[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
EVOLVING THE U.S. APPROACH TO CYBERSECURITY: RAISING THE BAR TODAY TO MEET
THE THREATS OF TOMORROW
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 3, 2021
__________
Serial No. 117-36
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
47-035 PDF WASHINGTON : 2022
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman

Majority:
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Donald M. Payne, Jr., New Jersey
J. Luis Correa, California
Elissa Slotkin, Michigan
Emanuel Cleaver, Missouri
Al Green, Texas
Yvette D. Clarke, New York
Eric Swalwell, California
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Val Butler Demings, Florida
Nanette Diaz Barragan, California
Josh Gottheimer, New Jersey
Elaine G. Luria, Virginia
Tom Malinowski, New Jersey
Ritchie Torres, New York

Minority:
John Katko, New York, Ranking Member
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Jefferson Van Drew, New Jersey
Ralph Norman, South Carolina
Mariannette Miller-Meeks, Iowa
Diana Harshbarger, Tennessee
Andrew S. Clyde, Georgia
Carlos A. Gimenez, Florida
Jake LaTurner, Kansas
Peter Meijer, Michigan
Kat Cammack, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk
C O N T E N T S
----------
Statements
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Oral Statement
Prepared Statement
The Honorable John Katko, a Representative in Congress From the
State of New York, and Ranking Member, Committee on Homeland
Security:
Oral Statement
Prepared Statement
Witnesses
Mr. J. Chris Inglis, National Cyber Director, Executive Office of
the President of the United States:
Oral Statement
Prepared Statement
Ms. Jen Easterly, Director, Cybersecurity and Infrastructure
Security Agency, U.S. Department of Homeland Security:
Oral Statement
Prepared Statement
Appendix
Question From Honorable Michael Guest for Jen Easterly
EVOLVING THE U.S. APPROACH TO CYBERSECURITY: RAISING THE BAR TODAY TO
MEET THE THREATS OF TOMORROW
----------
Wednesday, November 3, 2021
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC.
The committee met, pursuant to notice, at 10:03 a.m., via
Webex, Hon. Bennie G. Thompson [Chairman of the committee]
presiding.
Present: Representatives Thompson, Jackson Lee, Langevin,
Payne, Slotkin, Cleaver, Green, Clarke, Titus, Watson Coleman,
Torres, Katko, Higgins, Guest, Van Drew, Norman, Miller-Meeks,
Clyde, Gimenez, LaTurner, Meijer, Cammack, Pfluger, and
Garbarino.
Chairman Thompson. The Committee on Homeland Security will
come to order.
I would like to thank National Cyber Director Inglis and
CISA Director Easterly for participating in today's hearing on
how the Federal Government is maturing its approach to securing
Federal networks and critical infrastructure. At the outset, I
would like to commend the administration for its steadfast
commitment to confronting the cybersecurity challenges facing
the Nation, and I would like to thank both of you for the
important role you play. This committee has a long history of
bipartisan collaboration in support of advancing strong, sound
cybersecurity policy, and we look forward to working with both
of you in your respective roles.
Last Congress, Members of the committee worked together to
raise CISA's funding, expand CISA's authorities, and authorize
the National cyber director. With the support of this
committee, CISA worked tirelessly with State and local election
officials to ensure the most secure election in history--during
a global pandemic no less. But late last year, we learned that
the Russian government conducted a sophisticated supply chain
attack and gained access to our Government and private-sector
networks. Only months later, Microsoft disclosed that Chinese
hackers exploited multiple zero-day vulnerabilities in
Microsoft Exchange Servers to gain access to emails and
maintain persistent access to the networks. A series of high-
profile ransomware attacks threatening the fuel and food supply
followed. Just yesterday, voters went to the polls to cast
their ballots even as efforts to push the big lie and erode
public confidence in democratic institutions persist.
These events forced three important conversations: How do
we activate resources and authorities quickly to modernize
Federal network security programs? Does the Federal approach to
securing critical infrastructure, which relies heavily on
voluntary frameworks, serve the National security interests of
the American people? How do we protect public confidence in our
democratic institutions, particularly our elections?
To its credit, the administration has confronted these
challenges head-on, laid out a bold agenda, and put its money
where its mouth is. From the ambitious Executive Order on
Improving the Nation's Cybersecurity, to the National Security
Memorandum on Improving Cybersecurity for Critical
Infrastructure Control Systems, to the pipeline security
directives, the administration is aggressively leveraging
existing authorities to raise the Nation's cybersecurity
posture. Last week, the White House asked Congress to expand
the Environmental Protection Agency's ability to regulate
cybersecurity for the water sector.
Moving forward, I will be interested to know whether you
expect the administration to leverage or seek similar
authorities to impose mandatory cyber standards on other
sectors, and if so, what you expect the role of your
organizations to be in that process.
Given my role on both this committee and the January 6th
Select Committee, I am disturbed by how disinformation fosters
conspiracy theories, divides us, and makes us doubt our
democratic institutions. I will be interested to understand how
CISA's maturing its election security activities, related to
both the security of election infrastructure and its rumor
control efforts.
While I appreciate the administration doing what it can by
leveraging the authorities it has, this committee is working
hard to provide many of the additional authorities necessary
for CISA to take on the challenges ahead. For example,
bipartisan members of the committee offered amendments to the
NDAA that would establish a mandatory cyber incident reporting
framework, authorize the CyberSentry program, and establish the
Joint Collaboration Environment. I am hopeful that today we can
discuss how you will implement those measures when they are
enacted into law, as I expect them to be.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
November 3, 2021
Good morning. I would like to thank National Cyber Director Inglis
and CISA Director Easterly for participating in today's hearing on how
the Federal Government is maturing its approach to securing Federal
networks and critical infrastructure.
At the outset, I would like to commend the administration for its
steadfast commitment to confronting the cybersecurity challenges facing
the Nation, and I would like to thank both of you for the important
role you play.
This committee has a long history of bipartisan collaboration in
support of advancing strong, sound cybersecurity policy, and we look
forward to working with both of you in your respective roles.
Last Congress, Members of the committee worked together to raise
CISA's funding, expand CISA's authorities, and authorize the National
cyber director.
With the support of this committee, CISA worked tirelessly with
State and local election officials to ensure the most secure election
in history--during a global pandemic no less.
But late last year, we learned that the Russian government
conducted a sophisticated supply chain attack and gained access to our
Government and private-sector networks.
Only months later, Microsoft disclosed that Chinese hackers
exploited multiple zero-day vulnerabilities in Microsoft Exchange
Servers to gain access to emails and maintain persistent access to the
networks.
A series of high-profile ransomware attacks threatening the fuel
and food supply followed.
And just yesterday, voters went to the polls to cast their ballots
even as efforts to push the Big Lie and erode public confidence in
democratic institutions persist.
These events forced three important conversations.
How do we activate resources and authorities quickly to
modernize Federal network security programs?
Does the Federal approach to securing critical
infrastructure--which relies heavily on voluntary frameworks--
serve the National security interests of the American people?;
How do we protect public confidence in our democratic
institutions, particularly our elections?
To its credit, the administration has confronted these challenges
head-on, laid out a bold agenda, and put its money where its mouth is.
From the ambitious Executive Order on Improving the Nation's
Cybersecurity, to the National Security Memorandum on Improving
Cybersecurity for Critical Infrastructure Control Systems, to the
pipeline security directives, the administration is aggressively
leveraging existing authorities to raise the Nation's cybersecurity
posture.
Last week, the White House asked Congress to expand the
Environmental Protection Agency's ability to regulate cybersecurity for
the water sector.
Moving forward, I will be interested to know whether you expect the
administration to leverage or seek similar authorities to impose
mandatory cyber standards on other sectors, and if so, what you expect
the role of your organizations to be in that process.
Given my role on both this committee and the January 6th Select
Committee, I am disturbed by how disinformation fosters conspiracy
theories, divides us, and makes us doubt our democratic institutions.
I will be interested to understand how CISA's maturing its election
security activities, related to both the security of election
infrastructure and its rumor control efforts.
While I appreciate the administration doing what it can by
leveraging the authorities it has, this committee is working hard to
provide many of the additional authorities necessary for CISA to take
on the challenges ahead.
For example, bipartisan Members of the committee offered amendments
to the NDAA that would establish a mandatory cyber incident reporting
framework, authorize the CyberSentry program, and establish the Joint
Collaboration Environment.
I am hopeful that today we can discuss how you will implement those
measures when they are enacted into law, as I expect them to be.
With that, I look forward to the testimony from the witnesses and I
yield back.
Chairman Thompson. With that, I look forward to the
testimony from the witnesses and I yield to the Ranking Member
of the full committee, the gentleman from New York, Mr. Katko.
Mr. Katko. Thank you, Chairman Thompson, for hosting this
most important hearing today. Welcome to the witnesses,
Director Inglis and Director Easterly. I am pleased to have
both of you here.
I am going to echo the Chairman's sentiments. This isn't
partisan at all, these are damned good appointments to really
important positions within the cybersecurity realm. I applaud
the administration for doing that.
I appreciate you all being here today to provide testimony
on your strategic goals and discuss how Congress can work with
the administration to secure the cyber threats of tomorrow.
We started off 2021 by uncovering the impact of the
devastating SolarWinds cyber espionage campaign. But, as we
all know, the attacks did not stop there. While they may seem
distant, the Microsoft Exchange vulnerability, Pulse Connect,
and other significant ransomware attacks, including the attacks
on Colonial Pipeline, Kaseya, and JBS, happened this year
alone. As a result, CISA has issued an unprecedented number of
emergency directives, alerts, and advisories regarding serious
vulnerabilities and cyber threats. Just this week, CISA
announced it was issuing a binding operational directive to
quickly remediate known vulnerabilities across the Federal
enterprise, and I applaud that.
The volume of our alerts, advisories, and directives goes
to show the pervasiveness of vulnerabilities affecting owners
and operators of critical infrastructure and Federal networks.
CISA has performed commendable work given the daunting task
it has faced over the past 20 years. This in part has been due
to additional authorities from the Fiscal Year 2021 National
Defense Authorization Act. This includes significant
authorities, such as the ability to issue administrative
subpoenas to notify critical infrastructure entities of
vulnerable devices, as well as the authority to conduct threat
hunting on Federal agency networks without advance notice.
While new authorities are an important piece, CISA must
also be fully funded. I have been a strong proponent of
responsible growth at CISA and I am pleased the House
Committee-passed appropriations bill puts the agency on that
path.
We must also move past bureaucratic turf battles and
remember that cyber incidents are rarely sector-specific. We
need to continue building on the resources within CISA as a
central agency that can quickly connect the dots when a
malicious cyber campaign spans multiple sectors and then share
that information across a broader critical infrastructure
community.
Director Inglis, this is where I expect you to have an
important role. Given your role as a principal advisor for
cybersecurity, the ``head coach'', as I like to call it,
overseeing the entire Federal Government's cybersecurity
mission, it is important that you are setting the tone that
everyone has a role to play and must work together.
I look forward to learning more about the various roles and
responsibilities of your position, the National Security
Council, and the CISA director.
To ensure CISA can successfully carry out its mission, it
needs a higher degree of visibility into cybersecurity threats
and incidents impacting private-sector networks. Increased
collaboration across governments and private industry is
essential. I applaud new initiatives, such as CISA's stand-up
of the Joint Cyber Defense Collaborative.
We also need to ensure the information being shared with
the private sector is timely, actionable, and meets the needs
of a diverse set of cross-sector stakeholders. To be sure, we
need to work on that and get better with that.
It is important that there be a high-value proposition for
entities to partner with CISA. It can't be a one-way street.
I am pleased to have partnered with Chairman Thompson and
Subcommittee Chairwoman Clarke on mandatory cyber incident
reporting legislation, as it will be another important tool for
CISA to have to protect the critical infrastructure community,
but it won't be a silver bullet.
We live in a world of an increasingly interdependent web of
hardware, software services, and other connected
infrastructure. Single points of failure in layers of systemic
importance across this ecosystem leave the potential for
cascading impact, which I have been focusing on legislation
which would require that CISA designate and prioritize risks to
key infrastructure sectors as they work to mitigate cyber risks
across the various industry sectors and Government entities
facing threats from nefarious cyber actors every day.
As CISA nears its whopping third anniversary in a few
weeks, it is incumbent upon Congress to ensure CISA is
appropriately prioritizing its mission space and focusing on
what it does best within its limited resources to address the
most pressing challenges in the evolving threat environment.
Between these two highly-capable witnesses here today,
Director Easterly and Director Inglis, I am confident that our
Federal Government is poised to tackle the growing litany of
cyber threats facing our Nation.
I want to just note from a personal standpoint before I
end, this is the way Government is supposed to work. You all
are getting along and you are working well together. I dare say
you should stand as an example for other agencies to follow,
just like I hope Chairman Thompson and I set an example for
others in Congress, which we hope they would follow more than
they do.
Again, I want to thank you very much for being here today
and I look forward to hearing testimony from both of you.
I yield back.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
Thank you, Chairman Thompson, for hosting this hearing today. Thank
you to Directors Easterly and Inglis for joining us to provide
testimony on your strategic goals and discuss how Congress can work
with the administration to secure the cyber threats of tomorrow.
We started off 2021 by uncovering the impact of the devastating
SolarWinds cyber espionage campaign, but, as we all know, the attacks
did not stop there.
While they may seem distant, the Microsoft Exchange Vulnerability,
Pulse Connect, and other several significant ransomware attacks,
including the attacks on Colonial Pipeline, Kaseya, and JBS, happened
this year alone.
As a result, CISA has issued an unprecedented number of Emergency
Directives, Alerts, and Advisories regarding serious vulnerabilities
and cyber threats. Just this week, CISA announced it was issuing a
Binding Operational Directive to quickly remediate known
vulnerabilities across the Federal enterprise.
