[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
RESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE
FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY
DIRECTORATE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
MARCH 11, 2020
__________
Serial No. 116-68
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
42-345 PDF WASHINGTON : 2021
--------------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas Mike Rogers, Alabama
James R. Langevin, Rhode Island Peter T. King, New York
Cedric L. Richmond, Louisiana Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey John Katko, New York
Kathleen M. Rice, New York Mark Walker, North Carolina
J. Luis Correa, California Clay Higgins, Louisiana
Xochitl Torres Small, New Mexico Debbie Lesko, Arizona
Max Rose, New York Mark Green, Tennessee
Lauren Underwood, Illinois John Joyce, Pennsylvania
Elissa Slotkin, Michigan Dan Crenshaw, Texas
Emanuel Cleaver, Missouri Michael Guest, Mississippi
Al Green, Texas Dan Bishop, North Carolina
Yvette D. Clarke, New York Jefferson Van Drew, Texas
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
Hope Goins, Staff Director
Chris Vieson, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Cedric L. Richmond, Louisiana, Chairman
Sheila Jackson Lee, Texas John Katko, New York, Ranking
James R. Langevin, Rhode Island Member
Kathleen M. Rice, New York Mark Walker, North Carolina
Lauren Underwood, Illinois Mark Green, Tennessee
Elissa Slotkin, Michigan John Joyce, Pennsylvania
Bennie G. Thompson, Mississippi (ex Mike Rogers, Alabama (ex officio)
officio)
Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable John Katko, a Representative in Congress From the
State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 3
Prepared Statement............................................. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Prepared Statement............................................. 6
The Honorable Mike Rogers, a Representative in Congress From the
State of Alabama, and Ranking Member, Committee on Homeland
Security:
Oral Statement................................................. 5
Prepared Statement............................................. 6
Witnesses
Mr. Christopher C. Krebs, Director, Cybersecurity and
Infrastructure Security Agency, U.S. Department of Homeland
Security:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Mr. Andre Hentz, Acting Deputy Under Secretary for Science and
Technology, U.S. Department of Homeland Security:
Oral Statement................................................. 13
Mr. William Bryan, Senior Official Performing the Duties of the
Under Secretary for Science and Technology Directorate, Science
and Technology Directorate, U.S. Department of Homeland
Security:
Prepared Statement............................................. 14
Appendix
Questions From Hon. Sheila Jackson Lee for Christopher C. Krebs.. 35
RESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE
FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY
DIRECTORATE
----------
Wednesday, March 11, 2020
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 11:05 a.m., in
room 310, Cannon House Office Building, Hon. Cedric L. Richmond
[Chairman of the subcommittee] presiding.
Present: Representatives Richmond, Thompson, Jackson Lee,
Langevin, Rice, Underwood, Slotkin; Katko, Rogers, Walker,
Green, and Joyce.
Mr. Richmond. Good morning. I would like to thank Director
Krebs and Acting Deputy Under Secretary Hentz to discuss the
fiscal year 2021 budget priorities for the Cybersecurity and
Infrastructure Security Agency, CISA, and the Science and
Technology Directorate, S&T.
Before I begin I would like to commend my colleague,
Congressman Jim Langevin, for his work on the Cyberspace
Solarium Commission.
The Solarium Commission's final report will be formally
released hours from now, and I look forward to working with you
and Chairman Thompson to codify important recommendations aimed
at empowering CISA and better securing our elections.
I understand Director Krebs was very engaged in the
cyberspace solarium. Toward that end, I will be interested in
knowing if the fiscal year 2021 budget request from CISA is
sufficient to implement the recommendations aimed at increasing
CISA's capacity and, if not, what additional resources will be
necessary.
At the outset I want to debunk the myth that the Federal
agencies can do more with less. I support eliminating waste and
increasing efficiency, but the fact is that with more you can
do more.
Technology is evolving and creating opportunities for our
adversaries to hack critical infrastructure, disrupt our
elections, and hold State and local government networks
hostage. CISA must be equipped to be an effective Federal
partner and S&T must be positioned to develop and identify
technology to strengthen our defenses.
The President's fiscal year 2021 budget fails to do either
of those important components. Last year committee Democrats
led a bipartisan letter to appropriators seeking additional
funding for CISA's cybersecurity mission. Together we succeeded
in increasing CISA's cyber budget by $350 million, accelerating
efforts to secure Federal networks, and ramping up CISA's
threat analysis and response capabilities for private-sector
critical infrastructure owners and operators and State and
local governments.
Despite bipartisan support for an increase in CISA's
cybersecurity budget, the President's budget cuts it by over
$150 million. I don't understand how a cut of that magnitude
makes communities trying to defend themselves against
ransomware attacks, Federal networks, or critical lifeline
services, from power to communications, any more secure.
Director Krebs, you know your mission. I want to know what
resources you need to do it.
I would also like to express my concern about the
administration's decision to eliminate the CFATS program. To
the best of my knowledge, there is no intelligence that
suggests that the security risk to chemical facilities has
diminished. There is no evidence that a voluntary security
framework will yield the same security results as a regulatory
program. You can be certain that members of this committee will
not allow CFATS to expire.
I am also concerned about the administration's continued
efforts to cut S&T. Last fall this committee held a hearing
exploring the security threats posed by emerging technologies.
Despite ample evidence that U.S. investment in research and
development is lacking, this budget cuts research and
development for cybersecurity, as well as important university
programs and centers of excellence. We cannot afford to
continue to defer investments in R&D, and I will work hard to
restore funding.
Before I close, I want to make clear my expectation that
Members of this committee will receive accurate, candid
intelligence about threats to our elections. Last month the
intelligence community's assessment of whether the Russian
Government's influence activities were intended to advance the
President's re-election appeared to change overnight, because
the President did not like the intelligence. As Members of
Congress, we must have the information necessary to understand
the threat and ensure you have budget and resources you need to
defend against sophisticated cyber threats.
With that, I thank the witnesses for being here, and I
yield back the balance of my time.
[The statement of Chairman Richmond follows:]
Statement of Chairman Cedric L. Richmond
March 11, 2020
The Solarium Commission's final report will be formally released
hours from now, and I look forward to working with you and Chairman
Thompson to codify important recommendations aimed at empowering CISA
and better securing our elections. I understand Director Krebs was very
engaged in the Cyberspace Solarium.
Toward that end, I will be interested in knowing if the fiscal year
2021 budget request for CISA is sufficient to implement the
recommendations aimed at increasing CISA's capacity and, if not, what
additional resources will be necessary. At the outset, I want to debunk
the myth that Federal agencies can do more with less. I support
eliminating waste and increasing efficiency, but the fact is that with
more you can do more.
Technology is evolving and creating opportunities for our
adversaries to hack critical infrastructure, disrupt our elections, and
hold State and local government networks hostage. CISA must be equipped
to be an effective Federal partner and S&T must be positioned to
develop and identify technology to strengthen our defenses. The
President's fiscal year 2021 budget does fails both of these important
components.
Last year, Committee Democrats led a bipartisan letter to
appropriators seeking additional funding for CISA's cybersecurity
mission. Together, we succeeded in increasing CISA's cyber budget by
$350 million, accelerating efforts to secure Federal networks and
ramping up CISA's threat analysis and response capabilities for
private-sector critical infrastructure owners and operators and State
and local governments.
Despite bipartisan support for increasing CISA's cybersecurity
budget, the President's budget cuts it by about over $150 million. I
don't understand how a cut of that magnitude makes communities trying
to defend themselves against ransomware attacks, Federal networks, or
critical lifeline services--from power to communications--any more
secure.
Director Krebs, you know your mission. I want to know what
resources you need to do it. I would also like to express my concern
about the administration's decision to eliminate the CFATS program.
To the best of my knowledge, there is no intelligence that suggests
that the security risks to chemical facilities has diminished. There is
no evidence that a voluntary security framework will yield the same
security results as a regulatory program.
You can be certain the Members of this committee will not allow
CFATS to expire. I am also concerned about the administration's
continued efforts to cut S&T.
Last fall, this committee held a hearing exploring the security
threats posed by emerging technologies. Despite ample evidence that
U.S. investment in research and development is lacking, this budget
cuts R&D for cybersecurity as well as important University Programs and
Centers of Excellence. We cannot afford to continue to defer
investments in R&D, and I will work hard to restore funding.
Before I close, I want to make clear my expectation that Members of
this committee will receive accurate, candid intelligence about threats
to our elections. Last month, the intelligence community's assessment
of whether the Russian government's influence activities were intended
to advance the President's re-election appeared to change overnight
because the President did not like the intelligence.
As Members of Congress, we must have the information necessary to
understand the threat and ensure you have budget and resources you need
to defend against sophisticated cyber threats.
Mr. Richmond. I would recognize the Ranking Member of the
committee, Mr. Katko, for 5 minutes.
Mr. Katko. Thank you, Mr. Chairman.
Thank you, Mr. Krebs, for being here. Thank you also for
participating yesterday in the election security briefing. It
was very helpful and informative and, as always, your input was
well received.
I want to echo the sentiments of my colleague, the
Chairman, about the cyber solarium and the work that has been
done on it. I know you were an integral part of that, and I
know Mr. Langevin has, as well. I look forward to a bipartisan
effort implementing as many, if not all, of his policies into
law and--on the Homeland side. Working closely with both sides
now to get that done is, I think, critical.
Our Nation faces digital and physical threats daily that
have the potential to disrupt, damage, and destroy their
targets. These threats will only grow in magnitude, frequency,
and sophistication in years ahead, as you well know, as cyber
adversaries, particularly nation-state actors, seek political,
economic, and National security advantages.
The Federal Government works with public and private-sector
partners to prevent and deter current threats, but also to plan
for the future. The Cybersecurity Infrastructure Security
Agency Act, or CISA, was tasked by Congress in 2018 to serve as
the Nation's risk advisor, providing for the timely sharing of
information, analysis, and assessment, and facilitating
resilience building and mitigation in the .gov domain, State
and local governments, and the private sector across
industries.
Today we will take a closer look at CISA's plans and how
they intend to carry out and achieve their mission. I must say
I agree with Ms.--the chair. Cutting CISA's budget is not a
really good idea at all. In fact, the opposite is true. We need
to expand your resources so you can better handle the emerging
threats.
CISA is responsible for securing the civilian Federal
networks, monitoring emerging threats across sectors 24/7/365,
securing our Nation's chemical facilities, advising State and
local governments on election security, partnering with the
public and private sector to protect soft targets in crowded
places, and identifying and addressing risks to our National
critical functions.
During the past year CISA completed its transition to a
stand-alone agency subject to DHS oversight. I am very
interested in hearing how strengthening CISA's authorities
could further clarify civilian cybersecurity risk management
authorities, and CISA's role as a convener of public-private
partnerships.
As we have spoken in private, and in my office, and
elsewhere, I am very interested in you telling us what else you
need, and you know we will respond if you tell us what you
need. I encourage you not to be shy about it, Mr. Krebs.
I look forward to hearing about CISA's plans to continue
its progress securing our supply chain and tackling risk to our
National critical functions and election infrastructure.
Finally, I invite you to share insights on CISA's work with
State and local governments to secure the 2020 elections from
the hindsight of Super Tuesday and other election primaries.
We will also hear from the Directorate of Science and
Technology, or S&T, about how they plan to execute their
mission in the year ahead. S&T, through partnerships with the
Federal Government, academia, and industry, develops innovative
solutions to aid the Department of Homeland Security in
achieving its mission more effectively, efficiently, and
affordably.
I look forward to hearing from both of our witnesses and my
colleagues to see how we can work together--and the keyword is
``together''--to ensure DHS is capable of protecting our Nation
from digital and physical threats. This is the inherently
bipartisan effort we are all involved in, and we should proceed
in that manner.
