[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CYBER PREPAREDNESS AND RESPONSE AT THE LOCAL LEVEL
=======================================================================
FIELD HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND SECURITY
TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
APRIL 7, 2016
__________
Serial No. 114-62
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
22-755 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
John Ratcliffe, Texas, Chairman
Peter T. King, New York Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania Loretta Sanchez, California
Scott Perry, Pennsylvania Sheila Jackson Lee, Texas
Curt Clawson, Florida James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Brett DeWitt, Subcommittee Staff Director
John Dickhaus, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statement
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies................................................... 1
Witnesses
Mr. Alphonse Davis, Deputy Director/Chief Operations Officer,
Texas A&M Engineering Extension Service:
Oral Statement................................................. 4
Prepared Statement............................................. 6
Mr. Sam Greif, Chief, Plano Fire-Rescue Department, Plano, Texas:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Mr. Richard F. Wilson, Lieutenant, Dallas Police Department,
Dallas, Texas:
Oral Statement................................................. 11
Prepared Statement............................................. 14
Mr. Don Waddle, Detective (Ret.), Greenville Police Department,
Greenville, Texas:
Oral Statement................................................. 15
Prepared Statement............................................. 17
Appendix
Questions From Chairman John Ratcliffe for Alphonse Davis........ 29
Questions From Chairman John Ratcliffe for Sam Greif............. 30
Questions From Chairman John Ratcliffe for Richard F. Wilson..... 30
Questions From Chairman John Ratcliffe for Don Waddle............ 30
CYBER PREPAREDNESS AND RESPONSE AT THE LOCAL LEVEL
----------
Thursday, April 7, 2016
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Sherman, TX.
The subcommittee met, pursuant to call, at 11:09 a.m., in
the Mabee Foundation Banquet Room, Wright Campus Center, Austin
College, 1301 East Brockett, Sherman, Texas, Hon. John
Ratcliffe [Chairman of the subcommittee] presiding.
Present: Representative Ratcliffe.
Also present: Representative Burgess.
Mr. Ratcliffe. Good morning. The Committee on Homeland
Security, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies will come to order.
The subcommittee is meeting today to learn how State and
local officials prepare for, respond to, and investigate cyber
incidents, and to learn about different cyber training
opportunities for State and local officials to bolster our
cyber preparedness and response.
I appreciate the effort taken by everyone that is involved
here to put together an important field hearing. I would like
to start by thanking our friends here at Austin College for
letting us hold this hearing today here at the Mabee Hall.
This is an official Congressional hearing, as opposed to a
town hall meeting, and, as such, there are certain rules of the
Committee on Homeland Security and the House of Representatives
that we have to abide by. So for our guests here today, we
can't have demonstrations from the audience, including
applause, verbal outbursts, the use of signs or placards. All
those things, as fun as they may sound, are a violation of the
rules of the House of Representatives. It is important that we
do respect the decorum and rules of the committee, and I have
also been requested to say that photography and cameras are
limited to accredited press only and can't be used for campaign
or political purposes.
As Americans become more aware every single day as they
turn on their computers and their televisions, cyber threats
are exponentially increasing. They come from criminal
organizations, nation states like China, Russia, and Iran, and
even terrorist groups like ISIS. These attackers don't only
target Federal networks, big banks, and National retail chains.
They also hit towns and families and local businesses. So there
is a great need to address cybersecurity at the State and local
level.
From emergency response centers, Department of Motor
Vehicle offices, to courthouses and our critical
infrastructure, the exploitable vulnerabilities and possible
consequences for public safety are alarming. On the law
enforcement side, FBI Director Jim Comey recently testified
that an element of virtually every National security threat and
crime problem that the FBI faces is cyber-based or facilitated.
It is incredible that Federal law enforcement is seeing a cyber
element to almost every single crime.
Because society is increasingly connected, we can be
certain that our State and local law enforcement are seeing the
same trend, arguably with even fewer tools to address it. It no
longer takes a sophisticated cyber criminal to compromise
sensitive information from companies and from everyday
Americans, and law enforcement is seeing a cyber element to
almost every crime. It is vital that State and local law
enforcement, the prosecutors and judges all be properly trained
to respond to cyber crime and to protect the American people.
We have recently seen a flurry of ransomware attacks
against hospitals, including at least one located here in the
4th Congressional District of Texas, where patients' personal
medical data is encrypted and held hostage until the hospital
pays a ransom to get it back. As reports indicate, cyber
attacks against emergency workers are spiking and will continue
to rise.
We all recognize that interconnectivity and automation
increase convenience and improve responses. Emergency services
are just one area where automation and interconnectivity
provide clear benefits to us all. But while these technologies
increase efficiency and cut costs, they do present new risks
that, if exploited, could bring vital emergency services and
our critical infrastructure to a halt.
Regardless of the magnitude of a natural or man-made
disaster, first responders--firemen, police, paramedics, and
National Guardsmen--are the ones, the first ones that are on
the scene. Their ability to communicate and to execute key
command-and-control responsibilities during an incident often
depends entirely on internet-enabled technologies.
As we examine cyber preparedness and response at the State
and local level, I am pleased that we are joined by a number of
distinguished witnesses this morning who are at the tip of the
spear in this effort. I look forward to hearing about how they
are preparing for, responding to, and mitigating and
investigating the threats that we face right now in cyber
space.
I am also pleased that this hearing is taking place not in
the halls of Congress today but right here in the 4th
Congressional District of Texas, the first-ever Congressional
hearing here in Grayson County. The police, prosecutors,
judges, paramedics, and firefighters, they all need the
appropriate tools and training to respond to the increasing
threats that we face, and to make sure that they are fully
equipped, we need to hear directly from them. The best
solutions, believe it or not, don't usually come from
Washington, DC. People often hear me say that governing is a
team sport, and I think that today's hearing and the location
of today's hearing hopefully reinforces that fact.
As Chairman of this subcommittee, I have been closely
examining these challenges. I will continue to lead efforts in
Congress to strengthen our Nation's cyber defenses and provide
for the common defense against these National security threats.
Last fall, I authored and moved legislation to strengthen
State and local cyber crime-fighting efforts. Specifically, the
legislation would support the National Computer Forensics
Institute, or NCFI, which is run by the United States Secret
Service, and provides greatly-needed cyberforensics training to
State and local law enforcement across the country, including
those right here in Texas' 4th District. In fact, we are
pleased today that one of our witnesses, former Greenville
Detective Don Waddle, was trained at the NCFI.
Today I hope this subcommittee will learn more about how
first responders here in Texas are being trained to address
cyber incidents, how first responders are preparing for and
responding to cyber incidents, and how local law enforcement
officials are being trained in computer forensics.
This hearing will provide needed background to further
reinforce the subcommittee's efforts regarding cyber training
and workforce needs at the State and local level. Cybersecurity
is a shared responsibility, including all levels of government
and the private sector.
While much has been done to improve our Nation's
cybersecurity, there are a number of challenges that remain. I
look forward to hearing from our witnesses today as we consider
ways to address those challenges.
My good friend, Mr. Burgess of Texas, is here today, and I
ask unanimous consent for him to be permitted to sit and
participate in today's hearing.
Without objection, so ordered.
Other committee Members are reminded that opening
statements may be submitted for the record.
Before I introduce the distinguished panel of witnesses
before us on this important topic today, again I would like to
thank a number of folks that are here.
I mentioned Austin College President Hass, for always being
a hospitable host to us.
We have a number of law enforcement folks that are here
today that are not testifying.
Lieutenant McGreevy from Sherman Police Department.
From Denison Police Department we have Assistant Chief Joe
Clapp, Assistant Chief Don Maury, Paris Fire Chief Larry
Wright, and Assistant Chief Thomas McGonagall.
Constable Bob Douglas from Grayson County; Commissioner
Jeff Whitmeyer from Grayson County; Dan Sharp from the Denison
IT department; Tom Watt, a Grayson County sheriff-elect.
We have Rita Knowles, justice of the peace, who is here,
Tammy Johnson from the Sherman City Council, Kevin Couch from
the Sherman City Council, Reggie Smith, esteemed local
activist.
We have assistant chief of the Sherman Police Department,
Lieutenant John Henneberg, here. I would also like to welcome
Terra Petty and Daryl Birkland from Wilson and Jones IT
department.
I am sure I am leaving some others out and I apologize, but
I am trying to recognize everyone who has taken the time to be
here, including a number of students here from Austin College.
Welcome. Thank you for being a hospitable host to us. I would
say that I have been the beneficiary personally of a number of
Austin College students who have interned in my Congressional
office, and a number of them are here today. Thank you for
coming back. It is great to see you all again.
With that, I would like to recognize our distinguished
panel of testifying witnesses this morning.
We have with us Mr. Al Davis, who is the deputy director
and chief operations officer at Texas A&M Engineering Extension
Service. Welcome, Mr. Davis.
Mr. Davis. Thank you, sir.
Mr. Ratcliffe. We have Mr. Sam Greif, the chief of the
Plano Fire-Rescue Fire Department, who is testifying on behalf
of the International Association of Fire Chiefs. Welcome,
Chief.
Mr. Greif. Thank you, sir.
Mr. Ratcliffe. We have Mr. Richard Wilson, who is a
lieutenant with the Dallas Police Department. Welcome,
lieutenant.
Last but not least, we have now-retired Detective Don
Waddle from the Greenville Police Department.
Mr. Waddle. Thank you, sir.
Mr. Ratcliffe. Very good. All right.
With that, I would like to ask the witnesses to stand so
that I can administer an oath.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that the witnesses
have answered in the affirmative.
The witnesses' full written statements will appear in the
record.
You may be seated.
The Chair now recognizes Mr. Davis for 5 minutes for his
opening statement.
STATEMENT OF ALPHONSE DAVIS, DEPUTY DIRECTOR/CHIEF OPERATIONS
OFFICER, TEXAS A&M ENGINEERING EXTENSION SERVICE
Mr. Davis. Thank you very much, Mr. Ratcliffe. I would like
to thank you and also Mr. Burgess and other Members of the
subcommittee. It is an honor to appear here before you on
behalf of our agency, the Texas A&M Engineering Extension
Service, to discuss cyber preparedness and response at the
local level.
I will start by telling you just a little bit about TEEX.
We are affectionately known as TEEX to those that we train and
that we partner with. We began training in 1930. The impact is
at the local, State, and National, and global levels. We cover
training and technical assistance across the entire homeland
security enterprise domain to include cybersecurity, and an
important part of our mission and our role is our extension
service, we are proud to say, to the great State of Texas.
