading a coup against his own Government.
These Federal agents keep their head down and they go where
they are assigned. It is not a fantasy football draft. They
don't get to pick the cases that they work on. They just do
their job and they follow the evidence.
But what happens when you take thousands of FBI agents out
of the Hoover building? They don't work on terrorism. They
don't work on child trafficking. They don't work on public
corruption. They don't work on violent crimes.
So, are we safe when we take thousands of cops off the beat
to protect us from terrorism? No, we are not safe.
The President is seeking to force resignations at the
Central Intelligence Agency. These are the best spies in the
world who have spent years developing foreign languages, are
assigned all over the world, have taken years to train to get
necessary experience, and they will be taken off the beat to
find the threats that face us as a country.
Are we safe when they are not on their watch? No, we are
not safe.
As we speak, Elon Musk, who no one elected, no one asked
for, is at the Department of Treasury with a cyber gang with
access to every American's tax returns and personal identifying
information. So speaking of cyber vulnerabilities, are we safe
when unvetted individuals have access to your most precious
data, information about your employer, your health care, your
Social Security number? No, we are not safe.
Our job is to make the American people safer and, Mr.
Stier, if we gut and take off the beat the individuals who are
supposed to work at CISA and monitor international cyber
attacks against our local businesses, does that make us more
able to respond to a cyber attack and protect Americans data or
less able?
Mr. Stier. Congressman, as we've covered it already, work
forces are not improved in terms of their capacity to do their
job if they are in crisis. We have a Federal work force that is
in crisis right now.
On the issue of cyber issues, it puts us certainly at
greater risk, both with respect to the specific cyber talent
and more generally the work force at large. So, easy answer is
this is not enabling our Government to do its job in the way
that the civil servants who are there would like to do it.
Mr. Swalwell. I am all for getting rid of waste, fraud, and
abuse. I support any efforts to do that. But when it comes to
national security, you better be pretty damn careful about
where we make cuts because my promise to you is we will be hit
if we take our eye off the ball.
I yield back.
Chairman Green. The gentleman yields.
I now recognize the Chairman of our Terrorism
Counterterrorism Task Force Subcommittee, the gentleman from
Texas, Mr. Pfluger.
Mr. Pfluger. Thank you, Mr. Chairman, and thank you for
having this hearing. I think that is a great point. We have
been hit over the last 4 years. We have seen gaps in our
security.
We have been vulnerable, and I think you holding this
hearing today is an acknowledgement of a new direction that we
are going. We are going to make sure, damn sure, that we are
protected.
So, I thank our witnesses and our panelists and I want to
start--listen, I represent Angelo State University. I have
mentioned this in this hearing room many times. Dr. Russomanno,
I will start with you.
What lessons, and Angelo State is a center of academic
excellence in cyber defense, what lessons should Angelo State
be learning and what programs should they be trying to seek to
help with the shortage of cyber professionals that we have,
especially those that come from places like rural Texas that
want to be a part of our security and defense? Give us some of
the lessons you have learned and those that I can share with an
institution like that.
Mr. Russomanno. You know, I think the key is expanding the
portfolio of training with respect to cybersecurity readiness.
Once again, many folks think of just computer science and
engineering as those pathways, but there's others.
With respect to the national security threats that have
been voiced, I know Gen Z students they want to make a
difference, right? They are looking for meaningful work. That
wasn't necessarily the motivation of an 18-year-old in my
generation, but Gen Z wants to make a difference.
So, a call to this national security threat is something
that Gen Z could rise to, and I will point out the ISC2 study
from last year pointed out that our cybersecurity growth is
flat year-over-year last year. So, as the threat is increasing
our work force growth is flat.
We have to broaden the academic programs and training
programs available to our students and articulate the urgency
and the opportunity for Gen Z to make a difference in this
challenge our Nation faces.
Mr. Pfluger. Are those training programs adequately suited
to address the threat, to meet the threat, or is it Volt,
Typhoon, and some of these things that we have seen recently? I
mean, are they outpacing what we are learning or is it adequate
right now?
Mr. Russomanno. We need more investment and applying the
state-of-the-art to our cybersecurity threats. I think the
Cyber PIVOTT Act is addressing broadening that work force,
focused on applying the state-of-the-art.
Mr. Pfluger. Thank you.
Mr. Jones, I'll go to you and I have 2 questions for you.
No. 1, talk about internships and, kind-of, pick up where Dr.
Russomanno left off. What do those internships look like? What
is most beneficial? How do we take a center of excellence, a
student that comes from rural west Texas and put that
individual into a proper internship?
Mr. Jones. Yes, Congressman, thank you. So opportunity,
obviously, for someone to come in and learn about
cybersecurity, about the techniques that we have in place, but
also to learn about an electric co-op, you know, that we're,
you know, for a place like you're describing a good place to
work with a virtuous mission.
So, there's a good exchange there and we hope to raise the
profile of what electric co-ops do in internship programs like
that.
Mr. Pfluger. Well, that is where I was going with the
second part of the question is how worried are our
cooperatives, which service communities like mine in many, many
cases? How worried are we that that piece of critical
infrastructure is vulnerable to an attack that would shut down
the lights?
Mr. Jones. Well, Congressman, I would relate it this way,
if I may? So, electric co-op managers we have a universal and
always have had a universal item that keeps us at night and
that's the safety of our team members.
We have a dangerous profession, but we have an accompanying
worry that keeps us up at night now and it's certainly
cybersecurity, so this weighs heavy, I can assure you, on every
electric co-op manager across this country.
So, we're taking it seriously. We're working together.
We're collaborating. We appreciate this opportunity to
collaborate with the Federal Government. We want to be the best
partner we can be, but yes, it is top of mind for all of us.
Mr. Pfluger. Thank you.
We have got 45 seconds left. I will leave the time to the
additional or the other two witnesses. What keeps you up at
night? How will the PIVOTT Act help with those threats? You
have got about 20 seconds each.
Mr. Rashotte. I think I'd like to emphasize again this idea
of broadening our scope of cybersecurity training and the roles
and so on where today I think we typically focus on training
people that just have cybersecurity in their job role or in
their job title where I think it's a broader focus than that.
We need to make sure that people coming out of business
schools understand cyber threats. We need to understand that
people coming out of law school understand risk mitigation and
so on.
From a physical cybersecurity perspective we don't just
train people that have security in their job title, and I think
we need to take the same approach here and really broaden our
view of who needs that cybersecurity knowledge.
Mr. Pfluger. My time is expired. I am sorry. If you would
like to enter something for the record please do so.
I yield back.
Chairman Green. The gentleman yields.
I now recognize the gentlelady from Illinois Mrs. Ramirez
for her 5 minutes of questioning.
Mrs. Ramirez. Thank you, Chairman.
Well, let's be serious. We are here talking about preparing
the pipeline. The title of this hearing is laughable. How do we
prepare the pipeline or examine the state of America's cyber
work force when unelected, unaccountable, President Musk and
Trump are asking over half of the Federal work force to resign
and issuing Executive Orders freezing hiring and funding for
Federal agencies? How do you prepare the pipeline?
Under a Musk and Trump Presidency it is clear that the
security of Americans' information is not a priority. I mean,
let's think about this.
A private civilian with no security clearance bullied his
way into the Treasury. He set up private servers and stole
sensitive information from an agency. Let me repeat that
because I think some of my colleagues on the other side need to
hear it again. A private civilian with no security clearance
bullied his way into Treasury, set up private servers and stole
sensitive information from the agency.
Folks, if that isn't a national security crisis, a
cybersecurity crisis, I don't know what is. The true threat to
our homeland security is felon Musk, Trump, and their blatant
misuse of power to steal information and coerce employees to
leave agencies.
The billionaire boss and his puppet, I am going to let you
all decide which is which, are on a mission of privatization
for their own profit. Well, my mission and I think the mission
of a number of members here, is to protect the people.
With that, I want to really turn on to questions, and look.
One challenge the Federal Government has when it comes to cyber
work force recruitment and retention is competing with the
private sector.
We know the Government is not going to be able to pay as
much as tech companies like Google or CrowdStrike pay, but the
Federal Government has relied on offering a strong benefit
package that also includes retirement benefits. That is how you
recruit. It helps recruit and retain workers.
Now, Republicans are proposing to cut Federal employee
benefits to pay for tax cuts for the richest man in the world
and Trump's other billionaire bosses. I worry this will make it
even harder for us to recruit and prepare a pipeline and keep
cybersecurity professionals.
So, Mr. Stier, how have Federal employee benefits played an
important part in recruiting and retaining employees? Let me
give you the second part of that question. How could cuts to
retirement benefits harm efforts to attract new cybersecurity
workers and keep the cyber defenders we currently have? Mr.
Stier.
Mr. Stier. Sure. So, I think returning to why is it that
people come into Government more broadly it's because of
mission more than anything else, but mission alone, people
don't work only for mission alone so compensation is clearly
quite important.
I noted earlier that the pay system we have today across
the Government is based on a 1949 law. It was based on this
notion of everyone could be paid the same at the similar level
of work. In a world in which you have different occupations
like cyber that's foolishness.
So, you know, the answer No. 1 is what should be done is
modernize the Federal pay system so that you actually have some
market sensitivity by occupation, which is something we largely
don't have.
With the cyber work force we have different systems at DoD,
DHS, but there's been no analysis about what is the right
system and why should that system be applied to a single agency
rather against the entire cyber work force?
So, if you want to address how you recruit and retain on
the compensation side a better cyber work force, modernize the
pay system, treat it as a unified work force across the entire
Government so you don't have agencies competing against each
other and you will create better return for the American
taxpayer and a safer country.
Mrs. Ramirez. Thank you, Mr. Stier.
So, let me follow up on that. Upon taking office, Trump
resurrected Schedule F, his attempt to bring back the Gilded
Age spoil system and hire Federal workers based on partisan
loyalties rather than qualifications and merits.
This policy could lead to mass firings of qualified
cybersecurity policy experts across the Federal Government and
would dangerously politicize civil service.
So, Mr. Stier, the last question I have here, in 20
seconds, why is a nonpartisan civil service so important? How
does politicizing the Federal work force undermine national
security?
Mr. Stier. We have a history in our country where we had
the spoil system before in the 19th Century. You wound up with
corruption and incompetence. You see that globally whenever you
have a system move away from merit with respect to the civil
service.
You see poorer performance in the Government and you see
corruption. So, it is not the right way to move. We do need to
reform our Government. That's not the reform we need.
Just a point of order, and I normally don't do this, it's
Stier, just to let everybody know so we can maybe going forward
do it----
Mrs. Ramirez. Thank you, Mr. Stier. I take that very
personally and the Chairman----
Mr. Stier. Yes, I'm sure.
Mrs. Ramirez [continuing]. Knows too, so I apologize for
that.
Mr. Stier. No problem, not at all.
Mrs. Ramirez. Thank you.
With that, I yield back.
Chairman Green. The gentlelady yields.
I now recognize the gentleman from Arizona, one of our
border States, Mr. Eli Crane for his 5 minutes of questioning.
Mr. Crane. Thank you, Mr. Chairman. I appreciate the
opportunity to be here today and talk with some subject-matter
experts about the pipeline of our cyber force and how we are
going to compete with some of the threats as we see some of our
adversaries increasing cyber attacks on the country.
I just came from an oversight committee and now I am back
here and it is really the same nonsense going on in there. I
just want to say to Elon Musk, wow, man, you are really
effective because these guys are completely melting down. You
must be doing something right.
I think we might need to request some of your funds to get
these guys maybe some pallets of tissues, some safe spaces,
maybe a couple therapy dogs, because they are absolutely
melting down. So, good job, Elon.