With that I yield back.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
Thank you, Mr. Chairman, for holding this hearing, and thank you to
our distinguished witnesses for being here today.
Our Nation faces digital and physical threats daily that have the
potential to disrupt, damage, and destroy their targets. These threats
will only grow in magnitude, frequency, and sophistication in the years
ahead as cyber adversaries particularly nation-state actors seek
political, economic, and National security advantages.
The Federal Government works with public and private-sector
partners to prevent and deter current threats, but also to plan for the
future.
The Cybersecurity and Infrastructure Security Agency Act, or CISA,
was tasked by Congress in 2018 to serve as the Nation's risk advisor,
providing for the timely sharing of information, analysis, and
assessment, and facilitating resilience building and mitigation in the
.gov domain, State and local governments, and the private sector across
industries.
Today we will take a closer look at CISA's plans and how they
intend to carry out and achieve their mission.
CISA is responsible for: Securing the civilian Federal networks;
monitoring emerging threats across sectors 24/7/365; securing our
Nation's chemical facilities, advising State and local governments on
election security; partnering with the public and private sector to
protect soft targets and crowded places; and identifying and addressing
risks to our National critical functions.
During the past year CISA completed its transition to a stand-alone
agency subject to DHS oversight. I am interested in hearing how
strengthening CISA's authorities could further clarify civilian
cybersecurity risk management authorities and CISA's role as a convener
of public-private partnerships.
I look forward to hearing about CISA's plans to continue its
progress securing our supply chain and tackling risks to our National
critical functions and election infrastructure.
Finally, I invite Director Krebs to share his insights on CISA's
work with State and local governments to secure 2020 elections from the
hindsight of Super Tuesday and other election primaries.
Today we also will hear from the Science & Technology Directorate,
or S&T, about how they plan to execute their mission in the year ahead.
S&T, through partnerships within the Federal Government, academia,
and industry, develops innovative solutions to aid the Department of
Homeland Security in achieving its mission more effectively,
efficiently, and affordably.
I look forward to hearing from both our witnesses and my colleagues
to see how we can work together to ensure DHS is capable of protecting
our Nation from digital and physical threats.
Mr. Richmond. The gentleman from New York yields back. I
now recognize the Ranking Member of the full committee to give
an opening statement.
Mr. Rogers.
Mr. Rogers. Thank you, Mr. Chairman, and thank you for
holding this important hearing. I want to thank the witnesses
for being here, and taking the time to prepare for these
hearings. I know it takes a lot of time, and that you have got
other things to do, but we appreciate it. It is very helpful to
us.
Today's threats can be cyber, or physical, or man-made, or
natural. They can emerge from nation-states, criminal
organizations, or terrorists. Just in the last 2 months we have
dealt with cyber threats from Russia and Iran, ransomware
attacks and disinformation campaigns on social media. These are
the threats we know about. Many more may be lurking on the
networks.
Unless we do something about it, these threats will only
grow. CISA is the agency Congress created to do something about
this. CISA's work is critical. That is why I was disappointed
to see this year's budget request for the agency. I am very
concerned that any cuts like this would undermine CISA's
ability to successfully carry out its mission.
But I do take comfort in knowing, from my 18 years here,
that the President only proposes budgets; we write budgets. I
can tell you these cuts are not going to take place.
I look forward to hearing from Director Krebs on how he
intends to mitigate the growing cybersecurity threats with a
smaller budget, if that were to happen.
I also look forward to hearing from S&T on the important
work it is doing to develop new technologies to defend our
homeland.
[The statement of Ranking Member Rogers follows:]
Statement of Ranking Member Mike Rogers
March 11, 2020
Thank you, Mr. Chairman, for holding this hearing, and to our
witnesses for being here today.
Today's threats can be cyber or physical, manmade or natural. They
can emerge from nation-states, criminal organizations, and terrorists.
Just in the last 2 months, we've dealt with cyber threats from
Russia and Iran, ransomware attacks, and disinformation campaigns on
social media.
These are the threats we know about. Many more may be lurking on
our networks.
Unless we do something about it, these threats will only grow.
CISA is the agency Congress created to do something about it.
CISA's work is critical.
That's why I was disappointed to see this year's budget request for
the agency.
I'm very concerned these cuts will undermine CISA's ability to
successfully carry out its critical mission.
I look forward to hearing from Director Krebs on how he intends to
mitigate growing cybersecurity threats with a smaller budget.
I also look forward to hearing from S&T on the important works it's
doing to develop new technologies to defend our homeland.
Mr. Rogers. With that, Mr. Chairman, I yield back, and
thank you.
Mr. Richmond. The gentleman yields back.
Other Members are reminded that statements may be submitted
for the record.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
March 11, 2020
Around this time last year, this subcommittee held a hearing to
discuss the fiscal year 2020 budget request.
At the time, Acting Secretary McAleenan had just replaced Secretary
Nielson amid a flurry of leadership changes throughout the Department
of Homeland Security.
Today you report to Acting Secretary Chad Wolf, the fifth person to
serve as Secretary during this administration and the third to serve as
Secretary since CISA became an operational component in November 2018.
I have raised concerns about the lack of consistent leadership at the
Department in the past, but I think it is particularly relevant in
conversations about the future of CISA and S&T.
Both CISA and S&T play critical roles in defending the homeland.
CISA is charged with coordinating the Federal efforts to defend
critical infrastructure against physical and cyber attacks and
protecting the .gov. S&T is responsible for putting cutting-edge
technologies into the hands of DHS's boots on the ground to enable the
workforce to do their jobs better and safer.
Despite their critical missions, neither of these agencies are
without their challenges. CISA has been an operational component for
less than 2 years.
As foreign adversaries increasingly rely on cyber tools to
undermine our democratic institutions, surveil critical infrastructure
networks, and hold State and local government networks hostage,
Congress and the public have demanded more of CISA. But Trump
administration has never provided Congress with a candid assessment of
how much funding is necessary for CISA to accommodate the increased
demands for its services. The White House has been without a White
House cybersecurity coordinator for nearly 2 years, leaving Federal
agencies to coordinate cybersecurity activities amongst themselves.
Although CISA's leadership has been steady and widely respected
both within the Federal Government and among the private-sector
stakeholder community, a strong, only a strong, Senate-confirmed
Secretary can effectively advocate for CISA's budget need and policy
positions at the White House.
In the absence of strong DHS leadership, the White House proposes
to gut CISA's budget by over $250 million, cutting funding for
cybersecurity activities and eliminating the Chemical Facility Anti-
Terrorism Standards Program (CFATS).
As a Member of Congress with a number of chemical facilities in my
Congressional District and a long-time advocate for ensuring chemical
facilities across the Nation are not weaponized by terrorists, I was
particularly troubled to learn the administration supports eliminating
the program.
I believe that if DHS had a permanent Secretary in place, the White
House would not have proposed eliminating the program. Accordingly, on
Monday, I introduced legislation to extend the CFATS program for 18
months, and I expect CISA to support that effort. I would also note
that the lack of consistent leadership at DHS has similarly undermined
S&T's mission.
The Science and Technology Directorate has been victim of too many
``course corrections'' to count and has struggled to solidify its
position as the research and development hub among DHS's components.
Moreover, its budget is most frequently raided to pay for the
President's political promises or to cut spending in order to comply to
budget caps. The President's fiscal year 2021 budget request is no
different--reducing cyber R&D and cutting University Programs in half.
We cannot continue to defer investments in R&D for homeland
security technologies. A permanent Secretary would understand that. I
will not ask either of you to explain how these proposed cuts will make
us safer because they will not. Instead, I hope that you will be frank
with Congress about the resources you need to do your jobs.
Mr. Richmond. Let me welcome our panel of witnesses.
First I would like to welcome Chris Krebs, the director of
the DHS Cybersecurity and Infrastructure Security Agency, back
to testify before this panel.
Director Krebs has been at the helm of DHS's cybersecurity
activity since 2017, and he has been an integral player in
shaping and developing the Department's election security
capabilities.
Next we have Mr. Andre Hentz. He is the acting deputy under
secretary for science and technology. Deputy Under Secretary
Hentz has been with S&T since 2014, and in his current role
since 2017.
Without objection, the witnesses' full statements will be
inserted into the record.
I now ask each witness to summarize his or her statement
for 5 minutes, beginning with Dr. Krebs--Director Krebs, I am
sorry.
Mr. Krebs. I will take doctor.
Mr. Richmond. I made you a doctor overnight.
[Laughter.]
STATEMENT OF CHRISTOPHER C. KREBS, DIRECTOR, CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND
SECURITY
Mr. Krebs. Chairman Richmond, Ranking Member Rogers,
Ranking Member Katko, and Members of the subcommittee.
Happy Cyberspace Solarium Report Rollout Day. Congressman
Langevin, thanks for all your efforts there, and thank you for
recognizing the significance and importance of CISA in the
broader National cybersecurity efforts. So thank you for that.
Thank you for today's opportunity to address the Cybersecurity
and Infrastructure Security Agency's--CISA's--fiscal year 2021
budget.
The 2021 budget provides meaningful investment in CISA's
ability to lead the National effort to safeguard and secure
critical infrastructure from cyber and physical threats. To
accomplish this mission, we must work with our partners where
they are, not where we are. Accordingly, this budget invests an
additional field-based personnel that are located outside the
D.C. Beltway, where our partners are found.
My statement focuses on each of our priorities: Protection
of Federal networks; election infrastructure security; securing
operational technology; supply chain risk management; and soft
target security.
First, with Federal cybersecurity, across the Federal
Government our ability to defend networks has improved. The
budget will help CISA establish a cybersecurity shared services
offering that will centralize, standardize, and deliver best-
in-class cybersecurity capabilities to Federal agencies.
Through this effort CISA will develop service standards,
evaluate individual offerings, and oversee a marketplace of
qualified cybersecurity services for Federal customers.
We must also invest in our people. CISA is leading a
Government-wide training program for all Federal cybersecurity
professionals. This includes a rotational program, training
program, and re-skilling academy. Training cybersecurity
professionals is a crucial part of closing the gap on workforce
demands for CISA and across our Government.
But perhaps the most high-profile threat today is attempts
by nation-state actors to interfere in our elections. Over the
last several years, as you heard yesterday, we have been--
become close partners with the election community, and we are
focusing on broadening the reach and depth of assistance,
emphasizing the criticality of election audit ability,
prioritizing the need to patch vulnerabilities in election
systems, and developing locality-specific cybersecurity
profiles that officials can use to manage risk.
Also, we are focusing on operational technologies or
control systems, those components that operate our critical
infrastructure. The increasing integration and connectivity of
those technologies has vastly increased the potential impact of
cyber threats. Included in this year's budget is funding to
expand our control system security efforts, including sensing
analytics and partner training platforms.
We are also investing in our efforts to understand and
manage supply chain security risks. CISA's Supply Chain Risk
Management Task Force has brought together 20 Federal agencies
and 20 of the largest companies in information communications
sectors to reach consensus on how to best manage risk. We are
not using--rather, we are using this forum to understand what
is working and what is not, sharing best practices and crowd-
sourcing solutions to close out supply chain risk management
gaps.
At CISA we also recognize that far too often our Nation is
confronted with violent attacks on places such as entertainment
venues, places of worship, and schools. Funding in this budget
to support CISA's school safety initiatives, including
stewardship of the Federal School Safety Clearinghouse, a one-
stop shop for local officials to find resources that help
provide children with a safe learning environment.
Before closing, research and development is critical to
CISA's mission. CISA and S&T are committed to effective
coordination. We are partnering to advance threat-driven cyber
analytics and development of a cyber risk framework. This
project is an important first step in the larger plan to
enhance analytics in conjunction with big data and machine
learning.
