[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

RESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY DIRECTORATE

HEARING BEFORE THE SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION OF THE COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION

MARCH 11, 2020

Serial No. 116-68

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
42-345 PDF
WASHINGTON : 2021

COMMITTEE ON HOMELAND SECURITY

Bennie G. Thompson, Mississippi, Chairman

Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
Donald M. Payne, Jr., New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Xochitl Torres Small, New Mexico
Max Rose, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Emanuel Cleaver, Missouri
Al Green, Texas
Yvette D. Clarke, New York
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida

Mike Rogers, Alabama
Peter T. King, New York
Michael T. McCaul, Texas
John Katko, New York
Mark Walker, North Carolina
Clay Higgins, Louisiana
Debbie Lesko, Arizona
Mark Green, Tennessee
John Joyce, Pennsylvania
Dan Crenshaw, Texas
Michael Guest, Mississippi
Dan Bishop, North Carolina
Jefferson Van Drew, Texas

Hope Goins, Staff Director
Chris Vieson, Minority Staff Director

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION

Cedric L. Richmond, Louisiana, Chairman

Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Kathleen M. Rice, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Bennie G. Thompson, Mississippi (ex officio)

John Katko, New York, Ranking Member
Mark Walker, North Carolina
Mark Green, Tennessee
John Joyce, Pennsylvania
Mike Rogers, Alabama (ex officio)

Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director

C O N T E N T S

Statements

The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable John Katko, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security:
  Prepared Statement
The Honorable Mike Rogers, a Representative in Congress From the State of Alabama, and Ranking Member, Committee on Homeland Security:
  Oral Statement
  Prepared Statement

Witnesses

Mr. Christopher C. Krebs, Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Andre Hentz, Acting Deputy Under Secretary for Science and Technology, U.S. Department of Homeland Security:
  Oral Statement
Mr. William Bryan, Senior Official Performing the Duties of the Under Secretary for Science and Technology Directorate, Science and Technology Directorate, U.S. Department of Homeland Security:
  Prepared Statement

Appendix

Questions From Hon. Sheila Jackson Lee for Christopher C. Krebs

RESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY DIRECTORATE

Wednesday, March 11, 2020

U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Washington, DC.

The subcommittee met, pursuant to notice, at 11:05 a.m., in room 310, Cannon House Office Building, Hon. Cedric L. Richmond [Chairman of the subcommittee] presiding.

Present: Representatives Richmond, Thompson, Jackson Lee, Langevin, Rice, Underwood, Slotkin; Katko, Rogers, Walker, Green, and Joyce.

Mr. Richmond. Good morning. I would like to thank Director Krebs and Acting Deputy Under Secretary Hentz to discuss the fiscal year 2021 budget priorities for the Cybersecurity and Infrastructure Security Agency, CISA, and the Science and Technology Directorate, S&T. Before I begin I would like to commend my colleague, Congressman Jim Langevin, for his work on the Cyberspace Solarium Commission. The Solarium Commission's final report will be formally released hours from now, and I look forward to working with you and Chairman Thompson to codify important recommendations aimed at empowering CISA and better securing our elections. I understand Director Krebs was very engaged in the cyberspace solarium.
Toward that end, I will be interested in knowing if the fiscal year 2021 budget request from CISA is sufficient to implement the recommendations aimed at increasing CISA's capacity and, if not, what additional resources will be necessary. At the outset I want to debunk the myth that the Federal agencies can do more with less. I support eliminating waste and increasing efficiency, but the fact is that with more you can do more. Technology is evolving and creating opportunities for our adversaries to hack critical infrastructure, disrupt our elections, and hold State and local government networks hostage. CISA must be equipped to be an effective Federal partner and S&T must be positioned to develop and identify technology to strengthen our defenses. The President's fiscal year 2021 budget fails to do either of those important components. Last year committee Democrats led a bipartisan letter to appropriators seeking additional funding for CISA's cybersecurity mission. Together we succeeded in increasing CISA's cyber budget by $350 million, accelerating efforts to secure Federal networks, and ramping up CISA's threat analysis and response capabilities for private-sector critical infrastructure owners and operators and State and local governments. Despite bipartisan support for an increase in CISA's cybersecurity budget, the President's budget cuts it by over $150 million. I don't understand how a cut of that magnitude makes communities trying to defend themselves against ransomware attacks, Federal networks, or critical lifeline services, from power to communications, any more secure. Director Krebs, you know your mission. I want to know what resources you need to do it. I would also like to express my concern about the administration's decision to eliminate the CFATS program. To the best of my knowledge, there is no intelligence that suggests that the security risk to chemical facilities has diminished. 
There is no evidence that a voluntary security framework will yield the same security results as a regulatory program. You can be certain that members of this committee will not allow CFATS to expire. I am also concerned about the administration's continued efforts to cut S&T. Last fall this committee held a hearing exploring the security threats posed by emerging technologies. Despite ample evidence that U.S. investment in research and development is lacking, this budget cuts research and development for cybersecurity, as well as important university programs and centers of excellence. We cannot afford to continue to defer investments in R&D, and I will work hard to restore funding. Before I close, I want to make clear my expectation that Members of this committee will receive accurate, candid intelligence about threats to our elections. Last month the intelligence community's assessment of whether the Russian Government's influence activities were intended to advance the President's re-election appeared to change overnight, because the President did not like the intelligence. As Members of Congress, we must have the information necessary to understand the threat and ensure you have budget and resources you need to defend against sophisticated cyber threats. With that, I thank the witnesses for being here, and I yield back the balance of my time.

[The statement of Chairman Richmond follows:]

Statement of Chairman Cedric L. Richmond
March 11, 2020

The Solarium Commission's final report will be formally released hours from now, and I look forward to working with you and Chairman Thompson to codify important recommendations aimed at empowering CISA and better securing our elections. I understand Director Krebs was very engaged in the Cyberspace Solarium.
Toward that end, I will be interested in knowing if the fiscal year 2021 budget request for CISA is sufficient to implement the recommendations aimed at increasing CISA's capacity and, if not, what additional resources will be necessary. At the outset, I want to debunk the myth that Federal agencies can do more with less. I support eliminating waste and increasing efficiency, but the fact is that with more you can do more. Technology is evolving and creating opportunities for our adversaries to hack critical infrastructure, disrupt our elections, and hold State and local government networks hostage. CISA must be equipped to be an effective Federal partner and S&T must be positioned to develop and identify technology to strengthen our defenses. The President's fiscal year 2021 budget fails both of these important components. Last year, Committee Democrats led a bipartisan letter to appropriators seeking additional funding for CISA's cybersecurity mission. Together, we succeeded in increasing CISA's cyber budget by $350 million, accelerating efforts to secure Federal networks and ramping up CISA's threat analysis and response capabilities for private-sector critical infrastructure owners and operators and State and local governments. Despite bipartisan support for increasing CISA's cybersecurity budget, the President's budget cuts it by about over $150 million. I don't understand how a cut of that magnitude makes communities trying to defend themselves against ransomware attacks, Federal networks, or critical lifeline services--from power to communications--any more secure. Director Krebs, you know your mission. I want to know what resources you need to do it. I would also like to express my concern about the administration's decision to eliminate the CFATS program. To the best of my knowledge, there is no intelligence that suggests that the security risks to chemical facilities have diminished.
There is no evidence that a voluntary security framework will yield the same security results as a regulatory program. You can be certain the Members of this committee will not allow CFATS to expire. I am also concerned about the administration's continued efforts to cut S&T. Last fall, this committee held a hearing exploring the security threats posed by emerging technologies. Despite ample evidence that U.S. investment in research and development is lacking, this budget cuts R&D for cybersecurity as well as important University Programs and Centers of Excellence. We cannot afford to continue to defer investments in R&D, and I will work hard to restore funding. Before I close, I want to make clear my expectation that Members of this committee will receive accurate, candid intelligence about threats to our elections. Last month, the intelligence community's assessment of whether the Russian government's influence activities were intended to advance the President's re-election appeared to change overnight because the President did not like the intelligence. As Members of Congress, we must have the information necessary to understand the threat and ensure you have budget and resources you need to defend against sophisticated cyber threats.

Mr. Richmond. I would recognize the Ranking Member of the committee, Mr. Katko, for 5 minutes.

Mr. Katko. Thank you, Mr. Chairman. Thank you, Mr. Krebs, for being here. Thank you also for participating yesterday in the election security briefing. It was very helpful and informative and, as always, your input was well received. I want to echo the sentiments of my colleague, the Chairman, about the cyber solarium and the work that has been done on it. I know you were an integral part of that, and I know Mr. Langevin has, as well. I look forward to a bipartisan effort implementing as many, if not all, of his policies into law and--on the Homeland side. Working closely with both sides now to get that done is, I think, critical.
Our Nation faces digital and physical threats daily that have the potential to disrupt, damage, and destroy their targets. These threats will only grow in magnitude, frequency, and sophistication in years ahead, as you well know, as cyber adversaries, particularly nation-state actors, seek political, economic, and National security advantages. The Federal Government works with public and private-sector partners to prevent and deter current threats, but also to plan for the future. The Cybersecurity Infrastructure Security Agency Act, or CISA, was tasked by Congress in 2018 to serve as the Nation's risk advisor, providing for the timely sharing of information, analysis, and assessment, and facilitating resilience building and mitigation in the .gov domain, State and local governments, and the private sector across industries. Today we will take a closer look at CISA's plans and how they intend to carry out and achieve their mission. I must say I agree with Ms.--the chair. Cutting CISA's budget is not a really good idea at all. In fact, the opposite is true. We need to expand your resources so you can better handle the emerging threats. CISA is responsible for securing the civilian Federal networks, monitoring emerging threats across sectors 24/7/365, securing our Nation's chemical facilities, advising State and local governments on election security, partnering with the public and private sector to protect soft targets in crowded places, and identifying and addressing risks to our National critical functions. During the past year CISA completed its transition to a stand-alone agency subject to DHS oversight. I am very interested in hearing how strengthening CISA's authorities could further clarify civilian cybersecurity risk management authorities, and CISA's role as a convener of public-private partnerships. 
As we have spoken in private, and in my office, and elsewhere, I am very interested in you telling us what else you need, and you know we will respond if you tell us what you need. I encourage you not to be shy about it, Mr. Krebs. I look forward to hearing about CISA's plans to continue its progress securing our supply chain and tackling risk to our National critical functions and election infrastructure. Finally, I invite you to share insights on CISA's work with State and local governments to secure the 2020 elections from the hindsight of Super Tuesday and other election primaries. We will also hear from the Directorate of Science and Technology, or S&T, about how they plan to execute their mission in the year ahead. S&T, through partnerships with the Federal Government, academia, and industry, develops innovative solutions to aid the Department of Homeland Security in achieving its mission more effectively, efficiently, and affordably. I look forward to hearing from both of our witnesses and my colleagues to see how we can work together--and the keyword is ``together''--to ensure DHS is capable of protecting our Nation from digital and physical threats. This is the inherently bipartisan effort we are all involved in, and we should proceed in that manner. With that I yield back.