Our relationships. First of all, we have relationships with
responders across all disciplines, all 16 disciplines, at the
State and local levels. With DHS/FEMA, we have relationships
not only with the National training and education division but
with CS&C, Cybersecurity and Communications, who we dialogue
with. We also dialogue with the Infrastructure Protection
Directorate, Personal Protection Directorate, and the Office of
Bombing Prevention.
We also have consortium memberships, first of all, since
1998, with the National Domestic Preparedness Consortium, with
the National Cybersecurity Preparedness Consortium, and we are
also a member of the Forensics Consortium. Those memberships
help us to address cybersecurity across a number of areas.
Our role in addressing the cybersecurity challenge began in
2010 when DHS/FEMA asked us to take on some training that was
previously done on a competitive training grant. We have also
linked cybersecurity to emergency planning and response, and we
think that is very, very important.
Why we think it is important: I think the police chiefs and
fire chiefs would agree, we used to think about cybersecurity
on the left hand and emergency planning and response on the
right hand, and they should be thought about together, because
if the emergency response planner or manager thinks that they
can really put off a plan or respond without cyber intrusion,
that is not accurate. That is really not accurate because of
those reasons you stated, sir.
We have done some pioneering efforts also, and what I mean
by that is when we visit a lot with our partners at DHS/FEMA,
we didn't visit in silos. We thought there was a need to bring
them together, and we are proud to say that we did, in fact,
bring those different entities together to actually develop
further training. So again, we were pioneers in that effort.
We also at TEEX, through cybersecurity technical assistance
and vulnerability assessments--that is very important, we do
that not only with some universities, but we have been doing
that with some communities. We have done some training also,
assessments that is, in Congress, and Texas also, sir.
As far as our products go--and that is our training
courses--this focuses also on training, and I will refer to
something we submitted, our statement. We had 5 instructor-led
courses. Four deal with cyber and incident management, and it
comes from the community level, the Essentials of Community
Cybersecurity, Community Preparedness, and Community
Cybersecurity Exercise Planning.
We also have 10 on-line courses that are provided at no
cost to individuals, designed for 3 levels of students,
including the general user, which is very important--you
addressed that, sir--the information technology staff and
specialists, and for business managers also. So again, that
training is, at no cost, available to the general public.
As far as our results, over the last 5 years TEEX has
provided cybersecurity training for students and participants
in 40 States and 5 territories, reaching a total of 32,900
training instances, and we think that is very, very important.
As we move forward, sir, we will continue to work closely
with States and local communities in identifying their needs
and supporting their efforts. States have reported, through the
National Preparedness Reports beginning in 2012, that
cybersecurity is a key National area of improvement and
concern, and it is listed as a top priority in the 2014 and
2015 National Preparedness Report.
So again, we are very, very pleased to be here. We have
submitted a statement in more detail, and I will be willing,
sir, when appropriate, to take your questions that you may
have.
[The prepared statement of Mr. Davis follows:]
Prepared Statement of Alphonse Davis
April 7, 2016
Chairman Ratcliffe, and other distinguished Members of the
subcommittee, it is an honor to appear before you today on behalf of
the Texas A&M Engineering Extension Service (TEEX) to discuss cyber
preparedness and response at the local level.
history of teex emergency management training program
TEEX, a State of Texas agency and member of the Texas A&M
University System (TAMUS), began training State and local responders in
1930, and today trains over 170,000 annually from across the world. In
1998, TEEX became a founding member of the National Domestic
Preparedness Consortium (NDPC). The NDPC is a partnership of 7
universities and organizations that are the primary means through which
the Department of Homeland Security/Federal Emergency Management
Agency's (DHS/FEMA) National Training and Education Division (NTED)
provides training to State, local, Tribal, and territorial responders
and communities in support of PPD-8--National Preparedness. The NDPC is
Congressionally-authorized and annually appropriated funding through
the Homeland Security National Training Program to develop and deliver
training for the Nation's emergency first responders within the context
of all hazards; including chemical, biological, radiological, and
explosive Weapons of Mass Destruction (WMD) hazards. To date the NDPC
has trained over 2.4 million, more than 540,000 of which were trained
by TEEX.
This long-term relationship with State and local level emergency
managers, responders, and leaders, and infrastructure/industrial
partners, along with more than 20 years of experience in workforce and
software development, prepared TEEX to provide training on preparedness
and response for cyber incidents or attacks. In today's connected world
cyber refers to anything that contains, is connected to, or is
controlled by computers and computer networks.
beginning of teex cyber training program
In 2010, at the request of FEMA, TEEX began training State and
local communities in cybersecurity awareness, specifically where local
communities and responders need to collaborate with their critical
infrastructure partners in planning for and responding to a possible
cyber attack or incident. TEEX launched this effort within their
existing HSNTP funding (then fiscal year 2009--$22,344,500) by
continuing the delivery and maintenance of cyber courses originally
developed under FEMA Continuing Training Grants and awarded to other
universities.
At the National level, the need for an increase in cybersecurity
awareness and the ability to collaboratively plan with critical
infrastructure partners was highlighted through PPD-21--Critical
Infrastructure Security and Resilience and EO-13636--Executive Order
Cybersecurity/Presidential Policy Directive on Critical Infrastructure
Security and Resilience. TEEX responded to the growing need by
expanding the cyber training program and leveraging the partnerships
with the DHS Office of Infrastructure Protection (IP) and the DHS
Office of Cybersecurity and Communications (CS&C). TEEX had previously
developed 2 courses on the protection of critical infrastructure with
DHS/IP and was asked to develop a third, which specifically-focused on
the challenges of both physical and cybersecurity on critical
infrastructure, with DHS/IP and DHS/CS&C.
current teex training and assessment programs
TEEX trains students through the DHS/FEMA HSNTP, offered at no cost
to State, local, Tribal, and territorial communities, and includes:
5 instructor-led courses that are delivered across the
country and the U.S. territories, allowing communities to train
together in the classroom:
4 courses on cyber and incident management
Promoting Community Cybersecurity
Essentials of Community Cybersecurity
Community Preparedness for Cyber Incidents
Community Cybersecurity Exercise Planning.
1 course specifically addressing both physical and
cybersecurity
Physical and Cybersecurity for Critical
Infrastructure.
10 on-line courses, available at no cost to individuals,
designed for 3 levels of student, including:
3 courses for General Users, covering broadly-applicable
awareness needs
4 course for Information Technology staff and specialists,
addressing security, forensics, and response techniques for
IT systems
3 courses for Business Management staff that include Risk
Management and legal parameters critical to small
businesses.
In addition to training, TEEX also provides technical assistance,
offering community and organizational vulnerability assessments and
compliance reviews. Vulnerability assessments include network
vulnerability testing, review and validate IT security processes, and
review IT system security configurations, while compliance reviews
include organizational policy conformance reports and recommendations
to make their systems more secure.
implementation of teex training programs
Over the last 5 years, TEEX has provided cybersecurity training for
students in 40 States and 5 territories, reaching a total of 32,290
students. These students trained both in the classroom and on-line.
Instructor-led training (delivered in local communities):
345 deliveries to 8,413 students in the United States
31 deliveries to 815 students in Texas.
Online training:
23,877 students in the United States
4,264 students in Texas
50 students in TX District 4.
future of teex training programs
As we move forward, we will continue to work closely with States
and local communities in identifying their needs and supporting their
efforts. States have reported through the annual National Preparedness
Reports, beginning in 2012, that cybersecurity is a key National area
of improvement, listing it as a top priority in 2014 and 2015. Some of
our recent work in support of the States includes:
Working with States to provide employee training web portals
with direct access to State-identified required on-line cyber
training and reporting capabilities for States to monitor
employee progress in completing the courses. Student training
portals are now active for the States of Arkansas, Louisiana,
and Wyoming, as well as Fresno Pacific University in
California.
Most recently, as a member of the National Cybersecurity
Preparedness Consortium (NCPC), consisting of 5 partners
focused on training for State and local communities, TEEX is
developing new training on the integration of cybersecurity
into the local Emergency Operations Center (EOC). Through FEMA
NTED's Continuing Training Grants, TEEX will develop 2 hands-on
courses, with simulated scenarios designed to develop
managerial and operational-level skills sets. The first course,
now in development and piloted in Utah and Rhode Island, is
designed to help ensure that traditional emergency management
personnel and IT personnel recognize the importance of working
together to mitigate the effects of a cyber incident. A second,
more technical, course will follow and will provide students
with the key skills and processes needed to more effectively
defend their organizational networks.
In summary, we will continue to focus on how we can further assist
and prepare local entities for a cyber incident, as well as enhancing
engagement with the public and private sectors in planning and response
to a cyber incident.
Mr. Ratcliffe. Thank you, Mr. Davis.
The Chair now recognizes Chief Greif for his opening
statement.
STATEMENT OF SAM GREIF, CHIEF, PLANO FIRE-RESCUE DEPARTMENT,
PLANO, TEXAS
Mr. Greif. Good morning, Chairman Ratcliffe, Representative
Burgess. Today I thank you for the opportunity to represent the
International Association of Fire Chiefs to discuss this
important topic.
Cyber crime and cyber attacks are an ever-increasing threat
to the American homeland. However, fire and emergency services
are still learning how to recognize these threats and the
adverse effects of those to our operations. There have been
attempts to use robocalls and other service attacks that would
affect operations of 9-1-1 public safety answering points. In
addition, we have seen recent examples of cyber attacks against
hospitals in California, Kentucky, and the Washington, DC area.
The greater concern is that a cyber attack can be used in
conjunction with kinetic bombing or an active-shooter incident
to create confusion during the response. Fire and EMS
departments must be vigilant for malware, phishing, spam,
spyware, and other new and diverse threats. The keys to
successful cybersecurity efforts for fire and EMS departments
are multifaceted.
We need to harden and test systems, stay aware of and
informed by our new threats, and make sure that the staff are
trained and prepared to prevent and to respond to a cyber
incident. It is vital that fire and EMS departments take steps
to protect themselves.
During my tenure with the Fort Worth Fire Department, I
oversaw our Fire Communications Division. In order to protect
our computer-aided dispatch and 9-1-1 systems, IT departments
segregated them from the outside world. This reduced their
vulnerability. We updated the systems by testing updates and
manually installing them on our servers.
To protect the PSAPs, departments have to constantly test
the 9-1-1 system vulnerabilities to make sure that they can
withstand a concerted service attack. PSAPs also should be
constructed securely from the outside attacks and have
resilient systems as back-up.
