
Acting CISA Director Testifies on SolarWinds, Federal Cybersecurity. C-SPAN, April 5, 2021, 6:05pm-8:01pm EDT

6:05 pm
Winds cyber breach, which took place in September, affected a number of government agencies. Up next, representatives from the Cybersecurity and Infrastructure Security Agency talk about that cyberattack and ways to secure those systems. This is just under two hours. >> At this hearing -- we must address a few housekeeping matters. Members are responsible for muting and unmuting themselves when you are recognized to speak. If I notice you have not unmuted yourself, I will ask you if you would like the staff to unmute you. If you indicate approval by nodding, staff will unmute your microphone. To avoid inadvertent background noise, the chair or staff designated by the chair may mute participant microphones when they are not recognized to speak. I remind all members and witnesses that the five-minute clock still applies. If there is a technology issue during your time, we will move to
6:06 pm
the next member until the issue is resolved, and you will retain the balance of your time. You will notice a clock on your screen showing the remaining time. At one minute remaining, the clock will turn yellow. At 30 seconds remaining, I will gently tap the gavel to remind members speaking that the time is almost expired. When your time has expired, the clock will turn red and I will begin to recognize the next member. We will follow the speaking order set forth in the House rules, beginning with the chair and ranking member, followed by members present at the time the hearing is called to order, in order of seniority, and we will alternate by party. Next we will go to members who were not present when the hearing was called to order, until every member present has had their first round. Finally, House rules require me to remind you that we have set up an e-mail address to which members can submit information in writing at any of our
6:07 pm
hearings or markups. That e-mail address was provided in advance to your staff. Now, with that business out of the way, I would welcome everyone to the first Department of Homeland Security Subcommittee hearing of the 117th Congress. I particularly want to welcome our new members, Ms. Underwood, Mr. Quigley and Ms. Hanson. Welcome also to today's witnesses, Acting Director Wales and Assistant Director Goldstein of the Cybersecurity and Infrastructure Security Agency. I will make my opening statement brief to maximize time for questions. Acting Director Wales, you have been asked to step into an interim role as CISA director, and we very much appreciate your service in this capacity. We have spoken about some of the recent challenges you and CISA face, and I want to reaffirm my
6:08 pm
commitment to helping you address them. The SolarWinds incident, a water treatment system in Florida, and most recently the compromise of Microsoft Exchange Server demonstrate that cybersecurity breaches are no longer isolated incidents. Networks are an emerging battlefield for both the public and private sector. In the case of the SolarWinds incident, it took far too long to become aware that a foreign adversary had infiltrated federal civilian agency networks and exfiltrated sensitive data. I am deeply concerned about how long it will take to learn the full extent of that compromise, and we are just beginning to learn about the impact of the Microsoft Exchange Server intrusion. It is also unnerving how easy it was for a hacker to manipulate the control system of the
6:09 pm
Florida treatment plant, increasing the lead levels, which could have led to tragedy if the supervisor had not noticed it in time. It is clear that we need to be investing much more in preventing, mitigating, and responding to cyber intrusions and attacks. The $1.9 trillion American Rescue Plan includes significant funding to quickly improve the federal civilian cybersecurity posture, including $650 million for CISA. I look forward to hearing more from you on that today and on the overall vision for modernizing the approach to cybersecurity. I would now like to turn to the distinguished gentleman from Tennessee, Ranking Member Fleischmann, for his opening comments. >> Thank you, Madam Chair, and
6:10 pm
as always it is a pleasure to work with you and yours in this subcommittee and on the full committee as well. Welcome, Acting Director Wales and Assistant Director Goldstein, and thank you for joining us today as we look into ways to help modernize the Cybersecurity and Infrastructure Security Agency. First off, I know that we are here to identify problems and hopefully to come to agreement on some recommended areas for improvement to the government's protection of and response to cyber attacks, but first let me take this opportunity to address that the scope of this hearing is not just to critique the work that you and the men and women at CISA have done to this point. With limited resources at your disposal you have done a tremendous job, and I thank you. It's unfortunate that in the world of cybersecurity it is almost a thankless job,
6:11 pm
where in the best case scenario all of your work allows government operations and agencies to continue unhindered and all your hard work goes almost completely unnoticed, and at worst, only your shortcomings are brought up after a major attack occurs. So please pass on our thanks to your workforce and let them know that we appreciate their efforts. Unfortunately, despite our best efforts, nation-state actors with access to significant funds and resources have found a way to thwart our best protections and exploit our vulnerabilities, as we have seen from the Russian-backed SolarWinds attack and the much more recent China attack based on Microsoft's Exchange servers. We have learned from these attacks that our adversaries are not fully aware of our capabilities, but they are shrewd and cunning enough to go around them, exploiting weaknesses and taking advantage of our
6:12 pm
vulnerabilities in real time, almost completely undetected. The cyber world is certainly a challenging one, whose vulnerabilities and shortcomings are not always readily apparent. Given the speed at which technology advances, and the skills and abilities of bad actors with it, we must ensure that we are doing everything we can to keep up with new advancements, allowing ourselves the ability to both better recognize our shortcomings and better protect, identify and respond to any future attacks. I look forward to your testimony on CISA's recommendations for improvements, and the ensuing conversations on how to best protect our cyber infrastructure moving forward. Thank you for being here. I look forward to your testimony. Madam Chair, I yield back. >> Acting Director Wales, we will submit the full text of your official statement for the record. Please begin your oral summary.
6:13 pm
>> Thank you, and good morning Chairwoman DeLauro, Chairwoman Roybal-Allard and members of the committee. Thank you for allowing me to testify today regarding the Cybersecurity and Infrastructure Security Agency's perspective on modernizing the federal civilian approach to cybersecurity. If we needed any reminder of the significance of the cyber threats we face to our national and economic security, the last three months, and indeed the last week, should serve as a warning. We must invest in and focus on modernizing our cybersecurity and network infrastructure in order to truly defend today and secure tomorrow. CISA leads the nation's efforts on defensive cybersecurity, physical security and resilience of our critical infrastructure. We share information between the federal government, state and local governments, the private sector, international partners -- [inaudible]
6:14 pm
and the law enforcement, intelligence and defense community. This has proven invaluable in managing recent cyber events, and I cannot understate how important collective defense is for cybersecurity. We also know there's a lot more work that needs to be done. Today I will focus on two recent significant cybersecurity incidents. First, the exploitation of Microsoft Exchange vulnerabilities last week, and second, the supply chain compromise the federal government was alerted to in December 2020. Starting with the Exchange vulnerabilities: on March 2, CISA -- Microsoft disclosed previously unknown vulnerabilities in Microsoft Exchange products. Through a coordinated disclosure process, our organization helped all partners ensure vulnerability mitigation actions were quickly shared broadly. On March 3, CISA issued Emergency Directive 21-02, requiring federal civilian departments and agencies to
6:15 pm
investigate, patch and, if necessary, disconnect vulnerable products from the network. This reflects our determination that these vulnerabilities pose an unacceptable risk to federal networks and require emergency action. CISA is aware of widespread exploitation and has reports of malicious actors using these vulnerabilities to gain access to target organizations in the United States and globally. Importantly, once an adversary gains access to a Microsoft Exchange server, they can access and control the enterprise network even after the vulnerabilities are patched. Malicious exploitation could be conducted by actors with various motivations, from stealing information to executing ransomware attacks or physically damaging connected infrastructure. CISA has stood up a website as a consolidated resource and a mechanism for all of our information on this vulnerability. We are using all of our forums to share this information quickly
6:16 pm
and broadly with our partners. Switching to the supply chain compromise: late last year, CISA became aware of a broad cyber intrusion campaign, in large part associated with the supply chain compromise of SolarWinds Orion network management software. Nearly 18,000 entities were potentially exposed to the malicious software. CISA estimates a much smaller number were compromised, where the threat actor activated a malicious backdoor installed in the SolarWinds product and moved into an exposed network. Once inside the network, the actor was able to use the privileged access to view the authentication methods that control trust and identity, ultimately allowing them to access e-mail and other data from compromised networks and Microsoft Office 365 cloud environments. The primary objective of the threat actor appears to be gaining access to unclassified information to identify additional opportunities to compromise the I.T. supply chain.