[The statement of Ranking Member Katko follows:]

Statement of Ranking Member John Katko

Thank you, Mr. Chairman, for holding this hearing, and thank you to our distinguished witnesses for being here today. Our Nation faces digital and physical threats daily that have the potential to disrupt, damage, and destroy their targets. These threats will only grow in magnitude, frequency, and sophistication in the years ahead as cyber adversaries, particularly nation-state actors, seek political, economic, and National security advantages. The Federal Government works with public and private-sector partners to prevent and deter current threats, but also to plan for the future.
The Cybersecurity and Infrastructure Security Agency Act, or CISA, was tasked by Congress in 2018 to serve as the Nation's risk advisor, providing for the timely sharing of information, analysis, and assessment, and facilitating resilience building and mitigation in the .gov domain, State and local governments, and the private sector across industries. Today we will take a closer look at CISA's plans and how they intend to carry out and achieve their mission. CISA is responsible for: Securing the civilian Federal networks; monitoring emerging threats across sectors 24/7/365; securing our Nation's chemical facilities, advising State and local governments on election security; partnering with the public and private sector to protect soft targets and crowded places; and identifying and addressing risks to our National critical functions. During the past year CISA completed its transition to a stand-alone agency subject to DHS oversight. I am interested in hearing how strengthening CISA's authorities could further clarify civilian cybersecurity risk management authorities and CISA's role as a convener of public-private partnerships. I look forward to hearing about CISA's plans to continue its progress securing our supply chain and tackling risks to our National critical functions and election infrastructure. Finally, I invite Director Krebs to share his insights on CISA's work with State and local governments to secure 2020 elections from the hindsight of Super Tuesday and other election primaries. Today we also will hear from the Science & Technology Directorate, or S&T, about how they plan to execute their mission in the year ahead. S&T, through partnerships within the Federal Government, academia, and industry, develops innovative solutions to aid the Department of Homeland Security in achieving its mission more effectively, efficiently, and affordably. 
I look forward to hearing from both our witnesses and my colleagues to see how we can work together to ensure DHS is capable of protecting our Nation from digital and physical threats.

Mr. Richmond. The gentleman from New York yields back. I now recognize the Ranking Member of the full committee to give an opening statement. Mr. Rogers.

Mr. Rogers. Thank you, Mr. Chairman, and thank you for holding this important hearing. I want to thank the witnesses for being here, and taking the time to prepare for these hearings. I know it takes a lot of time, and that you have got other things to do, but we appreciate it. It is very helpful to us. Today's threats can be cyber, or physical, or man-made, or natural. They can emerge from nation-states, criminal organizations, or terrorists. Just in the last 2 months we have dealt with cyber threats from Russia and Iran, ransomware attacks and disinformation campaigns on social media. These are the threats we know about. Many more may be lurking on the networks. Unless we do something about it, these threats will only grow. CISA is the agency Congress created to do something about this. CISA's work is critical. That is why I was disappointed to see this year's budget request for the agency. I am very concerned that any cuts like this would undermine CISA's ability to successfully carry out its mission. But I do take comfort in knowing, from my 18 years here, that the President only proposes budgets; we write budgets. I can tell you these cuts are not going to take place. I look forward to hearing from Director Krebs on how he intends to mitigate the growing cybersecurity threats with a smaller budget, if that were to happen. I also look forward to hearing from S&T on the important work it is doing to develop new technologies to defend our homeland.

[The statement of Ranking Member Rogers follows:]

Statement of Ranking Member Mike Rogers
March 11, 2020

Thank you, Mr.
Chairman, for holding this hearing, and to our witnesses for being here today. Today's threats can be cyber or physical, manmade or natural. They can emerge from nation-states, criminal organizations, and terrorists. Just in the last 2 months, we've dealt with cyber threats from Russia and Iran, ransomware attacks, and disinformation campaigns on social media. These are the threats we know about. Many more may be lurking on our networks. Unless we do something about it, these threats will only grow. CISA is the agency Congress created to do something about it. CISA's work is critical. That's why I was disappointed to see this year's budget request for the agency. I'm very concerned these cuts will undermine CISA's ability to successfully carry out its critical mission. I look forward to hearing from Director Krebs on how he intends to mitigate growing cybersecurity threats with a smaller budget. I also look forward to hearing from S&T on the important work it's doing to develop new technologies to defend our homeland.

Mr. Rogers. With that, Mr. Chairman, I yield back, and thank you.

Mr. Richmond. The gentleman yields back. Other Members are reminded that statements may be submitted for the record.

[The statement of Chairman Thompson follows:]

Statement of Chairman Bennie G. Thompson
March 11, 2020

Around this time last year, this subcommittee held a hearing to discuss the fiscal year 2020 budget request. At the time, Acting Secretary McAleenan had just replaced Secretary Nielsen amid a flurry of leadership changes throughout the Department of Homeland Security. Today you report to Acting Secretary Chad Wolf, the fifth person to serve as Secretary during this administration and the third to serve as Secretary since CISA became an operational component in November 2018. I have raised concerns about the lack of consistent leadership at the Department in the past, but I think it is particularly relevant in conversations about the future of CISA and S&T.
Both CISA and S&T play critical roles in defending the homeland. CISA is charged with coordinating the Federal efforts to defend critical infrastructure against physical and cyber attacks and protecting the .gov. S&T is responsible for putting cutting-edge technologies into the hands of DHS's boots on the ground to enable the workforce to do their jobs better and safer. Despite their critical missions, neither of these agencies are without their challenges. CISA has been an operational component for less than 2 years. As foreign adversaries increasingly rely on cyber tools to undermine our democratic institutions, surveil critical infrastructure networks, and hold State and local government networks hostage, Congress and the public have demanded more of CISA. But the Trump administration has never provided Congress with a candid assessment of how much funding is necessary for CISA to accommodate the increased demands for its services. The White House has been without a White House cybersecurity coordinator for nearly 2 years, leaving Federal agencies to coordinate cybersecurity activities amongst themselves. Although CISA's leadership has been steady and widely respected both within the Federal Government and among the private-sector stakeholder community, only a strong, Senate-confirmed Secretary can effectively advocate for CISA's budget needs and policy positions at the White House. In the absence of strong DHS leadership, the White House proposes to gut CISA's budget by over $250 million, cutting funding for cybersecurity activities and eliminating the Chemical Facility Anti-Terrorism Standards Program (CFATS). As a Member of Congress with a number of chemical facilities in my Congressional District and a long-time advocate for ensuring chemical facilities across the Nation are not weaponized by terrorists, I was particularly troubled to learn the administration supports eliminating the program.
I believe that if DHS had a permanent Secretary in place, the White House would not have proposed eliminating the program. Accordingly, on Monday, I introduced legislation to extend the CFATS program for 18 months, and I expect CISA to support that effort. I would also note that the lack of consistent leadership at DHS has similarly undermined S&T's mission. The Science and Technology Directorate has been a victim of too many ``course corrections'' to count and has struggled to solidify its position as the research and development hub among DHS's components. Moreover, its budget is most frequently raided to pay for the President's political promises or to cut spending in order to comply with budget caps. The President's fiscal year 2021 budget request is no different--reducing cyber R&D and cutting University Programs in half. We cannot continue to defer investments in R&D for homeland security technologies. A permanent Secretary would understand that. I will not ask either of you to explain how these proposed cuts will make us safer because they will not. Instead, I hope that you will be frank with Congress about the resources you need to do your jobs.

Mr. Richmond. Let me welcome our panel of witnesses. First I would like to welcome Chris Krebs, the director of the DHS Cybersecurity and Infrastructure Security Agency, back to testify before this panel. Director Krebs has been at the helm of DHS's cybersecurity activity since 2017, and he has been an integral player in shaping and developing the Department's election security capabilities. Next we have Mr. Andre Hentz. He is the acting deputy under secretary for science and technology. Deputy Under Secretary Hentz has been with S&T since 2014, and in his current role since 2017. Without objection, the witnesses' full statements will be inserted into the record. I now ask each witness to summarize his or her statement for 5 minutes, beginning with Dr. Krebs--Director Krebs, I am sorry.

Mr. Krebs. I will take doctor.
Mr. Richmond. I made you a doctor overnight.

[Laughter.]

STATEMENT OF CHRISTOPHER C. KREBS, DIRECTOR, CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY

Mr. Krebs. Chairman Richmond, Ranking Member Rogers, Ranking Member Katko, and Members of the subcommittee. Happy Cyberspace Solarium Report Rollout Day. Congressman Langevin, thanks for all your efforts there, and thank you for recognizing the significance and importance of CISA in the broader National cybersecurity efforts. So thank you for that. Thank you for today's opportunity to address the Cybersecurity and Infrastructure Security Agency's--CISA's--fiscal year 2021 budget. The 2021 budget provides meaningful investment in CISA's ability to lead the National effort to safeguard and secure critical infrastructure from cyber and physical threats. To accomplish this mission, we must work with our partners where they are, not where we are. Accordingly, this budget invests in additional field-based personnel that are located outside the D.C. Beltway, where our partners are found. My statement focuses on each of our priorities: Protection of Federal networks; election infrastructure security; securing operational technology; supply chain risk management; and soft target security. First, with Federal cybersecurity, across the Federal Government our ability to defend networks has improved. The budget will help CISA establish a cybersecurity shared services offering that will centralize, standardize, and deliver best-in-class cybersecurity capabilities to Federal agencies. Through this effort CISA will develop service standards, evaluate individual offerings, and oversee a marketplace of qualified cybersecurity services for Federal customers. We must also invest in our people. CISA is leading a Government-wide training program for all Federal cybersecurity professionals. This includes a rotational program, training program, and re-skilling academy.
Training cybersecurity professionals is a crucial part of closing the gap on workforce demands for CISA and across our Government. But perhaps the most high-profile threat today is attempts by nation-state actors to interfere in our elections. Over the last several years, as you heard yesterday, we have been--become close partners with the election community, and we are focusing on broadening the reach and depth of assistance, emphasizing the criticality of election auditability, prioritizing the need to patch vulnerabilities in election systems, and developing locality-specific cybersecurity profiles that officials can use to manage risk. Also, we are focusing on operational technologies or control systems, those components that operate our critical infrastructure. The increasing integration and connectivity of those technologies has vastly increased the potential impact of cyber threats. Included in this year's budget is funding to expand our control system security efforts, including sensing analytics and partner training platforms. We are also investing in our efforts to understand and manage supply chain security risks. CISA's Supply Chain Risk Management Task Force has brought together 20 Federal agencies and 20 of the largest companies in information communications sectors to reach consensus on how to best manage risk. We are not using--rather, we are using this forum to understand what is working and what is not, sharing best practices and crowd-sourcing solutions to close out supply chain risk management gaps. At CISA we also recognize that far too often our Nation is confronted with violent attacks on places such as entertainment venues, places of worship, and schools. Funding in this budget to support CISA's school safety initiatives, including stewardship of the Federal School Safety Clearinghouse, a one-stop shop for local officials to find resources that help provide children with a safe learning environment.
Before closing, research and development is critical to CISA's mission. CISA and S&T are committed to effective coordination. We are partnering to advance threat-driven cyber analytics and development of a cyber risk framework. This project is an important first step in the larger plan to enhance analytics in conjunction with big data and machine learning. In closing, I would like to briefly touch on my keys to success for CISA in 2020. Those keys to success are threefold: First, we must continue focusing on our strengths; second, we must seek strategic alignment with our interagency partners, not compete with them; and third, we must be a customer-centric organization. So what are our strengths? Convening, bringing a broad range of partners together to tackle tough challenges, sharing actionable information, and collectively identifying best practices for areas like Federal and State and local cybersecurity and soft target security. Who must we align with? Our partners in the intelligence community and law enforcement, the Department of Defense, and elsewhere in the civilian government. This is crucial, if we are going to be successful, for instance, in election security, as well as control systems. Last, if we are not intensely focused on our customers, we are doing it wrong. We must continue to push--to support out across this great Nation and help infrastructure partners big and small. Ransomware is the perfect example of how we must become a customer-centric organization. So with that, thank you for the opportunity to be here today. Thank you for your prior investments at CISA. I look forward to discussing this year's budget, and I look forward to your questions.