The volume of alerts, advisories, and directives goes to show the
pervasiveness of vulnerabilities affecting owners and operators of
critical infrastructure, and Federal networks.
CISA has performed commendable work given the daunting task it has
faced over the past few years. This, in part, has been due to
additional authorities from the Fiscal Year 2021 National Defense
Authorization Act (NDAA).
This includes significant authorities such as the ability to issue
administrative subpoenas to notify critical infrastructure entities of
vulnerable devices, as well as the authority to conduct threat hunting
on Federal agency networks without advanced notice.
While new authorities are an important piece, CISA must also be
fully funded. I have been a strong proponent of responsible growth at
CISA, and I'm pleased the House Committee-passed Appropriations bill
puts the agency on that path.
We must also move past bureaucratic turf battles and remember that
cyber incidents are rarely sector-specific. We need to continue
building on the resources within CISA as the central agency that can
quickly connect the dots when a malicious cyber campaign spans multiple
sectors, then share that information across the broader critical
infrastructure community.
Director Inglis, this is where I expect you to have an important
role. Given your role as the principal advisor for cybersecurity, or as
I like to call it, the head coach, the one overseeing the entire
Federal Government's cybersecurity mission. It's important that you're
setting the tone that everyone has a role to play and must work
together. I look forward to learning more about the various roles and
responsibilities of the NCD, the National Security Council, and the
CISA director.
To ensure CISA can successfully carry out its mission, it needs a
high degree of visibility into cybersecurity threats and incidents
impacting private-sector networks. Increased collaboration across
governments and private industry is essential. I applaud new
initiatives such as CISA's stand-up of the Joint Cyber Defense
Collaborative (JCDC).
We also need to ensure that information being shared with the
private sector is timely, actionable, and meets the needs of a diverse
set of cross-sector stakeholders. It's important that there be a high-
value proposition for entities to partner with CISA--it can't be a one-
way street.
I am pleased to have partnered with Chairman Thompson and
Subcommittee Chairwoman Clarke on mandatory cyber incident reporting
legislation, as it will be another important tool for CISA to have to
protect the critical infrastructure community. But it won't be a silver
bullet.
We live in a world of an increasingly interdependent web of
hardware, software, services, and other connected infrastructure.
Single points of failure and layers of systemic importance across this
ecosystem leave the potential for cascading impact.
Which is why I have been focusing on legislation which would
require that CISA designate and prioritize risks to key infrastructure
sectors as they work to mitigate cyber risks across the various
industry sectors and Government entities facing threats from nefarious
cyber actors every day.
As CISA nears its third anniversary in a few weeks, it's incumbent
on Congress to ensure CISA is appropriately prioritizing its mission
space and focusing on what it does best within its limited resources to
address the most pressing challenges in the evolving threat
environment.
Between the two highly-capable witnesses here today, Director
Easterly and Director Inglis, I am confident that our Federal
Government is poised to tackle the growing litany of cyber threats
facing our Nation.
Again, thank you for being here today, and I look forward to
hearing your testimony.
Chairman Thompson. The gentleman yields back.
Other Members of the committee are reminded that under
committee rules opening statements may be submitted for the
record.
I now welcome our panel of witnesses.
Our first witness is National Cyber Director Chris Inglis.
Director Inglis has over 40 years of Government service,
including 30 years of service in the Air Force. Director Inglis
held singular leadership assignments at the Department of
Defense and the National Security Agency throughout his career,
including deputy director and senior civilian leader.
Our second witness is Cybersecurity and Infrastructure
Security Agency Director Jen Easterly. Director Easterly also
has a strong record of Government service, including two tours
of the White House during both the Obama and Bush Two
administrations. An Army veteran of 20 years of service, she
was responsible for standing up the Army's first cyber battalion and was
instrumental in the design and creation of the United States
Cyber Command.
Before we begin receiving testimony, I would like to
recognize the impressive military service records of both of
our witnesses and thank them, and all veterans, for their
service in advance of Veterans Day next week.
Thank you for your participation here today. I look forward
to your testimony.
Without objection, the witnesses' full statements will be
inserted in the record.
I now ask each witness to summarize their statement for 5
minutes, or do the best you can, beginning with Director
Inglis.
STATEMENT OF J. CHRIS INGLIS, NATIONAL CYBER DIRECTOR,
EXECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATES
Mr. Inglis. Chairman Thompson, Ranking Member Katko,
distinguished Members of the committee and staff, thank you for
the privilege to appear before you today and the honor to
appear alongside Director Easterly. I am eager to update you on
the Biden/Harris administration's progress in standing up the
new Office of the National Cyber Director and to discuss the
administration's approach to cybersecurity.
The President's commitment to cybersecurity is a matter of
National security and is an issue of concern to all Americans,
as evidenced by the positions he created, the appointments he
made, as well as by the speed with which the administration
continues to modernize defenses and bolster our security.
I am of course appearing before you today as the inaugural
National cyber director, a position this Congress created in
January, confirmed for me in June after nomination by President
Biden. I am grateful for the confidence that the President and
the Congress have placed in this role, for the opportunity to
bring it to life, and for the cybersecurity and critical
infrastructure resilience investments you are endeavoring to
make in the proposed Infrastructure Investment and Jobs Act,
and elsewhere. I remain committed to engaging with you as we
can on these critical and shared imperatives.
To that end, I am pleased to tell you that the new office
is making progress as a full-fledged leader in these imperatives.
On Thursday, October 28 we publicly released the National cyber
director's first strategic intent statement, which outlines the
strategic approach and the scope of the work that I intend the
office to undertake. At the same time, we announced the
designation of Chris DeRusha as the deputy National cyber
director for Federal cybersecurity, a dual-hatted title that
he will hold along with his current role as the Federal chief
information security officer. We will create unity of effort
and unity of purpose in our shared mission to ensure the
security of Federal networks. Both of these announcements lay
the groundwork for the office's approach, but are certainly not
the sum total of our intended endeavors. We continue to build
out the National cyber director team and, equally important,
relationships with key partners inside and outside of the
Federal Government and will follow up in the very near future
with a more concrete comprehensive description of our
priorities and the strategic objectives that will guide our
work for years to come.
The Office of the National Cyber Director is of course
currently constrained by the lack of an appropriated budget and
we continue to work with Congress to secure the resources we
need to bring on key staff. Beyond the constraint this places
on our ability to hire key staff members, make necessary
procurement and acquisitions, and find permanent office space
for our future, the lack of appropriations inhibits our ability
to plan and delays our ability to quickly and fully make the
expected contributions of the National cyber director.
That limitation notwithstanding, I am pleased to inform the
committee that we have built a robust pipeline of talent and
once appropriations are available expect to reach a total of 25
personnel on board by the end of December and a full complement
sometime later in fiscal year 2022.
As I have testified previously to the Senate Homeland
Security and Governmental Affairs Committee, the National cyber
director looks to four key outcomes as its benchmark of
success. Given the foundations that these priorities establish
for accountability of the National cyber director, I will
comment briefly on them here.
First, the Office will drive coherence across the Federal
enterprise, ensuring that we build, operate, and defend digital
infrastructure under control of the Federal Government and
support the private security with unity, purpose, effort, and
messaging.
Second, we will zero in on improving private-public
collaboration, supporting and building on the work of CISA and
others.
Third, in close collaboration with the Office of Management
and Budget, we will ensure that the U.S. Government is aligning
its resources to its aspirations and accounting for the
execution of cyber resources entrusted to its care.
Finally, the Office will work to increase present and
future resilience not only within the Federal Government, but
across the American digital ecosystem, in technology, the
skills of our people, and in roles and responsibilities. This
is, of course, a big task which we have initiated by exercising
incident response and planning processes and we will continue
to evolve these processes so they are future-proofed for
tomorrow.
None of this work occurs in a vacuum and much of the credit
for progress in developing these themes and in the work of
putting them into practice must go to my partners on the
National Security Council, my colleague sitting alongside me,
Director Easterly, and many others serving in the Federal cyber
ecosystems. The challenges we face are daunting and overcoming
them will require realizing a digital ecosystem that is
resilient by design and robustly defended, a policy and
commercial environment that aligns actions to consequences, and
ensuring that public and private sectors proactively and
decisively collaborate.
Although the Office of the National Cyber Director is a
young and still small office, we have made significant progress
and are building robust relationships with our inter-agency
partners. When funding is in place and with the continued
leadership and support of this Congress, the ONCD will be in a
strong position to lead in enhancing the security and
resilience of our Nation's cyber ecosystem.
I thank you for the opportunity to testify before you
today. I look forward to your questions.
[The prepared statement of Mr. Inglis follows:]
Prepared Statement of J. Chris Inglis
November 3, 2021
Chairman Thompson, Ranking Member Katko, distinguished Members of
the committee, and your staff--thank you for the privilege to appear
before you today, and the honor to appear alongside Director Easterly.
I am eager to update you on the Biden-Harris administration's progress
in standing up the new Office of the National Cyber Director (ONCD) and
to discuss the administration's approach to cybersecurity. The
President's commitment to cybersecurity as a matter of National
security is evident both by the positions he created and appointments
he made, as well as the unmatched speed with which the administration
continues to act to modernize our defenses and bolster our security in
11 short months.
But first, I wanted to recognize the history of this particular
moment. I am appearing before you as the first National cyber director
(NCD), a position the Congress created just last year, and then
confirmed me for following my nomination by President Biden. I am
grateful for the confidence that the President and Congress have placed
in me in this role, as well as for the cybersecurity and critical
infrastructure resilience investments that you are endeavoring to make
in the proposed Infrastructure Investment and Jobs Act and elsewhere. I
remain committed to engaging with you as we take on these critical,
shared imperatives.
To that end, I am pleased to tell you that our new office is making
progress as a full-fledged leader in those imperatives. On Thursday,
October 28, I released the NCD's first Strategic Intent Statement,
which outlines at a high level the strategic approach and scope of work
I expect my office to undertake. At the same time, I announced the
designation of Chris DeRusha as a deputy National cyber director for
Federal cybersecurity, a dual-hatted title he will hold along with his
current role as Federal chief information security officer, creating
unity of effort and unity of purpose in our shared mission to ensure
the security of Federal networks. Both of these announcements lay the
groundwork for the ONCD's approach but are certainly not the sum total
of our endeavors. We will continue to build out our leadership team and
our strategic intent will soon be followed by a more concrete,
comprehensive description of our priorities and strategic objectives
that will guide our work for years to come.
While we will continue working with Congress to secure the
resources we need to bring on key staff, I am pleased to inform the
committee that we have built a robust pipeline of talent and expect to
reach a total of 25 personnel on board by the end of December.
Additionally, with limited funds from the President's Unanticipated
Needs Fund, we have procured an office suite for the Office of the
National Cyber Director at the 716 Jackson Place Townhome within the
White House complex. I would emphasize, however, that without
appropriations, we remain limited in our ability to hire key staff
members, make necessary procurement and acquisitions, and find
permanent office space for our future, full complement of staff. More
fundamentally, the lack of appropriations inhibits our ability to plan
and delays our ability to quickly and fully realize the role of the
NCD.
As I have testified previously to the Senate Homeland Security and
Government Affairs Committee, the ONCD looks to four key outcomes as
its benchmark of success. Given the foundations these priorities
establish for ONCD accountability, I will comment on them here.
First, the ONCD will drive coherence across the Federal
cyber enterprise--from coordinating with NIST in standards and
guideline development, harmonizing our approach to supply chain
risk management, supporting the Cybersecurity and
Infrastructure Security Agency (CISA) in providing operational
support to Federal agencies, and working in partnership with
OMB to resource these key cybersecurity initiatives. This means
ensuring that the Government is speaking with one voice, moving
in the same direction, and, to the greatest extent practicable,
sharing common priorities by which we can organize our
collective efforts for maximum possible effect. Acting with
unity of purpose and effort in the defense of our digital
infrastructure is an absolute imperative.
Second, the ONCD will ensure the continued improvement of
public-private collaboration in cybersecurity. We will work
closely with Director Easterly, CISA, the National Institute of
Standards and Technology (NIST), and Sector Risk Management
Agencies and seek to expand engagement and partnership across
sectoral lines to new levels--because tackling the cyber
challenges we face demands nothing less. The new Joint Cyber
Defense Collaborative (JCDC), hosted by CISA and leveraging
authorities, capabilities, and talents of the Federal cyber
ecosystem in partnership with industry, will play an important
role in this effort, and I look forward to working with the
JCDC and other associated initiatives to ensure synergy across
the Federal Government.
Third, we will ensure that the U.S. Government is aligning
our cyber resources to our aspirations and accounting for the
execution of cyber resources entrusted to our care. We are in
close discussions with OMB on how best to exercise the National
Cyber Director's budget review and recommendations authority to
identify investments that warrant an increase and those that
may not be having the intended impact or effect. The ONCD
intends to work with and through OMB in assessing and
evaluating the performance of these investments and advising
departments and agencies on recommended changes and updates in
alignment with administration priorities.
Finally, the Office will work to increase present and future
resilience of technology, people, and doctrine, not only within
the Federal Government, but also across the American digital
ecosystem. We expect to do this by identifying common, emerging
priorities in partnership with relevant departments and
agencies and planning strategic, Government-wide initiatives to
address them. That is a big task for which we will start by
exercising our incident response and planning processes, and we
hope to soon be working to ensure our workforce, technologies,
and our structures and organizations are not only fit for
purpose today, but are prepared for the challenges of tomorrow.
None of this work occurs in a vacuum, and much of the credit for
progress in developing these themes and in the work of putting them
into practice must go to my partners at the National Security Council,
my colleague sitting alongside me--Director Easterly--and many others
serving in the Federal cyber ecosystem.
