[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

ENHANCING PREPAREDNESS AND RESPONSE CAPABILITIES TO ADDRESS CYBER THREATS
=======================================================================

JOINT HEARING BEFORE THE SUBCOMMITTEE ON EMERGENCY PREPAREDNESS, RESPONSE, AND COMMUNICATIONS AND THE SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES OF THE COMMITTEE ON HOMELAND SECURITY, HOUSE OF REPRESENTATIVES, ONE HUNDRED FOURTEENTH CONGRESS, SECOND SESSION

MAY 24, 2016

Serial No. 114-71

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

U.S. GOVERNMENT PUBLISHING OFFICE, 23-243 PDF, WASHINGTON : 2017

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Candice S. Miller, Michigan, Vice Chair
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
Curt Clawson, Florida
John Katko, New York
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Brian Higgins, New York
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Norma J. Torres, California

Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

------

SUBCOMMITTEE ON EMERGENCY PREPAREDNESS, RESPONSE, AND COMMUNICATIONS

Daniel M. Donovan, Jr., New York, Chairman
Tom Marino, Pennsylvania
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
Michael T. McCaul, Texas (ex officio)

Donald M. Payne, Jr., New Jersey
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Bennie G. Thompson, Mississippi (ex officio)

Kerry A. Kinirons, Subcommittee Staff Director
Kris Carlson, Subcommittee Clerk
Moira Bergin, Minority Subcommittee Staff Director

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

John Ratcliffe, Texas, Chairman
Peter T. King, New York
Tom Marino, Pennsylvania
Scott Perry, Pennsylvania
Curt Clawson, Florida
Daniel M. Donovan, Jr., New York
Michael T. McCaul, Texas (ex officio)

Cedric L. Richmond, Louisiana
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Bennie G. Thompson, Mississippi (ex officio)

Brett DeWitt, Subcommittee Staff Director
Katie Rashid, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director

C O N T E N T S
----------

Statements

The Honorable Daniel M. Donovan, Jr., a Representative in Congress From the State of New York, and Chairman, Subcommittee on Emergency Preparedness, Response, and Communications: Oral Statement; Prepared Statement
The Honorable Donald M. Payne, Jr., a Representative in Congress From the State of New Jersey, and Ranking Member, Subcommittee on Emergency Preparedness, Response, and Communications: Oral Statement; Prepared Statement
The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Oral Statement; Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security: Prepared Statement

Witnesses

Mr. Mark Ghilarducci, Director, Emergency Services, Office of the Governor of California: Oral Statement; Prepared Statement
Mr. Daniel J. Cooney, Assistant Deputy Superintendent, Office of Counter Terrorism, New York State Police: Oral Statement; Prepared Statement
Brigadier General Steven Spano (Retired, USAF), President and Chief Operating Officer, Center for Internet Security: Oral Statement; Prepared Statement
Mr. Mark Raymond, Vice President, National Association of State Chief Information Officers: Oral Statement; Prepared Statement
Mr. Robert Galvin, Chief Technology Officer, Port Authority of New York and New Jersey: Oral Statement; Prepared Statement

ENHANCING PREPAREDNESS AND RESPONSE CAPABILITIES TO ADDRESS CYBER THREATS
----------

Tuesday, May 24, 2016

U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Emergency Preparedness, Response, and Communications, and Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Washington, DC.

The subcommittees met, pursuant to call, at 10:07 a.m., in Room 311, Cannon House Office Building, Hon. Daniel M. Donovan [Chairman of the Subcommittee on Emergency Preparedness, Response, and Communications] presiding.

Present: Representatives Donovan, Walker, McSally, Ratcliffe, Watson Coleman, Jackson Lee, Langevin, and Payne.

Mr. Donovan. The Subcommittees on Emergency Preparedness, Response, and Communications and Cybersecurity, Infrastructure Protection, and Security Technologies will come to order. The subcommittees are meeting today to receive testimony regarding efforts to enhance preparedness and response capabilities to address cyber threats. I now recognize myself for an opening statement.

First, I would like to thank Chairman Ratcliffe and Ranking Member Richmond for working with me and Ranking Member Payne on this issue. Also, I would like to thank all of our witnesses today for coming to join us in this important discussion.

We are all aware the cyber threat is real, from both state and non-state actors. The countless cyber attacks against the United States and its citizens, including major attacks against Target, Home Depot, OPM, and Anthem are just the tip of the iceberg. I believe that the number and magnitude of attacks will only increase, especially as more and more of our lives become connected to the internet.
It is imperative that we ensure that our State and local officials, as well as our first responders, are prepared to protect against and respond to a cyber attack. Furthermore, we are seeing an increase in the number of cyber attacks that, if successful, can cause widespread physical damages to a community and require a whole-of-community response. Already, state and non-state actors have attempted to interfere with 9-1-1 call centers, sent out inaccurate alerts and warnings, and tried to take over the controls of a dam.

While we have taken numerous steps to enhance our capabilities, we have a long way to go in addressing these threats. As a member of Chairman Ratcliffe's subcommittee, I have heard about the progress the Federal Government, States, and localities have made in enhancing our cybersecurity capabilities. But I am left scratching my head when I see that for the fourth year in a row, the National preparedness report released by FEMA indicates that States continue to report cybersecurity as the lowest core capability. What is preventing us from reaching the appropriate level of cybersecurity? What obstacles are States facing, and what can we do to help?

I am especially interested in learning more about what happens after a cyber attack that has physical consequences. Who is in charge of the response, and how are first responders coordinating with cyber officials who are trying to mitigate the attack? I know States like California have set up a task force to answer these exact questions. Additionally, in 2012, the National-Level Exercise looked at the Nation's ability to respond to a large-scale cyber attack with physical consequences. One of the key recommendations from this exercise was to finalize a cyber response plan that clearly defines the roles and responsibilities of all of the potential response entities.
Four years since that exercise and 6 years since the interim draft of the National cyber incident response plan was released, we do not have a finalized and approved plan. Developing and finalizing this plan needs to be a priority of the Federal Government. I understand that the Department plans to finally begin stakeholder engagement on the development of the final plan in the coming weeks. I certainly hope that they will be engaging with all of today's witnesses to get their feedback.

Also, I have heard that while sharing cyber information is becoming more prevalent, there is still confusion on who States should talk to when an incident occurs. The sharing of cyber-related information with the emergency management and first response communities is, at best, ad hoc. These people are going to be the first on the scene and should have insight into whether the incident they are responding to has been caused by a cyber attack. Can States utilize their fusion centers to be a force multiplier to disseminate critical cyber information? I know that my State is taking this approach, and I am interested to hear if it has been successful.

A few years ago, Secretary Johnson made a statement that I feel is still true today. He said, ``Cybersecurity is a shared responsibility, and it boils down to this: In cybersecurity, the more systems we secure, the more secure we are. We are all connected on-line, and a vulnerability in one place can cause a problem in many other places. So everyone needs to work on this. Government officials and business leaders, security professionals and utility owners and operators.'' That is why we are here today.

I want to thank all the witnesses for testifying today, and I look forward to highlighting the good work that you are all doing to enhance your cybersecurity capabilities and learning about what areas are still a challenge and how the Federal Government can help in mitigating those gaps.
[The statement of Chairman Donovan follows:]

Statement of Chairman Daniel M. Donovan, Jr.
May 24, 2016

First, I'd like to thank Chairman Ratcliffe and Ranking Member Richmond for working with me and Ranking Member Payne on this issue. Also, I would like to thank all the witnesses for coming today to join in this important discussion.

As we are all aware, the cyber threat is real from both state and non-state actors. The countless cyber attacks against the United States and its citizens, including major attacks against Target, Home Depot, OPM, and Anthem, are just the tip of the iceberg. I believe that the number and magnitude of attacks will only increase, especially as more and more of our lives become connected to the internet. It is imperative that we ensure that our State and local officials as well as our first responders are prepared to protect against and respond to a cyber attack. Furthermore, we are seeing an increase in the number of cyber attacks that if successful can cause wide-spread physical damages to a community and require a whole-of-community response. Already, state and non-state actors have attempted to interfere with 9-1-1 call centers, send out inaccurate alerts and warnings, and tried to take over the controls of a dam.

While we have taken numerous steps to enhance our capabilities, we have a long way to go in addressing these threats. As a Member of Chairman Ratcliffe's subcommittee, I have heard about the progress the Federal Government, States, and localities have made in enhancing our cybersecurity capabilities, but I'm left scratching my head when I see for the fourth year in a row, the National Preparedness Report, released by FEMA, indicates that States continue to report cybersecurity as the lowest core capability. What is preventing us from reaching the appropriate level of cybersecurity? What obstacles are States facing and what can we do to help?
I'm especially interested in learning more about what happens after a cyber attack that has physical consequences. Who is in charge of the response and how are first responders coordinating with cyber officials who are trying to mitigate the attack? I know States like California have set up task forces to answer these exact questions. Additionally, in 2012, the National Level Exercise looked at the Nation's ability to respond to a large-scale cyber attack with physical consequences. One of the key recommendations from this exercise was to finalize a cyber response plan that clearly defines the roles and responsibilities of all the potential response entities.

Four years since the exercise and 6 years since the interim draft of the National Cyber Incident Response Plan (NCIRP) was released, we still do not have a finalized and approved NCIRP. Developing and finalizing this plan needs to be a priority of the Federal Government. I understand that the Department plans to finally begin stakeholder engagement on the development of the final plan in the coming weeks. I certainly hope they will be engaging with all of the witnesses at today's hearing to get their feedback.

Also, I have heard that while sharing cyber information is becoming more prevalent, there is still confusion on who States should talk to when an incident occurs and the sharing of cyber-related information with the emergency management and first responder communities is ad hoc at best. These people are going to be the first on the scene and should have insight into whether the incident they are responding to has been caused by a cyber attack. Can States utilize their fusion centers to be a force multiplier to disseminate critical cyber information? I know my State is taking this approach and I'm interested to hear if it has been successful.

A few years ago, Secretary Johnson made a statement that I feel is still true today.
He said ``[c]ybersecurity is a shared responsibility, and it boils down to this: In cybersecurity, the more systems we secure, the more secure we are. We are all connected on-line and a vulnerability in one place can cause a problem in many other places. So everyone needs to work on this: Government officials and business leaders, security professionals and utility owners and operators.'' And that is why we are here today.

I want to thank all the witnesses for testifying today and I look forward to highlighting the good work you all are doing to enhance your cybersecurity capabilities and learning about what areas are still a challenge and how the Federal Government can help in mitigating those gaps.

Mr. Donovan. The Chair now recognizes the gentleman from New Jersey, Mr. Payne, for an opening statement he may have.

Mr. Payne. Good morning. I would like to thank Chairmen Donovan and Ratcliffe for holding today's hearing to assess our ability to respond to cyber threats. The last time our subcommittee held a joint hearing on the subject was in the 113th Congress, about 3 years ago. What we have learned is that cyber threats are the new frontier of disaster response. Our legacy response doctrine, from the National Response Framework to the Stafford Act, is rooted in the era that predates reliance on cyber networks and growing threats posed by sophisticated actors. Despite our best efforts to ensure that our National preparedness doctrine is responsive to evolving threats, it has not kept pace with cyber threats.

My district is rich with critical infrastructure, all of which rely on cyber networks. Within 2 miles, we have major transit systems, chemical facilities, and refineries mixed among homes, schools, and hospitals. A hack of any one of these targets could have devastating, cascading effects and could risk overwhelming our brave first responders. We know that the threat is real.
Earlier this year, Iranian hackers breached the Bowman Avenue Dam network in Rye, New York. Fortunately, the dam was off-line for repair when the authorities discovered this breach. But I am worried that it is only a matter of time before the hackers are successful, and we need to be prepared when they are.

I applaud efforts at the State level to confront cyber threats head on. Some States, like California and my home State of New Jersey, have established State-level cyber information-sharing centers modeled after the National Cybersecurity and Communications Integration Center, or NCCIC. I would be interested to learn whether these centers facilitate improved information sharing and encourage better relationships among non-traditional partners who would play an important role in cyber response.

At the same time, I would be remiss if I did not note that while States annually indicate that they lack the confidence in their cybersecurity capabilities in the National preparedness report, very few invest homeland security grant funding to address the capability gap. I would be interested in understanding why. Is it because the Federal Government has not provided adequate guidance on how to address the threat or whether the amount of grant funds available after cuts to grant programs in the recent years prevents States from investing in cyber capability?

The witnesses at that hearing made two points that stuck with me: First, the witnesses emphasized that the response to cyber attacks will require people from chief information officers to emergency managers to private-sector partners to break out of their silos and coordinate with non-traditional partners; second, they said that the existing disaster response guidance does not adequately address the complexities of responding to cyber events these days.
I look forward to hearing our witnesses' opinions on how the National Incident Management System, the National Response Framework, and other disaster management doctrine should be updated to reflect the unique qualities of a cyber event. I appreciate the witnesses for being here today, and I look forward to their testimony. With that, Mr. Chair, I yield back.

[The statement of Ranking Member Payne follows:]

Statement of Ranking Member Donald M. Payne, Jr.
May 24, 2016

The last time our subcommittees held a joint hearing on this subject was during the 113th Congress--about 3 years ago. What we learned is that cyber threats are the new frontier of disaster response. Our legacy response doctrine--from the National Response Framework to the Stafford Act--is rooted in an era that predates reliance on cyber networks and growing threats posed by sophisticated hackers. Despite our best efforts to ensure that our National preparedness doctrine is responsive to evolving threats, it has not kept pace with cyber threats.

My district is rich with critical infrastructure, all of which rely on cyber networks. Within 2 miles, we have major transit systems, chemical facilities, and refineries mixed among homes, schools, and hospitals. A hack of any one of these targets could have devastating cascading effects and could risk overwhelming our brave first responders. And we know the threat is real. Earlier this year, Iranian hackers breached the Bowman Avenue Dam network in Rye, New York. Fortunately, the dam was off-line for repair when the authorities discovered the breach. But I am worried it is only a matter of time before the hackers are successful--and we need to be prepared when they are.

I applaud efforts at the State level to confront the cyber threat head on. Some States--like California and my home State of New Jersey--have established State-level cyber information-sharing centers modeled after the National Cybersecurity and Communications Integration Center.
I will be interested to learn whether these centers facilitate improved information sharing and encourage better relationships among non-traditional partners who would play important roles in a cyber response.

At the same time, I would be remiss if I did not note that while States annually indicate that they lack confidence in their cybersecurity capabilities in the National Preparedness Report, very few invest Homeland Security Grant funding to address that capability gap. I will be interested in understanding why--is it because the Federal Government has not provided adequate guidance on how to address the threat or whether the amount of grant funds available after cuts to grant programs in recent years prevents States from investing in cyber capabilities?

While I am on the subject of grant funds, I have been outspoken about my opposition to the proposed cuts to the Homeland Security Grant Program as well as the Port and Transit Security Grants. I have serious concerns that the proposed cuts would only further jeopardize whatever progress States and other grantees are making to address cyber threats, and I will be interested in the witnesses' thoughts on that point.

Finally, as I indicated, our subcommittees held a joint hearing on responding to a cyber attack about 3 years ago. The witnesses at that hearing made 2 points that stuck with me. First, the witnesses emphasized that a response to a cyber attack will require people--from chief information officers to emergency managers to private-sector partners--to break out of their silos and coordinate with non-traditional partners. Second, they said that existing disaster response guidance does not adequately address the complexities of responding to a cyber event.

I look forward to hearing our witnesses' opinions on how the National Incident Management System, the National Response Framework, and other disaster management doctrine should be updated to reflect the unique qualities of a cyber event.

Mr. Donovan. The gentleman yields. The Chair now recognizes the Chairman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, the gentleman from Texas, Mr. Ratcliffe, for an opening statement he may have.

Mr. Ratcliffe. Good morning, everyone. I want to thank Chairman Donovan, Ranking Member Payne, for working with me and with Ranking Member Richmond on putting this issue together today. I also want to thank the witnesses for being here today. I am looking forward to hearing your testimony.

On the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, we talk a lot about the variety and high number of growing cyber threats that are out there. But today, we are going to hear about the other part of the equation, which includes the people, the hours, the programs designed and dedicated to preparing for and responding to the dangers that these cyber threats pose. Hopefully, having this discussion at a National level, will help bring to light some of the best practices and most evident areas for improvement at every level of government, whether it be the Federal, State, or local level. Because the truth is, every level of government is constantly having to face and respond to these threats, so we all need to be working together to understand the tactics and techniques and procedures that hackers are using so that we are better equipped to face the threats of tomorrow.

It is important that we spend as much time and energy thinking about the solutions that secure Americans as we do examining the dangers. The purpose of today's hearing is to focus on seeking those solutions to make Americans safer. In that spirit, we are constantly seeking to improve upon and expand the programs and partnerships in both the private sector and State and local governments that function to help keep Americans safe.
These partnerships are the nuts and bolts to secure Americans against the havoc that is possible if a bad actor were to successfully disrupt or damage one of the many systems that we rely upon for everyday life, like our water and our power. What we are hoping to gain from today's hearing is what more we can be doing to further these partnerships and programs.

The importance of the flow of information can't be stressed enough, as information is the currency with which security and insecurity is established in today's digital age. As fast as the bad actors are moving in cyber space, we have to be constantly moving faster to stay ahead of them, and right now we are not. While they have to only be right one time to cause damage, we have to always be resilient and stand perpetually ready with a plan and with answers.

I am glad to be having this joint hearing to highlight the interconnectedness of the response plans that are in place in case of a devastating cyber event, and the first responders who carry them out. At the Federal level, we have the ability to push out and develop plans beyond the capability currently available to the 50 States. But it is the responders already in those areas who will be the first people that those most directly affected will see if a catastrophic cyber attack occurs.

As Chairman Donovan mentioned, the draft National incident response plan, or NCIRP, was delivered to the White House in fall 2009, and in March 2010, an interim draft was released but not approved, subject to on-going review by the administration. It has now been 6 years since the release of the interim draft with stakeholder engagement just now starting. Six years is entirely too long for any type of response plan to sit on a shelf in the White House, but it is especially dangerous in the case of cyber. In 2014, Congress passed a law to require this cyber incident response plan to be finalized.
Clearly, the administration, by not finalizing this plan doesn't seem to be taking cyber incident response planning seriously. It begs the very obvious questions: What if there is a significant cyber attack in the United States? Does every level of government know their role? And how cyber response will be coordinated? We are neither too ignorant nor too proud to think that a major cyber event is outside the realm of possibility right now. So I would like to take this moment to convey that we are watching the development of this document very closely.

Look, it is very apparent that we have a lot more work to do. Securing our States from cyber threats now includes entirely new roles and responsibilities that didn't exist 50 years ago. Discussing, examining, and encouraging the programs and partnerships that Americans rely upon is absolutely critical to being able to preserve and guarantee the American way of life. I look forward to hearing from our witnesses today to learn what more we can and what we should be doing to advance the security of the American people. Thank you. I yield back.

[The statement of Chairman Ratcliffe follows:]

Statement of Chairman John Ratcliffe
May 24, 2016

Good morning, I want to thank Chairman Donovan and Ranking Member Payne for working with myself and Ranking Member Richmond on this issue. I also want to thank the witnesses for coming today to speak on this important topic.