[The prepared statement of Mr. Krebs follows:]

Prepared Statement of Christopher C. Krebs
March 11, 2020

Good afternoon Chairman Richmond, Ranking Member Katko, and distinguished Members of the subcommittee, thank you for the opportunity to testify regarding the fiscal year 2021 President's budget for the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The fiscal year 2021 President's budget of $1.78 billion for CISA reflects our commitment to safeguard our homeland, our values, and our way of life. CISA strengthens the cybersecurity of Federal networks and increases the security and resilience of our Nation's critical infrastructure. Safeguarding and securing critical infrastructure is a core DHS mission. The fiscal year 2021 President's budget recognizes the criticality of this mission and ensures the men and women of CISA have the resources they need to achieve it. CISA defends the homeland against the threats of today, while working with partners across all levels of government and the private sector to secure against the evolving risks of tomorrow--``Defend Today, Secure Tomorrow.'' As the Nation's risk advisor, CISA is a hub of efforts to build National resilience against a growing and interconnected array of threats; organizing risk management efforts around securing the National Critical Functions that underpin National security, economic growth, and public health and safety; and ensuring Government continuity of operations. CISA marshals its wide-ranging domain expertise and central coordination role to guide partners in navigating hazards ranging from extreme weather and terrorism to violent crime and malicious cyber activity. We identify high-impact, long-term solutions to mobilize a collective defense of the Nation's critical infrastructure. The fiscal year 2021 President's budget for CISA has been reorganized under new budget lines to fully reflect the operational vision for CISA.
The CISA Act of 2018 reorganized the National Protection and Programs Directorate into an operational component, and the budget should reflect the new organization. For instance, management and operational watch activities that were previously spread across multiple budget lines are now merged into a single funding line that will serve as a nexus of cyber, physical, and communications integration. The new funding lines also combine all regional field operations, including Protective Security Advisors and Cybersecurity Advisors, into a single report channel. This enhances the ability of CISA to engage with critical infrastructure partners outside the beltway, where they are located. If adopted, this new structure will streamline authority, increase transparency, and better enable CISA to execute the funding.

CISA Priorities

Nefarious actors want to disrupt our way of life. Many are inciting chaos, instability, and violence. At the same time, the pace of innovation, our hyper connectivity, and our digital dependence has opened cracks in our defenses, creating new vectors through which our enemies and adversaries can strike us. This is a volatile combination, resulting in a world where threats are more numerous, more widely distributed, highly networked, increasingly adaptive, and incredibly difficult to root out. CISA is strengthening our digital defense as cybersecurity threats grow in scope and severity. The fiscal year 2021 President's budget continues investments in Federal network protection, proactive cyber protection, infrastructure security, reliable emergency communications for first responders, and supply chain risk management. CISA, our Government partners, and the private sector, are all engaging in a more strategic and unified approach toward improving our Nation's defensive posture against malicious cyber activity.
In May 2018, DHS published the Department-wide DHS Cybersecurity Strategy, outlining a strategic framework to execute our cybersecurity responsibilities during the next 5 years. Both the Strategy and Presidential Policy Directive 21--Critical Infrastructure Security and Resilience emphasize an integrated approach to managing risk. CISA ensures the timely sharing of information, analysis, and assessments to build resilience and mitigate risk from cyber and physical threats to infrastructure. CISA's partners include intergovernmental partners, the private sector, and the public. Our approach is fundamentally one of partnerships and empowerment, and it is prioritized by our comprehensive understanding of the risk environment and the corresponding needs of our stakeholders. We help organizations manage their risk better. The fiscal year 2021 President's budget includes $1.1 billion for cybersecurity initiatives at CISA to detect, analyze, mitigate, and respond to cybersecurity threats. We share cybersecurity risk mitigation information with Government and non-Government partners. By issuing guidance or directives to Federal agencies, providing tools and services to all partners, and leading or assisting the implementation of cross-Government cybersecurity initiatives, we are protecting Government and critical infrastructure networks. Within the cybersecurity initiatives funding amount, the fiscal year 2021 President's budget includes $660 million for cybersecurity technology and services, including Continuous Diagnostics and Mitigation (CDM) and National Cybersecurity Protection System (NCPS) programs. These programs provide the technological foundation to secure and defend the Federal Government's information technology against advanced cyber threats. NCPS is an integrated system-of-systems that delivers intrusion detection and prevention, analytics, and information-sharing capabilities. NCPS primarily protects traffic flowing into and out of Federal networks. 
One of its key technologies is the EINSTEIN intrusion detection and prevention sensor set. This technology provides the Federal Government with an early warning system, improves situational awareness of intrusion threats, and near-real time detection and prevention of malicious cyber activity. Funding included in the budget will allow NCPS to begin transitioning capabilities to use commercial and Government cloud services to the greatest extent possible. The funding will also support newly-developed information sharing and intrusion prevention capabilities into the operational environment. CDM provides Federal network defenders with a common set of capabilities and tools they can use to identify cybersecurity risks within their networks, prioritize based on potential impact, and mitigate the most significant risks first. The program provides Federal agencies with a risk-based and cost-effective approach to mitigating cyber risks inside their networks. The fiscal year 2021 President's budget includes funding to continue deployment and operation of necessary tools and services for all phases of the CDM program. Funding will cover completion of activities to strengthen management of information technology assets including for cloud and mobile-based assets and protection of data on networks that carry highly-sensitive and critical information. By pooling requirements across the Federal space, CISA is able to provide agencies with flexible and cost-effective options to mitigate cybersecurity risks and secure their networks. Funding for cybersecurity initiatives also includes $408 million for cybersecurity operations. Within this category, approximately $264 million is dedicated to threat hunting and vulnerability management operations. Threat hunting activities identify, analyze, and address significant cyber threats across all domains through detection activities, countermeasures development, as well as hunt and incident response services.
Vulnerability management capabilities include assessments and technical services, such as vulnerability scanning and testing, penetration testing, phishing assessments, and red teaming on operational technology that includes the industrial control systems which operate our Nation's critical infrastructure, as well as recommended remediation and mitigation techniques that improve the cybersecurity posture of our Nation's critical infrastructure. The budget includes funding to support CyberSentry. This voluntary program is designed to detect malicious activity on private-sector critical infrastructure networks, including operational technology, such as industrial control systems. The pilot will utilize network sensor systems to detect threats; collect threat data; increase the speed of information sharing; and produce real-time, effective, actionable information to the companies vulnerable to malicious attacks. Funding is also included to support cybersecurity capacity building. Capacity building is delivering tools and services to stakeholders to strengthen cyber defenses and coordinating policy and governance efforts to carry out CISA's statutory responsibility to administer the implementation of cybersecurity policies and practices across the Federal Government. The budget provides funding for a cybersecurity shared services office that will centralize, standardize, and deliver best-in-class cybersecurity capabilities to Federal agencies. Through this effort, CISA will develop service standards, evaluate individual offerings, and oversee a marketplace of qualified cybersecurity services to Federal customers. Through this budget, CISA will lead a Government-wide cybersecurity training program for all Federal cybersecurity professionals, including an interagency cyber rotational program, a cybersecurity training program, and a cyber-reskilling academy. 
Training cybersecurity professionals will be a crucial part of closing the gap on workforce demands for CISA and across Government. This effort also includes funding for CISA to continue hosting the annual President's Cup Challenge, a cyber competition to test the skills of the Federal cyber workforce. The fiscal year 2021 President's budget request also includes funding for State and local Government cybersecurity and infrastructure assistance prioritized for election security. These resources are institutionalizing and maturing CISA's election security risk-reduction efforts, allowing the agency to continue providing vulnerability management services such as cyber hygiene scans, and on-site or remote risk and vulnerability assessments, organizational cybersecurity assessments, proactive adversary hunt operations; and enhanced threat information sharing with State and local election officials. For infrastructure security, the fiscal year 2021 President's budget includes $96 million for protecting critical infrastructure from physical threats through informed security decision making by owners and operators of critical infrastructure. Activities include conducting vulnerability and consequence assessments, facilitating exercises, and providing training and technical assistance Nation-wide. The program leads and coordinates National efforts on critical infrastructure security and resilience by developing strong and trusted partnerships across the Government and private sector. This includes reducing the risk of a successful attack on soft targets and crowded places, from emerging threats such as unmanned aircraft systems. Funding supports CISA's school safety initiatives, including stewardship of the Federal School Safety Clearinghouse, the expansion of existing school security activities, and the development of additional resources and materials for safety to provide children with a safe and secure learning environment. 
This year's budget eliminated funding for the Chemical Facilities Anti-Terrorism Standards program while simultaneously increasing funding significantly for the Protective Security Advisors program. This will allow CISA to provide voluntary support for chemical facilities without the unnecessary burden of regulatory requirements, placing the chemical sector on par with all the other critical infrastructure sectors for which CISA has oversight. The fiscal year 2012 President's budget includes $158 million for emergency communications to ensure real-time information sharing among first responders during all threats and hazards. CISA enhances public safety interoperable communications at all levels of Government across the country through training, coordination, tools, and guidance. We lead the development of the National Emergency Communications Plan to maximize the use of all communications capabilities available to emergency responders--voice, video, and data--and ensures the security of data and information exchange. CISA supports funding, sustainment, and grant programs to advance communications interoperability, such as developing annual SAFECOM Grant Guidance in partnership with Public Safety stakeholders, and partnering with FEMA Grants Program Directorate to serve as communications subject-matter experts for FEMA-administered grants. We assist emergency responders and relevant Government officials with communicating over commercial networks during natural disasters, acts of terrorism, and other man-made disasters through funding, sustainment, and grant programs to support communications interoperability and builds capacity with Federal, State, local, Tribal, and territorial stakeholders by providing technical assistance, training, resources, and guidance.
The program also provides priority telecommunications services over commercial networks to enable National security and emergency preparedness personnel to communicate during telecommunications congestion scenarios across the Nation. The President's budget includes $167 for the Integrated Operations Division. This division is charged with coordinating CISA's front line, externally facing activities in order to provide seamless support and an expedited response to critical needs. These funds include $82 million to support 373 protective security advisors and cybersecurity advisors located across the country. Protective Security Advisors conduct proactive engagement and outreach with Government at all levels and critical infrastructure. Additionally, cybersecurity advisors expand the DHS cyber field presence across the country. These resources better enable CISA to reach critical infrastructure partners and other stakeholders where they live outside the beltway. The fiscal year 2021 President's budget fully funds CISA's risk management activities, including $91.5 million for the National Risk Management Center (NRMC). The NRMC is a planning, analysis, and collaboration center working to identify and address the most significant risks to our Nation's critical infrastructure. The NRMC also houses the National Infrastructure Simulation and Analysis Center (NISAC), which provides homeland security decision makers with timely, relevant, high-quality analysis of cyber and physical risks to critical infrastructure across all sectors during steady state and crisis action operations. Increased funding will support election security, securing 5G telecommunications, and supply chain risk analysis. The new Stakeholder Engagement and Requirements program is funded at $38 million. 
This funding will support the coordination and stewardship of the full range of CISA stakeholder relationships; the operation and maintenance of the CISA stakeholder relationships; the operation and maintenance of the CISA stakeholder relationship management system; the implementation of the National Infrastructure Protection Plan voluntary partnership framework; the management and oversight of National infrastructure leadership councils; and the effective coordination among the National critical infrastructure stakeholder community in furtherance of shared goals and objectives. The President's budget asks for $24 million within the Science and Technology Directorate (S&T) to continue research and development efforts in support of CISA's cybersecurity mission. CISA and S&T have made tremendous strides in collaborating to advance joint priorities. In fiscal year 2019, CISA and S&T awarded a project to create a `pipeline' for low technology readiness-level efforts to mature and transition into CISA. Workstreams in this pipeline are advancing threat-driven cyber analytics and development of a cyber risk framework. This project is an important first step in the larger plan for CISA and S&T to enhance analytics in conjunction with big data and machine learning. Subsequent efforts in fiscal year 2020 and beyond are planned to leverage hyperscale cloud platforms and significantly advance the data and analytics capabilities of CISA. Finally, Congress provided a substantial investment last year to consolidate CISA in a new state-of-the-art headquarters facility at DHS's St. Elizabeth's Campus. CISA currently must operate from 8 different leased locations spread across the National Capital Region, in facilities not capable of fully supporting CISA operational demands, which contributes to administrative inefficiencies. 
The fiscal year 2021 President's budget provides $459 million to the General Services Administration for the continued consolidation of DHS facilities at the St. Elizabeth's Campus. Included in this amount are funds for both additional DHS component building construction and also campus infrastructure enhancements, such as additional parking, that are critical to the success of CISA's future relocation to the campus.