Now, I want to cover something that Mr. Swalwell said a
couple seconds ago. Mr. Swalwell talks about--he talked about
the responsibilities to protect the American people because
this President pardoned the J6 prisoners, many who had been in
prison for several years.
It is just funny because I didn't hear that same concern
from Mr. Swalwell or many of the Democrats on this committee
when then President Biden was allowing hundreds of thousands of
illegal aliens, many of whom were criminals, rapists, and
murderers and terrorists coming into this country on a monthly
basis. So, my point being is if you want to protect Americans
you can't just do it when it is politically advantageous.
I want to start with you, Dr. Russomanno. As the executive
vice president of academic affairs at Memphis and the former
dean of engineering at Purdue University, I am sure you were
well-versed on developing the cyber work force. My question is
how is the University of Memphis utilizing programs like
CyberCorps Scholarship for Service programs to build out the
pipeline of the Federal cyber warriors?
Mr. Russomanno. Thank you, Congressman Crane, for your
question. I think it's important to remind everyone what
CyberCorps is all about and how it impacts students.
One is covering tuition. Another is providing a stipend
that enables students not to have to work while they're
pursuing their degree. Another is an opportunity to build
social capital through networking, through internship fairs and
other opportunities to learn more about the Federal Government
and a way they can make an impact through cybersecurity.
This is a tremendous enabler, if you will. We've talked
about how do we get more of our youth involved in
cybersecurity? Certainly helping them through their daily
living is a fundamental way so they can focus on their studies
to help our Nation.
Mr. Crane. Thank you.
Next question for Mr. Rashotte. According to the U.S.-China
Economic and Security Review Commission, the cybersecurity
school at the Wuhan-based National Cybersecurity Center, plan
to build 4 to 6 cybersecurity schools by 2027.
The CCP has devoted significant resources to building their
cyber force and while the exact number of cyber warriors isn't
available, it is safe to estimate that if the CCP issued a
directive it could bring a significant cyber force to bear
against the United States, especially given that according to
U.S. Cyber Command there are only 6,200 personnel across 133
teams working on cyber threats in CISA and DHS was roughly
3,100 employees.
My question is how can academia, private industry, and the
Federal Government partner together to ensure our cyber work
force pipeline is able to keep pace with the number of cyber
warriors our adversaries can churn out?
Mr. Rashotte. Thank you for the question. I think that the
partnerships between industry and academia are critical and our
approach has been to break down every barrier we can in terms
of access to training and education.
We've done that at Fortinet by making our entire catalog of
training available free to anyone who needs that training, and
we've challenged others to do the same.
Mr. Crane. Thank you.
My next question is for you, Mr. Jones. How important is it
to utilize American resources within our power grid so that our
adversaries aren't getting a foothold in our critical
infrastructure, similar to Volt Typhoon hack? I was recently
watching the Shawn Ryan show. The topic was we are in an
invisible war with Erik Bethel.
My question is, and I am paraphrasing from the show, how
can companies who have a fiduciary responsibility to their
investors to gain and seek profit balance that financial
responsibility with other factors like patriotism?
Mr. Jones. Well, I think that the electric cooperatives in
our country have a rich history of patriotism, Congressman, so
I think we do take that seriously. You know, the virtues of our
mission service, making sure that we are doing our part to
provide reliable power for now almost 50 million Americans, and
that's always held the line for us.
Mr. Crane. Thank you.
Mr. Chairman, can I enter this into the record? I know
there has been some discussion here about layoffs and buyouts.
This is an article, ``CISA among DHS offices exempted from
taking OPM's deferred buyout offer''.
Chairman Green. Without objection, so ordered.
[The information follows:]
Article From NextGov/FCW Submitted by Hon. Elijah Crane
cisa among dhs offices exempt from taking opm's deferred buyout offer
By David Dimolfetta//January 31, 2025
President Trump's DHS chief said she wants to scale back
the cybersecurity agency's size and mission scope.
At least two offices in the Department of Homeland Security were
told Thursday that they are not allowed to take a deferred buyout offer
from the Office of Personnel Management that was sent to the Federal
workforce earlier this week, arguing that their positions are vital for
national security purposes.
Those bureaus include the Cybersecurity and Infrastructure Security
Agency, as well as Customs and Border Protection, according to multiple
people familiar with the matter and email notifications obtained by
Nextgov/FCW.
The exemptions are not a total surprise. The Trump administration's
deferred resignation offer email sent to Federal workers earlier this
week said the proposal is available to all government employees except
``military personnel of the armed forces, employees of the U.S. Postal
Service, those in positions related to immigration enforcement and
national security, and those in any other positions specifically
excluded by your employing agency.''
Bridget Bean, who's serving as acting director of CISA, told the
cyber agency's employees in an email that ``per guidance from DHS
Management, CISA employees are not permitted to participate in the
Deferred Resignation program.''
Email correspondence to CBP employees sent Thursday showed the
exempted positions are ``considered national security.'' It adds that
relevant staff should ``be aware that no further processing actions
will be completed for a deferred resignation on your behalf'' if they
previously accepted the proposal. It was sent by Acting Commissioner
Pete Flores and Acting Deputy Commissioner John Modlin.
Nextgov/FCW has reached out to DHS spokespeople for comment.
The offer for feds to continue to be paid until Sept. 30--provided
they resign by Feb. 6--was emailed to every Federal worker Tuesday
evening, seemingly via a new email server installed at OPM in recent
days that gave the Trump White House the capability to reach some 2.3
million Federal civilian employees. On Thursday, OPM sent a follow-up
email with a list of Q&A notes encouraging employees to take the offer.
The exemption notices demonstrate how agencies and their leaders
are taking different approaches to the severance program. But CISA
being among them is notable because the Trump administration has vowed
to reduce the size and scope of the cyber agency.
CISA has historically enjoyed bipartisan support from members
aligned on the notion that cybersecurity is a national security concern
and shouldn't be mired in politicization. But some Republican claims
that the agency's misinformation efforts have targeted conservative
voices in the past 2 years, as well as a second election win for Trump,
are setting the agency on a course for potentially far-reaching
reevaluation.
DHS Secretary Kristi Noem recently said the cyber agency needs to
be smaller and more nimble, and that it should cease its work on
calling out misinformation and disinformation that propagates across
social platforms. Trump has not yet nominated leadership for CISA.
The Cyber Safety Review Board--a DHS investigatory body stood up
through a Biden-era cybersecurity executive order to probe major
cybersecurity incidents--was cleared out of at least its non-government
members early last week as part of a DHS-wide push to cut costs under
the Trump administration.
Nextgov/FCW Staff Correspondent Alexandra Kelley contributed to this
report.
Mr. Crane. Thank you. I yield back.
Chairman Green. The gentleman yields.
I now recognize the gentlelady from New Jersey, Ms. McIver
for her--oh, wait. Are you--I didn't see this. I didn't see.
Mr. Magaziner snuck in on me so if we will defer is it OK?
I will recognize Mr. Magaziner for his 5 minutes of
questioning, and my apologies.
Mr. Magaziner. Thank you, Chairman. We are here today
because we all care about cybersecurity, or at least I thought
we all did. Last week, Donald Trump's Office of Management and
Budget illegally cut off funding for grants across the Federal
Government, including grants for cybersecurity.
This is a memo that was sent from the Department of
Homeland Security to States that outline DHS grants that were
being cut off for review, including but not limited to the
Cybersecurity Education and Training Grant, cut off; the CISA
Cybersecurity Awareness Grant, cut off; the Cyber Tip Line, cut
off; State and local cybersecurity grant, cut off pending
review per OMB instructions. Review for what?
Is cybersecurity too woke, too green? It was only after an
enormous public outrage and a Federal court order that the
Trump administration pulled back that OMB memo. During those
days when this funding was frozen, China was continuing to put
thousands of people a day in cyber warfare against the United
States, to say nothing of Russia and Iran and criminal gangs.
But that is not all. The Federal funding hiring freeze is
impacting cybersecurity jobs all across the Federal Government,
and I want people to hear this. There are Federal cybersecurity
jobs, not just at CISA or DoD, but in every agency.
So cybersecurity jobs at the U.S. Treasury, hiring freeze,
cybersecurity jobs at HHS, which manages Medicare, Social
Security, CMS, cut off. Critical agencies are impacted by this
hiring freeze.
We heard a letter earlier from Mr. Stier from a CyberCorps
participant whose job in the Federal Government, his
cybersecurity job, was rescinded due to Trump's hiring freeze,
which is still on-going. Agencies all across the Federal
Government are not able to make these crucial cybersecurity
hires across the board almost.
So to my Republican colleagues, if you care about
cybersecurity and I am serious about this, call the White
House. Call the White House right now and tell them to lift the
hiring freeze of cybersecurity roles across the Federal
Government, not just at CISA, not just at DoD, but at every
agency.
Let's address the elephant at the room. This weekend Elon
Musk sent a group of unvetted 20-year-olds to take over the
U.S. Treasury's payment system responsible for tax refunds,
Social Security checks, Medicare benefit payments, and more.
The Treasury's payment system has the names, Social Security
numbers, bank routing numbers, and tax information of every
American, medical information of millions of Medicare
recipients.
We have no idea who these children are that Elon Musk has
working for him who now have access to the private personal
data of every American. We don't know what permissions they
have. Can they just read the data? Can they edit it? Can they
initiate payments? Can they cut off payments at will? Can they
share your personal data with people outside the Federal
Government?
The one thing we know about this army of children that Elon
Musk has poring through your data is that not one of them has
been through a Federal FBI background check. Other than that,
we don't know very much.
Oh, by the way, we just learned through public reporting
that Elon Musk has put a private server in his office and has
downloaded every American's personal data into that private
server.
So, I invite any of our panelists, any of the 4 of you, to
defend this. Are any of you comfortable with Elon Musk and this
staff of untrained, unvetted, unelected, unconfirmed teenagers
having access to every American's personal data with no
transparency or oversight? Does anyone want to take a stab at
defending that?
Well, that silence I think gives us the answer that I was
expecting at least. Does any of our panelists think that the
Trump administration freezing hiring of cybersecurity roles in
agencies across the Federal Government help our national
security? Of course not.
So, listen, if we are going to have conversations about
cybersecurity I welcome it, but it needs to start with the
administration taking steps to protect the private data of
Americans, to lift the hiring freeze of cybersecurity
professionals, and to stop giving our adversaries win after win
after win in the cyber domain, as they have been over the last
2 weeks.
I will yield back.
Chairman Green. The gentleman yields.
I would like to--I don't normally do this and save my
comments on this one until the end, but 19-year-olds aren't
children. We have Medal of Honor winners who have fought and
died for this bleeping country who are 19-year-olds. So, if
you're 19 years old out there I don't consider you a child.
I now recognize Ms. Greene from Georgia for 5 minutes of
questioning.
Ms. Greene. Thank you, Mr. Chairman. Thank you for clearing
that up. There are 19-year-olds that are serving our country
and defending our Nation. We believe in merit. We believe in
people that can do the job.
That is why America elected Donald Trump this past election
and part of his campaign was DOGE and Elon Musk. They were on
the campaign trail together, as a matter of fact, the last 2
months of the campaign and America overwhelmingly voted for
this effort.
I'm so happy that we are talking about cybersecurity and
cyber professionals today.
Mr. Stier, in your testimony you talk about maintaining
nonpartisanship as a bedrock principle of civil service. You
wanted to talk about nonpartisanship meanwhile your $24 million
nonprofit dedicated to attracting talent for the Federal work
force and making the Government more effective is funded by
some of the most progressive benefactors. This includes the
Gates Foundation, the Democracy Fund, and the Ford Foundation.