On the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, which I chair, we often discuss the wide variety and high number of cyber threats that are out there and growing. Today, we are going to hear about the other part of the equation, which is the people, the hours, and programs designed and dedicated to preparing for and responding to the dangers that these cyber threats pose.
Hopefully having this discussion at a National level will help bring to light some of the best practices and most evident areas for improvement that will be applicable to every level of government whether it be at the Federal, State, or local level. Because the truth is, every level of government is constantly having to face and respond to these threats. We all need to work together to understand the tactics, techniques, and procedures of hackers in order to better equip ourselves and face the threats of tomorrow.

It is important that we spend as much time and energy thinking about the solutions that secure Americans as we do on the examination of the dangers. The purpose of today's hearing is to focus on seeking those solutions to make America safer. In that spirit, we are constantly seeking to improve upon and expand the programs and partnerships with both the private sector and State and local governments that function to make Americans safe. These partnerships are the nuts and bolts to secure Americans against the havoc that is possible should a bad actor successfully disrupt or damage one of the many systems that we rely on for everyday life such as our water and our power. What we are hoping to gain from today's hearing is what more we can be doing to further these partnerships and programs.

The importance of the flow of information cannot be stressed enough as information is the currency with which security and insecurity is established in today's age. As fast as the bad actors are moving in cyber space, we have to be constantly moving faster to stay ahead of them. While they only have to be right once to do damage, we must be resilient and stand perpetually ready with a plan and with answers.

I'm glad to be having this joint hearing to highlight the interconnectedness of the response plans that are in place in the case of a devastating cyber event, and the first responders who carry them out.
At the Federal level we have the ability to push out and develop plans beyond the capability currently available to States, but it is the responders already in the area who will be the first people that those most directly affected will see when a catastrophic cyber attack occurs.

As Mr. Donovan mentioned, the draft National Incident Response Plan or NCIRP was delivered to the White House in the fall of 2009. In March 2010, an interim draft was released but not approved, subject to on-going review by the administration. It has now been 6 years since the release of the interim draft, with stakeholder engagement just now starting. While 6 years is entirely too long for any type of response plan to sit on a shelf in the White House, it is especially dangerous in the case of cyber. In 2014, Congress passed a law to require this cyber incident response plan to be finalized. Clearly, this administration, by not finalizing this plan, does not take cyber incident response planning seriously. It begs the very obvious question ``What if there is a significant cyber attack in the United States? Does every level of government know their role and how cyber response will be coordinated?'' We are neither too ignorant nor too proud to think that a major cyber incident is outside of the realm of possibility so I would like to take this moment to convey that we are watching the development of this document very closely.

It is very apparent that we have a lot more work to do. Securing our States from cyber threats now includes entirely new roles and responsibilities that didn't exist 50 years ago. Discussing, examining, and encouraging the programs and partnerships that Americans rely on is absolutely crucial in guaranteeing the solvency of our ways of life. I look forward to hearing from the witnesses to learn what more can and should be done to advance the security of the American people.