Conclusion

In the face of increasingly sophisticated threats, CISA employees stand on the front lines of the Federal Government's efforts to defend our Nation's Federal networks and critical infrastructure. The threat environment is complex and dynamic with interdependencies that add to the challenge. As new risks emerge, we must better integrate cyber and physical risk in order to effectively secure the Nation. CISA contributes unique expertise and capabilities around cyber-physical risk and cross-sector critical infrastructure interdependencies. I recognize and appreciate this committee's strong support and diligence as it works to resource CISA in order to fulfill our mission. Your support over the past few years has helped bring additional Federal departments and agencies into NCPS more quickly, speed deployment of CDM tools and capabilities, and build out our election security efforts. We at CISA are committed to working with Congress to ensure our efforts cultivate a safer, more secure, and resilient homeland while also being faithful stewards of the American taxpayer's dollars. Thank you for the opportunity to appear before the subcommittee today, and I look forward to your questions.

Mr. Richmond. Thank you, Director. I now recognize Acting Deputy Under Secretary Hentz to summarize his statement for 5 minutes.

STATEMENT OF ANDRE HENTZ, ACTING DEPUTY UNDER SECRETARY FOR SCIENCE AND TECHNOLOGY, U.S. DEPARTMENT OF HOMELAND SECURITY

Mr. Hentz.
Good afternoon, Chairman Richmond, Ranking Member Katko, Ranking Member Rogers, and distinguished Members of the subcommittee. Thank you for inviting me here today to testify on the President's budget for fiscal year 2021, which includes a request for $643 million for the Science and Technology Directorate within the Department of Homeland Security. S&T's research develops activities which support a broad range of DHS missions, including domain threat awareness, delivery of mitigation strategies, and creating novel technologies and approaches for the components, first responders, and other partners across the Homeland Security enterprise. Our customers put their lives on the line every day to keep our Nation safe. Having the correct tools, techniques, and/or technologies can be vital to the operational safety and success. Research and development must enable efficient, effective, and secure operations across all DHS security missions by applying timely, scientific, engineering, and innovation solutions. This is how S&T delivers results. Technology innovation cycles are rapidly changing, and the nature of the threats we see are dynamic. It is important to note, however, that S&T represents less than one-half of 1 percent of the entire Federal R&D budget. Let me repeat that: S&T represents less than one-half of 1 percent of the entire Federal research and development budget, and we strive every day to get as much value out of those funds as possible. Under my leadership, with Mr. Bryan, S&T has strengthened our relationship with our customers by providing impactful solutions to those on the front line. We continue to solidify and strengthen S&T's core capabilities and provide deliberative approaches to program execution that ensures timely delivery and solid returns on investment for our Nation's taxpayers. The fiscal year 2021 request includes $5 million for quantum information sciences, including artificial intelligence. 
S&T is beginning to focus on machine learning, with the goal of mitigating risk to potential misuse of artificial intelligence, and identifying opportunities and applications for the use of trustworthy artificial intelligence, while providing privacy protection and developing new governance and policy frameworks for artificial intelligence and machine learning. The fiscal year 2021 budget request provides $14.3 million for S&T's Probabilistic Analysis for National Threats, Hazards, and Risk program, known as PANTHR. PANTHR aligns S&T's chemical and biological hazard awareness and characterization activities to provide timely, accurate, and defensible decision support tools and knowledge to stakeholders. Working with the Countering Weapons of Mass Destruction Directorate, PANTHR is leveraging S&T's National Biodefense Analysis and Countermeasures Center to address pertinent scientific questions and DHS operational concerns regarding the surface stability and decontamination of COVID-19. Funding in 2021 would allow PANTHR to develop additional assessment capabilities to address growing infrastructure concerns such as the bio-economy, and fill other critical gaps regarding weapons of mass destruction risks to the homeland. The administration is also focusing on targeted violence and terrorism prevention, and S&T's 2021 request includes $7 million for research to inform policy, strategy, tactics, techniques, and procedures in this area. S&T is actively working to support technology integration and techniques to reduce the likelihood of mass violence and improve the ability to prevent and respond to a mass violent event. The fiscal year 2021 budget request supports S&T's Office of University Programs in two vital efforts, our centers of excellence and working with minority-serving institutions.
Centers of excellence that receive funding in fiscal year 2021 will conduct research and development that aligns with the administration's priorities to strengthen border security, cybersecurity, infrastructure protection, and prioritize transnational criminal investigations. Finally, the 2021 budget requests at $18.9 million in a procurement, construction, and investment account for S&T to begin to address the decontamination and closure of the Plum Island Animal Disease Center. S&T is committed to our mission to deliver effective, innovative insights, methods, and solutions for critical needs of DHS components, first responders, and our operational partners in the Homeland Security space. Chairman Richmond, Ranking Member Katko, Ranking Member Rogers, and Members of the committee, thank you again for the opportunity to appear before you today, and for your continued support of S&T. I look forward to answering your questions.

[The prepared statement of Mr. Bryan, as presented by Mr. Hentz, follows:]

