[Congressional Record Volume 167, Number 127 (Tuesday, July 20, 2021)]
[House]
[Pages H3696-H3701]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




              CYBERSECURITY VULNERABILITY REMEDIATION ACT

  Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules 
and pass the bill (H.R. 2980) to amend the Homeland Security Act of 
2002 to provide for the remediation of cybersecurity vulnerabilities, 
and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 2980

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cybersecurity Vulnerability 
     Remediation Act''.

     SEC. 2. CYBERSECURITY VULNERABILITIES.

       Section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 
     659) is amended--
       (1) in subsection (a)--
       (A) in paragraph (5), by striking ``and'' after the 
     semicolon at the end;
       (B) by redesignating paragraph (6) as paragraph (7); and
       (C) by inserting after paragraph (5) the following new 
     paragraph:
       ``(6) the term `cybersecurity vulnerability' has the 
     meaning given the term `security vulnerability' in section 
     102 of the Cybersecurity Information Sharing Act of 2015 (6 
     U.S.C. 1501); and''.
       (2) in subsection (c)--
       (A) in paragraph (5)--
       (i) in subparagraph (A), by striking ``and'' after the 
     semicolon at the end;
       (ii) by redesignating subparagraph (B) as subparagraph (C);
       (iii) by inserting after subparagraph (A) the following new 
     subparagraph:
       ``(B) sharing mitigation protocols to counter cybersecurity 
     vulnerabilities pursuant to subsection (n); and''; and
       (iv) in subparagraph (C), as so redesignated, by inserting 
     ``and mitigation protocols to counter cybersecurity 
     vulnerabilities in accordance with subparagraph (B)'' before 
     ``with Federal'';
       (B) in paragraph (7)(C), by striking ``sharing'' and 
     inserting ``share''; and
       (C) in paragraph (9), by inserting ``mitigation protocols 
     to counter cybersecurity vulnerabilities,'' after 
     ``measures,'';
       (3) in subsection (e)(1)(G), by striking the semicolon 
     after ``and'' at the end;
       (4) by redesignating subsection (o) as subsection (p); and
       (5) by inserting after subsection (n) the following new 
     subsection:
       ``(o) Protocols to Counter Certain Cybersecurity 
     Vulnerabilities.--The Director may, as appropriate, identify, 
     develop, and disseminate actionable protocols to mitigate 
     cybersecurity vulnerabilities to information systems and 
     industrial control systems, including in circumstances in 
     which such vulnerabilities exist because software or hardware 
     is no longer supported by a vendor.''.

     SEC. 3. REPORT ON CYBERSECURITY VULNERABILITIES.

       (a) Report.--Not later than one year after the date of the 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency of the Department of Homeland 
     Security shall submit to the Committee on Homeland Security 
     of the House of Representatives and the Committee on Homeland 
     Security and Governmental Affairs of the Senate a report on 
     how the Agency carries out subsection (n) of section 2209 of 
     the Homeland Security Act of 2002 to coordinate vulnerability 
     disclosures, including disclosures of cybersecurity 
     vulnerabilities (as such term is defined in such section), 
     and subsection (o) of such section (as added by section 2) to 
     disseminate actionable protocols to mitigate cybersecurity 
     vulnerabilities to information systems and industrial control 
     systems, that includes the following:
       (1) A description of the policies and procedures relating 
     to the coordination of vulnerability disclosures.
       (2) A description of the levels of activity in furtherance 
     of such subsections (n) and (o) of such section 2209.
       (3) Any plans to make further improvements to how 
     information provided pursuant to such subsections can be 
     shared (as such term is defined in such section 2209) between 
     the Department and industry and other stakeholders.
       (4) Any available information on the degree to which such 
     information was acted upon by industry and other 
     stakeholders.
       (5) A description of how privacy and civil liberties are 
     preserved in the collection, retention, use, and sharing of 
     vulnerability disclosures.
       (b) Form.--The report required under subsection (b) shall 
     be submitted in unclassified form but may contain a 
     classified annex.

     SEC. 4. COMPETITION RELATING TO CYBERSECURITY 
                   VULNERABILITIES.

       The Under Secretary for Science and Technology of the 
     Department of Homeland Security, in consultation with the 
     Director of the

[[Page H3697]]

     Cybersecurity and Infrastructure Security Agency of the 
     Department, may establish an incentive-based program that 
     allows industry, individuals, academia, and others to compete 
     in identifying remediation solutions for cybersecurity 
     vulnerabilities (as such term is defined in section 2209 of 
     the Homeland Security Act of 2002, as amended by section 2) 
     to information systems (as such term is defined in such 
     section 2209) and industrial control systems, including 
     supervisory control and data acquisition systems.

     SEC. 5. TITLE XXII TECHNICAL AND CLERICAL AMENDMENTS.

       (a) Technical Amendments.--
       (1) Homeland security act of 2002.--Subtitle A of title 
     XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et 
     seq.) is amended--
       (A) in the first section 2215 (6 U.S.C. 665; relating to 
     the duties and authorities relating to .gov internet domain), 
     by amending the section enumerator and heading to read as 
     follows:

     ``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
                   DOMAIN.'';

       (B) in the second section 2215 (6 U.S.C. 665b; relating to 
     the joint cyber planning office), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

       (C) in the third section 2215 (6 U.S.C. 665c; relating to 
     the Cybersecurity State Coordinator), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

       (D) in the fourth section 2215 (6 U.S.C. 665d; relating to 
     Sector Risk Management Agencies), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

       (E) in section 2216 (6 U.S.C. 665e; relating to the 
     Cybersecurity Advisory Committee), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.''; and

       (F) in section 2217 (6 U.S.C. 665f; relating to 
     Cybersecurity Education and Training Programs), by amending 
     the section enumerator and heading to read as follows:

     ``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING 
                   PROGRAMS.''.