6:17 pm
CISA's response to this campaign falls under four primary lines of effort: one, scoping the campaign; two, sharing information; three, supporting short-term remediation; and four, providing guidance and assistance in long-term network recovery. These lines of effort form the framework around which we think about our response to any cyber incident. We continue to work this campaign aggressively. Just yesterday we rolled out a new website that consolidates information resources on best practices to prepare federal departments and agencies for long-term actions to build more secure, resilient networks. Before I close, let me address a more fundamental question: what does this all mean? The Microsoft Exchange vulnerabilities and the SolarWinds campaign highlight the lengths to which sophisticated adversaries will go to compromise our networks. They will use never-seen-before techniques, exquisite
6:18 pm
tradecraft, and zero-day vulnerabilities to defeat our current cybersecurity architecture. Knowing that, we must raise our game. We need modern cybersecurity governance and capabilities. We need cybersecurity tools and services that provide us a better chance of detecting the most sophisticated attacks, and we need to rethink our approach to managing cybersecurity across 101 federal civilian executive branch agencies. Thank you again for the opportunity to testify, and I will now turn the discussion over to the newly appointed Cybersecurity Division Executive Assistant Director Eric Goldstein to talk about the direction we're headed, the capabilities we need and what you can do to help. >> Thank you. Chairwoman DeLauro, Chairwoman Roybal-Allard, Ranking Member Fleischmann, thank you for the chance to speak with you and the committee today. This is my first hearing before the committee in my new capacity as Executive Assistant Director for Cybersecurity within CISA. I would like to commend the
6:19 pm
committee first and foremost for focusing on this urgent national security threat. I look forward to partnering with the committee to ensure that our nation has the capabilities and resources to address rapidly increasing cybersecurity risks. The director gave an overview of recent incidents affecting public and private entities of all types. These incidents reflect the need to strengthen our nation's cyber defenses, invest in new capabilities and begin to fundamentally change how we think about cybersecurity. Even as CISA responds to the impact of these immediate incidents, we are looking ahead to ensure that CISA is appropriately postured to defend today and secure tomorrow. To this end, we are focused on urgent improvements across four areas of strategic growth. First, we must increase our visibility into cyber -- into
6:20 pm
cybersecurity risks across the federal civilian executive branch and, where feasible, across non-federal entities. Second, we must expand CISA's incident response. Third, we must improve our ability to analyze large volumes of cybersecurity information to rapidly identify emerging threats and direct mitigation. And fourth, but perhaps strategically most important, we must drive adoption of more defensible networks, including progressing towards a zero trust environment where we assume that networks are compromised and focus on protecting the users. Turning to a key priority: operational visibility. We must increase and improve our insight into federal agencies' cloud environments and the servers and computers that agencies use to conduct their daily business. This is particularly important during COVID-19, as the federal workforce has moved to increased remote work, a trend we expect to continue, and an increase in
6:21 pm
use of cloud computing. To achieve this goal we must provide agencies with detection tools and build our ability to analyze the data arising from them. While no organization can prevent every cyber intrusion, increased visibility will let us detect and respond to incidents more quickly, thereby limiting harm to organizations. As we expand our visibility, we will also detect more cybersecurity incidents. To this end, we must further develop our incident response capacity to hunt for threats on federal networks and provide urgent assistance to compromised entities. While we are effective at responding to incidents today, our resources must be fortified to ensure that we can meet demand in the future. Going forward, we must shift to a persistent threat hunting model in which CISA searches for malicious activity across partner networks, as authorized by the FY '21 National Defense Authorization Act.
6:22 pm
In addition to increasing our incident response capacity, we must also develop and refine our analytic capabilities so we can analyze cybersecurity data and rapidly identify risks across the executive branch. And lastly, over the long term, we must facilitate adoption of more defensible networks, including by offering shared services to federal agencies to raise the baseline of cybersecurity across the executive branch and providing agencies with tools and guidance to move to zero trust principles, where again we presume that network perimeters can be compromised and focus on protecting the critical assets within each network. We deeply appreciate Congress's consideration of additional funding to address these priorities, which are urgently needed to provide foundational capabilities across the federal civilian executive branch. These investments are critically to be considered a down payment on a sustained effort required to improve and modernize federal
6:23 pm
civilian cybersecurity over the long term. It's now more critical than ever to focus on securing the federal civilian government and responding quickly when a compromise occurs. By enhancing our visibility into agency networks, moving towards a posture of proactive hunting and deploying more defensible network architectures, we can both effectively ensure that the federal government can provide the critical services upon which the American people depend. Thank you again for this chance to speak with you. We look forward to taking your questions. >> Thank you. Before we go to questions, I understand that the chairwoman of the full committee is here, and I would like to ask if she has any opening comments that she would like to make before we go into questions. >> What I will do, Madam Chair, thank you very, very much, but I will submit my opening remarks for the record and then we will move to questions. Thank you. Thank you very, very much for the opportunity. Appreciate it.
6:24 pm
So SolarWinds is what I would like to talk about right now. It has been three months since we first learned about the significant supply chain cyber incident involving SolarWinds software, but many questions still remain, and I know that you and your team have been working tirelessly to address this problem and that you shared this responsibility with the FBI, ODNI, the NSA, U.S. Cyber Command and your private sector partners, and impacted agencies and companies. Unfortunately, last week we learned about another set of compromises associated with vulnerabilities in on-premises Microsoft Exchange servers. In the case of the SolarWinds incident, please describe how the
6:25 pm
adversary was able to access our networks and exfiltrate data and information for months, if not longer, without being detected. And also, what information was removed from federal civilian networks, and do we know whether the adversary did anything other than steal information, such as manipulate or delete information or otherwise alter our systems and networks? >> Sure, thank you, Chairwoman. What I would say is that the actor in this case used extremely sophisticated techniques to bypass the security that is in place at agencies, as well as at the significant number of private sector companies that were compromised as part of the campaign. By executing a supply chain attack, by compromising the SolarWinds product and putting the backdoor inside of one of
6:26 pm
their legitimate patches, that bypasses all of the normal traditional perimeter security that is in place to protect agencies. And so it was a trusted patch that was installed by network operators, and because of the nature of the SolarWinds products, that they have broad administrative rights, they are usually given broad rights, that gave the actor access to the network and allowed them to escalate their privileges in ways we could not see. I think that, and as Eric highlighted, this really highlights the need for us to have better insight and visibility inside of networks. Conducting security at the edge, on the perimeter, is increasingly
6:27 pm
lacking the ability to detect the more sophisticated types of attacks, which can only be seen on individual workstations or individual servers. That's why we're pushing for this increase in visibility down inside networks. But to your larger question on what they stole and whether they did anything else, we continue to believe this was largely an espionage operation aimed at collecting information, largely based on Microsoft Office 365 e-mail for agency personnel. In many cases that was extremely targeted. There were usually only a couple dozen individuals at an agency that were targeted as part of this campaign, and we have no evidence at this time that the actor did anything except steal information. >> In the case of the more recent Microsoft Exchange Server compromises, were federal agencies compromised, and if so, what is the impact and what
6:28 pm
steps has CISA taken to help agencies recover? >> So we are still in the early days of the investigation of the exploitation of Microsoft Exchange Server, as the director noted. CISA issued a directive which required all federal civilian agencies to both analyze their networks for indications of compromise and to immediately patch. We have seen outstanding responses to that directive, and now the vast majority of Microsoft Exchange servers have been mitigated across the federal civilian executive branch. We are working with individual agencies to assess the results of the forensic analysis. At this point in time, there are no federal civilian agencies that are confirmed to be compromised by this campaign. However, CISA is working with individual agencies to assess the results of their analysis, and this is an evolving campaign
6:29 pm
with new information coming in by the hour. >> Mr. Fleischmann. >> Thank you, Madam Chair, and I also wanted to acknowledge and thank the full committee chair, Chair DeLauro, for joining us today. Thank you, Madam Chair, for being with us as well. In the supply chain attack by Russian state actors, we first learned about the compromise in early December, but we have since determined that the compromise itself began many months prior to that. Without getting into why it took so long for us to learn that we had been compromised, I want to get to another underlying issue, to my questions. Assuming we knew that a supply chain attack was a significant vulnerability, how long have we known this? And what was done previously, if anything, to address this concern? My other question would be, more
6:30 pm
importantly, how can we better understand where our vulnerabilities are, and once identified, ensure we are addressing them? Thank you. >> Sure. Thank you, Ranking Member. I'll take the first part and allow Assistant Director Goldstein to take on the second. I would say there was a substantial amount of work done on supply chain security over the last several years, including several executive orders focused on improving the information and communications technology supply chain. There was the passage of the Federal Acquisition Supply Chain Security Council, which was stood up for federal agencies at the civilian, the national security systems, and intelligence communities to work together to assess supply chain risks and take action to remove potential supply chain dangers out of federal networks. But there is still more work to be done, and I think the SolarWinds
6:31 pm
campaign highlights where trusted patches from otherwise legitimate companies that have a strong business are involved, we need different approaches to work with them. How do we ensure that when the federal government takes on software from a supplier, that software is free of malicious backdoors? That's going to take more work. It is also one of the key principles we need to put in place, a zero trust mindset where even if -- that might be compromised, you have built enough protections around it. You have segmented your network properly, so the introduction of that piece of compromised code will have minimal impact.