Prepared Statement of William Bryan

March 11, 2020

Good afternoon Chairman Richmond, Ranking Member Katko, and distinguished Members of the subcommittee. Thank you for inviting me here today to testify on the President's budget request for fiscal year 2021, which includes a request of $643.7 million for the Science and Technology Directorate (S&T) within the U.S. Department of Homeland Security (DHS). S&T's research and development (R&D) activities support a broad range of DHS missions, including domain threat awareness, delivering mitigation strategies, and creating novel technology and approaches for the components, first responders, and other partners across the homeland security enterprise. Our customers put their lives on the line every day to keep our Nation safe, and having the correct tools, techniques, and/or technologies can be vital to the operators' safety and success.
We must enable efficient, effective, and secure operations across all homeland security missions by applying timely scientific, engineering, and innovative solutions through research, design, test and evaluation, and acquisition support. This is how S&T delivers results. Technology innovation cycles are rapidly changing and the nature of the threats we see is dynamic. This combination presents a significant challenge to traditional R&D approaches as well as meeting component requirements and needs in a fiscally constrained R&D environment. S&T is less than 1 percent of the entire Federal R&D budget--and we strive every day to get as much value out of those funds as possible. Therefore, it is my responsibility to ensure an efficient, effective, and nimble organization is in place to address R&D needs of Homeland Security front-line operators, particularly the DHS operational components and first responders, today and into the future. Either through the identification of existing technologies or the timely development of new technology, S&T can provide them with the tools they need to safely and effectively protect the homeland and the American people. Under my leadership S&T has strengthened our relationships with our customers, the DHS operational components and first responders, to provide impactful solutions to those on the front line. We continue to solidify and strengthen S&T's core capabilities and provide a deliberative approach to program execution that ensures timely delivery and solid return on investment for our Nation's taxpayers. S&T has become more agile and responsive, ready to move quickly in response to changes in the threat environment, and makes use of existing technologies, when available, that can be adapted and leveraged to expedite the development of vital capabilities. 
S&T has significantly enhanced its ability to transfer capabilities to where they are most needed by working closely with operators, component partners, and industry to deliver effective solutions. The revitalized S&T has strengthened its relationships with DHS components, first responders, and other customers, and results in a more integrated approach to innovation, requirements gathering, and problem solving. At a strategic level, S&T has created a capability to identify, prioritize, and report on emerging technology risks facing the United States. Together with DHS Policy, S&T will identify and assess emerging technologies most likely to significantly improve operations and/or threaten the DHS mission over the next 2-5 years. Results will support senior DHS executives as they prioritize the list of technologies and shape the DHS investment portfolio to address risk. A strong cross-Department cybersecurity R&D program is critical for DHS. The Cyber Security & Infrastructure Security Agency (CISA) and S&T have made tremendous strides in resetting the relationship, directing R&D resources into mission support of CISA requirements. CISA and S&T have established repeatable processes to identify capability gaps, prioritize needs, and execute on RD&I needs. The fiscal year 2021 cybersecurity R&D budget request is for $24 million and places all cyber R&D funding with S&T. S&T is currently partnered with the National Institutes of Artificial Intelligence (AI) with the goal of mitigating risks to misuse of AI, identifying opportunities and applications of AI within the homeland security mission space, improving privacy protection, and developing new governance and policy frameworks for artificial intelligence and machine learning. 
S&T is working with its operational DHS component partners to assess opportunities for leveraging Automated Machine Learning (AutoML) and related data preparation tools as a means of accelerating understanding and use of this technology within the DHS enterprise. In fiscal year 2021, S&T will examine and characterize the state of artificial intelligence research relative to future homeland security mission applications. Research activities will focus on the development of core capabilities that enable trustworthy artificial intelligence to improve core automation capabilities that are secure, private, and trusted for critical homeland security applications. The fiscal year 2021 budget request provides $14.4 million for S&T's Probabilistic Analysis for National Threats Hazards and Risks (PANTHR) program that aligns S&T's chemical and biological hazard awareness and characterization activities to provide timely accurate and defensible decision support tools and knowledge to stakeholders. PANTHR is currently supporting the Countering Weapons of Mass Destruction Office (CWMD) to address the on-going Coronavirus outbreak by providing consolidated up-to-date information regarding the virus to DHS components. PANTHR is currently leveraging the capabilities of one of the DHS laboratories, the National Biodefense Analysis and Countermeasure Center (NBACC), which is addressing pertinent scientific questions and DHS operational concerns regarding Coronavirus surface stability and decontamination. PANTHR funding in fiscal year 2021 would further support the expansion of these National capabilities to address current and emerging chemical and biological concerns. Additionally, the fiscal year 2021 request would allow PANTHR to develop additional assessment capabilities to address growing infrastructure concerns, such as the bio-economy, and fill other critical technical hazard data gaps regarding WMD risks to the Homeland. 
S&T is requesting $35.9 million in the fiscal year 2021 budget to directly address Customs and Border Protection (CBP), the U.S. Coast Guard (USCG), the U.S. Secret Service (USSS), and the Federal Protective Service (FPS) requirements for Countering Unmanned Aircraft System (CUAS) requirements. In close coordination with our operational customers, S&T is responsible for the initial CUAS deployment architecture, technology selection, system integration, system test, training and cyber compliance. The fiscal year 2021 S&T CUAS investment will focus on mission interoperability with the Department of Defense and Department of Justice in the National Capital Region, improved CUAS capabilities for DHS components, and addressing future threats. UAS threats to critical infrastructure and security activities will likely increase in the near future as the number of UAS introduced into the National airspace continues to increase. However, currently the use of technical means to detect, track, and disrupt malicious UAS operations remains limited. S&T is dedicated to developing or adopting innovative tools for DHS components, and the fiscal year 2021 budget request supports that effort. For example, the S&T Opioid Detection project continues to integrate advanced technologies, including narcotics anomaly detection algorithms and chemical sensing technologies, into CBP international mail facilities, and to evolve efforts directed at detecting synthetic opioids in additional operational environments in response to changing trafficking dynamics. Increased funding will also further improve the understanding of supply chain logistics and intelligence to aid in targeting, investigations, and ultimately, disruption of international smuggling. The administration is also focusing on Targeted Violence and Terrorism Prevention, and S&T is a vital partner using research to inform policy, strategy, tactics, techniques, and procedures. 
S&T is actively working to support technology integration and techniques to reduce the likelihood of mass violence and improve the ability to prevent and respond to a mass violence event. The fiscal year 2021 request continues support for S&T's Silicon Valley Innovation Program (SVIP) at $10 million, which leverages innovative commercial capabilities from across the country through non-traditional Government contractors to rapidly deliver technology to fulfill DHS component-defined requirements. This program fosters rapid development and delivers tested technology into the field in a much shorter time frame than is possible under traditional vehicles. S&T's SVIP collaborates with DHS operational components to provide solutions that enhance overall situational awareness, detection, tracking, interdiction, and apprehension. To date, S&T's SVIP has awarded $18 million in funding and processed over 485 applications across 14 topic areas. S&T has worked with 49 small start-up companies from 15 different States and leveraged over $500 million in private-sector investment that aligns on-going private-sector activity with DHS operational component requirements. SVIP has successfully transitioned 3 technologies into CBP operational environments including a new generation of radar to support U.S. Border Patrol operations. This radar technology was incorporated into 58 Border Patrol towers on the Southwest Border and a similar amount are planned for transition in 2020. The fiscal year 2021 budget request adds a Procurement, Construction, and Improvements account to address the decontamination and closure of the Plum Island Animal Disease Center. S&T is on time and on budget to complete the construction of the National Bio and Agro-Defense Facility (NBAF). This state-of-the-art facility will be transferred to the U.S.
Department of Agriculture upon completion of construction and will be the Nation's only Bio Safety Level 4 laboratory that is capable of studying large animal diseases in livestock, such as African Swine Fever and Foot and Mouth Disease. After NBAF is completed, the Plum Island facility will require decontamination. The $18.9 million of the fiscal year 2021 request will begin decontamination activities and stand up the program office to manage this multi-year effort. The fiscal year 2021 budget request supports S&T's Office of University Programs in two vital efforts, our Centers of Excellence (COE) and working with Minority Serving Institutions (MSI). The fiscal year 2021 budget request allows for the continuation of the University-based COEs that are focused on homeland security mission needs. COEs that will receive funding in fiscal year 2021 will conduct research and development that aligns with the administration's priorities to strengthen border security, cybersecurity and infrastructure protection, and prioritize trans-national criminal investigations. S&T conducts rigorous evaluations of each Center's performance using established criteria to help inform project funding decisions that meet operator needs and stay focused on transferring or transitioning research and technology outputs into field use. S&T seeks to leverage and utilize the unique intellectual capital in the MSI community to address current and future homeland security challenges and to provide relevant learning opportunities to diverse and highly talented individuals and inspire the next generation of dedicated homeland security professionals. Our efforts provide learning opportunities for students that already are pursuing Science, Technology, Engineering, and Mathematics (STEM)-related degrees. These awards support MSIs in their efforts to attract highly technical students and provide exposure and mentorship opportunities with DHS programs.
S&T's efforts with MSIs are important for ensuring students develop the cross-functional skills essential to their flourishing and meeting the demanding needs of the homeland security missions. By establishing continuous relationships between COEs, MSIs, DHS component agencies, and private-sector entities, S&T is expanding partnering institutions and providing resources needed for students to gain meaningful work experiences that prove invaluable to the growth of their careers in homeland security-related areas. S&T's mission is to deliver effective and innovative insight, methods, and solutions for the critical needs of DHS components and our operational partners in homeland security. Chairman Richmond, Ranking Member Katko, and Members of the committee, thank you again for the opportunity to appear before you today and for your continued support of S&T. I look forward to answering your questions. Mr. Richmond. I want to thank the witnesses for their testimony. I will remind each Member that he or she will have 5 minutes to question the panel. I will now recognize myself for 5 minutes for questions. Director Krebs, in January 2017 the Office of the Director of National Intelligence issued a report concluding that the Russian government meddled in the 2016 Presidential election, and that Russia's goal was to assist the campaign of now-President Trump. Last month several news outlets reported that President Trump removed the acting director of national intelligence, Joseph McGuire, had the staff from his office brief bipartisan members of the House Permanent Select Committee on Intelligence on foreign threats to U.S. elections. Are you familiar with that? Mr. Krebs. I am certainly aware of the intelligence community assessment of 2017, and recall seeing some of the press reports. Yes, sir. Mr. Richmond.
Initial reports indicated that ODNI staff told Members in the briefing that the Russian government, once it--was once again attempting to meddle in our elections to benefit President Trump's re-election. This is the same thing that Russia did in 2017, when they interfered in the U.S. election to help President Trump. Wouldn't that be the same assessment? Mr. Krebs. I am sorry, is the--can you repeat the question? I am trying to understand what---- Mr. Richmond. Well, the intelligence is the same intelligence from 2017 that Russia is trying to interfere in the election. Mr. Krebs. So I certainly can't talk to the intelligence. I would defer to the intelligence community on the specific assessments. We are planning as if the Russians and others are coming back for the 2020 election to again attempt to interfere. Mr. Richmond. Let me just get to the--my main point on this is that we need to believe in the intelligence that we are getting. All of the reports indicate that the assessment and intelligence changed once the President didn't like it. We, as Members of Congress, need to know that we are going to get the whole truth and nothing but the truth from our intelligence communities, because we have a responsibility to act whether we like it--don't like the information. So the real question to you is can we believe and trust that the information we are getting from you, and you all in the intelligence community, is the whole truth and nothing but the truth? Mr. Krebs. Yes, sir, absolutely. Mr. Richmond. Let me shift a little bit to CFATS. I represent, probably, the No. 1 and No. 2 largest petrochemical district in the country. I am concerned that--where the proposed budget eliminates the CFS program. Last year officials from CISA testified before this committee that CFATS is a vital part of our Nation's counter-terrorism efforts, and very much a pressing need in view of the continuing level of chemical terrorism threats. 
January 15, DHS issued an alert warning about heightened threats from Iran, specifically in the chemical sector. So can you share any information you have about what intelligence assessments or security assessments CISA has completed to support the elimination of the CFATS program, and how will eliminating CFATS make my constituents safer? Mr. Krebs. So thank you for the question specific to the January alert related to the heightened tensions of Iran. I don't believe that was associated with any specific intelligence product targeting chemical--the chemical sector. That was more--again, back to my opening comment about being a customer-centric organization, that was a request that came in from the chemical sector that said, ``Can you guys pull something together for the sector that will speak specifically to Iran and the things the chemical sector can do to protect the sector?'' So more broadly on the CFATS issue, I think where we are right now is that, you know, over 15 years or so of implementation of the CFATS program, there is no question that we have changed the risk management dynamics across that sector. At the same time, the threat landscape has also shifted. Some of the players that were heavy in the 2005 to 2007 period are not necessarily on the map any more. In the mean time, other actors have spread up. The economy, in and of itself, how it works, supply chain, chemicals and commerce have also shifted. So I think part of what we are looking to accomplish here is, if you look back at CFATS in general and the application of the regulatory program to the sector, it really only encompasses about 3,300 facilities. So, if you look back at the fiscal year 2020 budget, that is about $72 million across 3,300 facilities. 
What we are looking to accomplish here is, as we have fundamentally changed the way risk is managed in the chemical sector across at least 3,300 facilities, what opportunity do we have to extend that risk management opportunity across the 40,000 facilities of the chemical sector? My sense is that, regardless of what happens here--and of course, we will implement whatever Congress and--passes, and the President signs, whether it is a re-authorization of CFATS or a shift to a voluntary program. But the bigger point here is we are looking for this opportunity to more broadly change risk management posture across the chemical sector. Mr. Richmond. My last question would be do you support a temporary extension of CFATS so Congress can determine the appropriate path forward, No. 1; and No. 2, do you maintain a list of unfunded priorities so that--if you have money, things that you would do? Mr. Krebs. Sir, we do have a significant list of PDOs, or program opportunities that we would be able to--if funded, we would be able to execute, of course. On your private--on your first question, you know, again, we are in a transition planning process right now with about a month, a little over a month or so, out from expiration of the program. So we are focused on transitioning right now. But whatever happens, again, we have the funding for the rest of the year to execute the program if there is a temporary extension put in. Thanks. Mr. Richmond. Thank you, and I yield back. I now recognize the Ranking Member, the gentleman from New York, Mr. Katko, for 5 minutes. Mr. Katko. Thank you, Mr. Chairman. Mr. Krebs, I want to kind-of ask you about the Cyberspace Solarium report in general, but really talk about how it may impact the budget if those recommendations get implemented. 
So I view this Solarium report as one of the critical things we can do in Congress this year, and I really believe that the next 9/11 could absolutely, positively be, God forbid, a cyber attack that is cataclysmic. I am not sure we are ready for it. I think this report recognizes that, and it recognizes--and it makes a series of recommendations. I know part of it is on the defense side, and I--you know, we are more interested in the homeland side in this committee, obviously. So if you could, talk from the homeland side on what are some of the big things in that report, and how it might be--might impact the budget going forward, so we can plan for it. Mr. Krebs. So thank you for that. It is interesting, and I am sure Congressman Langevin shares this. Being so close to the wheel and the development of the report, you see the recommendations, and they just make a lot of sense to us. But it is good that someone that is not developed in the--you know, was not involved in the process also thinks they make sense, and this doesn't just kind-of fall flat. So the--kind-of the pickup I have seen today, at least, has been very, very positive that there is some innovative, bold recommendations in the report. But more importantly, there are recommendations within the report that are practical and eminently implementable. That is the most important aspect of the report in and of itself, that whatever is in it, that we can actually do it. To your point about that defense/offense divide, that was one of the important policy signals that comes out of the report--to me, at least--that this is not just about investing in the Department of Defense and General Nakasone's teams. It is also about ensuring that CISA and the rest of the civilian cybersecurity space and the private sector have the direction, guidance, and resources they need to be able to implement. Some of the key takeaways that I have, the report--I think I will focus on 3. 