As public safety communications move to digital systems,
they can become vulnerable to cyber attacks. These
communication systems must be secured. Fire and EMS departments
also must stay aware of new threats. State and local fusion
centers can provide information about cyber threats. In
addition, Federal information-sharing systems like the Homeland
Security Information Network are good sources of cyber
information for fire and EMS chiefs.
Fire and EMS chiefs also should develop close working
relationships with their local law enforcement, emergency
managers, IT departments, and the surrounding jurisdictions. At
Fort Worth, I worked with the local police and intelligence
communities to stay aware of these threats. In Plano, I meet
monthly with the police chief, the public safety communications
director, the emergency management director, and among our
discussions is how to improve and secure our communications
systems.
Major events require regional planning. For Super Bowl XLV
in 2011, we developed a multi-county consortium and developed a
communications plan that actually included response to cyber
terrorism.
Finally, training and exercises are key to preventing and
responding to an incident. Antivirus software must be kept up-
to-date. Staff should adopt preparedness and a culture to not
put on any links to malware, spyware, or other threats. Fire
and EMS chiefs also can study the effects of cyber attacks and
other public safety and private organizations and learn how to
mitigate the consequences before they occur.
The Federal Government can be an important partner in a
Federal cybersecurity regime. Many fire departments are not
aware of the threat that they face. DHS can work with the U.S.
Fire Administration and the National Fire Academy to develop
standards and training for all fire and EMS departments. Fire
chiefs recommend that the U.S. Fire Administration's budget be
restored to the fiscal level of 2011, which was $45.6 million,
in order to facilitate this type of educational effort. In
addition, DHS can continue to fund the State Homeland Security
Grant Program and the Urban Area Security Initiative, also
known as UASI. These programs support their operations. In
addition, these grants can be used to fund cyber components to
regional training. Unfortunately, the administration's fiscal
year 2017 budget request would impose Draconian cuts on these
programs. The State Homeland Security Grant Program will be cut
by more than 50 percent, and the UASI program would be cut by
45 percent. We recommend that these programs be funded at least
to the fiscal year 2016 level of $467 million for State
Homeland Security Grant Program and $600 million for UASI.
Thank you for the opportunity to represent Fire and
Emergency Services at today's hearing. Local fire and EMS
departments must take necessary precautions to protect
themselves from this new and emerging threat. In addition, the
Federal Government can provide critical information, education,
and practical training about the threat of cyber attacks.
I look forward to answering any questions you may have.
[The prepared statement of Mr. Greif follows:]
Prepared Statement of Sam Greif
April 7, 2016
Good morning, Chairman Ratcliffe, Ranking Member Richmond, and
Members of the subcommittee. I am Chief Sam Greif of the Plano Fire-
Rescue Department. Today I am pleased to testify on behalf of the
International Association of Fire Chiefs. The IAFC represents more than
11,000 leaders of the Nation's fire, rescue, and emergency medical
services. Thank you for the opportunity to discuss important issues
related to cybersecurity and the fire and emergency service. This is a
growing threat that adds yet another mission for the America's
firefighters and emergency medical personnel.
the problem of cybersecurity
Cyber crime and cyber attacks are becoming a more prevalent threat
to the American homeland. A 2010 report by Norton found that two-thirds
of the world's population have been the victim of some form of cyber
crime. A 2009 study by McAfee demonstrated that cyber crime, including
security breaches and data theft, may have cost international business
has much as $1 trillion. We have seen how cyber attacks can harm major
universities, medical facilities, financial institutions, retailers,
local governments, and Federal agencies.
The fire and emergency service is just beginning to recognize how
these threats can affect our operations. There have been attempts to
use robocalls and other denial-of-service attacks to affect operations
at 9-1-1 Public Safety Answering Points (PSAP). Just recently, we have
seen a rash of cyber attacks against hospitals in California, Kentucky,
and the Washington, DC area. In addition, we always must be vigilant
for malware, phishing, spammers, and spyware which are aimed at
infiltrating and debilitating our systems.
From the fire and emergency service's perspective, it is important
that we protect vital systems that support our operations. The 9-1-1
systems are necessary for the public to call and request assistance
during emergency situations. Computer-aided dispatch (CAD) systems are
essential for determining which units are available to respond and
assigning them to an incident scene. These units must be able to
communicate with the dispatch center, command units and each other
effectively at the incident scene. In addition, patient reporting
information must be protected by the emergency medical service (EMS),
because of the nature of the data. As the Nation transforms to a more
digital world and the ``Internet of Things,'' all of these capabilities
will be presented with an increasing number of opportunities to provide
service to our citizens and a corresponding number of vulnerabilities
to cyber threats.
protecting the fire and emergency service
As they consider the various threats to their computer systems,
fire and EMS departments must take steps to protect themselves. Before
I became fire chief in Plano, I served for 30 years in the Fort Worth
Fire Department, where I oversaw the city's 9-1-1 center for 10 years.
One of our major missions was to protect our CAD and 9-1-1 systems from
cyber attacks. To protect our systems, we segregated them from the
outside world. This action minimized the ability of outsiders to
compromise our systems through the internet. To update our systems, we
would have to go to the server and install software manually. It is
important to recognize, though, that most of a fire and EMS
department's computer systems, like human resources, email, and
finance, will be part of the overall jurisdiction's information
technology (IT) systems.
Fire and EMS departments also have to take steps to harden their
systems. In order to protect their 9-1-1 systems from massed robocalls
aimed at taking down the system, the departments have to constantly
test their systems' vulnerabilities to make sure that they can
withstand heavy call volumes. The fire departments also have to
download and use a testbed to evaluate all software before installing
it. It is important to realize that--as communications systems move to
digital systems that use VoIP--these systems need to be secure from
cyber attacks that might compromise life-saving operations on the fire
scene. In addition, 9-1-1 Public Safety Answering Points (PSAP) should
be constructed to be secure from outside attacks and have resilient
systems and back-up power.
As with other threats, local fire and EMS chiefs must stay aware of
new threats and prepare for them. The best way to stay informed is to
develop relationships with intelligence fusion centers, Federal
officials and local law enforcement. If fire and EMS departments can
support the staffing requirements, they should have personnel stationed
at the State and local fusion centers. Grants administered by the
Federal Emergency Management Agency (FEMA), including the State
Homeland Security Grant Program (SHSGP) and Urban Areas Security
Initiative (UASI), will support fire and emergency service personnel in
fusion centers. Fire and EMS departments also should maintain close
relationships with local Joint Terrorism Task Forces. These resources
will keep fire and EMS chiefs informed on the latest cyber threats and
help them address any vulnerabilities.
It also is important to develop close working relationships with
local law enforcement officials. In Fort Worth, I worked with the local
police intelligence unit, which was aware of new threats to the
community. In Plano, the public safety group, composed of the city
communications director, the police chief, the emergency manager and
me, meet monthly to discuss threats and how to prepare for them.
Federal information-sharing systems, like the Homeland Security
Information Network (HSIN), also can provide important information
about cyber threats and how to prepare for them. HSIN is a National,
secure, web-based portal for information sharing and collaboration
between Federal, State, local, Tribal, territorial, and private-sector
partners. HSIN has a community of interest dedicated to the fire and
emergency service. The U.S. Department of Homeland Security (DHS) must
make sure that cybersecurity-related information is added to this
community of interest, so that local fire and EMS chiefs can access it.
Since fire and EMS departments depend on mutual aid to respond to
major incidents, they should address cybersecurity concerns as part of
their planning and training. Communications must be interoperable
during an incident; a breakdown in communications or dispatch systems
during an incident could cause confusion at a critical time. To address
this risk, the North Central Texas Council of Governments addressed
cybersecurity as part of its interoperability plans. For Super Bowl XLV
in 2011, the Multi-Quad County Consortium developed a communications
plan that addressed cybersecurity concerns and developed plans for
responding to a cyber attack.
Finally, training and exercises are key to preventing and
responding to an incident. One of the basic ways to protect computer
systems is to train staff not to click on spamware, malware, or
spoofing attacks. In addition, fire and EMS departments must ensure
that all of their virus software is up-to-date. These are simple tasks
that can protect a system. Fire and EMS departments also can audit
their systems to evaluate vulnerabilities. It also is worthwhile to
study the effects of cyber attacks on other public safety organizations
to see how their operations were affected and what they did to mitigate
the damage. Local fire and EMS departments can work with local law
enforcement agencies, emergency managers and the jurisdictions' IT
staff to plan and exercise contingency plans in case of cyber attacks
aimed at taking down key systems.
the federal government's role
The Federal Government can be an important partner. Most
importantly, it can help educate fire and EMS departments about the
cybersecurity threat. The DHS's Office of Cybersecurity and
Communications (C&SC) can work with FEMA to raise awareness in local
fire departments about the threats that cyber attacks can pose. The
U.S. Fire Administration (USFA) is an agency within FEMA that supports
the local fire and emergency service. By working with USFA and its
National Fire Academy, C&SC can develop education and training to help
fire and EMS departments learn how to determine which systems might be
vulnerable to cyber attacks and make the necessary changes to protect
them. It is important to note that the President's fiscal year 2017
budget proposes to cut USFA by $1.7 million. We recommend that--
instead--Congress fund USFA at the fiscal year 2011 level of $45.6
million, so that the agency can develop training for emerging threats
like cybersecurity.
Also, DHS can continue to support training and exercises to help
fire and EMS departments prepare for the threat of a cyber attack. A
cyber-related component can be added to the State and local exercises.
In addition, DHS should continue to support State and local fusion
centers, which serve an important purpose in sharing threat
information. These programs are funded though the SHSGP and UASI
programs. Unfortunately, the President's fiscal year 2017 budget
proposes to cut these programs drastically. The budget would cut the
SHSGP program to $200 million (a decrease of more than 50%) and the
UASI program would be cut to $330 million (a 45% cut). We urge Congress
to fund these programs--at least--at the fiscal year 2016 level of $467
million for the SHSGP program and $600 million for the UASI program.
Recently, the DHS National Protection and Programs Directorate
(NPPD) announced a proposal to realign itself to have a greater focus
on cybersecurity. Overall, the IAFC is supportive of this proposal.
However, we have concerns about how this realignment would affect the
Office of Emergency Communications (OEC). The OEC's mission is to
promote public safety communications interoperability using a local
stakeholder-directed approach. The IAFC and other public safety
organizations do not support efforts to move OEC under the
Infrastructure Security component. Instead, we recommend that OEC
remain a separate component within NPPD.
conclusion
Thank you for the opportunity to testify at today's hearing.
Cybersecurity is an issue of growing importance to the Nation. A
breakdown of a fire and EMS department's CAD or communications system
during the response to an incident could result in tragic consequences.