Mr. Donovan. The gentleman yields back.
The Chair recognizes the gentleman from New Jersey, Mr. Payne.
Mr. Payne. Mr. Chairman, I ask unanimous consent to submit the gentleman from Louisiana, the Ranking Member, Mr. Richmond's statement into the record.
Mr. Donovan. Without objection, so ordered.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
May 24, 2016
In developing policy and budgeting for cyber preparedness and response, it is crucial we know what needs protecting, how badly protection is needed, and what kinds of redundancies can be made available. For critical infrastructure entities, after knowing what machines are operating on a network, what applications they are running, and what privileges have been established, the posture of cybersecurity for each of these entities and systems networks is key. Also, for critical infrastructure enterprises and supply chains, the advent of ``bring your own devices,'' along with the growing sophistication of smart phones and tablets involved in day-to-day infrastructure operations, compounds cybersecurity efforts and increases our resiliency challenges. Knowing where to devote efforts to protect our information security in critical infrastructure organizations is a core choice, particularly in determining how much defense to commit to the perimeter, and how much to commit to internal threats. Consider the potential for adversaries to employ countermeasures . . . as defenses are installed on our systems, we must acknowledge that we are dealing with a thinking and competitive opponent in the cyber world . . . and that as we install measures to thwart hackers that very act tends to induce countermeasures from our foes, as hackers probe for ways around or through our new defenses.
As new versions of cyber attacks emerge affecting critical infrastructure, it will be important to have the DHS Industrial Control Systems Computer Emergency Response Teams, or ICS-CERT, and the Joint Interagency Task Force consisting of the National Institute of Standards and Technology, or NIST, the Department of Defense, and the intelligence community, clearly delineate and prioritize their roles in protecting critical infrastructure, and to have that as well-defined as possible. A good place to start is to build a body of cyber knowledge on how various critical infrastructure cyber systems are likely to fail, which is a necessary prerequisite to preventing failure, and then share that information among all sectors. Most experts tell us this is a daunting proposition, in light of the fast pace and range of cyber threat vectors that present themselves daily, but we must try. In closing, any critical infrastructure sector that is prepared to share what went wrong and what could be done better next time, will create the most likely scenario to produce higher levels of cybersecurity and resiliency for future regional and National cyber emergency situations.
Mr. Donovan. Other Members of the subcommittees are reminded that opening statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
May 24, 2016
Over the past 15 years, the Nation has experienced man-made and natural disasters that caused damage beyond our expectations and overwhelmed the response capabilities of the impacted communities. After each disaster--from the 9/11 attacks and Hurricane Katrina to the Boston Marathon bombings and Hurricane Sandy--we take the lessons learned and adjust the response plans so that we are better prepared for the next version of the same event. Preparing to respond to those kinds of events has become almost routine. We assess terror threats and the potential for various natural disasters.
We conduct vulnerability assessments of our communities, and we hone, train, and exercise our disaster response plans. The doctrine guiding how we prevent, protect against, mitigate, respond to, and recover from more conventional disasters is well-established and incorporates important lessons learned from past events. Unfortunately, National guidance of a similar caliber is lacking for a response to a cyber attack. When I am home in Mississippi, local emergency managers tell me that roles and responsibilities are not clearly defined for a cyber response and that the statutory authority for the Federal Government to render aid to affected States is murky at best. We need to do better. The frequency of cyber attacks is increasing and the attacks are becoming more sophisticated. I fear a cyber Katrina if we do not establish a ``whole community approach'' to prevent, respond to, and recover from cyber attacks soon, before hackers disable part of the electric grid, gain control of one of our transit systems, or infiltrate our water treatment facilities. Addressing the growing cyber threat and equipping emergency managers with the tools they need to effectively respond to disasters triggered by hackers will require at least 3 changes. First, we have to improve information sharing. Second, we have to improve communication among the emergency response community and non-traditional response partners, including private-sector infrastructure owners and chief information officers. Third, we have to do a better job defining roles, responsibilities, and authorities related to a cyber response. Late last year, the House of Representatives took an important step advancing those objectives by passing H.R. 3878, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act. Introduced by Congresswoman Torres, H.R.
3878 would improve information sharing and cooperation in addressing cybersecurity risks at our Nation's ports by directing DHS to establish voluntary guidelines for reporting of cybersecurity risks, implement a maritime cybersecurity risk model, and make recommendations on enhancing the sharing of cyber information. The legislation also directs the Coast Guard to ensure area maritime security and facility security plans address cybersecurity risks. H.R. 3878, along with several other important pieces of cybersecurity legislation from this committee, has passed the House and is currently pending in the Senate. I urge our Senate colleagues to act on these bills before the summer recess. In the meantime, I am eager to learn from our witnesses about existing challenges in developing response plans for cyber events and what the Federal Government can do to help.
Mr. Donovan. We are pleased to have a distinguished panel before us today on this important topic. Mark Ghilarducci serves as the director of the California Governor's Office of Emergency Services, a position he has held since July 1, 2013. As a member of the cabinet, Director Ghilarducci serves as the Governor's Homeland Security Adviser, and oversees State-wide public safety, emergency management, emergency communications, counterterrorism efforts, and a State threat assessment system. Mr. Ghilarducci previously served as the secretary of the California Emergency Management Agency. Welcome, sir. Lieutenant Colonel Daniel J. Cooney currently serves in the Office of Counterterrorism of the New York State Police. He serves as adviser to the director of the New York State Office of Homeland Security and oversees the staff of the New York State Intelligence Center, New York's fusion center. He has been a New York State police officer for 23 years, and has been awarded a master's degree in security studies from the Naval Postgraduate School. Welcome, Colonel. Brigadier General Steven J.
Spano is president and chief information officer of the Center for Internet Security. Most recently, he served as the general manager for defense and national security for Amazon Web Services Worldwide Public Sector. Prior to Amazon Web Services, General Spano served over 28 years in the United States Air Force in a variety of leadership roles. He retired in 2011 from Air Force combat command where he served as the director of communications. Welcome, General, and thank you for your service to our country. Mr. Mark Raymond began serving as the chief information officer for the State of Connecticut Department of Administrative Services, Bureau of Enterprise Systems and Technology on June 2, 2011. He has over 2 decades of technology and business experience consulting in New York, Connecticut, and Massachusetts; that includes working in the areas of finance, payroll, human services, budgeting, procurement, human services revenue, and transportation. As a consultant, he has worked with Federal agencies, including the United States Treasury, Federal Highway Administration, National Highway Traffic Safety Administration, and the U.S. Department of Transportation. Welcome, sir. Mr. Robert Galvin serves as the chief technology officer for the Port Authority of New York and New Jersey, a position he has held since December 2013. In this capacity, he provides oversight, direction, and management for all of the agency's technology, information systems, and technology service delivery. Prior to joining the Port Authority, Mr. Galvin served as the chief technology officer at the New York City School Construction Authority. The witnesses' full written statements will appear in the record. The Chair now recognizes Mr. Ghilarducci for 5 minutes.
STATEMENT OF MARK GHILARDUCCI, DIRECTOR, EMERGENCY SERVICES, OFFICE OF THE GOVERNOR OF CALIFORNIA
Mr. Ghilarducci. Okay. Well, good morning, Chairman and distinguished Members of the subcommittee.
Mark Ghilarducci, and I am the director of OES in California. I am here today on behalf of the National Emergency Management Association, which represents State emergency management directors of the 50 States, territories, and the District of Columbia. I appreciate the opportunity to come before you today to discuss concerns related to the consequences of a cyber attack and the role of the emergency management community in responding to this unique and evolving threat. As our lives, our systems, our critical infrastructure, as well as our emergency management coordination and communication platforms become more and more integrated with and dependent upon the Internet of Things, so does the proliferation of threats and complexities from cyber attacks, and, of course, the need to continue to evolve capabilities and countermeasures. These emerging threats, ushered in by advancements in technology, are a challenge for emergency management at a time when the adversary is unpredictable, asymmetrical, and very active. The range of threat actors, the methods of attack, targeted systems, and victims are ever-expanding. Because information systems are now the backbone of critical infrastructure in the United States, we are at an age of transitioning into next generation public safety due to its significance to National and economic security. Of concern to the emergency management community is the threat and potential cascading impacts of a cyber attack to our critical infrastructure systems. Lifelines and assets, whether physical or virtual, by actors with malicious intent to exploit vulnerabilities, disrupt or destroy control systems, or incapacitate the delivery of essential services, all which places the security and safety of our communities, our citizens, and the economy at great jeopardy. Like the consequences of other asymmetrical terrorist threats, consequence management of cyber attacks is challenging due to its unpredictable and ubiquitous nature.
It requires a considered and coordinated effort of collaborative planning, risk identification and management, communications, information sharing, interdiction, response and mitigation. As information technology becomes increasingly integrated with physical infrastructure operations, emergency management must plan and prepare for the increased risk for large-scale or high-impact events and the cascading impacts that could harm or disrupt services, or worse, cause fatalities or destruction in our communities. Widespread and long-term power outages, loss of water, telecommunications systems, disruption of public health or public safety systems, destruction of control systems, interruption of food production and distribution, and/or the movement of commodities or people are just a few potential consequences of a successful cyber attack on our critical infrastructure; all consequences emergency management must consider, plan, and prepare for. There is no doubt that the potential aftermath of a significant cyber attack resulting in physical consequences will challenge existing hierarchies, dependencies, reporting structures, and planning assumptions. Emergency managers will need to leverage all necessary local, State, and private-sector resources; implement redundant capabilities for continuity of operations, and possible continuity of Government; and will require Federal support for both technical and Stafford Act assistance. But it remains unclear today how the consequences of an attack will be defined and meet requirements for Stafford Act assistance. Another challenge facing State emergency management and homeland security organizations is the ability to effectively manage cyber risk as it is not possible to eliminate it.
Like many other hazards, both natural and human-caused, State leaders must build cybersecurity systems, communication, and information capabilities, and procedures designed to not only preempt attacks through adequate cyber defense systems, but enable an organization to withstand attacks when they succeed, or, in other words, to build cyber resilience. A logical approach to cybersecurity preparedness and incident response begins at all levels of government and in partnership with the private sector. As the Federal Government continues to build its capabilities, policies, and strategies, it has left States to build cybersecurity capacities with limited resources, trained personnel, and guidance or a specific blueprint to follow, all while facing threat actors who are advanced, nimble, quick to adapt, and overcome defenses in intending to do harm to private citizens and government services. Dedicated cybersecurity grants for planning and operational capabilities, developing, training, and supporting the blueprint of a workforce of cyber warriors, as well as identified post-event, remediation funding streams that do not currently exist, but are absolutely necessary to ensure States are prepared to adequately build cyber capabilities and defenses, this needs to be a priority. For example, in California, one key cybersecurity capability we recently stood up is the California Cybersecurity Integration Center as a way to measure our whole-of-Government and public/private sector integration approach. The Cal-CSIC, as it is called, integrates critical cybersecurity functions directly impacting my ability to manage both the homeland security and emergency management portfolios in California. 
It is co-located with the California State Threat Assessment Center, our State's primary fusion center, which maximizes information sharing and allows for communications to be properly vetted and classified, ensuring connectivity and information sharing between the intelligence community, law enforcement, and California's other 5 regional fusion centers, and it expands upon our current capabilities focused specifically on protecting California. It resides within our homeland security division, aligned with DHS's organizational structure, and integrates both the academic and private sectors. It provides a State-wide nexus for cyber threat information sharing for the State of California, our critical infrastructure sector partners that provide essential services, our 9-1-1 system, the intelligence community, and law enforcement. It promotes proactive situational awareness of the cyber threat, cyber hygiene, and best cybersecurity practices, and it augments the State Emergency Operation Center during activations for emergency incidents through systems analysis and resilient communication. Most importantly, it provides support to our State's emergency support Function 18, the component of the State emergency plan that focuses on the impacts and countermeasures related to a major cyber attack. A key element for success of this capability, but, nonetheless, a challenge we are working with, is establishing a blueprint for integrating disparate agency sector efforts and mission sets into a unified, coordinated, and streamlined operation that reflects the full intelligence cycle from collection, analysis, to dissemination that supports situational awareness and the complete emergency management cycle. The Cal-CSIC design forces collaboration between all of the major State agencies and sector representatives that have a role in cybersecurity through protocols and the integration of respective cybersecurity staff.
This partnership forces down the silos and stovepipes and generates a level of collaboration on the cyber front not seen before in our State government, which helps to define the roles and responsibilities of each organization during cyber events of State-wide significance. As well, through partnerships with the National Cybersecurity Communications Integration Center and a multi-State information-sharing analysis center, the Cal-CSIC addresses prevention, protection, response, and recovery while providing detail on cyber threats and trends specifically to California. The Cal-CSIC can use this analysis to notify residents of current threats and how to prevent and mitigate those threats. The consolidation of National, State, and local cyber threat data will provide a more strategic picture benefiting prevention and response. To further our resiliency platform, we are also moving to implement the DHS and CCIC cyber hygiene campaign across California's State agencies and departments. In closing, collaboration, coordination, training, planning, clear protocols, real-time information sharing, and processing of indicators of attack are essential elements of a robust cybersecurity and emergency management posture for all governments. Linking up critical infrastructure assessors and analysts with cybersecurity personnel and emergency planners also needs to be approached holistically and sustainably. At all levels, Government must be prepared to deal with an ever-changing and increasingly complex set of challenges that test our traditional approaches to emergency preparedness and response to disasters. Changing demographics, emerging technologies, and the interdependencies of our infrastructure and systems create vulnerabilities that differ from those of the past.
The cyber threats facing our Nation are not subsiding, but, in fact, are evolving in such a way that these threats demand purposeful, proactive action, adequate funding support, and a more forward-thinking and collaborative approach at all government levels and critical infrastructure sectors. This has to be one team, one fight. Thank you.
[The prepared statement of Mr. Ghilarducci follows:]
Prepared Statement of Mark Ghilarducci
May 24, 2016
introduction
Thank you Mr. Chairman, Ranking Member, and distinguished Members of the committee. My name is Mark Ghilarducci, and I am the director of the Governor's Office of Emergency Services as well as the Homeland Security Advisor to Governor Jerry Brown for the State of California. I am here on behalf of the National Emergency Management Association (NEMA), which represents the emergency management directors of the 50 States, territories, and District of Columbia. NEMA's members, many of whom, like me, also serve as Homeland Security Advisors, are prepared to deal with an ever-changing and increasingly complex set of challenges that test traditional approaches to natural and man-made disasters. I appreciate the chance to come before you today to discuss the current concerns related to consequences of cyber attacks and the role of the emergency management community in responding to these unique events.
where are we now?
We are witnessing a more diverse array of threats than at any other time in history. The skill, speed, and adaptability of these threats are challenging our defense in ways we have not seen before. The emerging threat landscape for the Nation is characterized both by standing threats, as well as dynamic and fluid ones ushered in by advancements in technology. As we witness our society make unprecedented advancements in innovation, we become more and more reliant on information technology and increasingly vulnerable to devices that are developed and distributed with minimal security requirements.
The ranges of threat actors, methods of attack, targeted systems, and victims are also expanding. We are transitioning into Next Generation Public Safety, and information systems are now the backbone of National and economic security in the United States. Our success as a Nation depends upon critical infrastructure functioning reliably at all times. The threat to this infrastructure by those with malicious intent to exploit vulnerabilities, steal information and money, and disrupt, destroy, or threaten the delivery of essential services is unlike any other. Cybersecurity threats exploit the risks associated with the increased complexity and connectivity of these systems, which places our Nation's security, economy, and public safety at greater risk. This risk affects both the private and public sectors. We have seen ``Ransomware'' in the public and private sector in California and across the United States designed to prevent public and private institutions from accessing their own data. Criminal tools and malware are increasingly being discovered on State and local government networks. As information technology becomes increasingly integrated with physical infrastructure operations, there is increased risk for wide-scale or high-impact events that could cause harm or disrupt services upon which our economy and the daily lives of millions of Americans depend. Long-term power outages, loss of water, and disruption in the movement of goods, services, and people as a result of disrupted transportation systems are a few of the potential consequences of a successful cyber attack on our critical infrastructure. The aftermath of a cyber event with physical consequences will challenge existing hierarchies, reporting structures, and planning assumptions. In the event of an incident, most emergency managers will turn to the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Pub. L.
92-288) for Federal assistance, but unless the consequences of a cyber attack have large-scale physical consequences, funds from the Stafford Act will be limited. Many of the fixes, whether administrative or legislatively initiated, throughout the last few years seem to only address the prevention and preparedness side of cybersecurity. While the pre-event aspects of cybersecurity maintain a high level of importance, so too will the post-event considerations especially when considering the potential disastrous physical consequences of a cyber attack.
current challenges facing state emergency management/homeland security
While cybersecurity and cyber response capabilities continually rate very low in FEMA's annual National Preparedness Report, identifying the capability gaps and needs is often a difficult task for State and local government and has limited measurable improvement toward the National Preparedness Goal. Cyber risk must be managed as it is not possible to eliminate; the diverse possibilities of malicious actors penetrating, intruding, and circumventing from the inside continue to grow and will hold every internet communication technology system at risk for years to come. The risk calculus employed by some State and local organizations does not adequately address the top cyber threats or systemic interdependencies across critical infrastructure sectors. State leaders must accept the predictability of cyber attacks, and build security systems and procedures that can not only preempt attacks through cyber defense, but enable organizations to withstand attacks when they succeed, or in other words build cyber resilience. A coordinated approach to cybersecurity preparedness and incident response is in its nascent stages, even at the Federal level.
As the Federal Government is still working to build Federal institutions, policy, and strategy, it has left States to build cybersecurity capacities with limited resources and trained personnel, and a lack of guidance or successful blueprint to follow--all while facing threat actors who are advanced, nimble, quick to adapt and overcome defenses and who intend to harm private citizens and Government services. A dedicated cybersecurity grant funding stream would also ensure States were prepared to adequately build their cyber capabilities and defenses. Currently there is no funding dedicated specifically to this priority. States are still playing catch-up in developing a ``whole-of-Government,'' State-wide approach to cybersecurity.
best practices at the state level/on-going efforts to improve resilience
I am excited to discuss some California examples of best practices we are implementing to ensure the Golden State is safe and secure and cyber resilient.
Cyber Hygiene Partnership with DHS's National Cybersecurity Communications Integration Center (NCCIC).--We are moving to embrace and implement the DHS's National Cybersecurity Communications Integration Center's Cyber Hygiene campaign across California State Agencies. Working with NCCIC staff, we are working to push this program to all of California's State executive agencies as a start. This program is voluntary, but it will allow us to baseline State agencies' vulnerabilities and provide an overall State profile for a majority of public-facing assets. This is a good metric for performance and will help our team develop a long-term State strategy. To date, only 13 organizations across all of California are taking advantage of this Federal program.
Integrating and Automating Data Feeds.--One of the things we are spearheading in California is a Cal OES-supported project at our California fusion centers that supports automating cyber threat intelligence, as we believe that is a fundamental facet to cyber resilience on all levels of Government. We must get past the manual human-to-human transactions that continue to dominate State and local cyber information sharing and move towards an automated cyber threat intelligence design, which we believe should anchor States' resilience and inform cyber response efforts. We are also working, in conjunction with DHS/NCCIC, on a program called Automated Indicator Sharing Initiative, which shares observable cyber ``indicators'' to also help bolster the State's defense through a machine indicator exchange.
California Cybersecurity Integration Center (Cal-CSIC).--We recently stood up our California Cybersecurity Integration Center (Cal-CSIC) (pronounced Cal-SICK) as a way to mature this approach, but one of the biggest challenges we face is establishing a blueprint for integrating disparate efforts and mission sets into a unified, coordinated, and streamlined operation that reflects the full intelligence cycle from collection, analysis, to dissemination, and that supports a robust cyber response. The Cal-CSIC does the following critical cybersecurity functions, directly impacting my ability to manage both the homeland security and emergency management portfolios in California:
Expands upon current capabilities in our State's primary fusion center to build out a cybersecurity center focused specifically on protecting California.
Resides within the Cal OES Homeland Security Division, aligning with DHS's organizational structure. Its co-location with the California State Threat Assessment Center (STAC) allows for communications to be properly vetted and classified, ensuring connectivity between the intelligence community, law enforcement, and fusion centers.
Provides a State-wide nexus for cyber threat information sharing for the State of California, intelligence community, and law enforcement.
Promotes situational awareness of cyber threats, cyber hygiene, and best cybersecurity practices for all California organizations.
Augments the State Operations Center activities during emergency incidents through media analysis and resilient communications.
Marries our critical infrastructure analysts and assessors to our cybersecurity professionals to create a novel holistic security assessments capability.
The National Cybersecurity Communications Integration Center (NCCIC) and Multi-State Information Sharing Analysis Center (MS-ISAC) operate as focal points for cyber and physical protection of Federal, State, local, Tribal, territorial government (FSLTT) and Critical Infrastructure/Key Resources (CI/KR) network, storage, and communications systems and seek to address prevention, protection, response, and recovery. The Cal-CSIC will address prevention, protection, response, and recovery while providing detail on cyber threats and trends specifically to California. The Cal-CSIC can use this analysis to notify residents of current threats and how to prevent and mitigate those threats. The consolidation of National and State cyber threat data will provide a more strategic picture benefitting prevention and response. The NCCIC will also be a partner in the Cal-CSIC as will other Federal agencies to ensure for real-time collaboration and coordination that is needed. The Cal-CSIC design forces collaboration between all of the major State agencies that have a role in cybersecurity because those agencies have, or are going to, embed their cybersecurity staff there. This partnership will force down the silos and stovepipes, and generate a level of collaboration on the cyber front not seen before in State government, which helps to define the roles and responsibilities of each agency during cyber events of State-wide significance.
Governor's Cybersecurity Task Force.--This task force facilitates cybersecurity outreach to private industry, academic, law enforcement, and Government partners both inside and outside of California. The Governor's Cybersecurity Task Force is a public-private partnership that serves as the advisory body to the Cal-CSIC to raise awareness of new threats and mitigation techniques. Sometimes, simply assembling the right players to have the tough conversations is half the battle. In this case, educating cybersecurity professionals about emergency management, and vice versa, remains a significant challenge. This is why the State of California created the Governor's Cybersecurity Task Force to be wide-reaching, pairing up local emergency management experts with cybersecurity professionals to collaborate on the bigger strategic questions. It has made a tremendous impact, but more work needs to be done to align State and local defense with Federal efforts.
recommendations for the future
As a Nation we must map out a comprehensive collaborative strategy that delivers timely, cost-effective, and actionable responses. This will strengthen our National security by better preparing us to respond to potential disruptions that would have cascading consequences on the country. Collaboration, employee cybersecurity training, enterprise defense-in-depth, and real-time information sharing and processing of indicators of attacks are essential elements of a robust cybersecurity posture for all governments. Marrying critical infrastructure assessors and analysts with cybersecurity personnel also will breed unique and nuanced synergies by approaching the problem holistically. This would include:
Review current statutory authorities for emergency management personnel and ensure resources can and will be available to respond to a cyber attack.
Encourage information sharing between intelligence and operational officials to ensure stovepipes do not unnecessarily hinder collaboration and integrated planning.
Coordinate with State and local officials to ensure their priorities are included in legislative reforms and changes within the administration's cybersecurity policies.
Avoid mandating State and local governments without also providing Federal funding.
Provide adequate and sustainable funding to ensure for the development of robust cybersecurity interdiction, response and preparedness/education systems at the State and local levels, to better inform and empower communities, where the consequences of cyber attacks are most impactful.
Ensure that we communicate to American citizens our commitment to protecting their privacy, when incorporating emerging technology--specifically, the Internet of Things or ``smart devices.'' While these devices maximize efficiency and carry the allure of convenience, we must incorporate the benefits of innovative technology into State and local government with the utmost appreciation for their potential to threaten data privacy, data integrity, or continuation of services. This also opens vulnerabilities by allowing threat actors to not only steal data, but also, manipulate it. Threat actors almost certainly will adapt and introduce new tactics that will challenge our defenses so we must seize the opportunities to implant past intelligence from cybersecurity investigations back into the intelligence cycle for further analysis and dissemination.
conclusion
At all levels, Government must be prepared to deal with an ever-changing and increasingly complex set of challenges that test our traditional approaches to emergency preparedness and responses to disaster. Capability, experience, and flexibility are critical in dealing with emerging issues and the unknown.
Changing demographics, emerging technologies, and the interdependencies of our infrastructure and systems create vulnerabilities that differ from those of the past. The cyber threats facing our Nation are evolving in such a way that demands purposeful action and a more forward-thinking approach in our National preparedness efforts. I appreciate the opportunity to testify before you today and stand ready to answer any questions the committee may have. Mr. Donovan. Thank you, Mr. Ghilarducci. The Chair now recognizes Lieutenant Colonel Cooney for 5 minutes. STATEMENT OF DANIEL J. COONEY, ASSISTANT DEPUTY SUPERINTENDENT, OFFICE OF COUNTER TERRORISM, NEW YORK STATE POLICE Mr. Cooney. Good morning, Chairman Donovan, Ranking Member Payne, Chairman Ratcliffe, and Members of the subcommittees. Thank you for inviting me to testify today. My name is Dan Cooney. I am a lieutenant colonel with the New York State Police responsible for overseeing the New York State Intelligence Center or NYSIC, the State's designated fusion center, which is staffed by approximately 90 individuals, drawn from nearly 20 law enforcement and homeland security agencies at the local, State, and Federal levels. Since we opened our doors in 2003 as one of the Nation's first fusion centers, NYSIC has maintained an all-crimes approach with the ultimate goal of preventing criminal and terrorist activity in our State, and supporting our partners' on-going law enforcement investigations. The New York State Police has long had a computer crimes unit. NYSIC incorporated cyber threat intelligence into its mission in 2014 by creating a cyber analysis unit when the NYSIC had just moved to co-locate with the Center for Internet Security and the Multi-state Information Sharing and Analysis Center. Our approach is based on partnerships, intelligence production, and outreach. 
To further our outreach, NYSIC spearheaded creation of the New York State cyber partners working group, which meets monthly and is comprised of State and Federal Government law enforcement, homeland security, and information technology personnel, and the National Guard. As the intelligence center, our role is to take the lead in developing cyber intelligence products for both the technical and nontechnical audiences, and we leverage the partnerships formed through this group to accomplish this mission. The NYSIC also relies on National cyber information-sharing networks. Routinely, we access the National Fusion Center Association's cyber intelligence network through which over 250 Federal, State, and local law enforcement members act as a virtual fusion center, utilizing a cloud service provided by the homeland security information network to share cyber threat intelligence in real time at the ``For Official Use Only,'' or FOUO level. Within the State, our distribution lists are separated by sector and between technical and nontechnical audiences to ensure recipients receive exactly the information they need: Actionable intelligence for IT staff, so they can deploy appropriate prevention or mitigation controls; and more strategic information on trends in cyber actors' tactics, techniques, and procedures for executives and policy makers to better inform policy decisions and resource allocation. NYSIC's intelligence liaison officer network maintains points of contact in fire, EMS, and emergency management agencies in each county with whom we engage in 2-way threat information sharing. Additionally, nearly all of the 500-plus law enforcement agencies in New York State have a designated field intelligence officer that regularly communicates with the NYSIC. More technical products are shared directly with county chief information security officers. 
At both the fusion center and across State agencies, New York State is sharing more information more effectively than ever before. Despite a constantly changing environment, we have made excellent progress. But I want to highlight two specific areas for continued growth from the full statement I submitted on the record. First, the information-sharing lessons of the last 13 years in the counterterrorism space must be applied to cybersecurity today. At the State level, the fusion center is DHS's single point of contact for terrorism-related information, and we know from where within DHS this information is coming. This is not yet the case with cyber threat information, and more often than not, the fusion centers do not receive cybersecurity intelligence information in a timely manner. The more information that fusion centers receive, the more we can share with agencies and businesses within our State, allowing us to close the current intelligence gaps, and push information to smaller entities that direct Federal sharing currently does not reach. Second, we observe a large amount of cyber threat information is Classified. While fusion centers have the capability to receive Classified documents, we cannot share useful contents with many of our customers unless the classification is downgraded. On behalf of New York's fusion center and as part of the larger National network of fusion centers, thank you for this opportunity to speak before your subcommittees, and I welcome any questions. [The prepared statement of Mr. Cooney follows:] Prepared Statement of Daniel J. Cooney May 24, 2016 Good morning Chairman Donovan, Ranking Member Payne, Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittees: My name is Dan Cooney and I am an assistant deputy superintendent with the New York State Police, responsible for overseeing the New York State Intelligence Center, the State's designated fusion center. 
Thank you for inviting me to speak today about our cyber threat information and intelligence-sharing efforts. The New York State Intelligence Center, or ``NYSIC'', is managed by the New York State Police and staffed by approximately 90 people representing nearly 20 law enforcement and homeland security agencies at the local, State, and Federal levels. Since we opened our doors in 2003 as one of the first fusion centers in the Nation we have maintained an ``all-crimes'' approach, with the ultimate goal of preventing criminal and terrorist activity in our State and supporting our partners' on-going law enforcement investigations. We are primarily responsible for supporting the 57 counties outside New York City, but we work closely with our New York City Police Department colleagues on New York City-based issues. NYSIC incorporated cyber threat intelligence into its mission in 2014 by creating a Cyber Analysis Unit. The catalyst was two-fold: We recognized the need to dedicate resources to the growing threat of cyber attacks, and we had just co-located with the Center for Internet Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC), which the U.S. Department of Homeland Security has designated as the cybersecurity information sharing and analysis center for State, local, Tribal, and territorial governments. This provided a timely opportunity for us to learn best practices from top cybersecurity experts. Over time, we were able to staff the unit with an Investigator and 4 intelligence analysts who possess a mix of specialized technical knowledge or intelligence and analysis experience, a hiring model that has worked well. Our approach is based on partnerships, intelligence production, and outreach, and I will highlight a few examples of the benefits to the State's cybersecurity efforts. 
best practices in information-sharing efforts The New York State Police has long had a Computer Crimes Unit, and other agencies in New York have worked on cyber threats for some time. We have worked to bolster our relationships with other agencies, not only to learn from them, but to ensure proper information sharing, identify collaborative opportunities, and avoid duplication of effort. To that end, the NYSIC spearheaded the creation of the New York State Cyber Partners Working Group. This group of State and Federal Government agencies--including law enforcement, homeland security, information technology and the National Guard, to name a few--formally meets on a monthly basis to review cyber threat intelligence and discuss training, exercise and joint project opportunities. As the intelligence center, our role is to take the lead in developing cyber intelligence products for both technical and non-technical audiences, and we leverage the partnerships formed through this group to develop and share intelligence. The Cyber Partners Working Group also joins together for training and exercises. NYSIC, along with its working group partners, has participated in table-top and National-level full-scale cyber-related exercises, as both observers and participants. Examples include GridEx III, Cyberstorm V, and New York agency-specific tabletops. Effective State and Federal collaboration is also vital to confronting these challenges. For example, recently NYSIC and its State and Federal partners collaborated on the production and dissemination of a joint cyber intelligence bulletin detailing the analyses of detected malware. During the analysis, which determined the malware was a well-documented downloader and credential stealing Trojan, an encrypted file was discovered. Encryption often prevents further investigation; however in this case the team obtained a tool from a partner agency that allowed us to decrypt the file. 
The file revealed specific and actionable data that could protect IT assets. The NYSIC published these findings as a joint cyber intelligence bulletin and received positive feedback from recipients. The NYSIC also relies on National cyber information-sharing networks. Routinely, we access the National Fusion Center Association's Cyber Intelligence Network (CIN), which is a relatively new network of fusion center cyber analysts, to ascertain whether the intelligence we are developing in New York may be part of a broader trend. The CIN is comprised of over 250 Federal, State, and local law enforcement members who focus on cyber crimes. These members come together and act as a Virtual Fusion Center utilizing a cloud service provided by the Homeland Security Information Network (HSIN) to share real-time cyber threat intelligence in support of an incident, event, or mission. This level of cyber threat information sharing was impossible only a few years ago, yet now is becoming routine. There are several instances in which the CIN collaborated during high-profile events to great effect. For example, the CIN launched the HSIN's secure, web-conferencing platform, called CINAWARE, in response to Distributed Denial of Service (DDoS) attacks launched by cyber hacktivists against several State and local government networks which included law enforcement and emergency medical service entities that were responding to an incident. The CIN immediately began sharing real-time intelligence on the attacks with the relevant local agencies. The National Fusion Center Association reports that more than 350 individuals from fusion centers and other Federal, State, and local agencies around the country participated in the CINAWARE room over a period of several weeks, with an average of 50 to 90 users in the room at any given time. The room was supported 24/7, which included overnight support from the MS-ISAC. 
During that period, more than 250 queries were submitted and answered via the CINAWARE room, enabling rapid sharing of information with decision makers. Leaders in State, local, and Federal agencies were consistently briefed on the information from the CINAWARE room. Since that event, the CINAWARE room on HSIN has been opened to support the response to the Vikingdom DDoS attacks against State and local networks across the country, the sharing of cyber-specific information related to the Paris Bombings, and to support the law enforcement and homeland security mission for Super Bowl 50. The CIN also facilitates daily sharing throughout the country of indicators of system-compromise identified in discrete geographic regions, issues and responds to Requests for Information, and acts as a team of subject-matter experts to support local operations. All of this sharing occurs between fusion centers utilizing the Federal platform, HSIN, and occurs at the For Official Use Only (FOUO) level. Similarly, the NYSIC's co-location with the Center for Internet Security and the MS-ISAC allows our staff to walk downstairs and talk with their intelligence or operations analysts about Nation-wide reporting and how it may impact New York State. Any relevant, sharable information these networks provide NYSIC ultimately benefits our Cyber Partners Working Group and the State's broader cybersecurity prevention efforts. This intelligence is of limited use, however, if we cannot provide it to consumers and decision makers. Equally as important is communication with those outside of NYSIC. The NYSIC team is constantly meeting and briefing local governments and private critical infrastructure sectors on cybersecurity concerns. Participants leave with contact information needed to build distribution lists for intelligence products. Our distribution lists are separated by sector, and between technical and non-technical audiences, to ensure recipients receive exactly the information they need. 
We provide IT staff with actionable intelligence that can be cross-referenced with traffic on their networks, so they can deploy appropriate prevention or mitigation controls. Other partners, such as executives, appreciate more strategic information on trends in cyber actors' tactics, techniques, and procedures relevant to their sectors that can help inform better policy decisions. We listen to their feedback and tailor our intelligence products appropriately. The NYSIC Cyber Analysis Unit may receive or develop intelligence that is particularly relevant to the first responder community, or a subset thereof. For the Fire/EMS/Emergency Management agencies in New York, our team leverages NYSIC's Intelligence Liaison Officer (ILO) network--points of contact in each county from those 3 disciplines that participate in two-way sharing of threat information with our center. We educate them on cyber threat reporting and the types of technical and analytical support NYSIC can provide. For example, we crafted a cyber bulletin distributed specifically to 9-1-1 call centers with an ``E-911'' capability based on our receipt of threat and vulnerability information relevant to technology that is employed. Information specific to law enforcement is pushed to agencies in the field using another outreach program called the Field Intelligence Officer (FIO) program. In support of this program, nearly all of the more than 500 law enforcement agencies in New York have a designated FIO that regularly communicates with the NYSIC to advance the homeland security and counter-terrorism mission. We utilize these members to share cyber information in their jurisdictions as well. More technical products, which may include vulnerability and consequence information, are shared directly with county Chief Information Security Officers (CISOs). New York State is currently working to expand its information sharing with the health care sector--both public- and privately-owned facilities. 
The NYSIC is finding that this sector is willing to partner with the State to discuss intelligence requirements, information sharing, training opportunities, and best practices in mitigating cyber threats. recommendations for continued growth in information sharing New York State has made significant strides in building its cybersecurity capabilities, both at the fusion center and across State agencies. We are sharing more information more effectively than ever before. Policies and best practices have been developed by consensus through multilateral and interagency policy bodies and professional associations. They are reinforced through daily engagements between Federal, State, local, and private-sector partners. Despite a constantly-changing environment we have made excellent progress. In order to build upon our successful efforts, we have identified 4 areas for continued growth. First, information-sharing regarding cyber threats between the Federal Government and the States should be further streamlined. The information-sharing lessons of the last 13 years in the counter-terrorism space must be applied in cybersecurity today. In 2003, as the first New York State fusion center director, I remember working through information-sharing issues with DHS, FBI, and others. Ultimately, an agreed-upon vertical information-sharing pathway was developed between Federal partners and the fusion centers. At the State level, the fusion center is DHS's single point of contact for terrorism-related information, and we know from which subset of DHS to expect information. This is not yet the case with cyber threat information. There are many entities within DHS that gather, analyze, and disseminate various types of cyber threat intelligence, whether it's tactical indicators of compromise, strategic intelligence assessments, or organizing outreach campaigns with private-sector entities in our jurisdiction. 
Given that this information--whether it is raw information or finished intelligence--does not come together in one place at the Federal level with a designated unit to ensure rapid communication with the fusion centers, more often than not the centers do not receive information in a timely manner. This problem is exacerbated by the fact that other Federal agencies also have a cyber mission, and many have not yet built relationships with the fusion centers like DHS or FBI have over the last 13 years. This includes sector-specific agencies like Energy, Treasury, and Health and Human Services that play an important role in protecting key sectors of the Nation's critical infrastructure and economy, and who conduct outreach and information dissemination campaigns with private-sector entities under their jurisdiction. Any steps that DHS can take to streamline the overall Federal cyber intelligence-sharing processes with the fusion centers will help States and our local partners better understand the current threat landscape and more efficiently align our own cyber information sharing with the private sector. Working together will better enable us to protect against and respond to inevitable cyber attacks. The more cyber threat intelligence that fusion centers receive, the more we can share with agencies and businesses in our jurisdictions. This will close intelligence gaps and help us communicate threats to smaller entities that Federal information-sharing currently does not reach. Second, we must also continue to evaluate how we share Classified cyber-threat intelligence from the Federal Government to the fusion centers. There is no central Federal system that stores indicators of compromise against which fusion center cyber analysts can run comparisons and lookups. 
The National Network of Fusion Centers does not have a space on the National Cybersecurity and Communications Integration Center (NCCIC) floor, and therefore lacks access to that critical data source which is available to other Federal information-sharing partners. The network has interactions at the DHS Office of Intelligence and Analysis' Cyber Intelligence and Analysis Division (CIAD), but that interaction primarily occurs at the FOUO level and involves information being shared up to the Federal level, but not necessarily back down. Additionally, we observe that a large amount of cyber threat information is Classified. While the NYSIC understands why that might be the case, the Federal community needs to continue to focus on creating Unclassified tear lines of actionable intelligence. The fusion centers may have the capability to receive Classified documents, but cannot share useful contents with many of their customers unless the classification is downgraded. We would be pleased to work with authors of Classified documents to develop Unclassified actionable information for our non-cleared partners. I believe there has been some effort to share more Unclassified indicators based on recent production efforts by one Federal agency, and I hope that effort continues across the Federal community. Third, we need to continue our efforts to share information with local and county governments and private sector. We need to make sure there is consistency, and not confusion, regarding ``who to call'' when a local government or private entity experiences a cyber incident. We successfully worked through similar issues in the counter-terrorism area and I believe collective development of clear guidance would better serve our customers. Finally, the parallels between counter-terrorism and cyber extend beyond information sharing. 
Adequate cyber preparedness requires widespread implementation of best practices and mitigation efforts, which invariably can exceed the capacity of local and county governments facing a growing myriad of threats. In our ever-more connected world, your network is only as strong as its weakest interconnection, yet implementing strong cybersecurity solutions is often costly. As we continue the hard work of policy development and adoption of best practices, the need for Federal Government support of State and local cybersecurity preparedness should not be overlooked. Much the same way the DHS Homeland Security Grant Program provides essential Federal support for counter-terrorism initiatives, similar support for cybersecurity would further enhance the capacity of States, fusion centers, and local governments to prevent and respond to cyber incidents that threaten our Nation's critical infrastructure and economy. Thank you for this opportunity to speak before your subcommittees. On behalf of New York's fusion center, and as part of the larger National Network of Fusion Centers, I appreciate the invitation to participate in this discussion and I welcome any questions you may have. Mr. Donovan. Thank you, Lieutenant Colonel. The Chair now recognizes General Spano for 5 minutes. STATEMENT OF BRIGADIER GENERAL STEVEN SPANO, (RETIRED, USAF), PRESIDENT AND CHIEF OPERATING OFFICER, CENTER FOR INTERNET SECURITY Mr. Spano. Mr. Chairman, Ranking Members, Members of the committee, I am Steve Spano, the president and chief operating officer for the Center for Internet Security, or CIS. I appreciate the opportunity to share our thoughts on the state of National cybersecurity, and offer a number of suggestions and address some of the challenges that lie ahead. 
I would like to talk a little bit about our organization, what we do, our primary ambition, and how that feeds into our assessment of the current state of cybersecurity in the area that we know best, which is State, local, Tribal, and territorial governments. Then I will talk a little bit about how we service and are enhancing that mission, working with our partners, like the fusion center, and State and local governments, and then offer some ideas moving forward strategically that perhaps this committee can begin to address as the challenges we face continue to grow. About CIS, it began in 2000 out of the passion and the belief that everybody deserves a secure on-line experience. The 100-plus professionals work collaboratively to enhance the cybersecurity mission, readiness, and response, and we do that in 3 core areas: Beginning from the foundation, we believe that it is inherently practical and important to establish a secure framework to build your cyber strategy on and evolving to. We call that security framework the critical security controls, or the CIS controls. They are a set of prioritized actions that organizations of any size can take in a priority order to deal with the current threats that exist in today's environment. That security framework serves as a foundation for some of the products and services that we offer, one such being the security benchmarks, which are automated configurations that lock down devices, operating systems, and software. So these security benchmarks help execute and implement the CIS controls, along with many of the services and products that our partners out in industry also support and provide. The controls, the benchmarks, the products, and services are put into execution in our primary mission, and that is running the Multistate Information Sharing and Analysis Center, or the MS-ISAC. 
The ISAC was established in a partnership with DHS in 2010, and we began the journey of beginning to monitor all 56 SLTTs, where we are approximately more than two-thirds of the way through bringing the States and these local governments and Tribal networks onto our network. We currently have 41 that we actively monitor that we provide network intrusions, that we provide intelligence analysis to, that we provide forensics capability and response as part of a computer emergency response team. That mission continues to grow and strengthen. What I would like to talk about now is how that mission feeds our assessment of where we believe the current state of National cybersecurity is within the SLTTs. We inform it through the day-to-day mission and the operation over the last several years, our experience, and global situational awareness and engagement. We are also responsible for producing the Nationwide Cyber Security Review, or NCSR, report to DHS, which every 2 years is provided to Congress. We are working to finalize this year's report. The NCSR is a self-assessment by the States in 13 key categories, and we measure those categories in a number of ways through the self-assessment amongst these entities. We find that in each of the 13 categories, while year to year, there has been improvements among the States, there are still challenges that reside in all 13 categories to meet the self-prescribed benchmark metrics that they want to achieve. Progress is being made. I characterize in my written testimony that the current state within the SLTTs is improving, but there are still a number of challenges that are facing the States, to include under-resourced budgets, a workforce that I would characterize as high-demand, low-density in its assets and that is insufficient to address many of the challenges, and a number of other areas of dealing with basic hygiene in terms of executing some of their strategies. But progress is being made, and I would characterize it as improving. 
I look forward to the dialogue and the questions and to diving into some of the specific details on how we can improve moving forward in two key areas: One is establishing a basic hygiene campaign, whether that is built upon the critical security controls or other frameworks; and the other area I mentioned that I believe is a strategic challenge for us Nationally is how to inspire and generate a cybersecurity workforce that can grow and meet the challenges. Because as I mentioned, they are a high-demand, low-density asset across the board, and the trends we are seeing within K through 12 and interest in STEM, colleges and universities are offering programs but it is insufficient to get to scale. We are seeing that just the basic capabilities to keep up with the growing threats and the expertise and the training of existing professionals is a challenge for a lot of the SLTTs. Thank you very much for the opportunity to address you. I look forward to your questions. [The prepared statement of Mr. Spano follows:] Prepared Statement of Steven Spano May 24, 2016 Chairmen Donovan and Ratcliffe, Ranking Members Payne and Richmond, and Members of the committee, thank you for inviting me today to this hearing. My name is Steve Spano, and I serve as the president and chief operating officer of the Center for Internet Security--or ``CIS.'' I appreciate the opportunity today to share our thoughts on the current state of National cybersecurity, focusing in the area we know best: State, local, Tribal, and territorial (SLTT) government entities. As the Nation addresses the complicated issue of cybersecurity, your efforts to assess the current state of National cyber preparedness and response capabilities and determine how best to improve our National cybersecurity posture are noteworthy. I look forward to offering our ideas on how we can collectively build on the progress being made in this important area of critical National security. 
Established in 2000 as a not-for-profit organization, CIS's primary mission is to advance cybersecurity readiness and response. CIS was instrumental in establishing the first guidelines for systems hardening at a time when there was little on-line security leadership. In 2010, the U.S. Department of Homeland Security (DHS), under the National Protection and Programs Directorate (NPPD), partnered with CIS to host the Multi-State Information Sharing and Analysis Center, or MS-ISAC. Under a cooperative agreement with DHS, the MS-ISAC was established as a 24x7 cybersecurity operations center that provides real-time network monitoring, threat analysis, and early warning notifications to SLTTs. MS-ISAC also consolidates and shares threat intelligence information with the DHS National Cybersecurity and Communications Information Center (NCCIC), where we have 2 employees serving as liaisons for MS-ISAC. In 2015, we became the home of the CIS Critical Security Controls, previously known as the SANS Top 20. With this expanded operational mission, CIS has evolved as a trusted resource to help public and private organizations start secure and stay secure. Today, CIS collaborates with the global security community to lead Government and private-sector entities to on-line security solutions and resources. While I will elaborate more fully below, the 100-plus professionals at CIS provide cyber expertise in three main program areas: 1. As I just mentioned, the MS-ISAC operates a 24x7 Secure Ops Center to support SLTTs. 2. The CIS Critical Security Controls (CIS Controls), a consensus-driven, prioritized set of cyber best practices created to stop today's most pervasive and dangerous cyber attacks. The CIS Controls are referenced in several policy and security frameworks such as the NIST 800.43; and 3. The Security Benchmarks, a program that provides well-defined configuration best practices to help organizations world-wide assess and improve their cybersecurity. 
Over 100 consensus-based Security Benchmarks have been developed to date, and Security Benchmarks members can access tools and automated content for both traditional hardware and software as well as cloud-based services. More information about CIS is included at Attachment A and incorporated herein by reference. the current state of cybersecurity preparedness CIS's assessment of the current state of cybersecurity preparedness and response capabilities is based on our collective daily experience with the MS-ISAC, represented by over 1,000 SLTT members (including all 50 States), as well as our dealings with those using the CIS Security Benchmarks and the CIS Controls, all of which provide us unique and wide-ranging insight into the cybersecurity posture of those we serve. Today, thanks to Congressional and DHS support and SLTT participation, the MS-ISAC is actively monitoring the networks of 41 States and territories. In 2016, our goal is to have all 50 States and all 6 territories being monitored by the MS-ISAC. Our members represent local governments, public universities, critical infrastructure entities, and public authorities that own and operate critical infrastructures. In 2015, our monitoring program analyzed over 3 trillion records, which generated over 56,000 actionable alerts to our SLTT partners. In 2015, our CERT team managed 161 incidents for our partners, largely focused on computer forensics. Their efforts actively identify types of threats, origins of attack, and root causes of the attack. Our intelligence team has produced a large number of analytical reports that both DHS and the FBI have cited as key resources to help in their investigations and high-level threat detection. Our cyber support for SLTTs also includes a computer emergency response capability, and the issuance of real-time cyber alerts, advisories, and intelligence products. 
Based on this work, we can state that since 2004, when the MS-ISAC partnership with DHS began, we have seen progress in the state of cybersecurity of our SLTT partners that can be characterized as improving, with many positive trends. There are, however, significant challenges that we are collectively working to improve. These challenges include under-resourced cybersecurity budgets, poorly crafted and vulnerable software provided by vendors, misconfigured networks, and insufficient numbers of qualified professional staff. Our assessment of SLTT cybersecurity preparedness and response capability is supported in the findings of the DHS-funded Nation-wide Cyber Security Review (NCSR). This annual review, tasked to the MS-ISAC by DHS, is produced in conjunction with the National Association of Counties and the National Association of State Chief Information Officers, and is reported to Congress by DHS every 2 years. It is a voluntary, self-assessment survey designed to evaluate cybersecurity management within, and the cybersecurity posture of, SLTT governments. To gauge the Nation-wide level of cybersecurity readiness, the NCSR measures maturity of cybersecurity programs within the SLTT community by assessing how SLTTs are performing in 13 key cybersecurity areas. The 2013 and 2014 NCSRs found SLTT respondents continuing to improve towards the highest level of maturity, ``risk aware'', in all 13 of these measured functions, but they have not yet reached that maturity level in any of the 13 categories. Further support for our assessment is found in the DHS 2015 National Preparedness Report (the ``Preparedness Report''), which acknowledges both that SLTTs place significant emphasis on the importance of cybersecurity, but have been challenged to find sufficient financial resources and staffing to meet growing cybersecurity demands. 
The MS-ISAC, the NCSR and the Preparedness Report all recognize that steady progress is being made in many areas of SLTT cybersecurity, in the face of cyber threats that continue to increase in scope, sophistication, and number, but that challenges remain for SLTTs to reach full cybersecurity preparedness. This reality will not change any time soon. The strategy and execution of defensive responses must evolve at a faster pace. This will require continued investment, strong leadership, and collaboration at all levels of government.