First is that it squarely puts CISA at the central coordination point for civilian cybersecurity defense, and that brings all the Federal partners together, but that also, importantly, brings the Federal--or the private sector, as well as State and local partners together. There are going to be some significant employment implications here. Do we have the facilities that we need to truly set up a collaboration space? We are operating in about 9 different facilities in Baghdad. Mr. Katko. A bunch of them, and they do seem to be all over the place. Mr. Krebs. We have 9 facilities in the National Capital Region that we have been in since 2005, when I was a contractor with the prior organization, one of the first inhabitants of the building. We need a refresh. So we are going through that process right now with the St. Elizabeths program. We just need to make sure that we have the access for our private-sector partners to the facility, that we can accommodate regular access from private-sector partners, and make it an experience that they want to actually participate in. It is a kind-of if-you-build-it-they-will-come sort-of approach. So that aspect we are focused on. There is another piece of it, continuity of the economy, that we are working through right now. That is kind-of, in some part, a manifestation of our National critical functions work that we launched last year. We are also seeing that play out right now across the COVID response. So we have developed a framework for analyzing broader supply chain impacts of COVID across 4 different elements. The first is, is there a commodity disruption that would disrupt a business or a function? The second is, is there a workforce disruption that you may not be able to continue delivering that service or function? Then there are 2 kind-of demand-side issues. No. 1, you have over-demand, and that could be, like, the N95, you have too much demand and, therefore, you have a cratering within the function. 
On the flip side of that, you may see in transportation there is a lack of demand. So the function then degrades. So those are the sorts of things that we want to push into that continuity of the economy. We have the rubric, but we are--you know, to fully implement that recommendation is going to require significant analytic investments within the agency. Then last, workforce, workforce, workforce. As I mentioned in my opening, to be successful in this space, to be truly a customer-centric organization, I have to have personnel out in the field, not just engineers here in District of Columbia, but customer service professionals out where our customers are. That is going to require a significant investment in personnel. Mr. Katko. Thank you very much. It does sound like there is going to be more requests, from a financial standpoint, from the committee and from other committees to implement these plans. As we work them out and tease them out and get them into legislative formats, we will definitely revisit those issues. So thank you very much for that. Mr. Hentz, what--if you could, just describe quickly, what are the key legislative priorities for your organization this year? Mr. Hentz. Thank you, Chairman, Ranking Member. What we were---- Mr. Katko. I will take Chairman. Mr. Hentz [continuing]. Trying to do right now is---- [Laughter.] Mr. Hentz. What we are trying to do right now is prioritize the list of requirements from our operational components. To specifically answer your question, those priorities look like countering unmanned aerial systems, things like 5G and other supply chain risk mitigators. Obviously, support to border and commerce, as well as our support to emerging biological and chemical risk. So those are our core primary equities right now that we are trying to focus on. Mr. Katko. Thank you very much. I am interested in that. 
I will yield back, but I just want to note in Syracuse, New York they are going to start building a 5G manufacturing facility, the first one in the country that is going to have all American components, which is critical for cybersecurity, going forward. We also have one of the largest unmanned aerial system research corridors, from Rome Labs to Syracuse, New York. So we are at the tip of the spear with some of your priorities. So I look forward to working with you further on those, going forward. I hope we can continue the lines of communication. With that I yield back, Mr. Chairman. Mr. Richmond. The gentleman yields back. I now recognize the gentleman from Rhode Island, Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. Let me begin by thanking you for--and the Ranking Member for the supportive comments about the Solarium Commission project, and the report that we are issuing today, and, Mr. Chairman, for your leadership on the issue of cyber, and I look forward to continuing to collaborate with you on these--on this important topic. Good morning to Director Krebs and Mr. Bryan, thank you very much for being here today. Mr. Hentz, I appreciate your being here today, I look forward to hearing what you have to say. Director Krebs, I guess I want to begin with you, and express my appreciation to you for your participation in the Cyberspace Solarium Commission. Your contributions to that effort, and the dialog that took place, and the ultimate findings, your contributions were invaluable. Obviously, the report is being released today, and I am very proud of the work that we did bring, in bringing together many different stakeholders and coming up with a series of recommendations, as you pointed out, I think, are eminently doable, and that I hope will advance the ball on cybersecurity. 
So my first question, the report identifies various ways that CISA should work with sector-specific agencies to improve information sharing and collaboration with private-sector entities. So, for example, the report highlights that we need more clarity in statute of what is required of SSAs in order to ensure that you have the information that you need to do your job. So, Director Krebs, do you agree that Congress should work to lay out the responsibilities of SSAs to both their private-sector partners and to CISA? That we should research them appropriately to perform these functions? Well, I will stop there, and then I have other questions. Mr. Krebs. So I think this is where we need to strike the right balance. It certainly makes a whole lot of sense to me that sector-specific agencies--of which I actually own 8 of them, between IT, comms, critical manufacturing, chemical, nuclear, emergency services--that we develop within those sector-specific agencies the specific requirements and attributes of those sectors. You know, we can handle the core cybersecurity, whether it is the business side or the control system side. We can develop that core capability. But what I need is the specifics of the sector to be layered on top of that understanding, and I can't invest in significant treasury, or banking, finance, so that is absolutely the responsibilities that we would be looking to be clearly articulated. Mr. Langevin. Can you talk about how CISA plans to work toward implementing the recommendations, if you would? Mr. Krebs. Well, I--so, right now, it--now that the report is out we have that kind of--the triage list, working through, of course, some of the templates that the--Executive Director Montgomery has pushed out. So we have got those identified, and the sorts of resources that we will need, the things we could do now, the things we will have to do down the road, but also working with the Commission on what will require legislative assistance.
You know, I think there is a significant amount of the recommendations that we can implement right now. But, obviously, with some of the requirements for--whether it is IOT standards or some of the additional requirements on critical infrastructure, that is going to require either Congressional action or some sort of regulatory proceeding. Mr. Langevin. So, like my other colleagues here today, I also want to be on record as saying that I am very concerned about the cuts to CISA's budget proposed by the administration. Look, the National Risk Management Sector--Center, in particular, is a critical component of the Solarium Commission's recommendations, especially when it comes to syncing up the cyber expertise that CISA has with the sector-specific enterprise and the SSAs. So do you believe that the NRMC will be able to carry out its own mission, in addition to the ones recommended by the Solarium report, with the requested amount of funding? Mr. Krebs. So I think--the way that I see the budget is--Ranking Member Rogers mentioned, you know, the proposal and the actual budgeting piece. You know, I am on the formulation and implementation side. The way the 2021 budget was developed, given the timing of formulation, the timing of the 2020 appropriations, they were out of step. So the 2021 budget request, the President's budget request, was built on the 2019 enacted. So if you look at it in--through that lens, it is actually an increase over the 2019 enacted. Because we didn't receive the fiscal year 2020 appropriations until late December, by that time the 2021 President's budget was already baked, from my--from where I sit, at least. So it was out of my control, that was already cooked. There was not time to kind-of re-peg it against the 2020. So what you see, instead, in the President's budget request, are the key areas of focus for the agency. There is plenty of room for investment.
The National Risk Management Center, for instance, has plenty of room for investment to get the additional analytic capabilities, we would need, if that is what the Congress decides. Mr. Langevin. Clearly, CISA is going to need additional resources to do the job that we are expecting you to do. I appreciate the job that you are doing, as director, and your team at CISA. Thank you for that. With that, Mr. Chairman, I yield back. Mr. Richmond. The gentleman from Rhode Island yields back. I now recognize the gentleman from Alabama, Mr. Rogers, for 5 minutes. Mr. Rogers. Thank you, Mr. Chairman. Mr. Krebs, you know, it has been reported that there are over 300,000 cybersecurity job vacancies in the country at present. So we have a real challenge. That is across, you know, the private and public sectors. How many job vacancies do you have that you are struggling to fill? Mr. Krebs. At the moment we have got about 655 vacancies within the agency, about 151 of those are cybersecurity. I have about a 95 percent retention rate on the cybersecurity side, which is good, and it is improving. What we are doing right now, particularly as we continue to hire against the fiscal year 2020 funding--in that set, again, peg the FTE rate higher. We are trying to look at hiring as a--from a systematic approach. So left to right, from--you know, identifying the job to actually getting a person in a seat with the PIV card and a machine, ready to roll. That requires a whole host of partners within CISA and without. So, really trying to flush out who owns these things, what are the bottlenecks, and then what is the plan we are putting against it. So a couple examples of choke points or bottlenecks that we are seeing, it is the hiring manager develops a position description. The problem with the hiring manager doing that is a hiring manager is a collateral job. It is an other-duties-as-assigned.
So I have someone who is a program manager and an engineer, but also has to do a hiring manager job. So we are saying, OK, maybe we relieve them of the hiring manager responsibility and have full-time hiring managers that--their job, at least on a 6-month, maybe cyclical basis, would be to just work position descriptions, just work the interview process. We think that can streamline and make a more efficient process. We also have to look at---- Mr. Rogers. Have you started that? Mr. Krebs. Yes, sir. We did. We--a couple of weeks ago we launched a task force to focus just on this sort of thing. Mr. Rogers. I am sorry to interrupt you. Mr. Krebs. So we are going to be plowing through those PDs and the selections, which then gets us to the subsequent piece, the security. For instance, in the past we have looked at cybersecurity jobs as requiring top secret SCI clearances. We are challenging those assumptions. You know what? I might not need out in the field anybody that has a TS. Secret might be fine. So let's take a stab at that. If they need TS down the road, then we can put them in for that process. The TS is a--the top secret clearance is a significant additional time lag in hiring. So we are going to change the way we write PDs. Plus there are other policy and process issues. Again, some of that security clearance review I have to outsource to other parts of the Department, so let's see what we can do there. But also, like, just getting smarter about how we write position descriptions. So working in part with the Aspen Group and the--their cybersecurity working group, they issued a series of recommendations on how to improve cybersecurity hiring. One of them that we have adopted is how do you--don't over-spec the position description. So you are trying to hire a job--someone into a job. Don't say you have got to be able to do 15 things. Just tell them the 2 or 3 things you need them to do. So those are the sorts of things.
We are just trying to bring a little bit of reality into the hiring process, and we have already seen a 12 percent decrease in our time to hire. So, in some cases, it is--that is only--you know, that goes from, like, 260 days to maybe 240 days, just trying to improve these numbers a little bit, and incrementally do it. But we think we have got processes in place. We will be able to dramatically cut the hiring process. Mr. Rogers. Do you feel--have you found that your salary and benefit packages is adequate to compete for talent? Mr. Krebs. I--so thank you for bringing that up, because I neglected to mention it. We have been provided a series of different retention and hiring incentives that we can use, including tuition reimbursement, up to 25 percent hiring--or, rather, retention bonus. So I can actually, I think, generally, compete in the market. Certainly not on the top, top, top, top end, but we can provide--between mission and pay and just quality of life, we think we can do a pretty good job here. So it is just about getting out there, and making sure we are using smarter, you know, platforms, and really hitting some of the on-line--like, LinkedIn, and things like that, aggressively recruiting across those platforms. Mr. Rogers. Have you found that you have been able to bring in many CISA employees through the Scholarship for Service program? Mr. Krebs. We have used that, and that is one of the key partners that we bring folks in, particularly at the--kind-of the lower and mid-level of the GS structure, not at the higher GS-15. But we need to take greater advantage of that, that is the way I see it. For us, it is somebody is doing recruiting for us, and we have just got to go kind-of collect resumes. We can make on-the-spot--at the SFS hiring fairs we can make on-the-spot offers and immediately get the process started, and that shaves 2 weeks off. Mr. Rogers. I would love to take the lead on helping you with that particular issue.
I think the Scholarship for Service program is a very under-used tool. So if you will get with me, let me know whatever you need, I will take the ball and run with that. Thank you, Mr. Chairman. Mr. Krebs. Thank you. Mr. Richmond. The gentleman from Alabama yields back. I now recognize the gentlewoman from New York, Miss Rice, for 5 minutes. Miss Rice. Thank you so much, Mr. Chairman. Director Krebs, as you responded in--as you said in response to a question by Mr. Langevin, it is clear that it is going to be up to Congress to translate many of the Cyberspace Solarium Commission's recommendations into legislation, or legislative proposals. But I think it is worth noting that the fiscal year 2021 budget request would not advance the Solarium's vision for CISA, which I think is problematic, to say the least. But my question is how is--how do you plan to invest in 5G security and resilience, supply chain security, and election security with less money? Mr. Krebs. So if you look at the past 3 years, we started from scratch. I will use election security as an example. We started from scratch. We had zero election-specific money. Over the past 3 years Congress has invested about $102 million in our election security effort. Last year was about--it was about $43 million. The fiscal year 2020 budget--2021 budget has, I think it is, about $30.5 pegged against election security. What we are using that, those funds, to do is, yes, provide specific election capabilities, but also invest in broader capacity and capabilities within the agency on vulnerability management, threat hunting, any of those sorts of vulnerabilities--scanning capabilities, remote penetration testing. So we will continue to do that. The more we put in there, it will directly benefit elections, but also the broader critical infrastructure community. But again, with more I can always do more. So, again, whatever you will, of course, appropriate, we will be able to implement and execute against. Miss Rice. 
So I think one of the problems with the election interference is--putting aside what the intent is, putting aside what countries like Russia and China--what specific candidate they are trying to help, put that determination aside. When you look at just the overwhelming amount of disinformation that is out there, how do you address that issue? So if a specific campaign sees this just repeated disinformation--that, obviously, we will just assume is negative--against one particular person, what do you suggest a campaign--and whether it is a Republican or a Democratic campaign, because disinformation is at the heart of what is happening here, and it--you know, the attempt to sway the opinions of everyday Americans. So how would you suggest that people and campaigns handle that? Mr. Krebs. So, stepping back a little bit in the broader disinformation issue, and countering disinformation, we tend to view it as a supply and demand problem. On the supply side, you actually--you have these--or the influence operators, whether it is Russia, Iran, China, whomever it is, doesn't matter, pushing that information. Right? So there are capabilities across the intelligence community, the law enforcement community, within the private sector on the social media platforms that can disrupt that supply, but do it in a content-neutral way that is more about tagging actors, sharing those, illuminating campaigns. You know, I got to give a lot of credit to the social media organizations for--you know, compared to 2016, we are light years ahead of where we were. Is there room to improve? Absolutely. There is more that can be done, particularly with encouragement, I think, from the Congress. But there is another side to all of this. So, specific to your question, if you see it, report, you know, send it in to the FBI, send it to the social media platforms. 
They have dedicated teams that are monitoring, but also have intake mechanisms so that they can identify and then take down these campaigns. But the more important aspect of this--so we are--this is a Whack-a-Mole game if we are always chasing the latest disinfo campaign. What we have got to do is focus also on the demand side. The demand side is the American people. So how do we create a more discerning public, a more informed, educated public on the things that are happening across the news and the media and the social media platforms they see? So that is what we have put a lot of effort into, and that--you know, I think probably the most known, well-known thing we have done there is the War on Pineapple, which was last year we launched a program that distilled down how disinformation operations work, how the Russians do it, but we did it not in a way that it is Russia, it is whether you like pineapple on your pizza or not. So it is a very kind of non-confrontational issue, but it is educational. We got Secretaries of State, election directors involved, pitted on either side. Even the--I think the armed forces of Canada got involved in the whole thing, so we had a foreign influence operator in here, but it doesn't matter.