It also hosts galas to honor people like Lisa Monaco and other
Biden officials.
A goal of your entire organization is essentially de facto
job placement to entrench more DEI hires into the Federal work
force, the opposite of nonpartisan, apolitical, merit-based
civil service.
Diversity, equity, and inclusion is a huge priority for the
partnership, as listed on your website. Listed on the website
is a framework to integrate the principles of diversity,
equity, and inclusion into the partnerships, programs,
initiatives, and strategies.
Since the nonprofit's main initiatives are helping people
apply for Federal roles in advancing career development in the
Federal work force, your nonprofit is aimed at infusing DEI, an
inherently partisan practice into the Federal work force.
I worry about this especially with regards to the
cybersecurity work force who needs high-quality, skill-based
positions such as those serving on DOGE. Cybersecurity is
extremely important. It shouldn't be about race. It shouldn't
be about sexuality. It shouldn't be about identity.
In your testimony you also expressed concerns that
President Trump's administration's recent actions and that they
will counter democratic principles, yet your unwritten goal of
entrenching more woke employees into the swamp is the opposite
of democratic principles.
The Trump administration's actions are the embodiment of
democratic principles. This is what the American people want.
This is what they voted for.
The American people overwhelmingly voted for President
Trump in a decisive landslide victory to reform how our
Government operates, most importantly, how the Federal work
force operates. The mission of your partnership is building a
better Government and stronger democracy. Building a stronger
democracy is allowing the will of the people to take effect,
not actively working to oppose it.
There have been multiple reports that you were in
communication with the officials at the Biden administration
prior to President Trump taking office. Is that true?
Mr. Stier. We run the Center for Presidential Transition so
we've helped the Trump campaign when they were trying to set up
their transition operation in 2016. We've helped every
administration get set up right, both Republican and
Democratic. Yes we've been in contact with the Biden
administration. We've had an open door to everybody.
If you would like to have the facts, I can provide those to
you but let me know because the reality is we do honor civil
servants not political appointees. The program that you
identified on Lisa Monaco, she was presenting an award as smart
political leaders should----
Ms. Greene. Thank you, Mr. Stier. I will reclaim my time.
Mr. Stier. But let me know when you ever want me to----
Ms. Greene. Thank you.
Mr. Stier [continuing]. The facts for----
Ms. Greene. Did you discuss any strategies for how to
prevent President Trump from firing Federal workers?
Mr. Stier. I'm sorry, in what context?
Ms. Greene. Did you discuss any strategies for how to
prevent President Trump from firing Federal workers?
Mr. Stier. In what context? I do not think that it's a good
idea to offer the entire work force non-strategically an
opportunity to resign and to press them to do so because you're
going to lose cybersecurity professionals that you don't want
to lose. If you want to have----
Ms. Greene. DEI? DEI professionals? Are you trying to stop
President Trump's administration from hiring----
Mr. Stier. We are not engaged----
Ms. Greene [continuing]. DEI employees that you placed in
the Federal Government?
Mr. Stier. We are not engaged in trying to stop anyone from
getting fired because that's not the role we play. What we do
say, though, is when civil servants--let me finish the answer.
Ms. Greene. Well, Mr. Stier----
Mr. Stier. Let me finish the answer.
Ms. Greene [continuing]. Let me ask you one last----
Mr. Stier. You asked me a question.
Ms. Greene. I have a few----
Mr. Stier. Excuse me, Mr. Chairman? If I'm asked a question
do I get to answer it?
Chairman Green. It is her time. She can claim it.
Mr. Stier. OK. Then go ahead and go ahead.
Ms. Greene. I would like to reclaim my time. Thank you, Mr.
Stier.
Mr. Stier. Thank you.
Ms. Greene. Does your organization receive taxpayer
dollars?
Mr. Stier. Do we receive taxpayer dollars?
Ms. Greene. Yes.
Mr. Stier. We provide services to the Government so we do
receive taxpayer dollars on the----
Ms. Greene. Right. I have $3.4 million right here from the
American taxpayers. They are not interested in DEI, Mr. Stier.
They are interested in qualified people.
Thank you----
Mr. Stier. And we provide qualified----
Ms. Greene [continuing]. Mr. Chairman. I yield back.
Chairman Green. The gentlelady yields. I now recognize Mrs.
Johnson or wait, Ms. McIver. I didn't get you before. Thank
you.
The gentlelady from New Jersey for 5 minutes of
questioning.
Ms. McIver. That is OK. Thank you, Mr. Chairman. Thank you,
Chairman, thank you Ranking Members, and thank you to the
witnesses for joining us today.
I was a little caught up in that last questioning trying to
bring myself back. So, as we face an evolving and increasingly
sophisticated cyber threat landscape, our Nation's security
relies on a robust, well-trained, and diverse cybersecurity
work force. Unfortunately, the recent decisions, as mentioned
multiple times here, including the harmful hiring freezes and
Federal grant interruptions under the Trump administration,
have weakened the critical pipeline needed to safeguard our
digital infrastructure.
Last time I checked the offering of folks to take a buyout
wasn't just offered to folks of diversity or women or disabled.
It was offered to all employees so it is not about just laying
off DEI or employees that are woke because everyone got this
offer to be able to take a buyout.
These policies have stalled critical recruitment efforts,
delayed hiring of qualified candidates, and created
vulnerabilities that will persist.
Adding to this damage are the extreme rollbacks in
diversity, equity, and inclusion initiatives which are crucial
for addressing the long-standing representation gaps in this
field. By limiting opportunities for women, people of color,
and unrepresented communities to enter and advance in
cybersecurity, we are missing out on a vast pool of talent.
With that being said, Mr. Stier, I would like to go back to
you and give you some time to address some of the things you
were talking about in the previous question, but more so to
talk about how in your opinion these specific hiring freezes
hinder the development and retention of cybersecurity expertise
across all of our Federal agencies?
What steps, in your opinion, can Congress take to reverse
or reduce the long-term impact, because there will be, of these
policies on our national security?
Mr. Stier. Well, look, as we've talked all along here and
as the committee both Republican and Democrat recognize, we're
in a hole and the world is getting more scary, not less. So,
the reality is we need to see more investment in the capacity
of our public sector to respond to the cyber challenges.
When you have hiring freezes that actually encompass the
cyber work force, of course that's going to diminish capacity
of the organization. That's a pure logical proposition.
The reality is that CISA is under a hiring freeze, even
though the offer of, you know, delayed or deferred resignation
is not being presented to them, so it is harming CISA but more
importantly it's harming every organization inside the Federal
Government that needs cyber talent in order to protect vital
interests of our country.
So, this is an issue that is not just about the hiring
freeze. We have to be thinking about the morale more broadly of
the work force and that is not good. In terms of responding, I
just want to say that, you know, I'm invited to testify here.
I'm trying to offer the best information I possibly can to this
committee and, honestly, I'd like to be treated with respect. I
don't think I was.
Ms. McIver. Thank you. Thank you for that and I am sorry
that you were not able to experience that. I think as human
beings and as just grown-ups, what we are supposed to be, we
should be able to treat each other with respect and be
respectful and allow you the time. That is why I wanted to give
you time to talk about that----
Mr. Stier. I appreciate that.
Ms. McIver [continuing]. And I am thankful for your
organization and the work that they are doing and not, you
know--I know it is very hard being in this type of, you know,
situation and addressing some of the things where people want
you to be anti-people of color, anti-women, anti-, you know,
against people with disabilities.
But at the end of the day I commend you for everything that
you are doing and know that the day will be better after this
hearing.
So with that, I yield back my time. Thank you.
Chairman Green. The gentlelady yields.
I now recognize the Chairman of the Subcommittee on Cyber,
the gentleman from New York Mr. Garbarino.
Mr. Garbarino. Thank you, Mr. Chairman. Thank you very much
for having this hearing and very excited to support the PIVOTT
Act. I know you read a couple names off of the co-sponsors. I
guess we didn't put our paperwork in, but we are going to be
filing that right away so we are going to be----
Chairman Green. OK, be glad to have you on the bill.
Mr. Garbarino [continuing]. Co-sponsors so I am sorry we
didn't get that in soon enough. That was our fault.
But thank you all to the witnesses for being here.
Mr. Rashotte, shot, which one is it?
Mr. Rashotte. Rashotte.
Mr. Garbarino. Rashotte. Wonderful, thank you. I wanted to
focus. In your testimony you identified early educational
engagement is essential, not only to growing the cyber work
force but also making students and families aware that these
careers exist to begin with.
Last year I led a DHS Cybersecurity Internship Program Act
with Congresswoman Clark, and we were very proud of that bill.
How do you think we can look to improve outreach to draw
students and the public at large to these opportunities in
cybersecurity?
Mr. Rashotte. Yes, I think we need to start as young as we
possibly can. I know when we started our efforts in providing K
to 12 education and curriculum, we didn't think we'd be able to
start as young as we could. We had teachers coming to us and
say that we could provide cybersecurity awareness training at
kindergarten.
That really surprised us, but it's been incredibly
effective. So, I think there's a long game here where we really
have to focus at that young of an age so that truly when kids
are coming home and talking about becoming doctors, lawyers,
engineers they're also talking about becoming cybersecurity
superheroes.
Mr. Garbarino. So, when you talk about kindergarten, what,
kind-of, is happening at kindergarten to get students in it?
Mr. Rashotte. So, we're providing lesson plans to teachers
so that we're not adding additional lessons but we're taking
existing lessons that teachers are providing and adding
cybersecurity aspects into it, so basically helping kids
understand, you know, what might be a threat, just opening
their eyes.
Mr. Garbarino. Would it be helpful do you think if CISA
validated cybersecurity curricula for K through 12?
Mr. Rashotte. I think our main focus right now is
developing that curriculum by teachers for teachers and that's
been our approach at that level.
Mr. Garbarino. But does CISA have a role in helping develop
that curriculum?
Mr. Rashotte. I think there definitely could be a role for
sure, yes.
Mr. Garbarino. Do you know if currently under the
Department of Education. U.S. Department of Education if there
are any cybersecurity roles that they play in helping States to
develop curriculum for cybersecurity?
Mr. Rashotte. It's not an area that I've focused in. Our
partnerships from within my organization, the training
institute, have been more directly with the academic
institutions and their role.
Mr. Garbarino. OK. So, K through 12 is big but what about
expanding cyber education? What else can we do with expanding
cyber education after K through 12?
Mr. Rashotte. I think we can take programs that have
historically been focused at colleges and universities and
start to move those downstream into high schools and there
we're starting to see a lot of kids now coming out of high
school that are essentially self-taught and are going directly
into the work force.
I think if we take some of those programs that we've
traditionally focused at college and university, they can
definitely be applied at the high-school level and make sure
that those kids coming out and going directly into the work
force are even more prepared than what they are.
We're seeing some of these self-taught kids extremely
capable and qualified.
Mr. Garbarino. That is great. I mentioned that the
Chairman's PIVOTT Act and how that helps with the scholarships
and getting people into the work force but, you know, there are
a half a million open cybersecurity jobs at least now
nationwide.
What can we do to get people into there? Is there training
programs? Is there certification programs that people can start
now that they don't have to wait to do 2 years in college
because that is necessary, but is there something to get people
in the work force now?
Mr. Rashotte. Absolutely. Again, I think this is, we see
this again with kids coming out of high school directly into
the work force, a lot of self-training going on.
A lot of corporate entities, such as Fortinet, we're making
our training and certification freely available so that kids
either coming out of the degree program or coming directly out
of high school can access that training with minimal barriers
and in some cases no barriers at all.
Mr. Garbarino. Thank you very much.