6:32 pm
is one way we know our adversaries can compromise victim networks, and we need to work through the Federal Acquisition Security Council to make sure we are raising the bar for software assurance and supply-side integrity across the executive branch, and there's more work we can assuredly do there. At the same time, it's important to appreciate, as Matthew Zucker noted, this was truly an exquisite attack perpetrated by sophisticated actors who put in a significant amount of time and resources, so we need to adopt a principle in cybersecurity that is called the kill chain, in which we are trying to prevent an intrusion at multiple stages,
6:33 pm
so even if we are unable to prevent the supply chain compromise, we are detecting the lateral movement across a network, or we are detecting the escalation of privileges when the adversary attempts to compromise the authentication systems used to gain access to a network, and on down the line. So we need robust layers of defense within each federal civilian executive branch network, with data from those layers coming back to CISA so we can correlate security trends across the executive branch and identify these sorts of deeply mature intrusions before they are able to come in one end and cause lasting damage. >> I'm mindful of my time, and I'll be brief and ask for a brief response. In regard to the existing vulnerabilities and finding ways to mitigate them, can you describe in layman's terms the vulnerabilities of the Microsoft attack, along with how long we've known about
6:34 pm
this weakness? >> Very quickly. >> Yes sir, I'll do my best. CISA was made aware of this vulnerability along with Microsoft on March 2, last Tuesday. As noted, we moved urgently to issue a directive and direct remediation of the vulnerability. This was a previously unknown flaw in Microsoft Exchange Server that allowed an adversary to use a combination of vulnerabilities to gain remote access to the server and execute remote commands, potentially exfiltrating data. We are now seeing adversaries deploy what are known as web shells, which is a very small bit of code that the adversary can use a vulnerability to deploy on a Microsoft Exchange server. Those shells can be hard to detect and allow the adversary to execute additional commands or to
6:35 pm
take further actions to steal information or launch more destructive types of attacks. So this was a previously unknown flaw in Microsoft Exchange Server that was identified by CISA and Microsoft last week and urgently directed to be remediated immediately. >> Thank you, Director Goldstein, and I yield back. >> I think these efforts and resources have gone into developing a National Cybersecurity Protection System, also known as Einstein. This is a perimeter defense tool, yet our adversaries do not seem to be deterred by it. Why is Einstein not more effective at keeping our adversaries off of federal networks? And as a follow-up question, with the changing technology landscape
6:36 pm
and increasing sophistication of our adversaries' techniques, how does CISA's cybersecurity strategy need to change, and what in particular does the future of Einstein look like? Why is it not more effective at keeping our adversaries off the federal network? >> Thank you, it's an important one. It's a truism of cybersecurity that our defensive technologies need to adapt as the threat environment changes and the way that we use technology changes. Einstein was originally designed, as the acting director noted, as a perimeter defense program, meaning it provides intrusion detection and prevention at the point where agency networks meet the open internet. Over time, what we found is, largely because of the increased use of encryption for traffic entering and exiting federal networks, which of course has its own privacy and security benefits, the Einstein technology that
6:37 pm
was reasonably designed to address risks in technology a decade ago has grown stale over time and now does not provide the visibility that we need. For this reason, CISA is moving our detection capabilities from that perimeter layer into agency networks to focus on the endpoints, the servers and workstations where we are seeing adversary activity today. This is consistent with leading trends in the cybersecurity industry adopted by public and private organizations. We already have pilots in place to precipitate this transition, and with funding under consideration by Congress we will rapidly accelerate this transition from a perimeter defense construct to one where we are in real time identifying activity within agency networks, which is where the visibility shortage is. >> What is your timing on this transition? >> The transition is underway now.
6:38 pm
These tools are called endpoint detection and response and are in place with certain agencies at this point. With funding requested from Congress, we will be able to accelerate those pilots and deploy this kind of internal detection and prevention tool within agency networks in a faster time frame. >> Is it a year, two years, six months? >> We will be deploying over time, and certainly each month that goes by we will cover more agencies. We can come back with a date of when we think we will have full coverage, but this is a scalable process where every month that goes by there will be more agencies protected, which is of course why this funding is so urgent, to get started on this acceleration today. >> Let me add, the $650 million currently under consideration in the relief package is a down payment. It accelerates some of these efforts, but this will require
6:39 pm
sustained investment, both for CISA as well as the agencies themselves. We want to ensure, as we increase visibility, it's going to increase visibility for CISA and also increase the visibility for agencies themselves. I know the agencies themselves will need additional resources to make sure they can leverage the improved capabilities that will be deployed. We want to make sure their posture increases with ours, so the layers of defense that Eric talked about are solid. >> It's going to be important to note, when you talk about sustained investment, it would be good to get to the committee, to the ranking member, what you anticipate as the cost for this, and again how quickly, because every month that goes by we are at risk, like the last two events we are talking about, one on March 7, last week, in
6:40 pm
Paris. Maybe I can ask a quick question. This is about the impact of election security on federal cybersecurity. There have been some conversations that the focus on election security in 2020 may have distracted the agency and taken focus away from security. Did CISA's focus contribute to a lack of resources or situational awareness that made it more vulnerable to cybersecurity breaches? Were those efforts a factor in allowing the SolarWinds intrusion to go undetected? >> If I can -- thank you. >> You can take all the time you want. >> Let me address that by saying the work that we did, in concert with our interagency partners, to protect our democratic
6:41 pm
institutions is not a distraction. It is a core mission of the agency, a priority of work that continues to this day. And let me address it secondly by saying our agency has a broad mission. As I covered in my opening remarks, we work across cyber, physical and communications, building resilience and heightening and enhancing security. We have to have the ability to work multiple problems, even in the midst of the election season, while still dealing with cybersecurity incidents in state and local government and the private sector. I do not believe that the election distracted us. If anything, it has further honed our capabilities and improved our coordination within the interagency, and has made the U.S. government cybersecurity mission more efficient and more effective, and we're just going to try to build on that going forward. >> And I yield back, and I
6:42 pm
thank the gentlewoman for indulging the time. Appreciate it. >> Mr. Rutherford. >> Thank you, Madam Chair. Director Wales, the Continuous Diagnostics and Mitigation program, which is a government-wide cybersecurity program to provide capabilities to identify cybersecurity risks, prioritize those risks based on potential impacts, and mitigate the most significant problems. The program was designed through phases: phase one was basically asset management, phase two was identity and access management, and phase three was, let's see,
6:43 pm
the data protection phase, and then phase four was agencies, different agencies, were going to be supervised to adopt CDM capabilities, which we would fund, DHS would fund, for a base year and one option year. CISA said this was foundational. That sounds to me pretty important. Can you tell me how many agencies are now actively moving through the Continuous Diagnostics and Mitigation program? How many are in phase one, and how many are requesting phase one levels? >> I'll give you a little bit of a high-level answer and then ask Eric to talk about how we envision the program moving forward. CDM is going to be critical
6:44 pm
for a number of the capabilities that EAD Goldstein outlined, including the endpoint detection and response tools CDM provides. Every federal civilian executive branch agency is currently participating in CDM, and I'd say phase 1 is almost fully deployed. There are a couple of agencies that continue to deploy asset management tools, but we need that: agencies need to understand what's on their network and what's running on it, understand the current patch level and where their current vulnerabilities are, because the more sophisticated techniques, like endpoint detection, assume you have a comprehensive understanding of what your network looks like and the potential vulnerabilities on it. We could not move to these more sophisticated tools and capabilities without getting
6:45 pm
that foundation in place. CDM laid that foundation, and the reason why agencies today can respond so quickly to our emergency directives is that CDM provided them that level of insight into their network: they are able to look at the individual objects on their network and know where they are, what patch level they are at and where they need to take immediate action. That gives you a little bit of a highlight about what the next steps are as we move into phases 3 and 4. >> But if I could, so Director, you're telling me that all executive branch agencies are in CDM at least to phase 2. Is that correct? >> I would say every agency has largely completed phase 1. There are a couple of places, but most agencies are in phase 2, and these are
6:46 pm
actually some of the funding for FY22 and FY23 begins on the phase 3 and phase 4 efforts across the federal executive branch. >> From the standpoint of CDM, it has provided three foundational capabilities for federal cyber security. The first is it's a mechanism for CISA to provide fundamental security tools to all federal civilian agencies, as the director noted, as we move to provision of the next generation of cyber security tools, including endpoint detection and response tools and tools that allow adoption of zero trust principles. >> Can I interrupt just one minute. So these fundamental detection tools, are these also those... we mentioned Einstein as kind of border security. The interior security tools that look inside the systems, not at the intrusion point,
6:47 pm
but are those tools, have they been developed, and is CDM moving that forward? >> They have actually been developed, and I think it's useful to think of the National Cybersecurity Protection System, or Einstein, and these programs not as separate offerings but really as part of CISA's cohesive and holistic strategy to protect federal civilian agencies, so NCPS and CDM really work hand in glove to protect all levels of the network against cyber security risk. Again, both of those programs transition to address changes within the technology environment. A lot of it was providing agencies with many of these modern security tools that we need for layered defense. CDM is also the mechanism through which agencies are able to get visibility into their own risk, which is
6:48 pm
critically important for agency CIOs to understand their environment and the risk they are in, and for CISA to get cross-government visibility into risk trends. The emergency directive we issued is an example: when we issue these directives, CDM, particularly as it matures, gives us the ability to look into agency networks and understand the pervasiveness of a given risk and drive focused remediation. >> Very good answer. With that, Madam Chair, I yield back. >> Thank you, Madam Chairwoman. The first thing I want to talk about is a macro issue, and that's where we are in cyber security. When I was on the intelligence committee, and I represent NSA also, I focused a lot on cyber security. NSA is very good as it relates to
6:49 pm
Russia and China and those issues, but we moved to CISA, and I think CISA has been given a task where they just can't do the job that they need to do because of a lack of resources and a lack of personnel. But I do want to say that the personnel there are doing a great job; they just can't do it all. I really was upset when we had a small team that was working well and our former president fired Chris Krebs, the director, because he spoke truth to power. We can't have any politics involved in this issue. It's very serious. I authored Section 1745 of the FY21 National Defense Authorization Act, and that requires CISA to conduct a force structure assessment, very important. This assessment is in part intended to address whether CISA has the personnel, materiel and facilities to achieve its mission.