It is important that local fire and EMS departments strengthen their
systems to protect them. In addition, fire and EMS chiefs should
develop strong working relationships with Federal, State, and local law
enforcement officials to be aware of emerging threats. Finally, local
fire and EMS chiefs should make sure that their staff are trained in
basic cybersecurity safety, and plan and exercise for the consequences
of a successful cyber attack. Taking these necessary precautions should
help local fire and EMS departments to adapt to this emerging threat.
Mr. Ratcliffe. Thank you, Chief Greif.
The Chair now recognizes Lieutenant Wilson for his opening
statement.
STATEMENT OF RICHARD F. WILSON, LIEUTENANT, DALLAS POLICE
DEPARTMENT, DALLAS, TEXAS
Mr. Wilson. Good morning, sir. Chairman Ratcliffe, Mr.
Burgess, thank you and Ranking Member Richmond for the
opportunity to testify today.
The challenges faced by law enforcement at the local level
in preparing for and preventing cyber attacks are on the rise
and continue to be difficult. While all Americans recognize our
dependence on the internet and telecommunications devices to
stay connected with the world, this increasing level of
connectivity has resulted in additional responsibilities for
public officials and law enforcement to police the world-wide
communications network without impeding communications between
the members of our community.
The first and perhaps most difficult challenge the Dallas
Police Department and our community partners face today is our
total reliance on computer networks for operational and
investigative functions. This all-inclusive dependence allows
for a much greater negative impact on our abilities to perform
our duties when these systems fail or become infected.
Second, the extent of this connectivity enables persons and
organizations with malicious intent to conduct cyber attacks
from greater distances. This ability for a hacker to attack
systems world-wide expands the list of possible suspects to all
of the world's population that possess a smartphone or computer
that is connected to the internet.
Third, the quantity of information passing through all
communications networks allows hackers to avoid the trained
systems analysts and target their attacks to enter networks at
their weakest points, by exploiting lapses in security
committed by end-users or consumers.
Since cyber attacks recognize no State and local
jurisdictional boundaries, public officials and corporate
managers must coordinate their investigative and management
processes to define roles for all the partners.
The pace at which technology continues to advance is
currently outpacing law enforcement's ability to educate its
workforce to recognize and address cyber crime activity. For
those officials that do recognize the necessity to increase
security infrastructures, and choose to develop or subscribe to
cyber protection programs, the costs associated with these
efforts often compete with funds required to maintain other
essential tasks within the organizations, where the impact from
these other functions can be more readily counted and observed
by such measures as crime rates and response times to calls for
service.
For those State and local agencies that commit funds for
hiring cyber-trained personnel, these agencies are often unable
to compete financially with compensation packages and programs
offered by private corporations and Federal agencies.
Lastly, while most State and local agencies recognize their
need to enhance cyber training for their existing workforce,
the growing demand for cybersecurity and cyber investigative
training far exceeds the current class sizes and training
opportunities.
Cyber training is an expanding area of instruction that
often provides training to State and local partners at reduced
costs or without tuition. While these programs reduce the
direct costs of obtaining training for State, local, and Tribal
employees, some indirect costs may result from committing a
portion of the workforce to training. The student employee's
absence can produce temporary staffing shortages that may
adversely affect the employer agency's responsiveness to calls
for service, visual presence and enforcement activity in the
community, and the ability to conduct timely investigations of
reported crimes.
Due to the size and mission of the Dallas Police
Department, and the wide range of assignment-based duties
performed by DPD officers and civilians, supervisors within
each division or unit are responsible for identifying job-
specific training needs beyond State-mandated training
requirements, and obtaining instruction for all employees
within their workgroup.
Currently, a variety of on-site cyber training courses are
offered by organizations such as the Federal Law Enforcement
Training Center in Georgia, the National Computer Forensics
Institute in Alabama, and Abbott Laboratories in Illinois. Some
examples of additional training that can be obtained on-line
are SEARCH On-line training and at the National White Collar
Crime Center. There are also additional training and support
programs offered by other DHS components, FEMA and ICE, as well
as the Multi-State Information Sharing and Analysis Center.
While detectives and analysts from the Dallas Fusion Center
have been able to attend some of these training programs, there
are always challenges for a first responder organization like
the Dallas Police Department. As such, our core capabilities at
the Dallas Fusion Center are always subject to staffing
patterns, personnel changes, and other policy considerations,
so that to keep our level of current cyber expertise consistent
and on the cutting edge we need affordable access to cost-
effective and timely training to stay on the vanguard.
Having said that, I think we can all agree that this
challenge is one we face as a Nation, and not just in a select
few States, regions, or cities. It will take a full-time
training effort and identified funding resources for the first
responders of the Dallas Police Department and other major
metropolitan cities across the country to stay current in our
struggle to meet the increasing sophistication of cyber crime,
especially in today's threat landscape.
While much progress has been made in identifying the needs
of State, local, Tribal, and territorial agencies to address
illegal cyber activity, opportunities do still exist to create
cyber preparedness and responsiveness at the local level.
The first area of support should be to provide increased
scholarship support of formal education programs that contain
emphasis on cybersecurity and cyber forensics. Funding for
training is always an issue in the budgets of State, local, and
Tribal agencies.
Second, education and public service announcements should
be developed and communicated by all levels of government to
all Americans to clarify the importance of each citizen's role
and responsibilities for creating a safer cyber network. This
type of community outreach should emphasize the importance of
hardening computer systems and provide tips for using
technology in ways that reduce opportunities for computer
hackers and criminals who benefit from security lapses.
Third, until the gap between training opportunities supply
is reduced to match the increasing need for training,
additional facilities and programs should be created to provide
training to State, local, and Tribal government employees.
Last, I would urge each Member of Congress to continue to
create legislation as necessary to address emerging methods of
cyber crime activity as they are identified and require stiff
incarceration sentences for those convicted of committing cyber
crimes.
Thank you again, Chairman Ratcliffe and Mr. Burgess, for
the opportunity to testify before you today. I would be glad to
answer any questions.
[The prepared statement of Mr. Wilson follows:]
Prepared Statement of Richard F. Wilson
April 7, 2016
Chairman Ratcliffe, Ranking Member Richmond, Members of the
subcommittee, thank you for the opportunity to testify today.
The challenges faced by law enforcement at the local level in
preparing for and preventing cyber attacks are on the rise, and
continue to be difficult. While all Americans recognize our dependence
on the internet and telecommunication devices to stay connected with
the world, this increasing level of connectivity has resulted in
additional responsibilities for public officials and law enforcement to
police the world-wide communications network without impeding
communications between all members of their community.
The first and perhaps most difficult challenge the Dallas Police
Department and our community partners face today, is our total reliance
on computer networks for operational and investigative functions. This
all-inclusive dependence allows for a much greater negative impact on
our abilities to perform our duties when these systems fail or become
infected.
Second, the extent of this connectivity enables persons and
organizations with malicious intent to conduct cyber attacks from
greater distances. This ability for a hacker to attack systems world-
wide expands the list of possible suspects to all of the world's
population that possess a smartphone or computer connected to the
internet.
Third, the quantity of information passing through all
communications networks allows hackers to avoid the trained systems
analysts, and target their attacks to enter networks at their weakest
points, by exploiting lapses in security committed by end-users or
consumers.
Since cyber attacks recognize no State and local jurisdictional
boundaries, public officials and corporate managers must coordinate
their investigative and management processes to define roles for all
partners.
The pace at which technology continues to advance is currently
outpacing law enforcement's ability to educate its workforce to
recognize and address cyber crime activity. For those officials that do
recognize the necessity to increase security infrastructures, and
choose to develop or subscribe to cyber protection programs, the costs
associated with these efforts often compete with funds required to
maintain other essential tasks within the organizations, where the
impact from these other functions can be more readily counted and
observed by such measures as crime rates and response times to calls
for service.
For those State and local agencies that commit funds for hiring
cyber-trained personnel, these agencies are often unable to compete
financially with compensation packages and programs offered by private
corporations and Federal agencies.
Lastly, while most State and local agencies recognize their need to
enhance cyber training for their existing workforce, the growing demand
for cybersecurity and cyber investigative training far exceeds the
current class sizes and training opportunities.
Cyber training is an expanding area of instruction that often
provides training to State and local partners at reduced costs or
without tuition. While these programs reduce the direct costs of
obtaining training for State, local, and Tribal employees, some
indirect costs may result from committing a portion of the workforce to
training. The student employee's absence can produce temporary staffing
shortages that may adversely affect the employer agency's
responsiveness to calls for service, visual presence, and enforcement
activity in the community, and the ability to conduct timely
investigations of reported crimes.
Due to the size and mission of the Dallas Police Department, and
the wide range of assignment-based duties performed by DPD officers and
civilians, supervisors within each division or unit are responsible for
identifying job-specific training needs beyond State-mandated training
requirements, and obtaining instruction for all employees within their
workgroup.
Currently, a variety of on-site cyber training courses are offered
by organizations such as the Federal Law Enforcement Training Center in
Georgia, the National Computer Forensics Institute in Alabama, and
Abbott Laboratories in Illinois. Some examples of additional training
that can be obtained on-line are, SEARCH On-line training and at the
National White Collar Crime Center. There are also additional training
and support programs offered by other DHS components FEMA and ICE, as
well as the Multi-State Information Sharing & Analysis Center.
While detectives and analysts from the Dallas Fusion Center have
been able to attend some of these training programs, there are always
challenges for a first responder organization like the Dallas Police
Department.
As such, our core capabilities at the Dallas Fusion Center are
always subject to staffing patterns, personnel changes, and other
policy considerations, so that to keep our level of current cyber
expertise consistent and on the cutting edge, we need affordable access
to cost-effective and timely training to stay on the vanguard.
Having said that, I think we can all agree that this challenge is
one we face as a Nation, and not just in a select few States, regions,
or cities.
It will take a full-time training effort and identified funding
resources for the first responders of the Dallas Police Department, and
other major metropolitan cities across the country, to stay current in
our struggle to meet the increasing sophistication of cyber crime,
especially in today's threat landscape.
While much progress has been made in identifying the needs of
State, local, Tribal, and territorial agencies to address illegal cyber
activity, opportunities to create cyber preparedness and responsiveness
at the local level do still exist.
The first area of support should be to provide increased
scholarship support of formal education programs that contain emphasis
on cybersecurity and cyber forensics. Funding for training is always an
issue in the budgets of State, local, and Tribal agencies.