In closing, I would like to briefly touch on my keys to
success for CISA in 2020. Those keys to success are threefold:
First, we must continue focusing on our strengths; second, we
must seek strategic alignment with our interagency partners,
not compete with them; and third, we must be a customer-centric
organization.
So what are our strengths? Convening, bringing a broad
range of partners together to tackle tough challenges, sharing
actionable information, and collectively identifying best
practices for areas like Federal and State and local
cybersecurity and soft target security.
Who must we align with? Our partners in the intelligence
community and law enforcement, the Department of Defense, and
elsewhere in the civilian government. This is crucial, if we
are going to be successful, for instance, in election security,
as well as control systems.
Last, if we are not intensely focused on our customers, we
are doing it wrong. We must continue to push--to support out
across this great Nation and help infrastructure partners big
and small. Ransomware is the perfect example of how we must
become a customer-centric organization.
So with that, thank you for the opportunity to be here
today. Thank you for your prior investments at CISA. I look
forward to discussing this year's budget, and I look forward to
your questions.
[The prepared statement of Mr. Krebs follows:]
Prepared Statement of Christopher C. Krebs
March 11, 2020
Good afternoon Chairman Richmond, Ranking Member Katko, and
distinguished Members of the subcommittee, thank you for the
opportunity to testify regarding the fiscal year 2021 President's
budget for the U.S. Department of Homeland Security's (DHS)
Cybersecurity and Infrastructure Security Agency (CISA). The fiscal
year 2021 President's budget of $1.78 billion for CISA reflects our
commitment to safeguard our homeland, our values, and our way of life.
CISA strengthens the cybersecurity of Federal networks and
increases the security and resilience of our Nation's critical
infrastructure. Safeguarding and securing critical infrastructure is a
core DHS mission. The fiscal year 2021 President's budget recognizes
the criticality of this mission and ensures the men and women of CISA
have the resources they need to achieve it.
CISA's defends the homeland against the threats of today, while
working with partners across all levels of government and the private
sector to secure against the evolving risks of tomorrow--``Defend
Today, Secure Tomorrow.''
As the Nation's risk advisor, CISA is a hub of efforts to build
National resilience against a growing and interconnected array of
threats; organizing risk management efforts around securing the
National Critical Functions that underpin National security, economic
growth, and public health and safety; and ensuring Government
continuity of operations. CISA marshals its wide-ranging domain
expertise and central coordination role to guide partners in navigating
hazards ranging from extreme weather and terrorism to violent crime and
malicious cyber activity. We identify high-impact, long-term solutions
to mobilize a collective defense of the Nation's critical
infrastructure.
The fiscal year 2021 President's budget for CISA has been
reorganized under new budget lines to fully reflect the operational
vision for CISA. The CISA Act of 2018 reorganized the National
Protection and Programs Directorate into an operational component, and
the budget should reflect the new organization. For instance,
management and operational watch activities that were previously spread
across multiple budget lines are now merged into a single funding line
that will serve as a nexus of cyber, physical, and communications
integration. The new funding lines also combine all regional field
operations, including Protective Security Advisors and Cybersecurity
Advisors, into a single report channel. This enhances the ability of
CISA to engage with critical infrastructure partners outside the
beltway, where they are located. If adopted, this new structure will
streamline authority, increase transparency, and better enable CISA to
execute the funding.
cisa priorities
Nefarious actors want to disrupt our way of life. Many are inciting
chaos, instability, and violence. At the same time, the pace of
innovation, our hyper connectivity, and our digital dependence has
opened cracks in our defenses, creating new vectors through which our
enemies and adversaries can strike us. This is a volatile combination,
resulting in a world where threats are more numerous, more widely
distributed, highly networked, increasingly adaptive, and incredibly
difficult to root out.
CISA is strengthening our digital defense as cybersecurity threats
grow in scope and severity. The fiscal year 2021 President's budget
continues investments in Federal network protection, proactive cyber
protection, infrastructure security, reliable emergency communications
for first responders, and supply chain risk management.
CISA, our Government partners, and the private sector, are all
engaging in a more strategic and unified approach toward improving our
Nation's defensive posture against malicious cyber activity. In May
2018, DHS published the Department-wide DHS Cybersecurity Strategy,
outlining a strategic framework to execute our cybersecurity
responsibilities during the next 5 years. Both the Strategy and
Presidential Policy Directive 21--Critical Infrastructure Security and
Resilience emphasize an integrated approach to managing risk.
CISA ensures the timely sharing of information, analysis, and
assessments to build resilience and mitigate risk from cyber and
physical threats to infrastructure. CISA's partners include
intergovernmental partners, the private sector, and the public. Our
approach is fundamentally one of partnerships and empowerment, and it
is prioritized by our comprehensive understanding of the risk
environment and the corresponding needs of our stakeholders. We help
organizations manage their risk better.
The fiscal year 2021 President's budget includes $1.1 billion for
cybersecurity initiatives at CISA to detect, analyze, mitigate, and
respond to cybersecurity threats. We share cybersecurity risk
mitigation information with Government and non-Government partners. By
issuing guidance or directives to Federal agencies, providing tools and
services to all partners, and leading or assisting the implementation
of cross-Government cybersecurity initiatives, we are protecting
Government and critical infrastructure networks.
Within the cybersecurity initiatives funding amount, the fiscal
year 2021 President's budget includes $660 million for cybersecurity
technology and services, including Continuous Diagnostics and
Mitigation (CDM) and National Cybersecurity Protection System (NCPS)
programs. These programs provide the technological foundation to secure
and defend the Federal Government's information technology against
advanced cyber threats.
NCPS is an integrated system-of-systems that delivers intrusion
detection and prevention, analytics, and information-sharing
capabilities. NCPS primarily protects traffic flowing into and out of
Federal networks. One of its key technologies is the EINSTEIN intrusion
detection and prevention sensor set. This technology provides the
Federal Government with an early warning system, improves situational
awareness of intrusion threats, and near-real time detection and
prevention of malicious cyber activity. Funding included in the budget
will allow NCPS to begin transitioning capabilities to use commercial
and Government cloud services to the greatest extent possible. The
funding will also support newly-developed information sharing and
intrusion prevention capabilities into the operational environment.
CDM provides Federal network defenders with a common set of
capabilities and tools they can use to identify cybersecurity risks
within their networks, prioritize based on potential impact, and
mitigate the most significant risks first. The program provides Federal
agencies with a risk-based and cost-effective approach to mitigating
cyber risks inside their networks. The fiscal year 2021 President's
budget includes funding to continue deployment and operation of
necessary tools and services for all phases of the CDM program. Funding
will cover completion of activities to strengthen management of
information technology assets including for cloud and mobile-based
assets and protection of data on networks that carry highly-sensitive
and critical information. By pooling requirements across the Federal
space, CISA is able to provide agencies with flexible and cost-
effective options to mitigate cybersecurity risks and secure their
networks.
Funding for cybersecurity initiatives also includes $408 million
for cybersecurity operations. Within this category, approximately $264
million is dedicated to threat hunting and vulnerability management
operations. Threat hunting activity identify, analyze, and address
significant cyber threats across all domains through detection
activities, countermeasures development, as well as hunt and incident
response services. Vulnerability management capabilities include
assessments and technical services, such as vulnerability scanning and
testing, penetration testing, phishing assessments, and red teaming on
operational technology that includes the industrial control systems
which operate our Nation's critical infrastructure, as well as
recommended remediation and mitigation techniques that improve the
cybersecurity posture of our Nation's critical infrastructure.
The budget includes funding to support CyberSentry. This voluntary
program is designed to detect malicious activity on private-sector
critical infrastructure networks, including operational technology,
such as industrial control systems. The pilot will utilize network
sensor systems to detect threats; collect threat data; increase the
speed of information sharing; and produce real-time, effective,
actionable information to the companies vulnerable to malicious
attacks.
Funding is also included to support cybersecurity capacity
building. Capacity building is delivering tools and services to
stakeholders to strengthen cyber defenses and coordinating policy and
governance efforts to carry out CISA's statutory responsibility to
administer the implementation of cybersecurity policies and practices
across the Federal Government. The budget provides funding for a
cybersecurity shared services office that will centralize, standardize,
and deliver best-in-class cybersecurity capabilities to Federal
agencies. Through this effort, CISA will develop service standards,
evaluate individual offerings, and oversee a marketplace of qualified
cybersecurity services to Federal customers.
Through this budget, CISA will lead a Government-wide cybersecurity
training program for all Federal cybersecurity professionals, including
an interagency cyber rotational program, a cybersecurity training
program, and a cyber-reskilling academy. Training cybersecurity
professionals will be a crucial part of closing the gap on workforce
demands for CISA and across Government. This effort also includes
funding for CISA to continue hosting the annual President's Cup
Challenge, a cyber competition to test the skills of the Federal cyber
workforce.
The fiscal year 2021 President's budget request also includes
funding for State and local Government cybersecurity and infrastructure
assistance prioritized for election security. These resources are
institutionalizing and maturing CISA's election security risk-reduction
efforts, allowing the agency to continue providing vulnerability
management services such as cyber hygiene scans, and on-site or remote
risk and vulnerability assessments, organizational cybersecurity
assessments, proactive adversary hunt operations; and enhanced threat
information sharing with State and local election officials.
For infrastructure security, the fiscal year 2021 President's
budget includes $96 million for protecting critical infrastructure from
physical threats through informed security decision making by owners
and operators of critical infrastructure. Activities include conducting
vulnerability and consequence assessments, facilitating exercises, and
providing training and technical assistance Nation-wide. The program
leads and coordinates National efforts on critical infrastructure
security and resilience by developing strong and trusted partnerships
across the Government and private sector. This includes reducing the
risk of a successful attack on soft targets and crowded places, from
emerging threats such as unmanned aircraft systems. Funding supports
CISA's school safety initiatives, including stewardship of the Federal
School Safety Clearinghouse, the expansion of existing school security
activities, and the development of additional resources and materials
for safety to provide children with a safe and secure learning
environment.
This year's budget eliminated funding for the Chemical Facilities
Anti-Terrorism Standards program while simultaneously increasing
funding significantly for the Protective Security Advisors program.
This will allow CISA to provide voluntary support for chemical
facilities without the unnecessary burden of regulatory requirements,
placing the chemical sector on par with all the other critical
infrastructure sectors for which CISA has oversight.
The fiscal year 2012 President's budget includes $158 million for
emergency communications to ensure real-time information sharing among
first responders during all threats and hazards. CISA enhances public
safety interoperable communications at all levels of Government across
the country through training, coordination, tools, and guidance. We
lead the development of the National Emergency Communications Plan to
maximize the use of all communications capabilities available to
emergency responders--voice, video, and data--and ensures the security
of data and information exchange. CISA supports funding, sustainment,
and grant programs to advance communications interoperability, such as
developing annual SAFECOM Grant Guidance in partnership with Public
Safety stakeholders, and partnering with FEMA Grants Program
Directorate to serve as communications subject-matter experts for FEMA-
administered grants. We assist emergency responders and relevant
Government officials with communicating over commercial networks during
natural disasters, acts of terrorism, and other man-made disasters
through funding, sustainment, and grant programs to support
communications interoperability and builds capacity with Federal,
State, local, Tribal, and territorial stakeholders by providing
technical assistance, training, resources, and guidance. The program
also provides priority telecommunications services over commercial
networks to enable National security and emergency preparedness
personnel to communicate during telecommunications congestion scenarios
across the Nation.
The President's budget includes $167 for the Integrated Operations
Division. This division is charged with coordinating CISA's front line,
externally facing activities in order to provide seamless support and
an expedited response to critical needs. These funds include $82
million to support 373 protective security advisors and cybersecurity
advisors located across the country. Protective Security Advisors
conduct proactive engagement and outreach with Government at all levels
and critical infrastructure. Additionally, cybersecurity advisors
expand the DHS cyber field presence across the country. These resources
better enable CISA to reach critical infrastructure partners and other
stakeholders where they live outside the beltway.