6:50 pm
I support this review, which is timely, as press reports outline that defenders are stretched thin to deal with the combination of SolarWinds-related malware and newly released Microsoft Exchange Server vulnerabilities. I am deeply disturbed when I hear state and local governments, school systems and even hospitals may have bad actors on their networks for months as they wait for a scarce incident response team to help them clean up the networks. Other than nuclear weapons, I believe that a cyber issue is going to really be maybe the next war, where we have one, and that in space, and I think it's time that we really have this assessment and that we really look at where we are and what we're doing. NSA is very good, but we're all concerned about the defense issues that have occurred, and because NSA has no jurisdiction in the United
6:51 pm
States, and there are a lot of privacy issues which we need to adhere to, but I think we have to look at the whole big picture about what we're going to do to protect our country from the cyber attacks that we have now. This is going to continue, and it's going to get worse before it gets better. It's unfortunate, I think, in this area of cyber security, there are maybe 15 members that I know of that focus on cyber security, and that's a lot. I really hope we can make this a priority with the help of our leadership and the Appropriations Committee to move forward with this assessment and decide where we need to go, and get the money to where we need to go, because the people in leadership right now before this committee, Mr. Goldstein and Mr. Wales, they are working hard. But they sure need a lot of help and a lot of resources. Two quick questions: do you
6:52 pm
believe there is the need for more inherent incident response capability at CISA to assist state and local partners? And the second question: does the American Rescue Plan request support expanding this capability? >> Let me say at the outset that this agency has benefited tremendously from strong support in Congress, both parties, both houses, and we want to make sure we maintain that support by our openness, our transparency and the work of our agency. I would say, without a doubt, to accomplish the scale of the mission that we have, we need more resources. As Mr. Goldstein laid out during his opening, we are asking for it in particular in the area of extending our incident response capability, to allow us to offer more persistent capabilities for incident response to deal with the wide array of incidents that we face on a routine basis. So the money in the
6:53 pm
ARP is a down payment on the scale of capabilities, tools and resources we need. Sir, the workforce assessment is already underway, and we look forward to briefing you later this year. >> We do see the need for incident response capability in those two areas, both to meet demand from federal and nonfederal partners and, critically, this model where we are not only reactively responding to incidents but moving to this persistent threat hunting model where we can search for adversaries that may have compromised American networks. >> Chair. >> Thank you, Madam Chair, and thank you, Director Wales.
6:54 pm
Thank you, both of you, for joining us today, and I appreciate the opportunity to ask you questions about this. As we look at this, this is exquisite: how confident are you that you understand the tradecraft and what was actually employed in this attack, this cyber attack on us, and whether we can work to prevent future attacks? That would be my first question. And the second is in reference specifically to the patching procedure and how they were able to access that data even after patching. Does that data have any vulnerability now? Can we make sure that vulnerability no longer exists? >> I'll take the first question and let Eric handle the portion on the Microsoft Exchange. We understand the tactics the adversary used to compromise most networks.
6:55 pm
Part of what CISA does is it takes information in and it looks to identify the tactics and techniques the adversary used. We then push out that information to the broader cyber security community to look for that, and in some cases we deploy tools that the agencies or private companies can use to look for evidence on their networks. We had our folks working on Christmas Eve to deploy a tool to look for evidence of the compromise in Microsoft cloud environments. Just this week we've released a new tool, starting with federal agencies, to look for evidence in the SolarWinds compromise of adversaries moving off the SolarWinds device into the network, so we're looking for ways we can push out that kind of detection technique to the benefit of all network defenders. That's a learning process. Every new incident we see could be a slightly new tactic that the adversary
6:56 pm
uses, but we have multiple ways of getting that information out. All of the current tactics and techniques we are aware of, we track and share broadly with our public and private sector partners. >> As to that second question regarding the Microsoft vulnerability, we are driving urgent progress across agencies to patch that vulnerability. As noted, over 90 percent of those instances have already been mitigated. Microsoft has also helpfully released a tool that allows IT organizations to assess compromise as part of this campaign, and we have put out accompanying alerts and guidance for network defenders to understand their risk, to identify if they have been exposed and compromised and take urgent remediation action as necessary. We're providing ongoing assistance to agencies to help them understand their risk and ensure they have taken
6:57 pm
the appropriate steps to minimize their vulnerabilities. >> One other question I would have in follow-up to that: you talk about our adversaries and the actor. Who is the actor that is responsible for this attack? If you can say that for the record, because obviously when we're talking about a major enough operation in the future, these bad actors all over the world are not going to pause. They follow us every day, so who is this actor? >> So in the SolarWinds case, the U.S. government has said this campaign is likely of Russian origin. The U.S. government continues to assess that situation and provide additional information to Congress and the American people. On the Microsoft Exchange vulnerability, the U.S. government has not attributed it to an
6:58 pm
actor yet. Microsoft did, in its blog, tie it back to Chinese state actors. That being said, we already are seeing multiple actors now utilize those vulnerabilities, and it's no longer just a single actor exploiting the Microsoft Exchange vulnerabilities. There are multiple actors who are using the vulnerability, potentially to conduct more significant and potentially damaging and destructive cyber incidents. So we are in a race against that threat actor community to make sure we patch as many systems as possible before a more disruptive attack against them emerges. >> You talk about the persistent threat model going forward in dealing with these. Can you elaborate, because I'm running out of time, on what that's going to look like as you're planning for the next year, the next 3 to 5 years? Just some quick perspective on that would be great. >> The way that incident response and threat hunting works historically is we would begin the response only when
6:59 pm
triggered by a compromise, a possible breach. What we want to move to is a paradigm where CISA is able to assess security data from agencies on an ongoing basis for evidence of compromise, utilizing both known and potential indicators of compromise, including advanced techniques, so that we can get ahead of the adversary, and if they intrude we have a high likelihood of catching them, versus waiting until an adversary makes a mistake and then we trigger incident response. So our goal is to move leftward in our ability to detect intrusions that do occur. >> Thank you, Madam Chair, I yield back. >> Thank you, Madam Chair, and thank you for calling us here on this important topic. The vulnerabilities in our federal networks that we're discussing today are urgent, and I'm grateful the president has prioritized funding for CISA to address
7:00 pm
these issues and others through the American Rescue Plan. But our state and local governments have also been targeted by attackers who have only grown bolder during the pandemic, and they lack the expertise and resources of the federal agencies. Like my colleague Mr. Price and perhaps others on this committee, I represent constituents who have been directly impacted by such attacks on more than one occasion. In 2016, personal information of 76,000 Illinoisans was accessed by Russian hackers who got into part of the state election infrastructure, and last year Crystal Lake, Illinois was hit by a ransomware attack. Mr. Wales, can you elaborate on how the funding included in the American Rescue Plan will expand CISA's capacity to support organizations outside the federal government, and in particular how state and local governments will benefit from these investments? >> The majority of the funding in the American Rescue Act is focused on
7:01 pm
improving federal cyber security. That being said, the expansion in incident response resources for CISA will stand up necessary capabilities to allow us to support more state, local and private sector entities that are coming to us for support, and I think that's critical. I would add two other quick points. We completely agree with you that state and local actors need more support. Secretary Mayorkas has talked about this. We need more investment in state and local cyber security, and we're eager to work with Congress on the right way of ensuring that kind of continued investment to bring state and local to a stronger baseline. I know from our work the last few years on election security that we can make a lot of progress through a focused effort from the federal government with our state and local partners, and I think with congressional support
7:02 pm
we will be able to have that level of impact more broadly across state and local information infrastructure. >> I'm sorry, do you have something else? >> One of the lessons I took away from the attack on the Illinois Board of Elections is that when our infrastructure is so interconnected, we are only as strong as our weakest link, and that's why it's so important to take a whole-of-government approach to modernizing our nation's cyber security. As we continue advancing and strengthening our federal network security, what steps should Congress take to ensure our state and local governments don't get left behind? >> I don't think we have a specific proposal today. The department has taken action, for example increasing the amount of money, the percentage of our homeland security grants, that needs to go to cyber security investments for our states and state and local communities.