Second, education and public service announcements should be
developed and communicated by all levels of government to all
Americans, to clarify the importance of each citizen's role and
responsibilities for creating a safer cyber network. This type of
community outreach should emphasize the importance of hardening
computer systems, and provide tips for using technology in ways that
reduce opportunities for computer hackers and criminals who benefit
from security lapses.
Third, until the gap between training opportunities supply is
reduced to match the increasing need for training, additional
facilities and programs should be created to provide training to State,
local, and Tribal government employees.
Last, I would urge each Member of Congress to continue to create
legislation as necessary to address emerging methods of cyber crime
activity, as they are identified, and require stiff incarceration
sentences for those convicted of committing cyber crimes.
Thank you again Chairman Ratcliffe and Ranking Member Richmond for
the opportunity to testify before you today. I would be glad to answer
any questions.
Mr. Ratcliffe. Thank you, Lieutenant Wilson.
The Chair now recognizes Detective Waddle for his opening
statement.
STATEMENT OF DON WADDLE, DETECTIVE (RET.), GREENVILLE POLICE
DEPARTMENT, GREENVILLE, TEXAS
Mr. Waddle. Good morning, Chairman Ratcliffe and Mr.
Burgess. I thank you for the opportunity to speak with you all
today.
I served as a police officer in both the military and
civilian police departments for 39 years. The last 25 years
were spent with the Greenville Police Department in Greenville,
Texas. The last 15 years I was also assigned to the Criminal
Investigation Division working property crimes and fraud. Fraud
often involves the use of computers to facilitate those crimes.
Checks are generated and printed on computers. Credit card
abuse and identity theft are often committed using the
internet.
I did retire from law enforcement on the 31st of last month
and am now trying to settle into the quiet life.
During the last 10 years I have also been assigned to the
North Texas Electronic Crimes Task Force with the United States
Secret Service and worked side-by-side with both special agents
of the Secret Service and with numerous State and local
investigators. We were all trained to recover evidence from
computers and cell phones, and we do these examinations from
agencies throughout North Texas. These cases involve anything
from fraud, to narcotics, to child pornography, to murder, and
capital murder. I have testified in trials from possession of
child pornography, to enticing a child, to murder, and capital
murder.
As I look back at my career in law enforcement, I remember
going to a call for a burglary, throwing some dust around and
hoping that the perpetrators didn't get guns or the victims'
checkbooks or credit cards. As time moved forward, computers
and cell phones came into the game, and then my concern was,
did they get the victims' computer passwords for their I-pads
or their cell phones? It was obvious to me that for me to
provide better service to the people of my city, I had to know
how to catch the criminals and what they were doing, and what I
needed to do to be able to present a case that would put these
criminals in jail.
Computer crime investigation is not an inexpensive pursuit.
All of the software programs that you use for investigations
are all very expensive. All of them have licenses that have to
be renewed every year, and the monetary cost to a city of my
size can be anywhere from $300 a year to tens of thousands of
dollars a year for the software and equipment to do these
investigations.
We needed help. There was no way that we were going to be
able to do that. That is where the Secret Service and Federal
Government stepped in. They helped us help our citizens by
providing us with training, equipment, and expertise. Because
of the training I received, I became a more valuable asset to
my department. I was sought out by other detectives for help
with their investigations. In major crimes I have used the
training I have received to assist with murder investigations
by mapping out locations perpetrators used to hide their
victims' bodies, or to helping detectives plot computer
searches that outlined their case to intelligence for narcotics
investigators.
I am also called on to assist other local agencies with
their investigations. They have used the information I provided
to prepare their cases for prosecution. I am also called on by
the prosecutors to answer questions regarding computer crime.
Had I not had this training, I would not have made the new
contacts that I had that have been very beneficial to me.
In early 2006 I went to the United States Secret Service
office, the Dallas field office, to drop off a computer for
examination. I knew nothing about computers at that time. I
spoke with Bob Sheffield, who was the head of the Electronic
Crimes Special Agent Program there in the Dallas field office
and the North Texas Electronic Crimes Task Force at the Dallas
field office, and was telling him how interested I was in
learning about forensics. He plainly said, ``We can do that for
you.'' I went to the Federal Law Enforcement Training Center in
Brunswick, Georgia for 6 weeks learning about computers and
computer forensics. This was prior to the National Computer
Forensics Institute.
In that training I learned what a computer was, what the
programs on a computer were, what their purposes were, and the
overall operation of the computer, and I learned how to look
for evidence of a crime.
After that I went to the National Computer Forensics
Institute in Hoover, Alabama. I started to go to the training
there. I went to Advanced Forensics Training there. I went to
the first class, which was one of the very first classes at the
Institute of any kind, so there was a little bit of tweaking
that needed to be done, and then I went back and learned a
great deal that helped me towards my computer forensics.
I also went to the Mobile Device Data Recovery school, or
MDDR, which is cell phone training, and also just this last
February went to Mac Forensic Training at the NCFI. The NCFI
has worked very hard to give State and local officers like me a
good, quality education and lots of tools for my toolbox and
are always there to answer questions. I can call up there at
any time if I have a question about something, and there is
just somebody there who is going to be able to answer that
question.
The instructors that they have are all very expert in their
field, and they work very hard to provide all of us with the
proper training that we need to be able to do our jobs. You
don't have to be on a level way above our heads to talk to us.
I think that probably the best training that I ever
received in my 39 years of law enforcement was there at NCFI. I
walked away from each class very confident in what I had
learned and was able to put all those things back into practice
and was able to do those things, and I am grateful for that. I
am grateful to the Federal Government for providing that kind
of tool.
I would encourage giving thought to increasing the size of
those classes that were offered at the facility because cyber
crime is not going to do anything but increase. I have 2 trials
coming up later this month that come from the investigations
and the training that I got from the NCFI.
I want to thank you for your time today.
Oh, one other thing I wanted to say is that I am grateful
for the training that I received, but my citizens have been the
major benefactors of that training because I was able to do a
better job for them.
The other thing I really liked about NCFI is that they
didn't just work with law enforcement officers. They also work
with judges and prosecutors to help them understand about cyber
crime and what is happening there so they are able to do their
jobs more efficiently, too.
I am thankful for the time that you all have given me to
talk today, and I appreciate the opportunity that I have to say
something about this.
[The prepared statement of Mr. Waddle follows:]
Prepared Statement of Don Waddle
April 7, 2016
I served as a police officer in both military police and civilian
police departments for 39 years. The last 25 years were spent with the
Greenville Police Department in Greenville, Texas. The last 15 years I
was assigned to the Criminal Investigation Division working Property
Crimes and Fraud. Fraud often involves the use of computers to
facilitate the crime. Checks are generated and printed on computers.
Credit card abuse and identity theft are often committed using the
internet. I retired from law enforcement on March 31, 2016. During the
last 10 years I have also been assigned to the North Texas Electronic
Crimes Task Force with the United States Secret Service in Dallas,
Texas. In this assignment I have worked side-by-side with special
agents of the Secret Service and with numerous State and local
investigators. We are all trained to recover evidence from computers
and cell phones, and we do these examinations from agencies throughout
North Texas. These cases involve anything from fraud to narcotics to
child pornography to murder and capital murder. I have testified in
trials from possession of child pornography, to enticing a child, to
murder and capital murder.
As I look back at my career in law enforcement, I remember going to
a call for a burglary, throwing some dust around and hoping that the
perpetrators didn't get guns or the victims checkbook or credit cards.
As time moved forward computers and cell phones came into being and on
that same burglary, I now had to hope the perpetrators did not get the
victims' computer passwords or their cell phones. If that happened
there was no telling, how much the victim would end up being
victimized. It was obvious, that for me to provide better service for
the people of my city, I had to know how to catch the criminals that
were committing these offenses. Computer crime investigation is not an
inexpensive pursuit. The monetary cost to the city for training and
equipment, can be anywhere from $300 dollars a year to tens of
thousands of dollars a year. We needed help. That is where the U.S.
Secret Service and Federal Government come in. They helped us help our
citizens by providing us with training, equipment, and expertise.
Because of the training I received, I became a more valuable asset to
my department. I was sought out by other detectives for help with their
investigations. In major crime I have used the training I have received
to assist with murder investigations by mapping out locations
perpetrators used to hide their victims bodies, to helping detectives
plot computer searches that outlined their case, to intelligence for
narcotics investigators. I am also called on to assist other local
agencies with their investigations. They have used the information I
provided to prepare their cases for prosecution. I am also called on by
the prosecutors to answer questions regarding computer crime. Had I not
had this training, I would not have made new contacts that could be
beneficial for me as well.
In early 2006, I went to the United States Secret Service, Dallas
Field Office to drop off a computer for examination. While at the
office and lab, I spoke with Bob Sheffield who was the head of the
Electronic Crimes Special Agent Program (ECSAP) and The North Texas
Electronic Crimes Task Force (N-TEC) at the Dallas Field Office, and
was telling him how interested I was in learning about forensics. Mr.
Sheffield plainly stated ``We can do that for you.'' I went to the
Federal Law Enforcement Training Center in Brunswick Georgia, for 6
weeks learning about computers and computer forensics. Shortly after
completing this training the National Computer Forensics Institute
(NCFI) was opened in Hoover, Alabama. I started to go to the training
at NCFI, and have been to Advanced Forensics Training (AFT), Mobile
Device Data Recovery (MDDR) cell phone training, and Mac Forensic
Training. The NCFI has a solid outline of what is needed for each
class. They strive hard to provide very qualified instructors, who make
every effort to give each student all they need to be qualified to do
their job. The equipment NCFI provides and the equipment used for the
classes is some of the very best that can be used. Not only is there
discussion of ways to conduct a forensic investigation but discussion
also covers court procedure and testifying. I have also been to
numerous conferences related to electronic crime and have always come
away with something new. I am not the main benefactor of this training.
The citizens of Greenville, Texas and Hunt County, Texas, as well as
the north Texas area reap the benefits of this training with better
recovery rates for property as well as more perpetrators being taken
off the streets. NCFI also trains prosecutors and judges in protocols
and also in evidence.
Mr. Ratcliffe. Thank you, Detective Waddle.
I will now recognize myself for an initial round of
questions for our distinguished panel.
Let me start with you, Mr. Davis. As you know, prior to
being elected to Congress, I served on the Advisory Board at
TEEX, and so I am very familiar with your organization. It is
the largest homeland security training facility in the world, I
think some 200,000 folks a year.
Mr. Davis. Yes, sir. That is exactly correct.
Mr. Ratcliffe. So it is just a terrific organization, and
again I am thankful that you are here today.