Dr. Russomanno, you talked about in your testimony about
the challenges colleges face in aligning education and work
force needs. Coming from higher education, how can we promote
skills-based training and modernize degree programs to address
this gap?
Mr. Russomanno. Well, thank you for that question. You
know, as part of our Polytechnic Initiative at the University
of Memphis we also have benefit of having our own Independent
School district. We have a pre-K through 12 Independent School
district associated with the university.
So we're working very hard on expanding our dual enrollment
focusing on cybersecurity, applied AI, and advanced
manufacturing. There's a lot of technology that goes into
advanced manufacturing that many students are not aware of, you
know, the advanced robotics, the sensors, the cybersecurity,
the AI.
So trying to get that penetration into the high schools
through dual enrollment is part of a focus for us at the
Polytechnic Initiative at the University of Memphis. Hope to
partner with others.
Mr. Garbarino. Thank you, Chairman. I yield back.
Chairman Green. The gentleman yields.
I now recognize the gentleman from New York, our Nation's
one of our really our financial center, our greatest financial
center, obviously very concerned about cyber, Mr. Goldman for 5
minutes of questioning.
Mr. Goldman. Yes, Mr. Chairman, thank you very much. I
agree those in New York City and around the country are very
concerned about cyber.
We must be operating in la-la land here having a hearing on
``Preparing the Pipeline: Examining the State of America's
Cyber Work Force'' where we have 3 academics who have been
brought in by the majority to talk about the education and
training that we need for more cybersecurity employees, while
at the same time the President and his unelected billionaire
master are gutting every single Executive branch agency. What's
the point of having a pipeline with education if you are taking
away all of the jobs?
If you are sending unvetted teenagers with no security
clearance into our various Executive branch agencies, allowing
them to hack and slash into the Government payment systems, the
Government portals, the Government databases without any regard
to cybersecurity, putting them on private servers and quite
obviously to anyone whether you are an expert on cybersecurity
or not, you understand how that jeopardizes the security of
every single American's personal identification information.
It provides an opportunity for China, who just executed the
largest cybersecurity breach of the Federal Government ever a
couple months ago, to have access to private servers that are
so clearly easier to hack into.
We have no idea whether these people have security
clearances, whether they got their security clearances because
Donald Trump passed an Executive Order saying that he can just
bestow security clearances on anyone for 6 months. So maybe he
did that.
I mean, maybe it is the same thing as Kash Patel saying
that Donald Trump thought about declassifying Classified
information and therefore it is declassified and that is going
to be potentially the new FBI director who is going to oversee
counterintelligence and cybersecurity for the FBI.
This is the guy who supports the purges at the DOJ and the
FBI, who promised the purges at the FBI and DOJ, who lied
right, left, and center during his hearing, who has
circumvented normal protocol and practices when he was with the
National Security Council, when he was with the House
Intelligence Committee, when he was with the Department of
Defense, who every single former Trump administration official
has said is wholly unqualified and dangerous to be in that job,
and you want to talk about cybersecurity and recruiting more
people.
How about we not have heads of Executive branch agencies
who are jeopardizing our own cybersecurity, who are
jeopardizing our own security? How about having some degree of
protection over our personal identification information?
Who on earth would ever want to join the Federal Government
now? If you are associated with a prosecution that the
President of the United States does not like, you will be
fired. You will be fired.
What law enforcement system in a democracy allows or
supports the President of the United States to order the firing
of nonpartisan, highly-trained law enforcement officers simply
because they worked on a case that the President didn't like?
That is banana republic shit, and that does not belong in this
country.
What else doesn't belong in this Congress is this stupid
hearing where we are talking about educating a work force where
there is no demand for that work force anymore because Elon
Musk is destroying that work force.
It is like we are in la-la land, Mr. Chairman. You are
pretending as if reality is not happening down the street and
we need more education for cybersecurity. This is a joke.
I hope at least, Mr. Chairman, if you are going to have
hearings on cybersecurity----
Chairman Green. The gentleman's time has expired.
Mr. Goldman [continuing]. That you will at least----
Chairman Green. I now recognize Mr. Ogles for 5 minutes of
questioning.
Mr. Ogles. I want to thank you, Mr. Chairman.
Thank you to the witnesses, a couple of fellow Tennesseans
there.
Mr. Jones, you know, you represent Middle Tennessee
Electric, who actually services part of my district.
But before we get to that I do want to put you back on
something that you said, Mr. Chairman. One of our colleagues
said somewhat of a disparaging remark about 20-year-olds and so
as we look to bad actors, whether it is nation-states or
criminal activity, the development of applications such as
TikTok which have a back door, the capability of assimilating
data, new technologies such as DeepSeek, you know, we know that
there is a gap. We have half a million openings in the cyber
space that, by the way, that is the equivalent to our standing
United States Army currently.
So the future is 16-, 17-, 18-year-olds, the future work
force. When I say future work force I am just talking about a
year or 2 from now. The work force of today that we need to
engage are those 18-, 19-, and 20-year-olds, right? That is how
we fill this gap.
So to someone to have some disparaging remarks about an age
range that is literally critical to backfilling this need is
really naive and reckless, I would say, Mr. Chairman, but on
point.
Mr. Jones, again, and to all of you for being here. You
know, obviously recruitment is a problem. You have got the
urban versus rural competitiveness, right? You have got private
versus Government. But the reality of the space we are in is
that we have half a million jobs that need to be filled.
Mr. Jones, what can be done to better equip and, quite
frankly, leverage the work force of today as we fill the
pipeline with those 16-, 17- to 20-year-olds, Mr. Jones?
Mr. Jones. Congressman, thank you. So, you know, I'll point
to the PIVOTT Act first. Again, I think that's so fundamentally
important and we're appreciative of what is happening with
regard to that so that's an important part of it.
As far as the work with electric cooperatives, we are
really good at collaborating together and by extension we are
seeking to collaborate with educational institutions at the
local level. So, I think that's important, too.
We can provide, for example, mentorships for people, and
again, the challenge is not quite the same, as you are aware
for Middle Tennessee Electric as it may be for many other
electric co-ops in more rural areas with a few less economies
of scale. So, the challenge is different from place to place.
But I believe that our network, our association of
cooperatives stands ready to provide something like you're
describing to with regard to mentorships, but particularly with
regard to engagement with educational institutions in our
communities.
Mr. Ogles. Well, and I want to focus on that for just a
moment. You know, so your industry, your space there is
collaboration amongst the cooperatives. You are working to fill
your needs in your industry, I think, so the solution here, you
know, the scariest phrase in the English language was from
Reagan. He said that, ``I'm from the Government and I'm here to
help.''
So part of the solution is, obviously, what the Chairman is
bringing forward, the PIVOTT Act. It is industry working
together to work with those educational institutions. So as we
move forward it is us working together to identify the needs
and so this is economic in nature, right, for local
communities, for our greater national economy. Obviously, the
battlefield of the future is cyber.
So, you know, and otherwise benign industries or spaces
such as the electric cooperatives, such as hospital systems, we
see China and bad actors and nation-states wanting that
information, wanting to see if there is a capability to
weaponize that against the American people.
So to play games and to talk about nonsense while this is
an important topic that we have to have, as we see advances
from other countries and nations as they recognize the need for
this and to enhance capabilities, it is really frustrating but
I thank you for what you are doing in your space.
Mr. Jones, you touched on human behavior in your testimony.
So, you have a dynamic scenario where you have students that
can access your system, faculty, young and old, some of them
may not be quite as adept technologically speaking, part-time
employees. So how do you create access whilst having compliance
and security when you are looking at your systems? Of course,
that applies the best practices of the universities and
cooperatives, et cetera.
Mr. Russomanno. Yes, thank you for your question.
Mr. Ogles. Mr. Russomanno, it is for you.
Mr. Russomanno. Even though the CIO is really primarily
responsible for this area, I would say that we are doing a lot
with a variety of phishing drills and other internally
generated vulnerability scenarios to try to improve internally
the knowledge base of our faculty, our staff, and our students
to ensure this critically important data, whether it's student
data, research data, the comprehensive mission of the
university, that we're doing all we can internally with a
variety of mock drills to ensure we are employing best
practices.
Mr. Ogles. Yes, sir.
Mr. Chairman, I exceeded my time. I yield back and thank
you, sir.
Chairman Green. The gentleman yields.
I now finally get to recognize the gentlelady from Texas,
Mrs. Johnson. You are recognized for 5 minutes for questioning.
Mrs. Johnson. Thank you, Mr. Chairman. I just want to say
it's an honor to be on the committee.
We have a great panel. You are all very impressive in your
comments. What I am hearing from you is we are in a
cybersecurity crisis in this country and that we are in a
cybersecurity crisis because we have a work force that is
severely diminished.
We have lacked educational preparedness. We are lacking a
plan to recruit and develop the best and the brightest talent
from every corner, from black kids, brown kids, women, Asian
kids, diversity, equity, and inclusion. We need all the kids on
this fight, is that correct? All of them.
So one of the things that has not been discussed about
today that I am very concerned with, well, another point that
you have all highlighted is the need for a definite more robust
cyber education plan to reach into high schools, to reach into
colleges, to create internships.
We have CyberCorps, which is a great program, but it needs
to be enhanced but it is an educational program. So, I am very
concerned in light of the backdrop of what we have already seen
over the last 2 weeks of shuttering our Federal work force,
shuttering USAID, intimidating our law enforcement,
intimidating cyber enforcement personnel, but we haven't even
talked about what Trump plans to do with the Department of
Education.
The New York Times is reporting he is planning to shutter
it, too. So, I assume that you all agree with me that if the
Federal Government dismantles the Department of Education that
could have catastrophic implications to the security and the
safety of this country. Would any of you disagree with that?
You know, I think that is really important for the American
people to realize that this is not politics. This isn't
theater. This is the foundational premises of our security.
Mr. Jones, I want to ask you a question. I am a Texas
Democrat. I have a grid in our State that is messed up, that
has failed, and I lived through a situation where our grid
failed for 10 days and hundreds of people died and businesses
suffered mightily and people suffered mightily.
As a rural electric co-op you provide critical
infrastructure to millions of people in this country. You
provide power. Hopefully, you will provide broadband, but
opportunity, which I believe is a critical infrastructure as
well, but how devastating would it be to your co-ops for a
cyber attack to shut down your grid?
Mr. Jones. Well, it's something we think about a lot and I
recall, of course, the situation you're describing from 3
winters ago, I believe it was in Texas.
Mrs. Johnson. Correct.
Mr. Jones. Of course, that was many things went to that.
Not a cybersecurity incident but that wasn't your point. But I
mean, it's, you know, we want to keep the lights on. That's
what we're here for.
Our members depend on us and so this subject is so
important for us for that reason, so we're putting in place as
best we can resources, processes, technology, to make sure that
we are doing our part. But this is bigger than us and that's
why we're here, too. So, we welcome this conversation.
Mrs. Johnson. Right and I welcome this hearing, Mr.
Chairman. Mr. Chairman? Because I do think that cybersecurity
is one of the biggest vulnerabilities of our country and it is
the new frontier of security and threat.
It is really frightening and scary to many people out in
this country the fact that the Trump administration is doing
everything it can to undermine the confidence in the
cybersecurity work force that we have in this country by
dismissing employees, by shuttering and hiring freezes, by
dismissing the Department of Education, by doing all of the
things, by undermining the CIA, by undermining the FBI. To
prevent cyber crime in this country we are in a critical mass.
Mr. Stier, I want to go back and give you an opportunity on
DEI. We need everyone. DEI is about reaching kids who have not
been adequately reached in the past and giving them opportunity
to see the light. We need to do that, right?