7:03 pm
CISA is working closely with FEMA on the implementation of that, but in addition we think that we need to identify additional mechanisms by which we can provide that level of support, and we are eager to work with Congress. We know there are proposals and draft legislation we've seen that focus on that, including through additional grants and others, and we're eager to work with you on what that looks like. >> Thank you. I want to shift gears to discuss how CISA is modernizing its workforce. We need the best and brightest minds tackling the challenges facing our nation, and the ability to attract talent that brings diverse experiences and perspectives to bear on our biggest and toughest security problems. Mr. Wales, what percentage of CISA employees are women? >> I believe currently roughly 35 percent of the workforce is women. >> What percentage of your employees identify as indigenous or people of color?
7:04 pm
I do not have those statistics off the top of my head. We will get back to you on that. >> What steps are you taking to diversify the agency's workforce, and what resources do you need to do that? >> This was a major focus of our deputy director during 2020, which we had dubbed our year of diversity and inclusion. We've taken a number of steps to increase our ability to recruit a diverse workforce. This included expanding recruitment in high schools, minority-serving institutions, women-focused events and other groups where we thought we could increase our capacity to hire a diverse workforce. COVID introduced some challenges there and slowed down our hiring across the board,
7:05 pm
but we're hoping, as we move into 2021 with the ending of the pandemic, we will be able to accelerate a number of these efforts. We look forward to working with you on that, and I think we're happy to come in for a more detailed briefing on our workforce recruitment efforts, including our efforts on improving diversity. >> Just briefly, as the newly appointed head of our cyber security division, this is one of my top priorities. Diversity and inclusion is a national security issue and an urgent imperative for us, to have a cyber security workforce that reflects the diversity of this country, and you have my commitment it's going to be one of our top priorities in the months and years to come. >> Recruiting, retaining and advancing diverse employees is important. Thank you, Madam Chair, and I yield back. >> Mr. Palazzo. >> Thank you, Madam Chair. It's great to be back to doing the people's business. I think the Homeland Security Subcommittee is one of the most important committees out of the full committee.
7:06 pm
They're tasked with protecting our homeland; there are many missions, many functions, many agencies that we have to deal with. Before coming to Appropriations, I had the pleasure to serve on the House Armed Services Committee, and you know, we had commandants, generals, secretaries of defense and so on. And the popular question they always would be asked would be, what keeps you up at night? What, what keeps the four-star general from being able to sleep because he's worried about what's next, what is that next threat, where is it going to come from, how are we going to defend America? And you know, we've heard varying responses over the years. China has been one that's pretty consistent, and obviously that's not going away. Russia, ISIS. Even cyber. Cyber is very important to the defense of our homeland
7:07 pm
and the protection of our troops abroad, but the one thing that stood out, and this was Admiral Mullen, he said our national debt. He said the greatest threat to America is our national debt, and as appropriators, I think we need to take that to heart and we need to take that very seriously, because we have limited resources but unlimited wants, and the threats to America are not diminishing. They're growing and they're getting bolder because they see an America that is fighting amongst ourselves. And they only have to watch C-SPAN or the nightly news to see that we are putting politics over the American people, over the defense of our homeland and our national security, and over sound and solid policy.
7:08 pm
I'll stop with that; this was one of my parts this morning. But to Mr. Wales and Mr. Goldstein: what number of attacks or engagements are we seeing, especially in regards to critical infrastructure, from either state or nonstate actors, to whatever amount you can reveal in 95 seconds? >> So it's a challenging question to answer, because we know that our adversaries, nation-states and criminal groups, are continuously attempting to compromise public and private entities of all types. What we have seen over the past two days, and in reports in the media about the Microsoft campaign, is an example of that, where once a vulnerability was revealed we saw countless adversaries, sophisticated
7:09 pm
and not, compromise vulnerable entities. So our focus needs to be raising the bar of cyber security across this country, and then doing that in a risk-based way where additional protections are deployed based upon the criticality of a given organization, and at CISA we are focused on ensuring all organizations, whether federal agencies or private companies, understand they are at increased risk and need to adopt a higher bar for cyber security. >> Let me add one point to that. One of the challenges in answering your question with more specificity is that we are entirely dependent upon the private sector voluntarily sharing information with us about compromises or potential compromises or attempts to compromise their networks. And I think we can see in the SolarWinds campaign and the Microsoft Exchange vulnerability exploitation campaign, we don't know that
7:10 pm
We don't get that kind of information provided to us in a comprehensive way, where you can see the picture of the federal risk we're facing. And in order for us to be as effective as possible, it requires us to understand what the adversary is doing, so we can protect everyone by sharing that information and providing detection capability, by providing information on what the adversary's tactics are. So the more that information is held by victimized private sector entities, the less we are able to protect everyone else. So I think we're eager to work with Congress to see how that can be addressed. >> Thank you both. I think my time is ticking down fairly quick. I do want to just lead with, I agree with you. I think any external threats that we're going to be witnessing in the future are going to be preceded by cyber and possibly our
7:11 pm
assessment, and maybe something a little more conventional, maybe not on the homeland but where our allies and our interests reside abroad. So listen, I appreciate the both of you. Your staff, we appreciate them. You have a huge responsibility to be a part of a group protecting our homeland, and continue to let us know how we can resource you to make sure that you're efficient and effective. And lastly, Madam Chair, if we could in the near future maybe do a follow-up in a classified setting, that would be very good and efficient. So keep up the good work. >> Mr. Price. >> Thank you, Madam Chairman. Thank you for holding this hearing.