Attempting to subvert this cyber ecosystem is attractive to our
adversaries and frustrating to our allies because of how difficult it
is for any one country or entity to have the benefit of a complete
picture of actions and actors across its shared spaces. Cyber space
allows a reach and efficiency of scale unrivaled in any other domain,
meaning that our geopolitical competitors can have global reach and
strategic effect; criminals and malicious actors can wield an
unprecedented level of influence, impact, and coercion.
The general strategic imperatives emerging in response to these
threats include ensuring our digital infrastructure is resilient by
design, proactively defended by collaborative coalitions, and
backstopped by a doctrine that delivers benefits for good behavior and
costs for bad. For the committee's consideration, I submit there are
three categories of threat that are systemic, enduring, and globally
diffuse in nature and warrant continued effort and attention.
First is the vulnerability of our software supply chains. As
we saw with the SolarWinds intrusion, sophisticated malicious
actors are exploiting security and quality control seams among
software service providers and software development pipelines,
affording those actors the ability to rapidly ``scale up'' the
reach and depth of their malicious activities across our
digital ecosystem.
Second is the pervasive vulnerability of the products and
devices that enable opportunistic cyber attacks typified by
ransomware actors and more sophisticated actors alike. Poor
security practices, insecure design, short-sighted approaches
to doctrine, and a lack of cyber talent among the workforce
remain widespread, even in the face of known flaws,
shortcomings, and vulnerabilities. Propagating best practices--
including enforcing accountability for those who do not adhere
to those practices--will be critical to righting the ship.
Finally, we must remain laser-focused on maintaining the
integrity of our information and telecommunications
infrastructure against high-risk actors. Large portions of the
hardware supply chain underpinning our most critical such
technologies are located in countries that could leverage it
for intelligence gathering or disruption at global scale.
These threats are serious and are receiving urgent and aggressive
attention from the Biden-Harris administration. The administration is
also, however, looking beyond these immediate threats and toward how to
shape the future of cyber space so that such threats are systemically
blunted or mitigated. This requires not only a thorough understanding
of the nature of the threats, but also a clear vision for our digital
ecosystem and what we want that ecosystem to achieve. With such a
vision, we can pursue the fundamental, systemic changes necessary to
realize the digital future in which we want to live. Such changes
require clarity of accountability and depth of collaboration.
Accountability must flow in both positive and negative directions.
It is rarely clear what it means to ``do the right thing'' when
preparing or responding to a cyber incident, and harder yet to
celebrate the benefits of an attack avoided. Conversely, the
consequences for failing to take appropriate security steps are not
always clear, even for those who knew (or should have known) how to
secure their systems and who had the resources to do so, yet still
chose not to do it. A key priority for the ONCD will be examining roles
and responsibilities between the public and private sectors so as to
make the required clarity of responsibility more actionable. It is an
oft-cited statistic that 85 percent of our critical infrastructure is
owned and operated by the private sector, and that privately-owned
critical infrastructure is increasingly core to the Government's
imperative to protect and provide for National security. Shared defense
is not a choice, but an imperative.
Incorporating these lessons into a modern social contract will also
require us to consider which stakeholders in the digital ecosystem
should be held accountable for what magnitude of responsibilities. As I
articulated in our office's first Strategic Intent Statement, the
complexity of our challenges in cyber space has too often resulted in
responsibility for systemic cyber risk being devolved onto the
smallest, least-sophisticated actors: Individuals, small businesses,
and local governments. The potential consequences of one key
individual's password being compromised are simply too grave; tools
like multi-factor authentication are a critical means to staunch the
bleeding, but are not in and of themselves a systemic remedy. It is
unreasonable to ask everyday Americans to maintain constant digital
vigilance without also looking to key stakeholders to shoulder a
greater share of this ecosystem-wide burden, especially those firms
charged with operating and securing our information and communications
systems and networks. How and where this burden reallocation should
happen will be one of our preeminent objectives.
To achieve these and other objectives, it is clear that more
routine and explicit statements of priorities and guidance on a year-
to-year basis will support Departments and agencies in their efforts to
set their own planning and operational priorities. The Federal
Government undertakes a vast array of actions and programs to support
and defend the private sector in cyber space; ensuring coherence across
these lines of effort will be key in ensuring these initiatives are
always mutually supporting and never redundant. Realizing this unity of
effort and unity of purpose will continue to be a core guiding
principle in all that we do. We have the good fortune of having a
number of capable agencies at the forefront of securing and defending
cyber space--CISA, FBI, Department of Defense, the National Security
Agency, Department of Energy, and NIST, among others--whose roles
complement one another and who, working together, strengthen our
defense of cyber space in ways that could not happen if they were in
competition or isolation. The more we can support these agencies'
synchronized efforts and partnerships, with each other and the private
sector, the greater the return on our investment will be for the
American people.
The Biden-Harris administration has already made progress in
addressing these issues and countering the threats we face in cyber
space--most recently during last month's 30-nation summit on
ransomware. On May 12, 2021, President Biden issued Executive Order
14028, Improving the Nation's Cybersecurity, taking bold, aggressive
action to transform Federal Government cybersecurity for the better,
and through that, to improve the security of critical infrastructure
for all Americans. Since the President signed the Order, OMB, CISA,
NIST, and others in the interagency have worked tirelessly to ensure
its successful implementation. This includes developing contracting
requirements, implementation guidance, cybersecurity expectations,
information-sharing improvements, and incident notification
requirements. Our expectation is that the Federal Government's
purchasing power is great enough that the requirements in the Executive
Order will drive improvements throughout industry, even outside of
direct contractual relationships with the Government.
The President has also taken aggressive action to secure the
Nation's critical infrastructure. His Industrial Control Systems
Cybersecurity Initiative has already driven improvements in the
electricity and pipeline subsectors and will soon expand to other
areas. On July 28, he signed a National Security Memorandum on
Improving Cybersecurity for Critical Infrastructure Control Systems,
which among other things directed CISA and NIST to develop performance
goals for critical infrastructure cybersecurity. Director Easterly can
give you more details about the terrific progress CISA and NIST have
made in this area.
Steps like these are critical to ensuring that critical
infrastructure owners, whether public or private sector, implement
necessary security measures and become more accountable for their
responsibility to the broader economic and digital ecosystem in which
they reside. The importance of this dynamic has been reinforced by
recent ransomware attacks against critical infrastructure entities. The
Colonial Pipeline attack was a stark illustration of how the
increasingly digitized nature of every part of our commercial ecosystem
can create cascading, physical consequences. We hope that this real-
world example will catalyze stakeholders across the public and private
sectors to implement security controls commensurate with the importance
of their operations.
These are daunting undertakings, and overcoming them will require
realizing a digital ecosystem that is resilient by design, a policy and
commercial environment that aligns actions to consequences, and
ensuring public and private sectors are postured to proactively,
decisively collaborate. Although the Office of the National Cyber
Director is a young and still small office, we have made significant
progress, and are building robust relationships with our interagency
partners. When funding is in place, and with the continued confidence
and support of this Congress, ONCD will be in a strong position to lead
in enhancing the security and resilience of our Nation's cyber
ecosystem. Thank you for the opportunity to testify before you today,
and I look forward to your questions.
Chairman Thompson. Thank you.
Director Easterly.
STATEMENT OF JEN EASTERLY, DIRECTOR, CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND
SECURITY
Ms. Easterly. Great. Thank you.
Chairman Thompson, Ranking Member Katko, Members of the
committee, thanks very much for the opportunity to testify
today.
I am really thrilled to be here as your partner in
protecting the American people from cybersecurity threats. We
know that cybersecurity is a team sport, so I am also honored
to testify before our Nation's first cyber director, my
teammate and friend, Chris Inglis.
I want to start by also thanking this committee for your
steadfast support in ensuring that CISA has the resources and
authorities needed to carry out the critical and substantial
mission of the agency.
As you know, CISA serves both as the operational lead for
Federal cybersecurity and as the National coordinator for
critical infrastructure security and resilience. Our goal is to
lead the National effort to understand, manage, and reduce risk
to the cyber and physical infrastructure that Americans rely on
every hour of every day. The mission is challenging to execute
and the stakes couldn't be higher if we fail.
Our mission can only be accomplished through strong
collaborative partnerships and collaboration is built into our
DNA at CISA. Partnerships are our strength, our ability to
share information broadly about threats and vulnerabilities to
enable early warning and prevent other victims from getting
attacked. This is what I consider one of CISA's most important
superpowers, our authorities to share information broadly with
a variety of key stakeholders.
Now, as we evolve our approach to cybersecurity, my goal as
director is to fundamentally shift the paradigm from public-
private partnership into public-private operational
collaboration. From information sharing into information
enabling. Timely, relevant, and most importantly, actionable
data that network defenders can use to increase the security
and resilience of their networks.
Powering this shift is the new Joint Cyber Defense
Collaborative, or JCDC, built off the concept of the Joint
Cyber Planning Office. Authorized and resourced by Congress,
the JCDC is driving two key changes. First, it is the only
Federal cyber entity that by statute is required to bring
together the capabilities across the Federal Government, State
and local partners, and our Nation's critical infrastructure
owners and operators. We are working closely with the largest
cloud providers, internet providers, cybersecurity companies,
and Federal partners, like FBI, NSA, and the National Cyber
Director, to take collective action against urgent cyber risks.
Second, it is the first effort to focus on creating,
exercising, and executing cyber defense plans that proactively
address risk before an incident occurs. This effort is a major
step forward, leveraging unique capabilities of Government and
the private sector to drive risk reduction at scale.
We are already yielding positive results. We are validating
and sharing information across broad swaths of partners in
multiple sectors and producing measurable mission impact. Last
month we utilized JCDC partner information with FBI and NSA to
develop and issue joint guidance against BlackMatter ransomware
that critical infrastructure entities are actively using to
protect themselves.
Going forward we are going to focus on defining a robust
planning agenda and producing plans to adjust ransomware risks
and threats to cloud infrastructure.
We are also taking urgent steps to reduce National
cybersecurity risks. This morning we issued a new Binding
Operational Directive that fundamentally changes how the
Federal civilian Government addresses vulnerabilities being
actively exploited by our adversaries. Under this directive
Federal agencies must now fix vulnerabilities identified by
CISA within specified time frames and update their security
programs to effectively account for these requirements. This
directive will significantly improve the Federal Government's
vulnerability management practices and degrade our adversaries'
ability to exploit known vulnerabilities. While the BOD only
covers Federal civilian agencies, we strongly recommend that
every network defender review the known vulnerabilities posted
publicly at CISA.gov and prioritize urgent remediation.
I was gratified to see significant reports for this
directive, to include from this committee.
I also consider our partnership with Congress, and
specifically this committee, as absolutely essential to CISA's
mission success. Last year's NDAA included significant new
authorities for CISA, to include the administrative subpoena.
We have issued over 30 of these that have directly resulted in
mitigation of numerous vulnerable devices. We are also
positioning CISA to conduct persistent hunt across Federal
civilian networks through deployment of end-point detection and
response tools.
Another critical factor is our people. I want to make CISA
the place where the Nation's best cyber defenders and security
professionals want to work. We are making positive strides on
this front. Just last week we announced that Washington
Secretary of State Kim Wyman will be joining CISA to lead our
election security efforts. I am thrilled about welcoming her to
the team at the end of this month.
I am also pleased to finally leverage the Cyber Talent
Management System later this month. CTMS will help CISA cut
time to hire, reduce bias, and ensure that we are assessing the
right skills while enhancing work force diversity. There are a
number of areas where we must continue strengthening CISA and I
am grateful for the committee's work to advance key legislative
priorities, including cyber incident reporting, new State and
local government cybersecurity grant opportunities, and
codifying key CISA ICS authorities, like the CyberSentry
Program.
You have my commitment to continue working together as
partners to advance these and other crucial legislative
priorities.
Thank you again for the opportunity to appear before the
committee today. I look forward to your questions.
[The prepared statement of Ms. Easterly follows:]
Prepared Statement of Jen Easterly
November 3, 2021
Chairman Thompson, Ranking Member Katko, and Members of the
committee, thank you for the opportunity to testify on how the
Cybersecurity and Infrastructure Security Agency (CISA) is positioned
to enhance the security and resilience of our Nation's Federal networks
and critical infrastructure.
I am truly honored to appear before this committee today to share
my vision for CISA. Since being sworn in as director in July, I
continue to be impressed with the talent, creativity, and enthusiasm of
the dedicated CISA employees I am entrusted to lead. As I have shared
with my team every day, I have the best job in Government.
At CISA, our mission is to lead the National effort to understand,
manage, and reduce cyber and physical risk to our critical
infrastructure. Our vision is a secure and resilient critical
infrastructure for the American people. At the heart of this mission is
partnership and collaboration. Securing our Nation's cyber and critical
infrastructure is a shared responsibility, and has never been more
important than it is today. At CISA, we are challenging traditional
ways of doing business and are actively working with our Government,
industry, academic, and international partners to move from traditional
public-private partnerships to public-private operational
collaboration.
who we are
Established by the CISA Act of 2018, CISA is the Nation's
Cybersecurity and Infrastructure Security Agency.
While our programmatic mission areas deal in cyber defense,
infrastructure security, and secure and interoperable communications,
holistically, as one CISA, the organization is composed of teams of
individuals with expertise across a wide spectrum of professional
backgrounds and disciplines. Each and every one of them relies on each
other to achieve our shared objectives. We recognize the connective
tissue that binds us together and ensures we are able to be successful
in our mission to lead the National effort to understand, manage, and
reduce risk to the cyber and physical infrastructure Americans rely on
every hour of every day. Our core values represent the fundamental
tenets of our CISA organization: Collaboration, innovation, service,
and accountability. Living these core values every day with a growth
mindset is the pathway to our mission success.