Mr. Stier. There's no doubt that we need to pull from
talent where we can find it everywhere. I think really, quite
importantly, we need to create environments in any workplace
that enable people to do their best and that's how you get
better performance.
So, that is a basic proposition. We ought to be doing good
management in Government just like we should see good
management everywhere.
Mrs. Johnson. Thank you so much.
Mr. Chairman, I yield my time.
Chairman Green. The gentlewoman yields back.
I recognize the gentleman from Alabama, Mr. Strong for his
5 minutes of questioning.
Mr. Strong. Thank you, Mr. Chairman.
Mr. Russomanno, I recently introduced legislation, the
CyberCorps Enhancement Act, to extend the visiting CyberCorps
Scholarship for Service program's participation period from 3
to 5 years allowing local colleges and universities to continue
to produce highly-trained cybersecurity experts.
As you know, local colleges and universities, including the
University of Alabama in Huntsville, affectionately known as
UAH in my district, leverage these programs to recruit, retain,
and place highly-skilled cybersecurity experts with an average
ACT test score of a 28.5 where 80 percent of the graduates
remain locally after graduation.
In fact, UAH has the second-highest number of participants
and graduates in the program submitting north Alabama
leadership in cybersecurity education. This will pay dividends
for the FBI Cyber Threat Division that is locating in
Huntsville as we speak.
Mr. Russomanno, can you discuss the benefits of expanding
the participation period to enable students to pursue advanced
degrees?
Mr. Russomanno. Yes. Thank you for your question, and we've
enjoyed the opportunity to partner with UAH in the past.
Yes. This is a multi-prong opportunity for us. In any way
that we can offer opportunities to all students, and I
definitely agree with all students, and how we then commit
ourselves to a successful student outcome.
I think the expansion of eligibility in terms of number of
years, also the opportunity for the delayed service commitment
to provide an opportunity to either pursue a baccalaureate
degree or an advanced graduate degree, I think those aspects of
both the CyberCorps and potentially the PIVOTT Act are
critically important.
You know, many times students are looking not only for that
first job but a satisfying career progression that provides
opportunity for added responsibility. I think what you cited
provides an opportunity to do just that. Thank you.
Mr. Strong. Thank you. I also want to mention we have a
State-wide cyber high school located in the second-largest
research park in the United States in Huntsville, Alabama. It
is another level of starting this progression so that we can
bring more to colleges and universities.
As we have covered, the Chairman's Cyber PIVOTT Act and my
CyberCorps legislation, both aim to strengthen the
cybersecurity work force pipeline. How would these programs
complement each other to address the current cybersecurity
talent shortage?
Mr. Russomanno. Well, in my opening remarks I talked some
about some of the challenges around transfer matriculation, so
I think we have some opportunities to improve smooth pathways
for advancement.
So, if you look at technical schools, community colleges,
there are some challenges in getting the knowledge and skills
and abilities acquired through those programs to matriculate to
4-year universities. So, that's an opportunity for improvement
for us.
Mr. Strong. Thank you. In addition to this legislation what
more can we do to ensure we recruit and train future
generations of cybersecurity experts in the United States?
Mr. Russomanno. Once again, I think it's the partnerships
that have been talked about here today, a steadfast commitment
on partnerships between the public and the private sector. I
think we all ultimately have the same goal here, provide
opportunities for students that make an impact to improve the
safety and security of our Nation.
Mr. Strong. Thank you. I also wanted to touch on the pay
differences between cybersecurity professionals in Government
and the private sector. In your opinion, what more can we do to
recruit and incentivize the best of the best cybersecurity
professionals to stay in Government and to contribute to
protecting our Nation's security from adversaries and those who
look to harm America?
Mr. Russomanno. Once again, I think that opportunity for
pursuing continued education while a civil servant is
critically important, whether that's a Baccalaureate degree, a
Master's degree, even a Ph.D. Having those opportunities within
the Government, I think, would be very attractive in terms of
retention.
Mr. Strong. Thank you.
Mr. Jones, first, I want to commend you. I am very familiar
with your power system. We have evaluated Winchester in that
area and it had been very beneficial years ago when I was the
county commission chairman in Huntsville, Alabama.
The energy sector has been described as an enabling
function for all critical infrastructure sectors, making it one
of the most vital and one of the most targeted. Knowing this,
it is of no surprise that the energy sector was targeted by
Volt Typhoon.
Mr. Jones, given the increasing cyber threats to energy
infrastructure how can Federal work force initiatives better
support the utility industry in developing skilled
cybersecurity professionals? What role should public-private
partnerships play in that effort?
Mr. Jones. Congressman, thank you. So I think again the
PIVOTT Act and the virtues of that, deepening the talent pool.
We need, you know, more not fewer resources so I think that's
the essence of what I would suggest in the limited time. But
happy to be a partner with you.
Mr. Strong. Yes. I want to thank each of the witnesses for
being here.
Chairman Green, I yield back.
Chairman Green. The gentleman yields.
I now recognize Mr. Hernandez, is that right----
Mr. Hernandez. Yes.
Chairman Green [continuing]. For 5 minutes, the gentleman
from Puerto Rico.
Mr. Hernandez. Thank you, Mr. Chairman. When we talk about
DEI we tend to focus on an ideological or a partisan
perspective, but I am more concerned about the practical
consequences that anti-DEI policies can have on U.S. citizens
on the U.S. mainland and on what concerns me the most, which is
Puerto Rico, the Commonwealth of Puerto Rico, which I represent
here in Congress.
Puerto Rico has officially 2 languages but in practice we
all speak Spanish in our everyday lives. Unfortunately, in my
opinion, a significant majority of Puerto Ricans do not speak
English even in among Government employees, which brings me to
the following.
We have a history of cyber attacks in the island against
the Puerto Rico government where we have had the collaboration
of the U.S. Federal Government in addressing these cyber
attacks. In light of the anti-DEI agenda, Mr. Stier, how do you
see the impact of this agenda in Puerto Rico given that the
Government operates predominantly in Spanish?
Mr. Stier. I'm sorry but I don't think I can really speak
directly to the impact on Puerto Rico with any expertise. I
will----
Mr. Hernandez. Then sorry, I will broaden the question.
Having a diverse Federal work force helps the Federal
Government collaborate. Let's assume diverse means Spanish-
speaking or familiar with Hispanic cultures. It will enable
them to work more effectively with a Spanish-speaking
government official.
Do you see that having any potential consequences in
cybersecurity efforts and partnerships?
Mr. Stier. As we covered earlier, I do think that it's
fundamental to draw best-in-class talent from all communities
and that requires investment to make sure that that can happen.
We've heard this in terms of rural areas versus urban areas.
This is true across the board.
So, we do have an incredible gap that we're trying to
close. It's getting larger not smaller in my view, so we need
to work harder. I think fundamental to that will be intense
efforts to get talent from everywhere.
So, to that extent, and the back half, too, is create
environments that enable people to provide their best no matter
who they are. That's part of the responsibility of good leaders
and good culture.
Mr. Hernandez. Would you agree that beyond any ideological
or partisan concern it can just be simply practical to have a
diverse work force?
Mr. Stier. One hundred percent. Look, I think that this is
the focus that I'm trying to stay on is the practicality here.
There's a lot to be done. It has huge consequence and ensuring
that you have, you know, best-in-class talent from everywhere,
and again, environments that enable your people to perform no
matter who they are, that is just, you know, good management
and in the Federal context effective use of taxpayer dollars.
Mr. Hernandez. Well, thank you.
I yield the remainder of my time.
Chairman Green. The gentleman yields.
I now recognize the gentlelady from South Carolina, Mrs.
Biggs, for 5 minutes of questioning.
Mrs. Biggs. Thank you, Chairman Green, for holding this
important hearing today.
Thank you to all of our witnesses for your testimonies.
I believe that while cybersecurity vulnerabilities affect
all communities, unique challenges faced by South Carolina's
Third District and similar rural communities around the country
make us particularly vulnerable and disproportionately impacted
by cyber attacks.
So, I have heard from electric co-ops and wastewater system
operators as recent as yesterday in my office and other utility
providers that serve hundreds of thousands of my constituents.
It is evident that a key component of these challenges is the
limited availability of a local, readily-accessible
professional cybersecurity work force.
Providers in rural areas, like in my district, Greenwood
Newberry, Abbeville, Oconee, and McCormick, they frequently
lack the funding necessary to implement robust cybersecurity
infrastructure and training. Furthermore, they struggle to
attract and to retain qualified cybersecurity professionals who
are often drawn to larger urban centers with more lucrative
opportunities.
So with this combination of limited resources and a
shortage of skilled personnel, it leaves our rural communities
particularly vulnerable to malicious actors seeking to exploit
their digital weakness.
So because of the heightened vulnerability of rural
communities and critical infrastructure sectors to cyber
attacks, I find the Cyber PIVOTT Act's emphasis on placing
cybersecurity interns in these areas particularly compelling.
So, this focus addresses a critical need bridging the
cybersecurity skills gap where it is most acutely felt.
As a proud original co-sponsor of this legislation, I
believe that the strategic placement of these individuals
represents a promising approach to strengthening our Nation's
cybersecurity resilience, particularly in the areas that need
it most.
So, in addressing Mr. Jones, from your perspective what
critical hands-on skills can entry-level talent learn from
interning with a utility company like those in your co-op?
The second question I would like to tag on to that is in
return how can interns provide value to your work force?
Mr. Jones. Well, Congresswoman, thank you for the question.
You have summarized a lot of our concerns very well.
So, yes, so internship opportunities I think the skills
that they could glean would be real-world and technical
certainly, but something that speaks to your second question I
should say in addition to that, is that we tend to be able to
when we expose people to what an electric co-op is and the
virtues of service, you know, again, we're good jobs in rural
areas.
If we expose them to what we do, we are able to show them
about who we are and we can often win people, especially
younger people who want purpose in what they do because we have
an incredible purpose as part of our organization.
So, I think that those internship programs will provide
well-rounded opportunities for them that allow us to expose,
you know, who we are. You know, and we've done this for a long
time. When you think about classically what a co-op student is,
it's you think of an engineering student that comes to the
utility and learns more about engineering, is mentored.
The same thing can happen with this and through the PIVOTT
Act, I believe, and so we're excited about that.
Mrs. Biggs. So, have you found that keeping those
individuals--what would be your perspective on that, retaining
good quality?
Mr. Jones. So in terms of trying to retain those
individuals, again, I think that there's something to be said
for the virtue of our mission and purpose but, you know,
understanding what the market is demanding from the standpoint
of salary and benefits, you know, we have to do our best to get
those right. That's the challenge that we have.
So, we look to any suggestions that others have in that
regard, but it's something that we're working very hard to do.
Again, we collaborate so well within the cooperative community.
These are conversations we're having routinely. Today at MTE
we're having a meeting with a number of TVA electric
cooperatives and municipal systems talking about this very
issue, too, so it's something we're serious about.
But it's a bigger issue than we are, so we're happy to have
conversations and get advice from others.
Mrs. Biggs. Thank you so much.
My time is up so I yield back.
Chairman Green. The gentlelady yields.
I now recognize the gentleman from Texas, Mr. Turner.
Appreciate you, and fire away 5 minutes.
Mr. Turner. Thank you, Mr. Chairman. I think we can all
agree, regardless of whether we are Democrats or Republicans,
that the cybersecurity threats are increasing, that we are in a
major crisis that we need to address. I think we can all agree
on that.
I will tell you that over the last few days I have gotten a
number of calls from people in Houston and the former mayor of
Houston, concerned about the payment system. You have got
Social Security information, medical information, tax
information.