So in your capacity there at TEEX, I would be interested in
your perspective on what are the key challenges with
cybersecurity training at the local level going forward.
Mr. Davis. Yes, sir. Thank you. First of all, to your
comments regarding TEEX, because we are serving and extension
is part of our mission, I would think that my perspective is
the awareness issue that training is available that is DHS/
FEMA-funded training, sir. I reeled off some numbers of 32,000
that we have trained across the United States, but when we look
at what portion of those numbers come from the State of Texas,
for example, or if I go to State and local districts, those
numbers are very, very small.
So I think the issue is the awareness in accessing that
training that is available. One of my fellow panel members
mentioned the need for training, and of course I passed my
cards out here. But we go to those jurisdictions so they don't
have to spend any money sending them to us. We do direct-
delivery, face-to-face training.
So the short answer to your question is awareness and
accessing--not access, but accessing----
Mr. Ratcliffe. So as a follow-up, do you know that even
here in this audience there are a whole bunch of local
community representatives that could be the beneficiaries of
that type of cyber training TEEX offers? So how can they get
it?
Mr. Davis. Yes, sir. We have on-line training at
www.teex.org. If you go on our website you will see a section
on cybersecurity training, and anyone that is in this audience
can, in fact, access that training on-line.
Mr. Ratcliffe. So, a follow-up question. Is TEEX right now
in a position to--or how is TEEX leveraging any relationships
or partnerships with the Department of Homeland Security at the
National level?
Mr. Davis. Yes, sir, we are. I had some details in my
statement. But first of all, we think it is always important to
address any issue as a team. I think you used the team sport
analogy there. There has recently been a reorganization of
several entities at the DHS level to become more
operationalized, okay?
There is a young lady here with me today, Ms. Rebecca Tate.
When we started doing cyber training back in 2010, we visited
first with our program manager--back then it was also called
NCSD, National Cybersecurity Division--and the Infrastructure
Protection Directorate. We went to them to talk about those
things we were hearing from State and locals.
So we met with them on a regular basis to actually find out
what training needs did they see at the National level, and I
am proud to say we are on our third course now that is a result
of that collaboration. We did a recent course in the States of
Utah and Rhode Island that brings cyber and infrastructure
protection together, and that is a direct result of our
collaboration with those folks in DHS.
Mr. Ratcliffe. Terrific. Thank you.
Chief Greif, let me turn to you. You bring to us today a
wealth of professional experience with different public safety
organizations. I know you are here today as a spokesman for the
IAFC. So let me ask you, when Congressman Burgess and I and
others at the National level talk a lot about the importance
and the need for coordination across critical infrastructure
sectors to encourage cyber resilience, how are those efforts or
how do those efforts impact public safety organizations at the
State and local level like you have been involved with?
Mr. Greif. For example, we have fusion centers that are
often funded with Office of Emergency Communications funds.
Those fusion centers allow all of the common agencies, the
necessary agencies to mitigate any type of emergency situation,
to come together with all stakeholders. The more we are coming
together and sharing some information with one another, that
would be one example of how that benefits us. At the National
level, the funding trickles down to the local jurisdictions.
As I said earlier about the Super Bowl, I had no idea until
I was put on that committee just what-all goes into a major
event like that, the planning with all the different agencies
throughout the 4-county region that came together. We met
monthly for a year just on my committee, which was
communications. A big effort was talking about all the
resources that were available to us, protection as well as
workarounds, what to do in case of----
Mr. Ratcliffe. I am glad you mentioned that because as a
follow-up and in your testimony you talked about it being
worthwhile to study the effects of cyber attacks on public
safety organizations. Are you aware of anyone who is putting
together sort-of a best practices with respect to public safety
organizations and cybersecurity practices?
Mr. Greif. One of the efforts that is underway is I chair
a--I am on the board of directors for a public safety
communications agency. The DHS has actually sent members a few
times a year when we meet annually, and there is a panel of
experts. It is made up of IT personnel, information technology
people, as well as fire, police, EMS, and they are working on a
document just like that, that came out at last year's meeting.
So certainly it is on the forefront of our consciousness.
We are doing everything we can to piggyback on Mr. Davis'
comments. It is knowing, understanding what is out there. There
is some wonderful training available. It is getting personnel
to understand that the fire and police, especially speaking for
my brethren, that we understand the necessity for us to get
involved in the critical questions we need to be asking.
Mr. Ratcliffe. Terrific. I noticed in your testimony you
talked about segregating the CAT and the 9-1-1 systems for
security purposes. Is that common?
Mr. Greif. I can't say for sure because I have only been a
part of two jurisdictions, so I don't want to get too specific,
but I don't believe that it is widely spread. We were very
cautious where I came from. We wanted to make sure we took all
reasonable means, even though that added some complexities to
day-to-day life. The more you secure something, the harder it
is sometimes to operate it or update it. But we felt it was
worth the trouble to keep it segregated.
Mr. Ratcliffe. Terrific. Thank you.
I do have some additional questions, but I want to yield to
Congressman Burgess. As I mentioned, I am very grateful that he
is here today at this subcommittee hearing. He represents the
26th Congressional District of Texas, which sounds like it is a
long way away from the 4th District, but it is really next
door. He represents all of Denton County and most of Tarrant
County as well. He serves on the House Energy and Commerce
Committee, and in that capacity he also is the Chairman of the
Subcommittee on Commerce, Manufacturing, and Trade, and he is
very steeped in cybersecurity issues. In that role he has been
a leading voice in Congress on the data breach issues as cyber
criminals focus on more fraudulent activity that affects more
Americans and that affects commerce. He has been a leading
voice with respect to the need for legislation in that area.
So with that, I want to recognize Congressman Burgess and
yield him as much time as he may consume to provide some
remarks on the issue of data breach questions he may have for
our panel.
Mr. Burgess. Great. Thank you, Chairman.
Thank you all for being here. Thank you for allowing me to
be here.
Chairman, it is not lost on me that this is a field
hearing, and I am sure your district is grateful that you are
doing it and you are here on the campus. Even though we are not
in the Rayburn Room, Mr. Rayburn, this is his district. So it
is fitting that we are here.
I do serve as the Chairman of the Subcommittee on Commerce,
Manufacturing, and Trade. We are concerned about data breach
episodes that have occurred and the consequent notification
that is or should be required for the protection of the
consumer when these breaches do occur. So while Chairman
Ratcliffe is Chairman of the subcommittee that deals with the
.gov side of the world, we deal with the .com side of the
world. But as I tell people all the time, it doesn't really
matter. Data security is National security, and if you forget
that fact, then you are going to be upset at some point, which
we all found last year at tax filing time and we rather expect
it may come up again in a couple of weeks when the income taxes
are filed and people realize that they can no longer file their
taxes on-line because their accounts have been diverted in the
past and monies have gone inappropriately.
The good news is the taxpayer is eventually made whole. It
does take longer for them to get their refund. The bad news is
that the Federal Government actually is refunding that money
twice. It is unlikely they will recover it for the individual
who is inappropriately reimbursed, and this is no surprise
because of the behavior of someone who would do that. Sometimes
they over-estimate the amount of money they are doing that
reimbursement. So it is kind of like a double-whammy for the
IRS. I know we got a ton of calls on that last April 15.
Mr. Wilson, I rather suspect that--a lot of our calls
started to come from some of our local police agencies when our
neighbors called the police department and said, oh my gosh,
our taxes have been hacked and I have been robbed. They said,
well, let's call your Congressman and he will fix it.
[Laughter.]
Mr. Burgess. True, but it took some time, and it was very
uncomfortable all around.
I really got interested in the data breach notification.
All of us are consumers, and we hear the big stories about the
big breaches, and then the data is taken. It is data that is at
risk somewhere and you don't really know what anyone is doing
with it. But from the consumer's perspective, when do we need
to be notified? It almost seems like we have breach fatigue
because we hear so much about breaches. I am not going to worry
about it anymore because I just can't worry about all of these
things that I am hearing.
So we really did try to set the parameters around a
National data security standard and for when that breach
notification threshold should be triggered, and if law
enforcement says we need more time, that they be given more
time. But if law enforcement's time frame is okay, then the
person who was holding the data that has subsequently been
breached, that they have a certain time frame in which they
must notify the individual. Right now, the bill has passed
through the subcommittee, our subcommittee and our full
committee, and it is awaiting floor activity right now. That
time frame is set at 30 days.
In setting a National security standard, it is your duty to
tread carefully because there are 51 State jurisdictions, if
you include the District of Columbia, more if you include the
territories, who may already have their own ideas about what
these data security standards are, and I am sensitive to that.
The Commerce Clause is sometimes over-used and over-interpreted
by the Federal Government.
But this is one of those times when I try to envision the
Founding Fathers sitting down and writing those Article I
conventions: What are the powers of the Congress? The
regulation of interstate commerce, the trade between the Indian
tribes--well, okay, they were 100 years before the telegraph,
150 years before the telephone, 250 years before the internet,
but they were probably thinking of e-commerce when they wrote
the Commerce Clause into the Constitution because e-commerce,
by definition, needs to flow seamlessly across the borders of
those States, and the Commerce Clause was absolutely necessary
for e-commerce to exist. We want to be sensitive to that.
To the extent that a National standard is set, States do
need to have a big say in what that floor is that is going to
be established, and the State attorneys general. The provision
that passed through the committee, the full committee, was that
the Federal Trade Commission would use existing enforcement
authority. We did not want to create a new enforcement
authority because we already have enough Federal agencies. But
the Federal Trade Commission, using its existing authority on
deceptive and unfair trade practices, would exercise that
authority. But the attorneys general of the several States
would be able to bring their own cases under those FTC
provisions if the FTC was not moving fast enough, which will
occur from time to time.
That bill has passed through the subcommittee. It is
awaiting floor activity.
I wake up every morning kind-of living in fear of, when is
the next shoe going to drop on this? You hear about a big
company, and they have been hacked, and they took all these
records, and they are sitting somewhere, and nothing is really
happening with that. When is the other shoe going to drop on
all of those people who were exposed in that breach?
The other thing that we really have just begun to scratch
the surface of in our subcommittee, and I know Chairman
Ratcliffe will work on it in his subcommittee, is it is
terribly frightening to me as a physician to think about the
denial-of-service activity that has been hitting some health
care organizations. To think of having a fragile medical
patient in the ICU, and you walk in in the morning and you say
may I see the chart of the overnight vital signs of my patient,
and they say I am sorry, sir, it has been encrypted, and we
don't have the key. I mean, what a dreadful situation to find
oneself in.
Mr. Wilson, I think you mentioned it in your testimony,
about coming up with, how do you set the deterrence on some of
these activities?