       (2) Consolidated appropriations act, 2021.--Paragraph (1) 
     of section 904(b) of division U of the Consolidated 
     Appropriations Act, 2021 (Public Law 116-260) is amended, in 
     the matter preceding subparagraph (A), by inserting ``of 
     2002'' after ``Homeland Security Act''.
       (b) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended by 
     striking the items relating to sections 2214 through 2217 and 
     inserting the following new items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Ms. Clarke) and the gentleman from New York (Mr. Katko) each 
will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that 
all Members may have 5 legislative days to revise and extend their 
remarks and to include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I 
may consume.
  Madam Speaker, 5 years ago a Government Accountability Office survey 
found that 12 out of 12 Federal agencies used obsolete information 
technology. In other words, 12 out of 12 Federal agencies were using 
software or hardware for which vendors no longer provided support, 
updates, or patches.
  The Federal Government is hardly alone. It has been widely reported 
that State and local governments and critical infrastructure owners and 
operators across the country rely on legacy technology.
  We have seen malicious cyber actors wreak havoc by exploiting known 
vulnerabilities.
  H.R. 2980 would authorize CISA to develop and distribute playbooks to 
provide procedures and mitigation strategies for the most critical, 
known vulnerabilities, especially those affecting software or hardware 
that is no longer supported by a vendor. The playbooks would be 
available to Federal agencies, industry, and other stakeholders.
  The bill, as introduced by the gentlewoman from Texas (Ms. Jackson 
Lee), also authorizes the Department of Homeland Security Science and 
Technology Directorate, in consultation with CISA, to establish a 
competition program for industry, individuals, academia, and others to 
provide remediation solutions for cybersecurity vulnerabilities that 
are no longer supported.
  Importantly, in response to recent cyberattacks, H.R. 2980 
prioritizes efforts to address vulnerabilities of industrial control 
systems of critical infrastructure that may be targeted, like water 
systems and pipelines.
  H.R. 2980 is no substitute for investing in new technology, but it 
will provide important support to government and private sector 
entities that cannot replace legacy technology or rapidly patch known 
vulnerabilities because of resource limitations or other system 
complications.
  Madam Speaker, I urge all of my colleagues to support H.R. 2980, and 
I reserve the balance of my time.
  Mr. KATKO. Madam Speaker, I yield myself such time as I may consume.
  Madam Speaker, I rise today in support of H.R. 2980, the 
Cybersecurity Vulnerability Remediation Act. I would like to thank the 
gentlewoman from Texas (Ms. Jackson Lee), my friend, for being a 
staunch advocate of CISA and these important cybersecurity issues. I 
look forward to continuing to work with her and my other colleagues on 
the preeminent national security threat facing our Nation today.
  Madam Speaker, I urge Members to join me in supporting H.R. 2980, and 
I reserve the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield 5 minutes to the 
gentlewoman from Texas (Ms. Jackson Lee).
  Ms. JACKSON LEE. Madam Speaker, I thank the gentlewoman from New York 
for her leadership, and I thank the ranking member of the full 
committee and the chair of the full committee for bringing these 
matters to the attention of the Nation.
  Madam Speaker, I rise in support of my bill, H.R. 2980, the 
Cybersecurity Vulnerability Remediation Act, which authorizes the 
Department of Homeland Security to take actions to counter 
cybersecurity vulnerabilities in our Nation's critical infrastructure.
  Interestingly enough, when we introduced this bill some years ago, we 
called it the zero-day bill, which was to presuppose what would happen 
when everything collapsed. When we introduced it, it was before the 
Colonial Pipeline, it was before the Solaris attack, it was before 
knowing about the gangs in Russia, cyber gangs that proliferate before 
the activity of China.
  I thank Chairman Thompson and Ranking Member Katko for their 
leadership in putting the security of our Nation's cyber access first, 
whether they are computing resources used in voting technology or 
industrial control systems that support delivery of electricity, oil, 
and gas, or management of transportation systems that are vital to our 
Nation's economic health.
  The Cybersecurity Vulnerability Remediation Act was introduced, as I 
said, and passed the House during the 115th and 116th Congresses and 
has been updated again in the 117th Congress to meet the ever-evolving 
nature of cyber threats faced by Federal and private sector information 
systems and our Nation's critical infrastructure.

  As I said before, it will be very important that the other body 
seriously considers the cyber threats against this Nation. This bill 
goes significantly further than the first cybersecurity vulnerability 
act that I introduced in the 115th Congress to address the instance of 
zero-day events that can lead to catastrophic cybersecurity failures of 
information and computing systems.
  It is estimated that 85 percent of critical infrastructure is owned 
by the private sector, and for far too long this fact has hampered 
efforts to establish stronger requirements for cybersecurity by owners 
and operators.
  Private sector critical infrastructure failure due to a cyberattack 
is no longer a private matter when it can have massive impacts on the 
public, such as disruption of gasoline flowing to filling stations, 
which we saw recently.
  My bill, the Cybersecurity Vulnerability Remediation Act, will expand

[[Page H3698]]

the definition of security vulnerability to include cybersecurity 
vulnerability; add sharing mitigation protocols to counter 
cybersecurity vulnerabilities; establish protocols to counter 
cybersecurity vulnerabilities involving information system and 
industrial control systems, which will include vulnerabilities related 
to software or hardware that is no longer supported by a vendor; direct 
the undersecretary for DHS Office of Science and Technology to stand up 
a competition to find solutions to known cybersecurity vulnerabilities; 
provide greater transparency on how the Department of Homeland Security 
CISA is coordinating cybersecurity vulnerability disclosures through 
the sharing of actionable protocols to mitigate cybersecurity 
vulnerabilities with information systems and industrial control systems 
owners and operators.