To achieve success in our cybersecurity mission, we build the
National capacity to defend against cyber attacks and work with our
Federal partners and provide them with cybersecurity tools, incident
response services, and assessment capabilities to safeguard the Federal
civilian Executive branch networks that support our Nation's essential
operations. We strengthen our Nation's cyber defense by leading asset
response for significant cyber incidents and ensuring that timely and
actionable information about known cyber threats and incidents is
shared with Federal and State, local, territorial, and Tribal (SLTT)
officials, as well as our international and private-sector partners, to
ensure the security and resilience of our critical infrastructure.
Within our infrastructure security mission, we enhance the
protection of critical infrastructure from physical threats through
enabling risk-informed decision making by owners and operators of
critical infrastructure. Our activities include conducting
vulnerability assessments, facilitating exercises, and providing
training and technical assistance Nation-wide. Our infrastructure
security program leads and coordinates National efforts on critical
infrastructure security. This includes reducing the risk of successful
attacks against soft targets and crowded places, such as in our
schools, and from emerging threats. CISA also leads efforts to secure
our Nation's chemical sector infrastructure, enhancing security and
resilience across the chemical industry to reduce the risk of hazardous
chemicals being weaponized. To this end, CISA has developed voluntary
and regulatory programs and resources to help stakeholders--private
industry, public sector, and law enforcement--secure chemical
facilities from many threats: Malicious cyber activity, biohazards,
insider threats, and theft and diversion.
Key to success in our cybersecurity and infrastructure security
mission is identifying and understanding risk, especially risk that is
systemic to our Nation's critical networks and infrastructure. CISA's
National Risk Management Center leverages sector and stakeholder
expertise to identify the most significant risks to the Nation, and to
coordinate risk reduction activities to ensure critical infrastructure
is secure and resilient both now and into the future. The goal of the
NRMC is to create an environment where Government and industry can
collaborate and share expertise to enhance critical infrastructure
resilience by focusing on collective risk to National Critical
Functions including through key initiatives such as election security,
Fifth Generation Network technology, supply chain risk mitigation, and
more.
Our emergency communications mission works to ensure reliable and
resilient, real-time information sharing among first responders during
all threats and hazards. CISA enhances National security and public
safety interoperable communications at all levels of government across
the country through training, coordination, tools, and guidance. We
lead the development and implementation of the National Emergency
Communications Plan to maximize the use of all communications
capabilities available to emergency responders--voice, video, and
data--and ensure the security of data and information exchange. CISA
assists emergency responders and relevant Government officials with
communicating over commercial networks, using priority
telecommunications services during natural disasters, acts of
terrorism, and other man-made disasters.
Underpinning our mission is CISA's commitment to preserving
individual privacy, civil rights, and civil liberties protections in
our operations and our engagements. We recognize that when Congress
statutorily required CISA to have a privacy officer for the agency that
we needed to--by default--fully integrate privacy, civil rights, and
civil liberties protections into everything we do. We are proud of the
fact that a number of our activities have the added benefit of
enhancing privacy, civil rights, and civil liberties.
threat landscape
In our globally interconnected world, our critical infrastructure
and American way of life face a wide array of serious risks with
significant real-world consequences. Today, the critical functions
within our society are built as ``systems of systems,'' complex designs
with numerous interdependencies and systemic risks that can have
cascading effects. This is something we have known for years as nation-
state actors and criminals increasingly leverage both cyber space and
traditional physical means in their attempts to subvert American power,
American security, and the American way of life. Many of these
challenges are exacerbated by the COVID-19 pandemic, which has led to
an unprecedented number of Americans working from home, meaning the
potential for malicious actors to exploit vulnerabilities has expanded
exponentially. Additionally, we are realizing the impact of climate
change on our National security and economic prosperity interests, and
must work with the infrastructure security and resilience community to
mitigate them--through planning efforts that include community
resilience, and a whole-of-Government guidance and information-sharing
effort.
At the same time, ransomware has become a scourge on nearly every
facet of our lives, and it's a prime example of the vulnerabilities
that are emerging as our digital and our physical infrastructure
increasingly converge. Earlier this year, we saw the Colonial Pipeline
attack shutter gas stations along the East Coast and the JBS attack
cause certain food prices to rise. We have also seen ransomware attacks
on schools, police departments, hospitals, and small businesses around
the country, and they are growing in number, scale, and sophistication.
Disrupting this scourge requires a whole-of-Nation effort, and the
Department of Homeland Security (DHS) helps lead that effort, and led
the development of a whole-of-Government website, stopransomware.gov,
which provides users with a central, authoritative source for guidance,
toolkits, and other resources from across the Federal Government.
CISA's mission focuses on raising awareness before disaster strikes,
and supporting victims when it does. We help potential victims
understand their risk, reduce vulnerabilities, and mitigate the impact
if they are attacked. When attacks threaten our critical infrastructure
or National critical functions, we offer on-site assistance to help
victims get back on their feet and share operationally relevant
information with our partners and the public to prevent the spread to
other potential victims and sectors. Our partners can use these
resources to reduce the risk and impact of ransomware attacks.
While cyber intrusions and ransomware dominate the recent
headlines, physical threats to our people and our critical
infrastructure remain a top concern. Terrorism, mass shootings, and
other forms of targeted violence continue to threaten our schools,
places of business, houses of worship, and other soft targets and
crowded places. In 2020 alone, there were more than 12,000 explosive-
related incidents and more than a 70 percent increase in domestic
bombings, according to the Department of Justice's U.S. Bomb Data
Center. These types of physical threats can cause mass casualties, lead
to hundreds of millions of dollars in damage, and cause cascading
damage across vital physical and cyber infrastructure. From a broader
perspective, as modern threats become more sophisticated, it is
important to stay vigilant and take proactive measures to enhance the
security and resilience of our communities and critical infrastructure.
The risks we face today are complex. They are dispersed both
geographically and across a variety of stakeholders. They are
challenging to understand, and even more difficult to address. But here
at CISA we have an incredible team ready to execute our mission in
collaboration with a diverse group of partners across all sectors. CISA
will continue to support and empower our partners to secure and defend
America's cyber ecosystem and critical infrastructure. While we face an
array of cyber and physical threats, our adversaries continue to push
mis- and disinformation in an attempt to divide Americans and cast
doubts about the legitimacy of our elections and our democratic
processes, among other issues. These are just a few of the threats we
face, and tackling them is no easy feat. It will take teamwork and a
relentless dedication to our mission. Fortunately, in my first 100+
days at CISA, it's become clear that we are up to the challenge.
priorities
For me, it was clear from my first days as director that people are
CISA's No. 1 asset. My goal is for CISA to be the place where our
Nation's best cyber defenders and security professionals want to work.
I am intently focused on building a culture of excellence that prizes
teamwork and collaboration, innovation and inclusion, ownership and
empowerment, transparency and trust. To that end, we are committed to
attracting and retaining world-class talent by implementing a vibrant,
end-to-end talent management ecosystem that spans from
recruiting and hiring, to on-boarding and integration, mentorship and
coaching, certification and training, recognition and promotion, and
succession planning and retention.
Even as we focus on cultivating our workforce of today, it is
important to recognize that our efforts also play an important role in
helping build the cyber workforce of tomorrow. On November 15, 2021,
the Department will launch the Cybersecurity Talent Management System
(CTMS) and begin hiring employees in the DHS Cybersecurity Service
(DHS-CS). DHS, including CISA, will use this system to grow the future
cybersecurity workforce with greater flexibility to attract and retain
the best cyber talent.
As one of the early women graduates of West Point, I have a deep
appreciation for the importance of having diversity of background and
experiences represented in the room when key decisions are made. That
is why I am focused on keeping hiring centered around diversity by
hosting specialized events, applying innovative sourcing techniques,
and implementing branding campaigns as a means of attracting top
talent. I will continue working to employ new and innovative
recruitment and hiring strategies that cut the time to fill positions,
reduce bias, and decrease unnecessary assessment while enhancing the
diversity of our workforce. My vision is to make CISA a leader in
diversity among both the Federal Government and the broader tech
workforce.
Collaboration to achieve these workforce and diversity goals is
fundamental. So are our efforts to build relationships, trust, and
connectivity with State and local officials, private sector, and our
interagency partners. CISA is meant to be an agency that is agile,
flexible, and able to respond quickly to changing threats through
collaboration with both the public and private sectors. And, to this
end, we sustain our trusted and effective partnerships between
Government and the private sector, which are the foundation of our
collective effort to protect the Nation's critical infrastructure. With
large portions of critical infrastructure in our country owned and
operated by the private sector and municipalities, those partnerships
are vital to ensuring a safe and secure America. Our partners bring
expertise and a unique ability to drive climate change impact and cyber
defense activities in their jurisdictions, and it is precisely this
assembly of knowledge that will allow us to be better prepared to
achieve deep operational collaboration that ultimately reduces the
greatest risks to our Nation.
updates and accomplishments
There is a lot of good work being done at CISA. I am particularly
proud of the agency's efforts to stand up a new initiative called the
Joint Cyber Defense Collaborative or JCDC, meet important deadlines
from President Biden's Executive Order on Improving the Nation's
Cybersecurity, and expand and strengthen key partnerships during my
first 100 days. Allow me to elaborate on each of these accomplishments.
In August, CISA launched the JCDC, which unifies cyber defense
capabilities currently spread out across multiple Federal agencies,
many State and local governments, and countless private-sector
entities. It also leads the development of our Nation's cyber defense
plans by working across the public and private sectors to unify
deliberate crisis and action planning, while coordinating an integrated
execution of these plans. Our goal with the JCDC is to bring together
key Federal partners with private sector and SLTT partners who have
critical visibility and ability to understand the threat landscape by
virtue of their businesses and responsibilities, and to plan and
exercise against the most serious threats to our Nation.
The JCDC's initial focus is on tackling ransomware and developing a
planning framework to coordinate incidents affecting cloud service
providers. Almost 2 months into this collaboration, we are already
seeing good progress. Our relationships with our private-sector
partners continue to grow as we share more information and collaborate
around key operational issues. We are also validating and sharing
information daily across broad swaths of partners in multiple sectors.
For example, last month, CISA, the Federal Bureau of Investigation, and
the National Security Agency issued guidance to help critical
infrastructure entities protect themselves against BlackMatter
ransomware as a service, using information provided by JCDC members.
While it is early days, the JCDC is already leveraging the skill
sets, expertise, capabilities, and visibility of its members to better
protect critical assets against cyber threats. This shifting paradigm
will enable us to transform public-private partnerships into public-
private joint action, and information sharing into information
enabling--timely, relevant, and actionable. Together, Government at all
levels, industry, and our international allies--because cybersecurity
does not begin or end at our borders--will bring to bear our collective
capabilities to sustainably shift the balance of power in favor of
cyber defenders. We will plan together, exercise together, and act in
unison to address both immediate threats and overcome longer-term
strategic and systemic cybersecurity challenges. Ultimately, we
envision that this integrated public-private collaboration will drive
the collective defense of cyber space to create a secure and resilient
cyber ecosystem for all Americans, and we look forward to expanding
this operational collaboration going forward.
Election security also remains a top priority for CISA. As you
know, a number of elections concluded just yesterday as part of the
2021 cycle, including prominent gubernatorial races in Virginia and New
Jersey. In support of our election security efforts, CISA hosted an
Election Operations Room at our Arlington Office, and virtually around
the country, to present an integrated Federal coordination point for
support to State and local election officials holding elections this
cycle. Partners from the interagency and the election community
collaborated in real time to share information about election risks and
be prepared to respond as needed. In addition, I recently announced
that secretary of state Kim Wyman will be joining CISA as our new
election security lead. Kim has recently been the secretary of state in
Washington, and she is joining to help ensure that we have a senior
member of the election community guiding our efforts to address a range
of threats to America's democratic process to include cyber and
physical threats, as well as mis- and disinformation. I am extremely
excited to welcome Kim to CISA.
Another area I want to highlight is CISA's on-going work to
implement the May 12, 2021, Executive Order 14028, Improving the
Nation's Cybersecurity signed by President Biden. This Executive Order
aims to directly address the persistent and increasingly sophisticated
malicious cyber threats the Nation has faced over the past several
months, and tasks Federal agencies to make bold changes to improve the
Nation's cyber posture. The efforts outlined in the Order aim to
improve Federal cybersecurity posture and incident response
capabilities, limit supply chain risk to the Federal Government, and
increase CISA's visibility across Federal and contractor networks. CISA
has been tasked with leading or supporting over 35 unique efforts, many
with short time lines highlighting the urgency of the work to be done.
I am proud to say that CISA met all of our deadlines in support of the
Executive Order, to include:
Driving adoption of modern, secure, and resilient networks,
including through the Cloud Technical Reference Architecture,
released for public comment earlier this month and co-developed
with the U.S. Digital Service and GSA's FedRAMP program;
Advancing the adoption of leading security practices
necessary to address highly adaptive adversaries in
collaboration with OMB and other Federal partners, including
publication of a Secure Cloud Technical Reference Architecture
and a Zero-Trust Maturity Model;
Raising the bar for incident response by publishing a
Vulnerability and Incident Response Playbook to Federal
agencies, which will ensure that all agencies will operate from
the same sheet of music during incidents, and enable a
coordinated whole-of-Government incident response effort,
building on lessons learned in recent incidents;
Ensuring that CISA has access to all necessary information
about incidents affecting Federal agencies by providing
recommendations to the Federal Acquisition Regulatory Council
that require broader sharing of data by Government contractors,
in response to incidents. Such sharing will include the Federal
agency holding the contract, as well as with CISA. The
recommendations to the FAR also establish procedures for
sharing appropriate information with interagency partners to
aid in their collective, on-going cyber defense operations;
Establishing a plan to dramatically expand our visibility
into cybersecurity risks affecting Federal networks through
deployment of endpoint detection and response (EDR)
capabilities and enabling ``persistent hunt'' activities as
authorized by Section 1705 of the fiscal year 2021 National
Defense Authorization Act; and
Prioritizing Federal supply chain security by working with
OMB to direct a review of over 650 unique cybersecurity-related
contract clauses in place across the agencies and recommending
to the FAR Council a baseline for cybersecurity that Federal
contractors must meet to lower risk to the Federal systems they
support.