The fiscal year 2021 President's budget fully funds CISA's risk
management activities, including $91.5 million for the National Risk
Management Center (NRMC). The NRMC is a planning, analysis, and
collaboration center working to identify and address the most
significant risks to our Nation's critical infrastructure. The NRMC
also houses the National Infrastructure Simulation and Analysis Center
(NISAC), which provides homeland security decision makers with timely,
relevant, high-quality analysis of cyber and physical risks to critical
infrastructure across all sectors during steady state and crisis action
operations. Increased funding will support election security, securing
5G telecommunications, and supply chain risk analysis.
The new Stakeholder Engagement and Requirements program is funded
at $38 million. This funding will support the coordination and
stewardship of the full range of CISA stakeholder relationships; the
operation and maintenance of the CISA stakeholder relationships; the
operation and maintenance of the CISA stakeholder relationship
management system; the implementation of the National Infrastructure
Protection Plan voluntary partnership framework; the management and
oversight of National infrastructure leadership councils; and the
effective coordination among the National critical infrastructure
stakeholder community in furtherance of shared goals and objectives.
The President's budget asks for $24 million within the Science and
Technology Directorate (S&T) to continue research and development
efforts in support of CISA's cybersecurity mission. CISA and S&T have
made tremendous strides in collaborating to advance joint priorities.
In fiscal year 2019, CISA and S&T awarded a project to create a
`pipeline' for low technology readiness-level efforts to mature and
transition into CISA. Workstreams in this pipeline are advancing
threat-driven cyber analytics and development of a cyber risk
framework. This project is an important first step in the larger plan
for CISA and S&T to enhance analytics in conjunction with big data and
machine learning. Subsequent efforts in fiscal year 2020 and beyond are
planned to leverage hyperscale cloud platforms and significantly
advance the data and analytics capabilities of CISA.
Finally, Congress provided a substantial investment last year to
consolidate CISA in a new state-of-the-art headquarters facility at
DHS's St. Elizabeth's Campus. CISA currently must operate from 8
different leased locations spread across the National Capital Region,
in facilities not capable of fully supporting CISA operational demands,
which contributes to administrative inefficiencies. The fiscal year
2021 President's budget provides $459 million to the General Services
Administration for the continued consolidation of DHS facilities at the
St. Elizabeth's Campus. Included in this amount are funds for both
additional DHS component building construction and also campus
infrastructure enhancements, such as additional parking, that are
critical to the success of CISA's future relocation to the campus.
conclusion
In the face of increasingly sophisticated threats, CISA employees
stand on the front lines of the Federal Government's efforts to defend
our Nation's Federal networks and critical infrastructure. The threat
environment is complex and dynamic with interdependencies that add to
the challenge. As new risks emerge, we must better integrate cyber and
physical risk in order to effectively secure the Nation. CISA
contributes unique expertise and capabilities around cyber-physical
risk and cross-sector critical infrastructure interdependencies.
I recognize and appreciate this committee's strong support and
diligence as it works to resource CISA in order to fulfill our mission.
Your support over the past few years has helped bring additional
Federal departments and agencies into NCPS more quickly, speed
deployment of CDM tools and capabilities, and build out our election
security efforts. We at CISA are committed to working with Congress to
ensure our efforts cultivate a safer, more secure, and resilient
homeland while also being faithful stewards of the American taxpayer's
dollars.
Thank you for the opportunity to appear before the subcommittee
today, and I look forward to your questions.
Mr. Richmond. Thank you, Director.
I now recognize Acting Deputy Under Secretary Hentz to
summarize his statement for 5 minutes.
STATEMENT OF ANDRE HENTZ, ACTING DEPUTY UNDER SECRETARY FOR
SCIENCE AND TECHNOLOGY, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Hentz. Good afternoon, Chairman Richmond, Ranking
Member Katko, Ranking Member Rogers, and distinguished Members
of the subcommittee. Thank you for inviting me here today to
testify on the President's budget for fiscal year 2021, which
includes a request for $643 million for the Science and
Technology Directorate within the Department of Homeland
Security.
S&T's research develops activities which support a broad
range of DHS missions, including domain threat awareness,
delivery of mitigation strategies, and creating novel
technologies and approaches for the components, first
responders, and other partners across the Homeland Security
enterprise.
Our customers put their lives on the line every day to keep
our Nation safe. Having the correct tools, techniques, and/or
technologies can be vital to the operational safety and
success.
Research and development must enable efficient, effective,
and secure operations across all DHS security missions by
applying timely, scientific, engineering, and innovation
solutions. This is how S&T delivers results. Technology
innovation cycles are rapidly changing, and the nature of the
threats we see are dynamic.
It is important to note, however, that S&T represents less
than one-half of 1 percent of the entire Federal R&D budget.
Let me repeat that: S&T represents less than one-half of 1
percent of the entire Federal research and development budget,
and we strive every day to get as much value out of those funds
as possible.
Under my leadership, with Mr. Bryan, S&T has strengthened
our relationship with our customers by providing impactful
solutions to those on the front line. We continue to solidify
and strengthen S&T's core capabilities and provide deliberative
approaches to program execution that ensures timely delivery
and solid returns on investment for our Nation's taxpayers.
The fiscal year 2021 request includes $5 million for
quantum information sciences, including artificial
intelligence. S&T is beginning to focus on machine learning,
with the goal of mitigating risk to potential misuse of
artificial intelligence, and identifying opportunities and
applications for the use of trustworthy artificial
intelligence, while providing privacy protection and developing
new governance and policy frameworks for artificial
intelligence and machine learning.
The fiscal year 2021 budget request provides $14.3 million
for S&T's Probabilistic Analysis for National Threats, Hazards,
and Risk program, known as PANTHR. PANTHR aligns S&T's chemical
and biological hazard awareness and characterization activities
to provide timely, accurate, and defensible decision support
tools and knowledge to stakeholders. Working with the
Countering Weapons of Mass Destruction Directorate, PANTHR is
leveraging S&T's National Biodefense Analysis and
Countermeasures Center to address pertinent scientific
questions and DHS operational concerns regarding the surface
stability and decontamination of COVID-19. Funding in 2021
would allow PANTHR to develop additional assessment
capabilities to address growing infrastructure concerns such as
the bio-economy, and fill other critical gaps regarding weapons
of mass destruction risks to the homeland.
The administration is also focusing on targeted violence
and terrorism prevention, and S&T's 2021 requests includes $7
million for research to inform policy, strategy, tactics,
techniques, and procedures in this area. S&T is actively
working to support technology integration and techniques to
reduce the likelihood of mass violence and improve the ability
to prevent and respond to a mass violent event.
The fiscal year 2021 budget request supports S&T's Office
of University Programs in two vital efforts, our centers of
excellence and working with minority-serving institutions.
Centers of excellence that receive funding in fiscal year 2021
will conduct research and development that aligns with the
administration's priorities to strengthen border security,
cybersecurity, infrastructure protection, and prioritize
transnational criminal investigations.
Finally, the 2021 budget requests at $18.9 million in a
procurement, construction, and investment account for S&T to
begin to address the decontamination and closure of the Plum
Island Animal Disease Center. S&T is committed to our mission
to deliver effective, innovative insights, methods, and
solutions for critical needs of DHS components, first
responders, and our operational partners in the Homeland
Security space.
Chairman Richmond, Ranking Member Katko, Ranking Member
Rogers, and Members of the committee, thank you again for the
opportunity to appear before you today, and for your continued
support of S&T. I look forward to answering your questions.
[The prepared statement of Mr. Bryan, as presented by Mr.
Hentz, follows:]
Prepared Statement of William Bryan
March 11, 2020
Good afternoon Chairman Richmond, Ranking Member Katko, and
distinguished Members of the subcommittee. Thank you for inviting me
here today to testify on the President's budget request for fiscal year
2021, which includes a request of $643.7 million for the Science and
Technology Directorate (S&T) within the U.S. Department of Homeland
Security (DHS).
S&T's research and development (R&D) activities support a broad
range of DHS missions, including domain threat awareness, delivering
mitigation strategies, and creating novel technology and approaches for
the components, first responders, and other partners across the
homeland security enterprise. Our customers put their lives on the line
every day to keep our Nation safe, and having the correct tools,
techniques, and/or technologies can be vital to the operators' safety
and success.
We must enable efficient, effective, and secure operations across
all homeland security missions by applying timely scientific,
engineering, and innovative solutions through research, design, test
and evaluation, and acquisition support. This is how S&T delivers
results. Technology innovation cycles are rapidly changing and the
nature of the threats we see is dynamic. This combination presents a
significant challenge to traditional R&D approaches as well as meeting
component requirements and needs in a fiscally constrained R&D
environment. S&T is less than 1 percent of the entire Federal R&D
budget--and we strive every day to get as much value out of those funds
as possible.
Therefore, it is my responsibility to ensure an efficient,
effective, and nimble organization is in place to address R&D needs of
Homeland Security front-line operators, particularly the DHS
operational components and first responders, today and into the future.
Either through the identification of existing technologies or the
timely development of new technology, S&T can provide them with the
tools they need to safely and effectively protect the homeland and the
American people. Under my leadership S&T has strengthened our
relationships with our customers, the DHS operational components and
first responders, to provide impactful solutions to those on the front
line. We continue to solidify and strengthen S&T's core capabilities
and provide a deliberative approach to program execution that ensures
timely delivery and solid return on investment for our Nation's
taxpayers.
S&T has become more agile and responsive, ready to move quickly in
response to changes in the threat environment, and makes use of
existing technologies, when available, that can be adapted and
leveraged to expedite the development of vital capabilities. S&T has
significantly enhanced its ability to transfer capabilities to where
they are most needed by working closely with operators, component
partners, and industry to deliver effective solutions. The revitalized
S&T has strengthened its relationships with DHS components, first
responders, and other customers, and results in a more integrated
approach to innovation, requirements gathering, and problem solving. At
a strategic level, S&T has created a capability to identify,
prioritize, and report on emerging technology risks facing the United
States. Together with DHS Policy, S&T will identify and assess emerging
technologies most likely to significantly improve operations and/or
threaten the DHS mission over the next 2-5 years. Results will support
senior DHS executives as they prioritize the list of technologies and
shape the DHS investment portfolio to address risk.
A strong cross-Department cybersecurity R&D program is critical for
DHS. The Cyber Security & Infrastructure Security Agency (CISA) and S&T
have made tremendous strides in resetting the relationship, directing
R&D resources into mission support of CISA requirements. CISA and S&T
have established repeatable processes to identify capability gaps,
prioritize needs, and execute on RD&I needs. The fiscal year 2021
cybersecurity R&D budget request is for $24 million and places all
cyber R&D funding with S&T.
S&T is currently partnered with the National Institutes of
Artificial Intelligence (AI) with the goal of mitigating risks to
misuse of AI, identifying opportunities and applications of AI within
the homeland security mission space, improving privacy protection, and
developing new governance and policy frameworks for artificial
intelligence and machine learning. S&T is working with its operational
DHS component partners to assess opportunities for leveraging Automated
Machine Learning (AutoML) and related data preparation tools as a means
of accelerating understanding and use of this technology within the DHS
enterprise. In fiscal year 2021, S&T will examine and characterize the
state of artificial intelligence research relative to future homeland
security mission applications. Research activities will focus on the
development of core capabilities that enable trustworthy artificial
intelligence to improve core automation capabilities that are secure,
private, and trusted for critical homeland security applications.
The fiscal year 2021 budget request provides $14.4 million for
S&T's Probabilistic Analysis for National Threats Hazards and Risks
(PANTHR) program that aligns S&T's chemical and biological hazard
awareness and characterization activities to provide timely accurate
and defensible decision support tools and knowledge to stakeholders.