                              {time}  1330

  H.R. 2980 bolsters the efforts to engage critical infrastructure 
owners and operators in communicating cybersecurity threats and lays 
the foundation for greater transparency on the real threats posed by 
cyberterrorists to private and government sector critical 
infrastructure and information systems, which impact the people of this 
Nation.
  This legislation allows the science and technology director, in 
consultation with CISA, to establish an incentive-based program that 
allows industry, individuals, academia, and others to compete in 
identifying remediation solutions for cybersecurity vulnerabilities to 
information systems and industrial control systems, including 
supervisory control and data acquisition systems.
  This bill, when it becomes law, will put our Nation's best minds to 
work on closing the vulnerabilities that cyber thieves and terrorists 
use to access, disrupt, corrupt, or take control of critical 
infrastructure information systems.
  In addition to these changes, the bill requires a report to Congress 
that may contain a classified annex.
  The report will provide information on how DHS coordinates 
cybersecurity vulnerability disclosures and disseminates actionable 
protocols to mitigate cybersecurity vulnerabilities involving 
information systems and industrial systems.
  Congress needs to know how prevalent and persistent cybersecurity 
threats targeting critical infrastructure and information systems might 
be, especially if those threats result in a payment of ransom. They 
need to know about a payment of ransom.
  Paying a ransom for ransomware emboldens and encourages bad cyber 
actors and places everyone at greater risk for the financial and 
societal costs of increases in threats as others seek payouts.
  The SPEAKER pro tempore. The time of the gentlewoman has expired.
  Ms. CLARKE of New York. Madam Speaker, I yield the gentlewoman an 
additional 1 minute.
  Ms. JACKSON LEE. Madam Speaker, as long as there is silence about 
cyberattacks like ransomware, the criminals and terrorists will remain 
out of reach and continue to feel safe and emboldened in carrying out 
these attacks, often from the soil of our enemies or peer competitors.
  I applaud and thank the Biden administration for its quick action in 
responding to the attack against Colonial Pipeline, but it did shut 
down the whole East Coast, and he did it by an executive order.
  Today, our Nation is in a cybersecurity crisis. The attacks against 
Federal, State, local, territorial, and Tribal Governments, as well as 
threats posed to private information systems and critical information 
systems make this bill necessary.
  So I am hoping, along with those who have been attacked, like the 
Metropolitan Police Department, the medical system in Houston--the gang 
known as the Babuk group released thousands of Metropolitan Police 
sensitive documents, and it goes on and on.
  Madam Speaker, I include in the Record four articles regarding this 
issue.

               [From the Forbes Magazine, July 20, 2021]

Turning Up The Heat: A Ransomware Attack On Critical Infrastructure Is 
                          a Nightmare Scenario

               (By Richard Tracy, Forbes Councils Member)

       Ransomware attacks in 2020 were up more than 150% compared 
     to the previous year, while ransomware payments were up over 
     300%.
       Over the past six months, we've seen a number of ransomware 
     attacks against critical infrastructure--from a water 
     treatment facility to a gas pipeline and multiple food 
     distribution companies--all of which present clear and 
     present danger to society. The impact was so dire--with 
     recent research finding over seven ransomware attacks per 
     hour--that the Department of Justice elevated ransomware 
     attacks to a similar priority as terrorism.
       The recent Colonial Pipeline hack, in particular, appears 
     to have struck a nerve, as there is finally discussion about 
     cybersecurity standards for the pipeline industry. That would 
     be a good start and one that is long overdue considering the 
     importance of fuel distribution for our economy and overall 
     way of life.
       However, the oil and gas industry is just one element in a 
     single critical infrastructure sector--the energy sector. DHS 
     has defined sixteen critical infrastructure sectors, and each 
     is deemed critical for the proper functioning of our society. 
     Due to the connected nature of everything these days, each 
     sector is a potential cyber target. Disruption to any 
     critical infrastructure segment has potentially dire 
     economic, safety and national security consequences. As such, 
     it only makes sense to address cybersecurity risk management 
     for all sectors, not just oil and gas.
       The threat goes beyond the pipeline.
       To better understand the need to focus on all critical 
     infrastructure, let's look at the power grid. Imagine a 
     ransomware attack against the power grid that services highly 
     populated areas in the desert southwest. Now, imagine this 
     attack takes place during the hottest part of the summer.
       Think about the heat-related deaths that would likely occur 
     and the impact on medical supplies that require 
     refrigeration. Yes, there are generator backups in hospitals 
     where supplies are stored, but we already know from the 
     pipeline hack that the fuel needed to run these generators 
     can be disrupted too. It's also important to note that 
     hospitals, also considered critical infrastructure, have also 
     suffered from ransomware attacks. In fact, hospitals have had 
     an even bigger target on their backs in recent months. The 
     connected nature of our critical infrastructure compounds the 
     problem and potential impacts.
       To further illustrate how important the power grid is to 
     our citizens, Protect Our Power, an independent, non-profit 
     advocacy and educational organization focused solely on 
     driving increased resilience of the U.S. electric grid to 
     attacks, recently conducted a public opinion poll of 1,095 
     Americans. Most notably, the study found:
       86 percent of Americans are concerned that the grid is 
     vulnerable to a serious cyberattack.
       70 percent say they would feel unsafe in the event of an 
     extended power outage of two weeks or more.
       66 percent believe their quality of life will suffer from 
     an outage lasting more than seven days.
       64 percent say they are unprepared for an extended power 
     outage that will last more than two weeks.
       70 percent say the infrastructure bill should include 
     funding to address this important issue.
       Only 16 percent believe the federal government is doing all 
     it can to prevent an attack on the grid.
       As most Americans agree, the federal government can and 
     should do more to help secure all of our critical 
     infrastructures.
       Recent ransomware attacks against critical infrastructure 
     help us understand standards and practices that would have 
     helped. For example, multi-factor authentication (MFA), a 
     widely recognized best practice, may have prevented the 
     Colonial Pipeline hack. According to GAO, greater and more 
     consistent adoption of the NIST CSF, which was specifically 
     developed to help critical infrastructure manage cyber risk, 
     would benefit cyber risk management efforts across all 
     critical infrastructure sectors.
       In summary, we need to secure all critical infrastructure 
     sectors. The power grid example used here illustrates how 
     dire the consequences could be. It's time to move. Summer is 
     upon us, and the desert southwest is getting hot.
                                  ____