The work outlined in the Executive Order is no small task; the
administration asked CISA and agencies to rethink how we approach
vulnerability and incident response, how we approach purchasing IT
goods and services, how we design and secure our networks, and how we
work together to share information. Our work applies not only to the
Federal Government, but also to government at all levels, and the
private sector, as we seek to work to ensure that we collectively drive
adoption of strong security practices to materially reduce
cybersecurity risks.
Building on the Executive Order, this summer, the President also
issued a National Security Memorandum on Improving Cybersecurity for
Critical Infrastructure Control Systems. The reality is that
cybersecurity needs vary among critical infrastructure sectors, but we
cannot evolve our Nation's cybersecurity posture without baseline
cybersecurity goals that are consistent across all sectors.
Additionally, there is also a need for security controls for select
critical infrastructure that is dependent on control systems. Working
in partnership with the National Institute of Standards and Technology
(NIST), at the end of last month, we issued the preliminary
cybersecurity performance goals based on 9 categories of best
practices. These goals are part of a whole-of-Government effort to meet
the scale and severity of the cybersecurity threats facing our country.
Our safety and security rely on the resilience of the companies that
provide essential services such as power, water, and transportation and
these performance goals should be the standard cybersecurity practices
and postures that the American people can trust and should expect for
such essential services. It takes all of us committed to action, and
that requires harnessing the power of operational collaboration.
Our successes would not be possible without the outstanding and
dedicated CISA workforce. For me, it is all about the people--we will
be successful because of our people. While I am committed to working to
attract and retain world-class talent, one of my top priorities is also
to build a workforce that looks like America and has the skills needed
to meet the threats of the future. To that end, I am very proud that,
in addition to DHS's collaboration with the Girl Scouts of the USA,
CISA recently announced a partnership with Girls Who Code, with the
intent of closing the gender gap in cybersecurity and developing
pathways for young women to pursue careers in cybersecurity and
technology. Partnering with Girls Who Code will provide real solutions
to tackle diversity disparities and bring together a stronger community
of women in technology and cyber. CISA and Girls Who Code will work
hand-in-hand to improve the awareness of these careers in cyber, while
building tangible pathways for young women, especially young women of
color, to get hands-on experience and find opportunities--whether in
the private sector, non-profit sector, or part of Government.
conclusion
Our Nation faces unprecedented risk from cyber attacks undertaken
by both nation-state adversaries and criminals, and CISA is at the
center of our National call to action. In collaboration with our
partners and with the support of Congress, we will make progress in
addressing this risk and maintain the availability of services critical
to the American people.
Thank you again for the opportunity to appear before the committee.
I look forward to answering your questions.
Chairman Thompson. I thank the witnesses for their
testimony.
I remind each Member that he or she will have 5 minutes to
question the witnesses.
I now recognize myself for questions.
This is a question to both of you. The recent surge of
high-profile cyber attacks, from Colonial Pipeline to JBS, has
called into question the Federal Government's voluntary
framework for securing critical infrastructure. Certainly the
security directives issued by TSA earlier this year marks a
significant shift in the Federal Government's approach. Just
last week, as I indicated in my opening statement, the
administration urges Congress to give EPA more authority over
cyber standards for water.
With that in mind, do you envision the administration
moving to impose security standards on additional critical
infrastructure sectors? If so, and I guess my--do you envision
it, yes or no?
Mr. Inglis. Mr. Chairman, thank you very much for the
question. It is an important question.
I would say that the answer to the question is yes. I think
the context matters greatly. This must be done in partnership
and collaboration with the private sector insomuch as we work
together to determine what the shape, the form, the function is
of digital infrastructure to ensure that innovation, capacity,
generation, continues to take place in the private sector. We
allow market forces and the leadership of the private sector to
take their proper role. Then, by exception, when necessary
impose the further non-discretionary standards that are
required. We have done that in other industries, like the
aviation safety industry or the automobile industry. I think
that this is an equally appropriate place to do that for the
critical services that our Nation depends on.
Chairman Thompson. Well, thank you. So you said yes and
then you went on to define the role. So thank you very much.
Director Easterly.
Ms. Easterly. Thank you for the question, Chairman.
I would agree with everything that National Cyber Director
Inglis said. I would add two points. As we know, 85 percent of
critical infrastructure is in private hands. So this really is
based on a voluntary regime, as you pointed out. We know that
collaboration and trust is absolutely critical to the model of
how CISA works with the private sector. So we are going to
continue to build that trust and build that collaboration.
Notwithstanding whatever regulations may come into place, we
are going to focus on the collaboration piece.
I would add though, in order to support any regulation that
may come into force, we are doing a lot of work on articulating
what are the cybersecurity baseline standards and goals. At the
end of September we released those goals specific to industrial
control systems and we are working on other goals that were
tasked out by the White House National Security Memorandum.
So we are at least at a minimum letting all of our critical
infrastructure sectors know what is expected to ensure the
security and resilience of their infrastructure.
Chairman Thompson. Thank you very much.
I think, Director Inglis, you kind-of addressed this
question, but--in your opening statement--do you have the
necessary authorities and resources to do your job?
Mr. Inglis. Mr. Chairman, thank you very much for that
question.
I believe that I have sufficient authorities and resources,
given the appropriations that we expect in the very near term,
to make the difference that is expected. We will, based upon
experience, come back and determine whether or not they need to
be refined in some way, shape, or form. But for the moment I
believe I have the authorities and expected resources to make
the difference expected.
Chairman Thompson. Director Easterly.
Ms. Easterly. Well, first of all, thank you very much to
this committee because you have done a lot to give us the
authorities and resources. But we appreciate what is in
potential upcoming legislation, to include cyber incident
reporting, a recognition of grant programs for our State and
local partners, the codification of CyberSentry and our role in
ICS.
To the resource question, we have gotten a lot of resources
and I think it is great to get resources specifically for cyber
defenders and infrastructure defenders. I would say though what
is also very important to us are those mission enablers that
will help us execute the resources and the funding that we are
getting, human resources, our people, our chief human capital
officer, our finance, our acquisition authorities. So we are
going to need to bolster those mission enablers to enable us to
actually execute everything that you have given us.
Chairman Thompson. Thank you.
So if I hear you correctly, with that you are going to
still have to find some bodies, right, to carry that mission
forward?
Ms. Easterly. Say that again, Chairman.
Chairman Thompson. I think you are going to have to have
some people or bodies to carry the missions forward.
Ms. Easterly. Absolutely.
Chairman Thompson. As a committee we have heard quite often
that somehow we don't have enough qualified individuals to
staff our agency. Do you find the lack of staff is a potential
problem for CISA?
Ms. Easterly. We are working hard to build out our
capability and capacity. We have a lot of vacancies that we are
working very hard to fill. Two of the things that I am trying
to do to deal with this, first of all to really do an analysis of
how we can accelerate our hiring. All of the steps that are
required, how do we actually create some efficiencies on that
because having just come from 4 1/2 years in the private
sector, I think it takes way too long to be able to bring
people into the Federal Government. I think that is incredibly
important to be able to streamline that process, sir.
The second thing that we are doing is really leaning into
cyber talent management system authorities, which come into
force the 15th of November that will give us greater
flexibility to be able to hire based on aptitude and attitude,
not based on degrees or certifications. It will allow us to be
able to pay closer to market. So that flexibility I think will
really help us close the gap to enable us to bring on the
talent that will make us the agency that the Nation deserves.
Chairman Thompson. Thank you.
I yield to the Ranking Member.
Mr. Katko. Thank you, Mr. Chairman.
Director Inglis, a quick question for you.
It is pretty clear that the authorities that CISA has and a
cyber director are pretty well laid out and I understand the
interaction between you two. One of the ones I kind-of struggle
with is what is the role of the National Security Council
within the cyber realm? If there are some issues that we need
to work on there, what are they?
Mr. Inglis. Yes, thank you for that question. That is a
question we are asked on a fairly frequent basis and one that I
think deserves a solid crisp answer.
I would say that as we look at it--I believe I am speaking
for both Jen and myself--there actually is the need for a
National Security Council leadership role in cyber for the
following reasons: Typically in any domain of interest, cyber
being one of those, we should consider bringing all instruments
of power to bear, our intelligence assets, our diplomats, our
financial abilities, our legal remedies. Typically bringing
those instruments to bear in a coordinated fashion to achieve
the appropriate desired conditions in the domain of interest,
cyber being one of them, is traditionally the role of the
National Security Council. We believe that that remains
appropriate in this space and therefore our colleague, deputy
national security advisor for cyber emergency technology, Anne
Neuberger, we think appropriately and fully fills that role as
a complement to what Jen and I then do within the realm of
cyber space.
Mr. Katko. OK. I will leave it at that.
Director Easterly, I mentioned in my opening statement, I
mentioned it several times before, we are getting to the point
now where we are going to start having more requirements on the
private sector. We also ask them many times to get us more
information. I think the more information they get on their
cyber attacks the better you can understand the playing field.
The better you can understand the playing field, the better you
can help them going forward. A common refrain you heard from
the private sector is a lot of stuff goes to CISA--and this is
before your time, mind you--a lot of information goes to CISA
and not a lot of operational information comes back.
How are you doing trying to fix that issue and what do you
plan to do going forward?
Ms. Easterly. Thanks for the question, Ranking Member
Katko.
So it has been about 110 days. I think we are doing pretty
good. But it is just a start.
Mr. Katko. You don't have everything fixed in 110 days?
Ms. Easterly. I know, I failed miserably.
You know, I have a great appreciation for those comments
because I spent the past 4 1/2 years in the private sector and
sometimes my observations were that the Government seemed
disjointed, not coherent, and a black hole. So, frankly, I
think we are doing a lot under Director Inglis' leadership and
the leadership across the Federal Government to really ensure a
coherent approach, that we are speaking with a coherent voice
to the private sector. Frankly, it is one of the reasons why I
am so excited about the Joint Cyber Defense Collaborative, the
JCDC, because by statute it is the only cyber entity that
brings together CISA and NSA and FBI and DoD and DoJ and ODNI
and the Secret Service and the National Cyber Director. So that
is a place where the private sector can come and expect
accountability in one place and can go and say, we have given
you this information, what are we getting back?
So that real-time conversation is happening. I will tell
you we are already leveraging those partnerships from cloud
security providers, from cybersecurity companies, to take that
information to enrich what the Federal Government has and then
to get that back, both to those companies, but importantly to
critical infrastructure owners and operators and the State and
local. As I said in my statement, we are looking to do not just
sharing, but truly enabling. Because if we can't get
information to network defenders in a timely way that allows
them to use that information and that it is relevant and
actionable, there is really no point in sharing information.
So we are looking to change that paradigm and I am very
focused on ensuring that we are giving feedback and enriching
what we get from the private sector.
Mr. Katko. Thank you very much.
Following up on the critical infrastructure. I appreciate
our discussion last week at CSIS on the importance of CISA
having the capability to identify the most critical of critical
infrastructure. Because, as you know, if everything is critical
infrastructure then nothing is, right.
So while we may disagree on the best acronym for the
effort, I think you said PSIES is a new one--Mr. Chairman we
have got to learn now another one--it is clear we are seeking
the same outcome here, right. It is paramount that we are
understanding the single points of failure and layers of
systemic importance across this ecosystem that have the
potential for a cascading impact of compromise.
So can you briefly just discuss with me the importance and
current state of play with CISA's Systemically Important
Critical Infrastructure effort?
Ms. Easterly. Yes. Thanks very much for the question.
I do think it is incredibly important that we are able to
articulate that infrastructure that is absolutely critical to
Americans' way of life. We look at the lifeline sectors, water,
transportation, communications, energy, we look at all of the
16 infrastructure sectors, but we also analyze them, sir,
through the lens of National critical functions. Because, as we
know, in today's society everything is connected, everything is
interdependent, and therefore everything is potentially
vulnerable as it rides on that technology backbone.
So, you know, inspired by some of the good work that came
out of the Cyberspace Solarium Commission, the Systemically
Important Critical Infrastructure, SICI, we have done some work
on what we are calling PSIES which does sound like a better
acronym, the Primary Systemically Important Entities. Again,
those that have economic centrality, network centrality, and
have logical dominance in those National critical functions. So
we think it will end up to be about 150-200 entities that we
really focus in on to be able to provide information. It goes
back to the benefits and burdens question, but I absolutely
think that we need to codify this.
So, to your point, sir, if everything is a priority,
nothing is a priority. So I am a big proponent of the effort.
Mr. Katko. Thank you very much.
Before I yield back I just want to note it is very
important that you continue your collaborative relationship. I
think the way you have things set up, you should be very proud
and, like I said, you are a symbol for other agencies to
follow. Instead of having turf battles you are getting things
done and that is important.
Also know that with the Chairman and myself, don't wait for
hearings, if you need something just pick up the phone and call
us, OK.
All right. I yield back, Mr. Chairman.
Ms. Easterly. Thank you, sir.
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentleman from Rhode Island, Mr.
Langevin, for 5 minutes.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank you
for holding this hearing today and thank you and the Ranking
Member for your bipartisan collaboration on cyber and many
other issues.
I could not be more pleased to have the two witnesses we
have before us today, two outstanding appointments. Take great
pride in seeing the Nation's first National Cyber Director
before us after more than a decade of trying to establish that
position. I am glad it is finally established and that Director
Inglis is the first inaugural director.
Five minutes is going to go by fast, so I am going to get
right into my questions. But deeply appreciate the leadership
you are both providing that are protecting the Nation's cyber
space.