Outside of the SLTT space, our experience with our Security Benchmarks customers and those using the CIS Controls also show increased efforts to improve organizations' cybersecurity posture. In the last 3 years, the number of organizations purchasing Security Benchmarks memberships has almost tripled, and the growth in the use of automated machine image versions of the Benchmarks has grown tenfold since they were first released a year ago. This shows us that there is increasing emphasis on ensuring that organizational networks and devices are securely configured.

In October 2015, we released Version 6 of the CIS Controls. In the period of time since the release, the CIS Controls have been downloaded over 32,000 times. This data, coupled with on-going requests for information and assistance in learning more about the Controls, shows us that companies and organizations are seeking guidance in how to start secure and stay secure, and are looking for the roadmap to tell them how to get there.

how cis is working to increase cybersecurity preparedness

Since its inception, CIS's mission has been focused on increasing cybersecurity preparedness, both for SLTT governments through the MS-ISAC and for the private sector as well with the CIS Controls and Security Benchmarks programs. I appreciate the opportunity to highlight our work in these 3 areas, and why we believe our work is making a difference.
MS-ISAC

The on-going work of the MS-ISAC has and will continue to improve the cybersecurity posture of SLTT governments. Our continuous monitoring of SLTT networks across the country provides us with the ability to see and analyze the scope of potential malicious activity and identify when there are multiple incidents of the same nature and source. As noted above, in 2015 alone, MS-ISAC detected and analyzed malicious activity events that generated over 56,000 incident reports. We provide response assistance if needed, including CERT team assistance. Equally importantly, we provide timely issue alerts to all our SLTT members, which include steps to take to avoid or mitigate the risk of the identified malicious activity event. We also share SLTT event information with Federal agencies and other trusted partners through our liaisons on the NCCIC floor, so our work also informs the cybersecurity posture of the Federal Government and the Nation as a whole.

In addition to our monitoring and response services, we produce a monthly situational awareness report that shares timely cybersecurity information with our over 1,000 members. We distribute weekly reports of cyber threat indicators and support an automated indicator sharing platform (STIX/TAXII). We hold monthly webcasts focusing on particular cybersecurity issues. We also offer group purchasing opportunities for cybersecurity training and products, with substantially discounted pricing for SLTTs, educational and not-for-profit entities. Since starting the purchasing alliance in 2012, we have been able to save SLTT governments almost $30 million in their purchase of essential cybersecurity training and products. Our work with the NCSR is providing SLTTs with a tool to monitor and track their progress, both internally and against other SLTT entities.

More information on MS-ISAC services is included in Attachment B and incorporated herein; further information is available here: https://msisac.cisecurity.org/.
CIS Critical Security Controls

CIS is the home of the Critical Security Controls, the set of internationally recognized prioritized actions that form the foundation of basic cyber hygiene, demonstrated to prevent 80-90% of all known pervasive and dangerous cyber attacks. The CIS Controls were initially created, and are regularly updated, by a global network of cyber experts based on actual attack data derived from a variety of public and private threat sources, so they are informed by both professional expertise and real-world threat information. The CIS Controls act as a blueprint for network operators to improve cybersecurity by suggesting specific actions to be done in a priority order. In this regard, we strongly believe that the CIS Controls can help all organizations, especially the small- and mid-sized entities, many of which need help in identifying exactly what to do and when.

The CIS Controls are recognized by a number of cybersecurity frameworks and reports as an effective and practical tool for improving an organization's cybersecurity preparedness. The CIS Controls are specifically called out in the NIST Cybersecurity Framework as one of a handful of cybersecurity tools that help organizations implement the Framework. Just recently, the California Attorney General released the California Data Breach Report (2016), which specifically points to the Controls as a tool that if followed, would meet the requirement of ``reasonable security'' under California law. (The full report can be accessed here: https://oag.ca.gov/breachreport2016).
Additionally, the Controls are included in the following foundational frameworks, reports, and documents:

NIST Framework
Symantec 2016 Internet Security Threat Report, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf, pages 75-77
Verizon DBIR 2015, page 55
Tripwire, ``The Executive's Guide to the Top 20 Critical Security Controls,'' http://www.tripwire.com/state-of-security/featured/20-csc-list-post/
Zurich Insurance/Atlantic Council ``Risk Nexus: Overcome by Cyber risks? Economic Benefits and Costs of Alternate Cyber Futures''--page 28
NGA ``National Governors Association Call to Action on Cybersecurity'', page 4
UK CPNI (the British infrastructure protection directorate--entire web page references the Controls)
Conference of State Bank Supervisors, ``Cybersecurity 101: A Resource Guide for Bank Executives,'' pages 8, 12, 24, https://www.csbs.org/CyberSecurity/Documents/CSBS%20Cybersecurity%20101%20Resource%20Guide%20FINAL.pdf

We make the CIS Controls available for download at no cost to the general public, as well as free companion guides that provide more detailed information and support for the implementation of the CIS Controls. Find out more information about the Controls and download them for free at: https://www.cisecurity.org/critical-controls.cfm. Additional information about the CIS Controls is also included at Attachment C and incorporated herein by reference.