                [From the New York Times, July 19, 2021]

            U.S. Formally Accuses China of Hacking Microsoft

                (By Zolan Kanno-Youngs, David E. Sanger)

       Washington.--The Biden administration on Monday formally 
     accused the Chinese government of breaching Microsoft email 
     systems used by many of the world's largest companies, 
     governments and military contractors, as the United States 
     joined a broad group of allies, including all NATO members, 
     to condemn Beijing for cyberattacks around the world.
       The United States accused China for the first time of 
     paying criminal groups to conduct large-scale hackings, 
     including ransomware attacks to extort companies for millions 
     of dollars, according to a statement from the White House. 
     Microsoft had pointed to hackers linked to the Chinese 
     Ministry of State Security for exploiting holes in the 
     company's email systems in March; the U.S. announcement on 
     Monday morning was the first suggestion that the Chinese 
     government hired criminal groups to hack tens of thousands of 
     computers and networks around the

[[Page H3699]]

     world for ``significant remediation costs for its mostly 
     private sector victims,'' according to the White House.
       Secretary of State Antony J. Blinken said in a statement on 
     Monday that China's Ministry of State Security ``has fostered 
     an ecosystem of criminal contract hackers who carry out both 
     state-sponsored activities and cybercrime for their own 
     financial gain.''
       ``These contract hackers cost governments and businesses 
     billions of dollars in stolen intellectual property, ransom 
     payments, and cybersecurity mitigation efforts, all while the 
     MSS had them on its payroll,'' Mr. Blinken said.
       Condemnation from NATO and the European Union is unusual, 
     because most of their member countries have been deeply 
     reluctant to publicly criticize China, a major trading 
     partner. But even Germany, whose companies were hit hard by 
     the hacking of Microsoft Exchange--email systems that 
     companies maintain on their own, rather than putting them in 
     the cloud--cited the Chinese government for its work.
       ``We call on all states, including China, to uphold their 
     international commitments and obligations and to act 
     responsibly in the international system, including in 
     cyberspace,'' according to a statement from NATO.
       Despite the broadside, the announcement lacked sanctions 
     similar to ones that the White House imposed on Russia in 
     April, when it blamed the country for the extensive 
     SolarWinds attack that affected U.S. government agencies and 
     more than 100 companies. (The Justice Department on Friday 
     did unseal an indictment from May charging four Chinese 
     residents with a campaign to hack computer systems of dozens 
     of companies, universities and government entities in the 
     United States between 2011 and 2018. The hackers developed 
     front companies to hide any role the Chinese government had 
     in backing the operation, according to the Justice 
     Department.)
       By imposing sanctions on Russia and organizing allies to 
     condemn China, the Biden administration has delved deeper 
     into a digital Cold War with its two main geopolitical 
     adversaries than at any time in modern history.
       While there is nothing new about digital espionage from 
     Russia and China--and efforts by Washington to block it--the 
     Biden administration has been surprisingly aggressive in 
     calling out both countries and organizing a coordinated 
     response.
       But so far, it has not yet found the right mix of defensive 
     and offensive actions to create effective deterrence, most 
     outside experts say. And the Russians and the Chinese have 
     grown bolder. The SolarWinds attack, one of the most 
     sophisticated ever detected in the United States, was an 
     effort by Russia's lead intelligence service to alter code in 
     widely used network-management software to gain access to 
     more than 18,000 businesses, federal agencies and think 
     tanks.
       China's effort was not as sophisticated, but it took 
     advantage of a vulnerability that Microsoft had not 
     discovered and used it to conduct espionage and undercut 
     confidence in the security of systems that companies use for 
     their primary communications. It took the Biden 
     administration months to develop what officials say is ``high 
     confidence'' that the hacking of the Microsoft email system 
     was done at the behest of the Ministry of State Security, the 
     senior administration official said, and abetted by private 
     actors who had been hired by Chinese intelligence.
       The last time China was caught in such broad-scale 
     surveillance was in 2014, when it stole more than 22 million 
     security-clearance files from the Office of Personnel 
     Management, allowing a deep understanding of the lives of 
     Americans who are cleared to keep the nation's secrets.
       President Biden has promised to fortify the government, 
     making cybersecurity a focus of his summit meeting in Geneva 
     with President Vladimir V. Putin of Russia last month. But 
     his administration has faced questions about how it will also 
     address the growing threat from China, particularly after the 
     public exposure of the Microsoft hacking.
       Speaking to reporters on Sunday, the senior administration 
     official acknowledged that the public condemnation of China 
     would only do so much to prevent future attacks.
       ``No one action can change China's behavior in 
     cyberspace,'' the official said. ``And neither could just one 
     country acting on its own.''
       But the decision not to impose sanctions on China was also 
     telling: It was a step many allies would not agree to take.
       Instead, the Biden administration settled on corralling 
     enough allies to join the public denunciation of China to 
     maximize pressure on Beijing to curtail the cyberattacks, the 
     official said.
       The joint statement criticizing China, to be issued by the 
     United States, Australia, Britain, Canada, the European 
     Union, Japan and New Zealand, is unusually broad. It is also 
     the first such statement from NATO publicly targeting Beijing 
     for cybercrimes.
       The European Union condemned on Monday ``malicious 
     cyberactivities'' undertaken from the Chinese territory but 
     stopped short of denouncing the responsibility of the Chinese 
     government.
       ``This irresponsible and harmful behavior resulted in 
     security risks and significant economic loss for our 
     government institutions and private companies, and has shown 
     significant spillover and systemic effects for our security, 
     economy and society at large,'' Josep Borrell Fontelles, the 
     E.U.'s foreign policy chief, said in a statement. ``These 
     activities can be linked to the hacker groups,'' the 
     statement added.
       Mr. Borrell called on Chinese authorities not to allow 
     ``its territory to be used'' for such activities, and to 
     ``take all appropriate measures and reasonably available and 
     feasible steps to detect, investigate and address the 
     situation.''
       The National Security Agency, F.B.I. and Cybersecurity and 
     Infrastructure Security Agency also issued an advisory on 
     Monday warning that Chinese hacking presented a ``major 
     threat'' to the United States and its allies. China's targets 
     include ``political, economic, military, and educational 
     institutions, as well as critical infrastructure.''
       Criminal groups hired by the government aim to steal 
     sensitive data, critical technologies and intellectual 
     properties, according to the advisory.
       The F.B.I. took an unusual step in the Microsoft hacking: 
     In addition to investigating the attacks, the agency obtained 
     a court order that allowed it to go into unpatched corporate 
     systems and remove elements of code left by the Chinese 
     hackers that could allow follow-up attacks. It was the first 
     time that the F.B.I. acted to remediate an attack as well as 
     investigate its perpetrators.
                                  ____