Director Inglis, I will start with you. In your testimony
you mentioned that we can expect the Office of the National
Cyber Director to ``Issue more routine explicit statements of
priorities and guidance on a year-to-year basis to support
departments and agencies in their own planning and operational
prioritization.'' I commend you for initiating this work. These
year-to-year statements of priorities and guidance will address
gaps in our medium-term planning that translate our cyber
strategy into day-to-day work carried out by agencies.
Incidentally, this kind of activity is exactly what
Congress intended for the National cyber director.
So on the subject of your Office's roles and
responsibilities you testified before the Senate Homeland
Security and Government Affairs Committee about a possible
Executive Order in development that would delineate processes
for your office, including around setting these yearly cyber
priorities.
Can you update the committee on any plans to issue such an
order?
Mr. Inglis. Yes, Congressman Langevin. Thank you very much
for the question.
I think that the statute has gone a long way and the
policies that we have described have gone a further distance in
describing what the roles and responsibilities are of the
various players in this space. An Executive Order, we believe,
is the essential capstone to that, to crisp up, at least for
the moment, based upon the experience and the expectations we
have, where we should then take this further. We are in
discussion within the White House about when and how to effect
an Executive Order that would bring additional clarity to these
roles and responsibilities. I am confident that we will work
our way through in weeks' to months' time to deliver such a
thing.
Mr. Langevin. Very good. Thank you. I do also want to
commend you and thank you for your work on this Cyberspace
Solarium Commission. It is a privilege to serve with you on
that Commission.
Director Easterly, first of all congratulations and I thank
you for the BOD that was issued earlier today. It is exactly
the type of thing we need to do to get out ahead of cyber
vulnerabilities, so thank you and CISA for that leadership.
We had a discussion a little bit earlier about the public-
private collaboration, JCDC. So I was very pleased when you
announced the creation of the Joint Cyber Defense
Collaborative, or JCDC, in August and I think the JCDC will
significantly improve the ability of the public-private sectors
to collaborate on cyber defense efforts.
I would be curious on your further views on the importance
of the public-private collaboration and I hope you can share--
and, again, any further updates on CISA's progress in standing
up JCDC. Anything you would like to add.
Ms. Easterly. No, sir. I mean we are really, really
appreciative of those authorities. I know you championed the
Joint Cyber Planning Office, which is a significant part of the
Joint Cyber Defense Collaborative. I think it is really the
thing that will make the difference, being able to be proactive
as opposed to reactive in planning against the most serious
threats to the Nation. I think it is something unique across
the Federal Government from a cyber defense perspective. So I
am really looking forward to putting that into action.
Mr. Langevin. Very good. Thank you.
Also, Director Easterly, one idea to further the public-
private collaboration developed by the Cyberspace Solarium
Commission and adapted by Congressman Gallagher and into an
amendment in this year's NDAA would create critical technology
security centers to evaluate and test the security of devices
and technologies underpinning our Nation's critical functions.
I would be curious to hear about your thoughts on this
measure and how it could complement JCDC?
Ms. Easterly. I am very supportive of that measure,
Congressman. I think it is incredibly important that we have an
ability to understand. In particular, given everything that we
have seen with respect to intrusions in our supply chains, that
we understand the technology that is underpinning all of these
infrastructures. So fully supportive. Would want to be able to
leverage the JCDC and the partners within the JCDC to be able
to understand some of the information that could be tested at
some of those technology centers. So would look forward to
that.
Mr. Langevin. Last, very quickly, I took note of your
comments at the Aspen Cyber Summit on a bureau of cyber statistics and
the need for better cyber metrics, your thoughts on potentially
housing that at CISA?
Ms. Easterly. I am a huge fan of that. I think it is hard
to say that you have reduced risk unless you know how to
measure it. So I believe we should have that Bureau of Cyber
Statistics and I think it would make sense to house it at CISA.
Mr. Langevin. Very good.
Thank you again for your answers, your outstanding
leadership. I look forward to our future collaborations.
Mr. Chairman, I yield back. Thank you.
Chairman Thompson. The gentleman yields back.
The Chair recognizes Mr. Garbarino for 5 minutes.
Mr. Garbarino. Thank you, Mr. Chairman, thank you, Ranking
Member Katko, for having this hearing and thank you, Directors
Inglis and Easterly for both coming today.
Director Easterly, I really enjoyed our conversation last
week. We talked about a lot of different things, even with my
babysitters I thought it was pretty productive. We talked
about, and you brought it up in your opening testimony, about
the cybersecurity pipeline and what you have been planning. You
have talked now about--you know, and it is not all under your
control, but it is a concern that you show that you are fully
staffed, and now with the cyber talent management system coming
on-line with the rules. What do you
see as your job or the CISA's Office of the Chief Human Capital
Officer, taking those rules and making sure that they work to
make sure that CISA is fully staffed and properly staffed with
the right people?
Ms. Easterly. Yes. Thank you for that question, because you
know I think it is something we are both passionate about.
I should first say we have fabulous people at CISA and this
really is the best job in Government. But I believe that there
is nothing more important than people. So we have actually
spent a lot of the last 3½ months doing a couple of things.
First, defining the core values and the core principles that
underpin CISA's culture, identifying how we are going to build
a talent management ecosystem that allows us not just to
recruit the best people, but to ensure that we are training and
certifying and mentoring and coaching and retaining those best
people. That is incredibly important. We have done a careful
analysis of all of the 20-plus steps that it takes to actually
hire somebody into the Federal Government, which is way too
onerous. You know, we were able to reduce by 13 percent the
number of days that it takes to hire somebody, but it is still
way too long. It is over 200. In the private sector I could
bring somebody in like 60 days. So we need to fix all of that.
But we are making progress on that. We have hired 500-some
people, whereas last year it was just 200-some. So we are
getting there, but not fast enough in my view.
So we are going to figure out how to fix the current
process. I may come back to you and ask for your help if I need
it.
Then we are going to aggressively implement CTMS, which
allows me much greater flexibility, both to hire but also to
figure out how to retain people and incentivize them. At the
end of the day people want to come to CISA to defend their
Nation, but given the competitive environment we also want to
be able to pay closer to market.
So these new authorities will allow us to do that, sir.
Mr. Garbarino. I appreciate it. Sounds like it is easier to
get elected to Congress than to hire someone at CISA.
On a separate note, Ranking Member Katko and I have
increasingly been concerned about the security of the Nation's
information and communications technology. Specifically, we are
concerned about the lack of progress from the Federal
Acquisitions Security Council. We appreciate the transparency
that CISA has provided to the committee regarding its role in
FASC, but we understand that CISA is only one part of it.
Director Inglis, can you speak to the lack of progress we
have seen from FASC and why now 3 years in there isn't much to
show for it?
Mr. Inglis. Yes. So thank you for the question. It is an
important question, especially given the role that the Federal
Acquisition Management Supply Chain Committee plays on the
acquisition of the material that underpins the digital
infrastructure that underpins our critical missions.
Having said all of that, 3 years is a long time, but I am
pleased to report that in August of this year we concluded the
rule-making process, gave CISA a leadership role on the FASC,
have now charged the leader of that committee, who is one and
the same as the deputy for Federal cybersecurity within the
National cyber director, but at the same time the Federal
chief information security officer, to move off in beginning to
apply those rules, those processes, to determine how we manage
the Federal supply chain.
We have a solid agenda for fiscal year 2022, the year that
we are in, and we have every expectation that we will make
significant progress in the time ahead. I would be happy to
come back to this committee or to deal personally with any
committee Member who is interested as to what those specific
plans are, but to demonstrate progress in the very near-term.
Mr. Garbarino. Great.
Well, and for either you or Director Easterly, with the
authorization of FASC coming back in 2023, is there something
that Congress should consider changing or--you know, you giving
CISA a more essential role or is there something we should do
differently in the re-authorization or change?
Mr. Inglis. I think it is a very appropriate question. I
think that you should hold us accountable for delivering value
with the process and the authorities that we have at the
moment. I do believe that it should be sustained past fiscal
year 2023. We will come back to you to tell you what
refinements we think are necessary.
Mr. Garbarino. Director Easterly.
Ms. Easterly. Nothing to add.
Mr. Garbarino. Great. I appreciate that.
I yield back. Thank you.
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentleman from New Jersey, Mr.
Payne, for 5 minutes.
Mr. Payne. Thank you, Mr. Chairman and Ranking Member, for
having this timely, timely hearing.
Let us see. The Colonial Pipeline ransomware attack was a
stark reminder that cyber attacks on critical infrastructure
can have physical real-world consequences that ripple across
sectors throughout the economy. The longer it takes to restore
operations, the more of those downstream effects can snowball
in ways that matter for the health, safety, and financial
stability of individuals and families and communities.
Director Easterly, what is CISA doing to promote not just
the security but also the resiliency of critical infrastructure
like pipelines to make sure they are able to get back up and
running in the event of a cyber-related disruption?
Ms. Easterly. Well, thanks very much for that question.
You are absolutely right. What we have seen this year is
cyber attacks that are manifesting against our critical
infrastructure and having real effects on the American people,
whether it is gas at the pump or food at the grocery store or
money at the banks. So couldn't agree with you more that we
really need to lean into CISA's statutory role as the National
coordinator for critical infrastructure resilience and
security.
So a lot of this is--we have two main roles actually. We
are what I call ``left of boom'', as a retired military
officer. We are focused on resilience and prevention of
attacks. Then we are there to be able to respond effectively to
a victim to help them recover and to mitigate risk to their
business and to also leverage the information that we get in an
anonymized way so that we can warn other victims and prevent
them from being hacked. But it comes down to our ability to
work very closely with our partners at the State and local
level and within critical infrastructure to ensure that they
have the resources, the technical assistance, and the
information that they need to be able to protect themselves.
Because at the end of the day we know that over 90 percent of
successful cyber attacks start with a phishing email and that
you are 99 percent less likely to get hacked if you implement
multi-factor authentication.
So all of these standards and goals and information that we
put out, working closely with the critical infrastructure
owners and operators, incredibly important. That is why we work
closely with TSA as they articulated new standards specifically
to pipelines. That is why we are working with 20-plus pipeline
CEOs twice a month to help them instantiate the technology that
they need to protect their networks and systems and assets.
Mr. Payne. Thank you. Thank you.
How will the Joint Cyber Defense Collaborative help build
our National resiliency by fostering collaboration, planning,
and exercising to prepare for specific cyber attack scenarios?
Ms. Easterly. Yes, great question.
I am super excited about the JCDC. I really think this is a
different and unique capability for the Nation. It is the place
that by statute brings together the full power of the Federal
Government with the innovation, imagination, and ingenuity of
the private sector. The reason why we chose those plank-holder
partners, the infrastructure companies, the cloud security
providers, cloud service providers, and the cybersecurity
vendors is because they afford global visibility into
infrastructure that the Government doesn't have and shouldn't
have. So that is how we see the dots, connect the dots, and
then reduce risk at scale.
So that is how that collaboration in near-real time,
information being shared to enable security and resilience, and
also to inform planning against the most serious threats to the
Nation so we can drive down risk at scale. It is one of the
things that I am most excited about and we are already seeing
dividends from the JCDC, sir.
So thanks for the question.
Mr. Payne. Well, thank you for those responses.
With that, Mr. Chairman, I yield back 20 seconds.
Chairman Thompson. The gentleman is so kind.
The Chair recognizes the gentleman from Louisiana, Mr.
Higgins, for 5 minutes.
Mr. Higgins. Thank you, Mr. Chairman. I thank the Ranking
Member and our witnesses for being here today.
Every day the importance of our cybersecurity systems grows as
a matter of National security. The number of publicly-reported
cyber attacks and breaches for 2021 is unfortunately on track to
be the highest and most impactful in history. The cost of
ransomware damage is expected to reach $265 billion by 2031--
and personally I think that is a light number.
Our foreign adversaries are rapidly increasing their cyber
skills and stealth. We are also currently seeing the disastrous
consequences involved with supply chain vulnerability. Supply
chain cyber attacks have risen by 42 percent just in the first
quarter of this year. According to BlueVoyant, a third-party
cyber risk management company, 97 percent--97 percent of firms
have been negatively impacted by cybersecurity breach in their
supply chain. Further, 1 out of 5 small businesses fall victim
to a cyber attack in the United States, and of those 60 percent
go out of business within 6 months. This is a serious problem.
Our adversaries should have a clear understanding that the
United States can and will execute effective and timely
consequences if they attack our National critical cyber
infrastructure.
Deterrence and response, in my opinion, are critical
aspects to our mission to address the cyber threats that we are
currently experiencing and the threats of tomorrow.
Director Inglis, non-state criminal actors are responsible
for many cyber attacks in the United States, including last
year's ransomware attacks on our hospital systems and the
Colonial Pipeline attack. The United States has had difficulty,
however, in the past in executing counter attack strikes
against cyber terrorists. For example, in 2016 the U.S. Cyber
Command worked to destroy ISIS communications and remove pro-
ISIS propaganda which only worked for a couple of days. They
were right back up. Certainly wasn't an effective counter
strike.
So, in your professional opinion, is the United States
capable of launching an effective cyber counter strike against
cyber criminals world-wide? Because this is the question that
Americans want to know, can we strike back? Do we have the
will, do we have the capability? If we do have the will and the
capability, then why are we not lighting these criminals up
with counter strike cyber attacks?
I ask you for your response.
Mr. Inglis. Congressman, thanks very much for the question.
I am sure that is the question on the mind of many people who
are aware and watching the growing threat in cyber space.
I agree with your characterization of the growing
seriousness of these threats and the perception that we are
falling further behind.
I would offer that it is important to bring transgressors
to justice. I would offer that the set of tools we should bring
to bear is considerably larger than simply finding and shooting
at them using cyber activities in and through cyber space. So
that is an important part of the solution, but equally
important is a campaign that covers all the ways that we can
thwart their efforts. We need to begin with increased
resilience and robustness in the technology, in the skills of
our people, in the doctrine, in the roles and responsibilities.