PANTHR is currently supporting the Countering Weapons of Mass
Destruction Office (CWMD) to address the on-going Coronavirus outbreak
by providing consolidated up-to-date information regarding the virus to
DHS components. PANTHR is currently leveraging the capabilities of one
of the DHS laboratories, the National Biodefense Analysis and
Countermeasure Center (NBACC), which is addressing pertinent scientific
questions and DHS operational concerns regarding Coronavirus surface
stability and decontamination. PANTHR funding in fiscal year 2021 would
further support the expansion of these National capabilities to address
current and emerging chemical and biological concerns. Additionally,
the fiscal year 2021 request would allow PANTHR to develop additional
assessment capabilities to address growing infrastructure concerns,
such as the bio-economy, and fill other critical technical hazard data
gaps regarding WMD risks to the Homeland.
S&T is requesting $35.9 million in the fiscal year 2021 budget to
directly address Customs and Border Protection (CBP), the U.S. Coast
Guard (USCG), the U.S. Secret Service (USSS), and the Federal
Protective Service (FPS) requirements for Countering Unmanned Aircraft
System (CUAS) requirements. In close coordination with our operational
customers, S&T is responsible for the initial CUAS deployment
architecture, technology selection, system integration, system test,
training and cyber compliance. The fiscal year 2021 S&T CUAS investment
will focus on mission interoperability with the Department of Defense
and Department of Justice in the National Capital Region, improved CUAS
capabilities for DHS components, and addressing future threats. UAS
threats to critical infrastructure and security activities will likely
increase in the near future as the number of UAS introduced into the
National airspace continues to increase. However, currently the use of
technical means to detect, track, and disrupt malicious UAS operations
remains limited.
S&T is dedicated to developing or adopting innovative tools for DHS
components, and the fiscal year 2021 budget request supports that
effort. For example, the S&T Opioid Detection project continues to
integrate advanced technologies, including narcotics anomaly detection
algorithms and chemical sensing technologies, into CBP international
mail facilities, and to evolve efforts directed at detecting synthetic
opioids in additional operational environments in response to changing
trafficking dynamics. Increased funding will also further improve the
understanding of supply chain logistics and intelligence to aid in
targeting, investigations, and ultimately, disruption of international
smuggling. The administration is also focusing on Targeted Violence and
Terrorism Prevention, and S&T is a vital partner using research to
inform policy, strategy, tactics, techniques, and procedures. S&T is
actively working to support technology integration and techniques to
reduce the likelihood of mass violence and improve the ability to
prevent and respond to a mass violence event.
The fiscal year 2021 request continues support for S&T's Silicon
Valley Innovation Program (SVIP) at $10 million, which leverages
innovative commercial capabilities from across the country through non-
traditional Government contractors to rapidly deliver technology to
fulfill DHS component-defined requirements. This program fosters rapid
development and delivers tested technology into the field in a much
shorter time frame than is possible under traditional vehicles. S&T's
SVIP collaborates with DHS operational components to provide solutions
that enhance overall situational awareness, detection, tracking,
interdiction, and apprehension.
To date, S&T's SVIP has awarded $18 million in funding and
processed over 485 applications across 14 topic areas. S&T has worked
with 49 small start-up companies from 15 different States and leveraged
over $500 million in private-sector investment that aligns on-going
private-sector activity with DHS operational component requirements.
SVIP has successfully transitioned 3 technologies into CBP operational
environments including a new generation of radar to support U.S. Border
Patrol operations. This radar technology was incorporated into 58
Border Patrol towers on the Southwest Border and a similar amount are
planned for transition in 2020.
The fiscal year 2021 budget request adds a Procurement,
Construction, and Improvements account to address the decontamination
and closure of the Plum Island Animal Disease Center. S&T is on time
and on budget to complete the construction of the National Bio and
Agro-Defense Facility (NBAF). This state-of-the-art facility will be
transferred to the U.S. Department of Agriculture upon completion of
construction and will be the Nation's only Bio Safety Level 4
laboratory that is capable of studying large animal diseases in
livestock, such as African Swine Fever and Foot and Mouth Disease.
After NBAF is completed, the Plum Island facility will require
decontamination. The $18.9 million of the fiscal year 2021 request will
begin decontamination activities and stand up the program office to
manage this multi-year effort.
The fiscal year 2021 budget request supports S&T's Office of
University Programs in two vital efforts, our Centers of Excellence
(COE) and working with Minority Serving Institutions (MSI).
The fiscal year 2021 budget request allows for the continuation of
the University-based COEs that are focused on homeland security mission
needs. COEs that will receive funding in fiscal year 2021 will conduct
research and development that aligns with the administration's
priorities to strengthen border security, cybersecurity and
infrastructure protection, and prioritize trans-national criminal
investigations. S&T conducts rigorous evaluations of each Center's
performance using established criteria to help inform project funding
decisions that meet operator needs and stay focused on transferring or
transitioning research and technology outputs into field use.
S&T seeks to leverage and utilize the unique intellectual capital
in the MSI community to address current and future homeland security
challenges and to provide relevant learning opportunities to diverse
and highly talented individuals and inspire the next generation of
dedicated to homeland security professionals. Our efforts provide
learning opportunities for students that already are pursuing Science,
Technology, Engineering, and Mathematic (STEM)-related degrees. These
awards support MSIs in their efforts to attract highly technical
students and provide exposure and mentorship opportunities with DHS
programs. S&T's efforts with MSIs are important for ensuring students
develop the cross-functional skills essential to their flourishing and
meeting the demanding needs of the homeland security missions. By
establishing continuous relationships between COEs, MSIs, DHS component
agencies, and private-sector entities, S&T is expanding partnering
institutions and providing resources needed for students to gain
meaningful work experiences that prove invaluable to the growth of
their careers in homeland security-related areas.
S&T's mission is to deliver effective and innovative insight,
methods, and solutions for the critical needs of DHS components and our
operational partners in homeland security.
Chairman Richmond, Ranking Member Katko, and Members of the
committee, thank you again for the opportunity to appear before you
today and for your continued support of S&T.
I look forward to answering your questions.
Mr. Richmond. I want to thank the witnesses for their
testimony. I will remind each Member that he or she will have 5
minutes to question the panel.
I will now recognize myself for 5 minutes for questions.
Director Krebs, in January 2017 the Office of the Director
of National Intelligence issued a report concluding that the
Russian government meddled in the 2016 Presidential election,
and that Russia's goal was to assist the campaign of now-
President Trump.
Last month several news outlets reported that President
Trump removed the acting director of national intelligence,
Joseph McGuire, had the staff from his office brief bipartisan
members of the House Permanent Select Committee on Intelligence
on foreign threats to U.S. elections. Are you familiar with
that?
Mr. Krebs. I am certainly aware of the intelligence
community assessment of 2017, and recall seeing some of the
press reports. Yes, sir.
Mr. Richmond. Initial reports indicated that ODNI staff
told Members in the briefing that the Russian government, once
it--was once again attempting to meddle in our elections to
benefit President Trump's re-election. This is the same thing
that Russia did in 2017, when they interfered in the U.S.
election to help President Trump. Wouldn't that be the same
assessment?
Mr. Krebs. I am sorry, is the--can you repeat the question?
I am trying to understand what----
Mr. Richmond. Well, the intelligence is the same
intelligence from 2017 that Russia is trying to interfere in
the election.
Mr. Krebs. So I certainly can't talk to the intelligence. I
would defer to the intelligence community on the specific
assessments. We are planning as if the Russians and others are
coming back for the 2020 election to again attempt to
interfere.
Mr. Richmond. Let me just get to the--my main point on this
is that we need to believe in the intelligence that we are
getting. All of the reports indicate that the assessment and
intelligence changed once the President didn't like it.
We, as Members of Congress, need to know that we are going
to get the whole truth and nothing but the truth from our
intelligence communities, because we have a responsibility to
act whether we like it--don't like the information.
So the real question to you is can we believe and trust
that the information we are getting from you, and you all in
the intelligence community, is the whole truth and nothing but
the truth?
Mr. Krebs. Yes, sir, absolutely.
Mr. Richmond. Let me shift a little bit to CFATS. I
represent, probably, the No. 1 and No. 2 largest petrochemical
district in the country. I am concerned that--where the
proposed budget eliminates the CFS program. Last year officials
from CISA testified before this committee that CFATS is a vital
part of our Nation's counter-terrorism efforts, and very much a
pressing need in view of the continuing level of chemical
terrorism threats.
January 15, DHS issued an alert warning about heightened
threats from Iran, specifically in the chemical sector. So can
you share any information you have about what intelligence
assessments or security assessments CISA has completed to
support the elimination of the CFATS program, and how will
eliminating CFATS make my constituents safer?
Mr. Krebs. So thank you for the question specific to the
January alert related to the heightened tensions of Iran. I
don't believe that was associated with any specific
intelligence product targeting chemical--the chemical sector.
That was more--again, back to my opening comment about being a
customer-centric organization, that was a request that came in
from the chemical sector that said, ``Can you guys pull
something together for the sector that will speak specifically
to Iran and the things the chemical sector can do to protect
the sector?''
So more broadly on the CFATS issue, I think where we are
right now is that, you know, over 15 years or so of
implementation of the CFATS program, there is no question that
we have changed the risk management dynamics across that
sector. At the same time, the threat landscape has also
shifted. Some of the players that were heavy in the 2005 to
2007 period are not necessarily on the map any more. In the
mean time, other actors have spread up. The economy, in and of
itself, how it works, supply chain, chemicals and commerce have
also shifted.
So I think part of what we are looking to accomplish here
is, if you look back at CFATS in general and the application of
the regulatory program to the sector, it really only
encompasses about 3,300 facilities. So, if you look back at the
fiscal year 2020 budget, that is about $72 million across 3,300
facilities.
What we are looking to accomplish here is, as we have
fundamentally changed the way risk is managed in the chemical
sector across at least 3,300 facilities, what opportunity do we
have to extend that risk management opportunity across the
40,000 facilities of the chemical sector?
My sense is that, regardless of what happens here--and of
course, we will implement whatever Congress and--passes, and
the President signs, whether it is a re-authorization of CFATS
or a shift to a voluntary program. But the bigger point here is
we are looking for this opportunity to more broadly change risk
management posture across the chemical sector.
Mr. Richmond. My last question would be do you support a
temporary extension of CFATS so Congress can determine the
appropriate path forward, No. 1; and No. 2, do you maintain a
list of unfunded priorities so that--if you have money, things
that you would do?
Mr. Krebs. Sir, we do have a significant list of PDOs, or
program opportunities that we would be able to--if funded, we
would be able to execute, of course.
On your private--on your first question, you know, again,
we are in a transition planning process right now with about a
month, a little over a month or so, out from expiration of the
program. So we are focused on transitioning right now. But
whatever happens, again, we have the funding for the rest of
the year to execute the program if there is a temporary
extension put in. Thanks.
Mr. Richmond. Thank you, and I yield back. I now recognize
the Ranking Member, the gentleman from New York, Mr. Katko, for
5 minutes.
Mr. Katko. Thank you, Mr. Chairman. Mr. Krebs, I want to
kind-of ask you about the Cyberspace Solarium report in
general, but really talk about how it may impact the budget if
those recommendations get implemented.
So I view this Solarium report as one of the critical
things we can do in Congress this year, and I really believe
that the next 9/11 could absolutely, positively be, God forbid,
a cyber attack that is cataclysmic. I am not sure we are ready
for it. I think this report recognizes that, and it
recognizes--and it makes a series of recommendations.
I know part of it is on the defense side, and I--you know,
we are more interested in the homeland side in this committee,
obviously. So if you could, talk from the homeland side on what
are some of the big things in that report, and how it might
be--might impact the budget going forward, so we can plan for
it.