CIS Security Benchmarks

CIS is also the world's largest producer of authoritative, community-supported, and automatable security configuration benchmarks and guidance. The CIS Security Benchmarks (also known as ``configuration guides'' or ``security checklists'') provide highly technical, detailed security recommendations for specific components of information technology, such as operating systems and devices, and are vital for any credible security program.
The Security Benchmarks are developed through a collaborative effort of public and private-sector security experts. CIS has developed over 100 consensus-based Security Benchmarks to date, and they are available in PDF format free to the general public, or in an automated format through the purchase of a membership. We have also created a number of Amazon Machine Images (AMIs) for the most utilized Security Benchmarks, which are available for purchase in the AWS Marketplace and in Amazon GovCloud, and we are discussing similar arrangements with other cloud providers. CIS Security Benchmarks are used world-wide by organizations ranging from small, nonprofit businesses to Fortune 500 companies.

The CIS Security Benchmarks are referenced in a number of recognized security standards and control frameworks, including:

Payment Card Industry (PCI) Data Security Standard v3.1 (PCI) (April 2016);
NIST Guide for Security-Focused Configuration Management of Information System;
Federal Risk and Authorization Management Program (FedRAMP) System Security Plan;
DHS Continuous Diagnostic Mitigation Program; and
CIS Critical Security Controls, Version 6

More information about CIS Security Benchmarks is included at Attachment D and incorporated herein by reference.

what more can be done?

The current cyber threat is clear, unmistakable, and unlikely to abate anytime soon. Fortunately, much is currently being done to improve cybersecurity--but more needs to be done. We would like to focus our comments on 2 areas that we believe are of significant importance to both SLTT and non-SLTT organizations: (1) Improving cyber hygiene; and (2) creating a comprehensive approach to both increasing and improving the cybersecurity workforce.

Improving Cyber Hygiene

Probably the single most important effort that we can undertake to dramatically make our networks more secure is to adopt basic cyber hygiene.
Like personal hygiene, it involves basic, regular routines and actions that are needed to maintain basic safety and security. Despite a growing understanding of the threats and vulnerabilities in the technical community, wide-spread adoption of safe cyber behavior in cyber space is the exception, not the norm. It is our experience that the vast majority of cyber incidents result from either the failure to patch known vulnerabilities in software and web applications or failure to adopt proper security configurations on network operating systems or devices.

We believe that part of the difficulty in getting more traction for cyber hygiene is the existence of a plethora of defensive tools, security frameworks, and guidelines, combined with the complexity of our networks, which have simply overwhelmed and confused consumers, private-sector companies and governments. For example, while the NIST Framework lays out a process for beginning a dialogue on cybersecurity measures, it is by design not a framework listing prioritized actions based on effectiveness. As we have discussed above, we believe that the CIS Controls provide the specific, actionable controls in priority order that will thwart the most pervasive attacks. This is supported in a study by the Australian government Department of Defense, which revealed that 85% of known cybersecurity vulnerabilities can be mitigated by deploying the Top 5 CIS Controls. Whether by using the CIS Controls or some other framework, increased efforts by the Federal Government to promote a roadmap for basic cyber hygiene will yield proven results in mitigating the most prevalent and pervasive cyber attacks.

Creating a Comprehensive Approach to Improving Our Cybersecurity Workforce

One of the major reasons that organizations have struggled in achieving basic cyber hygiene is the lack of available and qualified cybersecurity professionals to undertake the necessary cyber protection actions, particularly on an on-going basis.
There are simply too few qualified cyber professionals in the workforce. This is the result of several factors: too few students in the K-12 level of education are interested in pursuing further education in computer science and cybersecurity; too few universities and colleges are offering cybersecurity degree or certificate programs that offer the practical training needed to meet the qualifications of cybersecurity professional roles; there is a need for more continuing cyber education of staff in the current cybersecurity workforce to keep up with the ever-changing technical landscape of cyber threats; and for SLTTs and smaller organizations, the ability to hire from the limited existing cybersecurity workforce is hampered by the inability to compete with private-sector salary levels.

We believe that there are several areas in which the Federal Government can assist with increasing and improving the cybersecurity workforce:

1. Help to increase awareness and promote STEM education at the K-12 level;
2. Because of our DHS support, CIS is able to recruit students from the National Science Foundation's Scholarship for Services Program (SFS) for certain MS-ISAC positions. This program has been a great tool in helping us recruit and maintain entry-level cyber professionals. We would recommend considering additional funding for the SFS program to open the program up to more students. This would assist in growing the number of students entering cybersecurity studies at the college level. We would also suggest considering broadening the organizations that qualify to hire SFS students to include non-governmental critical infrastructure organizations and not-for-profits, all of whom share the same challenges that Federal and SLTT governments face in recruiting and retaining cyber talent.
3. Providing more opportunities for cyber exercises and simulations and expand participation by SLTT entities.
In addition to allowing SLTTs more opportunities to assess their cyber readiness and response capabilities, these exercises and simulations provide on-going training for the SLTT cybersecurity workforce.

The threat to our Nation is real and extends down to every individual. As such, improving our cybersecurity defense of this country demands the combined efforts of us all. We will continue our efforts at CIS to help SLTTs protect citizen data at every level of Government. We will also continue our excellent partnership with the Federal Government as we work to extend monitoring services to all 56 States and territories as the foundation of best practice in cybersecurity information sharing.

I want to thank the committee for the opportunity to participate in this important hearing, and look forward to addressing any questions you might have. Find out more information about CIS here: https://www.cisecurity.org/.

Attachment A.--The Center for Internet Security
Attachment B.--MS-ISAC
Attachment C.--CIS Critical Security Controls
Attachment D.--CIS Security Benchmarks

Mr. Donovan. Thank you, General Spano. The Chair now recognizes Mr. Raymond for 5 minutes.

STATEMENT OF MARK RAYMOND, VICE PRESIDENT, NATIONAL ASSOCIATION OF STATE CHIEF INFORMATION OFFICERS

Mr. Raymond. Thank you, Chairman Donovan, Chairman Ratcliffe, and Ranking Members Payne and Richmond for inviting me to testify for you today. My name is Mark Raymond, and I serve as the chief information officer for the State of Connecticut and the vice president of the National Association of State Chief Information Officers. NASCIO is a nonprofit association that represents State CIOs and IT executives and managers from States, territories, and the District of Columbia. Today, I would like to provide the committee with an overview of cybersecurity preparedness in the States, what States are doing to improve our resilience, and opportunities to enhance the security profile of our Nation.
State CIOs are Executive branch officials who serve as business leaders, advisers of IT policy, and implementation at the State level. The most critical role for the CIO today includes the security of State networks, protection of State data, and helping formulate the response for a cyber incident or disruption. These responsibilities are shared with the chief information security officer, or CISO, a position that exists among all 50 States and whose roles are becoming increasingly standardized.

State CIOs and CISOs operate in an increasingly challenging environment. In the 2014 Deloitte-NASCIO Cybersecurity Study, we found that the top barriers for States addressing cybersecurity were insufficient budgets, increased sophistication of threats, and the inadequate availability of security professionals. Regarding insufficient funding, the majority of the States spend in the range of 1 to 2 percent of their overall IT budget on cybersecurity. The Federal Government spends around 14 to 16 percent. Combined with recent events, this disparity shows that there is no one correct amount or percentage. States must assess their cybersecurity risk and spend commensurate with that risk.

The lack of qualified IT security professionals is also a challenge for States. People with IT security skills are the most difficult to recruit and retain for States, and the State government salary rates and pay structures are the biggest challenge in bringing on IT talent. Another obstacle for CIOs and CISOs is the increasing sophistication of threats. The top 3 are malicious code, hacktivism, and zero-day attacks. State CIOs are playing defense, but we have been able to better prepare for known threats through information sharing.

Despite these challenges, States are progressing towards a more secure cyber environment. NASCIO has long called for States to adopt a cybersecurity framework, and quickly endorsed the NIST framework upon its release.
From 2015 data, we know that 80 percent of the States have adopted a cybersecurity framework based on National standards and guidelines. States are utilizing public and private resources to enhance their cybersecurity posture in both times of relative rest and in times of emergency. To better identify and detect cyber threats, States are increasingly sharing threat information through fusion centers and MS-ISAC. Eighty percent of States have established trusted partnerships for information sharing and response. Eighty percent of the States have also acquired and implemented continuous vulnerability monitoring capabilities to better identify and detect malicious cyber activity. Many States also participate in ALBERT, a joint program between MS-ISAC and DHS, which brings an EINSTEIN-based, cyber-traffic monitoring system to the States. Knowing that the ability to identify and detect is our first line of defense, Connecticut is the first State to take advantage of DHS's threat intelligence offering provided by iSight partners.

In the realm of response and recoveries, States are also showing maturity. In a disaster, State officials expect the State CIO to maintain reliable and secure infrastructure, coordinate with other State officials, and restore communications services. I am responsible for these duties in my State as outlined in our disaster response framework. Recognizing that States could face a catastrophic disaster that coincides with or is caused by a cyber event, NASCIO has called on States to develop a cyber disruption plan that contemplates massive disruptions to the business of State government. States like Michigan have taken the whole-community approach and have developed disruption plans that outline roles and responsibilities during a disaster.

A key partner to the States has been DHS. States are heavy utilizers of DHS State and local cyber programs like ICS-CERT and FedVTE.
Also, Federal programs like CyberCorps help shore up the IT security workforce gap that all States are facing. Another way the Federal Government could aid in enhancing States' ability to identify, protect, detect, respond, and recover is by harmonizing Federal security requirements. CIOs must comply with IRS publication 1075, FBI-CJIS, HIPAA, FERPA, CMS's MARS-E, amongst others. Regulation harmonization could lessen the burden on States, enabling us to focus on providing security services rather than checking off boxes.

Thank you for holding this important hearing and for the opportunity to testify today on this truly critical issue.

[The prepared statement of Mr. Raymond follows:]

Prepared Statement of Mark Raymond

May 24, 2016

Thank you Chairmen Ratcliffe and Donovan and Ranking Members Payne and Richmond for inviting me to testify before you today. My name is Mark Raymond and I serve as the chief information officer (CIO) for the State of Connecticut and also as the vice president of the National Association of State Chief Information Officers (NASCIO). At NASCIO, I also co-chair the cybersecurity committee. NASCIO is a nonprofit, 501(c)(3) association representing State chief information officers and information technology executives and managers from the States, territories, and the District of Columbia. Today, I would like to provide the committee an overview of the status of cybersecurity preparedness in the States, what States are doing to improve and enhance resilience to cyber attacks, and opportunities to enhance the security profile of our Nation.

State chief information officers are State executive branch officials who serve as business leaders and advisors of information technology policy and implementation at the State level.--All States have a CIO and all CIOs serve within the executive branch of State government.
The office of the State CIO takes many forms, some are cabinet officials and others are executive directors; regardless of the title, all State CIOs share a common function of setting and implementing a State's IT policy. State CIOs are also responsible for providing IT services to State executive branch agencies. This not only includes the more typical business of provisioning enterprise data or phone services but also securing the digital business of State government. The most critical role today for the CIO includes the security of State networks, protection of State data, and helping formulate the response for a cyber incident or disruption. These responsibilities are shared with the chief information security officer (CISO), a position that exists among all 50 States and duties for whom are becoming increasingly standardized.

State CIOs and CISOs operate in an increasingly challenging environment.--In the 2014 Deloitte-NASCIO Cybersecurity Study, State governments at risk: Time to move forward, (2014 Deloitte-NASCIO Study) [http://www.nascio.org/Portals/0/Publications/Documents/Deloitte-NASCIOCybersecurityStudy_2014.pdf], we studied the current cybersecurity environment in the States, common challenges, and barriers to a strong State cybersecurity posture. The 2014 Deloitte-NASCIO Study showed that the top barriers to States addressing cybersecurity were insufficient budgets, increased sophistication of threats, and the inadequate availability of security professionals. These challenges remained the same in 2015.

Insufficient budgets for cybersecurity have been cited as a top barrier since the inception of the Deloitte-NASCIO Cybersecurity Study in 2010. The majority of States spend in the range of 1-2 percent of their overall IT budget on cybersecurity. The Federal Government spends around 14-16 percent of their IT budget on cybersecurity.
Combined with recent events, this disparity shows that there is no one correct amount or percentage; States must assess their cybersecurity risk and spend commensurate with that risk.

Funding challenges also affect the ability of States to hire and retain skilled IT security personnel. NASCIO's State IT Workforce: Facing Reality with Innovation [http://www.nascio.org/Portals/0/Publications/Documents/NASCIO_StateITWorkforceSurvey2015_WEB.pdf] survey shows that a shortage in the State IT workforce has been predicted for some time and States are finding that those with IT security skills are the most difficult to recruit and retain (67.3%) followed by application development, programming, and support (57.1%); and architecture (55.1%). Ninety-two percent of respondents reported that salary rates and pay structures are a challenge in bringing on top IT talent.

States are responding to the dearth of qualified IT security personnel by getting innovative. In Maine, State CIO Jim Smith confronted the reality that 24 percent of his 480 State IT workers would be eligible to retire in the next 2 years thus highlighting the need to recruit and retain new IT talent. He has addressed 1 aspect of the workforce issue by updating the application process, moving it on-line, and making it mobile friendly. He has also created an IT intern program and over 70 percent of those interns have become full-time employees. High school students are also welcome to visit Maine's Office of Information Technology for its annual ``Technight,'' [http://www.maine.gov/oit/technight/index.shtml] where students participate in a variety of tech-related activities, which introduces them to exciting IT careers.

While insufficient budgets and workforce shortages continue to be obstacles for State CISOs, 3 out of 5 also reported that the increasing sophistication of threats was also a major barrier to addressing cybersecurity.
In the 2014 Deloitte-NASCIO Study, CISOs reported their top 3 cyber concerns: Malicious code (74.5%), hacktivism (53.2%), and zero-day attacks (42.6%). Malicious cyber activity happens daily in State government, but State CIOs have been able to better prepare for known threats through information sharing, a concept with which emergency managers are acutely aware.

Despite these challenges, States are progressing toward a more secure cyber environment. NASCIO has long called for States to adopt a cybersecurity framework and quickly endorsed [http://nascio.org/Newsroom/ArtMID/484/ArticleID/34/NASCIO-Supports-Adoption-of-the-NIST-Cybersecurity-Framework] the National Institute of Science and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) upon its release in February, 2014. In the 2014 Deloitte-NASCIO Study, we found that 88 percent of States were reviewing or planning to leverage the NIST Cybersecurity Framework within the year. In the NASCIO, Grant Thornton, CompTIA 2015 State CIO Survey, The Value Equation: Agility in Sourcing, Software and Services, [http://www.nascio.org/Portals/0/Publications/Documents/2015/NASCIO_2015_State_CIO_Survey.pdf] we found that 80 percent of States had adopted a cybersecurity framework based on National standards and guidelines.

States are adapting to shared cybersecurity challenges and utilizing public and private resources to enhance their cybersecurity posture both in times of relative rest and in times of emergency. The NIST Cybersecurity Framework identifies 5 basic functions: Identify, protect, detect, respond, and recover. States are making progress in each of these areas. To better identify and detect cyber threats to protect a wealth of State digital assets, States are increasingly sharing threat information through established forums like fusion centers and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
From the 2015 State CIO Survey, we know that 80 percent of States have established trusted partnerships for information sharing and response. Additionally, 80 percent of States have also acquired and implemented continuous vulnerability monitoring capabilities in order to better identify and detect malicious cyber activity. Knowing that the ability to identify and detect is our first line of defense, NASCIO has called on States to invest in advanced cyber analytics as a part of the practice of business intelligence and recently published, Advanced Cyber Analytics: Risk Intelligence for State Government. [http://www.nascio.org/Portals/0/Publications/Documents/2016/NASCIO_AdvancedCyberAnalytics_FINAL_4.18.16.pdf] To that end, Connecticut is the first State to take advantage of DHS's threat intelligence offering provided via iSight Partners. Many States also participate in ALBERT, a joint program between MS-ISAC and DHS which brings an EINSTEIN-based, cyber-traffic monitoring system to the States.

In my State, in addition to participating in the information sharing through MS-ISAC and utilizing ALBERT, Emergency Management Deputy Commissioner and State Homeland Security Advisor, William Shea, and I co-chair a cybersecurity task force whose membership includes a diverse mix of stakeholders including higher education, law enforcement, public utilities, private businesses, and others. We meet regularly to discuss the latest threat and vulnerability information because we know that information sharing is key to cultivating a culture of information security and is a best practice to which States should conform.

In the realm of response and recovery, States are also showing maturity.--State CIOs are expected to play a role in helping State governments respond to and recover from natural and man-made disasters.
According to the 2015 State CIO Survey, the top 3 functions for which State CIOs were responsible are maintaining a robust, reliable, and secure infrastructure; coordinating with other State officials; and restoring communications services. When riots broke out in Baltimore, Maryland, Governor Larry Hogan declared a state of emergency. Maryland's CIO organization, led by Secretary of Information Technology David Garcia, assisted with the swift deployment of ``Maryland First Responders Interoperable Radio System Team (FIRST),'' the State-wide radio communications equipment for first responders and stood up a website, ``Maryland Unites'' to which State and local leaders could direct members of the affected community. They also worked with public and private partners to reverse engineer Anonymous' attack on State networks. Information sharing was also helpful; officials in Missouri shared their experience with Maryland as they had faced a similar crisis. In ways like these, State CIOs are showing maturity in response on both the cybersecurity and emergency management fronts and especially when those two worlds collide.
Recognizing that States could face a catastrophic emergency event that coincides with or is caused by a cybersecurity event, NASCIO has called on States to develop a cyber disruption plan and recently released the ``Cyber Disruption Response Planning Guide.'' [http://www.nascio.org/Portals/0/Publications/Documents/2016/NASCIO_CyberDisruption_040616.pdf] A cybersecurity disruption is defined as: ``an event or effects from events that are likely to cause, or are causing, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, information systems, services, or networks that provide direct information technology services or enabling and support capabilities for other services; and/or threaten public safety, undermine public confidence, have a negative effect on the state economy, or diminish the security posture of the state.'' A cybersecurity disruption differs from a cybersecurity incident which is limited in scope and impact.

Examples of a cybersecurity disruption include: A cyber attack on the power grid which leads to a loss of power for a significant population; a cyber attack on water treatment and delivery leading to a loss of water supply to a significant population; a cyber attack on network capabilities leading to loss of communications which then hampers, interrupts, or prevents the operation of government and requires implementation of a continuity of operations plan; or a hurricane, flood, or other natural disaster that impairs or destroys key infrastructure assets that then precipitates the loss of connectivity over the internet or internal network.