Will you agree with me that when you are sending this
information from various sources that it is important to have
the right checks in place to make sure that you don't make us
more vulnerable to these cyber attacks? Is that important, a
consideration that you take in place?
So that is what I am hearing from people.
As we talk about cybersecurity and we are talking about it
today, they know it is getting worse, and they are concerned
who has my information and, Congressman Turner, is it secure? I
am having a hard time explaining that to them.
Another point that I want to ask, it is important, would
you agree, that we train the existing work force within the
Federal Government throughout the entire Federal system? That
is important. I do think it is important to do everything we
can to make sure that that training occurs.
But Mr. Russomanno, you made a comment that said young
people need to see themselves in these fields. Then Mr.
Rashotte, you said we need to break down the barriers of
training and we have been 500,000 people short in this area in
the United States. Would you agreed that we need to be very
intentional in recruiting, training, and bringing people into
this space?
It shouldn't be where, for example, you mentioned K through
12, colleges and universities, community colleges, technical
schools, but that also includes Historically Black Colleges and
Universities as well in terms of reaching out to them and
bringing them into this space. Would you agree?
I think you all also agree that you could be black, white,
or brown. You could be from urban America or rural America.
Your qualifications are not diminished by who you look like or
geographically where you come from but rather I would argue the
entire conversation of protecting us in the future is
strengthened when we have people coming from all sectors of
America. Any disagreement on that?
So, when people argue that if you are diverse, I am an
African American, and I go through the training, I go to your
schools, I am educated and I am prepared and if I am in this
space it doesn't mean that I am incompetent. It doesn't mean
that I am unqualified.
Quite frankly, those arguments help to discourage people
from moving into these spaces. Would you agree with that? Any
disagreement on that?
That is why I am concerned with this conversation about
diversity, equity, and inclusion. What I have found in my
lifetime is that it is important to have people coming from all
walks of life which strengthens our organization. It doesn't
diminish them. It strengthens our organization.
So, Mr. Russomanno, since you made the point that it is
important for people to see themselves in these fields, could
you elaborate on that for me?
Mr. Russomanno. Well, Congressman, thank you so much for
your comments, and I agree with you. We need to embrace
everyone from all walks of life, all backgrounds. At the
University of Memphis we're particularly proud of our very
diverse student body, significant African American population.
You know, in some cases I think we are looking at where we
need to reframe how potential outreach is described. If I think
what we look at, areas like first-generation students, students
that have significant unmet financial need, we can impact many
of the populations that you've been discussing, so I agree with
your comments.
Mr. Turner. Thank you.
I yield back, Mr. Chairman.
Chairman Green. The gentleman yields.
I now recognize Mr. Knott for 5 minutes, the gentleman from
North Carolina for his 5 minutes of questioning.
Mr. Knott. Thank you, Mr. Chairman.
I will start with you, Dr. Russomanno. If you had to
describe the current state of the cybersecurity ecosystem,
would you describe it as one that is lacking in personnel
exclusively or are those who are in the space right now here in
the United States are they lacking in a skill set? Are they
lacking in advancement? Are we being outpaced on that front as
well?
Mr. Russomanno. Thank you for your question. I think,
frankly, it's a combination of both although the data is very
compelling regarding the need to grow our work force. I think
that data is very clear.
However, if you look at certain circumstances where
industry in particular is going after mid- and advanced level
of cybersecurity professionals, that also speaks to a gap in
terms of the knowledge and abilities of our work force.
Mr. Knott. OK.
Mr. Jones, in terms of servicing rural communities and,
sort-of outside, the urban areas, describe how cybersecurity
plays a role in the threats that you face.
Also, and second to that, how is the threat increased if
people come here to the United States outside of the law,
outside of us being aware of it in terms that they have
physical access to your facilities that you represent?
Mr. Jones. Yes, sir. Congressman, thank you. So, one thing
I would touch on I believe to the first part of your question,
the threats we face, it's something we haven't talked so much
about but that I would like to if I could, is that it's not
just an issue of technology, process, and specific
cybersecurity resources. It is----
Mr. Knott. Yes.
Mr. Jones [continuing]. But it's also about a culture of
cybersecurity within the organization because, and my
colleagues would know better than I probably, but as far as
most of the incidents we see, the intrusions that have resulted
from an e-mail lapse of some kind or someone clicks on the
wrong thing. So making sure that our employees--we have a
culture of safety. We have to have a culture of cybersecurity
awareness as well.
Mr. Knott. Right.
Mr. Jones. Making sure that we're facilitating that
throughout the organization is very important.
Mr. Turner. Right but protecting your facilities physically
is also important for cybersecurity as well. They are not all
overseas, correct? If we have cybersecurity criminals that are
here illegally in this country that adds a layer of
vulnerability to the systems----
Mr. Jones. Yes, sir. That's right. That's the screen and
we're watching that as well. That's the other component to it.
I would say, if I could speculate with regard to the risks,
you know, cybersecurity is one that we're keenly concerned
about, we're most concerned about, but the physical pieces as
well. We have to have, again, equipment, processes, people in
place to safeguard against that potential as well. It's very
real.
Mr. Knott. Yes.
Now, Mr. Stier, it is Stier, correct?
Mr. Stier. Yes.
Mr. Knott. Great. Just briefly, one thing that is upsetting
in this job is the speaking with broad brushes and that is
unfortunate for our dialog. I think specificity is the best way
forward.
As a former Federal employee, I was a Federal prosecutor, I
am somewhat troubled by the dialog and because obviously it is
inhibited by time, but to say that all civil servants are
uniformly described as excellent in their craft, eager to
better themselves while they are employed, proficient in
serving the taxpayers above all else or highly focused and
patriotic in the execution of their duties, that is certainly
true for some.
As a prosecutor, I mean, I worked with agents at just about
every agency. We had great agents and we had some that were
there that you don't know what they did all day. Part of
maintaining efficiency and effectiveness, I think you would
admit and agree with me, not admit, I'm not trying to extract
it, but----
Mr. Stier. Yes.
Mr. Knott [continuing]. Is figuring out efficient----
Mr. Stier. I agree 100 percent.
Mr. Knott. Yes.
Mr. Stier. Yes.
Mr. Knott. And figuring out ways to constructively remove
those who are not motivated.
Mr. Stier. One hundred percent.
Mr. Knott. One of the frustrations I had in the Federal
work force is when there were people who were partners or
people you had to work with in other agencies, firing just was
not an option or removing them. If you did cross that
threshold, immediate litigation, burdensome, burdensome
countersuits would have been implemented.
So given the threat of cybersecurity and the need to
maintain a professional, efficient, and effective work force,
how can we better extract those who are not focused?
Mr. Stier. One hundred percent and I entirely agree with
you. Like all work forces there are better and worse, and I
think that the Federal Government more broadly has not had
effective focus on these kinds of management issues.
So there are some system changes that ought to take place.
It's too complicated to actually fire people. You have to
decide depending on, you know, what the issue is, where you go.
That could actually be streamlined in a very profound way.
The thing that would change it the most would be actually
to get managers better trained on doing the performance
evaluation that you're describing and to have leaders that
actually support their management to get rid of the poor
performers because right now it's easier to ignore the problem
than to address the problem.
So the rules can improve things, but it ultimately is a
management responsibility and that focus is by and large not
there.
Mr. Knott. OK. All right.
Mr. Chairman, I am over. I yield back.
Chairman Green. Yes. The gentlemen's time has expired.
I now recognize the Ranking Member for his closing
statement.
Mr. Thompson. Thank you, Mr. Chairman.
First, let me thank our witnesses. Thank you for being here
for a little while, but it is still shorter than most hearings
so there are some benefits.
Mr. Chair, I ask unanimous consent for the record to be
included the following documents: an article in cybersecurity
entitled, ``Cybersecurity: Government Experts are Aghast at
Security Failures at DOGE Takeover''; a copy of a letter
committed Democrats have sent to OPM regarding the impact of
the hiring freeze on Federal cyber work force; a copy of a
letter committed Democrats have sent OMB on security threats
DOGE poses to Federal networks.
Chairman Green. Without objection, so ordered.
[The information follows:]
Article by Cyberscoop.com Submitted by Ranking Member Bennie G.
Thompson
cybersecurity, government experts are aghast at security failures in
doge takeover
Elon Musk's takeover of key systems across the Federal Government is
ignoring decades of laws, regulations and procedures, experts
told CyberScoop.
By Derek B. Johnson, February 4, 2025
As the world's richest man and his team from the Department of
Government Efficiency continue their quest to dismantle Federal
agencies, cybersecurity experts, good government experts and Democrats
are increasingly expressing outrage and alarm, in some cases likening
the actions to an ongoing data breach.
Elon Musk and employees from DOGE--which is, legally, an external
advisory board--have reportedly taken a number of steps since Jan. 20
that could be exposing the personal data of millions of Federal
employees, violating Federal laws against sharing classified or
sensitive information with uncleared individuals and creating new
cybersecurity vulnerabilities for malicious hackers to exploit, these
experts say.
Chief among these concerns are efforts by Musk's team to access the
Department of the Treasury's payment system housed in the Bureau of
Fiscal Service. This system controls much of the spending by the
Federal Government, including congressionally mandated spending
programs like Social Security.
Federal employees at the Office of Personnel Management are also
suing the government, claiming that Musk had a private server installed
that has not been vetted or approved for security. OPM's systems
contain sensitive employee records for tens of millions of current and
former Federal workers, and the hack and theft of OPM records by
Chinese hackers in 2015 is considered among the worst Federal security
breaches of all time. The use of a private email server by then-
Secretary of State Hillary Clinton was the subject of a criminal
investigation by the FBI during the 2016 election and was bitterly
criticized by Trump and Republicans at the time as a massive security
lapse.
The White House claimed Monday that DOGE employees' access to these
systems were restricted to ``read-only,'' meaning they could not alter
files or make larger changes, but according to reporting from Wired, a
25-year-old former employee of Musk's has been granted administrative
access to the system.
Sen. Elizabeth Warren, D-Mass., wrote to Treasury Secretary Scott
Bessant this week seeking answers about this ``security and management
failure.''
``The public depends on the integrity of those systems, which
control the flow of over $6 trillion in payments to American families,
businesses, and other recipients each year--with millions relying on
them for Social Security checks and Medicare benefits, Federal
salaries, government contract payments, grants, and tax refunds this
filing season,'' Warren wrote.
According to one former Federal worker with a decade of
cybersecurity experience across multiple agencies--including the U.S.
Digital Service that was absorbed into DOGE--the actions of Musk and
his allies run afoul of ``the spirit and letter of the law'' for
Federal cybersecurity statutes, including the Federal Information
Security Management Act (FISMA) and security controls established by
the National Institute of Standards and Technology for securing Federal
systems.
Access to highly sensitive Federal systems is often subject to
strict access and logging requirements. Individuals that do not possess
a clearance in which they are allowed to access OPM and Treasury
systems would, in any other situation, be viewed as a straightforward
security breach with lasting ramifications.
``These systems have now become untrusted, so once this is done and
over, to have those systems back to the level of assurances they had on
Jan. 20 will require a lot of work and a lot of resources,'' said the
former Federal Government employee, who now works in the private sector
and was granted anonymity due to fear of reprisal.
The risks include DOGE employees potentially downloading and taking
protected Federal data to creating weak points for attackers through
unvetted IT infrastructure like the newly launched private server at
OPM. The office's systems also connect to other agencies, like the
Defense Counterintelligence and Security Agency, which handles
congressional background checks. Lacking independent oversight and
activity logging, there's no way to confirm what information was
accessed or changes that were made.
``The biggest issue right now is . . . the secure connection from
OPM to DCSA, to either enter in or request security clearance
information,'' the former Federal employee said.