            [From the New York Times, Updated June 8, 2021]

     Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity

                 (By David E. Sanger, Nicole Perlroth)

       For years, government officials and industry executives 
     have run elaborate simulations of a targeted cyberattack on 
     the power grid or gas pipelines in the United States, 
     imagining how the country would respond.
       But when the real, this-is-not-a-drill moment arrived, it 
     didn't look anything like the war games.
       The attacker was not a terror group or a hostile state like 
     Russia, China or Iran, as had been assumed in the 
     simulations. It was a criminal extortion ring. The goal was 
     not to disrupt the economy by taking a pipeline offline but 
     to hold corporate data for ransom.
       The most visible effects--long lines of nervous motorists 
     at gas stations--stemmed not from a government response but 
     from a decision by the victim, Colonial Pipeline, which 
     controls nearly half the gasoline, jet fuel and diesel 
     flowing along the East Coast, to turn off the spigot. It did 
     so out of concern that the malware that had infected its 
     back-office functions could make it difficult to bill for 
     fuel delivered along the pipeline or even spread into the 
     pipeline's operating system.
       What happened next was a vivid example of the difference 
     between tabletop simulations and the cascade of consequences 
     that can follow even a relatively unsophisticated attack. The 
     aftereffects of the episode are still playing out, but some 
     of the lessons are already clear, and demonstrate how far the 
     government and private industry have to go in preventing and 
     dealing with cyberattacks and in creating rapid backup 
     systems for when critical infrastructure goes down.
       In this case, the long-held belief that the pipeline's 
     operations were totally isolated from the data systems that 
     were locked up by DarkSide, a ransomware gang believed to be 
     operating out of Russia, turned out to be false. And the 
     company's decision to turn off the pipeline touched off a 
     series of dominoes including panic buying at the pumps and a 
     quiet fear inside the government that the damage could spread 
     quickly.
       A confidential assessment prepared by the Energy and 
     Homeland Security Departments found that the country could 
     only afford another three to five days with the Colonial 
     pipeline shut down before buses and other mass transit would 
     have to limit operations because of a lack of diesel fuel. 
     Chemical factories and refinery operations would also shut 
     down because there would be no way to distribute what they 
     produced, the report said.
       And while President Biden's aides announced efforts to find 
     alternative ways to haul gasoline and jet fuel up the East 
     Coast, none were immediately in place. There was a shortage 
     of truck drivers, and of tanker cars for trains.
       ``Every fragility was exposed,'' said Dmitri Alperovitch, a 
     co-founder of CrowdStrike, a cybersecurity firm, and now 
     chairman of the think tank Silverado Policy Accelerator. ``We 
     learned a lot about what could go wrong. Unfortunately, so 
     did our adversaries.''
       The list of lessons is long. Colonial, a private company, 
     may have thought it had an impermeable wall of protections, 
     but it was easily breached. Even after it paid the 
     extortionists nearly $5 million in digital currency to 
     recover its data, the company found that the process of 
     decrypting its data and turning the pipeline back on again 
     was agonizingly slow, meaning it will still be days before 
     the East Coast gets back to normal.
       ``This is not like flicking on a light switch,'' Mr. Biden 
     said Thursday, noting that the 5,500-mile pipeline had never 
     before been shut down.
       For the administration, the event proved a perilous week in 
     crisis management. Mr. Biden told aides, one recalled, that 
     nothing could wreak political damage faster than television 
     images of gas lines and rising prices, with the inevitable 
     comparison to Jimmy Carter's worse moments as president.
       Mr. Biden feared that, unless the pipeline resumed 
     operations, panic receded and price gouging was nipped in the 
     bud, the situation