7:12 pm
I thank the Director and Assistant Director for appearing today, and I appreciate the good work you're doing. You've led the nation through the most secure election in American history. You continue to respond to the SolarWinds incident on multiple government fronts. And you're collaborating with government and private sector partners who are experiencing more and more frequent malicious activity. I want to ask you something about your Homeland Security Department efforts with FEMA, with their expanded response abilities in this area, but I want to revisit the topic my colleague Ms. Underwood raised, because North Carolina too has been home to some shocking intrusions at the local government level that we didn't expect to experience. Chatham County in my district was hit with a ransomware attack that crippled much of
7:13 pm
the county's network infrastructure and associated business systems, with ongoing problems. Just a few weeks ago the county discovered sensitive files posted on the dark web, including employee personnel records, eviction notices and law enforcement investigative documents. It's a pretty serious breach of quite sensitive information. Chatham County is admirably working through this, but as you indicated, many state and local governments don't have anything like the resources they need to deal with this. If you would just elaborate on your answer to Ms. Underwood: what kind of assistance do you perceive as most important for governments at this level? What kind of resources, help in assessing the security situation, and are there specific funding implications for this aspect of your mission? >> We recognize the grave risks that our state and
7:14 pm
local, tribal and territorial governments face from cyber security threats, particularly ransomware, as you noted. It's an epidemic currently affecting many municipalities and other jurisdictions in this country. We recently initiated a ransomware awareness campaign to drive adoption of best practices among public and private organizations to reduce the risk of ransomware affecting entities, and we encourage all organizations to look at the ransomware materials on the CISA webpage and avail themselves of the recommendations therein. It's also the case that CISA is available to provide assessments, guidance, consultative assistance and, as needed, incident response services to state, local, tribal and territorial entities affected by damaging cyber attacks. We encourage any such entities to contact CISA and acquire the collective resources to help assess the organization's capacity and
7:15 pm
maturity, and then if an incident does occur to request help there as well. And I would note that CISA has regional personnel with cyber security expertise deployed across the country who are available to assist our state, local, tribal and territorial partners on site, to walk through concerns and help figure out how those organizations can be more secure. >> That's very helpful. Let me move to the FEMA question. We're going to follow this state and local support situation very closely. Let me move to the Secretary's announcement last month that the required minimum spend on cyber security for FEMA grant awards will increase from 5 to 7.5 percent. That's a $25 million increase, a crucial step towards accelerating improvements in state and local cyber security. Can you detail the support you plan to give, that you're being asked to give, to FEMA as they increase their cyber workload,
7:16 pm
and the Secretary also announced that he is thinking of implementing a new grant program to support state and local governments, including to combat the epidemic of ransomware. What about those possible new grant opportunities? >> CISA today provides robust subject matter expertise to FEMA to support the evaluation of grant proposals for cyber security expenditures, and we were elated by the Secretary's decision to expand the mandatory cost allocation. I think the $25 million that will result from that decision will significantly improve security and maturity across recipient organizations, and we will continue serving in our subject matter expert role to ensure grant applicants are making the best use of those resources to improve their cyber security posture. As to the second question, we agree with you that the level
7:17 pm
of investment in cyber security across our state and local entities must improve, and I look forward to working with this committee and others in determining how CISA can help provide much-needed investment going forward. >> Thank you, Madam Chairman. >> Mr. Aguilar. >> I appreciate the opportunity to be here, and I want to thank both gentlemen for their testimony. Assistant Director Goldstein, in your testimony you talked a little bit about NDAA authorities and the visibility issue. Section 1705 of the FY21 NDAA allows CISA to hunt on other agency networks; in other words, it empowers CISA to search through security logs and other data for evidence of compromise by sophisticated actors. While I support this authority and understand it, I
7:18 pm
know there are other approaches to implementing this language. CISA can either instrument the networks of sister agencies to collect the data, or the departments can give CISA access to those logs. Can you talk a little bit about the approach CISA is considering to implement this language? Of the approaches mentioned, which one would CISA prefer, and why? >> We deeply appreciate this authority provided in the NDAA, for the reason you said: it gives CISA the flexibility in execution to determine what model makes the most sense for federal cyber security, or even what combination of models makes the most sense. We are not seeing this as an either/or proposition, but exactly as you noted, we are planning to deploy additional detection
7:19 pm
and response tools on federal networks that will allow us to continue to analyze threat activity. We are working with our federal partners to encourage agencies to aggregate security information in such a way that CISA is able to conduct continuous analytics on that sort of log data, including data derived from cloud environments. So our goal is to interpret it in a way that best advances our cyber security goals across the federal enterprise. As noted by the other members, our execution model for visibility will likely change over time as technology changes and as risk changes, so our goal is to be able to detect adversary activity wherever it occurs, but the model by which we do so has to change as required. >> How would the funding requests for each of these approaches differ, as you talk through that evolution and how it could change? What should we be mindful of
7:20 pm
when it comes to the funding requests that we could receive? >> I think there are three variables in the funding request along these lines, and I think they apply to each of these models but differ in degree. The first would be the people: the trained, expert security practitioners who understand the practice of hunting, which is a specific expert discipline. CISA has an extraordinary group of individuals who do this work today. The second would be the tooling: the provisioning of agencies with tools that will allow us to collect this data wherever it is, whether at the endpoint or in the cloud. And the third would be the analytics infrastructure, to allow CISA to either run queries on data at the agency level or analyze that data wherever it may be derived
7:21 pm
from, allowing us to do the important work of identifying adversary activity. So those are the three areas of investment. [inaudible] >> Thank you so much, gentlemen. I appreciate that. Building off Ms. Underwood and Mr. Price and their discussion about local coordination as well, can you just elaborate a little bit on that coordination level with FEMA? I understand the subject matter experts being available to localities, but how can we embed some of that coordination between you folks and FEMA? >> Let me just clarify. When we talk about subject matter experts as part of the review, it is not kind of ad
7:22 pm
hoc. It's a part of the review process, so all the cyber security investment justifications that were submitted by states to support this cyber security investment umbrella were reviewed by subject matter experts within CISA in concert with FEMA, to make sure that there was a true partnership to review the investments in the cyber security domain. But in addition, we also provided assistance to a number of states who wanted our help as they were initially thinking through and beginning to craft the investment justifications that were going to be submitted to FEMA as part of the grant process. We are now in year two of the cycle with the cyber security investment requirements, and the process is getting stronger. We have embedded field-based personnel in states and cities across the country providing that assistance to
7:23 pm
state administrative agencies and other experts at the state and lower level who are involved in the investment justification grant-writing process. >> I appreciate it. I yield back. >> I believe we have time to have a round two. So I'd like to begin by going back to our funding response to SolarWinds. As has been mentioned, the American Rescue Plan includes substantial funding for federal IT modernization and cyber security, including $650 million for CISA. One of the things that is concerning to me is that many federal Office 365 email accounts have only the most rudimentary security capabilities and lack the logging that is necessary for cyber defenders to track malicious activity. It's also concerning that a
7:24 pm
significant portion of cisa's investment plan, that funding is waiting to go to operating these licenses. why aren't advanced security logging enabled by default on any of these federal cloud accounts that the government procures and how much of that 650 million supplemental funding is currently planned for license upgrades to support logging and, one more point to that question, will cisa be issuing a directive to require agencies to procure licenses that require advanced security logging on cloud contracts and if not, how do we fix this problem. >> so cisa's strategic goal broadly and with its funding is to ensure agency it environments whether on premises or in the cloud have the security built in the american people would expect
7:25 pm
of their federal government. aspects of that as you note is ensuring that cloud computing environments have logging retention and security controls that can reasonably be expected to detect adversary activity, and that cisa can use to understand events when they do occur and respond accordingly. as part of our funding request, we do intend to develop a process to improve the level of cloud security across the federal government. one option that could be considered is the improvement of licenses with existing vendors. there are other options that could achieve a similar goal so our goal strategically is to ensure that federal agency data is secured wherever it sits on premises or in the cloud and we are planning to take any possible course of action to achieve that goal, working of course with our partners in each agency, the office of management and budget and other agencies.
7:26 pm
>> i guess my next question has to do with how does cisa work to ensure that emergency funding is not needed for something as basic as logging. >> it's important to think of security funding along two paths. the first is the funding cisa needs to provide a foundation of security across the executive branch and the second is the funding that each agency requests to modernize its own it structures. as we mentioned we do consider the funding in the ara to be a down payment to modernize federal cyber security and drive further progress. it is reasonable to anticipate other federal agencies will request a similar investment to improve
7:27 pm
their own added cyber security. we certainly do hope that these ara investments will be built into a baseline request going forward. but we do recognize this will be a long journey. there will be a long path to get federal cyber security to the point where it needs to be given the sophistication of the adversaries on our networks and i look forward to working with your committee to understand that funding path and the end state we're trying to collectively reach. >> one of the major features of the continuous diagnostics program has been to include visibility into agency networks. they continue to rely on data calls for agencies to answer more basic questions such as which agencies have exchange servers. how do we address this problem if the current program does not provide enough visibility.
7:28 pm
do we need to change our strategy and will any of the 650 million be used at least in part to improve this visibility. >> you'll recall from a prior question cdm provides transparency at two levels, at the agency level and at the level of cisa. even though we issued a directive or a data call, agencies are still able to use their cdm tools and the transparency that they get at the agency level to respond to cisa. we're working with individual agencies to improve the fidelity of insights that it is able to derive and then to the second part of your question, investments through the ara request will additionally improve both the coverage for advanced tools through the program and additional infrastructure to help cisa analyze data and derive information that we could use to get better fidelity into cyber security risks across the agencies.
7:29 pm
>> thank you madam chair and gentlemen, thank you for a very insightful hearing. this has been helpful to me and, i don't doubt, to the other members of the subcommittee. with the impending passage of the next covid relief bill, $1 billion is carved out for cyber security with 650 million of that going towards cisa to help advance cyber protections. do you feel this will have demonstrable impact or are we just barely buying down the risk. put another way, how much of a funding deficit are we in with respect to cyber protections, and what percentage of that is addressed with the supplemental funding? thank you. >> this investment will make a demonstrable impact in federal cyber security. at the same time it's an incremental step.