We are talking a lot today about how do we collaborate as
opposed to achieve simply a division of effort such that these
transgressors have to beat all of us to beat one of us. Having
established a defensible enterprise, we then need to actually
defend it. That is a very proactive set of endeavors. Jen
Easterly at CISA and other sector risk management agencies are
leading the collaboration of the Federal enterprise with the
critical information and critical sector to do just that.
Finally, we need to align actions to consequences. An
important piece of that, as you suggest, is finding and
bringing to justice these transgressors, stopping their further
efforts. But we need to use all the instruments of power at our
disposal. We need to be able to----
Mr. Higgins. Thank--sir, in the interest of time--I have 10
seconds remaining. Let me just close. Thank you for your
answer.
In my opinion we need to have a lightning-fast cyber
counterstrike. There needs to be immediate consequences. Then
we still bring them to justice. That takes a long time.
Mr. Chairman, I yield and I encourage my colleagues to
support a very proactive and aggressive cyber counterstrike as
we face these on-going attacks.
Thank you for holding this hearing today.
Mr. Inglis. Mr. Chair, I would be happy to follow up----
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentleman from Missouri, Mr.
Cleaver, for 5 minutes.
Mr. Cleaver. Thank you, Mr. Chairman, for the hearing, for
a variety of reasons.
I am on the Homeland Security, but I am also on Financial
Services and we also have a great deal of interest in and
ability to work with CISA.
Director Easterly, thank you. You know, since CISA was
created back a couple of years ago, you know, the agency now
has a recognizable name. I think when CISA first was created, a
lot of people, when you said CISA, thought it was a hip
hop band. But, you know, now I think it is recognizable. You
know, you are serving a great purpose with security, public and
private.
You know, but you have a far-flung and almost cryptic kind
of a mission. You know, I am wondering, you know, what would
you want your grandchildren to brag about when they become
adults as it relates to what you were able to do at CISA? I
mean what do you envision down the road as something that is
significant that you really want to do and may even need the
help of the Chair, the Ranking Member, and this entire
committee in getting it done?
Ms. Easterly. Thank you for that great question, sir.
My son is 17 and I often tell him how excited I am to
someday be a grandmother, which I think is a little
off-putting to him since he is a junior in high school, but I
am excited for that day because I like babies.
But it is a great question. You know, I have thought about
this through my career, through 21 years in the military,
several combat tours, working at the White House, working in
the intelligence community. Much of what I am doing is
motivated so that my parents and my brothers and sisters and my
son and my husband are proud of me. I would hope that my
grandkids could say she helped make America safer. So that is
my goal, to ensure the security and resilience of the
infrastructure that Americans rely on every hour of every day,
to get power, to get water, to get food at the grocery store,
to get money at the bank, to get gas at the pump. These are the
networks that underpin our lives and my mission is to ensure
that they are secure and resilient.
Mr. Cleaver. Is there a priority? Is there something that
is so critically important to the agency that you want to
direct as much attention to it as possible? The No. 1 thing. Or
is the mission so massive that it is difficult to set anything
aside?
Ms. Easterly. Well, I don't think it is--I mean it is a big
mission and I think it is a critically important issue, sir.
Mr. Cleaver. It is.
Ms. Easterly. But I think it is pretty simple. You know,
our mission is to lead the National effort to understand,
manage, and reduce risk to cyber and physical critical
infrastructure. We do that in two main ways. We are the
operational lead for Federal cybersecurity and we are the
National coordinator for critical infrastructure security and
resilience.
My top priority to ensure that this agency is successful is
to make sure that we have the talent we need to be able to
operationalize our various missions. But my goal, again, is to
really ensure that infrastructure, whether it is owned by--
critical infrastructure owners at the State and local level or
with the Federal Government is secure and resilient to cyber
attacks from nation-state actors and cyber criminals.
Mr. Cleaver. Thank you very much.
Mr. Chairman, I would like to beat Mr. Payne and I will
yield back 50 seconds.
Chairman Thompson. The gentleman is real kind.
The Chair recognizes the gentleman from South Carolina, Mr.
Norman, for 5 minutes.
Mr. Norman. Thank you, Chairman Thompson.
I want to thank our guests for testifying and for being
here. From reading your backgrounds for both of you, you all
really have the background to do a great job with what I
consider the threat that this country is facing every day. You
know, we have got so many that we know about, but the ones we
don't know about--and I am from small business and know a lot
of businesses that would not report the attacks on their
particular company because of loss of stock value. You know,
the fact that they just do not want it publicized. But with--
and I know you all have not been on the job but, you know, 6-8
months, but if what you put in place, and since you have been
there for the time that you have, would the Colonial attack be
able to occur now or do you have the mechanisms in place to
stop that?
Mr. Inglis. Mr. Congressman, thank you very much for the
question. It is an excellent question.
I can't say for certain whether we would prevent the next
Colonial Pipeline attack. I believe that we are in a much
better position to detect it, if not deter it. The things we
have done ensure that to the extent that any one of us has a
small piece of understanding about what might be transpiring in
the shared domain of cyber space, we are now in a better
position to share that richly, quickly, and at a granularity
that it is then useful, it is actionable intelligence.
We are also able at this point to better respond to those
activities, such that we can surge support to the point of need
and restore not simply resilience and robustness to the system
quickly, but confidence that the systems will work on our
behalf. But I have to be quite clear, quite honest about saying
the technical debt--the lack of investment for so many years is
long in the making. It won't be turned around in a fortnight.
We need to make sure at this moment we are making best use of
the components, the authorities, and that we apply those in an
integrated and collaborative fashion, such that increasingly an
adversary needs to beat all of us to beat one of us. That
should be a daunting proposition for them.
Mr. Norman. What about--you know, we have got an open
border. This country is petrified of what is going on with the
border. Anybody and everybody from any country is coming in. We
don't know who they are, we don't know what country they
represent.
All we know is we are not doing any background, we just--they
basically are coming across the border unfettered. How you--and
this is for either one of you--how are you all dealing with
that and what threat is this that we face known or unknown that
you see?
Mr. Inglis. Mr. Congressman, I will start with a question.
I assume that you are extending that analogy into cyber space.
I think it is quite apt. You know, cyber is essentially a set
of open borders which we might confer some degree of
jurisdiction based upon geography. But in cyber space geography
means very little absent the authorities that are bound within
the United States, based upon that geography. So we have to
make sure that we understand what is happening across those
borders, that we can better identify the transgressors who come
at us from across those borders, and that we can better deal
with the sum of the authorities we bring to bear based upon
both domestic and National security authorities. All of that is
a very daunting proposition, the borderless space of cyber
space. I believe we have the means to do that, but we have to
better identify those threats, better secure the
infrastructure that we mean to defend, and collaborate on top
of that to bring all our resources to bear.
Ms. Easterly. Would only add, absolutely. I mean some of
the complexity--a large part of the complexity of our job, sir,
is that we are dealing with cyber space, which is borderless.
But just to add to Director Inglis' comments from earlier,
I think we are making progress in ensuring that there are fewer
Colonial Pipeline-type hacks, but at the end of the day, the
Government can only do so much. A lot of this is the private
sector making sure that they are implementing the standards and
the cyber hygiene that they need to protect their systems and
networks. We are here as a trusted partner to provide
assistance, to provide standards, to provide information, but a
lot of this has to be the basics of cyber hygiene.
So I look forward to continuing to work with small
businesses, the private sector so that they have the
information that they need to be able to protect themselves.
Mr. Norman. Yes. You all play a vital role with that and I
hope you--I realize cybersecurity doesn't have a border, but
what we are doing is letting people in that are embedded in our
communities that are coming to our country. We have got Duke
Power in my district and EMP attacks, which is--an attack on
this country is of great concern to all of us.
Thank you so much. I think my time is up.
I yield back, Mr. Chairman.
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentlelady from New York, Ms.
Clarke, for 5 minutes.
Ms. Clarke. Thank you, Mr. Chairman. I thank our Ranking
Member and our witnesses for appearing today and lending their
expertise to the subject matter.
Let me start with Director Inglis. As you know, Congress
established the Office of National Cyber Director in part to
address the long-standing inter-agency coordination challenges
and turf wars that existed between CISA, sector risk management
agencies, and other Federal agencies with cyber missions. Can
you distinguish between the role ONCD plays as opposed to the
role played by the National Security Council and CISA's role as
the lead Federal coordinator for critical infrastructure
protection?
Mr. Inglis. Yes, Congresswoman. That is I think an
important question and so I think the answer would be that
those roles are complementary, they are applied concurrently.
They are not necessarily hierarchical. At the same time that
CISA is the on-field quarterback equipped with resources and
authorities to coordinate the defense within the Federal
enterprise and the support of the Federal Government to the
critical infrastructure, the National cyber director has to
make sure that the roles and responsibilities, as you indicate,
of CISA and the sector risk management agencies are clear, that
they are prepared to act in a complementary fashion, and that
their performance is up to par in terms of our expectations. At
the same time, the National Security Council, and in the form
of Anne Neuberger, who is the deputy National security advisor
for cyber and emerging technology, applies instruments of power
that are outside of cyber space to bring about desired
conditions inside cyber space, our intelligence assets, our
military assets, our diplomatic assets, our legal assets, our
financial assets. All of that is traditionally the role of the
National Security Council.
If we do those three roles concurrently they can complement
one another such that the sum of the parts is greater than the
arithmetic sum.
Ms. Clarke. Wonderful.
So in your experience thus far as the first-ever U.S.
National cyber director, how confident are you that ONCD will
be able to unify Federal cyber efforts around a common vision
and shared purpose?
Mr. Inglis. I think I am not in a position to ultimately
judge my own performance, but I think that we can make a
difference. I think that that is the point of accountability
that should be imposed on me. Did the system perform better,
are we in fact more coherent, cohesive in the application of
these very impressive pieces at the end of the day? I think we
can and will make a difference.
Ms. Clarke. Awesome.
Director Easterly, would you care to weigh in on the
dynamics between ONCD and CISA and whether you see these roles
as complementary of each other and any areas for improvement?
Ms. Easterly. Thanks so much for the question,
Congresswoman.
As Chris and I have talked about--and we go back about 15
years, so we have known each other for a while--and I think--
you know, I often say technology is easy, people are hard. So
you have to have that trust to build that collaborative
partnership. Fortunately Chris and I have been friends for a
long time. We talk about our relationship as he being the
coach, me being the quarterback, but we know that there are all
players on the field. I think even in just the last 3½
months we have forged a highly collaborative, highly cohesive
relationship with our teammates across the Federal Government.
You know, this is about one team, one fight, cyber is a
team sport, no drama, no ego, no tribalism, no turf. It is
about getting the job done. So it is not Cobra Kai versus
Miyagi-Do, it is Cobra Kai and Miyagi-Do against all the bad
guys.
Ms. Clarke. Wonderful. It is so refreshing to hear that
response. We are maturing as an agency.
Director Inglis, in the wake of the Colonial Pipeline
ransomware attack we saw what I would describe as a breakdown
of the PPD-41 framework and a failure to execute the National
Cyber Incident Response Plan. Specifically, the Department of
Energy was given the lead role in the Federal Incident Response
efforts despite being neither the lead for asset response under
PPD-41 nor the sector risk management agency for the pipeline
sub-sector.
What guardrails have been put in place since then to ensure
that the next time the United States has to respond to a
significant cyber attack on our Nation's critical
infrastructure the lines of effort articulated under PPD-41
will be observed?
Mr. Inglis. Thank you for the question.
As you indicate, PPD-41 remains a quite useful and
appropriate document to guide our efforts in the moment of
contingency or crisis, say a repeat, god forbid, of the
Colonial Pipeline. I think that what we have done since then,
and certainly in the last 3½ months now that Director
Easterly and I have assumed these roles, is to double down on
our efforts to understand what the role of CISA is--it is
increasingly clear what the role is, it is the coordinator--to
double down on how then that relates to the sector risk
management agencies to understand what the lanes of effort are,
how they complement one another such that in the heat of the
next contingency or crisis we will be based upon not simply
what the rules are laid out in PPD-41, but tested and exercised
roles and relationships based upon not simply professional
trust but the personal relationships that we have established
to know how we would respond in that crisis.
Ms. Clarke. I thank you, Mr. Chairman. Thank you for your
indulgence.
I yield back.
Chairman Thompson. So, Mr. Inglis, so let me understand
what you just said. You said personal relationships. Are you
saying those personal relationships override the policy?
Mr. Inglis. I do not, sir. So thank you for your question
and the opportunity to clarify.
I think those professional relationships are well described
in law, in policy, and ultimately in the administrative roles
that are established. The personal relationships can complement
those and ensure that you affect those not simply as a division
of effort, but in a collaborative fashion.
I spend quite a lot of time trying to understand what the
challenges and the authorities are of Jen Easterly or the
sector risk management agencies so that I can put myself in
their stead and understand what I need to do to support them.
That is based upon personal trust as much or more as executing
fully and faithfully the authorities and the rules that are
inculcated in statute and policy.
Chairman Thompson. But you do recognize that the policies
at the end of the day----
Mr. Inglis. I do, sir, without equivocation----
Chairman Thompson [continuing]. Should be the driving force
behind what you do.
Mr. Inglis. Without equivocation.
If I might, I would just say that I think that a
transformative feature of what we are proposing is that we can
fully and faithfully execute the law and the policies in a way
that might equate to a division of effort, that we then meet at
seams that are defined by those laws and policies, which are
very important. But we also need to go further to try to
understand what more we can do to aid and abet the activities
to the left of us, to the right of us, to achieve a degree of
collaboration, which means that we have to work harder and
essentially have a degree of personal addition to those as
opposed to subtraction from those.
Chairman Thompson. But somebody has to be in charge.
Mr. Inglis. At any moment in time we need to know who is
accountable for what, yes, sir.
Chairman Thompson. Absolutely.