[Laughter.]

Mr. Krebs. Anyway, it was educational. It actually took off. People started to get it. So there is a civic education opportunity in front of us, and those are the things we are looking to do with the social media platforms, as well as academia and some of the other nonprofits that are involved here.

Miss Rice. I would like to follow up with you on that. Thank you very much. I yield back.

Mr. Richmond. The gentlelady from New York yields back. I now recognize the gentleman from North Carolina, Mr. Walker, for 5 minutes.

Mr. Walker. Thank you, Mr. Chairman. Mr. Hentz, is that the correct--so yes.
Since the military doctrines of Russia, China, North Korea, and Iran include EMPs, electromagnetic pulse attacks, with their cyber strategies, and that our civilian infrastructure is highly vulnerable to EMPs, how is DHS addressing the existential threat of an EMP attack so that Americans can be assured they are safe?

Mr. Hentz. Thank you for the question. So what we have done, specifically, is formed a very tight relationship with CISA, who, from the Department, owns the mission space, per the 18 NDA, I believe it was, to ensure that there is a cooperative public-private partnership between their organization and critical infrastructure owner-operators. What we have done, specifically, is a T&E assessment to help with a better understanding of how one might go about shielding their critical infrastructure, how to better obfuscate critical elements that might be subject to EMP, GMD, and other types of solutions, and then working with CISA, propagate that information throughout the mission spaces through which they operate to ensure that everyone has good hygiene practices. But at the end of the day, what we are really driven by is a demand signal from CISA and its mission partners in the field to help inform what our R&D should be.

Mr. Walker. Thank you for that answer. Director Krebs, CISA has started their team closely monitoring the coronavirus, and is working with critical infrastructure partners to prepare for possible disruptions that--they may stem from wide-spread illnesses. How is the agency ensuring the disruptions are minimized to critical infrastructure sectors such as the emergency services sector, or the nuclear reactors, materials, and waste sector, both of which DHS has designated as the sector-specific agency in the event of a large outbreak? Can you address some of that?

Mr. Krebs. Yes, sir. So we established within CISA about--it was early February we stood up an enhanced coordination cell, and designated a mission manager.
So that really was--is the nexus of all COVID-related activity within the agency. Under that we have got a series of lines of effort. The first line of effort is physical protective measures and recommendations. That typically takes CDC guidance, and then applies sector-specific guidance on top. That looks at different business models: ``If you are heavy into public engagement, like a hotel or a sporting venue, here are the things you should be doing.'' But it also looks at industrial environments, including pipelines, chemical, electricity. We also have a line of effort focused on cybersecurity. So, as organizations move to telework, what are the cybersecurity considerations? Because the attack profile changes. You might be using more VPNs, so make sure you have got your Citrix and other VPNs patched, things like that. But also targeting and looking into the phishing campaigns that we have already seen the bad actors using as an incentive or enticement to get people to click on links. We are also looking at these continuity of the economy aspects, as I already talked about, those 4 elements of how a function may be degraded. Then, looking deeply at disinformation, as well, so working with our intelligence community partners of how is disinfo playing out across COVID, and this is important in the election space. Particularly, we had a call last week with about 600 State and local election officials about, you know, what are the hygiene practices they can take, but also what are we seeing in the disinfo space, and how can we dispel any sort of coronavirus or COVID impacts on voter turnout, for instance. You are already starting to see some of those discussions take place into action. Earlier this week Secretary Frank LaRose from Ohio announced that any voting precincts in nursing homes or assisted living communities will be moved out----

Mr. Walker. OK.

Mr. Krebs [continuing]. They will not be taking place.
So we think that is a great outcome that we need to--we want to continue pushing that information----

Mr. Walker. A very thorough answer. My follow-up, would a decrease in funding for fiscal year 2021 threaten the functionality or security of any of these components that you mentioned if an outbreak were to occur?

Mr. Krebs. So I think, based on the 2020 budget, we have been able to build capacity. The 2021 budget will allow us to continue that activity. I think what you would see is enhancements wouldn't be able to happen, necessarily. That is one thing that we are looking at right now on COVID with the National Risk Management Center, in particular, what additional analytic capability do we need to bring in right now to do prospective analysis. That, of course, is going to continue, likely, past the fiscal year break.

Mr. Walker. So security, not necessarily compromised, but enhancements moving forward would be inhibited. Is that fair?

Mr. Krebs. I think steady--it is--you know, we can maintain what we have, but we see the threat landscape shifting, and so, you know, the ability to further invest in capabilities, I think, would benefit.

Mr. Walker. Thank you, Mr. Chairman. I yield back.

Mr. Richmond. Thank you, the gentleman from North Carolina yields back. I now recognize the gentlewoman from Michigan, Ms. Slotkin, for 5 minutes.

Ms. Slotkin. Great. Thanks to both of you for being here. Mr. Hentz, I am interested in this idea of how the Department of Homeland Security can move new ideas, particularly on the issue of border security, new technology that might help us secure our borders more efficiently. How do you take that right now, from pilot project to actual scaled use? It is a problem we have in the Defense Department. I am on the Armed Services Committee. I have a bill that is trying to bridge this gap.
But can you explain to us, and potentially explain some of the gaps we have in going from great idea that maybe the private sector has to a scalable, usable piece of technology?

Mr. Hentz. Sure. So thank you for the question. The first thing that we try to do is get a really refined understanding of what the operational gap is from that component. So, in this case, let's say, we are working with CBP. We established them as a board of director-type member for our innovation approach. What we have done is stood up capabilities such as the Silicon Valley Innovation Program--it is more so about the idea of finding unique innovation in industry--and we paired those innovators, those non-traditional performers, with those operators. Once they completely understand the use case, what we do is almost like a shark tank-like type of approach to determining whether or not their solution is actually, No. 1, usable and effective in an operational environment, and then, No. 2, does it then scale? Now, where the deficiency is, such--I think you are going for, is that we, as an S&T organization, we don't have acquisition authority. So, while we may go off and find these unique end-state types of solutions that are coming out of the emerging market, it is still incumbent upon the operator, like a CBP or a CISA, to program for those acquisitions. Because we don't have that authority, we don't then, by definition, go off and buy that solution for that operational component. So I think that that is one of the main----

Ms. Slotkin. Yes.