Reps. Gerry Connolly, D-Va., ranking member for the House Oversight
Committee, and Shontel Brown, D-Ohio, ranking member on the
Cybersecurity, Information Technology and Government Innovation
Subcommittee, wrote this week to OPM acting Director Charles Ezell
saying that the lack of security and oversight associated with the new
email system ``threatens to expose Federal workers to personalized
social engineering or `spear phishing' attacks.''
``At best, the Trump Administration's actions at OPM to date
demonstrate gross negligence, severe incompetence, and a chaotic
disregard for the security of our government data and the countless
services it enables our agencies to provide to the public,'' Connolly
and Brown wrote. ``At worst, we fear that Trump Administration
officials know full well that their actions threaten to break our
government and put our citizens at risk of foreign adversaries like
China and Russia gaining access to our sensitive data.''
According to legal experts, Musk and Trump's actions are putting
Federal employees in a lose-lose situation. Trump's executive order
creating DOGE only gave Musk access to unclassified Federal systems.
Under Title V of the E-Government Act of 2002, it is a Class E felony
carrying a maximum penalty of 5 years in prison and a $250,000 fine for
Federal employees who have taken the oath of office to ``willfully''
disclose such information to any person or agency not entitled to
receive it.
Bradley Moss, an attorney who specializes in national security,
Federal employment and security clearance law, was unequivocal when
CyberScoop asked about the legal constraints Federal employees face in
this situation.
``No Federal employee should be granting access to anyone--no
matter what special `DOGE' badge they have--absent specific written
authorization to do so,'' Moss said. ``The president's [executive
order] does not suffice, and Federal employees appear to be trying to
hold the line on protocols so far. Unfortunately, those who are doing
that are being punished for it, as many are being put on administrative
leave or outright fired.''
Beneath the classified level, many Federal systems also contain
what's known as Controlled Unclassified Information (CUI), which can
include financial, law enforcement and privacy-related data on
Americans. That data is less sensitive, but still must be legally
protected by Federal employees and contractors.
``There are well-established procedures, beginning with Federal
employment screening, to determine whether individuals are
`trustworthy,' such that they should be afforded access to these CUI
categories,'' said Robert Metzger, an attorney and Federal
cybersecurity contracting expert. ``Higher standards and controls apply
to persons who would have rights of `use' of that information.''
The potential for unintended consequences on Federal IT and
administrative operations is also real. Researcher Danah Boyd compared
the structure of the U.S. administrative state to a game of Jenga. As
politicians add or remove different blocks from the system, civil
servants have usually played the role of repairman, fixing holes and
propping up the byzantine American system.
The dismissal of many Federal employees overseeing these systems
has made that job more difficult. Boyd believes that Musk's team
interfering with vital Treasury financial systems could lead to a
``normal accident,'' causing significant parts of the system to
collapse.
``It has been a hard 2 weeks for [civil servants], but, regardless
of the legal dynamics, turning over access to the core systems at the
heart of an administrative state to a wrecking ball is really, really
bad,'' Boyd wrote.
This story was updated Feb. 4, 2025, with details from a letter sent to
OPM by Reps. Connolly and Brown.
______
Letter Submitted by Ranking Member Bennie G. Thompson
February 5, 2025.
Mr. Charles Ezell,
Acting Director, U.S. Office of Personnel Management, 1900 E Street,
NW., Washington, DC 20415-1000.
Dear Acting Director Ezell: We are writing to request information
on the impact of President Trump's hiring freeze on the Federal
cybersecurity workforce. As you may know, the Federal Government has
struggled to recruit, hire, and retain qualified cybersecurity workers
for many years. During the Biden Administration, the Federal Government
took several steps to address this challenge, including through the
issuance of a National Cyber Workforce and Education Strategy and
implementation of the Cyber Talent Management System at the Department
of Homeland Security (DHS). Now, reckless attacks on Federal workers
risk reversing recent progress in addressing the Federal Government's
cyber workforce shortage.
On Inauguration Day, President Trump issued an executive order to
mandate ``a freeze on the hiring of Federal civilian employees.''\1\
While the order included an exemption for positions related to
``national security,'' it failed to provide any definition for that
term.\2\ Related guidance from the Office of Personnel Management (OPM)
and the Office of Management and Budget similarly failed to clarify how
agency heads should implement this exemption.\3\ While the Department
of Defense has continued hiring for civilian positions,\4\ the
Cybersecurity and Infrastructure Security Agency, which is the
operational lead for Federal cybersecurity and the national coordinator
for critical infrastructure security and resilience, does not have a
single open position listed on the USA Jobs website.\5\
---------------------------------------------------------------------------
\1\ Hiring Freeze, The White House, Jan. 20, 2025, https://
www.whitehouse.gov/presidential-actions/2025/01/hiring-freeze/.
\2\ Id.
\3\ Memorandum from Matthew J. Vieth and Charles Ezell to Heads of
Executive Departments and Agencies, Jan. 20, 2025, https://chcoc.gov/
sites/default/files/OMB-OPM%20-
Federal%20Civilian%20Hiring%20Freeze%20Guidance%201-20-
2025%20FINAL.pdf.
\4\ Karen Jowers, All of DOD exempt from White House's civilian
hiring freeze, Military Times, Jan. 29, 2025, https://
www.militarytimes.com/news/pentagon-congress/2025-01-29/all-of-dod-
exempt-from-white-houses-civilian-hiring-freeze/.
\5\ USAJOBS, https://www.usajobs.gov/ (last accessed Feb. 2, 2025).
---------------------------------------------------------------------------
Agencies throughout the Federal Government are responsible for
defending their agency networks, regardless of whether cybersecurity is
their primary mission, and any delay in filling vacant cybersecurity
positions at Federal agencies risks severe national security
implications. Recent cyber incidents have demonstrated that Federal
agencies remain top targets for foreign adversaries. In December 2024,
the Treasury Department suffered a major cyber incident when Chinese
hackers were able to gain access to then-Secretary Janet Yellen's files
through a supply chain attack.\6\ In June 2023, the State Department
discovered a breach of Microsoft's cloud networks by Chinese hackers,
uncovering an incident that affected 22 organizations and over 500
individuals around the world, including the Commerce Department and
then-Secretary Raimondo.\7\ The Departments of Treasury, State, and
Commerce all have zero open positions listed on the USA Jobs
website.\8\ A hiring freeze that precludes Federal agencies from
filling cybersecurity positions risks the security of Federal networks
and may prevent sector risk management agencies from fulfilling their
obligations to help defend critical infrastructure.
---------------------------------------------------------------------------
\6\ Jonathan Greig, U.S. sanctions hacker and company allegedly
behind Treasury and telecom breaches, The Record, Jan. 17, 2025,
https://therecord.media/treasury-sanctions-alleged-salt-typhoon-hacker-
company.
\7\ Review of the Summer 2023 Microsoft Exchange Online Intrusion,
Cyber Safety Review Board, March 20, 2024, https://www.cisa.gov/
sitesfdefault/files/2024-04/CSRB_Review_of_-
the_Summer_2023_MEO_Intrusion_Final_508c.pdf.
\8\ USAJOBS, https://www.usajobs.gov/ (last accessed Feb. 2, 2025).
---------------------------------------------------------------------------
On January 28, 2025, OPM emailed Federal employees an ``offer'' to
resign from Federal employment, entitled a ``Fork in the Road.''\9\
This offer included an exemption for positions related to national
security but similarly failed to define which positions fall under the
exemption. While we understand that many DHS components have been
exempted from this offer, there is a risk that incentives offered by
OPM could reduce the number of cybersecurity professionals across the
Federal Government.
---------------------------------------------------------------------------
\9\ Fork in the Road, Office of Personnel Management, http://
www.opm.gov/fork (last accessed Feb. 3, 2025).
---------------------------------------------------------------------------
To better understand the homeland security implications of the
current hiring freeze, we seek to clarify how President Trump's
executive order has impacted the Federal cybersecurity workforce and
what OPM plans to do to mitigate the national security harms of the
President's poorly drafted, vague, and irresponsible hiring freeze.
Please respond to the following questions by February 19, 2025:
1. How many cybersecurity-related open positions are subject to the
current hiring freeze? Please detail them by department or
agency.
2. How many cybersecurity professionals have chosen to resign under
the ``Fork in the Road'' offer? Please detail them by
department or agency.
3. Are all cybersecurity-related positions exempt from the hiring
freeze or the Fork in the Road offer?
4. What guidance has OPM provided to agencies on the application of
the hiring freeze or Fork in the Road offer to cybersecurity-
related positions? Please provide a copy of such guidance.
5. What impact has the hiring freeze had on participants in
programs where Federal employment is a condition of scholarship
support, such as the CyberCorps: Scholarship for Service
program? Please describe any delays or restrictions on hiring
such participants.
Sincerely,
Bennie G. Thompson,
Member of Congress,
Ranking Member, Committee on Homeland Security.
Eric Swalwell,
Member of Congress.
J. Luis Correa,
Member of Congress.
Shri Thanedar,
Member of Congress.
Seth Magaziner,
Member of Congress.
Dan Goldman,
Member of Congress.
Delia C. Ramirez,
Member of Congress.
Timothy M. Kennedy,
Member of Congress.
LaMonica McIver,
Member of Congress.
Julie Johnson,
Member of Congress.
Pablo Jose Hernandez,
Member of Congress.
Nellie Pou,
Member of Congress.
Sylvester Turner,
Member of Congress.
______
Letter Submitted by Ranking Member Bennie G. Thompson
February 5, 2025.
Mr. Matthew J. Vaeth,
Acting Director, Office of Management and Budget, 1725 17th St., NW.,
Washington, DC 20503.
Dear Acting Director Vaeth: We write to express our serious
concerns about the unprecedented access to sensitive government data
granted to Elon Musk and his US DOGE Service (DOGE) associates and
inquire about what policies and procedures are in place to protect the
security and integrity of sensitive government information.
Under the Federal Information Security Modernization Act (FISMA) of
2014, the Director of the Office of Management and Budget (OMB) is
responsible for ``developing and overseeing the implementation of
policies, principles, standards, and guidelines on information
security'' and ``requiring agencies, consistent with the standards
promulgated under such section 11331 and the requirements of this
subchapter, to identify and provide information security protections
commensurate with the risk and magnitude of the harm resulting from the
unauthorized access, use, disclosure, disruption, modification, or
destruction of (A) information collected or maintained by or on behalf
of an agency; or (B) information systems used or operated by an agency
or by a contractor of an agency or other organization on behalf of an
agency.''\1\
---------------------------------------------------------------------------
\1\ 44 U.S.C. 3553(a).
---------------------------------------------------------------------------
Executive Order (EO) 14158, Establishing and Implementing the
President's ``Department of Government Efficiency,'' gave DOGE
unprecedented access to information systems across government.\2\ It
directs Agency Heads ``to take all necessary steps'' to ensure DOGE
``has full and prompt access to all unclassified agency records,
software systems, and IT systems.''\3\ The EO also directs DOGE to
adhere to ``rigorous data protection standards.''\4\ Although the EO
fails to articulate those standards, they presumably include Federal
laws including, but not limited to, FISMA, the E-Govemment Act of
2002,\5\ and the Federal Acquisition Regulation, as well as OMB
policies intended to protect Federal networks, including OMB 22-09,
Moving the U.S. Government Toward Zero Trust Cybersecurity
Principles.\6\ Instead, by all accounts, DOGE is running roughshod
across Federal networks, accessing untold amounts of information about
Americans in complete disregard for security and privacy standards.