Mr. Krebs. So thank you for that. It is interesting, and I
am sure Congressman Langevin shares this. Being so close to the
wheel and the development of the report, you see the
recommendations, and they just make a lot of sense to us. But
it is good that someone that is not developed in the--you know,
was not involved in the process also thinks they make sense,
and this doesn't just kind-of fall flat.
So the--kind-of the pickup I have seen today, at least, has
been very, very positive that there is some innovative, bold
recommendations in the report. But more importantly, there are
recommendations within the report that are practical and
eminently implementable. That is the most important aspect of
the report in and of itself, that whatever is in it, that we
can actually do it.
To your point about that defense/offense divide, that was
one of the important policy signals that comes out of the
report--to me, at least--that this is not just about investing
in the Department of Defense and General Nakasone's teams. It
is also about ensuring that CISA and the rest of the civilian
cybersecurity space and the private sector have the direction,
guidance, and resources they need to be able to implement.
Some of the key takeaways that I have, the report--I think
I will focus on 3.
First is that it squarely puts CISA at the central
coordination point for civilian cybersecurity defense, and that
brings all the Federal partners together, but that also,
importantly, brings the Federal--or the private sector, as well
as State and local partners together.
There are going to be some significant employment
implications here. Do we have the facilities that we need to
truly set up a collaboration space? We are operating in about 9
different facilities in Baghdad.
Mr. Katko. A bunch of them, and they do seem to be all over
the place.
Mr. Krebs. We have 9 facilities in the National Capital
Region that we have been in since 2005, when I was a contractor
with the prior organization, one of the first inhabitants of
the building. We need a refresh. So we are going through that
process right now with the St. Elizabeths program.
We just need to make sure that we have the access for our
private-sector partners to the facility, that we can
accommodate regular access from private-sector partners, and
make it an experience that they want to actually participate
in. It is a kind-of if-you-build-it-they-will-come sort-of
approach. So that aspect we are focused on.
There is another piece of it, continuity of the economy,
that we are working through right now. That is kind-of, in some
part, a manifestation of our National critical functions work
that we launched last year. We are also seeing that play out
right now across the COVID response. So we have developed a
framework for analyzing broader supply chain impacts of COVID
across 4 different elements.
The first is, is there a commodity disruption that would
disrupt a business or a function?
The second is, is there a workforce disruption that you may
not be able to continue delivering that service or function?
Then there are 2 kind-of demand-side issues. No. 1, you
have over-demand, and that could be, like, the N95, you have
too much demand and, therefore, you have a cratering within the
function. On the flip side of that, you may see in
transportation there is a lack of demand. So the function then
degrades.
So those are the sorts of things that we want to push into
that continuity of the economy. We have the rubric, but we
are--you know, to fully implement that recommendation is going
to require significant analytic investments within the agency.
Then last, workforce, workforce, workforce. As I mentioned
in my opening, to be successful in this space, to be truly a
customer-centric organization, I have to have personnel out in
the field, not just engineers here in District of Columbia, but
customer service professionals out where our customers are.
That is going to require a significant investment in personnel.
Mr. Katko. Thank you very much. It does sound like there is
going to be more requests, from a financial standpoint, from
the committee and from other committees to implement these
plans. As we work them out and tease them out and get them into
legislative formats, we will definitely revisit those issues.
So thank you very much for that.
Mr. Hentz, what--if you could, just describe quickly, what
are the key legislative priorities for your organization this
year?
Mr. Hentz. Thank you, Chairman, Ranking Member. What we
were----
Mr. Katko. I will take Chairman.
Mr. Hentz [continuing]. Trying to do right now is----
[Laughter.]
Mr. Hentz. What we are trying to do right now is prioritize
the list of requirements from our operational components.
To specifically answer your question, those priorities look
like countering unmanned aerial systems, things like 5G and
other supply chain risk mitigators. Obviously, support to
border and commerce, as well as our support to emerging
biological and chemical risk.
So those are our core primary equities right now that we
are trying to focus on.
Mr. Katko. Thank you very much. I am interested in that. I
will yield back, but I just want to note in Syracuse, New York
they are going to start building a 5G manufacturing facility,
the first one in the country that is going to have all American
components, which is critical for cybersecurity, going forward.
We also have one of the largest unmanned aerial system
research corridors, from Rome Labs to Syracuse, New York. So we
are at the tip of the spear with some of your priorities. So I
look forward to working with you further on those, going
forward. I hope we can continue the lines of communication.
With that I yield back, Mr. Chairman.
Mr. Richmond. The gentleman yields back. I now recognize
the gentleman from Rhode Island, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. Let me begin by
thanking you for--and the Ranking Member for the supportive
comments about the Solarium Commission project, and the report
that we are issuing today, and, Mr. Chairman, for your
leadership on the issue of cyber, and I look forward to
continuing to collaborate with you on these--on this important
topic.
Good morning to Director Krebs and Mr. Bryan, thank you
very much for being here today. Mr. Hentz, I appreciate your
being here today, I look forward to hearing what you have to
say.
Director Krebs, I guess I want to begin with you, and
express my appreciation to you for your participation in the
Cyberspace Solarium Commission. Your contributions to that
effort, and the dialog that took place, and the ultimate
findings, your contributions were invaluable. Obviously, the
report is being released today, and I am very proud of the work
that we did bring, in bringing together many different
stakeholders and coming up with a series of recommendations, as
you pointed out, I think, are eminently doable, and that I hope
will advance the ball on cybersecurity.
So my first question, the report identifies various ways
that CISA should work with sector-specific agencies to improve
information sharing and collaboration with private-sector
entities. So, for example, the report highlights that we need
more clarity in statute of what is required of SSAs in order to
ensure that you have the information that you need to do your
job.
So, Director Krebs, do you agree that Congress should work
to lay out the responsibilities of SSAs to both their private-
sector partners and to CISA? That we should research them
appropriately to perform these functions?
Well, I will stop there, and then I have other questions.
Mr. Krebs. So I think this is where we need to strike the
right balance. It certainly makes a whole lot of sense to me
that sector-specific agencies--of which I actually own 8 of
them, between IT, comms, critical manufacturing, chemical,
nuclear, emergency services--that we develop within those
sector-specific agencies the specific requirements and
attributes of those sectors.
You know, we can handle the core cybersecurity, whether it
is the business side or the control system side. We can develop
that core capability. But what I need is the specifics of the
sector to be layered on top of that understanding, and I can't
invest in significant treasury, or banking, finance, so that is
absolutely the responsibilities that we would be looking to be
clearly articulated.
Mr. Langevin. Can you talk about how CISA plans to work
toward implementing the recommendations, if you would?
Mr. Krebs. Well, I--so, right now, it--now that the report
is out we have that kind of--the triage list, working through,
of course, some of the templates that the--Executive Director
Montgomery has pushed out. So we have got those identified, and
the sorts of resources that we will need, the things we could
do now, the things we will have to do down the road, but also
working with the Commission on what will require legislative
assistance.
You know, I think there is a significant amount of the
recommendations that we can implement right now. But,
obviously, with some of the requirements for--whether it is IOT
standards or some of the additional requirements on critical
infrastructure, that is going to require either Congressional
action or some sort of regulatory proceeding.
Mr. Langevin. So, like my other colleagues here today, I
also want to be on record as saying that I am very concerned
about the cuts to CISA's budget proposed by the administration.
Look, the National Risk Management Sector--Center, in
particular, is a critical component of the Solarium
Commission's recommendations, especially when it comes to
syncing up the cyber expertise that CISA has with the sector-
specific enterprise and the SSAs. So do you believe that the
NRMC will be able to carry out its own mission, in addition to
the ones recommended by the Solarium report, with the requested
amount of funding?
Mr. Krebs. So I think--the way that I see the budget is--
Ranking Member Rogers mentioned, you know, the proposal and the
actual budgeting piece.
You know, I am on the formulation and implementation side.
The way the 2021 budget was developed, given the timing of
formulation, the timing of the 2020 appropriations, they were
out of step. So the 2021 budget request, the President's budget
request, was built on the 2019 enacted. So if you look at it
in--through that lens, it is actually an increase over the 2019
enacted.
Because we didn't receive the fiscal year 2020
appropriations until late December, by that time the 2021
President's budget was already baked, from my--from where I
sit, at least. So it was out of my control, that was already
cooked. There was not time to kind-of re-peg it against the
2020.
So what you see, instead, in the President's budget
request, are the key areas of focus for the agency. There is
plenty of room for investment. The National Risk Management
Center, for instance, has plenty of room for investment to get
the additional analytic capabilities, we would need, if that is
what the Congress decides.
Mr. Langevin. Clearly, CISA is going to need additional
resources to do the job that we are expecting you to do. I
appreciate the job that you are doing, as director, and your
team at CISA. Thank you for that.
With that, Mr. Chairman, I yield back.
Mr. Richmond. The gentleman from Rhode Island yields back.
I now recognize the gentleman from Alabama, Mr. Rogers, for 5
minutes.
Mr. Rogers. Thank you, Mr. Chairman.
Mr. Krebs, you know, it has been reported that there are
over 300,000 cybersecurity job vacancies in the country at
present. So we have a real challenge. That is across, you know,
the private and public sectors. How many job vacancies do you
have that you are struggling to fill?
Mr. Krebs. At the moment we have got about 655 vacancies
within the agency, about 151 of those are cybersecurity. I have
about a 95 percent retention rate on the cybersecurity side,
which is good, and it is improving.
What we are doing right now, particularly as we continue to
hire against the fiscal year 2020 funding--in that set, again,
peg the FTE rate higher. We are trying to look at hiring as a--
from a systematic approach. So left to right, from--you know,
identifying the job to actually getting a person in a seat with
the PIV card and a machine, ready to roll. That requires a
whole host of partners within CISA and without. So, really
trying to flush out who owns these things, what are the
bottlenecks, and then what is the plan we are putting against
it.
So a couple examples of choke points or bottlenecks that we
are seeing, it is the hiring manager develops a position
description. The problem with the hiring manager doing that is
a hiring manager is a collateral job. It is an other-duties-as-
assigned. So I have someone who is a program manager and an
engineer, but also has to do a hiring manager job.
So we are saying, OK, maybe we relieve them of the hiring
manager responsibility and have full-time hiring managers
that--their job, at least on a 6-month, maybe cyclical basis,
would be to just work position descriptions, just work the
interview process. We think that can streamline and make a more
efficient process.
We also have to look at----
Mr. Rogers. Have you started that?
Mr. Krebs. Yes, sir. We did. We--a couple of weeks ago we
launched a task force to focus just on this sort of thing.
Mr. Rogers. I am sorry to interrupt you.
Mr. Krebs. So we are going to be plowing through those PDs
and the selections, which then gets us to the subsequent piece,
the security.
For instance, in the past we have looked at cybersecurity
jobs as requiring top secret SCI clearances. We are challenging
those assumptions. You know what? I might not need out in the
field anybody that has a TS. Secret might be fine. So let's
take a stab at that. If they need TS down the road, then we can
put them in for that process. The TS is a--the top secret
clearance is a significant additional time lag in hiring. So we
are going to change the way we write PDs. Plus there are other
policy and process issues.
Again, some of that security clearance review I have to
outsource to other parts of the Department, so let's see what
we can do there.
But also, like, just getting smarter about how we write
position descriptions. So working in part with the Aspen Group
and the--their cybersecurity working group, they issued a
series of recommendations on how to improve cybersecurity
hiring.
One of them that we have adopted is how do you--don't over-
spec the position description. So you are trying to hire a
job--someone into a job. Don't say you have got to be able to
do 15 things. Just tell them the 2 or 3 things you need them to
do. So those are the sorts of things.
We are just trying to bring a little bit of reality into
the hiring process, and we have already seen a 12 percent
decrease in our time to hire. So, in some cases, it is--that is
only--you know, that goes from, like, 260 days to maybe 240
days, just trying to improve these numbers a little bit, and
incrementally do it. But we think we have got processes in
place. We will be able to dramatically cut the hiring process.