[[Page H3700]]

     would feed concerns that the economic recovery is still 
     fragile and that inflation is rising.
       Beyond the flurry of actions to get oil moving on trucks, 
     trains and ships, Mr. Biden published a long-gestating 
     executive order that, for the first time, seeks to mandate 
     changes in cybersecurity.
       And he suggested that he was willing to take steps that the 
     Obama administration hesitated to take during the 2016 
     election hacks--direct action to strike back at the 
     attackers.
       ``We're also going to pursue a measure to disrupt their 
     ability to operate,'' Mr. Biden said, a line that seemed to 
     hint that United States Cyber Command, the military's 
     cyberwarfare force, was being authorized to kick DarkSide off 
     line, much as it did to another ransomware group in the fall 
     ahead of the presidential election.
       Hours later, the group's internet sites went dark. By early 
     Friday, DarkSide, and several other ransomware groups, 
     including Babuk, which has hacked Washington D.C.'s police 
     department, announced they were getting out of the game.
       DarkSide alluded to disruptive action by an unspecified law 
     enforcement agency, though it was not clear if that was the 
     result of U.S. action or pressure from Russia ahead of Mr. 
     Biden's expected summit with President Vladimir V. Putin. And 
     going quiet might simply have reflected a decision by the 
     ransomware gang to frustrate retaliation efforts by shutting 
     down its operations, perhaps temporarily.
       The Pentagon's Cyber Command referred questions to the 
     National Security Council, which declined to comment.
       The episode underscored the emergence of a new ``blended 
     threat,'' one that may come from cybercriminals, but is often 
     tolerated, and sometimes encouraged, by a nation that sees 
     the attacks as serving its interests. That is why Mr. Biden 
     singled out Russia--not as the culprit, but as the nation 
     that harbors more ransomware groups than any other country.
       ``We do not believe the Russian government was involved in 
     this attack, but we do have strong reason to believe the 
     criminals who did this attack are living in Russia,'' Mr. 
     Biden said. ``We have been in direct communication with 
     Moscow about the imperative for responsible countries to take 
     action against these ransomware networks.''
       With DarkSide's systems down, it is unclear how Mr. Biden's 
     administration would retaliate further, beyond possible 
     indictments and sanctions, which have not deterred Russian 
     cybercriminals before. Striking back with a cyberattack also 
     carries its own risks of escalation.
       The administration also has to reckon with the fact that so 
     much of America's critical infrastructure is owned and 
     operated by the private sector and remains ripe for attack.
       ``This attack has exposed just how poor our resilience 
     is,'' said Kiersten E. Todt, the managing director of the 
     nonprofit Cyber Readiness Institute. ``We are overthinking 
     the threat, when we're still not doing the bare basics to 
     secure our critical infrastructure.''
       The good news, some officials said, was that Americans got 
     a wake-up call. Congress came face-to-face with the reality 
     that the federal government lacks the authority to require 
     the companies that control more than 80 percent of the 
     nation's critical infrastructure adopt minimal levels of 
     cybersecurity.
       The bad news, they said, was that American adversaries--not 
     only superpowers but terrorists and cybercriminals--learned 
     just how little it takes to incite chaos across a large part 
     of the country, even if they do not break into the core of 
     the electric grid, or the operational control systems that 
     move gasoline, water and propane around the country.
       Something as basic as a well-designed ransomware attack may 
     easily do the trick, while offering plausible deniability to 
     states like Russia, China and Iran that often tap outsiders 
     for sensitive cyberoperations.
       It remains a mystery how DarkSide first broke into 
     Colonial's business network. The privately held company has 
     said virtually nothing about how the attack unfolded, at 
     least in public. It waited four days before having any 
     substantive discussions with the administration, an eternity 
     during a cyberattack.
       Cybersecurity experts also note that Colonial Pipeline 
     would never have had to shut down its pipeline if it had more 
     confidence in the separation between its business network and 
     pipeline operations.
       ``There should absolutely be separation between data 
     management and the actual operational technology,'' Ms. Todt 
     said. ``Not doing the basics is frankly inexcusable for a 
     company that carries 45 percent of gas to the East Coast.''
       Other pipeline operators in the United States deploy 
     advanced firewalls between their data and their operations 
     that only allow data to flow one direction, out of the 
     pipeline, and would prevent a ransomware attack from 
     spreading in.
       Colonial Pipeline has not said whether it deployed that 
     level of security on its pipeline. Industry analysts say many 
     critical infrastructure operators say installing such 
     unidirectional gateways along a 5,500-mile pipeline can be 
     complicated or prohibitively expensive. Others say the cost 
     to deploy those safeguards are still cheaper than the losses 
     from potential downtime.
       Deterring ransomware criminals, which have been growing in 
     number and brazenness over the past few years, will certainly 
     be more difficult than deterring nations. But this week made 
     the urgency clear.
       ``It's all fun and games when we are stealing each other's 
     money,'' Sue Gordon, a former principal deputy director of 
     national intelligence and a longtime C.I.A. analyst with a 
     specialty in cyber issues, said at a conference held by The 
     Cipher Brief, an online intelligence newsletter. ``When we 
     are messing with a society's ability to operate, we can't 
     tolerate it.''
                                  ____


 [From MeriTalk: Improving the Outcomes of Government IT, May 20, 2021]

   House Homeland Security Committee Advances Slate of Cybersecurity 
                                 Bills

                           (By Lamar Johnson)