With these scenarios in mind, States like Michigan, taking the ``whole community'' approach, convened State and local government representatives and private-sector critical infrastructure owners and operators to develop the Michigan Cyber Disruption Response Strategy, initially completed in 2013.
Michigan's Cyber Disruption Response Strategy [https://www.michigan.gov/documents/cybersecurity/Michigan_Cyber_Disruption_Response_Strategy_1.0_438703_7.pdf] provides a common framework to encourage a State-wide effort among public and private partners to defend Michigan's critical networks. Specifically, the plan prompts critical infrastructure owners and operators to address: data backup, disaster recovery/business continuity, halting key processes, equipment shutdown, log files, communications, and how to activate the cyber disruption response plan. States like the Commonwealth of Massachusetts, New Hampshire, and Rhode Island have taken a regional approach to cyber disruption planning, an effort supported by FEMA's Regional Catastrophic Preparedness Grant Program and Urban Areas Security Initiative (UASI) funding. In 2012, as part of the New England Regional Catastrophic Preparedness Initiative (NERCPI), these 3 States along with the cities of Boston and Providence completed regional cyber disruption planning and created a Cyber Disruption Response Annex which outlines how cyber responders will support industrial control system (ICS) structure in each jurisdiction, how critical cyber incident information will be shared, and how IT organizations can support public safety and each other. NERCPI also created cyber disruption teams in each State and the city of Boston; these teams are comprised of experts from IT, emergency management, and public safety and are responsible for coordinating resources and information during catastrophic events. As these previous examples exhibit, protection from cybersecurity attacks requires a ``team'' or ``whole community'' approach, and a key partner to the States has been the U.S. Department of Homeland Security (DHS). States are heavy utilizers of DHS's cybersecurity-focused State and local programs including: ICS-CERT, FedVTE (virtual training environment), and cybersecurity advisors (CSA).
Also, Federal programs like ``CyberCorps: Scholarship for Service'' allow qualifying students to serve in an IT assurance role with a Federal, State, or local government after graduation; this helps shore up the IT security workforce gap that all States are facing. The Federal Government, principally through DHS, has and hopefully will continue to provide support for successful cybersecurity programs. There is, however, another way the Federal Government could aid in enhancing States' ability to identify, protect, detect, respond, and recover--by harmonizing Federal security requirements. When States receive Federal funds, they are required to certify that certain security measures are in place; this is mandated by the Federal Information Security Management Act (FISMA). CIOs and CISOs must also comply with a variety of Federal regulations, typically promulgated in a silo-ed fashion. Some of the Federal regulations with which our community must comply include: IRS Publication 1075, FBI-Criminal Justice Information Services (FBI-CJIS), the Health Insurance Portability and Accountability Act (HIPAA), Social Security Administration security standards, the Family Educational Rights and Privacy Act (FERPA), Office of Child Support Enforcement (OCSE) security requirements, and the Center for Medicare and Medicaid Services' Minimum Acceptable Risk Standards for Exchanges (MARS-E), among others. The overarching goal of these regulations is data/information security. Knowing that the vast majority of States are utilizing National standards like those issued by NIST, the Federal Government could lessen the regulatory burden on States by harmonizing Federal requirements, especially since most if not all of these regulations share a common security goal. Cybersecurity is an issue that will only become more complex as we enter an age where the Internet of Things will become more prominent and technology like unmanned aerial systems (UAS), body-worn cameras, and cloud adoption are the norm.
New technologies will require State governments to constantly assess security vulnerabilities as citizens demand consumer-level technology services to be deployed on a whole-of-Government or enterprise basis. Given this background, the Congress and Federal agencies should continue to partner with State CIOs and CISOs when reviewing or promulgating new data security laws or regulations to ensure that the goal of security is achieved without undue burden or redundancy. Thank you for the opportunity to testify today on this critical issue.

Mr. Donovan. Thank you, Mr. Raymond. The Chair now recognizes Mr. Galvin for 5 minutes.

STATEMENT OF ROBERT GALVIN, CHIEF TECHNOLOGY OFFICER, PORT AUTHORITY OF NEW YORK AND NEW JERSEY

Mr. Galvin. Good morning, Chairman Ratcliffe, Chairman Donovan, Ranking Member Payne, and Members of the subcommittees. Thank you for this opportunity to discuss strategies for strengthening our Nation's cybersecurity. Since December 2013, it has been my privilege to serve the Port Authority of New York and New Jersey as its chief technology officer. The Port Authority builds, operates, and maintains infrastructure critical to New York and New Jersey transportation and regional trade. These facilities include America's busiest airport system, including JFK, LaGuardia, and Newark Liberty International Airports, the World Trade Center, the PATH rail transit system, 6 tunnels and bridges between New York and New Jersey, the Port Authority Bus Terminal, Hudson River ferries, and marine terminals. For more than 90 years, the Port Authority has worked to improve the quality of life for more than 18 million people who live, work, and visit the New York and New Jersey metropolitan region. Safety is the No. 1 priority across all of the authority's locations. Technology touches virtually all of our operations, so the secure and reliable functioning of our computing assets is vital to public safety.
In our limited time, I would like to briefly discuss 3 areas in which I believe the Federal Government can assist technology professionals in addressing cyber threats. These areas are communication, readiness, and public education. In the realm of communication, events like today's public hearing play a valuable role. Government and technology leaders need to work together to create safe forums to discuss prevention strategies and deconstruct cybersecurity incidents. Through the avenues of improved communication, best practices can be shared across many organizations to the benefit of the whole. Turning now to readiness. When I joined the Port Authority, the organization was in the planning stages of designing a comprehensive cybersecurity program. We adopted a framework, the NIST 800-53, which was developed by a joint task force of people from the National Institute of Standards and Technology, DOD, Department of Homeland Security, intelligence community, and Committee on National Security Systems. This was an invaluable tool saving us time and money as we put our cybersecurity program in place. I believe the Federal Government has a similar opportunity to assist organizations by coordinating regular drills, simulating large-scale cybersecurity events. Facilitating these exercises would allow those involved to understand whether they have the right procedures in place to respond effectively and to identify any deficiencies. At the Port Authority, our Office of Emergency Management conducts regular readiness drills simulating such things as active-shooter scenarios and aircraft emergencies. From these exercises, teams learn how to improve their response. Cybersecurity professionals can benefit from the same rigorous testing of our readiness. Like many organizations, the Port Authority invests resources to detect, prioritize, and examine suspicious activity on our computer networks. 
We also use strong, complex passwords across all mission-critical systems, restrict administrator access to only essential personnel, and staff a 24/7 operations center to respond to alarms generated by our cybersecurity tools and alerts received from other agencies. But probably the single most important thing we do to improve our cybersecurity posture is to require all staff who access Port Authority computers to participate in mandatory cybersecurity training programs. Themes such as ``Think Before You Click on Email Links'' and ``Be Aware Before You Share on Social Media'' encourage people to contact our help desks and the operations center before they open questionable links and attachments. Education is essential. I believe the Federal Government can play a significant role in strengthening America's cybersecurity by sponsoring a National public education campaign to promote safe computing practices. In my experience, people are more likely to exercise good cyber hygiene if they understand the important role their individual actions play in keeping our computer network secure. In the physical world, we rely on the American public to see something and say something. We need to develop Nation-wide awareness and training programs to empower people to do the same in the realm of cybersecurity. I thank the committee and look forward to your questions.

[The prepared statement of Mr. Galvin follows:]

Prepared Statement of Robert Galvin

May 24, 2016

About the PA

The Port Authority of New York & New Jersey conceives, builds, operates, and maintains infrastructure critical to the New York/New Jersey region's trade and transportation network. These facilities include America's busiest airport system, including: John F.
Kennedy International, LaGuardia, and Newark Liberty International airports, marine terminals and ports, the PATH rail transit system, 6 tunnels and bridges between New York and New Jersey, the Port Authority Bus Terminal in Manhattan, and the World Trade Center. For more than 90 years, the Port Authority has worked to improve the quality of life for the more than 18 million people who live and work in the New York and New Jersey metropolitan region.

I. It is important to keep the Authority up and running

The Authority operates a diverse group of facilities that can have both logistic and economic impacts that can reach across the globe if the facilities were to be shut down by a cyber attack. These facilities have implemented many different internet-based technologies to add efficiencies to how they operate. However, it is these technologies that make these facilities more vulnerable to cyber attacks.

II. The Authority relies on its supply chain to operate

The Authority relies on its supply chain in 2 States (New York and New Jersey) in order to operate its facilities. Required resources are provided by multiple suppliers. If fuel cannot be provided, or if electricity is impacted in either State, the Authority cannot operate at full capacity. It is critical that these supply chains are resilient to cyber attacks and have resilient business continuity plans.

III. The Port Authority takes cybersecurity seriously and has an evolving program

The Port Authority takes cybersecurity very seriously. In 2012, the Authority conducted an audit of its cybersecurity posture, and as a result, immediately started to build a cybersecurity program. Working with a consultant to identify the requirements of our cybersecurity program, the authority decided to use the NIST SP 800-53 guidelines as a standard for organizing teams, and developing and implementing the program.
Leveraging this existing standard created by a joint task force of NIST (National Institute of Standards and Technology), the Department of Defense, the Department of Homeland Security, the intelligence community, and the Committee on National Security Systems saved The Port Authority the time and effort we otherwise would have had to spend developing a framework for implementing cybersecurity. The first step the Authority took to advance the cybersecurity program was to implement services from MS-ISAC (Multi-State Information Sharing and Analysis Center). MS-ISAC analyzes all the logs generated by our perimeter security tools and provides the authority visibility into potential indicators of compromise. The Authority built and staffs a 24x7 Cybersecurity Operations Center (CSOC) that responds to all of the alarms generated by our cybersecurity tools, and to alerts received from the agency partners and cybersecurity services. We created and manage a mandatory cybersecurity awareness and training program for all staff who access the authority's computing resources. Through this process, the Port Authority developed and maintains strong partnerships with DHS, FBI, NYPD, NJSP, MS-ISAC (multi-State information sharing and analysis centers), US-CERT, and ICS-CERT. We continue to engage these agencies to perform vulnerability assessments and to assist with incident response. We also strengthened internal partnerships within the Port Authority between the Chief Security Office, Office of Emergency Management, Office of Inspector General, and the Technology departments. Early on we recognized that no one team or group would have the total solution. From these efforts, the Port Authority has seen positive results, but much work remains to protect critical assets. The technology we put in place provides visibility into emerging threats and has shown results, such as the ability to detect and automatically block 90% of critical incidents.
We continue to make improvements in our cybersecurity operations. Last year, we reduced our critical incident response time by one-third over the previous year. However, just as the technology sector continuously innovates, criminal organizations, nation-states, and hacktivists are also innovating their methods for exploiting vulnerabilities presented by new technologies, ``apps'', and new attack surfaces like the Internet of Things.

IV. The Port Authority's Biggest Cybersecurity Concerns

Like many organizations, The Port Authority uses a large number of ICS (Industrial Control Systems) to operate its facilities, for example: tunnel ventilation systems, PATH Train Control Systems, and Airport Airfield Lighting Systems. Some of these systems, if compromised, could cause loss of life. This year, the Authority initiated a program to better understand our vulnerabilities and properly patch and mitigate these systems. But it is an enormous task. In order to properly respond to a massive cyber attack or the breach of a partner organization, the PA must be in communication with partner organizations in real time and have specific remediation actions or practices to follow. Today's ISACs, while useful, do not provide such real-time breach notification. According to Verizon's 2015 Data Breach Investigations Report, 75% of attacks spread from the first victim to the second victim within 24 hours, and 40% spread from the first victim to the second in 1 hour. In order to operate all these diverse facilities and business functions, the Agency hires thousands of contractors. These individuals have access to some of our most critical systems. The Authority has recognized that insider threat is a potential attack vector. The Authority invests resources and money to implement cybersecurity tools.
We have learned from telecommunications carriers and cybersecurity service providers that it is possible for aggressive nation-states to obtain these tools through third parties and to reverse engineer them to determine how these detection and prevention tools may be circumvented.

V. How can the Federal Government help?

Education.--I think there is a clear role for the Federal Government to play by launching a massive public education campaign to practice ``Safe Computing''. The weakest link in our cybersecurity chain is the end-user. Phishing scams, e-mails with links to malevolent sites, are often the first step toward a breach. Two-thirds of cybersecurity incidents that fit a pattern of cyber-espionage feature phishing scams (DBIR, 2015). Raising our internal education & awareness level was a crucial step in improving the security posture at the Port Authority. I think PSAs (public service announcements) to inform the public about how technology works, responsible measures such as good passwords, ``Think before you click'', and other safe computing practices should be taught to the American public, beginning in school.

Communication.--Events such as today's, not built around an incident or a breach, but a conversation between technology and policy makers to reach understanding, go a long way to help both technologists and our Government make better decisions. Government and technology leaders need to work together to create safe forums to discuss prevention strategies and deconstruct cybersecurity incidents. The Federal Government can conduct in-depth reviews following an organizational breach, similar to the investigations conducted following plane crashes or what hospitals do after a medical mistake. These non-punitive approaches have been very successful in improving airline safety and in reducing medical mistakes in hospitals and emergency rooms--I would think it could have a significant impact improving cybersecurity.
The name of the breached organization could be withheld, and the Federal Government can inform agencies of findings and recommendations after completing the review. Case studies provide more than technical remediation requirements; they inform industry how to prevent problems over the long term.

Simulations.--The Federal Government can assist the PA and related agencies by coordinating an exercise or drill simulating a large-scale cybersecurity event. This drill would allow the agencies to understand where our deficiencies lie, and whether we have the right procedures and external relationships in place to respond correctly. For example, the operations of the Port Authority rely on several Federal Agencies: the CBP (Customs & Border Protection), TSA, and FAA. If their systems were compromised, the impact on the Port Authority would be substantial. If the TSA cannot perform pre-screening, we cannot board passengers; if the CBP cannot review manifests, we cannot transport cargo; if the FAA air traffic controllers are impacted, our regional airports can be shut down. The operational stability of these Federal entities has a direct impact on the Port Authority's ability to provide services to the region. Post-drill, the Fed can assist the agencies to ensure that their comprehensive cybersecurity programs and resilient business continuity plans are complete and coordinated with related agencies.

Consider oversight of cybersecurity tool developers to ensure their intellectual property is not compromised. The Authority, like many public and private-sector organizations, invests resources and money into their cybersecurity tools. If aggressive nation-states obtained these same tools through third parties and reverse-engineered them to determine how they can be circumvented, the protection we seek from cybersecurity tools would be lost.
The tech industry and Federal Government must work together to protect the intellectual capital that represents the vanguard of our security apparatus for it to operate effectively. The Federal Government may be able to provide oversight of the developers of cybersecurity tools to ensure that they are not sold to malicious third parties.

Consider stopping the Federal Government's participation in ``bug bounty'' programs which encourage grey hat hackers to sell zero-day vulnerabilities to the highest bidder. The amount governments are willing to pay for some vulnerabilities inflates their value and creates a potentially lucrative secondary market for trading vulnerabilities, and may even encourage programmers to `build in' vulnerabilities they can later sell.

VI. Challenges related to planning for, and responding to, cybersecurity

The first challenge of planning for cybersecurity is the wide variety of threat scenarios an organization must plan for: viruses, ransomware, hacktivists, nation-states, simple human error, Point-of-Sale intrusion, payment card skimmers, web app attacks, denial-of-service attacks, and cyber espionage. The second challenge is the size, configuration, and expanding nature of the attack surface: Internet presence (websites), internal network, desktops and servers, cloud-based software systems & file storage, public WiFi infrastructure, portable storage devices, VOIP systems, and the looming Internet of Things. This list includes the traditional boundary of the organization. However, we are seeing a common entry point into an organization being the subcontractors and consultants who bring equipment onsite or connect their organization's networks to provide services. The computing networks and infrastructure of suppliers who provide critical support services to an organization should be considered part of any organization's `attack surface' that could be exploited by a malevolent entity.
Another challenge is the speed with which threats evolve and the time required to detect a breach before damage can be done. This is often referred to as the ``volume, velocity, and variation'' of malware. At a high level, there are approximately 5 malware events globally every second (170 million in 2015). Most of this is filtered out by an organization's firewalls and other cybersecurity technology, but half of all organizations discover malware during 35 or fewer days per year. This seems to align with `releases' of malware during specific periods, rather than all year long. As for variation, 70-90% of malware samples in 2015 were unique to the organizations in which they were found. This combination shows that adversaries are getting more sophisticated to overcome defenses and more targeted in their approaches.

Mr. Donovan. Thank you, Mr. Galvin. I now recognize myself for 5 minutes for questions. Since each of us only has 5 minutes, I would like to give each of you an opportunity to answer. I think I would like to just ask the entire panel just one question and ask each of you to spend a minute on a response. States have constantly ranked their cyber capabilities the lowest among their core capabilities, and it makes sense that States would look towards the Federal Government for assistance. Each of you, in 1 minute, can you tell me--and some of you hit on it--declassification of information, training as we do it, active-shooter demonstrations we should do with cyber attacks. Could each of you just tell me what you think the No. 1 priority of the Federal Government should be for each of the States to help them in securing their cyber terrorist capabilities?

Mr. Ghilarducci. Mark Ghilarducci. Really, 2 areas: No. 1, information sharing is really critical here so that we are all on the same page with regards to the threat streams; and dedicated funding to implement that collective footprint or blueprint as we move forward working together to minimize the threat.
There is no dedicated funding for cybersecurity. It needs to be raised on the priority scale.

Mr. Donovan. Lieutenant Colonel.

Mr. Cooney. In the post-9/11 environment, there was a tremendous amount of effort and time put together to create a structure and a network for counterterrorism, and that is, you know, the National network of fusion centers. I compare the cyber environment now to that environment then where, you know, we should leverage this structure that took so long to build, you know, to share this threat, this cyber threat information. I think, as I mentioned in my testimony, I think that is something that is there, we just need to take it a little further, and I think--if I had to name one thing, that would be my one topic.

Mr. Donovan. Thank you, sir. General.

Mr. Spano. Yeah, I would probably say the workforce is probably the biggest challenge and where the Federal Government can help. In that area, the States are really struggling, both to compete with industry, and so when they do hire cyber professionals, because, again, they are in such demand, it is hard to compete with industry who also is requiring and demanding and hiring of those cyber professionals. So looking at the catalyst of how to start in K through 12 to get more interest in STEM, to look at the scholarship for service and how perhaps we can broaden that into other areas of not-for-profits and other businesses that surround critical security controls and critical infrastructures would be a clear role for the Federal Government to sort-of serve as a catalyst. I would say very closely to that would be tighten in the command and control in the apparatuses that link the State governments through the fusion centers, through the ISAC, to continue to strengthen the situational awareness that we present from the ISAC to DHS, which informs many National and international threats and actions and fusing that together and presenting it for National action. So they would be my 2 areas.

Mr. Donovan. General, I suspect that one of your frustrations is that all of you train people who then eventually go on to industry.

Mr. Spano. Yeah.

Mr. Donovan. Yes. Mr. Raymond.

Mr. Raymond. Thank you. Two areas: No. 1 is, I think, continuing to raise the recognition of cyber risks as equally as critical as physical infrastructure risk to our critical infrastructure. I think the second is to leverage--broader leveraging of funding that is available to the States for a variety of different directed programs; that if we could leverage that more broadly to address the cyber risk across the State, that would be tremendously beneficial to the States.

Mr. Donovan. Thank you, sir. Mr. Galvin.

Mr. Galvin. Chairman, thank you. So I outlined 3 in my opening remarks. If I had to narrow it down to--I could narrow it down to 2, which I think is in the area of readiness. I talked a little bit about coordinating cybersecurity simulation incidents. My intent there is really not so much to exercise the cybersecurity plans of each organization or agency, but to look at the coordination between agencies and organizations. For example, the Port Authority relies heavily on Customs and Border Protection and the FAA. But there is no one organization that is responsible for overseeing a coordinated response to a coordinated attack, which is a very high concern for me. The other I talked about is public education. So as a technology practitioner professional who has been working in the technical areas for 30 years, frankly, I don't know how most normal individuals who have training in other areas deal with the onslaught of technology that comes at them every day. We have all been trained as technology professionals in information access and security and control mechanisms and so on and so forth. Today, people buy WiFi devices, they come home, and they set them up. They buy televisions that interconnect with their WiFi networks and their cable systems.
There are protections that you can use and leverage, but without some kind of a training plan, I don't know how people deal with it. I assume that what happens is most of them, if they don't have someone in their life that works in the technology sphere to come and help them set up, I think they take it out of the box, they plug it in, and if it works, they declare victory and they leave it until it breaks and they buy another one. So I think public education has a huge role in protecting individuals' information as well as the information at risk in organizations, because what we are seeing is social media being leveraged by people who are posing a threat in order to gain access to corporate and agency systems.