7:30 pm
this will be a multiyear process assuredly across the 101 agencies in the federal executive branch to make sure we are able to provide the level of security the american people expect. cisa of course plays a key role in this not only in detecting and responding to incidents but also providing shared services agencies can increasingly use to raise their baseline of cyber security and again, this will be a journey both for cisa and for the other 100 federal agencies to reach a model where we are quickly detecting adversary events and where we are moving to a more shared service, even centralized model where cisa is raising a baseline across the executive branch and i look forward to dialogue with this committee to understand that long-term funding profile over time. >> thank you for that answer and mr. goldstein, i am also a former.
7:31 pm
[inaudible] i'm a lot older than you, i graduated in '83 but i noticed that among your credentials. the solarwinds attack exploited a vulnerability but what else do you currently see as the biggest risk for vulnerability to cyber security and as a follow-up what are the specific tactics or resources cisa needs to have to combat this particular risk? >> i think the most grievous risk that cisa sees from the national standpoint is the risk of an adversary compromising industrial control systems that could cause life safety impact.
7:32 pm
i think that incident although not resulting in immediate harm should clearly be a call for this country about the risk that we face from cyber intrusion in critical systems. cisa in our role as the nation's lead agency for cybersecurity is deeply focused on working with the control system security community, to ensure both understanding of vulnerabilities in that community and where applicable we're helping the community identify sophisticated threats including through cisa's program and we're working to incentivize increasing the baseline of cybersecurity across industrial control systems owners and operators so that we are seeing the use of modern technology to reasonably protect these critical systems. >> thank you very much, and
7:33 pm
again, acting director wales and assistant director goldstein thank you for testimony. madam chair, thank you for holding this hearing. with that i yield back. >> mr. rutherford. >> i'm sorry, mr. ruppersberger. >> two names like that. thank you. i just didn't have a chance to ask my question about the incident, how does the american rescue plan request support expanding the capabilities when you need to? basically bottom line, that's short-term. you said that all the way through. what in more detail if you can, where is the money, 650 million, where is that going to be used by you? what is your priority to take that money? because i believe this very strongly, that this is a serious issue of lack of funding and resources in
7:34 pm
what you all do. you can't do it all and it's going to get worse instead of better. we have to accept the fact that cybersecurity is a major issue and we, other than people especially who work in it, don't understand that. there's no question we've got to deal with the issue of covid, but we still have to move forward. what are you going to do with the short-term money, where is your priority going to go and then what ideas do you have as far as moving forward in this big massive issue that you're going to try to work with when you just don't have the resources? >> thank you for the question. there are four key areas we can make real progress in with the money requested in the ara. the first is the deployment of detection within federal agencies to increase our visibility into cybersecurity threats to the agency environment and figure out
7:35 pm
adversary activity much quicker to minimize these kind of prolonged compromises that we have recently seen. the second is expanding our capacity for incident response and threat hunting including moving to that proactive hunting model i mentioned previously. the third is improving our capacity to conduct analysis of cybersecurity information coming into cisa to understand risk across the executive branch, and number four and the longest term is progressing federal agencies to a more defensive network architecture, for example, using principles where we assume some of the network is permeable and focusing on protecting the assets and accounts themselves. that is a longer-term effort. to your broader question, none of these activities will be fully actualized by the money in the ara so we're going to need a longer-term investment both by cisa and by individual agencies
7:36 pm
across all four of these paths as well as continuously reevaluating the risk and technology environment to make sure that our ongoing resources are commensurate with changes as you noted in this deep and complex space. >> do you have a dollar amount there? >> it is highly -- to estimate the final dollar amount for just the reasons that you noted. >> and that amount will not -- [inaudible] last thing, i still have a little time. i believe that we really have to look at cybersecurity as even made independent of this committee and have a direct line to the president. this is so serious. just like we did with the new space force, but the threat we have, and what happened is indicative of what could happen in the future with russia and china and iran, and with that attacks with north korea.
7:37 pm
if we don't start taking this seriously we're going to put all of our citizens in this country at severe risk. so far it's just been stealing information. but if we have to -- what's happening and the threats that shutting us down, we will be in that position as far as national our country, especially as it relates to the countries that are more involved in cybersecurity. >> so let me just add on that and follow up on that. we want to make sure that cisa and the entire whole of nation is prepared for significant cyber incidents. in many respects the fact that the solarwinds campaign targeted federal agencies and larger, more capitalized private sector companies, generally, was somewhat beneficial.
7:38 pm
if it had been a broad campaign targeting state and local governments or small and medium-size businesses like the microsoft exchange vulnerabilities, the challenges of them being able to have the resources, skills and the ability to remediate these problems would be magnified. we need to look at additional ideas for how we provide support to state and local governments and small businesses as they look to recover from significant cyber incidents. there are ideas out there like those pushed by the cyberspace solarium commission for a cyber response and recovery fund but we need additional approaches to make sure the whole of nation can come together around significant cyber incidents and ensure we have the right capabilities in the right places to take the steps and build back networks even stronger. >> excellent point. i yield back. >> mr. rutherford. >> thank you, madam chair. director, that was exactly where i wanted to go was this whole of
7:39 pm
nation aspect that dutch is speaking of. as a follow-up on my colleague, mr. ruppersberger's, point about, and your response concerning the industrial control systems, that's where i see the greatest potential for loss of life. we have lots of security through the federal systems, and one of the things that -- i understand your priority is going to be the federal agencies, and that's why when you answered concerning the $650 million in rar, american rescue act, ara i should say, when you answered you focused on all the federal responses like
7:40 pm
detection systems, expanding the response capabilities, analytics. and i understand that, but i really would like to know currently what is -- the requests that are coming to cisa from state, local and private industry, those industrial control systems we spoke of, because that's where i see the greatest threat to loss of life. you know, dropping planes out of the sky, running trains into each other, poisoning water systems like we saw in oldsmar. those are the kinds of things that equally concern -- i don't want to say what is more important than the other, but
7:41 pm
they equally concern me, and i wonder, you know, dutch said it so well. i'm wondering how many people back home understand what he just said. that's what concerns me. and so are we reaching out for that assistance? i can tell you i just spoke with the florida league of cities yesterday, and this oldsmar water plant was primary -- well, not primary but it was one of the major topics on the list to discuss, and we talked about community development block grants and those sorts of things, because they understand now that they need to tighten up these cyber systems. can you tell me that we have as much focus on what dutch just spoke about as we do the federal side as well?
7:42 pm
>> yes, sir. let me answer and then turn it over to eric to give you details. cisa has a lot of authority and responsibility to protect the federal civilian executive branch. and so it's highlighted key gaps in capabilities in our cybersecurity and we want to take aggressive action to address that, that's why the ara has that dedicated funding to make sure we enhance our capacity to deal with vulnerabilities in an area where we have substantial responsibility and authorities. that being said, we have a broad mission in cybersecurity and industrial control systems is a highest priority for our broad cybersecurity mission. we released our strategic plan for addressing cybersecurity last year, a unified plan that would look across the interagency, and this is a
7:43 pm
significant effort, also significant competency. we have a lot of industrial control system cybersecurity expertise which is a rare and precious talent that we have developed over time. but i want eric to talk about some of the initiatives and ideas we have in the space. >> if you could tell me, does that plan have a name, since you mention it. >> yeah. it was called, like the -- i think it was industrial control system cybersecurity unified initiative, i believe is the title of the plan. >> okay, thank you. >> and i would just add, cisa is focused on the most critical national cybersecurity risks and it is unequivocally the case that risk to industrial control systems is paramount among our concerns. there are two main thrusts i would offer. the first is how cisa can
7:44 pm
directly support the community of entities that own and operate control systems. services like vulnerability assessment, guidance, incident response or even in some cases the deployment of active sensing technologies across control systems to understand adversary threats. the second level and the one where we look to work with your committee and others is how the u.s. government can help raise the baseline of cybersecurity across entities that own or operate control systems recognizing many control systems may be operated by municipalities or rate-capped utilities that may not be able to afford the best-in-class cybersecurity solutions that other private companies can. we also want to think creatively working with congress on how we can collectively raise the bar for cybersecurity across this country. >> i look forward to working with you on that and other efforts. i thank you for all you all do. with that i yield back.
