[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
EXAMINING DHS'S CYBERSECURITY MISSION
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY AND
INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 3, 2017
__________
Serial No. 115-30
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
28-419 PDF WASHINGTON : 2018
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Sheila Jackson Lee, Texas
Mike Rogers, Alabama James R. Langevin, Rhode Island
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Lou Barletta, Pennsylvania William R. Keating, Massachusetts
Scott Perry, Pennsylvania Donald M. Payne, Jr., New Jersey
John Katko, New York Filemon Vela, Texas
Will Hurd, Texas Bonnie Watson Coleman, New Jersey
Martha McSally, Arizona Kathleen M. Rice, New York
John Ratcliffe, Texas J. Luis Correa, California
Daniel M. Donovan, Jr., New York Val Butler Demings, Florida
Mike Gallagher, Wisconsin Nanette Diaz Barragan, California
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Brendan P. Shields, Staff Director
Steven S. Giaier, Deputy Chief Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
John Katko, New York Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin James R. Langevin, Rhode Island
Thomas A. Garrett, Jr., Virginia Val Butler Demings, Florida
Brian K. Fitzpatrick, Pennsylvania Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex officio)
Kristen M. Duncan, Subcommittee Staff Director
CONTENTS
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Oral Statement................................................. 4
Prepared Statement............................................. 6
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Oral Statement................................................. 7
Prepared Statement............................................. 8
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Oral Statement................................................. 9
Prepared Statement............................................. 10
Witnesses
Mr. Christopher Krebs, Senior Official Performing the Duties of
the Under Secretary, National Protection and Programs
Directorate, U.S. Department of Homeland Security:
Oral Statement................................................. 12
Joint Prepared Statement....................................... 14
Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and
Communications, National Protection and Programs Directorate,
U.S. Department of Homeland Security:
Oral Statement................................................. 18
Joint Prepared Statement....................................... 14
Ms. Patricia Hoffman, Acting Assistant Secretary, Office of
Electricity Delivery and Energy Reliability, U.S. Department of
Energy:
Oral Statement................................................. 20
Prepared Statement............................................. 22
Appendix
Questions From Chairman Michael T. McCaul for Christopher Krebs.. 41
Questions From Chairman John Ratcliffe for Christopher Krebs..... 41
Questions From Chairman Michael T. McCaul for Jeanette Manfra.... 42
Questions From Chairman John Ratcliffe for Jeanette Manfra....... 42
EXAMINING DHS'S CYBERSECURITY MISSION
----------
Tuesday, October 3, 2017
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:04 a.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
Present: Representatives Ratcliffe, McCaul, Garrett,
Fitzpatrick, Donovan, Katko, Richmond, Thompson, Demings, and
Langevin.
Mr. Ratcliffe. The Committee on Homeland Security's
Subcommittee on Cybersecurity and Infrastructure Protection
will come to order. First of all, I am sure I speak for all of
us here on the dais in expressing our deepest condolences to
all of the family members and all of the victims of yesterday's
tragedy in Las Vegas.
Events like the one yesterday really demand the utmost
humanity in response to such blind hate and evil, and hopefully
it will give us all a renewed sense of purpose today as we
approach the tasks of the day.
The subcommittee is meeting today to receive testimony
regarding the Department of Homeland Security's cybersecurity
mission. I recognize myself for an opening statement.
We are here today at the start of National Cybersecurity
Awareness Month to discuss what I believe is one of the
defining public policy challenges of this generation, the
cybersecurity posture of the United States.
We have seen cyber attacks hit practically every sector of
our economy, with devastating impacts to both Government
agencies and the private sector alike. It is our shared duty to
ensure that we are doing our very best to defend against the
very real threat our cyber adversaries are posing.
But make no mistake. The cybersecurity challenges we face
are about much, much more than simply protecting bottom lines
or intellectual property or even our Nation's most Classified
information. They also impact the personal and often
irreplaceable information of every American.
This year we have seen on a grand scale just how much
damage can be done by a single individual or entity looking to
conduct a cyber attack. The Equifax breach shows that it takes
only one bad actor and only one exploitable vulnerability to do
something to compromise the information of 145 million
Americans. This is not the first cyber attack that has garnered
National attention, and unfortunately it almost assuredly will
not be the last.
As the members of this panel and as our witnesses here
today know well, there is no silver bullet or guaranteed
technology to fix the cybersecurity problem. Rather, we need to
be part of an on-going, sustained, dedicated, persistent, and
comprehensive campaign to ensure the United States remains the
world's cybersecurity superpower.
We will continue to need a sharp work force, collective
efforts in public-private partnerships and the leadership of
our Government agencies to leverage our resources and to
counter our highly sophisticated cyber adversaries.
Today, the subcommittee meets to hear from the Government
officials that are charged with meeting these cyber threats.
These are the folks on the front lines day in and day out.
DHS is the Federal Government's lead civilian agency for
cybersecurity, and within it, the National Protection and
Programs Directorate, or NPPD, leads our National effort to
safeguard and enhance the resilience of our Nation's physical
and cyber infrastructure, helping Federal agencies and, when
requested, the private sector harden their networks and respond
to cybersecurity incidents.
NPPD partners with critical infrastructure owners and
operators and other homeland security enterprise stakeholders
to offer a wide variety of cybersecurity capabilities, such as
system assessments, incident response and mitigation support,
and the ability to hunt for malicious cyber activity.
This collaborative approach to mitigating cyber incidents
is meant to prioritize meeting the needs of DHS's partners, and
is consistent with the growing recognition among Government,
academic, and corporate leaders, that cybersecurity is
increasingly interdependent across sectors and must be a core
aspect of all risk management strategies.
This committee has been working hard to ensure that NPPD
and DHS in its entirety has the necessary authorizations and
organization it needs to combat growing cyber threats. DHS
needs a strong and sharp work force and an efficient
organizational structure to support both its cybersecurity and
its infrastructure protection missions.
Earlier this year, the committee marked up and passed H.R.
3359, the Cybersecurity and Infrastructure Security Agency Act
of 2017, to reorganize and to strengthen NPPD.
As the cyber threat landscape continues to evolve, so
should DHS. In doing so, H.R. 3359 is the tool that we will use
to bring NPPD to a more visible role in the cybersecurity of
this Nation.
As a committee and as a Congress, we have taken important
steps in the right direction with legislation on information
sharing, on modernizing the Federal Government's information
technology, and in getting our State and local officials the
cybersecurity support that they need.
Some of these programs have been years in the making. Real-
time collaboration between the Government and the private
sector is a lofty and worthwhile goal. Through the automated
indicator-sharing program, or AIS, DHS has been partnering with
industry to create and enhance that broader information-sharing
environment, and we have made progress in the right direction.
While we know that proactive information sharing is only as
good as the information being provided, that type of
relationship can only be made possible with a strong foundation
of trust.
I am looking forward to a robust discussion today, not only
about how the Department can be best organized and equipped to
ensure that we are leveraging the resources of the Federal
Government toward this immense challenge, but also how the
Government can forge and grow the necessary partnerships to
achieve the greater cybersecurity for our Nation.
We have to get this right, because new technologies, the
internet of things, driverless cars, artificial intelligence,
and quantum computing are all rapidly evolving. So we need to
be securing at the speed of innovation and not at the speed of
bureaucracy. We are in an era that requires flexibility,
resiliency, and discipline, and I hope that I will hear those
values operationalized in the forthcoming testimony.
Cyber space plays an increasingly dominant role in the
fabric of the American society, and it will take continued
collaboration across the public, private, international, and
domestic spaces, to keep making the advancements needed to
prioritize cybersecurity for our country.
I know this is a responsibility that everyone on this
subcommittee takes extraordinarily seriously, and I look
forward to the discussion today with our witnesses.
[The prepared statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
October 3, 2017
We are here today, at the start of National Cybersecurity
Awareness Month, to discuss what I believe is one of the defining
public policy challenges of our generation--the cybersecurity posture
of the United States. We have seen cyber attacks hit practically every
sector of our economy with devastating impacts to both Government
agencies and the private sector alike--and it's our shared duty to
ensure we're doing our best to defend against the very real threat our
cyber adversaries pose.
But make no mistake--the cybersecurity challenges we face are about
much, much more than simply protecting bottom lines, or intellectual
property, or even our Nation's most Classified information. They also
impact the personal, often irreplaceable information, of every
American.
This year, we've seen--on a grand scale--just how much damage can
be done by a single individual or entity looking to conduct a cyber
attack. It may take only one bad actor and only one exploitable
vulnerability to do something such as compromise the information of 143
million Americans.
This is not the first cyber attack that's garnered National
headlines, and unfortunately--it almost assuredly will not be the last.
As the members of this panel and as our witnesses here today know
well, there is no silver bullet or guaranteed technology to ``fix'' the
cybersecurity problem. Rather, this is part of an on-going, sustained,
and comprehensive campaign to ensure the United States remains the
world's cybersecurity superpower.
We will continue to need a sharp workforce, the collective efforts
in public-private partnerships, and the leadership of our Government
agencies to leverage our resources and counter our highly sophisticated
cyber adversaries.
Today, this subcommittee meets to hear from the Government
officials charged with meeting these cyber threats. These are the folks
on the front lines day in and day out.
DHS is the Federal Government's lead civilian agency for
cybersecurity, and within it, the National Protection and Programs
Directorate, or NPPD, leads our National effort to safeguard and
enhance the resilience of the Nation's physical and cyber
infrastructure, helping Federal agencies and, when requested, the
private sector harden their networks and respond to cybersecurity
incidents.
NPPD partners with critical infrastructure owners and operators and
other homeland security enterprise stakeholders to offer a wide variety
of cybersecurity capabilities, such as system assessments, incident
response and mitigation support, and the ability to hunt for malicious
cyber activity.
This collaborative approach to mitigating cyber incidents is meant
to prioritize meeting the needs of DHS partners, and is consistent with
the growing recognition among Government, academic, and corporate
leaders that cybersecurity is increasingly interdependent across
sectors and must be a core aspect of risk management strategies.
This committee has been working hard to ensure that NPPD--and DHS
in its entirety--has the necessary authorizations and organization it
needs to combat growing cyber threats.
DHS needs a robust workforce and an efficient organizational
structure to support both its cybersecurity and infrastructure
protection missions.
Earlier this year, this committee marked up and passed H.R. 3359--
the Cybersecurity and Infrastructure Security Agency Act of 2017 to
reorganize and strengthen NPPD.
As the cyber threat landscape continues to evolve, so should DHS,
and in doing that, H.R. 3359 is the tool we'll use to bring ``NPPD'' to
a more visible role in the cybersecurity of this Nation.
As a committee, and as a Congress, we have taken important steps in
the right direction with legislation on information sharing,
modernizing the Federal Government's information technology, and in
getting our State and local officials the cybersecurity support they
need.
Some of these programs have been years in the making.
Real-time collaboration between the Government and the private
sector is a lofty and worthwhile goal. Through the Automated Indicator
Sharing program, or AIS, DHS has been partnering with industry to
create and enhance that broader information-sharing environment--and
we've made progress in the right direction.
While we know that proactive information sharing is only as good as
the information being provided, that type of relationship can only be
made possible with a strong foundation of trust.
I'm looking forward to a robust discussion today, not only about
how the Department can be best organized and equipped to ensure that we
are leveraging the resources of the Federal Government toward this
immense challenge, but also how the Government can forge and grow the
necessary partnerships to achieve greater cybersecurity for our Nation.
We have to get this right because new technologies--the internet of
things, driverless cars, artificial intelligence, and quantum
computing--are rapidly evolving.
We need to be securing at the speed of innovation--not of
bureaucracy.
Because we are in an era that requires flexibility, resiliency, and
discipline and I hope I will hear those values operationalized in the
forthcoming testimony.
Cyber space plays an increasingly dominant role in the fabric of
our society, and it will take continual collaboration across the
public, private, international, and domestic spaces to keep making the
advancements needed to prioritize cybersecurity for our country.
I know this is a responsibility that everyone on this subcommittee
takes extraordinarily seriously, and I look forward to the discussion
today with our witnesses.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of the subcommittee, the gentleman from
Louisiana, Mr. Richmond, for his opening statement.
Mr. Richmond. Thank you, Mr. Chairman.
Good morning. I am pleased that we are kicking off
Cybersecurity Awareness Month by talking to the Department of
Homeland Security about its cybersecurity mission and how
Congress can help ensure DHS is well-positioned to protect
critical infrastructure from cyber attacks.
Before I begin, however, I would like to send my
condolences to the families of the victims of Sunday night's
horrific shooting. To the survivors, you are in our thoughts
and prayers. To the brave first responders who ran into danger
when everyone else was running away from it, we are grateful.
The Democrats on this committee have said this before, but
it bears repeating. At some point, we are gonna have to come
together and enact sensible gun legislation. As the Congressman
representing New Orleans, I cannot sit silently as the
President insults the hurricane survivors of Puerto Rico and
the San Juan mayor who is trying to help them.
I have been through Katrina, and I know what it is like
when you are at your most vulnerable moment and you have lost
everything. What you are looking for is assistance because it
is beyond your capacity to respond to a storm of that
magnitude.
So having seen the people grieve the loss of their homes
and businesses and struggle to piece their lives back together,
I can tell you that the last thing the people in Puerto Rico
and the Virgin Islands need are insults. I urge the President
to take a break from Twitter, roll up his sleeves and get to
work.
Turning to the issue at hand, as I mentioned, I represent
New Orleans, which has significant energy sector assets. Last
month, we heard disturbing reports of a new wave of efforts to
breach energy sector networks in the United States.
According to Symantec, in some cases, hackers achieved
unprecedented access to operational systems. In light of these
reports, I am interested to know how the Department of Homeland
Security and the Department of Energy are working together to
secure energy sector networks and make them more resilient.
Additionally, as a Member of this committee and the
Congressional Task Force on Election Security, I am eager to
hear about DHS's activities to secure our election systems.
Although the administration's commitment to the critical
infrastructure designation appeared to waver earlier this year,
I was encouraged when acting Secretary Duke told committee
Democrats last month that there are no plans to rescind the
designation.
With that comment, I look forward to hearing about the
progress DHS is making to help State and local governments
secure election infrastructure and whether the Department has
adequate resources to carry out its responsibilities in that
space.
For example, I understand there is a 9-month wait for a
risk and vulnerability assessment and that some Secretaries of
State have complained about the lengthy clearance process for
election officials. I am concerned that these kinds of
challenges may deter some States, particularly those hostile to
the critical infrastructure designation, from taking full
advantage of the resources DHS can bring to bear.
To that point, DHS has struggled to build some of the
relationships necessary to executing its election security
mission. Although I have heard that DHS is making progress in
this regard, I am concerned mistakes made notifying certain
Secretaries of State that their election infrastructure had
been targeted, though it had not been, may have undermined the
trust that DHS has sought to build.
I would be interested in learning, what do you need from
Congress to address election infrastructure requests more
quickly and build trust with the election infrastructure
community?
Finally, when Ms. Manfra testified before the subcommittee
in March, I asked when I could expect the DHS cybersecurity
strategy. The strategy required pursuant to legislation I
authored was due March 23. It still has not been submitted to
Congress.
I understand the Trump administration did not fill
leadership positions relevant to the execution of DHS
cybersecurity strategy with any real sense of urgency and on-
going vacancies may be contributing to the delays. But the
strategy is 6 months overdue, and that is not acceptable.
With that, Mr. Chairman, I yield back the balance of my
time.
[The prepared statement of Ranking Member Richmond
follows:]
Statement of Ranking Member Cedric L. Richmond
October 3, 2017
I am pleased that we are kicking off cybersecurity awareness month
by talking to the Department of Homeland Security about its
cybersecurity mission and how Congress can help ensure DHS is well-
positioned to protect critical infrastructure from cyber attacks.
Before I begin, however, I would like to send my condolences to the
families of the victims of Sunday night's horrific shooting in Las
Vegas. To the survivors, you are in our thoughts. To the brave first
responders who ran into danger when everyone else was running away from
it, we are grateful.
The Democrats on this committee have said this before, but it bears
repeating: At some point, the Majority is going to have to stand up to
the gun lobby and enact responsible gun control legislation.
And, as the Congressman representing New Orleans, I cannot sit
silently as the President insults the hurricane survivors of Puerto
Rico and the San Juan Mayor who is trying to help them.
Having seen people grieve the loss of their homes and businesses
and struggle to piece their lives back together, I can tell you the
last thing the people of Puerto Rico need are insults from the
President. I urge the President to take a break from Twitter, roll up
his sleeves, and get to work.
Turning to the issue at hand, as I mentioned, I represent New
Orleans, which has significant energy sector assets. Last month, we
heard disturbing reports of a ``new wave'' of efforts to breach energy
sector networks in the United States. According to Symantec, in some
cases, hackers achieved unprecedented access to operational systems.
In light of these reports, I am interested to know how the
Department of Homeland Security and the Department of Energy are
working together to secure energy sector networks and make them
resilient.
Additionally, as a Member of this committee and of the
Congressional Task Force on Election Security, I am eager to hear about
DHS's activities to secure our election systems.
Although the administration's commitment to the critical
infrastructure designation appeared to waver earlier this year, I was
encouraged when Acting Secretary Duke told committee Democrats last
month that ``[t]here are no plans'' to rescind the designation.
With that commitment, I look forward to hearing about the progress
DHS is making to help State and local governments secure election
infrastructure and whether the Department has adequate resources to
carry out its responsibilities in that space.
For example, I understand there is a 9-month wait for a Risk and
Vulnerability Assessment and that some Secretaries of State have
complained about the lengthy clearance process for election officials.
I am concerned that these kinds of challenges may deter some States--
particularly those hostile to the critical infrastructure designation--
from taking full advantage of the resources DHS can bring to bear.
To that point, DHS has struggled to build some of the relationships
necessary to executing its election security mission. Although I have
heard that DHS is making progress in this regard, I am concerned
mistakes made notifying certain Secretaries of State that their
election infrastructure had been targeted--though it had not been--
may have undermined the trust DHS has sought to build.
I will be interested in learning what do you need from Congress to
address election infrastructure requests more quickly and build trust
within the election infrastructure community.
Finally, when Ms. Manfra testified before the subcommittee in
March, I asked when I could expect the DHS Cybersecurity Strategy. The
strategy, required pursuant to legislation I authored, was due March
23. It still has not been submitted to Congress.
I understand the Trump administration did not fill leadership
positions relevant to the execution of a DHS Cybersecurity Strategy
with any real sense of urgency, and on-going vacancies may be
contributing to the delays. But the strategy is 6 months overdue, and
that is not acceptable.
Mr. Ratcliffe. I thank the gentleman.
The Chair now welcomes and recognizes the Chairman of the
full committee, my colleague from Texas, Mr. McCaul, for any
opening statement that he might have.
Chairman McCaul. Thank you, Chairman Ratcliffe.
I also would like to extend my thoughts and prayers to the
victims and family members of the horrifying tragedy in Las
Vegas. I am hopeful that as Americans we can come together and
prevent such violence from happening in the future.
I am pleased to be here at this important hearing today,
with our distinguished guests here at this hearing. America's
National security is threatened by Islamist terrorists,
tyrannical regimes building and proliferating weapons of mass
destruction, human traffickers, and transnational gang members
like MS-13 who stream across our border.
These threats are well-known, and we need to do everything
we can to stop them as we see them coming. However, we also
find ourselves in the crosshairs of invisible attacks and
sustained cyber war from nation-states and other hackers.
As we become more and more reliant on computers and
smartphones in both our personal and professional lives,
everyone is a potential target. Sadly, many of us have already
been victims.
Over the past few years, we have seen many successful
large-scale cyber attacks take place. In early September,
hackers were able to breach Equifax, a credit reporting agency,
gaining access to sensitive information on as many as 143
million people.
In 2016, we know that Russia tried to undermine our
electoral system and democratic process, and in 2015, we
learned that China stole over 20 million security clearances,
including mine, and probably some here at this dais. These
kinds of violations are simply unacceptable.
I am proud to say that over the last few years this
committee, the Committee on Homeland Security, has recognized
these threats and has led the charge in the Congress to
strengthen the defense of our Nation's networks.
In 2014, we enacted several important bills and empowered
DHS to bolster its work force, codified DHS's cyber center, and
updated FISMA for the first time in 12 years. A year later, the
Cybersecurity Act became law, which enhances information
sharing and makes DHS the lead conduit for cyber threat
indicators and defensive measures within the Federal
Government.
While information sharing has come a long way, the WannaCry
ransomware attack recently illustrated just how important and
beneficial these relationships are. Just last week, Rob Joyce,
the cybersecurity coordinator at the White House, noted that we
needed to find a way to provide the private sector with more
expansive access to cyber threat information in a controlled
setting, something I believe we need to strengthen.
Moreover, issues relating to the sharing of Classified
information with the private sector, like accrediting SCIF
space, granting security clearances to key personnel and
enabling consistent two-way communications are issues we are
looking at closely.
In other words, we have made great progress in the way
indicators are shared. But I want to examine if we can do more
regarding the overall sharing of Classified information.
Earlier this year, I was pleased to see President Trump
issue an Executive Order to strengthen the cybersecurity of
Federal networks and critical infrastructure. Going forward, I
am hopeful that the House can advance legislation that I have
introduced to elevate NPPD as a stand-alone agency and better
support the cybersecurity mission at DHS.
This month is National Cybersecurity Awareness Month, a
time to learn more about these threats and offer ideas on how
we can best secure ourselves against these growing threats.
While we have had some success on this issue, we must do more.
Our cyber enemies, including terrorists, are always
evolving, looking for new ways to carry out their next attack.
Fortunately, this is an issue that I believe transcends party
lines. It is not a Republican or Democrat issue. So let's work
together to make our cybersecurity strong and keep the American
people safe.
Again, I would like to thank the witnesses for being here
today, and thank you for your service. A very important
component of the Department that often, as I mentioned in my
opening, we focus a lot on counterterrorism and the border
among other things. But I consider this mission that the
Department has to be one of the most important that this Nation
faces.
So I look forward to the conversation on how Congress and
the Executive branch can work together, and how we can work
with leaders in the private sector to enhance the Nation's
cybersecurity. So, with that I would like to yield back to the
Chairman, and if I may, submit my questions for the record.
[The statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
October 3, 2017
Thank you, Chairman Ratcliffe. I would also like to extend my
thoughts and prayers to the victims and family members of the
horrifying tragedy in Las Vegas. I am hopeful that as Americans, we can
come together and prevent such violence from happening again.
America's National security is continually threatened by Islamist
terrorists, tyrannical regimes building and proliferating weapons of
mass destruction, and human traffickers and transnational gang members
like MS-13 who stream across our border. These threats are well-known,
and we need to do everything we can to stop them as we see them coming.
However, we also find ourselves in the crosshairs of invisible
attacks in a sustained cyber war from nation-states and other hackers.
As we become more and more reliant on computers and smartphones in both
our personal and professional lives, everyone is a potential target and
sadly, many of us have already been victims.
Over the past few years we have seen many successful large-scale
cyber attacks take place. In early September, hackers were able to
breach Equifax, a credit reporting agency, gaining access to sensitive
information on as many as 143 million people.
In 2016, we know that Russia tried to undermine our electoral
system and democratic process and in 2015, we learned that China stole
over 20 million security clearances including mine. These kinds of
violations are simply unacceptable.
I am proud to say that over the last few years, the Committee on
Homeland Security has recognized these threats and led the charge to
strengthen the defense of our Nation's networks.
In 2014, we enacted several important bills that empowered DHS to
bolster its work force, codified DHS's cyber center, and updated FISMA
for the first time in 12 years. A year later, the Cybersecurity Act
became law, which enhances information sharing and makes DHS the lead
conduit for cyber threat indicators and defensive measures within the
Federal Government.
While information sharing has come a long way, the WannaCry
ransomware attack recently illustrated just how important and
beneficial those relationships are.
Just last week Rob Joyce, the cybersecurity coordinator at the
White House, noted that we need to find a way to provide the private
sector with more expansive access to cyber threat information in a
controlled setting; something I believe we need to strengthen.
Moreover, issues relating to the sharing of Classified information
with the private sector, like accrediting SCIF space, granting security
clearances to key personnel, and enabling consistent two-way
communication, are issues we are looking at closely.
In other words, we have made progress in the way indicators are
shared but I want to examine if we can do more regarding the overall
sharing of Classified information.
Earlier this year, I was pleased to see President Trump issue an
Executive Order to strengthen the cybersecurity of Federal networks and
critical infrastructure. Going forward, I am hopeful that the House can
advance legislation that I have introduced to elevate NPPD as a stand-
alone agency and better support the cybersecurity mission at DHS.
This month is National Cybersecurity Awareness Month, a time to
learn more about these threats and offer ideas on how we can best
secure ourselves against these growing threats. While we have had some
success on this issue, we must do more.
Our cyber enemies, including terrorists, are always evolving,
looking for new ways to carry out their next attack. Fortunately, this
is an issue that transcends party lines. Let's work together to make
our cybersecurity strong and keep the American people safe.
I would like to thank today's witnesses for their time and their
service. I look forward to our conversation about how Congress and the
Executive branch can work together and also with leaders in the private
sector to enhance our Nation's cybersecurity.
I would also like to work with you, Chairman Ratcliffe, and our
witnesses to bring our Members to the NCCIC before the end of the year
to see the progress first-hand.
Thank you.
Mr. Ratcliffe. I thank the Chairman.
The Chair now welcomes and recognizes the Ranking Minority
Member of the full committee, the gentleman from Mississippi,
Mr. Thompson, for his opening statement.
Mr. Thompson. Thank you very much. Good morning. I would
like to thank Chairman Ratcliffe and Ranking Member Richmond
for holding today's hearing to examine the work DHS is doing to
shore up our Nation's cyber defenses.
There is no doubt that our country is facing an ever-
evolving rate of cyber threats. As we stand here today, our
enemies are thinking of new and novel ways to strike at
everything from banks to hospitals and chemical facilities.
Nefarious actors even want to disrupt some of our most basic
institutions.
Last year, we learned that our Nation's election system
served as a new frontier for cyber attacks. With every passing
day, we learn of new ways cyber operatives are looking to
exploit everything from the media we consume to the databases
that store voter registration data.
In this country, there is nothing more sacred than the
ability to engage in civic activity, and cyber criminals are
seeking to undermine our democracy. Furthermore, as I watch the
devastation unfold in Texas, Florida, Puerto Rico, and the
Virgin Islands, I am reminded of the fragility of our systems.
Disrupting the systems we rely on for power, fuel, food,
and water, can be deadly, regardless of whether it is caused by
a cyber attack or a natural disaster. In short, the digital
networks we rely on for our day-to-day life are facing a
multitude of threats. To respond to these threats, Congress has
put its trust in DHS.
Over the past few years, Congress, by way of this
committee, has consistently expanded DHS's cybersecurity
mission, giving the Department a key role in securing Federal
networks, as well as the systems that support our Nation's
critical infrastructure.
The Department made huge strides in implementing these new
authorities, including by standing up an automated system to
share cyber threat data and advising the new election
infrastructure subsector on how to promote cyber hygiene with
election administrators throughout the country. We cannot,
however, expect DHS to carry out these responsibilities with
both hands tied behind its back.
To be successful, the Department needs adequate resources,
a robust staff, strong leadership and a clear strategy.
Unfortunately, this administration has been gravely unfocused
when it comes to cybersecurity.
President Trump falsely promised to deliver a comprehensive
plan to protect America's vital infrastructure from cyber
attacks on the first day in office. It took months for the
President to get around to issuing an Executive Order on
cybersecurity.
Also a quarter of the 28-person National Infrastructure
Advisory Council resigned in protest to President Trump's
insufficient attention to cyber threats. President Trump
floated the idea of an impenetrable cyber unit with Russia. At
the same time, members of his administration were considering
and ultimately deciding to ban the use of the Kaspersky
products on Federal networks.
Within DHS, the chief information officer resigned after
serving only 4 months. The National Programs and Protection
Directorate, the Department's main cyber arm, is still operating
without a permanent under secretary.
Whether the men and women in this room are willing to
acknowledge in an open setting, that they are struggling
without this leadership, we can be certain that these gaps are
making their job harder. I look forward to hearing from the
panel today about how the Department is carrying out its cyber
mission.
I hope that you will be candid with us about the obstacles
you face. If there are areas where you need additional
resources or legislative clarity, tell us how we can help. I am
especially eager to hear from Ms. Hoffman about how DHS works
with one of its key partners in securing critical
infrastructure, the Department of Energy.
With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
October 3, 2017
There is no doubt that our country is facing an evolving array of
cyber threats. As we stand here today, our enemies are thinking of new
and novel ways to strike at everything from banks to hospitals and
chemical facilities. Nefarious actors even want to disrupt some of our
most basic institutions.
Last year, we learned that our Nation's election system served as a
``new frontier'' for cyber attacks.
With every passing day, we learn of new ways cyber operatives are
looking to exploit everything from the media we consume to the
databases that store voter registration data.
In this country, there is nothing more sacred than the ability to
engage in civic activity and cyber criminals are seeking to undermine
our democracy.
Furthermore, as I watch the devastation unfold in Texas, Florida,
Puerto Rico, and the Virgin Islands--I am reminded of the fragility of
our systems. Disrupting the systems we rely on for power, fuel, food,
and water can be deadly, regardless of whether it's caused by a cyber
attack or a natural disaster.
In short, the digital networks we rely on for our day-to-day life
are facing a multitude of threats. To respond to these threats,
Congress has put its trust in DHS.
Over the past few years, Congress--by way of this committee--has
consistently expanded DHS's cybersecurity mission--giving the
Department a key role in securing Federal networks as well as the
systems that support our Nation's critical infrastructure.
The Department made huge strides in implementing these new
authorities--including by standing up an automated system to share
cyber threat data and advising the new Election Infrastructure
subsector on how to promote cyber hygiene with election administrators
throughout the country.
We cannot, however, expect DHS to carry out these responsibilities
with both hands tied behind its back. To be successful, the Department
needs adequate resources, a robust staff, strong leadership, and a
clear strategy.
Unfortunately, this administration has been gravely unfocused when
it comes to cybersecurity. President Trump falsely promised to deliver
``a comprehensive plan to protect America's vital infrastructure from
cyber attacks'' on his first day in office. It took months for the
President to get around to issuing an Executive Order on cybersecurity.
Also, a quarter of the 28-person National Infrastructure Advisory
Council resigned in protest of President Trump's ``insufficient
attention'' to cyber threats.
President Trump floated the idea of an ``impenetrable cyber unit''
with Russia at the same time members of his administration were
considering--and ultimately decided--to ban the use of Kaspersky
products on Federal networks.
Within DHS, the chief information officer resigned after serving
only 4 months, and the National Programs and Protection Directorate,
the Department's main cyber arm, is still operating without a permanent
under secretary.
Whether the men and women in this room are willing to acknowledge,
in an open setting, that they are struggling without this leadership--
we can be certain these gaps are making their jobs harder.
I look forward to hearing from this panel today about how the
Department is carrying out its cyber mission, and I hope that you'll be
candid with us about the obstacles you face. If there are areas where
you need additional resources or legislative clarity, tell us how we
can help.
Mr. Ratcliffe. I thank the gentlemen. Other Members of the
committee are reminded that opening statements may be submitted
for the record.
We are pleased to have a distinguished panel of witnesses
before us today on this very important topic. Mr. Christopher
Krebs is the senior official performing the duties of the under
secretary of the National Protection and Programs Directorate
at the United States Department of Homeland Security. Great to
see you today Mr. Krebs, and great to see you in your new roles
at DHS.
Ms. Jeanette Manfra is the assistant secretary for
cybersecurity and communications in the National Protection and
Programs Directorate at DHS. Also great to have you back before
our subcommittee, Ms. Manfra.
Finally, Ms. Patricia Hoffman is the acting assistant
secretary for the Office of Electricity Delivery and Energy
Reliability at the U.S. Department of Energy. Thank you for
being here with us today.
I would now like to ask the witnesses to stand and raise
your right hand so that I can swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that each of the
witnesses has answered in the affirmative. You may be seated.
The witnesses' full written statements will appear in the
record.
The Chair now recognizes Mr. Krebs for 5 minutes for his
opening statement.
STATEMENT OF CHRISTOPHER KREBS, SENIOR OFFICIAL PERFORMING THE
DUTIES OF THE UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS
DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Krebs. Chairman Ratcliffe, Ranking Member Richmond,
Ranking Member Thompson, Members of the committee, good morning
and thank you for today's hearing.
In this month of October, we recognize National
Cybersecurity Awareness Month, a time to focus on how
cybersecurity is a shared responsibility that affects all
Americans. The Department of Homeland Security serves a
critical role in safeguarding and securing cyber space, a core
Homeland Security mission.
I want to begin my testimony by thanking the committee for
taking action earlier this summer on the Cybersecurity and
Infrastructure Security Agency Act of 2017. If enacted, this
legislation would mature and streamline the National Protection
and Programs Directorate, or NPPD, and rename our organization
to clearly reflect our central mission. The Department strongly
supports this much-needed effort and encourages swift action by
the full House and Senate.
NPPD's mission statement is clear. We lead the Nation's
efforts to ensure the security and resilience of our cyber and
physical infrastructure. We collaborate with other Federal
agencies, State, local, Tribal, and territorial governments
and, of course, the private sector.
Our three goals are as follows: Secure and defend Federal
networks and facilities; identify and mitigate critical
infrastructure systemic risk; incentivize and broadly enable
enhanced cyber and physical security practices. No question
this is an expansive mission.
As we meet today, I am proud to share with you the tireless
efforts of so many at NPPD and in coordination with our
interagency partners to accomplish this mission: The targeting
of our elections, WannaCry, NotPetya, intrusions into energy
and nuclear sector infrastructure, Harvey, Irma, Maria, soft-
target attacks in London, Barcelona, Orlando, and most
recently, Las Vegas.
As threats to our critical infrastructure evolve and in
many ways remain the same, our people are partnering with
owners and operators across America. We are engaging the public
to raise awareness because our security is truly a shared
responsibility.
Today's hearing is about DHS's cybersecurity mission.
Earlier this year the President signed an Executive Order on
strengthening the cybersecurity of Federal networks and
critical infrastructure. This Executive Order set in motion a
series of these assessments and deliverables to improve our
defenses and lower our risks to cyber threats.
DHS is organized around these deliverables by working with
Federal and private-sector partners. We are emphasizing the
security of Federal networks. Across the Federal Government,
agencies have been implementing the industry standard NIST
cybersecurity framework.
Agencies are reporting to DHS and the Office of Management
and Budget, or OMB, on their cybersecurity risk management and
mitigation acceptance choices. DHS and OMB are evaluating the
totality of these agency reports in order to comprehensively
assess the adequacy of the Federal Government's overall
cybersecurity risk management posture.
In addition to our efforts to protect Federal Government
networks, we are focused on how Government and industry work
together to protect the Nation's critical infrastructure. We
are prioritizing deeper, more collaborative public-private
relationships and partnerships.
In collaboration with civilian, military, and intelligence
agencies, we are developing an inventory of authorities and
capabilities. We are prioritizing entities at greatest risk of
attacks that could result in catastrophic consequences. We
commonly call this our Section 9 efforts.
Before closing, let me also discuss our continued efforts
to address cybersecurity risks facing our election
infrastructure. Facing the threat of cyber-enabled operations
by a foreign government during the 2016 elections, DHS and our
interagency partners conducted unprecedented outreach and
provided cybersecurity assistance to State and local election
officials. Information shared included indicators of
compromise, technical data, and best practices.
Through numerous efforts before and after election day, we
declassified and shared information related to Russian
malicious cyber activity. These steps have been critical to
protecting our elections, enhancing awareness among election
officials, and educating the American public.
The designation of election infrastructure as critical
infrastructure provides a foundation to institutionalize and
prioritize services and support. We are working with Federal,
State, and local partners to develop information-sharing
protocols and establish key working groups. Yet there is more
to be done and we shall not waver.
In the face of increasingly sophisticated threats, NPPD is
focused on defending our Nation's critical infrastructure. The
risks are complex and dynamic with interdependencies.
Technological advances, such as the internet of things and
cloud computing, have increased access and streamlined
efficiencies.
However, they also increase access points that could be
leveraged by adversaries to gain unauthorized access to
networks. As new threats emerge and our use of technology
evolves, we must integrate cyber and physical risk in order to
effectively secure our Nation. Expertise around cyber physical
risk and cross-sector critical infrastructure interdependencies
is where NPPD brings unique expertise and capabilities.
Thank you for inviting me here today, and I look forward to
your questions.
[The joint prepared statement of Mr. Krebs and Ms. Manfra
follows:]
Joint Prepared Statement of Christopher Krebs and Jeanette Manfra
October 3, 2017
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, thank you for the opportunity to be here today. In this
month of October, we recognize National Cybersecurity Awareness Month,
a time to focus on how cybersecurity is a shared responsibility that
affects all Americans. The Department of Homeland Security (DHS) serves
a critical role in safeguarding and securing cyber space, a core
homeland security mission. The administration recognizes the
committee's work to provide DHS with the authorities necessary to carry
out this mission. The National Protection and Programs Directorate
(NPPD) at DHS leads the Nation's efforts to ensure the security and
resilience of our cyber and physical infrastructure. Earlier this year,
this committee voted favorably on H.R. 3359, the ``Cybersecurity and
Infrastructure Security Agency Act of 2017.'' If enacted, this bill
would mature and streamline NPPD, and rename our organization to
clearly reflect our essential mission and our role in securing cyber
space. The Department strongly supports this much-needed effort and
encourages swift action by the full House and the Senate.
NPPD is responsible for protecting civilian Federal Government
networks and collaborating with other Federal agencies, as well as
State, local, Tribal, and territorial governments, and the private
sector to defend against cyber threats. We endeavor to enhance cyber
threat information sharing across the globe to stop cyber incidents
before they start and help businesses and Government agencies to
protect their cyber systems and quickly recover should such an attack
occur. By bringing together all levels of government, the private
sector, international partners, and the public, we are taking action to
protect against cybersecurity risks, improve our whole-of-Government
incident response capabilities, enhance information sharing on best
practices and cyber threats, and to strengthen resilience.
threats
Cyber threats remain one of the most significant strategic risks
for the United States, threatening our National security, economic
prosperity, and public health and safety. The past year has marked a
turning point in the cyber domain, at least in the public
consciousness. We have long been confronted with a myriad of attacks
against our digital networks. But over the past year, Americans saw
advanced persistent threat actors, including hackers, cyber criminals,
and nation-states, increase the frequency and sophistication of these
attacks. Our adversaries have been developing and using advanced cyber
capabilities to undermine critical infrastructure, target our
livelihoods and innovation, steal our National security secrets, and
threaten our democracy through attempts to manipulate elections.
Global cyber incidents, such as the ``WannaCry'' ransomware
incident in May of this year and the ``NotPetya'' malware incident in
June, are examples of malicious actors leveraging cyber space to create
disruptive effects and cause economic loss. These incidents exploited
known vulnerabilities in software commonly used across the globe. Prior
to these events, NPPD had already taken actions to help protect
networks from similar types of attacks. Through requested vulnerability
scanning, NPPD helped stakeholders identify vulnerabilities on their
networks so they could be patched before incidents and attacks occur.
Recognizing that not all users are able to install patches immediately,
NPPD shared additional mitigation guidance to assist network defenders.
As the incidents unfolded, NPPD led the Federal Government's incident
response efforts, working with our interagency partners, including
providing situational awareness, information sharing, malware analysis,
and technical assistance to affected entities.
Historically, cyber actors have strategically targeted critical
infrastructure sectors including energy, financial services, critical
manufacturing, water and wastewater, and others with various goals
ranging from cyber espionage to developing the ability to disrupt
critical services. In recent years, DHS has identified and responded to
malware such as ``Black Energy'' and ``Havex,'' which were specifically
created to target industrial-control systems, associated with critical
infrastructure such as power plants and critical manufacturing. More
recently, the discovery of ``CrashOverride'' malware, reportedly used
against Ukrainian power infrastructure in 2016, highlights the
increasing cyber threat to our infrastructure.
In one recent campaign, advanced persistent threat actors targeted
the cyber infrastructure of entities within the energy, nuclear,
critical manufacturing, and other critical infrastructure sectors since
at least May 2017. In response, NPPD led the asset response, providing
on-site and remote assistance to impacted entities, helping them evaluate
the risk and remediate the malicious actor presence. In addition,
NPPD, the Federal Bureau of Investigation, and the Department of Energy
(DOE) shared actionable analytic products with critical infrastructure
owners and operators regarding this activity. This information provides
network defenders with the information necessary to understand the
adversary campaign and allows them to identify and reduce exposure to
malicious activity. In addition, DHS has been working together with DOE
to assess the preparedness of our electricity sector and strengthen our
ability to respond to and recover from a prolonged power outage caused
by a cyber incident.
cybersecurity priorities
Earlier this year, the President signed Executive Order (EO) 13800,
on Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure. This Executive Order set in motion a series of
assessments and deliverables to understand how to improve our defenses
and lower our risk to cyber threats. DHS has organized around these
deliverables, working with Federal and private-sector partners to work
through the range of actions included in the Executive Order.
We are emphasizing the security of Federal networks. Across the
Federal Government, agencies have been implementing action plans to use
the industry-standard Department of Commerce's National Institute of
Standards and Technology Cybersecurity Framework. Agencies are
reporting to DHS and the Office of Management and Budget (OMB) on their
cybersecurity risk mitigation and acceptance choices. In coordination
with OMB, DHS is evaluating the totality of these agency reports in
order to comprehensively assess the adequacy of the Federal
Government's overall cybersecurity risk management posture.
Although Federal agencies have primary responsibility for their own
cybersecurity, DHS, pursuant to its various authorities, provides a
common set of security tools across the civilian Executive branch and
helps Federal agencies manage their cyber risk. NPPD's assistance to
Federal agencies includes: (1) Providing tools to safeguard civilian
Executive branch networks through the National Cybersecurity Protection
System (NCPS), which includes ``EINSTEIN'', and the Continuous
Diagnostics and Mitigation (CDM) programs, (2) measuring and motivating
agencies to implement policies, directives, standards, and guidelines,
(3) serving as a hub for information sharing and incident reporting,
and (4) providing operational and technical assistance, including
threat information dissemination and risk and vulnerability
assessments, as well as incident response services. NPPD's National
Cybersecurity and Communications Integration Center (NCCIC) is the
civilian government's hub for cybersecurity information sharing, asset
incident response, and coordination for both critical infrastructure
and the Federal Government.
EINSTEIN refers to the Federal Government's suite of intrusion
detection and prevention capabilities that protects agencies'
Unclassified networks at the perimeter of each agency. EINSTEIN
provides situational awareness of civilian Executive branch network
traffic, so threats detected at one agency are shared with all others
providing agencies with information and capabilities to more
effectively manage their cyber risk. The U.S. Government could not
achieve such situational awareness through individual agency efforts
alone.
Today, EINSTEIN is a signature-based intrusion detection and
prevention capability that takes action on known malicious activity.
Leveraging existing investments in the Internet Service Provider
``ISP'' infrastructure, our non-signature based pilot efforts to move
beyond current reliance on signatures are yielding positive results in
the discovery of previously-unidentified malicious activity. DHS is
demonstrating the ability to capture data that can be rapidly analyzed
for anomalous activity using technologies from commercial, Government,
and open sources. The pilot efforts are also defining the future
operational needs for tactics, techniques, and procedures as well as
the skill sets and personnel required to operationalize the non-
signature-based approach to cybersecurity.
State, local, Tribal, and territorial governments are able to
access intrusion detection and analysis services through the Multi-
State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC's
service, called ``Albert,'' closely resembles some EINSTEIN
capabilities. While the current version of Albert cannot actively block
known cyber threats, it does alert cybersecurity officials to an issue
for further investigation. DHS worked closely with MS-ISAC to develop
the program and considers MS-ISAC to be a principal conduit for sharing
cybersecurity information with State and local governments.
EINSTEIN, the Federal Government's tool to address perimeter
security will not block every threat; therefore, it must be
complemented with systems and tools working inside agency networks--as
effective cybersecurity risk management requires a defense-in-depth
strategy that cannot be achieved through only one type of tool. NPPD's
Continuous Diagnostics and Mitigation (CDM) program provides
cybersecurity tools and integration services to all participating
agencies to enable them to improve their respective security postures
by reducing the attack surface of their networks as well as providing
DHS with enterprise-wide visibility through a common Federal dashboard.
CDM is helping us achieve two major advances for Federal
cybersecurity. First, agencies are gaining visibility, often for the
first time, into the extent of cybersecurity risks across their entire
network. With enhanced visibility, they can prioritize the mitigation
of identified issues based upon their relative importance. Second, with
the summary-level agency-to-Federal dashboard feeds, the NCCIC will be
able to identify systemic risks across the civilian Executive branch
more effectively and closer to real-time. For example, the NCCIC
currently tracks Government-wide progress in implementing critical
patches via agency self-reporting and manual data calls. CDM will
transform this, enabling the NCCIC to immediately view the prevalence
of a given software product or vulnerability across the Federal
Government so that the NCCIC can provide agencies with timely guidance
on their risk exposure and recommended mitigation steps. Effective
cybersecurity requires a robust measurement regime, and robust
measurement requires valid and timely data. CDM will provide this
baseline of cybersecurity risk data to drive improvement across the
civilian Executive branch.
DHS conducts a number of activities to measure agencies'
cybersecurity practices and works with agencies to improve risk
management practices. The Federal Information Security Modernization
Act of 2014 (FISMA) provided the Secretary of Homeland Security with
the authority to develop and oversee implementation of Binding
Operational Directives (BOD) to agencies. In 2016, the Secretary issued
a BOD on securing High-Value Assets (HVA), or those assets, Federal
information systems, information, and data for which unauthorized
access, use, disclosure, disruption, modification, or destruction could
cause a significant impact to the United States' National security
interests, foreign relations, economy, or to the public confidence,
civil liberties, or public health and safety of the American people.
NPPD works with interagency partners to prioritize HVAs for assessment
and remediation activities across the Federal Government. For instance,
NPPD conducts security architecture reviews on these HVAs to help
agencies assess their network architecture and configurations.
As part of the effort to secure HVAs, DHS conducts in-depth
vulnerability assessments of prioritized agency HVAs to determine how
an adversary could penetrate a system, move around an agency's network
to access sensitive data, and exfiltrate such data without being
detected. These assessments include services such as penetration
testing, wireless security analysis, and ``phishing'' evaluations in
which DHS hackers send emails to agency personnel and test whether
recipients click on potentially malicious links. DHS has focused these
assessments on Federal systems that may be of particular interest to
adversaries or support uniquely significant data or services. These
assessments provide system owners with recommendations to address
identified vulnerabilities. DHS provides these same assessments, on a
voluntary basis upon request, to private sector and State, local,
Territorial, and Tribal (SLTT) partners. DHS also works with the
General Services Administration to ensure that contractors can provide
assessments that align with our HVA initiative to agencies.
Another BOD issued by the Secretary directs civilian agencies to
promptly patch known vulnerabilities on their internet-facing systems
that are most at risk from their exposure. The NCCIC conducts Cyber
Hygiene scans to identify vulnerabilities in agencies' internet-
accessible devices and provides mitigation recommendations. Agencies
have responded quickly in implementing the Secretary's BOD and have
sustained this progress. When the Secretary issued this directive, NPPD
identified more than 360 ``stale'' critical vulnerabilities across
Federal civilian agencies, which means the vulnerabilities had been
known for at least 30 days and remained unpatched. Since December 2015,
NPPD has identified an average of less than 40 critical vulnerabilities
at any given time, and agencies have addressed those vulnerabilities
rapidly once they were identified. By conducting vulnerability
assessments and security architecture reviews, NPPD is helping agencies
find and fix vulnerabilities and secure their networks before an
incident occurs.
In addition to efforts to protect Government networks, EO 13800
continues to examine how the Government and industry work together to
protect our Nation's critical infrastructure, prioritizing deeper, more
collaborative public-private partnerships in threat assessment,
detection, protection, and mitigation. In collaboration with civilian,
defense, and intelligence agencies, we are identifying authorities and
capabilities that agencies could employ, soliciting input from the
private sector, and developing recommendations to support the
cybersecurity efforts of those critical infrastructure entities at
greatest risk of attacks that could result in catastrophic impacts.
For instance, by sharing information quickly and widely, we help
all partners block cyber threats before damaging incidents occur.
Equally important, the information we receive from partners helps us
identify emerging risks and develop effective protective measures.
Congress authorized the NCCIC as the civilian hub for sharing cyber
threat indicators and defensive measures with and among Federal and
non-Federal entities, including the private sector. As required by the
Cybersecurity Act of 2015, we established a capability, known as
Automated Indicator Sharing (AIS), to automate our sharing of cyber
threat indicators in real-time. AIS protects the privacy and civil
liberties of individuals by narrowly tailoring the information shared
to that which is necessary to characterize identified cyber threats,
consistent with longstanding DHS policy and the requirements of the
Act. AIS is a part of the Department's effort to create an environment
in which as soon as a company or Federal agency observes an attempted
compromise, the indicator is shared in real time with all of our
partners, enabling them to protect themselves from that particular
threat. This real-time sharing capability can limit the scalability of
many attack techniques, thereby increasing the costs for adversaries
and reducing the impact of malicious cyber activity. An ecosystem built
around automated sharing and network defense-in-depth should enable
organizations to detect and thwart the most common cyber attacks,
freeing their cybersecurity staff to concentrate on the novel and
sophisticated attacks. More than 129 agencies and private-sector
partners have connected to the AIS capability. Notably, partners such
as information sharing and analysis organizations (ISAOs) and computer
emergency response teams further share with or protect their customers
and stakeholders, significantly expanding the impact of this
capability. AIS is still a new capability and we expect the volume of
threat indicators shared through this system to substantially increase
as the technical standards, software, and hardware supporting the
system continue to be refined and put into full production. As more
indicators are shared from other Federal agencies, SLTT governments, and
the private sector, this information-sharing environment will become
more robust and effective.
Another part of the Department's overall information-sharing effort
is to provide Federal network defenders with the necessary context
regarding cyber threats to prioritize their efforts and inform their
decision making. DHS's Office of Intelligence and Analysis (I&A) has
collocated analysts within the NCCIC responsible for continuously
assessing the specific threats to Federal networks using traditional
all-source methods and indicators of malicious activity so that the
NCCIC can share with Federal network defenders in collaboration with
I&A. Analysts and personnel from the Department of Energy, Treasury,
Health and Human Services, FBI, DoD, and others are also collocated
within the NCCIC and working together to understand the threats and
share information with their sector stakeholders.
mitigating cyber risks
We also continue to adapt to the evolving risks to critical
infrastructure, and prioritize our services to mitigate those risks.
Facing the threat of cyber-enabled operations by a foreign government
during the 2016 elections, DHS and our interagency partners conducted
unprecedented outreach and provided cybersecurity assistance to State
and local election officials. Information shared with election
officials included indicators of compromise, technical data, and best
practices that have assisted officials with addressing threats and
vulnerabilities related to election infrastructure. Through numerous
efforts before and after Election Day, DHS and our interagency partners
have declassified and publicly shared significant information related
to the Russian malicious cyber activity. These steps have been critical
to protecting our elections, enhancing awareness among election
officials, and educating the American public. The designation of
election infrastructure as critical infrastructure serves to
institutionalize prioritized services, support, and provide data
protections, and does not subject them to any additional regulatory
oversight or burdens.
As the Sector-Specific Agency, NPPD is providing overall
coordination guidance on election infrastructure matters to subsector
stakeholders. As part of this process, the Election Infrastructure
Subsector Government Coordinating Council (GCC) is being established.
The Election Infrastructure Subsector GCC will be a representative
council of Federal, State, and local partners with the mission of
focusing on sector-specific strategies and planning. This will include
development of information-sharing protocols and establishment of key
working groups, among other priorities.
The Department also recently took action against specific products
which present a risk to Federal information systems. After careful
consideration of available information and consultation with
interagency partners, last month the Acting Secretary issued a BOD
directing Federal Executive branch departments and agencies to take
actions related to the use or presence of information security
products, solutions, and services supplied directly or indirectly by AO
Kaspersky Lab or related entities. The BOD calls on departments and
agencies to identify any use or presence of Kaspersky products on their
information systems in the next 30 days, to develop detailed plans to
remove and discontinue present and future use of the products in the
next 60 days, and at 90 days from the date of this directive, unless
directed otherwise by DHS based on new information, to begin to
implement the agency plans to discontinue use and remove the products
from information systems. This action is based on the information
security risks presented by the use of Kaspersky products on Federal
information systems.
The Department is providing an opportunity for Kaspersky to submit
a written response addressing the Department's concerns or to mitigate
those concerns. The Department wants to ensure that the company has a
full opportunity to inform the Acting Secretary of any evidence,
materials, or data that may be relevant. This opportunity is also
available to any other entity that claims its commercial interests will
be directly impacted by the directive.
conclusion
In the face of increasingly sophisticated threats, NPPD stands on
the front lines of the Federal Government's efforts to defend our
Nation's critical infrastructure from natural disasters, terrorism and
adversarial threats, and technological risk such as those caused by
cyber threats. Our infrastructure environment today is complex and
dynamic with interdependencies that add to the challenge of securing
and making it more resilient. Technological advances have introduced
the ``internet of things'' (IoT) and cloud computing, offering
increased access and streamlined efficiencies, while increasing our
footprint of access points that could be leveraged by adversaries to
gain unauthorized access to networks. As our Nation continues to evolve
and new threats emerge, we must integrate cyber and physical risk in
order to understand how to effectively secure it. Expertise around
cyber-physical risk and cross-sector critical infrastructure
interdependencies is where NPPD brings unique expertise and
capabilities.
We must ensure that NPPD is appropriately organized to address
cybersecurity threats both now and in the future, and we appreciate
this committee's leadership in working to establish the Cybersecurity
and Infrastructure Security Agency. As the committee considers these
issues, we are committed to working with Congress to ensure that this
effort is done in a way that cultivates a safer, more secure, and
resilient homeland.
Thank you for the opportunity to testify, and we look forward to
any questions you may have.
Mr. Ratcliffe. Thank you, Mr. Krebs.
Ms. Manfra, you are now recognized for 5 minutes.
STATEMENT OF JEANETTE MANFRA, ASSISTANT SECRETARY FOR
CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Manfra. Chairman Ratcliffe, Ranking Member Richmond,
Ranking Member Thompson, Members of the committee, thank you
for holding today's hearing.
I also want to begin my testimony by thanking this
committee for taking action earlier this summer on the
Cybersecurity and Infrastructure Security Agency Act of 2017. A
name for our organization that reflects our mission is
essential to our work force recruitment efforts and effective
stakeholder engagement.
We must also ensure that NPPD is appropriately organized to
address cybersecurity threats, both now and in the future, and
we appreciate this committee's leadership.
Cyber threats remain one of the most significant strategic
risks for the United States. Cyber risks threaten our National
security, economic prosperity, and public health and safety.
Our adversaries cross borders at the speed of light.
Over the past year Americans saw advanced persistent threat
actors, including hackers, criminals, and nation-states
increase in frequency, complexity, and sophistication. In my
role at DHS, I head the Department's Office of Cybersecurity
and Communications, which includes our 24/7 watch center and
operations at the National Cybersecurity and Communications
Integration Center.
Our role goes along three work streams: Instrumenting
agency networks through the deployment of sensors; assessing
and measuring agency vulnerabilities and risks, as well as
critical infrastructure; and directing and advising actions
that Federal agencies and critical infrastructure entities can
take to better secure their networks.
As you well know, the NCCIC is a civilian-Government hub
for cybersecurity information sharing, asset incident response,
and coordination for both critical infrastructure and the
Federal Government.
As my colleague noted, we are emphasizing the security of
Federal networks. NPPD's assistance to Federal agencies
includes first providing tools to safeguard civilian Executive
branch networks through our National cyber protection system
and the continuous diagnostics and mitigation programs; second,
measuring and motivating agencies; and third, serving as a hub
for information sharing and incident reporting; and finally,
providing operational and technical assistance.
Einstein, the sensors deployed as a part of the National
cyber protection system, refers to the Federal Government's
suite of intrusion detection and prevention capabilities that
protects the agencies' Unclassified networks at the perimeter
of each agency. Today Einstein is a signature-based intrusion
protection and prevention capability that takes action on known
malicious activity.
Our non-signature-based pilot efforts to move beyond
signatures are yielding positive results. These capabilities
are essential to discovery of previously-unidentified malicious
activity. We are demonstrating the ability to capture data that
can rapidly be analyzed for anomalous activity, using
technologies from commercial, Government, and open sources.
The pilot efforts are also defining the future operational
needs for tactics, techniques, and procedures, as well as the
skill sets and personnel required to operationalize the non-
signature-based approach to cybersecurity.
Einstein is our tool to address perimeter security, but it
will not detect or block every threat. Therefore we must
complement it with systems and tools working inside agency
networks.
Our continuous diagnostics and mitigation program provides
those tools and integration services to Federal agencies. These
tools are enabling agencies to manage risks across their entire
enterprise. At the same time, these tools are also going to
provide DHS visibility into our enterprise risk across the
Federal Government through a common Federal dashboard.
NPPD is also working with our interagency partners to
prioritize high-value assets, or those systems for which a
cyber incident could cause a significant impact to the United
States.
As part of this effort, we conduct security architecture
reviews to help agencies assess their network architecture and
configurations. We conduct in-depth vulnerability assessments
of these prioritized assets to determine how an adversary would
penetrate a system, move around an agency's network to access
sensitive data, and exfiltrate such data without being
detected.
These assessments provide system owners with
recommendations to address identified vulnerabilities,
protecting them before an incident occurs.
When necessary, the Department is also taking targeted
action to address specific cybersecurity risks through the
issuance of binding operational directives. We are working to
enhance cyber threat information sharing across the globe to
stop cyber incidents before they start.
These actions help businesses and Government agencies
protect their systems and quickly recover should such an attack
occur. By bringing together all levels of government, the
private sector, international partners, and the public, we are
taking action to protect against cybersecurity risks, improve
our whole-of-Government incident response capabilities, enhance
information sharing on best practices and cyber threats, and to
strengthen resilience.
Thank you for the opportunity to testify and I look forward
to any questions you may have.
Mr. Ratcliffe. Thanks, Ms. Manfra.
Ms. Hoffman, you are recognized for 5 minutes.
STATEMENT OF PATRICIA HOFFMAN, ACTING ASSISTANT SECRETARY,
OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S.
DEPARTMENT OF ENERGY
Ms. Hoffman. Chairman Ratcliffe, Ranking Member Richmond,
and Members of the subcommittee, thank you for the opportunity
to discuss the continuing threats facing our Nation's energy
infrastructure, and the Department of Energy's role.
Cybersecurity and resilience of the energy sector is one of
the Secretary's top priorities and a major focus of the
Department. The Department of Energy is the sector-specific
agency for cybersecurity of the energy sector.
DOE works with DHS and jointly with other agencies, the
private-sector organizations, for a whole-of-Government
response to cyber incidents by protecting assets and countering
threats.
In addition, the Department of Energy serves as the lead
agency for Emergency Support Function 12, which is energy,
under the National response framework. As a lead, ESF 12 is
responsible for facilitating restoration of damaged energy
infrastructure. The Department works with industry, Federal,
State, and local partners to facilitate response and
recoveries.
Combining DOE's role as the SSA for cybersecurity with
National response activity ensures that incidents with both
cyber and physical impacts are coordinated in the energy sector.
At this moment in time I would like to acknowledge that the
Secretary does express his support for the victims of
Hurricanes Harvey, Irma, and Maria, and I would also like to
express my gratitude for all the utility workers that have been
working very hard in the regions for restoring power.
In extreme cases the Department can also use its legal
authorities, such as those in the Federal Power Act as amended by
the Fixing America's Service Transportation Act, to assist in
response and recovery operations. Congress enacted several
important new energy security measures in this act as it
relates to cybersecurity.
The Secretary of Energy was provided a new authority upon
declaration of a grid security emergency by the President, to
issue emergency orders to protect or restore critical electric
infrastructure, or defense critical electric infrastructure.
This authority allows DOE to respond as needed to the threat of
cyber and physical attacks to the grid.
DOE has collaborated with the energy sector for nearly two
decades in voluntary public-private partnerships that engage
owners and operators at all levels, technical, operational, and
executive, along with State and local governments, to identify
and mitigate physical and cyber risks to the energy systems.
In the energy sector, the core partnerships have consisted
of the electric sector coordinating council and the oil and
gas coordinating council. In these meetings, interagency
partners, including DHS, States, international partners come
together to discuss important security and resilience issues
for the energy sector.
The electric sector, specifically, has been very forward-
leaning and aggressive in trying to address cybersecurity
issues. DOE plays a critical role in supporting the energy
sector's cybersecurity by building in security.
Specifically we have been looking at building capabilities
in the sectors in three areas. The first area is preparedness,
enhancing the visibility and situational awareness in
operational networks as well as I.T. networks, increasing the
alignment of cybersecurity preparedness across multiple States
and Federal jurisdictions, response and recovery activities,
and supporting the whole-of-Government effort, and leveraging
the expertise of the Department of Energy's National labs to
drive cybersecurity innovation.
Threats continue to evolve. DOE is working diligently to
stay ahead of the curve. The solution is an ecosystem of
resilience that works in partnership with State, local, and
industry stakeholders to advance best practices, strategies,
and tools.
To accomplish this we must accelerate information sharing
to better inform local investment decisions, encourage
innovation, and the use of best practices to help raise the
energy sector's security maturity and strengthen local incident
response and recovery activities, especially through the
participation in training programs and exercises.
I appreciate the opportunity to be here before the
subcommittee and represent one of the sector-specific
agencies and the energy sector's cybersecurity capabilities.
However I would be remiss not to take a moment and stress
the interdependent nature of our infrastructure. It requires
all sectors to be constantly focused on improving their
cybersecurity posture. So DOE looks forward to continue working
with the Federal agencies to share best practices and build a
defense-in-depth.
So with that I would like to thank you for being here today
and look forward to answering your questions.
[The prepared statement of Ms. Hoffman follows:]
Prepared Statement of Patricia Hoffman
October 3, 2017
introduction
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee, thank you for the opportunity to discuss the continuing
threats facing our National energy infrastructure and the Department of
Energy's (DOE's) role in supporting the cybersecurity of the Nation's
energy infrastructure. Cybersecurity and the resilience of the energy
sector is one of the Secretary's top priorities and a major focus of
the Department.
Our economy, National security, and even the well-being of our
citizens depend on the reliable delivery of electricity. The mission of
the Office of Electricity Delivery and Energy Reliability (DOE-OE)--
which I oversee in my roles as the acting under secretary for science
and energy and acting assistant secretary for DOE-OE--is to strengthen,
transform, and improve energy infrastructure to ensure access to
reliable and secure sources of energy. The Secretary of Energy and DOE
are committed to working with our public and private-sector partners to
protect the Nation's critical energy infrastructure from physical
security events, natural and man-made disasters, and cybersecurity
threats.
doe's role as the energy sector's ``sector-specific agency''
In preparation for, and response to, cybersecurity threats, the
Federal Government's operational framework is provided by Presidential
Policy Directive 41 (PPD-41). A primary purpose of PPD-41 is to clarify
the roles and responsibilities of the Federal Government during a
``significant cyber incident,'' which are described as cyber incidents
that are ``likely to result in demonstrable harm to the National
security interests, foreign relations, or economy of the United States
or to the public confidence, civil liberties, or public health and
safety of the American people.''
Under the PPD-41 framework, as the Sector-Specific Agency (or SSA)
for cybersecurity of the energy sector, DOE works jointly with other
agencies and private-sector organizations, including the Federal
Government's designated lead agencies for coordinating the response to
significant cyber incidents by protecting assets and countering
threats: The Department of Homeland Security (DHS) acting through the
National Cybersecurity and Communications Integration Center (NCCIC)
and the Department of Justice (DOJ), acting through the Federal Bureau
of Investigation (FBI) and the National Cyber Investigative Joint Task
Force, respectively. In the event of a cybersecurity emergency in the
energy sector, closely aligning DOE's activities with those of our
partners at DHS and DOJ helps to ensure that DOE's deep expertise with
the sector is appropriately leveraged.
Under Presidential Policy Directive-21 (PPD-21): Critical
Infrastructure Security and Resilience, later codified in part in the
Fixing America's Surface Transportation Act, DOE is designated as the
SSA for cybersecurity of the energy sector. As the SSA, DOE coordinates
with DHS and other Federal agencies and collaborates with industry and
State, local, Tribal, and territorial partners on matters of cyber
resilience, incident response, and planning. For any risk to the energy
sector, DOE thus acts to ensure unity of effort across government,
including States, and industry partners.
In addition, DOE serves as the lead agency for Emergency Support
Function 12 (ESF-12) under the National Response Framework. As the lead
for ESF-12, DOE is responsible for facilitating the restoration of
damaged energy infrastructure. The Department works with industry and
Federal, State, and local partners to facilitate response and recovery.
Combining DOE roles as the SSA in cybersecurity with National response
ensures incidents with both cyber and physical impacts can be
coordinated for the energy sector.
In extreme cases, the Department can use its legal authorities such
as those in the Federal Power Act, as amended by the Fixing America's
Surface Transportation (FAST) Act, to assist in response and recovery
operations. Congress enacted several important new energy security
measures in the FAST Act as it relates to cybersecurity. The Secretary
of Energy was provided a new authority, upon declaration of a ``Grid
Security Emergency'' by the President, to issue emergency orders to
protect or restore critical electric infrastructure or defense critical
electric infrastructure. This authority allows DOE to respond as needed
to the threat of cyber and physical attacks on the grid.
DOE is working to address public comments received regarding the
rules of procedure to issue an order under this new authority. The Grid
Security Emergency authority is unique to DOE and an important element
in partnering with DHS and DOJ to fully address the cybersecurity risks
to the energy sector.
the special nature of energy security cybersecurity
Cyber attacks targeting ``information technology'' or IT, including
computing and business applications, to cause disruptions, obtain
access to email accounts and personal information, exfiltrate data to
release to the world at large, and exploit information for private gain
are growing increasingly common. The energy sector is not immune to
such attacks.
However, our adversaries understand that the energy sector is a
valuable target not because of its IT systems, but because of the
assets that the sector controls. Accordingly, we have seen an increased
interest in vulnerabilities of the ``operating technology,'' or OT, of
energy delivery systems and other critical infrastructure as well. OT
systems consist of industrial control systems (or ICS), programmable
logic controls, and its associated supervisory control and data
acquisition software (known as SCADA). The heavy use of OT systems has
made electric utilities, oil and natural gas providers, hydro and
nuclear facilities, and water utilities prime targets for OT-related
cyber attacks. The disruption of any one of these is not only
inherently problematic, it also hampers the ability to respond to any
type of emergency event.
The Department's focus on OT systems specific to the energy sector
makes our activities both distinct from, and complementary to, the
activities of DHS and our other Federal agency partners. The
cybersecurity of energy sector OT systems requires specific and focused
attention because of their need for extremely high reliability and
availability, the fact that any significant reduction in the speed of
the systems is unacceptable, and because these systems are so critical
to underpinning the Nation's economic health, public safety, and
National security.
In December 2015, the first known successful cyber attack on power
grid OT took place in Ukraine. Over 225,000 residents were left without
power for several hours in the coordinated attack, and a second attack
occurred in December 2016 that left portions of Kiev without
electricity. More recently, publicly-available information about
threats such as the Crash Override malware used in Ukraine and the
nation-state activities described under the name ``Dragonfly 2.0'' are
just two of many examples that illustrate the threat to the Nation's
energy infrastructure is real and growing more concerning by the day.
importance of partnerships
Before I describe the details of the Department's activities in
support of the energy sector's cybersecurity, I must first focus on the
most foundational aspect of our activities: Partnerships. The Federal
Government does not own or operate the vast majority of the assets in
the Nation's energy sector, and DOE does not hold a monopoly on
protecting the Nation's critical infrastructure from cyber threats. As
such, we cannot function effectively unless we have strong partnerships
throughout the public and private sectors and with our Federal
colleagues at DHS and other law enforcement- and National security-
oriented agencies.
DOE has collaborated with the energy sector for nearly two decades
in voluntary public-private partnerships that engage energy owners and
operators at all levels--technical, operational, and executive, along
with State and local governments--to identify and mitigate physical and
cyber risks to energy systems.
These partnerships are built on a foundation of earned trust that
promotes the mutual exchange of information and resources to improve
the security and resilience of critical energy infrastructures. These
relationships acknowledge the special security challenges of energy
delivery systems and leverage the distinct technical expertise within
industry and Government to develop solutions.
The security and integrity of energy infrastructure is both a State
and Federal Government concern because energy underpins the operations
of every other type of critical infrastructure; the economy; and public
health and safety. The owners and operators of energy infrastructure,
however, have the primary responsibility for the full spectrum of
cybersecurity risk management: Identify assets, protect critical
systems, detect incidents, respond to incidents, and recover to normal
operations.
When the lights go out or gasoline stops flowing in pipelines, the
first responder is usually not the State or Federal Government but,
rather, industry or local government. This is why public-private
partnerships regarding cybersecurity are paramount--they recognize the
distinct roles and capabilities of industry and Government in managing
our critical energy infrastructure risks.
In the Energy Sector, the core of critical infrastructure partners
consists of the Electricity Subsector Coordinating Council (ESCC), the
Oil and Natural Gas Subsector Coordinating Council (ONG SCC), and the
Energy Government Coordinating Council (EGCC). The ESCC and ONG SCC
represent the interests of their respective industries. The EGCC, led
by DOE and co-chaired with DHS, is where the interagency partners,
States, and international partners come together to discuss the
important security and resilience issues for the energy sector. This
forum ensures that we're working together in a whole-of-Government
response.
As defined in the National Infrastructure Protection Plan, the
industry coordinating councils or ``SCCs'' are created by owners and
operators and are self-organized, self-run, and self-governed, with
leadership designated by the SCC membership. The SCCs serve as the
principal collaboration points between the Government and private-
sector owners and operators for critical infrastructure security and
resilience coordination and planning, as well as a range of sector-
specific activities and issues.
The SCCs, EGCC, and associated working groups operate under DHS's
Critical Infrastructure Partnership Advisory Council (CIPAC) framework,
which provides a mechanism for industry and Government coordination.
The public-private critical infrastructure community engages in open
dialog to mitigate critical infrastructure vulnerabilities and to help
reduce impacts from threats.
doe's cybersecurity strategy for the energy sector
To address these challenges, it is critical for us to be proactive
and cultivate what I call an ecosystem of resilience: A network of
producers, distributors, regulators, vendors, and public partners,
acting together to strengthen our ability to prepare, respond, and
recover. We continue to partner with industry, DHS and other Federal
agencies, States, local governments, and energy stakeholders broadly to
quickly identify threats, develop capabilities to support mitigation
strategies, and rapidly respond to any disruptions.
DOE plays a critical role in supporting energy sector cybersecurity
to enhance the security and resilience of the Nation's energy
infrastructure. As part of a comprehensive strategy for energy
resilience, the Department is focusing cyber support efforts to:
Enhance visibility and situational awareness of operational networks;
increase alignment of cyber preparedness and planning across local,
State, and Federal levels; and leverage the expertise of DOE's National
Labs to drive cybersecurity innovation.
Enhance visibility and situational awareness of operational networks
It is necessary for partners in the Energy Sector and the
Government to share emerging threat data and vulnerability information
to help prevent, detect, identify, and thwart cyber attacks more
rapidly. An example of this type of collaboration is the Cybersecurity
Risk Information Sharing Program (CRISP), a voluntary public-private
partnership that is primarily funded by industry, administered by the
Electricity Information Sharing and Analysis Center (E-ISAC), and
enhanced by DOE through intelligence analysis by DOE's Office of
Intelligence and Counterintelligence. One of DOE's National
Laboratories--the Pacific Northwest National Laboratory--is a key
partner for the E-ISAC in accomplishing the goals of the CRISP program.
The purpose of CRISP is to share information among electricity
subsector partners, DOE, and the intelligence community to facilitate
the timely bi-directional sharing of Unclassified and Classified threat
information to enhance the sector's ability to identify, prioritize,
and coordinate the protection of critical infrastructure and key
resources. CRISP leverages advanced sensors and threat analysis
techniques developed by DOE along with DOE's expertise as part of the
intelligence community to better inform the energy sector of the high-
level cyber risks. Current CRISP participants provide power to over 75
percent of the total number of continental United States electricity
customers. The Department is currently in the early stages of taking
the lessons learned from CRISP and developing an analogous capability
to monitor network traffic on OT networks.
If CRISP has demonstrated one finding to DOE, the E-ISAC, and our
industry partners, it is that continuous monitoring of critical
networks and shared situational awareness is of utmost importance in
protecting against malicious cyber activities. Programs such as CRISP
are critical for facilitating the identification of and response to
advanced persistent threats targeting the energy sector.
Advancing this project to improve situational awareness of OT
networks is a key focus of DOE's current activities. Observing
anomalous traffic on networks--and having the ability to store and
retrieve network traffic from the recent past--can be the first step in
stopping an attack early in the cyber kill chain. Continuous monitoring
of IT and OT networks, in coordination with Federal partners and
industry, is a critical component of protecting the Nation against
cyber threats.
Increase Alignment of Cyber Preparedness and Planning Across Local,
State, and Federal Levels
As the Energy SSA, DOE works at many levels of the electricity,
petroleum, and natural gas industries. We interact with numerous
stakeholders and industry partners to share both Classified and
Unclassified information, discuss coordination mechanisms, and promote
scientific and technological innovation to support energy security and
reliability. By partnering through working groups between Government
and industry at the National, regional, State, and local levels, DOE
facilitates enhanced cybersecurity preparedness.
As a recent example, DOE-OE and the National Association of
Regulatory Utility Commissioners (NARUC) sponsored the third edition of
a cybersecurity primer for regulatory utility commissioners. This
document was published in January of this year and is publicly
available on the NARUC Research Lab website, benefiting not only
regulators, but State officials focused on the sector as well.
The updated cyber primer provides best practices, access to
industry and National standards, sample questions, and easy reference
materials for commissions in their engagements with utilities to ensure
their systems are resilient to cyber threats.
We are continuing to work with the NARUC Research Lab to support
regional trainings on cybersecurity throughout the year, with the goal
of building commissioner and commission staff expertise on
cybersecurity so they ensure cyber investments are both resilient and
economically sound.
DOE also continues to work closely with our public and private
partners to ensure that our response and recovery capabilities fully
support and bolster the actions needed to help ensure the reliable
delivery of energy. We continue to coordinate with industry through the
SCCs to synchronize DOE and industry cyber incident response playbooks.
DOE-OE also engages directly with our public and private-sector
stakeholders to help ensure we all are prepared and coordinated in the
event of a cyber incident to the industry. Innovation and preparedness
are vital to grid resilience. This past December, DOE and the National
Association of State Energy Officials (NASEO) co-hosted the Liberty
Eclipse Exercise in Newport, Rhode Island, which focused on a
hypothetical cyber incident that cascaded into the physical world,
resulting in power outages and damage to oil and natural gas
infrastructure. The event featured 96 participants from 13 States, and
included representatives from State energy offices, emergency
management departments, utility commissions, as well as Federal
partners, such as FEMA, and private-sector utilities and petroleum
companies.
In November, we are looking forward to participating in GridEx IV,
which is the biennial exercise led by the North American Electric
Reliability Corporation (NERC) and is designed to simulate a cyber and
physical attack on electric and other critical infrastructures across
North America. Coordination with Federal partners and participation in
preparedness activities enable DOE to identify gaps and develop
capabilities to support cyber response as the SSA.
Leverage the Expertise of DOE's National Labs to Drive Cybersecurity
Innovation
Beyond providing guidance and technical support to the energy
sector, DOE-OE also supports an R&D portfolio designed to develop
advanced tools and techniques to provide enhanced cyber protection for
key energy systems. Intentional, malicious cyber threat challenges to
our energy systems are on the rise in both number and sophistication.
This evolution has profound impacts on the energy sector.
Cybersecurity for energy control and OT systems is much different
than that of typical IT systems. Power systems must operate
continuously with high reliability and availability. Upgrades and
patches can be difficult and time-consuming, with components dispersed
over wide geographic regions. Further, many assets are in publicly-
accessible areas where they can be subject to physical tampering. Real-
time operations are imperative and latency is unacceptable for many
applications. Immediate emergency response capability is mandatory and
active scanning of the network can be difficult.
The CEDS R&D program is designed to assist the energy sector asset
owners by developing cybersecurity solutions for energy delivery
systems through a focused research and development effort. DOE-OE co-
funds projects with industry partners to make advances in cybersecurity
capabilities for energy delivery systems. These research partnerships
are helping to detect, prevent, and mitigate the consequences of a
cyber-incident for our present and future energy delivery systems. Of
course, our National Laboratories are critical partners in executing
this work.
To select cybersecurity R&D projects, DOE constantly examines
today's threat landscape and coordinates with partners, like DHS, to
provide the most value to the energy sector while minimizing overlap
with existing projects. For example, the Artificial Diversity and
Defense Security (ADDSec) project will develop solutions to protect
control system networks by constantly changing a network's virtual
configuration, much like military communications systems that rapidly
change frequencies to avoid interception and jamming. As a result,
ADDSec can harden networks against the mapping and reconnaissance
activities that are the typical precursors to a cyber attack.
Another project, the Collaborative Defense of Transmission and
Distribution Protection and Control Devices against Cyber Attacks
(CODEF), is designed to anticipate the impact a command will have on a
control system environment. If the commands would result in damage to
the system or other negative consequences, CODEF will have the ability
to prevent their execution. This type of solution is especially
intriguing as it can detect malicious activity regardless of the
source, be it an insider threat or an external actor.
Since 2010, DOE-OE has invested more than $210 million in
cybersecurity research, development, and demonstration projects that
are led by industry, universities, and the National Laboratories. These
investments have resulted in more than 35 new tools and technologies
that are now being used to further advance the resilience of the
Nation's energy delivery systems.
Conclusion
Threats continue to evolve, and DOE is working diligently to stay
ahead of the curve. The solution is an ecosystem of resilience that
works in partnership with local, State, and industry stakeholders to
help provide the methods, strategies, and tools needed to help protect
local communities through increased resilience and flexibility. To
accomplish this, we must accelerate information sharing to inform
better local investment decisions, encourage innovation and the use of
best practices to help raise the energy sector's security maturity, and
strengthen local incident response and recovery capabilities,
especially through participation in training programs and preparedness
exercises.
Building an ecosystem of resilience is--by definition--a shared
endeavor, and keeping a focus on partnerships remains an imperative.
DOE will continue its years of work coordinating with DHS and fostering
vital energy sector relationships and investing in technologies to
enhance security and resilience in order to support industry efforts to
respond to, and recover quickly from all threats and hazards.
I appreciate the opportunity to appear before the subcommittee to
discuss the cybersecurity of the energy sector. I would, however, be
remiss if I did not take a moment to stress that the interdependent
nature of our infrastructure requires that all sectors be constantly
focused on improving their cybersecurity posture. Collaboration among
DOE, DHS, and the rest of the Federal family is absolutely critical to
ensuring that we remain both ahead of the curve and resilient to any
potential cyber attack. DOE, as always, looks forward to our continued
partnership to share best practices, collaborating where appropriate
and possible, and helping to protect our civilian infrastructure from
the Nation's cyber adversaries.
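The CODEF idea described in the prepared statement above (predict what a command would do to the control system, and refuse to execute it if the predicted result is damaging, whatever the command's source) can be illustrated with a small pre-execution gate. The following is an added example; it is not code from the hearing record or from the CODEF project. The two-feeder substation model, the relay pickup band, the load figures and the command sequence are all constructed for illustration.

```python
"""
Pre-execution impact check for control-system commands, in the spirit of
the CODEF concept in the testimony: simulate a command against a model of
the current system state and block it if the predicted state violates a
safety constraint, regardless of who or what issued it.

Everything below (two-feeder substation, relay pickup band, load values,
command sequence) is a constructed illustration, not CODEF's own model.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed safe band for overcurrent relay pickup, as % of line rating:
# below it the relay trips on normal load, above it the line is unprotected.
PICKUP_MIN_PCT = 110.0
PICKUP_MAX_PCT = 150.0


@dataclass
class Line:
    rating_mw: float
    closed: bool = True
    pickup_pct: float = 125.0  # relay pickup as % of line rating


@dataclass
class Substation:
    lines: Dict[str, Line]
    load_mw: float

    def flows(self) -> Dict[str, float]:
        """Split the load evenly across closed lines (deliberate simplification)."""
        closed = [n for n, l in self.lines.items() if l.closed]
        if not closed:
            return {n: 0.0 for n in self.lines}
        share = self.load_mw / len(closed)
        return {n: (share if n in closed else 0.0) for n in self.lines}


# A command is (verb, line, value); value is only used by "set_pickup".
Command = Tuple[str, str, float]


def apply_command(state: Substation, cmd: Command) -> Substation:
    """Return the predicted state after cmd, leaving the live state untouched."""
    verb, line, value = cmd
    new = copy.deepcopy(state)
    if line not in new.lines:
        raise ValueError(f"unknown line {line!r}")
    if verb == "open":
        new.lines[line].closed = False
    elif verb == "close":
        new.lines[line].closed = True
    elif verb == "set_pickup":
        new.lines[line].pickup_pct = value
    else:
        raise ValueError(f"unknown verb {verb!r}")
    return new


def violations(state: Substation) -> List[str]:
    """List every safety constraint the given (predicted) state breaks."""
    problems: List[str] = []
    flows = state.flows()
    if not any(l.closed for l in state.lines.values()):
        problems.append("load unserved: no closed supply line")
    for name, line in state.lines.items():
        if flows[name] > line.rating_mw:
            problems.append(
                f"{name} overloaded: {flows[name]:.0f} MW > {line.rating_mw:.0f} MW")
        if not (PICKUP_MIN_PCT <= line.pickup_pct <= PICKUP_MAX_PCT):
            problems.append(
                f"{name} relay pickup {line.pickup_pct:.0f}% outside "
                f"{PICKUP_MIN_PCT:.0f}-{PICKUP_MAX_PCT:.0f}%")
    return problems


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    source: str  # recorded for audit; it never influences the verdict


def gate(state: Substation, cmd: Command, source: str) -> Tuple[Decision, Substation]:
    """Allow cmd only if its predicted outcome is safe; otherwise keep the old state."""
    predicted = apply_command(state, cmd)
    problems = violations(predicted)
    if problems:
        return Decision(False, problems, source), state
    return Decision(True, [], source), predicted


def run_sequence(state: Substation, commands: List[Tuple[Command, str]]):
    decisions: List[Decision] = []
    for cmd, source in commands:
        decision, state = gate(state, cmd, source)
        decisions.append(decision)
    return decisions, state


def demo():
    """Constructed scenario: 80 MW load on two 100 MW feeders, four commands."""
    sub = Substation(lines={"L1": Line(100.0), "L2": Line(100.0)}, load_mw=80.0)
    commands = [
        (("open", "L1", 0.0), "operator-hmi"),            # L2 carries 80 MW: allowed
        (("open", "L2", 0.0), "operator-hmi"),            # blacks out the load: blocked
        (("set_pickup", "L2", 300.0), "engineering-ws"),  # disables protection: blocked
        (("close", "L1", 0.0), "operator-hmi"),           # restores redundancy: allowed
    ]
    return run_sequence(sub, commands)


if __name__ == "__main__":
    for d in demo()[0]:
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict:5} from {d.source}: {'; '.join(d.reasons) or 'no violations'}")
```

The gate judges only the predicted consequence, never the issuer, which is what lets the same check stop a mistyped operator command, a compromised engineering workstation and an external actor alike. A real deployment would replace the even-split flow model with the utility's own power-flow study and the constructed pickup band with the protection engineer's settings.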
Mr. Ratcliffe. Thanks, Ms. Hoffman.
I now recognize myself for 5 minutes of questions.
Ms. Manfra, I want to start with you. You mentioned
Einstein and CDM in your testimony and the role that they play
in securing Federal networks. So I want to give you an
opportunity to provide some public clarity on the
implementation of CDM specifically.
So can you give us some idea of how many departments and
agencies have fully implemented CDM phase one and how many
agency dashboards are up and running? Is the DHS dashboard up
and running? Give us some perspective on that.
Ms. Manfra. Yes, sir. Thank you for the question. We are in
the process of deploying both phase one and phase two. Phase
one being focused on hardware software asset management, sort-
of identifying what is on the networks internal to the
agencies, and phase two looking at who is on the network. So
dealing with issues like access and identity management.
We can get back to you with the specific numbers of agency
deployment. They are all in various stages of deployment. We
have made it available to all agencies, but each individual
agency is in different stages of deploying.
We are nearing 20 agencies that have an agency dashboard up
and running. This month the Department of Homeland Security
will be standing up the Federal dashboard, so that we will be
receiving feeds from those agency dashboards.
That will then allow us to have more near-real-time
understanding of what those sensors are identifying on those
agency networks and allow us to better prioritize vulnerability
management for our agencies.
Mr. Ratcliffe. Terrific. Thanks. So one of the other points
I wanted to cover today was, last week the GAO came out with a
fairly critical report on the current state of Federal
cybersecurity.
One of the most, would appear to be, at least, troubling
aspects of that was a statistic that said only 7 of the 24 CFO
Act agencies have programs with any functions considered
effective per the NIST standards for cybersecurity control. So
that doesn't sound very good.
I want to give either you, Mr. Krebs, or you, Ms. Manfra,
the opportunity to, you know, as we talk about the
cybersecurity posture of the dot.gov reconcile that with that
GAO report.
Ms. Manfra. Sir, I think that we have learned a lot over
the years about agency capacity to manage cybersecurity risks
and the resources they have to do so. I can say that agencies
have prioritized the management of their cyber risk at their
highest level across the Government.
What we have learned in both the deployment of CDM, our
engagement and partnership with OMB in measuring agencies is
that there remain some significant gaps.
We have built over the last couple years and are continuing
to build technical assistance capabilities, things like
design and engineering, architecture reviews, helping agencies
getting much more in-depth insight into their networks and
providing them with a greater level of assistance, both
engineering and on the governance side to help them address
their often very complicated networks with the limited
resources we have.
But we do see a lot of potential for CDM in the ability to
deliver tools at a lower cost across agencies and this is the
first time that many agencies have had access to this level of
automated data to understand what is on their network.
So we see a lot of potential for this, but for many
agencies there is a lot of capability that has to be built. We
are continuing to take advantage of things like shared service,
more capability from DHS to deploy to agencies who need it
most.
Mr. Ratcliffe. So your comment about shared services and
resources, I want to follow up on that a bit because I think it
is important to look where we are but also look to where we are
going.
So looking forward a bit, how do you see DHS's Federal
network protection tools evolving past, say, signature-based
threat detection tools and particularly where my conversations
with the administration and the cybersecurity advisors to the
President, really putting an emphasis on cloud computing and
shared I.T. services and resources?
So I guess, in a sense, what is Einstein future
generations--Einstein 10.0 look like?
Ms. Manfra. Well, sir, I am not exactly sure what Einstein
10.0 will look like yet, but I can tell you where we are
looking to evolve. As agencies, and the President's key
initiative around modernizing our I.T. and that is not just the
technology.
There are large challenges with legacy technology, but we
also need to modernize the way we govern and procure I.T.
services within the Government. As we do that we are working
very closely to modernize our security processes.
So as we take advantage of things like cloud services we
ensure that we are modernizing our security approach, but also
not losing the insight that we have into traffic, either
traversing internal networks or in and out of agency networks.
Importantly we have learned on CDM some key lessons from
the first phases of deployment. We now have a new contract
vehicle in place that will enable the deployment of cloud and
mobile security technologies in addition to the on-premise
sensing capability that we have right now.
So we are evolving. We are building on what industry is
learning from behavioral-based detection methods, and we have
had some successful pilots. We look forward to continuing to
build that capability.
Mr. Ratcliffe. Terrific. Thanks very much. My time has
expired.
The Chair now recognizes Mr. Richmond for his questions.
Mr. Richmond. Ms. Manfra or Mr. Krebs, either one, you all
know that I authored legislation that called for a Department-
wide cybersecurity strategy within DHS. That strategy and
report was due in March. We still don't have it.
So what is the status of it; if you are running into
problems in getting it done, what are those problems? How can
we help?
Mr. Krebs. Sir, thank you for the question. The Office of
Policy has the pen, so to speak, for drafting the Department
cybersecurity strategy. It rolls in components across the
Department, between the Secret Service, ICE, Homeland Security
Investigations, the U.S. Coast Guard, Transportation and
Security Administration, as well as NPPD.
So while we don't necessarily lead the development of that
strategy because it is a Department-wide strategy, we are a
significant player.
Now, to speak to the status of the strategy itself, my
understanding of where it sits is influenced by the President's
Executive Order 13800 that was released back earlier in the
spring.
Now that report puts DHS at the front or in the lead for
almost all of the reports, particularly in the first two and
the fourth work streams: Federal networks, critical
infrastructure, and cyber work force. So while those reports and
assessments are under way, they are anticipated to have
significant impacts on some of the priorities perhaps of the
Department, including NPPD.
So I believe the decision on finalizing the strategy has
been to let's get through the cybersecurity assessments related
to the E.O., as well as the administration's anticipated
National security strategy and National cybersecurity strategy
that are expected in the next several months.
Then, when we have a broader understanding of where the
Department is going, that will then feed into the cybersecurity
strategy.
That said, rolling it all back to the requirement in the
NDAA--that you offered--it still is a priority to finalize that
report. That said, as a Department, we are moving forward with
a number of our priorities.
I do want to touch on a couple things you mentioned early.
As the senior official performing the duties of the under
secretary, while we do not have a permanent under secretary for
NPPD, I have been authorized and given the very clear direction
by acting Secretary Duke to move out and execute every aspect
of NPPD.
So while we do not have a permanent under secretary right
now, I have all authority that I believe I need to execute the
Department's mission within NPPD.
Mr. Richmond. With regards to a strategy, and we talk about
in terms of report, let me just take that aside.
Mr. Krebs. Yes, sir.
Mr. Richmond. Do we have a Department-wide strategy with
how we deal with cybersecurity and our needs and challenges
that we are going to continue to face in the near future?
Mr. Krebs. Sir, my understanding is that there is a
Department-wide cybersecurity strategy in draft form, yes, sir.
Mr. Richmond. So and again with--I don't want to get into
the weeds. I am just saying are you all operating with some
comprehensive strategy----
Mr. Krebs. Yes.
Mr. Richmond [continuing]. On a day-to-day basis to protect
the cybersecurity?
Mr. Krebs. I understand, yes, sir. So going back to my
opening remarks, I indicated that NPPD is in the lead for
ensuring the Nation's critical infrastructure, both
cybersecurity and physical threats, and under that are three
goals.
I mentioned the top goal, which is securing our Federal
networks and facilities. For me and with Assistant Secretary
Manfra, that is at the very top of our minds every, single day.
The second piece is identifying and mitigating systemic
risk across the infrastructure, the Nation's infrastructure.
When I think about that, I am thinking about the Section 9,
critical infrastructure at greatest risk, but I am also putting
election infrastructure in there.
As I mentioned in my opening comments, that, for me, is the
No. 1 priority for NPPD from a critical infrastructure
perspective. We cannot fail there.
Third and finally, is enabling and incentivizing better
security practices across the broader critical infrastructure
community to include State, local, small, and medium-sized
businesses.
Mr. Richmond. Ms. Hoffman, there has been a great deal of
concern among National security experts that Russia's goal in
disrupting the Ukraine's power supply in 2015 and 2016 was to
test its capabilities in preparation for a large attack on the
United States.
Last month we learned that Russia may have been responsible
for Dragonfly 2.0, which exploited and targeted some of our
energy sector. How is the energy sector responding and what is
their capabilities to prevent a wide-spread attack?
With that, I yield back.
Ms. Hoffman. Thank you, Congressman, for the question. The
Ukraine attack was very much an eye-opening event for the
energy sector. The energy sector, specifically the electric
sector, got very organized in recognizing that we had to
continue to step up our continuous monitoring capabilities, our
ability to detect behavior on the system, but also building
inherent protections as we develop new technologies.
Recognize that the core of anything is protecting against
spear-phishing and passwords and credentials and that starting to
really go after where do we need to be with respect to
preventing an attack from occurring on the system. So we have
been working very actively with the electric sector to build
some tools and capabilities and for protections of their
system.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
New York, Mr. Donovan for 5 minutes.
Mr. Donovan. Thank you, Mr. Chairman. I would just like to
ask one question of all of you. In 2015, Congress passed the
Cybersecurity Act of 2015. In 2017, the committee passed the
Cyber and Infrastructure Security Agency Act, and the President
also issued an Executive Order back in May to strengthen our
abilities.
What do you guys need? What can Congress do to help you
protect our Nation, our Federal agencies, our private entities,
as Mr. Richmond said, our energy industries? What do you guys
need from us to help you protect our Nation better than we are
able to do now?
Mr. Krebs. Sir, thank you for the question. The very first
thing I would start with is, as you mentioned, the
Cybersecurity and Infrastructure Security Agency Act in 2017.
Passing out of the full committee was a significant step
forward. What we need, as I mentioned in my opening comments,
is quick action by the full House and the Senate. Let me give
you a little anecdote about why that is important. That bill
will give us three things.
One, it will allow us to introduce some operational
efficiencies, looking at common infrastructure across the
organization, push them together so that we are more
streamlined in how we engage and deliver services from a
customer service orientation.
Second, it will help with our branding and clarify roles
and responsibilities not just within NPPD, but more
importantly, with our Federal partners, State and local
partners, and the private sector. I want to come back to that
in just a second.
Finally what that is going to do is give us the ability to
attract talent. We have talked a little bit about work force,
we talked about hiring, and we talked about partnership. But on
that clarity of roles and responsibilities, let me talk about
that for just a second.
I have been down to Puerto Rico twice in the last week. I
was there last Monday with Administrator Long and the
President's Homeland Security Advisor Tom Bossert, and then I
was there last Friday with Acting Secretary Duke.
On Friday, meeting with Acting Secretary Duke, Governor
Rossello and his key staff, we were discussing a number of the
critical infrastructure challenges in Puerto Rico.
When it came around to me, I talked about communications
infrastructures. As you all know, the National Communication
Center resides within the Office of Cybersecurity and
Communication, Assistant Secretary Manfra's organization.
Now when we talked about the status of things, what I was
talking about was how we are assisting the communications
carriers, whether it is AT&T, Sprint, Claro, T-Mobile, Verizon,
helping them get back in, prioritize deliveries of temporary
capabilities, this cell on wheels, cell on light trucks, things
like that, to helping temporarily pop up the communications
coverage, but at the same time helping them get resources in
for cell towers.
Now as I briefed out where we were on helping those
companies get resources back in, I introduced myself as the
senior official performing the duties of the under secretary
for the National Protection and Programs Directorate. Now, try
repeating that back. It is not easy.
So someone that has never heard that before, immediately
went on to a press interview and alongside the TSA
administrator, vice commandant of the Coast Guard, the
secretary of Homeland Security, the FEMA regional
administrator, she said, ``We at FEMA, TSA, Coast Guard, and
the COMS guy.'' She didn't know how to describe me.
When I am out engaging my stakeholders, they don't
understand the mission I deliver. I need help in clarifying
that and providing very front, up front clear what I do and
what my team delivers. That is a significant advancement. So
any help I can get there, please, help me out.
But more broadly though, in terms of additional authorities
and clarification of authorities, we are in the process of
running that kind of stocktaking of where the Department sits
in cybersecurity.
Department of Energy in the FAST Act got significant
authorities that could come to bear in the event of a grid
incident. DHS has authorities in terms of incident response,
information sharing. Thank you for those authorities.
Going forward, we are not quite sure just yet what we need,
but I am going to tell you this. The cybersecurity threat is
not going away. Our adversaries are getting better, they are
getting faster, they are getting more agile.
We need to be resourced, we need to be staffed, we need to
be positioned to respond to that, because I also know one more
thing. We are not going to use less technology going forward.
As you indicated earlier, we are going to the cloud. We are
going to shared services. We are going to be relying upon these
cross-cutting technology capabilities in the information
technology sector. We need to ensure that from a digital
defense perspective, we have what we need.
So we welcome that conversation, and you can believe that
you will see me again and we are going to be talking about
that.
Mr. Donovan. Ms. Manfra, I have 2 seconds left in my--would
you contribute, please?
Ms. Manfra. Yes, sir. Very briefly just to complement what
Chris talked about, we are working within the Federal
Government to understand what is the full breadth of our
authorities? How can we lean into the existing authorities that
they have to deploy more capability?
With the critical infrastructure sectors, we are working to
understand now that we have identified these most critical
assets at greatest risk, are there legal and operational and
policy hurdles that we need to address in order to ensure that
we have appropriate prevention and response and recovery
capabilities in place? So we look forward to working with you
as we conclude these analyses.
Mr. Donovan. Please don't wait until another hearing. Let
us know how we can help you.
Ms. Manfra. Absolutely, sir.
Mr. Donovan. Mr. Chairman, I yield back the time I don't
have left.
Mr. Ratcliffe. Thank the gentleman.
The Chair recognizes the gentleman from Mississippi, Mr.
Thompson.
Mr. Thompson. Thank you, Mr. Chairman. The last two
speakers have talked about being resourced and staffed from an
agency standpoint. Last March we held a hearing talking about
staffing at the Department. Can you give us the number of
unfilled positions in the cyber division right now?
Ms. Manfra. Sir, we are currently staffed at 76 percent of
our fully-funded billet.
Mr. Thompson. So we are 24 percent under. Can you tell us
why we are understaffed at this point?
Ms. Manfra. Yes, sir. There are a variety of reasons. The
first, largely thanks to the work in this committee and our
appropriations staff in Congress in building the billets that
are allocated to my organization, we have grown significantly.
We have worked very hard to build according to that growth in
billets, but we have had some challenges.
We have worked with our management, colleagues, and our
human capital colleagues to identify areas where we can reduce
the time to hire. I can say that looking at the statistics from
fiscal year 2016 hiring to fiscal year 2017 hiring, we have
been able to reduce the time to hire by 10 percent.
Many of these requirements have to do with security
clearances. It does take a long time to process people through
that security clearance process, but we have made significant
progress. We are continuing to work with our security office to
identify ways that we can continue to shorten that.
We are also diversifying our recruitment path, looking at
the scholarship for service. The CyberCorps program has been a
great pipeline for us to bring to--after we, the Government has
funded scholarships, bringing these individuals in as interns
and then hiring them full-time.
They are already fully qualified for our direct hire
authority. Looking at other programs such as Pathways,
Presidential Management Fellows and other recent graduate
programs. We are also looking at partnerships with industry
where they can----
Mr. Thompson. I don't mean to cut you off, but----
Ms. Manfra. Yes, sir.
Mr. Thompson [continuing]. So is the problem we have too
many programs to attach people to? Or I am just trying to find
out why when we give you the authority to hire, why we have not
been able to come closer to whatever that authority is. Is
there something----
Ms. Manfra. I see, sir.
Mr. Thompson [continuing]. We need to do to get you to that
point?
Ms. Manfra. Sir, I separate the authority that we were
given by Congress to build an excepted service program. What I
was referring to was I did not believe a couple of years ago we
were fully leveraging the authorities we already had and the
programs that we already had to bring people in and tightening
the time line that it takes to bring people on.
The excepted service program is led by our chief human
capital officer, who I know this is a high priority for her. We
did not probably appropriately expedite the development of that
program 4 years ago. We have now done so.
My understanding is that we will now be able to hire
against that program beginning in fiscal year 2019, but there
is a regulatory process that we do have to undergo as a part of
that.
Mr. Thompson. Just for the sake of the committee, can you
provide us with a time line between when somebody who is
considered for employment and when that is completed? Is it--
just get back to us.
Ms. Manfra. Yes, sir.
Mr. Thompson. Was it 3 months, 6 months, a year? I think
that would be instructive for us so we can kind of see if there
are some bottlenecks involved.
Ms. Manfra. Yes, sir.
Mr. Thompson. The reason I say that, Mr. Chairman, I mean,
all of us are constantly bombarded by people looking for
employment opportunities. If we have potential opportunities
here, is it something we are not doing? Are we not going out
recruiting in a broader view or just what? But we just need
to----
Ms. Manfra. Sure.
Mr. Thompson [continuing]. Kind-of figure something out.
Ms. Manfra. Right. If I could, sir, just clarify that the
76 percent is just indicating people that are on-board right
now. If you include the people that are in the full pipeline,
that brings us about to 85 percent.
So for us, we are averaging about 224 days to hire. That
sounds long, but that is to include a Top Secret SCI clearance
process, which is actually fairly for the benchmark of the rest
of the Government, we are actually doing quite well.
We want to continue to work with you sir, though. We will
come back with you.
Mr. Thompson. Just, please get back----
Ms. Manfra. Yes, sir.
Mr. Thompson [continuing]. With us.
Mr. Krebs we have a Congressional Task Force on Election
Security, and we may request of the Department to provide us a
Classified briefing around this issue. We have been told that
it has to be bipartisan, that you can't just brief Democrats.
Are you aware of that?
Mr. Krebs. Sir, I am not aware of any existing policy, but
let me say this. I share your concern on election
infrastructure. I think I have made that clear today, and I
want to say it directly to you as well, that it is my top
priority at the Department.
Again, if we can't do this right, if we can't dedicate
every single asset we have to assisting our State and local
partners, then, frankly, you know, I am not sure what we are
doing day-to-day.
So in terms of what we have done in terms of engagements,
we are prioritizing delivery of those briefings, information
sharing to our State and local partners. We are doing it in a
bipartisan manner because my opinion is that this does
transcend party lines, and we should be doing this, all pull in
the same direction.
So going forward, I would encourage any additional
briefings. We have provided a series of bipartisan briefings to
the House Homeland Security Committee, both Classified and
Unclassified. The real crux of this issue, the underpinning
issue here, is a trusted relationship.
Now, did we have some--yes, sir----
Mr. Thompson. I appreciate it, but we have established a
working group within the Democrats on the committee, and we are
just trying to get a briefing. So I think it is nice to say I
don't want to brief you because there are no Republicans, but
we are Members of Congress. All we are trying to do is get
access to the information.
If your interest is there, I am convinced that you will
provide it. That is the spirit in which the request was made.
So we will make it again.
Mr. Krebs. Yes, sir.
Mr. Thompson. I look forward to you coming back. Just bring
us what information you have as Members of Congress, and that
is all we ask.
Mr. Krebs. Thank you.
Mr. Thompson. I yield back, Mr. Chairman.
Mr. Ratcliffe. Thank the Ranking Member.
The Chair now recognizes the gentleman from Virginia, Mr.
Garrett.
Mr. Garrett. Hit my talk button. My voice sounds better
with the microphone on. But I want to piggyback on what my
friend and colleague, Ranking Member Thompson said, and suggest
that I would agree with you that election infrastructure,
cybersecurity as it relates to partnering with States whose
responsibility it is to oversee and conduct elections is a
priority that crosses and transcends the aisle.
I would ask that any briefing that you give to Democrat
Members you also perhaps invite me to or give the exact same
briefing to Republican Members, which I think is inconsiderate
of your time given that that would be a great redundancy.
But I can't fathom why one party should be briefed on
cybersecurity as it relates to our elections in the absence of
another in the United States of America.
So if you do, in fact, and I hope you will, respond to the
Ranking Member's request to brief on electoral security as it
relates to cyber issues, please invite me, because I can't
fathom that one party has a monopoly on hoping that we can have
free and fair and trustworthy elections.
I am sure that my colleague didn't mean it that way, but I
just want to be very clear in suggesting that that should not
be a partisan issue and that perhaps maybe people from both
parties should be invited. Or we can just make you give the
same briefing twice which, again, I think is inconsiderate and
shortsighted.
Having said that, transitioning to what we know as it
relates to malicious Russian cyber activity, specifically with
relation to Estonia and the Ukraine, based on my understanding,
the bulk of the platforms used to infiltrate infrastructure--I
say, platforms--malware, it would appear, based on my ability
to speak in this forum, were off the shelf, if you will, Kill
This, for example, Black Energy were known entities that were
discovered as it relates to these attacks as part of a
coordinated attack. How well do we stay ahead or try to stay
on-line with it?
I understand that it is a moving target, the malware that
might be implemented because to the extent that there is any
hope, and again, I understand the format that we are in might
limit the conversation that we have, a lot of the malicious
activity to this point conducted we presume and data would
indicate by the Russians has used off-the-shelf technology.
So I guess the question there is how quickly can we pick up
on the advancements in malware and then sort-of inculcate them
into our preventative measures? That is wide open to whichever
one of you wonderful folks would like to address it.
Mr. Krebs. Thank you, sir. So if I may, I will start and
provide a bit of a broader approach and then defer to my expert
colleague from the Department of Energy on anything specific to
the grid and electricity.
Mr. Garrett. I am subject to a time limit, so, I apologize
but----
Mr. Krebs. So I will do this quickly.
Mr. Garrett. Yes, sir.
Mr. Krebs. Generally speaking when we talk--we have already
talked about advanced persistent threat here. When we think
about threats, it is not necessarily generally speaking
advanced. It is just persistent.
Companies are--organizations are still not doing the basic
blocking and tackling. When you think about WannaCry, when you
think about NotPetya, some of those exploitations were based on
open, known vulnerabilities. They just weren't patched.
So the concept of a zero-day exploit, while it is out
there, it is not actually the primary exploit that we tend to
see in the wild.
Mr. Garrett. Sorry to interrupt you. I am a big fan of
limited government, but in this arena, because the entire
Nation hangs in the balance, not just our elections but
everything as it relates to our grid, might it not be effective
to hit the particular power providers where it counts?
That is essentially make it cost something, perhaps
metaphorically and literally, for entities that don't patch
those open known threats. That is something that would be
within the purview of the Government, right? You will be up to
date on X, Y, and Z or it will cost you. Would that be
something that has been explored?
Mr. Krebs. So my colleague, Jeanette Manfra, can speak to
the Government piece. Then----
Ms. Manfra. OK, just very briefly----
Mr. Garrett. Again, I am not trying to--you guys are great,
I just, 5 minutes.
Ms. Manfra. No problem. So very briefly, the first binding
operational directive we issued for Federal agencies was
reducing the time to patch critical vulnerabilities, as you
said, 30 days.
We have actually seen a complete cultural change as a
result of that. We are now seeing the Government highly
prioritizing patching those critical vulnerabilities. So I just
wanted to throw that out there.
Mr. Garrett. So there is a carrot and a stick, right?
Ms. Manfra. Correct, sir.
Mr. Garrett. I am guessing the stick, but the carrots--I
would rather the carrot. But I am glad to hear you say you are
addressing that. Again Mr. Hoffman, I don't mean to cut you
short. I have got 15 seconds.
I wanna speak to the nature of NERC and whether or not the
fact that it is a semiprivate autonomous pseudo-entity
compromises intelligence tactics, techniques, procedures, et
cetera.
Ms. Hoffman. So I don't think NERC as an organization
compromises any sort of intelligence. It does have the
information-sharing analysis center, which is our mechanism for
sharing information to the sector writ large. It also has
capabilities to compel and look at the industry to respond so
we can get the information we need.
Mr. Garrett. Thank you all, and I apologize for going
briefly over.
Mr. Ratcliffe. Thank the gentleman.
The Chair recognizes my friend from Rhode Island,
Congressman Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank our
witnesses for your testimony here.
Before I go into my questions, I just wanted to mention
publicly and particularly to Mr. Garrett, so I am a member of
the elections task force that certain Democrats have put
together on how to go forward and improving election security.
I would say to my colleague that there was an initial
effort in outreach to Republicans to make this a bipartisan
effort, which was not accepted. It was not--we didn't find
anyone that was receptive. But I would say this. The task force
meetings are open to the public. My colleague Mr. Garrett is
welcome to participate fully with that.
With respect to the Ranking Member's question on the
Classified briefing both on Russian interference in our
elections and how we are better securing our election systems,
that is whether it was a Democrats only or Democrats and
Republicans, I would prefer it as a Democrat and Republican
briefing.
But however we get the briefing, unless I am
misunderstanding what the Ranking Member was asking, we just
want the briefing. So we have asked that you provide that to
us.
Mr. Krebs. Yes, sir. Thank you. I do believe we have
provided a Classified briefing in the past and welcome the full
committee briefing and the subcommittee briefing on that as
well. Yes, sir.
Mr. Langevin. So the other thing I wanted to mention that,
Mr. Krebs, I appreciate your comments, that you have all the
authorities in your acting role to do the job necessary in
cyber. But I would reiterate that it is vitally important that
we get key people appointed and in place permanently.
I respect the work that you are doing and your team, but we
need permanent people in place. It both inspires confidence and
clarity to what the mission is.
So let me get into my questions very quickly. I am gonna
try to go through them. For the ones you can't answer fully
because of time constraints, I would request a follow-up in
writing.
So on September 13, DHS issued a binding operational
directive, 1701, which directed Federal Executive branch
departments and agencies to remove Kaspersky products from
their systems within the next 90 days.
In doing so, DHS for the first time issued a public
statement to coincide with the establishment of the directive
and which I would like to commend the Department for this added
transparency. I thought that was important.
My question is: What analysis led to the removal of
Kaspersky from Federal networks? This is the case--I understand
that this answer may be Classified, in which case I would
request it that you and your team provide briefing to Members
on the deliberations behind it. I think that is something
vitally important that this committee, both sides of the aisle,
understand what went into that.
Next Mr. Krebs, the SEC was breached in late 2016. We now
know that the attackers had access to corporate filings prior
to their public release. The announcement of this breach was
made nearly a year after it was first discovered.
My question was: When was DHS informed of the breach? What
was DHS's involvement in detecting, responding, and recovering
from this attack?
Finally, how could DHS improve its integration with Federal
agencies to ensure these types of attacks are detected and
notified quicker in the future?
Mr. Krebs. Thank you, Congressman Langevin. Let me briefly
touch on the Kaspersky piece, and then I will kick it over to
Assistant Secretary Manfra. So on Kaspersky, that determination
was based on the totality of evidence including by, on the most
part open-source information.
In terms of a Classified briefing, I believe we are on the
schedule for some point in the next month or so with the full
committee, the monthly intel briefing. So with that, if I may,
I would like to turn it over to Assistant Secretary Manfra.
Mr. Langevin. Thank you. I would appreciate it. Thank you.
Ms. Manfra. Sir, welcome to support a briefing on
Kaspersky. As far as the SEC, we are also happy to come in and
have a more fulsome conversation with you about that. They did
notify us last year on November 4 of an issue.
It was, at the time, the extent of the issue was not well-
understood and given the time limits here, I think it might be
more useful if we sat down with you and other staff members as
appropriate to walk through specific details.
Mr. Langevin. OK. What do you think--what was the DHS
involvement, though, in detecting and responding to the
recovery though?
Ms. Manfra. Sir, we have very limited involvement with the
SEC. They did not request our follow-on assistance for a
response.
Mr. Langevin. OK. On the issue of how they can work better
in the future?
Ms. Manfra. Sir, in addition to this incident, as well as
several others, we are reviewing our procedures to ensure that
it is clear that when an incident happens, what role that the
Department needs to play in a response, not just at the request
of an agency.
That if we are looking at specific critical services and
functions then the Department needs to have a more active role
in that response, regardless of whether the agency requests it.
Mr. Langevin. Thank you. In August, Congressman Will Hurd
and I traveled to DefCon as a bipartisan trip to that security
conference. I think we both were impressed by the willingness
of security researchers to report vulnerabilities in order to
improve overall internet security.
What efforts has the Department made to establish a
vulnerability reporting process for DHS sites and software?
Again, one of the things that I found with sort-of the
Pentagon's bug bounty program was very helpful in identifying
security vulnerabilities and getting the attention of the right
individuals to close those vulnerabilities.
In talking to security researchers, one of the things that
impressed me the most is that they just want to make the
internet work better. But they wanna know that when they find a
vulnerability, there is a path forward that they can report it
and that someone is actually gonna do something about it and
they are actually gonna be heard.
So what progress has DHS made in this respect?
Ms. Manfra. Sir, we actually have a very long-standing
program on both operational technology vulnerabilities, so
industrial control systems as well as enterprise technologies.
We have been working with security researchers in both
communities for years to provide them a space for them to
identify that vulnerability and also to advocate with the owner
of that software for a patch. Much of the alerts that we issue
are the result of collaboration with security researchers.
We also have our own organization within my group that
conducts penetration testing and risk and vulnerabilities
assessments across the Government to include DHS networks.
So while bug bounty programs can be useful, we need to
ensure that they are supplemented with a broader risk and
vulnerability analysis and testing that my organization does to
ensure organizations are appropriately prioritizing what they
are addressing.
Mr. Langevin. OK. What about DHS's specifically-owned
systems?
Ms. Manfra. My organization also supports penetration
testing and vulnerability assessments within the DHS,
particularly the high-value assets that DHS owns.
But I do know that our leadership and the management is
interested in learning from what the Department of Defense has
done in their bug bounty program and how that might apply to
DHS. So we are continuing to work through how that might be
applied for our organization.
Mr. Langevin. Mr. Chairman, I had one more on election
security. Can I ask that? Thank you.
So I know we have touched on this a bit, but for the record
I really wanted to dive a little deeper into this. So I am very
interested, obviously, in ensuring that State and local
election officials have access to resources from DHS to protect
the vital systems that represent the cornerstone of our
democracy.
So can you further describe how DHS is working with
election officials to protect networks? Do you believe that
DHS's response to the unprecedented appearance in our elections
last year really has been sufficient?
Finally, how can we improve the relationship and access to
resources? Are there additional funds or resources that the
Department needs in this respect?
Mr. Krebs. So thank you for those questions. Let me start
at the end with your improving relationships. While I was not
at the Department last summer as this all manifested, I can
speak to generally the relationships with State election
officials.
That was not an existing relationship between the
Department of Homeland Security in the State and locals.
However, we do have strong relationships, of course, with the
Homeland Security advisors and the chief information officers
and chief information security officers.
But to square the circle on this specific threat, we need
to develop partnerships that are, you know, three or four legs
on the stool within each specific State. Each State is going to
be a little bit different in terms of how, you know, who they
designate as the chief election official, as well as you roll
in the vendors of technology.
So in terms of how to improve relationships, it is gonna
take a lot of effort and a little bit of time. Those are things
that we are working on right now. We don't have much time, but
we are dedicating resources.
In fact, just this morning I sent out a notice across my
organization, NPPD, reflecting some changes we made
organizationally last week by establishing an election task
force.
Previously, the election infrastructure piece had been held
within the Office of Infrastructure Protection as a program.
Again, matching my words with our execution, we are
elevating it as a task force, bringing components or pieces
from across the DHS components, including the Office of
Intelligence Analysis and resourcing it appropriately.
This is speaking to a lot of resources. We are pulling the
resources together in recognition that we don't have a lot of
time, given there are three elections this year.
Mr. Langevin. The number of FTEs and money that is
actually committed to this?
Mr. Krebs. I don't have the FTEs on hand right now. But I
can get back to you on that one. I believe Miss Manfra has
them.
Mr. Langevin. The funds as well, specifically?
Ms. Manfra. Yes. If I could just make one additional point
on the resources, Ranking Member Richmond noted that his
understanding was that there was a 9-month wait for risk and
vulnerability assessments. I don't know whether that is the
exact current number.
But that speaks to the high demand that we are experiencing
for our assessment services. That is everything from
penetration testing to the cyber hygiene scans that multiple
States and localities have participated and continue to
participate in, as well as these more in-depth risk and
vulnerability assessments.
We are growing that program. We are diverting resources. We
are building infrastructure so that we can more scale that. But
these are services that we are providing not just to Federal
agencies, but also to State and local governments, as well as
critical infrastructure. We are experiencing much more demand
for those services, and we are continuing to look for ways to
scale that capability.
Mr. Langevin. Thank you. Thank you for your answers. Again,
if there are follow-ups that you can provide to give us in
writing or in briefings, I appreciate that.
Mr. Chairman, thank you for your indulgence.
Mr. Ratcliffe. You are welcome. The gentleman yields back.
I wanna thank all three of our witnesses today for your
valuable and insightful testimony. I thank all the Members for
their questions today. The Members of the committee do have
some additional questions for witnesses, and we will ask you to
respond to those in writing.
Pursuant to committee rule VII(D), the hearing record will
be held open for a period of 10 days. Without objection, the
subcommittee stands adjourned.
[Whereupon, at 11:28 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman Michael T. McCaul for Christopher Krebs
Question 1a. What is DHS doing and what more is planned for the
future to assist in and refine the process of providing clearances for
those in the private sector?
Answer. Response was not received at the time of publication.
Question 1b. Has there been talk of allowing for more clearances if
the private sector were willing to pay for each additional clearance
for individuals who qualify via the current standards?
Answer. Response was not received at the time of publication.
Question 1c. There also seem to be issues in clearing secure
facilities. Is the Department making the appropriate relevant
information available to the private sector on what the qualifications
are for obtaining a cleared facility?
Answer. Response was not received at the time of publication.
Question 2a. When it comes to information sharing, DHS has a
variety of programs from CISCP, to AIS, to the individual agreements
with the Information Sharing and Analysis Centers. How is DHS
incorporating stakeholder feedback to understand what information is
most useful and actionable for companies?
Answer. Response was not received at the time of publication.
Question 2b. What are the greatest challenges faced by the
information-sharing programs?
Answer. Response was not received at the time of publication.
Question 2c. Has there been any operational change to the amount,
type, or context around the cyber threat information shared to address
these challenges?
Answer. Response was not received at the time of publication.
Question 3. The protection of Federal networks was a large element
of the President's cyber Executive Order (EO). As DHS is currently
implementing the Continuous Diagnostics and Mitigation (CDM) program to
protect Federal networks, what is the role of CDM in executing the EO?
Answer. Response was not received at the time of publication.
Questions From Chairman John Ratcliffe for Christopher Krebs
Question 1. In 2014, DHS was provided authority to establish
excepted service positions relating to cybersecurity; what is the time
line for implementation and operationalization of this authority?
Answer. Response was not received at the time of publication.
Question 2a. In 2015, Congress passed important legislation
authorizing the Automated Indicator Sharing program, or AIS. Is AIS
currently meeting the benchmarks that have been laid out for the
program?
Answer. Response was not received at the time of publication.
Question 2b. What are the reasons for the successes DHS has had
with AIS and what are some impediments that the program is currently
facing?
Answer. Response was not received at the time of publication.
Question 2c. What are the latest benchmarks that DHS has set for
AIS and what can we in Congress do to support these efforts?
Answer. Response was not received at the time of publication.
Question 3. There seems to be a consensus that in order to keep
pace with the threats our networks face, collaboration between the
public and private sector will need to be strengthened. How do you see
engagement and collaboration with the private sector changing?
Answer. Response was not received at the time of publication.
Question 4. As part of the cyber Executive Order, the DHS Secretary
will be reviewing the capabilities and resources that can be and
currently are being offered to designated companies within the most
critical of critical infrastructure sectors (Section 9 companies).
Please provide a general overview of what is currently offered. Do you
expect any additional capabilities to be developed or implemented by
DHS for companies designated as ``Section 9'' in response to this
review?
Answer. Response was not received at the time of publication.
Questions From Chairman Michael T. McCaul for Jeanette Manfra
Question 1a. What is DHS doing and what more is planned for the
future to assist in and refine the process of providing clearances for
those in the private sector?
Answer. Response was not received at the time of publication.
Question 1b. Has there been talk of allowing for more clearances if
the private sector were willing to pay for each additional clearance
for individuals who qualify via the current standards?
Answer. Response was not received at the time of publication.
Question 1c. There also seem to be issues in clearing secure
facilities. Is the Department making the appropriate relevant
information available to the private sector on what the qualifications
are for obtaining a cleared facility?
Answer. Response was not received at the time of publication.
Question 2a. When it comes to information sharing, DHS has a
variety of programs from CISCP, to AIS, to the individual agreements
with the Information Sharing and Analysis Centers. How is DHS
incorporating stakeholder feedback to understand what information is
most useful and actionable for companies?
Answer. Response was not received at the time of publication.
Question 2b. What are the greatest challenges faced by the
information-sharing programs?
Answer. Response was not received at the time of publication.
Question 2c. Has there been any operational change to the amount,
type, or context around the cyber threat information shared to address
these challenges?
Answer. Response was not received at the time of publication.
Question 3. The protection of Federal networks was a large element
of the President's cyber Executive Order (EO). As DHS is currently
implementing the Continuous Diagnostics and Mitigation (CDM) program to
protect Federal networks, what is the role of CDM in executing the EO?
Answer. Response was not received at the time of publication.
Questions From Chairman John Ratcliffe for Jeanette Manfra
Question 1. In 2014, DHS was provided authority to establish
excepted service positions relating to cybersecurity; what is the time
line for implementation and operationalization of this authority?
Answer. Response was not received at the time of publication.
Question 2a. In 2015, Congress passed important legislation
authorizing the Automated Indicator Sharing program, or AIS. Is AIS
currently meeting the benchmarks that have been laid out for the
program?
Answer. Response was not received at the time of publication.
Question 2b. What are the reasons for the successes DHS has had
with AIS and what are some impediments that the program is currently
facing?
Answer. Response was not received at the time of publication.
Question 2c. What are the latest benchmarks that DHS has set for
AIS and what can we in Congress do to support these efforts?
Answer. Response was not received at the time of publication.
Question 3. There seems to be a consensus that in order to keep
pace with the threats our networks face, collaboration between the
public and private sector will need to be strengthened. How do you see
engagement and collaboration with the private sector changing?
Answer. Response was not received at the time of publication.
Question 4. As part of the cyber Executive Order, the DHS Secretary
will be reviewing the capabilities and resources that can be and
currently are being offered to designated companies within the most
critical of critical infrastructure sectors (Section 9 companies).
Please provide a general overview of what is currently offered. Do you
expect any additional capabilities to be developed or implemented by
DHS for companies designated as ``Section 9'' in response to this
review?
Answer. Response was not received at the time of publication.