Mr. Donovan. Thank you, sir. I thank you, all, for your testimony and sharing your expertise with us. The Chair now recognizes the gentleman from New Jersey, Mr. Payne, for questions.

Mr. Payne. Thank you, Mr. Chairman. Just on Mr. Galvin's last question, I resemble some of those remarks. I was the relative back in the 1980s that hooked everyone's VCR up. So I went around to all my aunts and uncles and that was my job for a while, so I understand what you are saying in terms of that. I will stay with you, Mr. Galvin. You know, like California, we in New Jersey have established a State cybersecurity and communications integration cell with the goal of bringing together diverse stakeholders, promote State-wide awareness and local cyber threats and wide-spread adoption of cybersecurity best practices. In your opinion, is the New Jersey cybersecurity cell carrying out its mission effectively? What is it doing well and what should it be doing better?

Mr. Galvin. Great. Thank you. One thing I want to make clear is that, you know, the work of securing our information assets and ensuring the reliable function of our systems is performed by a, in my organization, a hardworking staff of technology and security professionals, and also in our partners' agencies.
I am truly fortunate to work with such a talented and dedicated set of public servants. I assume that other members of the panel have a similar experience. This is a team effort. You know, we recognized early on putting our cybersecurity program together that there was no one group or individual that was going to have the total solution. So we have developed strong partnerships with New Jersey CISC, New York CIG, New Jersey State Police, NYPD, FBI, DHS, the MS-ISAC, US-CERT, and ICS-CERT, and we continue to engage with those agencies to perform vulnerability assessments and to assist with incident response. Likewise, we also, in this process of putting our cybersecurity program together, strengthened internal partnerships between the chief security office, which in the Port Authority is responsible for the PAPD, the Office of Emergency Management, the Office of Inspector General, and the technology departments. So it's definitely a coordinated team approach that--I think you said it very well, Mr. Ghilarducci, that it is a team solution.

Mr. Payne. So you feel that you are breaking through the silos of these different entities and working together to better assess these threats?

Mr. Galvin. We do. We spent time--I assume this will probably be a question--breaking down the NIST 853 framework, and we did a RACI diagram--responsible, accountable, consulted, and informed--to identify who was in the lead for each of the different tasks. It was a very lengthy exercise, but it was extremely valuable to us in helping put our plan together.

Mr. Payne. Thank you. Mr. Ghilarducci, every year the National Preparedness Report reveals that of the 32 core capabilities, States are least confident in cybersecurity. At the same time, States invest very little of their homeland security grant funds into improving that cybersecurity capability. Why do you think that is?

Mr. Ghilarducci.
Well, I think that part of it is because really the emphasis from DHS to States, to the State administrative agents or to the HSAs that are doing the investment justifications, are not necessarily clear. The whole concern about cyber, as has been stated here, really isn't fully yet understood. This is an evolving threat. It is getting more complex. It is getting worse as the days go on. I think that we, as DHS and the States, really we need to catch up with the fact that this threat is not going away. So once the DHS--and of course Congress--allocate funding specifically targeted towards the cyber threat, I think that then you will start to see States start to implement more of that capability. Now, I would say that just this year, I, as the SSA, went into our investment justification and broadened the investment justification to include cybersecurity and countering violent extremism to be able to push down to local grant recipients at other State agencies and local governments so that they could utilize what funds they do have and repurpose those funds. But, as you know, funds are pretty limited as they are, and it is hard to sort-of move one thing to start working on the other. So it is a constant prioritization and reprioritization issue.

Mr. Payne. Thank you. Mr. Chair, I will yield back.

Mr. Donovan. The gentleman yields. The Chair now recognizes the gentleman from Texas, Mr. Ratcliffe, for questions.

Mr. Ratcliffe. Thank you, Mr. Chairman. Earlier, I guess the end of last year, we passed an information-sharing bill in this Congress aimed at improving our ability to timely share cyber threat indicators. I want to start with you, General Spano. How would you characterize the quality of the information flow that the MS-ISAC has with the NCCIC?