7:45 pm
>> mr. price. >> thank you, madam chairman. let me ask our guests to turn the focus to health care. in 2000 through the federal government established the health care and public health sector as one of 16 critical infrastructure sectors in the u.s., recognizing that its security is essential to the economy, the national security, public health and safety of the country. as our healthcare systems become more digitized from electronic health records to connected medical devices, we've seen hacking and i.t. security incidents on the rise in healthcare as in other sectors. particularly worrisome during a pandemic of course, much of our healthcare information has ventured online including vaccine distribution management and other critical functions. healthcare organizations like lots of others are struggling to defend their networks from data breaches and so if you could
7:46 pm
give us an update on your assessment of this sector and efforts in this regard. could you elaborate on some of the work that dhs or for that matter other partners are doing to secure the healthcare system? how are you keeping up with the numerous emerging technologies in the medical sector? and then can you give us an estimate of the degree to which best practices and procedures are now known, publicized, in place for insurance plans, healthcare providers, payers, to review the best -- to review how to best protect patient data? are best practices -- to what degree is there a consensus, to what degree is it publicly available? and easily accessible to the stakeholders. >> sure. i'll start, and i would say without question over the past year since the early days of covid we very quickly recognized
7:47 pm
the importance of surging resources to the healthcare sector and related parts of the economy because of the criticality and fragility of these infrastructures in the midst of a global pandemic. we actually brought together a team and used some of the hiring authority in one of the earlier covid supplemental packages to bring on additional capacity, additional expertise in the healthcare industry and set them to work to improve the uptake on cybersecurity services that we offer and to come at them offering all the capabilities that cisa has to bring whether it's in our cyber domain, physical security, supply chain security and so on. we have worked hard over the past year to increase the cybersecurity profile of this industry. we have seen through our efforts the speed at which this sector is patching vulnerabilities that we
7:48 pm
can see through external scans improved dramatically last year. and beginning when operation warp speed stood up we began to work very closely with that organization to provide the cybersecurity services that we have to the companies involved in manufacture and distribution of the vaccine supply chain. that work continues today. we are still working with them doing assessments, providing sensors on networks. we are providing overwatch of the ip space working with the intelligence community. there is a lot of work designed to help provide an increased security posture for the healthcare sector. we think this will pay long-term dividends beyond the pandemic in our relationship with the sector, their ability to utilize our resources and overall cybersecurity baseline. that being said, the healthcare industry is large, diverse, you've got small hospitals that are not as well capitalized and we're trying to find additional
7:49 pm
resources that can be provided. one good example is the organization that operates what we call the multistate isac that helps provide support to state and local governments. it operates on a cooperative grant from cisa. it operates a sensor network similar to our einstein system for state and local governments when you sign up for it, but they made it available for free to critical healthcare companies, usually municipal authorities, to provide a malicious domain blocking service quickly to companies at risk because of their criticality as part of the covid response. and so we think there is a whole community effort to address this problem but it is one that will take a lot of work over a lot of years given its size, its complexity and the amount of help they may require. >> what would you say about that whole community concept, the
7:50 pm
extent to which some of the smaller and maybe less connected healthcare institutions, practitioners are fully aware of the threat? can we at least say now the wake-up call has occurred, there's a fuller awareness, a desire to adopt best practices or do we still have some distance to go in that regard? >> i would say given the number of ransomware attacks against hospitals even in the midst of the pandemic, which is just deplorable on the part of these criminal organizations, it has been a wake-up call. that being said, if you're a small hospital and you're not as well capitalized, you may not have the option, you may not have the resources to invest in a dedicated cybersecurity team and information security practices that are required for the threat that you may face. we need to think creatively about how do we give them the tools and capabilities they require to provide the level of security that is needed when
7:51 pm
you're protecting americans' health and safety. >> thank you. thank you, madam chair. >> thank you, madam chair. and again i want to thank you for all the work that you do in this committee as well as ranking member fleischmann. this is the one committee that i enjoy attending and participating in. my other one, too, but these are the two best committees out of the appropriations committee. but again i wanted to just thank chairman wales and mr. goldstein for being on today. there's so much to talk about, and i wanted to ask them, i should have, i talk about what keeps the chairman of the joint chiefs of staff and the secretary of defense. what causes you to have sleepless nights, gentlemen, if you don't mind sharing, if you can share a similar or an
7:52 pm
example of a sleepless night because of the threat facing the homeland? >> i will just return back to a line that we were just on, which is the possibility of a cyber attack impacting a critical service function that results in loss of life or harm to the american people. this could be a control system. it could be a ransomware attack at a hospital that results in the unavailability of critical services, as we've seen in other countries. so it is really this transition of cyber attacks moving from a focus on stealing or accessing data, which is quite concerning, towards a cyber attack impacting the provision of a critical service, water, electricity, healthcare upon which people depend. it's that transition that is deeply concerning and presents an urgent and emergent national risk. >> so basically you describe what happened in other cities in
7:53 pm
and around the midwest because of the weather last week. what we are talking about, of the weather, you know, a natural disaster type scenario, we have no control over at all, there's probably a bad actor that at any second could hit the keyboard and make something like this happen, or could make something like this happen if we don't safeguard and firewall our critical infrastructure. >> that is certainly the risk that we must urgently address, correct. >> you kind of tied that in, it was not only the cyber intrusions, but the stuff that's happening in the space domain, relied of our, let's say economically we compete but there's also possibly our adversaries in space creating a bunch of technologies, we know we are becoming even more dependent
7:54 pm
upon satellites for our day in and day out life, our financial systems, our phones, everything. do you work with those other agencies to map out a plan? if you go to the bank and you have no money in your account, your phone doesn't work. we've seen that over time that fear or paranoia can cause a lot of trouble in america. are you concerned about something like that happening? how are we, i guess, jointly working together, not having silos as has been the case in the past, and federal agencies sharing communications to protect all of us? >> yes, sir. cisa works very closely with the defense department, private industry, other government partners on issues like space-based technologies that you know are inherently reliant upon networking and integrity of communications and present an
7:55 pm
increasingly fundamental dependency to all manner of critical infrastructure. so certainly we are deeply attuned to those technological trends that are either emergent or already manifested, how those technologies could be undermined by cyber intrusion and working with the companies that are developing, manufacturing and applying these technologies making sure wherever possible security is built in by design on the front end. >> let me just add, we've been meeting with the newly formed space isac, companies involved in the space industry have formed an information sharing and analysis center as a means to share critical information related to cybersecurity threats that could impact space systems or the related ground-based infrastructure. that is a new focus area. the last administration kicked it off. they had a space cybersecurity effort and we think it's critical that we continue to focus on these
7:56 pm
additional functions that we recognize are both vulnerable but essential to our way of life and we have a lot of historical work in the gps and pnt world that we can call upon as we embark on additional activity to support the companies involved in this space-based industry. >> thank you for that. i know my time is winding down. again i want to say i appreciate everything you are talking about, and i know just as we've been focused in space, instead of having one big satellite that can be taken out we're trying to disaggregate our space footprint so we have multiple satellites. there was some conversation about that on how to redo our electrical grid and things in the aftermath of our winter storm. i will just leave with this. one of my colleagues mentioned like why are we not taking this seriously? this committee and the members on this committee are taking cyber very seriously, and i
7:57 pm
think a large number of the american people if they were not so distracted by the shenanigans and the games that basically their politicians are doing, you know, how can we expect them to take it seriously when you don't even take us seriously. i think that -- putting politics aside and focusing on the american people. and again with unlimited wants and limited resources this committee has a big responsibility. thank you, gentlemen. and thank you for the work that you do. madam chair, i yield back. >> thank you. i just want to make a point with regards to the industrial control systems. cisa really does need to put together a very comprehensive strategy with schedules to help the nation address --
7:58 pm
[inaudible] we really would like to move very quickly in addressing this issue. like, i just want to make that point. and i just have one more question that i would like to ask. the reconciliation bill also includes funding to help address federal agency i.t. modernization efforts through the general services administration's technology modernization fund, and as a member of the board cisa plays a role in overseeing the execution of those funds. can you speak to the current state of the federal government i.t. infrastructure, and how it impacts our cybersecurity capability? >> certainly. modernization and security are inherently interlinked, but that must be intentional. cisa plays a key role on the
7:59 pm
technology modernization fund to ensure that critical new investments to ensure that federal i.t. is state of the art are conducted with security top of mind. so even as the federal enterprise modernizes its technology to make sure the federal workforce and the american people have access to the technology for the critical services delivered by federal agencies, that those efforts are conducted with security built in and, to some of the prior questions, to ensure that years from now we don't look back and realize we invested in technology that didn't have the appropriate security controls, the appropriate logging, on down the line, so we make sure as we modernize we modernize securely so we're building in defenses from the ground up.
8:00 pm
>> thank you. i believe there are no more questions so we will conclude this hearing. acting director wales and assistant director goldstein, thank you so very much for your time and for helping us through the very, very difficult challenges, and we certainly appreciate your agency's transparency in working with the subcommittee and interagency cooperation of the cyber unified coordination group. this has been a very, very informative hearing and we very much appreciate your being here. this committee on homeland security now stands adjourned.