Mr. Rogers. Do you feel--have you found that your salary
and benefit packages is adequate to compete for talent?
Mr. Krebs. I--so thank you for bringing that up, because I
neglected to mention it.
We have been provided a series of different retention and
hiring incentives that we can use, including tuition
reimbursement, up to 25 percent hiring--or, rather, retention
bonus. So I can actually, I think, generally, compete in the
market. Certainly not on the top, top, top, top end, but we can
provide--between mission and pay and just quality of life, we
think we can do a pretty good job here.
So it is just about getting out there, and making sure we
are using smarter, you know, platforms, and really hitting some
of the on-line--like, LinkedIn, and things like that,
aggressively recruiting across those platforms.
Mr. Rogers. Have you found that you have been able to bring
in many CISA employees through the Scholarship for Service
program?
Mr. Krebs. We have used that, and that is one of the key
partners that we bring folks in, particularly at the--kind-of
the lower and mid-level of the GS structure, not at the higher
GS-15. But we need to take greater advantage of that, that is
the way I see it.
For us, it is somebody is doing recruiting for us, and we
have just got to go kind-of collect resumes. We can make on-
the-spot--at the SFS hiring fairs we can make on-the-spot
offers and immediately get the process started, and that shaves
2 weeks off.
Mr. Rogers. I would love to take the lead on helping you
with that particular issue. I think the Scholarship for Service
program is a very under-used tool. So if you will get with me,
let me know whatever you need, I will take the ball and run
with that.
Thank you, Mr. Chairman.
Mr. Krebs. Thank you.
Mr. Richmond. The gentleman from Alabama yields back. I now
recognize the gentlewoman from New York, Miss Rice, for 5
minutes.
Miss Rice. Thank you so much, Mr. Chairman.
Director Krebs, as you responded in--as you said in
response to a question by Mr. Langevin, it is clear that it is
going to be up to Congress to translate many of the Cyberspace
Solarium Commission's recommendations into legislation, or
legislative proposals. But I think it is worth noting that the
fiscal year 2021 budget request would not advance the
Solarium's vision for CISA, which I think is problematic, to
say the least.
But my question is how is--how do you plan to invest in 5G
security and resilience, supply chain security, and election
security with less money?
Mr. Krebs. So if you look at the past 3 years, we started
from scratch. I will use election security as an example. We
started from scratch. We had zero election-specific money. Over
the past 3 years Congress has invested about $102 million in
our election security effort. Last year was about--it was about
$43 million. The fiscal year 2020 budget--2021 budget has, I
think it is, about $30.5 pegged against election security.
What we are using that, those funds, to do is, yes, provide
specific election capabilities, but also invest in broader
capacity and capabilities within the agency on vulnerability
management, threat hunting, any of those sorts of
vulnerabilities--scanning capabilities, remote penetration
testing. So we will continue to do that. The more we put in
there, it will directly benefit elections, but also the broader
critical infrastructure community.
But again, with more I can always do more. So, again,
whatever you will, of course, appropriate, we will be able to
implement and execute against.
Miss Rice. So I think one of the problems with the election
interference is--putting aside what the intent is, putting
aside what countries like Russia and China--what specific
candidate they are trying to help, put that determination
aside. When you look at just the overwhelming amount of
disinformation that is out there, how do you address that
issue?
So if a specific campaign sees this just repeated
disinformation--that, obviously, we will just assume is
negative--against one particular person, what do you suggest a
campaign--and whether it is a Republican or a Democratic
campaign, because disinformation is at the heart of what is
happening here, and it--you know, the attempt to sway the
opinions of everyday Americans.
So how would you suggest that people and campaigns handle
that?
Mr. Krebs. So, stepping back a little bit in the broader
disinformation issue, and countering disinformation, we tend to
view it as a supply and demand problem. On the supply side, you
actually--you have these--or the influence operators, whether
it is Russia, Iran, China, whomever it is, doesn't matter,
pushing that information. Right?
So there are capabilities across the intelligence
community, the law enforcement community, within the private
sector on the social media platforms that can disrupt that
supply, but do it in a content-neutral way that is more about
tagging actors, sharing those, illuminating campaigns.
You know, I got to give a lot of credit to the social media
organizations for--you know, compared to 2016, we are light
years ahead of where we were. Is there room to improve?
Absolutely. There is more that can be done, particularly with
encouragement, I think, from the Congress.
But there is another side to all of this.
So, specific to your question, if you see it, report, you
know, send it in to the FBI, send it to the social media
platforms. They have dedicated teams that are monitoring, but
also have intake mechanisms so that they can identify and then
take down these campaigns.
But the more important aspect of this--so we are--this is a
Whack-a-Mole game if we are always chasing the latest disinfo
campaign. What we have got to do is focus also on the demand
side. The demand side is the American people. So how do we
create a more discerning public, a more informed, educated
public on the things that are happening across the news and the
media and the social media platforms they see?
So that is what we have put a lot of effort into, and
that--you know, I think probably the most known, well-known
thing we have done there is the War on Pineapple, which was
last year we launched a program that distilled down how
disinformation operations work, how the Russians do it, but we
did it not in a way that it is Russia, it is whether you like
pineapple on your pizza or not. So it is a very kind of non-
confrontational issue, but it is educational. We got
Secretaries of State, election directors involved, pitted on
either side. Even the--I think the armed forces of Canada got
involved in the whole thing, so we had a foreign influence
operator in here, but it doesn't matter.
[Laughter.]
Mr. Krebs. Anyway, it was educational. It actually took
off. People started to get it.
So there is a civic education opportunity in front of us,
and those are the things we are looking to do with the social
media platforms, as well as academia and some of the other
nonprofits that are involved here.
Miss Rice. I would like to follow up with you on that.
Thank you very much.
I yield back.
Mr. Richmond. The gentlelady from New York yields back. I
now recognize the gentleman from North Carolina, Mr. Walker,
for 5 minutes.
Mr. Walker. Thank you, Mr. Chairman.
Mr. Hentz, is that the correct--so yes. Since the military
doctrines of Russia, China, North Korea, and Iran include EMPs,
electromagnetic pulse attacks, with their cyber strategies, and
that our civilian infrastructure is highly vulnerable to EMPs,
how is DHS addressing the existential threat of an EMP attack
so that Americans can be assured they are safe?
Mr. Hentz. Thank you for the question. So what we have
done, specifically, is formed a very tight relationship with
CISA, who, from the Department, owns the mission space, per the
18 NDA, I believe it was, to ensure that there is a cooperative
public-private partnership between their organization and
critical infrastructure owner-operators.
What we have done, specifically, is a T&E assessment to
help with a better understanding of how one might go about
shielding their critical infrastructure, how to better
obfuscate critical elements that might be subject to EMP, GMD,
and other types of solutions, and then working with CISA,
propagate that information throughout the mission spaces
through which they operate to ensure that everyone has good
hygiene practices.
But at the end of the day, what we are really driven by is
a demand signal from CISA and its mission partners in the field
to help inform what our R&D should be.
Mr. Walker. Thank you for that answer.
Director Krebs, CISA has started their team closely
monitoring the coronavirus, and is working with critical
infrastructure partners to prepare for possible disruptions
that--they may stem from wide-spread illnesses. How is the
agency ensuring the disruptions are minimized to critical
infrastructure sectors such as the emergency services sector,
or the nuclear reactors, materials, and waste sector, both of
which DHS has designated as the sector-specific agency in the
event of a large outbreak?
Can you address some of that?
Mr. Krebs. Yes, sir. So we established within CISA about--
it was early February we stood up an enhanced coordination
cell, and designated a mission manager. So that really was--is
the nexus of all COVID-related activity within the agency.
Under that we have got a series of lines of effort. The
first line of effort is physical protective measures and
recommendations. That typically takes CDC guidance, and then
applies sector-specific guidance on top. That looks at
different business models: ``If you are heavy into public
engagement, like a hotel or a sporting venue, here are the
things you should be doing.'' But it also looks at industrial
environments, including pipelines, chemical, electricity.
We also have a line of effort focused on cybersecurity. So,
as organizations move to telework, what are the cybersecurity
considerations? Because the attack profile changes. You might
be using more VPNs, so make sure you have got your Citrix and
other VPNs patched, things like that.
But also targeting and looking into the phishing campaigns
that we have already seen the bad actors using as an incentive
or enticement to get people to click on links.
We are also looking at these continuity of the economy
aspects, as I already talked about, those 4 elements of how a
function may be degraded.
Then, looking deeply at disinformation, as well, so working
with our intelligence community partners of how is disinfo
playing out across COVID, and this is important in the election
space. Particularly, we had a call last week with about 600
State and local election officials about, you know, what are
the hygiene practices they can take, but also what are we
seeing in the disinfo space, and how can we dispel any sort of
coronavirus or COVID impacts on voter turnout, for instance.
You are already starting to see some of those discussions
take place into action. Earlier this week Secretary Frank
LaRose from Ohio announced that any voting precincts in nursing
homes or assisted living communities will be moved out----
Mr. Walker. OK.
Mr. Krebs [continuing]. They will not be taking place. So
we think that is a great outcome that we need to--we want to
continue pushing that information----
Mr. Walker. A very thorough answer. My follow-up, would a
decrease in funding for fiscal year 2021 threaten the
functionality or security of any of these components that you
mentioned if an outbreak were to occur?
Mr. Krebs. So I think, based on the 2020 budget, we have
been able to build capacity. The 2021 budget will allow us to
continue that activity. I think what you would see is
enhancements wouldn't be able to happen, necessarily. That is
one thing that we are looking at right now on COVID with the
National Risk Management Center, in particular, what additional
analytic capability do we need to bring in right now to do
prospective analysis. That, of course, is going to continue,
likely, past the fiscal year break.
Mr. Walker. So security, not necessarily compromised, but
enhancements moving forward would be inhibited. Is that fair?
Mr. Krebs. I think steady--it is--you know, we can maintain
what we have, but we see the threat landscape shifting, and so,
you know, the ability to further invest in capabilities, I
think, would benefit.
Mr. Walker. Thank you, Mr. Chairman. I yield back.
Mr. Richmond. Thank you, the gentleman from North Carolina
yields back. I now recognize the gentlewoman from Michigan, Ms.
Slotkin, for 5 minutes.
Ms. Slotkin. Great. Thanks to both of you for being here.
Mr. Hentz, I am interested in this idea of how the
Department of Homeland Security can move new ideas,
particularly on the issue of border security, new technology
that might help us secure our borders more efficiently. How do
you take that right now, from pilot project to actual scaled
use?
It is a problem we have in the Defense Department. I am on
the Armed Services Committee. I have a bill that is trying to
bridge this gap. But can you explain to us, and potentially
explain some of the gaps we have in going from great idea that
maybe the private sector has to a scalable, usable piece of
technology?
Mr. Hentz. Sure. So thank you for the question.
The first thing that we try to do is get a really refined
understanding of what the operational gap is from that
component.
So, in this case, let's say, we are working with CBP. We
established them as a board of director-type member for our
innovation approach. What we have done is stood up capabilities
such as the Silicon Valley Innovation Program--it is more so
about the idea of finding unique innovation in industry--and we
paired those innovators, those non-traditional performers, with
those operators.
Once they completely understand the use case, what we do is
almost like a shark tank-like type of approach to determining
whether or not their solution is actually, No. 1, usable and
effective in an operational environment, and then, No. 2, does
it then scale?
Now, where the deficiency is, such--I think you are going
for, is that we, as an S&T organization, we don't have
acquisition authority. So, while we may go off and find these
unique end-state types of solutions that are coming out of the
emerging market, it is still incumbent upon the operator, like
a CBP or a CISA, to program for those acquisitions. Because we
don't have that authority, we don't then, by definition, go off
and buy that solution for that operational component.