Mr. Spano. I would say that the quality, I believe, as representative and testified by FBI and other DHS of information that we provided from monitoring State networks, is very high quality, and it is fused.
We have representatives from the MS-ISAC that sit on the NCCIC floor as liaison, so they are very integrated into that mission. Mr. Ratcliffe. So is that how you give feedback in terms of what information you are getting that is valuable? Mr. Spano. The feedback of what we provide comes from our analysis within the MS-ISAC from our monitoring mission. So, for instance, in 2015, we analyzed 3 trillion records and provided 56,000 alerts, sifting through all of those that were actionable for the States, but we also fed into the NCCIC for further analysis and fusing with other sources of intelligence. We have supported FBI investigations with some of our analysis of what we have seen at the State level. So the conduit and the function and the command and control has been working extremely well based upon the maturity of the ISAC mission and its capabilities year over year. Mr. Ratcliffe. Okay. So I am pleased to hear that the sharing is going extremely well. Can you offer, would you offer anything to improve the efficiency or effectiveness? Mr. Spano. Again, what we provide is, I think, moving up in its intelligence. The processes are lean and getting better as we continue to strengthen that relationship. The challenges, I think, are more downward into the State levels, as I talked about with respect to some of the resources. Mr. Ratcliffe. Yes. You talked about the workforce being a challenge. Mr. Spano. Right. Mr. Ratcliffe. I think you characterized it as high-demand, low-density. So what can DHS do to create a workforce that is well-trained and fully-equipped to respond to cyber threats? Mr. Spano. I don't know that it is any one responsibility or one responsibility of any single agency. I believe it is a collaborative effort at all levels--public, private, facilitated, encouraged by DHS. They have a number of programs that the ISAC implements to try to encourage younger students. We do a poster contest, and the CIS offers some summer camps to try to encourage it.
There is a scholarship for service under the National Science Foundation, which is really important. We believe that looking at that and examining whether we can continue to do that. It is not any silver bullet that is going to solve this problem. It is a generational problem where if the pipeline at the K through 12 is not satisfying the growing demand, you are sort-of always chasing. Looking at it from a comprehensive perspective of how to ignite that STEM capability at all levels and then balancing the differences between the public and private partnerships, I think will help create a stop-gap with programs that are specific to workforce exercises, joint exercises, to raise awareness. Mr. Ratcliffe. All right. Thank you. Let me turn to you, Mr. Raymond. Last month I held a field hearing in my district where I got perspectives from fire chiefs and local law enforcement officials on how they are responding to cyber incidents. I want your perspective from the State, the NASCIO perspective. What is the greatest limitation out there right now for States in terms of defending their cyber networks? I guess part 2 of that is, are there shared best practices that NASCIO is using to coordinate between State CIOs and local first responders and law enforcement? Mr. Raymond. Thank you for that question. I would say that the biggest challenge is the velocity of the threat and the changing threat. So continued improvement on providing information and actionable information as efficiently as it can be provided almost to machine-to-machine level to allow us to react will continue to allow the States to be able to defend as best we can. It does help with the workforce issue in many ways where we can have our machines responding on our behalf. 
In terms of working out with the field, NASCIO has put out over 31 different publications that are responsible or intending to work with both the education aspects, so making sure that our leaders understand how important cyber is, all the way to practitioners. We have over a 100-page cyber guide and a set of information for State information security officers on best practices that we have assembled across the States to help them as they are new to these roles. We do have turnover, that they can pick it up quickly and understand the very diverse environment that we have across all States. Mr. Ratcliffe. Terrific. Thanks very much. I appreciate you all being here and your testimony. My time has expired, so I will yield back. Mr. Donovan. The gentleman yields back. The Chair now recognizes the gentleman from Rhode Island, Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. I want to thank our panel here today. Your testimony was excellent, and I appreciate your work that you are doing in this field. Let me start, if I could, with Mr. Raymond and Mr. Galvin. Let's say that the State of Connecticut or the Port Authority has experienced what you, Mr. Raymond, in your testimony term a cyber disruption event. Whom do you call first? Mr. Raymond. For Connecticut, we actually have a cyber working group. So the homeland security adviser, Deputy Commissioner Bill Shea, and I work closely with this. Our first call is to the fusion center and then to MS-ISAC in terms of coordinating our events. We pull together a cyber response team that includes both homeland security and my office in terms of dealing with the response. Mr. Langevin. Okay. Mr. Galvin. For our organization, we have a cybersecurity operations center that would likely be the initial point of contact or the discovery point for a potential incident. We would assess as much as possible the depth of the breach before reaching out. But we would certainly contact MS-ISAC. Usually they find out the same time we do.
If we identify that the breach involves personally identifiable information or something of that sort, we would initiate a call to the FBI. Mr. Langevin. Okay. Thank you. As a follow-up, Colonel Cooney and Mr. Ghilarducci, as individuals with emergency management roles, whom do you recommend New Yorkers or Californians call in the event of a disruption event? Mr. Cooney. For us it depends on the nature, but, of course, I would say the NCCIC, the fusion center being collocated with the MS-ISAC, and then we would take it from there depending on the nature of it. Mr. Ghilarducci. As well, it depends on the nature. With this new integration center we built, this will be the central point where all information and reporting will flow into. If there is a criminal predicate associated with the intrusion, our State police that has a cyber crime investigation unit will sort-of take the lead and be supported by the rest of the entities that have come together in a collaborative way. But that is the process. Because the center also includes connections with DHS and FBI, they are right there with us, and then we can move on as rapidly as possible. Mr. Langevin. Do you all feel comfortable with knowing who in particular to call at the Federal level and who would respond to you in the event of a cyber disruption event? I have found that that is something that is unclear to many, whether it is big businesses or even Government agencies. Are you all clear on that, and who would you call? Mr. Ghilarducci. Well, this is a question, I mean, we typically would turn to the FBI, DHS as information sharing. But the FBI would be working with us on the actual analysis of the intrusion. But the Secret Service also plays a role in it. So there is a little bit of a conflict there. But, typically, our next step is to go to the FBI. Mr. Langevin. Okay. Mr. Galvin. I think your point is well taken, though, that in the private sector I think there is less awareness of who to call.
You have got a panel of people who work in Government and who spend time putting together a cybersecurity program, so we more than anybody are going to know the right individuals to call. But I think you are correct that depending on the nature of the entity, particularly a privately-held organization, I am not sure they would know who to reach out to. Mr. Langevin. I think that is why we have to work at the Federal level here to help get the word out more. One of the first places to go, in addition to FBI, would also be the NCCIC or US-CERT to request Federal assistance. But, Mr. Raymond, if I could, in your testimony you mention that NASCIO recommends that the States have a cyber disruption response plan. I know you highlighted New Hampshire, Massachusetts, and my home State of Rhode Island. I know what we have been doing in Rhode Island, that our cyber disruption team that we have created has visited all the stakeholders at the table, emergency management people, State police. We have our colleges and universities, as well as the private sector at the table. It has really proven to be very effective at bringing the stakeholders to the table to plan for a response to a cyber disruption event. Is there a way for the Federal Government that we can encourage this type of approach? Mr. Raymond. I believe as it relates to education and continuing to hold exercises, continuing to participate through homeland security and having the States describe their disruption plans, I think all of those encouragement points are very helpful in organizing States' response to incidents like that. Participation. NGA is holding a cyber policy academy for several States. Connecticut is one of those participating. That helps bring best practices across the States. I know that DHS is a good partner in that exercise as well. Mr. Langevin. Thank you all. I yield back. Mr. Donovan. The gentleman yields back.
The Chair now recognizes the Vice Chairman of the Subcommittee on Emergency Preparedness, Response, and Communications, the gentleman from North Carolina, Mr. Walker. Mr. Walker. Thank you, Mr. Chairman. Thank you, panel, for being here and the professional testimony. Very detailed, very important to us. Mr. Raymond, I have a question here. Two-part question, so I may break it up. How can the roles of information-sharing organizations such as MS-ISAC and ISAC be more strongly defined and effectively implemented? Mr. Raymond. I know that we actively work with MS-ISAC, and we find that it is fairly defined. I am not sure I understand how more strongly---- Mr. Walker. Let me add a little more description. Should their responsibilities be strengthened to increase information-sharing efficiency? Is that fair? Mr. Raymond. Yes. I believe the velocity of information sharing specifically across all players can be improved. Mr. Walker. Okay. General Spano, what efforts does the MS-ISAC take to gauge customer satisfaction with the States that they are engaging with? Mr. Spano. Sure. So we have an executive committee that is comprised of several of the representatives from the CISO's office and the security professionals. We have monthly calls with all the members. We have over a thousand members, although the 56 are the ones that we actively are pursuing monitoring with. We have an annual conference that they attend. We provide newsletters, efforts, the NCSR we manage on behalf of DHS to get their self-assessments to work. So it is a very strong and growing collaborative environment. Mr. Walker. In your testimony, I believe you described the value add of a State being a member of the MS-ISAC? Mr. Spano. Correct. Mr. Walker. What additional services or capabilities do you see the MS-ISAC being able to provide taking up the next 5 to 10 years? Mr. Spano.
The next 5 to 10 years, I believe that as we help solidify the basic hygiene of the security framework, such as the controls, as the foundations at the State level, and begin to help them evolve from the basics of just trying to keep their systems patched and configured correctly, I think the whole state or posture of cybersecurity will eventually begin to increase at a much more rapid pace. That is one specific area. As technology evolves to the Internet of Things and into the cloud environment, there may be a different dimension to cybersecurity that has not yet fully matured or evolved or is understood. Mr. Walker. Sure. Mr. Spano. So we have started to move out by offering those hardened images within Amazon Web Services, and we are talking to the other cloud providers like Microsoft to be able to provide the same type of hardened machine images in their cloud so that as the States begin to move toward cloud they can do it much more securely than they are now, because there are tremendous advantages and cost savings that could help fuel resources to help in the cybersecurity area. Mr. Walker. My next question was, what kind of steps do you see there to effectively get us there? But I think you just touched on some of that. Let me take, if I could, please, going back to Mr. Raymond, what do you currently see as the greatest limitation of the States' ability to defend just against the general cyber attacks? Can you speak to that for a second, talk about the problems there? Mr. Raymond. Different States are organized very differently. We are a critical infrastructure provider from State data centers to State networks. I think if we look at sort-of the complexity of the business that we serve, from schools, libraries, in some instances hospitals, so the diversity of the population that we serve and that sort of discrete nature of how funding comes in, doesn't allow us to leverage things as broadly as we would like.
So I would say that that is one of the primary challenges. Mr. Walker. Can I open that up to anybody else on the panel? I have got 57 seconds left. Anybody else want to touch on the States, sort-of the obstacles there? Mr. Spano. I think one of the bigger challenges that they have that makes implementing cybersecurity tougher is a more strategic problem in how software and applications are developed. So many of the software products are coming out of the box with inherent vulnerabilities, and I think they are poorly crafted and require a lot of lift to continue to sustain it. That is not going to be solved in any sweeping legislation, but it has to be addressed, because the competitive nature of providing software and services and applications to get the speed and agility that you need to compete means you are getting beta versions and you are a little bit sloppier in the production. The applications that you are building, even internally, to do specific things are oftentimes poorly crafted and have security vulnerabilities that tax your cyber professionals. Mr. Walker. My time has expired. Mr. Ghilarducci, you looked like you were in agreement there. Did you need to add anything to that? Mr. Ghilarducci. I would just say that cyber, what I call low-hanging fruit, just cyber hygiene training across the board can go a long way in making sure that State employees and State networks are as robust against attacks. That is one of the things that there is really not a lot of consistent and standardized training that is really made available, and I think that more of that would help a great deal. Mr. Walker. Thank you, Mr. Chairman. Mr. Donovan. The gentleman's time has expired. The Chair now recognizes the gentlewoman from New Jersey, Mrs. Watson Coleman. Mrs. Watson Coleman. Thank you, Mr. Chairman. Good morning, gentlemen. Thank you for your testimony.
Mr. Galvin, frequently the first person to decide what to do in response to a cyber incident is not the CEO or even senior leadership, it is the operational personnel level and often physical security professionals who are vastly more comfortable protecting against physical threats than threats to a network. My question is: What are the most important relationships emergency responders should maintain with private-sector employees at all organizational levels? Mr. Galvin. It is a very good question, Congresswoman. Thank you for it. I think your observation is entirely accurate, that the person who is sitting at the facility overseeing operations is the person who is going to see the symptoms or the effects of a cyber attack first and foremost. I think there are several important relationships. One, within any organization, there has to be training to make sure that the person who is operating the facility is aware of what they should do in order to pick up the phone and contact, in our case our help desk or our CSOC, cyber security operations center. Then from there it goes from a technical professional who is going to field the call and take a look at the nature of the threat and make a determination as to whether this is an opportunistic thing that is just a latent incident that has been there active for a while versus something that is emergent. Then that person escalates it internally in our organization, and I would suspect that a lot of organizations are similar. There is a kind of a tiered operation that goes on. It goes to a second- or a third-level person in order to investigate and follow up further on. So I think the relationships are first and foremost between the operations personnel and the technical personnel, and then second is the escalation in the partnerships that happen within an organization as well as awareness as to where to escalate it further if the threat cannot be contained. Mrs. Watson Coleman. Thank you.
This is a question I would like to start with you, Mr. Galvin, and then kind-of move on down as quickly as we possibly can. This has to do with sort-of just imagine a cyber Katrina. So our question is, I mean, if we fail to develop, implement, and train on doctrine to respond to a cyber event with physical or collateral consequences because it is something we have not seen before, then we will be inventing the wheel as we try to drive the car when we have these attacks. So my question is: From your perspective, what is the most important action the Federal Government can take to ensure that the communities can effectively respond to a cyber event of this nature? Mr. Galvin. Again, I think it relates to the readiness and the preparedness. We haven't really talked about this yet, but one of the things that keeps me awake at night, and I am sure it keeps a lot of CIOs awake, is industrial control systems or operational technology. So we have talked a little bit about IT systems and the fact that there is patching required. We are used to that as technology professionals--oh, there is a fix that came out. You know, Microsoft has patch Tuesday, and it has turned into cyber threat Wednesday, right? Because they release the vulnerability, people know about it, and they try to leverage it. But there is no analog to the operational technology world, the things that control lighting systems or fire alarm systems or ventilation systems or things of that nature, and those pose a real threat for us. I am sorry. I am getting lost in your question. But---- Mrs. Watson Coleman. What do you see the Federal Government---- Mr. Galvin. Yeah. So, again, I think it has to do with the preparedness, making sure that the plans are in place to respond and that there is coordination between organizations, not just within a single organization. Mrs. Watson Coleman. Thank you. Is there anyone else who would like to respond to this question? Mr. Raymond. Mr. Raymond. Thank you. 
I think continuing to sponsor and participate in exercises that allow the States to demonstrate their preparedness as Internet of Things continues to grow, unmanned vehicle systems, all of that will continue to get more complex. So being an important sponsor to allow us to play and work through these exercises in advance and think through them helps us really prepare for real events when they do occur. Mrs. Watson Coleman. Thank you. Thank you. One quick question, since we can't go down there. On a scale of 1 to 10 being the very best, how well are we doing in incorporating risk into emergency response plans and developing contingency operations? I should just probably give that to you, Mr. Ghilarducci. Did I slay that name? Mr. Ghilarducci. You did great. Thanks. Well, I appreciate the question, Congresswoman. We don't need to reinvent the wheel with regards to all-hazard planning. I mean, we have a national construct, a National Incident Management System, and having those capabilities in place to respond to the consequences, the cascading consequences of a cyber attack, should be reinforced and exercised and built upon. The delta or the challenge is that the traditional systems that we depend upon for communications and situational awareness may be actually impacted by a cyber attack. So we need to make sure we have continuity of operations redundancies put in place. This was an area where the Federal Government can support States. You want to leverage that public-private capability so that you are utilizing the most information you can get to be able to make the right decisions. So in your training and in your focus you need to also plan for--you know, don't just always plan for the technology is going to be operational. Start to do exercises and plans where you lose all that. How are you going to continue to communicate? How are you going to continue to get resources and get situational awareness in a timely way to make sure you protect lives and property? 
So those are some of the things. But it has to start with the construct of that all-hazards environment and our NIMS construct. Mrs. Watson Coleman. Thank you. Thank you very much. I yield back my time, even though I am over it. Mr. Donovan. The gentlewoman yields back the time that she doesn't have. We have a few more moments, and our panel travelled so far, I would just like to offer a second round of quick questions for my colleagues. I just would like to start. We spoke about your challenges, and each of you told us about the challenge of lack of resources, competing, the competition for talent with industry, the inability to share information because of its classifications. Would each of you just share with us what you think your biggest achievement is or your biggest success, without divulging trade secrets to our enemies, that maybe some of your colleagues would be able to piggyback on and use in their various environments? Mr. Ghilarducci. I will start. I guess two areas. Again, it continues to evolve for us, and we are working hard at it. But that is the establishment of a public-private nongovernmental academic cybersecurity task force to be able to share information and best practices and recommendations and ideas to help us as a State drive those ideas forward, and the establishment of this integrated cybersecurity fusion center, if you would, that collocates with our primary fusion center and our critical infrastructure protection team, they can come together and all be looking at similar threat streams together with an effort to be able to mitigate prior to the event actually having the greatest impact. So I think those are two areas. Then spinoffs from those is working with K through 12 and community colleges. We have actually implemented a cyber warrior program in California that has just taken off--I hate to use the word like wildfire, because we have a lot of those--but has really taken off in California. 
The cyber warrior program for high school students and community college students has really been well-received, and really we are trying to make that cyber warrior work for us. Mr. Donovan. Thank you, sir. Lieutenant Colonel. Mr. Cooney. I think it would be the establishment of our cyber analysis unit at our fusion center. I think we were fortunate to find the right people and the right mix between technical capability and the ability to do intelligence analysis. It has worked well for us in an area that, as I mentioned in my testimony, that when it comes to cyber intrusion and the intel up front in the prevention realm, this is still relatively new for us. We got into it in about 2014 and so far we have made some good progress. So I would say if other States could emulate that, then they may find that beneficial. Mr. Donovan. Thank you, sir. General. Mr. Spano. Yeah, I would say that the success of the ISAC in terms of showing how public and private can come together to address an issue of such National importance. Within the ISAC, I probably would highlight our CERT function, which is probably one of the best, certainly, in the Nation. I would like to say that it is probably world-recognized in terms of its ability to conduct forensics and analysis for a plethora of customers, predominantly, of course, focused at the SLTT. Mr. Donovan. Thank you. Mr. Chairman. Mr. Raymond. Mr. Raymond. Thank you. One of the things that I think we are really proud of in Connecticut is that we have been sort-of baking telecommunications and networking into our incident response teams. So we have had several weather events over the past few years and through that it has become really critical that citizens rely on communication technology much more so than they ever had before. So we do have a response team associated with restoring commercial networks and communication structures. 
Having those relationships at the ready has allowed us to respond very quickly when Superstorm Sandy came and to be able to restore communications as much as possible. Mr. Donovan. Thank you, sir. Mr. Galvin. Mr. Galvin. Thank you. At the Port Authority, the technology, the policies, the procedures, and the personnel that we have put in place, we have been able to detect and automatically block 90 percent of the critical incidences that we can see on our network, and we have been able to reduce our critical incident response time by two-thirds in the past year. So we are proud of these things, but there is a lot of work that remains to protect our critical technology assets. As many people on the panel have already talked about and I won't repeat, the threat continues to evolve and the attack surface continues to expand with mobile devices and the emerging Internet of Things. So we are confident, but we are continuing to work diligently. Mr. Donovan. Thank you, sir. The Chair now recognizes the gentleman from New Jersey, Mr. Payne. Mr. Payne. Thank you, Mr. Chairman. Mr. Galvin, in your testimony you note that the Port Authority has undertaken an effort to better understand cyber vulnerabilities and address them. What is the biggest challenge in carrying out this task? What has the Port Authority learned in the process that might help other ports or critical infrastructure owners conduct a similar assessment? Mr. Galvin. Thank you very much. So I think the size of the task is enormous. We have approximately 690 applications to assess. I think the lesson that I would give to other organizations is to start now. It doesn't decrease in effort or size as time goes on, because there are new techniques, new technologies that every day get introduced into the organization whether or not you are aware of them. They do require an assessment. 
So it is a huge effort, and the limiting factor, I think, is the size of the staff and the ability of our organization to absorb what we learn. Mr. Payne. Thank you. Mr. Ghilarducci, you have observed that risk assessments used by some States do not adequately address the top cyber threats or systematic interdependencies. How can we help States better assess their cyber vulnerabilities? Should FEMA be improving the bureau guidance, or should the Federal Government be providing separate guidance on how to conduct cyber assessments more thoroughly? Mr. Ghilarducci. Well, the guidance, I mean, really, the standards for assessments that we are using really are the NIST standards. I think that we would all agree that a little bit more meat could be put on the bones around doing assessments that speak a little bit more to the various aspects of the emergency management or public safety spectrum. I know we are looking at networks, but when you look at the networks' vulnerabilities, we also need to think about in the long term what would be the consequences should we lose certain networks and sort-of play that out in a little longer bit way. So FEMA would be a good entity to be able to provide some additional guidance there. The other thing is DHS, through their protective service analysts that work with our critical infrastructure protection folks, they do provide some additional support, and we appreciate that. But we probably need to get some area associated with the cyber networks, particularly when looking at private sector, given that most of the infrastructure is owned by the private sector. We need to continue to work to link those together with regards to the assessment process, because sometimes information sharing is a little bit challenging, because of proprietary and competitive kind of issues, but we need to find a place that we continue to share information to strengthen our capability as much as possible. Mr. Payne. 
You also talked about States playing catch-up in developing a whole-of-the-government approach to cybersecurity and noted that even in California only 13 organizations have participated in the cyber hygiene partnership. Why do you think more agencies within the States are not participating? What can the Federal Government do to encourage improved buy-in for cybersecurity efforts among State and local agencies or even in the private sector? Mr. Ghilarducci. Well, I think maybe Mr. Raymond and others may be a little bit more to talk about the challenges in State government. I know for us it has been, I think, one, framing and understanding of the threat. It means different things to different people. We need to be more outgoing, external, like we do with a lot of other preparedness programs. This is where the Federal Government, through cyber hygiene initiatives and other kind of training opportunities to build that knowledge base as to what it means to sit at a device or get onto the internet and what kind of challenges you could be faced with with regards to threats. So training and education is one thing. The second piece is, I think because there is a lack of knowledge, particularly at the Executive level in making decisions on funding allocations for doing assessments, quite a few times it is, you know, because you don't understand it, it is not made as a priority as it should be. Let's face it, we as a collective country, and it is just across the board, are behind the power curve with regard to this threat. We all are working very hard collectively, but we do need to do more to step this up. You can't just say it is a priority, we need to put resources behind it to really and truly make it a priority. Just like we have done with other kinds of threats, whether it is natural or human-caused threats, we throw a lot of resources at that to make sure that we are in front of it and are effectively all knowledgeable about it. Mr. Payne. Okay. I yield back, Mr. Chairman.
Mr. Donovan. The gentleman yields. The Chair recognizes the gentleman from Rhode Island, Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. I just want to go back to something we had talked about in terms of knowing who to call. Mr. Ghilarducci, maybe I have a question for you. I just wanted to follow up with a point that Mr. Galvin had made about the private sector knowing who to call. So just so I understand, so if PG&E has a cyber incident, do you recommend that they contact you or DOE or DHS first? Are you concerned about losing visibility if critical infrastructure providers go Federal first? Mr. Ghilarducci. We have the California Utilities Emergency Association, it is an entity that is funded and supported by all of the major utilities in California, embedding into your cyber integration center. It gives them that one sort of belly button, so to speak, to be able to make the call and open all of the contacts in a one-call sort-of format. It is challenging, I think, for them now because they do have a lot of people that they need to be reporting to. Inadvertently, what happens is that someone, some entity that needs to know what is going on falls through those cracks. The other thing is that, historically, there hasn't been a lot of desire, I guess, so to speak, to let too many people know what is going on because of demonstrating vulnerabilities that an organization may have. So by utilizing authorities and procedures that are being put in place through this integrated approach, it gives the utilities and the privates, the health industry similar kind of thing, a single belly button to make the call. We are all looking at it at the same time, and all of the required notifications can be made at one point. Mr. Langevin. Okay. Thank you.
Yeah, I think that the point about being reluctant to share, by the way, we have got to work at getting over that, because, obviously, if one is vulnerable, everybody is vulnerable, and that is what, hopefully, information sharing will help to mitigate. You know, we have been talking a lot about assessments this morning, but equally important is not only knowing the vulnerabilities that may exist in your assets, in your systems, but also knowing the value of the data that you are holding. So for Mr. Spano, Mr. Raymond, in Rhode Island, where I am from, our Governor, Governor Raimondo, set up a cybersecurity commission to examine the State cyber posture. One of the biggest initial findings had to do with managers not understanding the value of the data or systems and their vulnerability to attack. Incidentally, this is the same problem that the Federal Government faced with the OPM attack, knowing that their systems were vulnerable, but also not understanding the value really of the data that they were responsible for protecting. In your experience, how well do State agencies, particular those that aren't focused on IT, understand their exposure and also the value of their data? Mr. Spano. The value question is hard to quantify other than to say that the question of the scope and standards of protection has been one that has been discussed and debated since sort-of the evolution of the internet into the challenges that we are facing today: What do I protect and how much protection is enough? We have got the full classification of systems. So I think there is a clear understanding of Secret, Top Secret. It is within that Unclassified regime of understanding personal identifiable information, HIPAA information. I think, by and large, there is a rudimentary understanding at sort-of the basic masses of employees that deal in those environments and with that information. 
There are isolated and pockets of excellence where managers are being trained in how to deal with HIPAA and identify PII, but by and large it is a challenge with educating your existing workforces against the basic cyber threats and the basic protections that they can do, as well as sort-of the identification of what that value is of information. Mr. Langevin. Okay. Thank you. Mr. Raymond. Mr. Raymond. I think that the States' response--it has been my experience that there are sort-of 2 buckets, right? One is for those who have regulated data, whether it is HIPAA, protected medical information, FERPA data, IRS, those organizations are very much aware of the value of the information that they have. I think for those that have nonregulated data but that may be important to protect, I think that the reliability of--or the awareness of what they have and the importance to protect it may be a little bit less. I know in Connecticut we have a data classification policy that makes you look at what data you have and how valuable it is in terms of treating it for data sharing or at least protecting, and I think having that kind of approach for all States can really raise that visibility level that you describe. Mr. Langevin. Very good. Thank you, Mr. Chairman. I yield back. Mr. Donovan. The gentleman yields back. The Chair now recognize the gentlewoman from Texas, Ms. Jackson Lee. Ms. Jackson Lee. Let me thank the Chair for his courtesies. Let me acknowledge the Chair and Ranking Member sitting, wearing many hats, Mr. Payne, to the full committee Chair and the full committee Ranking Member. We have overlapping committees, and I just came out of the Judiciary Committee, so I thank you for your courtesies. This is a very important hearing, which is one of the reasons I did the mad dash, because I chaired this committee when it was the Transportation and Infrastructure Committee, which included all of the Nation's technological networks. 
I remember visiting water and sewer plants and seeing the openness and the expanse and wondering what potential terrorist act or manipulation of the technology dealing with it. I just came back from Silicon Valley, and they are pleading for individuals who can code or to write code. So I want to offer to you some thoughts. Obviously, you have not looked at it, but I have a bill, H.R. 53, Cybersecurity Education and Federal Workforce Enhancement, which is to target in and focus in on building up the workforce for the Federal Government, dealing with technology. Also H.R. 60--one is H.R. 53 dealing with education--H.R. 60, the National Guard Act to develop a civilian force that can be activated in the event of a major cyber attack or event. Now, if we were domestic, we know that we have NORTHCOM that would rise up and be part of dealing with any attack to the United States in a very massive way. I pushed NORTHCOM to be engaged on State and local. But this is technology, this is a cyber attack. So if you can answer the question, the importance of building the workforce, and as well the importance of having well-experienced individuals for a massive attack that deals with infrastructure, such as water and sewer, such as our electrical grid, and the one that I live with every day, the petrochemical industry, which is highly automated at each stage of the process through energy extraction, transportation, processing, and distribution. As you well know, that is an arm of the movement of the economy in this Nation. So if you could answer those, I would appreciate it. I will listen to you. Thank you. Is there someone who wants to take-- thank you. Mr. Raymond. I think education and workforce are incredibly important for us being able to respond. I would just add one comment. 
Specifically around the Guard and Guard response, I think that as it relates to us being able to have and retain workforce, because many of these folks are highly trained individuals and they can gain higher salaries in the private sector, having that capability of applying that in the event it happens at a State level is important. We do work very closely. We have a monthly cyber meeting where members of the Guard participate in that for awareness capabilities. So it is one sort of creative way for the States to be able to utilize that capability and bring those skills to bear. Ms. Jackson Lee. Thank you. Mr. Galvin. I have a comment as well. Ms. Jackson Lee. Thank you. I appreciate it. Mr. Galvin. I think there are several different skills that are involved in doing incident response in cybersecurity. They not all of them require coding skills. I think the ability to think creatively, to think on your feet, to stay calm under pressure, I think those are all important skills that don't necessarily require coders. On the other side, after an incident is detected and you are trying to figure out how to protect yourself in the future from similar attacks, because the nature of cybersecurity events is you have something that is novel and that is unique, and then you have multiple copies of it replicated with slight variations. So if you can protect yourself against one, you can kind of replicate the protection going forward. That is where you need a coder, a skill, someone who can take apart the threat or at least work with someone who can take it apart, because these are getting increasingly more complex as time goes on. I think the other thing that you brought up was having a well of individuals to respond in the event of an attack on the grid or water systems or other such critical infrastructure is extremely important. Frankly, I think you have to talk to the operations people who would oversee the facilities to talk about what kind of staff those people are. 
If it is an attack on the grid, they are not IT people, because we don't function when there is no electricity. So the question is really back to your response plan, and back in the day when a lot of us did initial kind of major systems implementations, there was always the plan, like, what happens if we are not going to go live and we have to go back to the old system? That was an old product that was dusted off. So we have to go back and start looking at having those kinds of plans in place. Like, if the payroll system goes down, you go back to writing checks and doing things like that. So we need to start thinking about that in the face of these kinds of very major attacks on electrical infrastructure, for example. Ms. Jackson Lee. Let me pursue, if I could--thank you for that. I think it is important to emphasize calmness, creativity, and thinking on your feet. But this whole concept of code, what I gleaned from Silicon Valley, they are looking at it from one perspective, we don't have enough individuals Nation-wide. Maybe you would comment. I want to be able to see a far reach to be able to have those that can take apart a threat, which I believe that we are susceptible to. So anyone want to comment on building that code, coding and coders, body of infrastructure in the human resource? Mr. Spano. Yeah, we talked about that a little bit earlier in terms of sort-of the urgency or the burning platform of it is a challenge to look at this problem as we have and other challenges where capacity could solve it. The challenges we face in cyber are challenges of complexity. Capacity can't solve a complexity issue, so we have to think about it in a much different way. The workforce is not a simple fix of just going out and trying to figure out how you are going to compete with the availability. It is how do you produce a pipeline where there is zero unemployment? 
That starts back from K through 12 and STEM and getting much more interest in those areas at a much younger age, encouraging colleges and universities to develop more curriculum and more degrees. It is tied to loan forgiveness and scholarship for service beyond that to encourage them to move into those areas. So it has to be comprehensive and looked at across a broader spectrum of time. Ms. Jackson Lee. Yes, sir. Mr. Ghilarducci. Thanks for the question. I think it is a good one. I agree with everything that has been said. I think it is important that we sort-of understand kind-of talking about pre-event and post-event. Really the pre-event is where you need that workforce multiplier, those folks that are the coders, the folks that are going to interdict and mitigate prior to the event actually taking place. The consequences of power outages or a dam release or something where there is infrastructure impact, our systems that are in place currently for consequence management need to be leveraged, and those are the ones that are going to be responding to the consequences. Unless there is an on-going series of cyber attacks, the attack itself may be done once and then you have got now a resulting series of consequences that you have to deal with. The key thing, I think, is really in the pre-event phase, is trying to have that workforce. You mentioned the National Guard. I think the National Guard across the States is a model, a good model, that could be utilized for building real-time capabilities, where in the case of California there are a lot of people that work in Silicon Valley, actually, or in the IT industry, that are also guards men and women, and they bring them in on State Active Duty and be able work on the cyber topic. But they give you a workforce multiplier that you can continue to build upon. But that is not exclusive, mutually exclusive, to the need, as the general was saying, in building out workforce from the high school level moving forward. 
So I think that it is important that we think about it from the standpoint of, what do we have to prevent, interdict, and mitigate to minimize the impact? Then our consequence managers, the people who are going to respond, we need to train them with an understanding that, unlike a wildfire or earthquake, you may be operating in an environment with no IT, no situational awareness through the computer network, and you may have to go back to pen and paper to be able to get the job done. Those are the things that I think are important to understand. Ms. Jackson Lee. I want to thank the Chairman for his indulgence. If I can just, as I close, I would cite the petrochemical industry as one that argues for all that you said. Anybody just want to comment on that? Just because these industries are dealing not only with technology, but they are dealing with chemicals, it is just a combination that you need this holistic viewpoint. Mr. Spano. I think that is shared across finance, health care, electricity, and other critical infrastructures equally as well. Some are at varying levels of maturity in their thought, strategy, and execution. Ms. Jackson Lee. Well, let me say that I could listen to the experts that are here quite more extensively, but let me say that I am hoping to move these bills and also reviewing something called COIN technology--you may not have heard of it--or may have heard of it--that is supposed to be dealing with the bigger picture that you all are looking at. Being on this committee for so long, I will just say that when we started, we knew that 80 percent of the infrastructure, which includes all that you are speaking about, was in the private sector. It may have gone up now, maybe 85 percent. So we know what our work is, and we know what our work is going forward, and this is a very important hearing for collaboration between Government and the private sector. I thank you to the Chairman and Ranking Member, and I yield back. Mr. Donovan. 
The gentlewoman yields back. I thank the witnesses for their valuable testimony and the Members for their questions. The Members of the subcommittees may have some additional questions for the witnesses. We will ask you to respond to these in writing. Pursuant to the Committee Rule VII(E), the hearing record will be held open for 10 days. Without objection, the subcommittee stands adjourned. [Whereupon, at 12:03 p.m., the subcommittees were adjourned.] [all]