Mr. Chairman, I would just say I think in the case of
ransomware applied to a health care organization, the
deterrence ought to be, ``You will be shot at sunrise,'' and
perhaps that will do it, because this is a life-or-death
situation with these patients where their medical records have
been encrypted by a criminal.
But again, very useful panel for me. We do an emergency
preparedness summit in my district usually in April of every
year. I will be doing one in a couple of weeks. We live here in
an area where severe weather can happen in the month of April.
It can happen any month, as we learned this year, but April is
when we are most at risk for that. So I am very interested in
some of the things I learned this morning about--you protect
your systems. You conflate a denial-of-service activity with a
Super Bowl, and that is a big deal. You know the criminal mind
is just ever--things spring from it all the time, and you just
can't help but wonder what criminals might be thinking about.
But let me just start with you, Mr. Davis, and your
training. You mentioned you have some on-line instruction
courses----
Mr. Davis. Yes, sir.
Mr. Burgess [continuing]. That are available?
Mr. Davis. Yes, sir.
Mr. Burgess. Would you tell me just a little bit more about
this? Can average citizens access those, or is that something
that is perhaps reserved for the chiefs personnel in part of
their professional training?
Mr. Davis. The average citizen, Congressman, can access
those, and it is good basic information. I will give a personal
example, and I hope my wife doesn't get to see this----
Mr. Burgess. It is just between us.
Mr. Davis. Just between us boys here, right? Okay.
I got an email from a friend that said, hey, be careful.
This is a colleague at work, and I forwarded it to my wife. As
I was forwarding it, she was calling me or texting me to tell
me that, hey, I just got some information, re-verify my account
number, my password, my this, that, and the other. She was
doing a couple, 3 things. These shows that come on at 11
o'clock, these people, okay? She had given them all her
information. I said, my gosh, did you read the email I sent?
She didn't.
So when we talk about those things, when we talk about the
on-line courses, the general users, which talks about really
those things you need to be aware of, okay? Even now, even I am
more sensitized. Even when I get busy and I am looking at an
email, if I don't recognize somebody, I get more emails from
auctioneers, go pick up your money at the bank, we need your
account because we want to deposit something, and I go delete,
delete, delete.
So to answer your question, sir, they are available on-line
at www.teex.org, and the average citizen can access those
courses, and I recommend that they take them.
Also, last, let me say there are 3 States right now,
Arkansas, Louisiana, and Wyoming, and also a college, Fresno
Pacific University, where they are requiring their workers to
take our on-line courses.
Mr. Burgess. So part of my question, then, is do you
provide some credential for the person who has satisfactorily
completed the----
Mr. Davis. Yes, sir. They get a certificate for completing
an on-line course, and I think more importantly than the
certificate, they gain some knowledge that they can spread
around geometrically about how to protect their own
information.
Mr. Burgess. Seems like it would be a useful thing for a
homeowner's insurance policy. You know, sometimes we will give
a break to someone who takes a defensive driving course.
Mr. Davis. Yes, sir.
Mr. Burgess. On their automobile insurance. This might be
one of those places where the insurance company might want to
be proactive, and I am glad that you are providing the service.
Mr. Davis. Yes, sir.
Mr. Burgess. Is there a charge?
Mr. Davis. There is no charge, sir, but I think you have
just given us an idea to really reach out to insurance
companies and say, hey, here is an idea here, because you are
right, I have done that to get that discount. Dad doesn't teach
me to drive. I pay somebody----
Mr. Burgess. Very wise.
Chief, let me just ask you, in your previous role when you
were at the City of Fort Worth--of course, I don't want to get
parochial here. Forgive me, Chairman, but we have a Super Bowl
twice a year in Fort Worth called the Texas Motor Speedway, and
that will be happening this month. The Commander 500 I think is
the name of the race. Do you have as many people come to the
Texas Motor Speedway as come to a Super Bowl?
Mr. Greif. Yes.
Mr. Burgess. So even though the Super Bowl is unique, you
have these large, widely-attended events that happen in the
city of Fort Worth. I assume there has been kind of a learning
curve with that, but it gets back to the question that Chairman
Ratcliffe asked. How do you share that best practices
information from managing those large, widely-attended events
with other jurisdictions?
Mr. Greif. I am certain it is still going on. I am actually
glad I won't have to be part of that planning committee. We
used to tease the Arlington folks about we do Super Bowls twice
a year, as you alluded to. It starts months in advance, holding
meetings. You hold these meetings so often, you start building
personal relationships where you get to know Captain Webster
from Texas Department of Public Safety. I met more people
throughout the Denton region.
We came together and started about 3 or 4 months in advance
of each race, and you just literally shared as much information
as possible across lines with one another. As I said, it is so
important to prepare for a cyber attack and prevent it, and you
have to have preparations, which I won't go into details about,
but what do you do when one actually occurs? You need to have
back-up.
Those types of meetings are a mini-fusion center when it
really comes together and we sit there and spitball and come up
with ways to mitigate. So it is just a series of meetings, sir.
Mr. Burgess. Let me just ask you a question. We do have
some students in the audience, and you referenced the UASI
program. The former mayor of Mont Creek taught me a number of
new words, and UASI was one of them. I thought it was a
pejorative term when he first used it because when those
initial grants came out, if I recall correctly, as the
Department of Homeland Security was being organized, the UASI
grants were administered regionally. They were delivered to
Dallas and expected to be shared with Fort Worth, and I just
remember the mayor having some issues with that.
But for the students here, could you kind-of go through
what the UASI program is?
Mr. Greif. Well, a Federal program that provides funding
for fire and police in other jurisdictions as well, but
obviously those are the ones I am most concerned about, and
many things get funded out of that, like training
opportunities. We can hold anything from hazardous materials
classes, where that funding not only was paying for our
personnel to go get the needed training, but it was paying for
the backfield because you still had to have troops driving
trucks to keep the city safe, to hardened equipment. It is
amazing.
Again, some of the stuff is somewhat--I won't talk about
necessarily some of the equipment that was purchased to protect
the community, but a major expense in equipment was purchased
for the protection of many different types of terroristic
activities, and that equipment was in place in cities all
across central Texas because of UASI.
Mr. Burgess. Chairman, I will yield back to you, and if
possible I will do a second round as well.
Mr. Ratcliffe. Perfect. I thank the gentleman.
Detective Wilson, I want to take advantage of the fact that
you are here on behalf of the Dallas Police Department,
obviously one of the largest, most visible police departments
in the United States. I am just curious if you can offer
perspective on what the daily cyber threat looks like at the
Dallas Police Department.
You talked about in your testimony reliance on computer
networks for operational and for investigative functions, so I
assume that you have to take that into account in terms of the
daily threats that are coming into the Dallas Police
Department, and also take that into account in how you are
training your personnel to deal with those threats.
Mr. Wilson. Well, as you said, the Dallas Police Department
is the ninth-largest police department in the country, the
second largest in the State. So we act as a nexus for a lot of
information sharing, as well as collection. Daily, we get
notifications from agencies asking for information to support
an investigation or some type of threat that they have
uncovered, to give them the guidance or put them in the right
direction, who is the expert who can go in and help them.
Unfortunately, the Dallas center does not have a technical
expert within the center that deals with cybersecurity, but as
part of the approach to dealing with a wide varieties of crimes
that we deal with, we have a partnership with our Federal
agencies, and we have an expert within the Dallas Police
Department who actually works with a task force and the FBI. We
also have a couple of officers that deal with computers, and
they have been doing it for years and years. We find that as
they continue to perform these functions and people know the
capabilities that we have, we are increasingly tasked with
trying to assist other agencies.
As a fusion center director, I see most of the emails that
come into our center on a daily basis, so my email averages
approximately 200 to 300 per day coming in from Federal
partners, State partners, local partners, and from other States
as well, trying to reach out to you, to take advantage of the
network.
As we look forward to increasing our ability to address the
cyber threats, we basically have 2 problems. One is stop the
cyber threat in itself, and No. 2 is how do you pursue the
cyber threat actor, the person who actually committed it, and
to what extent do we go to prosecute? That definitely leans
toward our Federal partners. That is their jurisdictional area.
They have the resources and the expertise oftentimes that we do
not have, and they are always looking to try to assist us in
these types of situations.
Mr. Ratcliffe. Terrific. Thank you, Lieutenant.
Detective, I actually had a bunch of questions for you, but
your testimony was so thorough that you pretty much covered it.
I wanted to ask you about your experience with the Electronic
Crimes Task Force and, of course, the NCFI, National Computer
Forensics Institute, which my bill would authorize into law. I
really appreciated your testimony. You spoke eloquently of how
it benefitted you with respect to your career, but also
benefitted the folks that you serve as a detective in
Greenville. I just think that, more than anything else, it is a
great message, and I hope that as you go into retirement that
you will still continue to be a great ambassador because I
think that is what you are, an ambassador for how State, local,
and Federal partnerships, particularly as they pertain to
National security issues and cybersecurity as a National
security issue, how they are supposed to work.
We all know that 9/11 was a communication failure in many
respects, and we have worked hard in trying to eliminate that,
and with respect to the threats in cyber space and
cybersecurity, we want to avoid a cyber 9/11, if you will. So
some of the programs that you have been a part of, some of the
partnerships that you have been a part of have prevented that
up to this point in time and, I think, can in the future.
So again, I just appreciate you being here today, your
testimony, and what you stand for in that respect.
I am just going to close with a question for anyone that
wants to take it, or all of you that want to take it. We asked
the question about what are the key challenges, and from your
testimony many of you talked about the financial side of things
and, obviously, fundamentally the role that Congressman Burgess
and I and others in Washington can play with respect to that
and how that affects workforce issues.
But are there authority issues out there that we can help
you with in Washington? In other words, are there things from
an authority perspective that we should be legislating on in
this space that you think need to be addressed? Anyone.
Mr. Wilson. I would say that the proper authority for
investigating cyber crimes is the way that you can get the most
impact, obviously, achieve a conviction. I would love the
Federal system to stay for the day instead of 1 day or 3 days.
So oftentimes, when we can't get the impact to take that
offender off the streets in a time that we consider to be
reasonable, we turn to our Federal partners. They have a much
wider reach, a little bit bigger handle to hit them with it.
They are most gracious and most times if they can do so, they
will. They have expanded powers. I believe that through
legislation you will find it will be even a stronger growing
trend from a local perspective to turn around and say rather
than a State trial, let them go and see what they can do to
stop that behavior. That would be my perspective.