So I think that that is one of the main----
Ms. Slotkin. Yes.
Mr. Hentz [continuing]. Deterrence for quick adaptation.
The other is more predictability around other transactions
authorities. By us using other transactions authorities, or the
operators using 880 authority, that would also give the
Department a head start, a jump, if you will, where it is not a
big, traditional acquisition.
Ms. Slotkin. Yes. So I am working on a bill with some of my
colleagues across the aisle called the Intel at Our Borders
Act, which basically requires the Department to provide a
comprehensive strategy on how to integrate some of these new,
emerging technologies. It is actually something CBP, our local
folks in Michigan, the Northern Border, have been super excited
about. They have helped us draft the bill.
So more to follow, but we would love any notes for the
record on what would be helpful for you to actually make this
more effective.
Director Krebs, I just want to thank you for your approach
to this committee. I know it is a strange thing for both of you
to be up here sort-of defending your budget which cuts your
budget, but knowing that we will put money back in your budget.
That is a complicated thing to do, and I want to thank you for
having your--I think it is--he is your assistant director for
cybersecurity--Bryan Ware came up and did a briefing, sort of a
get-to-know-you thing, and that stuff makes such a difference
when you are talking to a committee that is looking to help
your department. So thank you for doing that.
Can you tell me--we--I constantly do these events with my
local governments, who feel pretty wholly unprepared to manage
cybersecurity on their own. They just--some of them are working
part-time, this is not their primary job. They are trying to do
their best. I know that we have put in--again, like, this
committee has been great about talking about building up
resources for our local officials to provide for themselves.
But in your perfect world, you know, it seems like we can't
keep doing this, where we are expecting really small
communities to defend themselves. They hold the private data of
our residents. So what has to happen? Where are we going? Help
us forecast how we are going to better protect ourselves, since
our local communities are on the front lines.
Mr. Krebs. So it is going to require--and, yes, I think
about this almost nonstop, and nowhere is this more acute than
in election security, of course, with 8,800 jurisdictions
across the country that are managing, in a lot of cases,
significantly outdated systems. They are just operating from a
lack of funding.
So I think there are a couple of challenges here.
First is just the governance aspects, when you have just
this diversity of ways that States manage, or are able to
manage, based on home rule or otherwise, requirements across
distributed counties and jurisdictions.
There is also a funding issue, of course. The States just
have significantly different funding profiles than the Federal
Government that can run a deficit.
Then, just the availability to services. There is not a lot
of acquisition leverage or procurement leverage when you are
talking about a local jurisdiction.
So, at the governance piece, we are continuing to just
raise awareness with State governments, with State
legislatures. You know, my theory is that awareness leads to
investment, which builds capabilities. We are going to have to
continue beating the drum on cybersecurity awareness. That is,
I know, sometimes a shocking thing to hear, that people still
need to be made aware of cyber risks, but it just--it remains
the case. We need the leadership to understand this.
The second thing on the funding, understanding that there
are a couple different bills floating around on providing
grants to State and locals, I think those are certainly useful
things we need to work through, and we need to get to a spot
where, like FEMA has, the Disaster Relief Fund, you know, what
does a cyber equivalent look like? But, at the same time, we
are not sitting back and waiting. We--in the recent FEMA/
Homeland Security grant program, which I am sure you all heard
from your chiefs of police and emergency management, we did put
some requirements in there for cybersecurity and election
security investments, which, over the last 7, 8, probably 10
years, has been a National preparedness report, key area of
lack of preparation.
Then, last, what more can I do in the Federal Government
space to provide additional services out to Federal partners?
So the continuous diagnostics and mitigation platform, for
instance, is something that we can open up. It is on the GSA
schedule, we can do that. Some States don't have the ability to
buy from GSA, so we need to change that behavior, but also make
things affordable.
The DOTGOV Act, which allows for the actual .gov domains to
open up. There is a $400 requirement. Four hundred dollars in
local jurisdictions in Michigan or elsewhere, that is a
difference-maker. That can be, you know, somebody's bonus. So
these are the things we need to work through.
Then last, we are making--we are working through standing
up a protective DNS service for the Federal Government. How do
we open that recursive protective DNS program or platform for
State and locals, as well? I see centralization and opening up
services like that as the key to changing risk outcomes for
State and local partners.
Mr. Richmond. The time of the gentlelady from Michigan is
expired. I now recognize the gentlelady from Illinois, Ms.
Underwood, for 5 minutes.
Ms. Underwood. Thank you, Mr. Chairman.
Several weeks ago a school district that serves my
community in Crystal Lake, Illinois was hit with a ransomware
attack. The school officials did pretty much everything right.
They took the servers off-line, they protected sensitive data,
they avoided major disruptions in student learning, they
planned ahead. They even had a cyber insurance policy. But it
still took over a month to get the student computers back on-
line, and the attack cost over $800,000, not all of which is
covered by even good insurance.
The fact is that ransomware attacks our business, and that
business is good. While both CISA and Congress have made
important steps, they aren't enough for schools like those in
Crystal Lake.
So, Director Krebs, can you tell us more about the profile
of these kinds of attackers, and are they nation-state actors
or affiliates, organized cyber criminals, lone actors? Can you
just say something about the----
Mr. Krebs. Yes, ma'am. I am smiling because your
``ransomware is business, and business is good'' line, I have
used that before, and it is absolutely what is going on.
Ms. Underwood. Yes, sir.
Mr. Krebs. So the way we look at ransomware right now is
there are kind-of 3 things that are going to have to change.
First is we have to continue investing in the defensive
side. Yes, they did all the right things, but I am sure that,
when you go and do the post-mortem, there were elements that
could have been implemented to protect. You know, really, what
we are finding is just some simple measures like multi-factor
authentication, appropriate Windows administration, lease
privilege, things like that can just stop it from happening,
and then go to the next partner. The--or the target.
The second thing we have to do is disrupt the economic
model, disrupt the business model.
Ms. Underwood. Right.
Mr. Krebs. It--like you said, business is good. That is why
it continues. So how do we disrupt that? Are there things we
can do, the Congress can do to target the ransomware actors, to
take a look at actually paying out ransomware, whether that is
a public policy issue or not? I think that is a good question
that we need to take a hard look at.
Then the third thing we have to do is what more can the
Federal Government do, not just from a defensive side, but from
more of an aggressive, almost defend-forward perspective, do to
disrupt these behaviors? You know, we know where these guys
operate. They are not in the United States, they are in Russia
and elsewhere. What can we do to put additional pressure on
them from the intelligence community and from the Department of
Defense and----
Ms. Underwood. But would you characterize the actors--how
would you characterize the attackers themselves?
Mr. Krebs. The actors themselves are criminals.
Ms. Underwood. OK.
Mr. Krebs. They are straight-up criminals. Not necessarily,
you know, in this case--you know, I mentioned Russia, so it is
not like they are necessarily FSB, but they are cyber criminals
operating in the sovereign space of some of our adversaries in
some cases.
Ms. Underwood. Yes. So I thank you for outlining those next
steps that we can all take to protect our communities and
critical assets that we all have within our own organizations
from ransomware attacks.
I do think that there is more room for leadership from CISA
and from law enforcement here.
Mr. Krebs. Yes, ma'am.
Ms. Underwood. My constituents weren't sure, for example,
whether to leave the evidence of the attack intact, or to try
to get the operation up and running quickly to serve their
students.
So, if you can just offer, you know, advice for what to do
for communities that are experiencing this type of attack----
Mr. Krebs. So we have issued a significant amount of
guidance and best practices, not complicated, 80-page guidance
stuff, but 1-page, 2-page sort-of guidance for our partners.
One thing that I don't think we have explored quite enough
is working with you and Congress, understanding the influence
you have back home----
Ms. Underwood. Right.
Mr. Krebs [continuing]. With your partners in the school
districts and the public health community. Please encourage
them to work with us. There are things that we could do to help
them to make sure that they don't have that bad day.
Ms. Underwood. Right.
Mr. Krebs. Because $800,000 to a small community in your
jurisdiction----
Ms. Underwood. It is significant.
Mr. Krebs. It is. That can be back-breaking in some cases--
--
Ms. Underwood. So do you think that there are technical
standards that hardware and software products should meet in
order to limit their vulnerability to ransomware attacks?
Mr. Krebs. Again, a lot of this ransomware is just a matter
of somebody clicking on a link. It is often delivered by spear
phishing. In some cases it is delivered by a remote desktop
protocol, ports being open, things like that. So this is not
necessarily a hard sec or software sec issue. It is
configuration. It is Windows administration, Windows
administration, Windows administration.
Ms. Underwood. Right.
Mr. Krebs. Those are the sorts of things that we need to
invest in. It is just awareness, and how can we just configure
from the get-go better postures.
Ms. Underwood. OK. So Mr. Cuccinelli, your colleague, is
going to be coming to testify before the larger committee this
afternoon, and he has said that CISA has been assessing
``issues of concern,'' potential impacts to infrastructure from
coronavirus in the event of significant community spread in the
United States. Those are clips of his quotes.
Significant community spread is already happening. So,
Director Krebs, can you just talk about what impacts to
critical infrastructure that you are seeing, and what should
our States and localities expect to come in the weeks and
months?
Mr. Krebs. Yes, ma'am. So we are trying to break it out
from the tactical today, and the PPE, or the personal
protective equipment----
Ms. Underwood. Yes.
Mr. Krebs [continuing]. That is out there into the more
strategic, longer-term analysis. I talked about it a little bit
earlier, but through our National Risk Management Center, and
the National critical functions approach, what we are trying to
do is understand what those key elements of degradation might
be.
We have identified 4 key aspects. The first is disruption
of a commodity, of a key commodity, like a widget in a--that
would go into a car, some sort of device that would go into a
car that would prevent it from rolling off the line, for
instance.
The second is workforce disruption. So whether it is
absenteeism, sick-outs, or other sorts of issues, particularly
across different business models.
The third and fourth are more about the demand. So, in some
cases, like N95 you would have an increase of demand, where you
can't meet it.
Ms. Underwood. Right.
Mr. Krebs. Then the other, the fourth element, is a
cratering of demand. That could be, in some cases,
transportation. So we try to pull those all together.
We are seeing automotive, we are seeing IT and comms
disruptions, and then also soft goods.
Ms. Underwood. Well, as you are publishing documents to the
communities about those, can you keep our committee informed?
We appreciate it.
Thank you, and I yield back.
Mr. Richmond. The time of the gentlelady is expired. I want
to thank the witnesses for their valuable testimony, and the
Members for their questions.
The Members of the committee may have additional questions
for the witnesses, and we ask that you respond expeditiously in
writing to those questions.
Without objection, the committee records shall be kept open
for 10 days.
Hearing no further business, the committee is adjourned.
[Whereupon, at 12:13 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Hon. Sheila Jackson Lee for Christopher C. Krebs
Question 1. Director Krebs, I represent Houston, Texas. It is one
of the largest metropolitan cities in the country, hosts one of the
busiest international airports and is also home to one of the largest
export hubs in America. As of yesterday, there were 13 cases of COVID-
19 in Texas.
First, what are you doing, and what is the Government doing, to
spread true information about the virus and its potential impacts?
Answer. Response was not received at the time of publication.
Question 2. In last week's CISA Insights document, you identified 4
risk management strategies related to supply chain security and the
Coronavirus (COVID-19).
For the record, can you tell me what advice CISA is giving to help
States and industry prepare and be resilient against a COVID-19
pandemic?
Answer. Response was not received at the time of publication.
Question 3. How is the Department of Homeland Security preparing
State and local election administrators for the November Election given
Coronavirus will still be with us until there is a vaccine?
Answer. Response was not received at the time of publication.
[all]