       The House Homeland Security Committee voted May 18 to 
     advance five bills that would look to improve the nation's 
     cybersecurity in several areas, including protecting pipeline 
     infrastructure, testing cybersecurity readiness, and 
     improving state and local cybersecurity, among others.
       The bills to advance out of committee included the Pipeline 
     Security Act, the CISA (Cybersecurity and Infrastructure 
     Security Agency) Cyber Exercise Act, and the State and Local 
     Cybersecurity Improvement Act. Also advanced out of committee 
     were the Cybersecurity Vulnerability Remediation Act, 
     introduced by Rep. Sheila Jackson Lee, D-Tex., and the 
     Domains Critical to Homeland Security Act, introduced by Rep. 
     John Katko, R-N.Y., the ranking member on the committee.
       ``Since the beginning of this Congress, this Committee has 
     engaged in extensive oversight of these events and how the 
     Federal government partners with others to defend our 
     networks,'' Chairman Bennie Thompson, D-Miss., said in a 
     release. ``The legislation we reported today was the result 
     of this oversight. I am pleased that they received broad 
     bipartisan support and hope they are considered on the House 
     floor in short order.''
       The Pipeline Security Act was reintroduced by Rep. Emmanuel 
     Cleaver, D-Mo., just a day before advancing out of committee, 
     with the Colonial Pipeline ransomware attack still top of 
     mind. If passed, it will codify CISA and the Transportation 
     Security Agency's responsibilities in protecting pipelines 
     from cyberattacks and terrorist attacks.
       ``The Colonial Pipeline ransomware attack that shut down 
     one [of] our nation's largest pipelines and triggered fuel 
     shortages across the northeast has brought new urgency to our 
     work to protect the country's critical infrastructure. This 
     attack also follows a string of disturbing cyberattacks 
     against government entities and the private sector,'' 
     Thompson said.
       The CISA Cyber Exercise Act would authorize and require 
     CISA to establish a National Cyber Exercise Program 
     responsible for testing the nation's cyber readiness. The 
     bill was introduced by Elissa Slotkin, D-Mich., and would 
     direct the agency to create a set of exercises that states, 
     local governments, and private sector businesses could use to 
     test their cyber readiness.
       State and local governments get a win with the advancement 
     of the State and Local Cybersecurity Improvement Act. The 
     bill was reintroduced by Rep. Yvette Clarke, D-N.Y., on May 
     12, and a similar version passed in the House in the last 
     Congress. The bill would direct the Department of Homeland 
     Security (DHS) to create a $500 million-per-year grant 
     program to incentivize state and local governments to work to 
     improve their cybersecurity.
       The committee also advanced two bills aimed at protecting 
     critical infrastructure and the supply chain after a recent 
     spate of cyberattacks exposed vulnerabilities in the 
     cybersecurity of each.
       Rep. Lee's Cybersecurity Vulnerability Remediation Act 
     would authorize CISA to work with the owners and operators of 
     critical infrastructure on mitigation strategies around known 
     and critical vulnerabilities. Rep. Katko's Domains Critical 
     to Homeland Security Act would direct DHS to do research and 
     development around supply chain risks in domains that are 
     critical to the nation's economy. It would then be required 
     to submit that report to Congress.
       The next step for all these bills is a vote on the full 
     House floor.

  Ms. JACKSON LEE. Madam Speaker, I ask my colleagues to support this 
legislation because there is a known list of these attacks from the ISS 
World to the $50 million paid. I ask my colleagues to support this 
legislation, and I ask my friends in the other body, to pass this 
legislation so it becomes law.
  Madam Speaker, I rise in support of H.R. 2980, ``The Cybersecurity 
Vulnerability Remediation Act,'' which authorizes the Department of 
Homeland Security to take actions to counter cybersecurity 
vulnerabilities in our nation's critical infrastructure.
  I thank Chairman Thompson and Ranking Member Katko for their 
leadership in putting the security of our nation's cyber assets first, 
whether they are computing resources used in voting technology or 
industrial control systems that support the delivery of electricity, 
oil and gas, or management of transportation systems that are vital to 
our nation's economic health.

[[Page H3701]]