Mr. Waddle. I kind-of go along the same lines. We see so
many repeat offenders that go off and that use our State prison
systems as education. I think that we have to be stiffer in our
punishments with these offenders because of the amount of
damage they do monetarily and even physically. So maybe some
stiffer enforcement.
Mr. Ratcliffe. Thank you.
I again recognize my colleague for any additional questions
he may have.
Mr. Burgess. Thank you, Chairman.
Detective, you did an excellent job of detailing how you
had received the training and being able to provide protection
for the people of your jurisdiction. We live under the tyranny
of the Congressional Budget Office where we work, and
everything is looked at as a cost. But as I listened to you
provide your testimony, it also occurred to me that there was
value brought back to your department, to Greenville, value
back to the community, and sometimes it is very difficult to
dissect out. When we look at something on a sheet of paper, on
a spreadsheet, it is just a cost, and we deal with this in
health care all the time, and it drives me nuts. But there is
really no way to offset the cost with the value that you
brought back to your community.
Just as we conclude the hearing today, if there are
thoughts that you have on that that you would like to share
with us about how to better tease out that value figure,
whether there is a fraction or a multiplier that could be
applied. Perhaps in your experience you have encountered either
some examples or even a formulaic approach, this much was
invested in the activity that I undertook, but this much was
delivered back to the community.
Mr. Waddle. The one thing that I failed to mention in my
testimony was that not only do I cover Greenville, but I also
assist the local agencies in Hunt County. Privately in our
office I did that, but also at the Electronic Crimes Task
Force, we covered most of North Texas. So we assisted agencies
from Denton, from Steubenville, from Tyler, Lindale, that area,
all the way out to Texarkana. So the training that I received
has been able to help me help those people.
There is a cost, and I understand that. Again, I don't
question that. We had the same problem in the city, the city
manager saying, well, you don't need to spend that. I
understand that. But when we can benefit, and in my case, with
the experience that I have, when we can benefit our own
citizens and those around us, and they know that they have
somebody that they can contact to get answers, I think that the
money spent is spent well because it benefits so many people in
getting answers to their questions and assistance in their
investigations.
Mr. Burgess. Intangible, difficult to calculate for a
return on investment, but it definitely exists, doesn't it?
Mr. Waddle. Exactly.
Mr. Burgess. Thank you, Mr. Chairman. I will yield back.
Mr. Ratcliffe. I thank the gentleman.
I thank all the witnesses that have been here today for
your valuable testimony.
Again, I thank Congressman Burgess for being here and
bringing his insights into this important topic.
Other Members of this committee that aren't here today may
have some additional questions for our witnesses. So if that
happens, we will ask you to respond to those in writing.
Pursuant to Committee Rule 7(e), the hearing record from
today will be held open for 10 days for Member statements and
for follow-up questions.
In closing, let me just again say thank you to everyone
that is here today, that has participated in putting this
together, and thanks to everyone in Grayson County for letting
me bring the Washington road show here to my home district.
With that, without objection, this subcommittee stands
adjourned.
[Whereupon, at 12:22 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman John Ratcliffe for Alphonse Davis
Question 1. Are State and local governments ever the target of
nation states, hacktivists, or criminals and are they aware of and
taking advantage of the protections that DHS offers through its
Enhanced Cybersecurity Services program?
Answer. State and local governments are targets currently under
attack with unstructured, structured, and highly-structured attacks.
These attacks range from the unstructured ``script kiddies'' looking
for low-hanging fruit to the less-frequent, highly-structured attack
from nation states looking to gather information. We are also aware of
motivated actors from foreign organized crime organizations utilizing
ransomware in our country, even at the local Government level--a trend
that seems to be growing.
Our experiences and relationships across the country indicate that
the DHS-supported NIST Cybersecurity Framework is gaining recognition
and respect within local and State communities, as well as with small,
medium, and large businesses. However, widespread awareness and
adoption of the DHS Enhanced Cybersecurity Services (ECS) is in the
very early stages. ECS needs more exposure in order to educate local
and State governments on its availability and capabilities, with
additional information on how to request the services.
Question 2a. How does TEEX decide what cyber-related training
courses to offer? How are those courses evaluated?
Answer. For the development or continuation of any cyber-related
training courses, we conduct a needs analysis to examine gaps in
operational knowledge and capabilities, gathering data from National
surveys, utilizing publicly-available data on training needs (from
reports such as the 2015 National Preparedness Report), and
interviewing State and local contacts regarding their needs. As part of
that needs analysis, we evaluate the scope and priority of the need,
the audience, the method of training delivery, and the availability of
duplicate or similar training.
In some instances, the development of a new course is initiated by
Federal partners. Most recently, the ``Physical and Cyber Security for
Critical Infrastructure'' course was developed through a collaboration
between DHS Cybersecurity and Communications and the DHS Office of
Infrastructure Protection. They recognized the need for a better
understanding of the interdependency between physical and cybersecurity
at the local level as well as the need for communities to
collaboratively formulate enterprise risk management strategies,
enhancing infrastructure security and resilience efforts. The DHS
departments worked with TEEX to develop the course that meets that
need.
During the recent revision of a course on ``Community Preparedness
for Cyber Incidents,'' we examined the gap identified between Emergency
Management and Information Technology. We conducted interviews with
people in these disciplines to identify what they need to learn to be
better-prepared for the ever-increasing and ever-evolving threat of a
significant cyber incident. We are in constant communication with State
and local governments, and they often describe what they are seeing in
their communities and ask how we can assist.
Question 2b. Are they assessed or updated regularly, due to the
changing cyber landscape?
Answer. Our courses undergo a needs analysis and recertification
every 3 years in order to remain relevant and current. In addition, our
courses are continually evaluated through participant feedback to
identify improvements and updates prior to a schedule update.
Our program staff (instructors, curriculum developers, managers)
dedicates a significant amount of time each week researching and
learning about the latest trends and threats in the cybersecurity
landscape. This information is used to update course content and for
use as updated examples in course deliveries. We also keep in close
touch with our DHS partners and add information to our courses about
new DHS resources and assistance available as we learn it.
Questions From Chairman John Ratcliffe for Sam Greif
Question 1a. How important is coordination across critical
infrastructure sectors for encouraging cyber resilience?
Question 1b. How do these efforts impact public safety
organizations and State and local entities?
Answer. As you can imagine, it is vitally important that critical
infrastructure sectors share information about potential threats. Local
fire and emergency medical service departments need to be warned of
potential cyber threats, so that they can take the appropriate
protective action. For example, while there have been well-publicized
stories in the media about hospitals having to deal with the effects of
ransomware incidents, local fire departments also have had to deal with
these problems. In January, the city of Snoqualmie, Washington, paid a
ransom of $750 to hackers that took control of a computer at the Duvall
Fire District.
I receive notices of possible threats from the local Plano police
department, the council of governments, and the Homeland Security
Information Network, among other resources. This information, and the
lessons learned from cyber attacks, is key to preventing or mitigating
these threats. It is important to recognize that the ease of
implementing a cyber attack may encourage a lone-wolf terrorist or
criminal, who otherwise would not want to risk personal injury in a
kinetic assault on a fire or police station. So we may see an increase
in these threats in the future. Again, thank you for the opportunity to
participate in the discussion on this important topic. The threat of
cybersecurity only continues to increase. The Nation's fire and
emergency service must be prepared for it.
Questions From Chairman John Ratcliffe for Richard F. Wilson
Question 1. Are State and local governments ever the target of
nation states, hacktivists, or criminals and are they aware of and
taking advantage of the protections that DHS offers through its
Enhanced Cybersecurity Services program?
Answer. The city of Dallas has in the past, and with daily
incidents, been subjected to, and been the subject of adversarial
attacks by foreign powers, foreign extra-territorial actors, National
and local hacktivists, criminals and unclassifiable agents.
The city, in addition to local defensive capabilities, also
utilizes the services and cyber-intelligence capabilities provided by
Department of Homeland Security, DHS, and other National (private and
public) capabilities.
Question 2a. How important is coordination across critical
infrastructure sectors for encouraging cyber resilience?
Question 2b. How do these efforts impact public safety
organizations and State and local entities?
Answer. It is extremely important and a necessity to have a
structured, systemic coordination, incident response collaboration,
monitoring, quality capabilities and management between the SLTT and
central government.
The impacts these types of activities provide to public safety
organizations, and State and local entities are more structured
protective strategies, more pro-active incident alerting, and responses
that leads to faster incident identification and management. This in
turn ensures that outcomes of these incidents are managed effectively
and timely, thereby ensuring that the adverse potential outcomes of
these incidents, do not overburden the local resources and
capabilities.
Questions From Chairman John Ratcliffe for Don Waddle
Question 1. How was your work with the Electronic Crimes Task Force
(ECTF) valuable to your career as a detective?
Answer. In my police department, while working as a detective, I
worked property crimes, which covers theft, criminal mischief, stolen
cars, and fraud. Prior to being assigned to the North Texas Electronic
Crimes Task Force, there was only a few ways for me to go at fraud.
This would be what I read in books or by getting guidance form our
prosecutors. After getting on the task force I learned more by being
involved in investigations with other agencies and with helping Federal
authorities with their investigations. I was able to share my knowledge
with other members of law enforcement and was also able to build up my
knowledge in investigating fraud. I was also able, because fraud
oftentimes involves computers and cell phones, to learn about computer
and cell phone forensics. By being assigned to the task force I learned
more about the crimes I was investigating, and was able to use that
knowledge to prepare better cases for prosecution, and to bring answers
to my victims of crime.
Question 2. How did your work with ECTF differ from or support your
work as a detective in Greenville?
Answer. I do not believe my work with the task force differed from
my work as a detective in Greenville. My job is to investigate crime
and I did that in both places. I built a strong network of other
investigators that could help me if I had a question, or I could help
if they had a question. When I think of supporting my work as a
detective in Greenville, I would probably never have been able to
conduct the investigations I conducted without the equipment and
training I received as a task force member. One case in particular was
a defendant who stated he talked to another person very infrequently,
but when I examined both phones I was able to determine that they had
numerous conversations all the time. This was done using equipment and
training I received while assigned to the task force. I also had
Federal partners that could come in and help me with my investigations,
and if need be, could assist me in preparing for a Federal prosecution
of the case.
I hope that my answers to your questions provide enough information
for you to make important decisions related to Cybersecurity,
Infrastructure Protection, and Security Technologies.
I want to stress that I am extremely grateful for having been on
the North Texas Electronic Crimes Task Force and the training and
equipment that I received. The city of Greenville and all of Hunt
County, Texas, benefitted from my association with the Electronic
Crimes Task Force.
[all]