---------------------------------------------------------------------------
\2\ Exec. Order No. 14158, Establishing and Implementing the
President's ``Department of Government Efficiency.'' 90 Fed. Reg. 8441
(Jan 20, 2025), https://www.federalregister.gov/documents/2025/01/29/
2025-02005/establishing-and-implementing-the-presidents-department-of-
government-efficiency.
\3\ Id.
\4\ Id.
\5\ 44 U.S.C. � 101.
\6\ OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero
Trust Cybersecurity Principles (Jan. 26, 2022), https://
zerotrust.cyber.gov/downloads/M-22-09%20Federal-
%20Zero%20Trust%20Strategy.pdf.
---------------------------------------------------------------------------
According to media reports, in recent days, Elon Musk and his DOGE
associates have accessed a broad range of government databases at
multiple Federal agencies. These agencies include the Treasury
Department, the U.S. Office of Personnel Management, the U.S. Agency
for International Development, the Small Business Administration, and
possibly others.\7\ The systems include the payment systems that the
Treasury Department uses to honor U.S. financial obligations, those
that store sensitive personnel data on Federal employees, and
reportedly classified information systems, which DOGE has absolutely no
authority to access. This reporting also indicates that DOGE officials
have transferred data to commercial servers that may not have been
vetted for compliance with security and privacy requirements, another
potential violation of Federal law.\8\ These databases include
personally identifiable information on Federal employees and millions
of other Americans, and any risk of exposure to foreign adversaries
could have grave national security consequences. Due to the complete
lack of transparency about DOGE's activities, it is possible that DOGE
has gained access to other information that the public is not yet aware
of.
---------------------------------------------------------------------------
\7\ Fatima Hussein, Elon Musk's DOGE commission gains access to
sensitive Treasury payment systems: AP sources, Associated Press, Feb.
1, 2025, https://apnews.com/article/donald-trump-elon-musk-doge-
treasury-5e26cc80fcb766981cea56afd57ae759; Abigail Williams, Vaughn
Hillyard, Yamiche Alcindor, and Dan De Luce, USAID security leaders
removed after refusing Elon Musk's DOGE employees access to secure
systems, NBC News, Feb. 3, 2023 [sic], https://www.nbcnews.com/
politics/national-security/usaid-security-leaders-removed-refusing-
elon-musks-doge-employees-acce-rcna190357; Tim Reid, Exclusive: Musk
aides lock workers out of OPM computer systems, Reuters, Feb. 2, 2023
[sic], https://www.reuters.com/world/us/musk-aides-lock-govemment-
workers-out-computer-systems-us-agency-sources-say-2025-01-31/.
\8\ Caleb Ecarma and Judd Legum, Musk associates given unfettered
access to private data of government employees, Musk Watch, Feb. 3,
2025, http://www.muskwatch.com/p/musk-associates-given-unfettered/.
---------------------------------------------------------------------------
We know that China and other foreign adversaries are regularly
seeking to breach Federal agency networks to gather exploitable
information about government officials, American citizens, and U.S.
businesses. That is why the U.S. Government has implemented numerous
policies and programs to secure sensitive data. Elon Musk and his DOGE
associates are not exempt from those policies. Under your statutory
obligations, you are responsible for ensuring that Elon Musk complies
with data privacy and security requirements, and we urge you to take
action to ensure compliance.
The American public deserves to know who is accessing their
personal information and why. The government also has an obligation to
keep their information secure. To help us better understand what
policies and procedures are currently in place to secure data obtained
by DOGE and what steps are being taken to secure Americans' data, we
request that you respond to the following questions by February 19,
2025:
1. Which departments and agencies have granted DOGE access to their
information systems and data? Please specify the types of
information DOGE has accessed and the purpose of the access.
2. DOGE has no authority to access classified systems, but media
reports indicate DOGE employees have, in fact, accessed such
systems.
a. Have DOGE employees accessed classified systems? Please
specify the authority under which DOGE employees accessed
classified systems, which classified systems DOGE employees
have accessed, and the purpose of DOGE access.
b. Do the DOGE employees who have accessed classified systems
have security clearances? If so, did they complete the SF-86
form and undergo the background investigations required for
Federal employees to obtain access to classified information.
Please provide the dates upon which each DOGE employee who
accessed classified information received their clearance, the
type of security clearance each DOGE employee has, the date of
their clearance security education meeting, and who provided
the clearance security education meeting.
3. What procedures are in place to ensure that DOGE complies with
the E-Govemment Act of 2002's requirement of Privacy Impact
Assessments for the use of new information technology?
4. How is OMB ensuring DOGE is in compliance with the Federal
Government's mandatory information security policies under
FISMA and other relevant laws?
5. What guidance, if any, has OMB provided to Federal agencies how
to mitigate security risks posed by DOGE access to their
networks?
6. In the past, the US Digital Service accessed Federal department
and agency information systems after being invited to do so. Do
Federal agencies have the authority to refuse DOGE access to
their information systems and data?
OMB has an obligation to ensure Federal information systems and
data security laws are being followed, and we urge to move
expeditiously to investigate what Federal laws and policies DOGE may
have violated and take appropriate action. We look forward to your
timely response.
Sincerely,
Bennie G. Thompson,
Member of Congress,
Ranking Member, Committee on Homeland Security.
Eric Swalwell,
Member of Congress.
J. Luis Correa,
Member of Congress.
Shri Thanedar,
Member of Congress.
Seth Magaziner,
Member of Congress.
Dan Goldman,
Member of Congress.
Delia C. Ramirez,
Member of Congress.
Timothy M. Kennedy,
Member of Congress.
LaMonica McIver,
Member of Congress.
Julie Johnson,
Member of Congress.
Pablo Jose Hernandez,
Member of Congress.
Nellie Pou,
Member of Congress.
Sylvester Turner,
Member of Congress.
Mr. Thompson. I also want to thank again our witnesses for
coming and testifying today and sharing that expertise. I was
long years ago an instructor. Those of you who are in
education, you have my heartfelt support and sympathy for the
talent and challenges you have. It is indeed a challenge.
I have rural electric co-ops in my district and one of the
things this Government committed to was having electricity to
every house in America, and it could not have been accomplished
had it not been for rural electric co-ops. So I thank you for
that work.
But I also know that all of you take this topic of
cybersecurity very seriously.
I am sorry for Mr. Stier for that unjustified treatment
that you received from Congresswoman Greene. You are a witness
for this committee and we owe all our witnesses a certain
amount of courtesy. You did not deserve what you received and
if not from anybody else, I apologize. We are better than that.
We should not antagonize people who we invite into this
great institution to offer their expertise, and so for that I
just wanted to say that I appreciate all of you for being here.
But I don't like people being maligned by any Member of this
committee.
So, Mr. Chairman, the goal of building a robust cyber work
force is to improve the security of our networks,
infrastructure owned by both the Government and the private
sector.
As we sit here today, Elon Musk and his DOGE team are
rifling through America's data and accessing agency networks
all while ignoring Federal information, security, and privacy
laws, and the Majority is silent about it.
We can't jump up and down about the cyber threats posed by
China and the need to build a cyber work force to defend
against them while at the same time allowing unchecked access
to the Federal networks.
I urge my colleagues on the other side of the aisle to stop
pretending like it is business as usual and take these threats
seriously.
We all appreciate the urgency of addressing the cyber work
force shortage. China and other adversaries are trying to hack
our Government and critical infrastructures every day, but the
Trump-Musk administration's war on the Federal work force is
putting our national security at risk.
While Trump's vague Executive Orders may have theoretical
exceptions for national security, its application across the
Federal Government has clearly impacted cybersecurity
positions.
For example, a search on the USAJOBS website shows that
there is a hiring freeze in place at CISA right now. In the
administration's reckless rush to force out Federal employees,
they sent their resignation letter to CISA employees, only
clarifying later that they were not eligible.
Mr. Stier's example in his opening statement of a student
in the CyberCorps Scholarships for Service demonstrates just
how serious the impact these policies have had on people
seeking to join the Federal cyber work force.
Again, I thank the witnesses for their time, and I hope all
Members of the committee join together to push back on the
Trump administration's dangerous policies toward the Federal
cyber work force. Our Nation's security depends on it.
Chairman Green. The gentleman yields.
I now recognize myself for a closing statement. First, I
would like to mention to everybody, sort-of, an announcement, I
guess. We just got another commendation from IBM to support the
PIVOTT Act, another stakeholder.
If you look at the list of these companies that thought
today's hearing and the discussion about this bill is really an
important thing you would wonder why all the people over here
were so critical and some called it even a stupid hearing but
I, you know, I digress.
I guess those companies are all, you know, going the wrong
way. They're not, of course, and we appreciate the support
despite what the left side of this committee has said today.
In closing, I want to thank our witnesses for their
informative testimony. I really appreciate all of you sharing
your comments.
The cyber threat environment continues to evolve and it is
a huge risk to our country. The fact that Volt Typhoon and Salt
Typhoon are where they are or where they have been should scare
the hell out of every American. We have a massive shortage of
people.
As we looked over the past, you know, my first term as
Chairman, we identified the priorities. This is the work force
shortage is No. 1, and that is why this committee, last week's
committee, focused on cyber the first of this Congress and this
committee.
Nation-state actors like China, Russia, Iran routinely
target critical networks and businesses in both private and
public sectors, and it is vital that we scale the work force
up.
I am disappointed that some seem concerned about
criticizing efforts to create much-needed efficiency and
improvement within the Federal Government and the actual
misallocation of massive taxpayer funds that could have gone to
cybersecurity.
Today's hearing and the Cyber PIVOTT Act are focused on
leveraging flexible approaches to close talent gaps and improve
our cyber work force using lessons and approaches from the
private sector.
I think we would all agree that developing our cyber work
force should be a much higher priority than spending $25
million to promote green transportation in the country of
Georgia or spending taxpayer dollars teaching journalists in
Sri Lanka to avoid using binary gender language.
Or to take another example, the Federal Government spending
$2 million to promote Moroccan pottery classes, another $2
million to promote tourism in Lebanon, which is under a travel
warning from the State Department, all discovered by the very
organization that nearly every Member of that side of the
committee spent today's committee hearing talking about when we
are here to talk about, you know, this massive cyber shortage
and risk to our country.
These are just the tip of the iceberg. Someone told me as I
was walking in this morning we sent $49 million to Guatemala to
build a gas station that never got built. Thank God someone's
figuring this out, the corruption that has happened.
Of course, they want to jump up and down and say somebody
is not supposed to be here, a guy by the way who builds rockets
for NASA and has a Top Secret security clearance. I will just
correct the record on that.
When you bring efficiency to Government you invest in the
core needs of Government. What is a core need of Government?
Cybersecurity. The enemy has invaded our infrastructure and our
telecommunications networks. We need every penny we have got to
go toward things like the PIVOTT Act.
Our approach to Cyber PIVOTT Act has received significant
support from the cybersecurity community, trade organizations,
businesses. We have talked about this.
I will look forward to making this bill become law this
Congress because our Nation needs it, and even the witness from
the other side agreed with that.
I will make a quick comment about when you are in a
committee hearing as a witness, the representative owns their
time, Mr. Steir. If you were offended I apologize, but they own
their time.
In this committee room and in every committee room I have
seen this happen many times where someone shuts down the
witness to say what they want to say.
So, we gaveled down people in this committee on my side of
the aisle when they did cross the line and attack the
witnesses, you know, verbally with character. I didn't see that
happen today and so we let that continue.
But it is interesting how the politics of this place works
and what the rules really are. But I want to catch you after
this so I can talk with you in person.
I want to again thank the witnesses for being here, the
Members for their questioning. This hearing is adjourned.
[Whereupon, at 12:57 p.m., the committee was adjourned.]
[all]