  The Cybersecurity Vulnerability Remediation Act was introduced and 
passed the House during the 115th and 116th Congresses and has been 
updated again in the 117th Congress to meet the ever-evolving nature of 
cyber threats faced by federal and private sector information systems 
and our nation's critical infrastructure.
  This bill goes significantly further than the first Cybersecurity 
Vulnerability bill that I introduced in the 115th Congress, to address 
the instance of Zero Day Events that can lead to catastrophic 
cybersecurity failures of information and computing systems.
  It is estimated that eighty-five percent of critical infrastructure 
is owned by the private sector and for far too long this fact has 
hampered efforts to establish stronger requirements for cybersecurity 
by owners and operators.
  Private sector critical infrastructure failure due to a cyberattack 
is no longer a private matter when it can have massive impacts on the 
public such as the disruption of gasoline flowing to filling stations.
  The Jackson Lee Cybersecurity Vulnerability Remediation Act will:
  Expand the definition of security vulnerability to include 
cybersecurity vulnerability;
  Add sharing mitigation protocols to counter cybersecurity 
vulnerabilities;
  Establish protocols to counter cybersecurity vulnerabilities 
involving information systems and industrial control systems, which 
will include vulnerabilities related to software, or hardware that is 
no longer supported by a vendor;
  Direct the Under Secretary for the DHS Office of Science and 
Technology to stand up a competition to find solutions to known 
cybersecurity vulnerabilities; and
  Provide greater transparency on how the Department of Homeland 
Security's Cybersecurity and Information Security Agency (CISA) is 
coordinating cybersecurity vulnerability disclosures through the 
sharing of actionable protocols to mitigate cybersecurity 
vulnerabilities with information systems and industrial control systems 
owners and operators.
  H.R. 2890 bolsters the efforts to engage critical infrastructure 
owners and operators in communicating cybersecurity threats; and lays 
the foundation for greater transparency on the real threats posed by 
cyberterrorist to private and government sector critical infrastructure 
and information systems.
  The legislation allows the Science and Technology Directorate in 
consultation with CISA to establish an incentive based program that 
allows industry, individuals, academia, and others to compete in 
identifying remediation solutions for cybersecurity vulnerabilities to 
information systems and industrial control systems including 
supervisory control and data acquisition systems.
  This bill when it becomes law would put our nation's best minds to 
work on closing the vulnerabilities that cyber-thieves and terrorists 
use to access, disrupt, corrupt, or take control of critical 
infrastructure and information systems.
  In addition to these changes, the bill requires a report to Congress 
that may contain a classified annex.
  The report will provide information on how DHS:
  Coordinates cybersecurity vulnerability disclosures; and
  Disseminates actionable protocols to mitigate cybersecurity 
vulnerabilities involving information system and industrial systems.
  Congress needs to know how prevalent and persistent cybersecurity 
threats targeting critical infrastructure and information systems might 
be, especially if those threats result in a payment of ransom.
  Paying a ransom for ransomware emboldens and encourages bad cyber 
actors and places everyone at greater risk for the financial and 
societal costs of increases in threats as others seek payouts.
  As long as there is silence about cyber-attacks like ransomware the 
criminals and terrorists will remain out of reach and continue to feel 
safe in carrying out these attacks often from the soil of our enemies 
or peer competitors.
  A company cannot stand up to Russia or China, but the United States 
can and has done so to protect our national interest.
  I applaud and thank the Biden Administration for its quick action to 
respond to the attack against Colonial Pipeline in issuing a new 
Executive Order.
  Today, our nation is in a cybersecurity crisis.
  My concern regarding the security of information networks began in 
2015 when the Office of Personnel Management's data breach resulted in 
the theft of millions of sensitive personnel records on federal 
employees.
  The attacks against federal, state, local, territorial, and tribal 
governments, as well as threats posed to private information systems, 
and critical infrastructure systems makes this bill necessary.
  On May 13, 2021 it was reported that the DC Metropolitan Police 
Department had experienced the worst reported cyberattack against a 
police department in the United States.
  The gang, known as the Babuk group, released thousands of the 
Metropolitan Police Department's sensitive documents on the dark web 
because the department would not pay.
  Cyberthreats are not limited to information related to government 
employees.
  In February 2021, a cyberattack on an Oldsmar, Florida water 
treatment facility involved increasing the levels of sodium hydroxide 
from 100 parts per million to 11,100 parts per million in drinking 
water.
  However, the levels of this chemical in the water produced by 
Oldsmar, Florida were increased to levels that would cause harm to 
people if they drank or used it.
  This is just one example of how terrorists can attack critical 
infrastructure and cause threats to health, safety and life.
  Cyber terrorists and cyber criminals are also motivated to attack 
information networks in exchange for money.
  The sources of revenue from cyberattacks have moved from demands of 
payment for thieves not to release information--to the sale of stolen 
information on the dark web and now to a sophisticated denial of 
service attack in the form of ransomware that locks a system using 
encryption until the victim pays.
  A list of known ransomware attacks in 2020 that are suspected of 
paying ransoms, included:
  ISS World (Denmark) paid an estimated cost: $74 million;
  Cognizant (US) paid an estimated $50 million;
  Sopra Steria (French) paid estimated $50 million;
  Redcar and Cleveland Council (UK) paid an estimated $14 million; and
  University of California San Francisco (US) paid an estimated $1.14 
million.
  There are likely many other attacks that are not publicly known and 
this must change if we are to defeat this threat.
  Ransomware is becoming the tool of choice for those seeking a payout 
because it can be carried out against anyone or any entity by 
perpetrators who are far from U.S. shores.
  The Colonial Pipeline incident is just one in a long line of 
successful attacks or infiltrations carried out against domestic 
information systems and critical infrastructure with increasing 
consequences for the life, health, safety, and economic security of our 
citizens.
  CEO Joseph Blount testified before the U.S. Senate that the attack 
occurred using a legacy Virtual Private Network (VPN) system that did 
not have multifactor authentication.
  In other words, hackers were able to gain access to this critical 
infrastructure as a result of a single compromised password.
  There would be no need for the Cybersecurity Vulnerability 
Remediation Act if owners and operators were succeeding in meeting the 
cybersecurity needs of critical infrastructure.
  I know that there is more that should and ought to be done to address 
the issue of cybercrime and I will be pursuing this avenue under the 
jurisdiction of the House Judiciary Committee, as the chair of the 
Subcommittee on Crime, Terrorism and Homeland Security.
  Madam Speaker, I ask that my colleagues vote in support of H.R. 2890.
  Mr. KATKO. Madam Speaker, I have no further speakers, and I urge 
Members to support this bill. I yield back the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of 
my time.
  Madam Speaker, our adversaries are showing no signs of slowing their 
efforts to undermine U.S. interests in cyberspace.
  Most often, hackers exploit known vulnerabilities. The Federal 
Government can and should support efforts to address and mitigate known 
vulnerabilities.
  H.R. 2980 would do just that.
  I thank the gentlewoman from Texas for her foresight, and I urge my 
colleagues to support the bill.
  Madam Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Ms. Clarke) that the House suspend the rules 
and pass the bill, H.R. 2980, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the 
yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.

                          ____________________