Mr. Hentz [continuing]. Deterrence for quick adaptation. The other is more predictability around other transactions authorities. By us using other transactions authorities, or the operators using 880 authority, that would also give the Department a head start, a jump, if you will, where it is not a big, traditional acquisition.

Ms. Slotkin. Yes.
So I am working on a bill with some of my colleagues across the aisle called the Intel at Our Borders Act, which basically requires the Department to provide a comprehensive strategy on how to integrate some of these new, emerging technologies. It is actually something CBP, our local folks in Michigan, the Northern Border, have been super excited about. They have helped us draft the bill. So more to follow, but we would love any notes for the record on what would be helpful for you to actually make this more effective. Director Krebs, I just want to thank you for your approach to this committee. I know it is a strange thing for both of you to be up here sort-of defending your budget which cuts your budget, but knowing that we will put money back in your budget. That is a complicated thing to do, and I want to thank you for having your--I think it is--he is your assistant director for cybersecurity--Bryan Ware came up and did a briefing, sort of a get-to-know-you thing, and that stuff makes such a difference when you are talking to a committee that is looking to help your department. So thank you for doing that. Can you tell me--we--I constantly do these events with my local governments, who feel pretty wholly unprepared to manage cybersecurity on their own. They just--some of them are working part-time, this is not their primary job. They are trying to do their best. I know that we have put in--again, like, this committee has been great about talking about building up resources for our local officials to provide for themselves. But in your perfect world, you know, it seems like we can't keep doing this, where we are expecting really small communities to defend themselves. They hold the private data of our residents. So what has to happen? Where are we going? Help us forecast how we are going to better protect ourselves, since our local communities are on the front lines.

Mr. Krebs.
So it is going to require--and, yes, I think about this almost nonstop, and nowhere is this more acute than in election security, of course, with 8,800 jurisdictions across the country that are managing, in a lot of cases, significantly outdated systems. They are just operating from a lack of funding. So I think there are a couple of challenges here. First is just the governance aspects, when you have just this diversity of ways that States manage, or are able to manage, based on home rule or otherwise, requirements across distributed counties and jurisdictions. There is also a funding issue, of course. The States just have significantly different funding profiles than the Federal Government that can run a deficit. Then, just the availability to services. There is not a lot of acquisition leverage or procurement leverage when you are talking about a local jurisdiction. So, at the governance piece, we are continuing to just raise awareness with State governments, with State legislatures. You know, my theory is that awareness leads to investment, which builds capabilities. We are going to have to continue beating the drum on cybersecurity awareness. That is, I know, sometimes a shocking thing to hear, that people still need to be made aware of cyber risks, but it just--it remains the case. We need the leadership to understand this. The second thing on the funding, understanding that there are a couple different bills floating around on providing grants to State and locals, I think those are certainly useful things we need to work through, and we need to get to a spot where, like FEMA has, the Disaster Relief Fund, you know, what does a cyber equivalent look like? But, at the same time, we are not sitting back and waiting. 
We--in the recent FEMA/Homeland Security grant program, which I am sure you all heard from your chiefs of police and emergency management, we did put some requirements in there for cybersecurity and election security investments, which, over the last 7, 8, probably 10 years, has been a National preparedness report, key area of lack of preparation. Then, last, what more can I do in the Federal Government space to provide additional services out to Federal partners? So the continuous diagnostics and mitigation platform, for instance, is something that we can open up. It is on the GSA schedule, we can do that. Some States don't have the ability to buy from GSA, so we need to change that behavior, but also make things affordable. The DOTGOV Act, which allows for the actual .gov domains to open up. There is a $400 requirement. Four hundred dollars in local jurisdictions in Michigan or elsewhere, that is a difference-maker. That can be, you know, somebody's bonus. So these are the things we need to work through. Then last, we are making--we are working through standing up a protective DNS service for the Federal Government. How do we open that recursive protective DNS program or platform for State and locals, as well? I see centralization and opening up services like that as the key to changing risk outcomes for State and local partners.

Mr. Richmond. The time of the gentlelady from Michigan is expired. I now recognize the gentlelady from Illinois, Ms. Underwood, for 5 minutes.

Ms. Underwood. Thank you, Mr. Chairman. Several weeks ago a school district that serves my community in Crystal Lake, Illinois was hit with a ransomware attack. The school officials did pretty much everything right. They took the servers off-line, they protected sensitive data, they avoided major disruptions in student learning, they planned ahead. They even had a cyber insurance policy.
But it still took over a month to get the student computers back on-line, and the attack cost over $800,000, not all of which is covered by even good insurance. The fact is that ransomware attacks are business, and that business is good. While both CISA and Congress have made important steps, they aren't enough for schools like those in Crystal Lake. So, Director Krebs, can you tell us more about the profile of these kinds of attackers, and are they nation-state actors or affiliates, organized cyber criminals, lone actors? Can you just say something about the----

Mr. Krebs. Yes, ma'am. I am smiling because your ``ransomware is business, and business is good'' line, I have used that before, and it is absolutely what is going on.

Ms. Underwood. Yes, sir.

Mr. Krebs. So the way we look at ransomware right now is there are kind-of 3 things that are going to have to change. First is we have to continue investing in the defensive side. Yes, they did all the right things, but I am sure that, when you go and do the post-mortem, there were elements that could have been implemented to protect. You know, really, what we are finding is just some simple measures like multi-factor authentication, appropriate Windows administration, least privilege, things like that can just stop it from happening, and then go to the next partner. The--or the target. The second thing we have to do is disrupt the economic model, disrupt the business model.

Ms. Underwood. Right.

Mr. Krebs. It--like you said, business is good. That is why it continues. So how do we disrupt that? Are there things we can do, the Congress can do to target the ransomware actors, to take a look at actually paying out ransomware, whether that is a public policy issue or not? I think that is a good question that we need to take a hard look at.
Then the third thing we have to do is what more can the Federal Government do, not just from a defensive side, but from more of an aggressive, almost defend-forward perspective, do to disrupt these behaviors? You know, we know where these guys operate. They are not in the United States, they are in Russia and elsewhere. What can we do to put additional pressure on them from the intelligence community and from the Department of Defense and----

Ms. Underwood. But would you characterize the actors--how would you characterize the attackers themselves?

Mr. Krebs. The actors themselves are criminals.

Ms. Underwood. OK.

Mr. Krebs. They are straight-up criminals. Not necessarily, you know, in this case--you know, I mentioned Russia, so it is not like they are necessarily FSB, but they are cyber criminals operating in the sovereign space of some of our adversaries in some cases.

Ms. Underwood. Yes. So I thank you for outlining those next steps that we can all take to protect our communities and critical assets that we all have within our own organizations from ransomware attacks. I do think that there is more room for leadership from CISA and from law enforcement here.

Mr. Krebs. Yes, ma'am.

Ms. Underwood. My constituents weren't sure, for example, whether to leave the evidence of the attack intact, or to try to get the operation up and running quickly to serve their students. So, if you can just offer, you know, advice for what to do for communities that are experiencing this type of attack----

Mr. Krebs. So we have issued a significant amount of guidance and best practices, not complicated, 80-page guidance stuff, but 1-page, 2-page sort-of guidance for our partners. One thing that I don't think we have explored quite enough is working with you and Congress, understanding the influence you have back home----

Ms. Underwood. Right.

Mr. Krebs [continuing]. With your partners in the school districts and the public health community. Please encourage them to work with us.
There are things that we could do to help them to make sure that they don't have that bad day.

Ms. Underwood. Right.

Mr. Krebs. Because $800,000 to a small community in your jurisdiction----

Ms. Underwood. It is significant.

Mr. Krebs. It is. That can be back-breaking in some cases----

Ms. Underwood. So do you think that there are technical standards that hardware and software products should meet in order to limit their vulnerability to ransomware attacks?

Mr. Krebs. Again, a lot of this ransomware is just a matter of somebody clicking on a link. It is often delivered by spear phishing. In some cases it is delivered by a remote desktop protocol, ports being open, things like that. So this is not necessarily a hard sec or software sec issue. It is configuration. It is Windows administration, Windows administration, Windows administration.

Ms. Underwood. Right.

Mr. Krebs. Those are the sorts of things that we need to invest in. It is just awareness, and how can we just configure from the get-go better postures.

Ms. Underwood. OK. So Mr. Cuccinelli, your colleague, is going to be coming to testify before the larger committee this afternoon, and he has said that CISA has been assessing ``issues of concern,'' potential impacts to infrastructure from coronavirus in the event of significant community spread in the United States. Those are clips of his quotes. Significant community spread is already happening. So, Director Krebs, can you just talk about what impacts to critical infrastructure that you are seeing, and what should our States and localities expect to come in the weeks and months?

Mr. Krebs. Yes, ma'am. So we are trying to break it out from the tactical today, and the PPE, or the personal protective equipment----

Ms. Underwood. Yes.

Mr. Krebs [continuing]. That is out there into the more strategic, longer-term analysis.
I talked about it a little bit earlier, but through our National Risk Management Center, and the National critical functions approach, what we are trying to do is understand what those key elements of degradation might be. We have identified 4 key aspects. The first is disruption of a commodity, of a key commodity, like a widget in a--that would go into a car, some sort of device that would go into a car that would prevent it from rolling off the line, for instance. The second is workforce disruption. So whether it is absenteeism, sick-outs, or other sorts of issues, particularly across different business models. The third and fourth are more about the demand. So, in some cases, like N95 you would have an increase of demand, where you can't meet it.

Ms. Underwood. Right.

Mr. Krebs. Then the other, the fourth element, is a cratering of demand. That could be, in some cases, transportation. So we try to pull those all together. We are seeing automotive, we are seeing IT and comms disruptions, and then also soft goods.

Ms. Underwood. Well, as you are publishing documents to the communities about those, can you keep our committee informed? We appreciate it. Thank you, and I yield back.

Mr. Richmond. The time of the gentlelady is expired. I want to thank the witnesses for their valuable testimony, and the Members for their questions. The Members of the committee may have additional questions for the witnesses, and we ask that you respond expeditiously in writing to those questions. Without objection, the committee records shall be kept open for 10 days. Hearing no further business, the committee is adjourned.

[Whereupon, at 12:13 p.m., the subcommittee was adjourned.]

A P P E N D I X

Questions From Hon. Sheila Jackson Lee for Christopher C. Krebs

Question 1. Director Krebs, I represent Houston, Texas.
It is one of the largest metropolitan cities in the country, hosts one of the busiest international airports and is also home to one of the largest export hubs in America. As of yesterday, there were 13 cases of COVID-19 in Texas. First, what are you doing, and what is the Government doing, to spread true information about the virus and its potential impacts?

Answer. Response was not received at the time of publication.

Question 2. In last week's CISA Insights document, you identified 4 risk management strategies related to supply chain security and the Coronavirus (COVID-19). For the record, can you tell me what advice CISA is giving to help States and industry prepare and be resilient against a COVID-19 pandemic?

Answer. Response was not received at the time of publication.

Question 3. How is the Department of Homeland Security preparing State and local election administrators for the November Election given Coronavirus will still be with us until there is a vaccine?

Answer. Response was not received at the time of publication.