The Chair recognizes the gentleman from Georgia, Mr. Clyde,
for 5 minutes.
Mr. Clyde. Thank you, Mr. Chairman.
Our Nation's safety and security are being challenged by
our enemies through cyber space. As we have seen over the last
year, these attacks can lie dormant for many months before
being detected and can have devastating consequences on our
economy and our way of life.
Further complicating these threats is the fact that cyber
attacks can be carried out by both state and non-state actors
and can be relatively inexpensive to execute. There seems to be
limited tools at our disposal that enable us to immediately
respond to a cyber attack and hold perpetrators accountable. In
many ways cyber attacks have emerged as a near-perfect weapon
against our Nation--especially the civilians in our Nation.
So both of you, thank you for continuing to provide
valuable insight into what steps are needed to strengthen our
cybersecurity and to respond appropriately when the attacks are
successful.
As my colleague from Louisiana, Mr. Higgins, highlighted, I
think the best defense is a good offense, but we definitely
need both. The civilian sector needs a stronger defense, but
they have got to know what resources are there to help them
too.
So my first question is for CISA Director Easterly.
Director Easterly, this past month was cybersecurity awareness
month and CISA launched their annual effort to educate the
public on good cyber hygiene practices and the resources that
CISA offers. Numerous Members in Congress, including myself,
did what we could to amplify your agency's message with our
constituents. Things like public service announcements,
speaking on the House floor directing people to your CISA
website for further education, speaking to local clubs,
including Rotaries and that sort of thing, but what other steps
can Members take to support CISA's mission in each of our
district? Because, you know, honestly, when I spoke to a local
Rotary, there was only one person in that room--and there was a
number of folks there that actually knew what CISA was. You
know, you bring tremendous resources to the table. How can we
make America more aware of what you have got?
Ms. Easterly. Yes. So first of all, thank you very much for
your leadership and your support. It is great to have Members
weighing in on this important issue. So thanks for that.
You know, we are the newest agency in the Federal
Government. We are going to have our third birthday here on
November 16, so it is probably not terribly surprising that
some folks don't know who CISA, what CISA is, how to correctly
pronounce CISA. But at the end of the day, I do think, sir, we
are making progress. Part of that is the help of Congress, but
also we have a fantastic field force. We have over 500 people,
cybersecurity advisors, protected security advisors out there
working with State and local, your constituents, other
constituents, and critical infrastructure owners and operators
to render assistance, to ensure they have the information they
need to be able to protect themselves. So we are going to
continue with this campaign, but I agree with you, we need a
campaign like ``Click It or Ticket'', or ``Smokey the Bear'',
or ``This is your brain on drugs'', something that really makes
an impact on the American people so they know exactly what they
need to do to protect themselves and to implement multi-factor
authentication.
Mr. Clyde. Thank you.
Follow up on that, you recently discussed CISA's initial
work to map out our Nation's primary systemically important
entities. As you know, there are legislative proposals that
would require CISA to accomplish this goal, including one
authored by Ranking Member Katko and Mr. Garbarino. I applaud
your agency for taking the initiative without Congress having
to get involved. However, could you tell me, has CISA run into
any obstacles in identifying these entities that are critical
to our Nation's security and do you believe legislation would
help CISA overcome these obstacles? Is there any way that we
can help in that regard?
Ms. Easterly. You know, as I have said, I think it would be
very useful to codify systemically important critical
infrastructure, or what we call PSIES, Primary Systemically
Important Entities, but we are going to do that work
notwithstanding. We have not hit any obstacles, but I will tell
you, I mean we want to do this right. So ensuring we have the
rigorous methodology to be able to identify these systemically
important entities based on network centrality, economic
centrality, logical dominance, and National critical functions.
That is a tough effort. It is an important effort. But we have
to be able to identify them and then we have to measure how we
reduce risk. This can't just be about advising on risk or
managing risk, it has to be about reducing risk. We have to
measure what matters, and part of that is being able to
articulate those SICIs or PSIES in the first principles.
Mr. Clyde. All right. Thank you.
In just a couple of seconds left, Director Inglis, you
know, as I said, I am very interested in and support a great
offense.
Chairman Thompson. The gentleman's seconds have expired.
Mr. Clyde. OK. Thank you.
I yield back.
Chairman Thompson. The Chair recognizes the gentleman from
Texas, Mr. Green, for 5 minutes.
Mr. Green. Thank you very much, Mr. Chairman. I thank the
Ranking Member. I think this has been a very informative
hearing and I regret that I have been in another hearing and
have not been able to follow all of what has been--and I am
still being in two places at once, it is difficult to achieve.
Let us start with what I believe the public perceives as an
issue. Just the mere notion that the Federal Government cannot
protect its networks. It is probably hard for the typical
consumer to understand how the Federal Government can't protect
its networks and if it can't, then there is probably a belief
that it is going to be difficult for the private sector to
secure its networks.
Perhaps this has been answered, but do we have--in
collaborating with the private sector, have we identified the
private-sector networks that are so important to our country
that we the Federal Government should have a greater hand in
protecting them?
Whoever would like to respond.
Mr. Inglis. Congressman, if I could start with that and
then defer to my counterpart, Jen Easterly, to complete the
answer.
I think first and foremost you properly point to the
public's expectation that Federal networks will be properly
built, properly defended to deliver the functions, the services
that they expect. We have taken aggressive effort to that. The
Executive Order in May, the binding operational directive that
Ms. Easterly talked about earlier in this hearing are both
aimed at doing just that. But we have further work to do.
As to whether we should take then further effort to define
the critical functions that serve the public, both within and
without, within the private sector, there is further work to be
done in that regard. We call that systemically critical
infrastructure. It is a challenge to define what that is, given
there are so many possibilities and therefore so many
components that underpin those possibilities. But CISA has
taken that work on. With the support of this Congress and this
committee in particular, I think that we can make progress.
Mr. Green. Does the lady desire to have a comment?
Ms. Easterly. Sir, is that for me?
Mr. Green. Yes, ma'am. Sorry. Did you have a response?
Ms. Easterly. Yes, thank you.
You know, I would just add to Director Inglis' points, we
are in fact moving out on identifying that primary systemically
important entities. It is a serious and complex effort. We are
working through it and so I am hopeful that we will have a
preliminary view on that in the coming months.
I would absolutely agree with you that the Federal
Government has to lead by example. The private sector can't
look at us and expect us to not be able to defend our own
networks. So all of the work we are doing pursuant to the
President's EO to modernize our Federal civilian Executive
branch networks to create visibility to ensure that we can
actually manage that enterprise as an enterprise, not as 102
separate little tribes, we are working very aggressively to do
that and I am optimistic that we are going to make a real
difference. Because I think we all know that the status quo is
unacceptable.
Mr. Green. Thank you.
With my 1 minute and 10 or so seconds left, let us talk
quickly about diversity, work force diversity. It is my
understanding that CISA recently announced a $2 million grant
or grants to bring cybersecurity training to rural and diverse
communities. What are the processes that we are putting in
place to make sure that we do this in an efficacious way? My
concern is that rural and minority communities too often are
left behind and this is a great opportunity to make sure that
they are brought into the fold.
Can you give me some sense of what the process will be to
make sure that we are doing this appropriately from past
attempts?
Thank you.
Ms. Easterly. Yes, thanks for asking that question. I am
hugely passionate about this. I am a big believer that you have
to build a talent management ecosystem that allows you to tap
into diverse pipeline because that diversity that looks like
America will enable us to solve the toughest problems. I have
always believed that since my early days as one of the few women
at West Point and in my time in the private sector where I
built an organization that was 50 percent women, 25 percent
black and Hispanic. So the kind of things that we are moving
out on are lessons that I have drawn from previous aspects in
my career.
You point to the GREAT grants--$1 million for N Power, $1
million for the Cyber Warrior Foundation focused on developing
unrealized talent in under-served communities. That is just the
beginning. We are also working to create a pipeline with things
like the Girl Scouts. We just created a collaborative
relationship with Girls Who Code. I am looking forward to
working with folks on this committee to be able to tap in to
historically black colleges and universities to create a
vibrant pipeline there. I am open to all great ideas.
So I would love to work with you, Congressman, if this is a
passion of yours as well.
Mr. Green. It is a passion.
Mr. Chairman, thank you so much for the time.
That is one of the better answers that I have heard. I look
forward to working with you, ma'am. If you will contact my
office.
Thank you so much.
Ms. Easterly. Thank you, sir.
Chairman Thompson. The gentleman's time has expired.
The Chair recognizes the gentleman from Mississippi, Mr.
Guest, for 5 minutes.
Mr. Guest. Thank you, Mr. Chairman.
Director Inglis, in your written testimony on page 4 you
talk about 3 categories of threat that warrant continued effort
and attention. I want to specifically talk about the third
category. You say that we must remain laser-focused on
maintaining the integrity of our information and
telecommunications infrastructure against high-risk actors.
Large portions of the hardware supply chain underpinning our
most critical--such technologies are located in countries that
could leverage it for intelligence gathering or disruption at
global scale.
So can you talk a little bit about the supply chain
challenges that we are seeing today?
Mr. Inglis. Thank you very much for that question.
I think that there is a growing awareness that the digital
infrastructure that supports critical functions, or for that
matter, personal functions broadly across our society is at
risk. It is at risk because it has not been built to be by
design resilient and robust. It is at risk because we don't
collaborate and integrate in the defense of that. Essentially
the stove pipes that sit side-by-side-by-side add primary value
to those supply chains without understanding what the
resilience and robustness is from start to finish across those
supply chains. As you have indicated, many of those lie outside
our physical boundaries, our borders, such that we have to then
depend upon the collaboration of others, other nations to
effect the resilience, robust, and assume the defense of same.
Approaching that then means that we have to reconsider how
do we build those supply chains, invest resilience and
robustness in those supply chains, how do we defend those
supply chains? An important piece of that will be collaboration
between the private sector and the public sector. Some of that
might mean that we have to re-shore some of those supply chains
to find places where we can build the key components,
manufacture, and add value to those components with like-minded
nations or within this Nation. All of that work before us I
think transcends both cyber and the physical space. So it is in
fact a strategy that is under way and it is a collaborative
activity between the private and the public sector.
Mr. Guest. Yes, outside of Congress incentivizing companies
to return and manufacture many of these critical components in
the United States, is there anything else that we can do as a
Congress to try to bring those supply chains back here
domestically so we are not depending upon countries,
particularly countries in the Far East? I think of China and
the growing threat of China, how many of the components that we
need for things that we do on a regular basis are manufactured
in China. We have seen the CCP continue to grow. You even list
here in your testimony that countries can use some of the
hardware manufactured in other countries for intelligence
gathering.
So I guess my first question is outside of incentivizing
companies, giving tax relief, tax breaks for companies to bring
production back to the United States, is there anything that we
can do as a Congress to continue to encourage that?
Mr. Inglis. I think there are three broad points of
influence that we can bring to bear. You mentioned one of
those, incentives. Trying to create market forces that will
essentially push, right, these supply chains, these supply
lines in the right direction for resilience and robustness and
the confidence that pertains.
Another is simply awareness. There is insufficient
awareness about what the true challenge is, where these supply
chains lie. We then find ourselves surprised, right, in a SolarWinds
escapade to understand where this comes from and how
perhaps adversaries might insinuate themselves into that. The
Congress can be very helpful and this committee has been
specifically and particularly helpful in that regard.
Finally, some degree of accountability. When market forces
fail, when incentives fail, we need to understand what are the
truly critical functions that our Nation depends upon and
ensure that those parties who are responsible for delivering
that and defending that are specifically held accountable.
Director Easterly and I sit before you as accountable
parties to kind-of make sure that the Federal Government is
doing its part. The private sector also has a part to play. By
exception we need to understand what those roles and
responsibilities are and effect accountability.
Mr. Guest. Have you seen specific instances where countries
have used their supply chain being a critical component for
intelligence gathering? I know you list that here in your
written testimony. First, have you seen examples of that and
then, No. 2, are there any that you could share with this
committee? I know there may be things which you have awareness
of that you are not able to share in this type of setting. But
just specifically if there are any that you could share, I
would appreciate that.
Mr. Inglis. I would be pleased in the appropriate setting
to speak to intelligence matters that would kind-of point to
the opportunities that various nations might have given the
current disposition of supply chains. Unfortunately, for the
purposes of this discussion, those are matters that are likely
Classified in terms of those opportunities.
Mr. Guest. Yes, sir. Thank you very much.
Mr. Chairman, I yield back.
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentlelady from Michigan, Ms.
Slotkin, for 5 minutes.
Ms. Slotkin. Great. Thank you, Mr. Chairman. A warm welcome
to our witnesses. Really glad to have excellent experts. I echo
Ranking Member Katko's comment that I feel like we have the
best team in place and we are working in a really positive
bipartisan way on something that is an issue that really
connects high policy in Washington to every family back home in
our districts. It is rare that that happens. But after the
attacks on Colonial Pipeline and JBS, I find myself
increasingly in front of communities, often in rural
communities, where I am, you know, there to talk about
something very different and the first question they ask me,
from farmers to school teachers and superintendents is, what
are we doing to protect ourselves from this onslaught of
attacks. I would note, I had a big group of superintendents in
my office yesterday and every single one of them had had
ransomware attacks and many had paid the ransom to get the
school data back.
But what I want to know I think echoes some of my
colleagues. I want to be able to tell people back home that we
are doing everything we can to defend them. I understand that a
lot of our offensive things are Classified and we don't talk
about them in public, but I am interested in the defensive
side. In particular what the President laid down on the 16
different categories of infrastructure that he told Vladimir
Putin were off-limits.
Can you lay out for us, since the summit between the
President and Putin and the President laying down that marker,
have we seen attacks from Russian-based groups, particularly
those groups that were responsible for some of our biggest, you
know, disruptions, have you seen a decrease, an increase, or no
change in their level of attempts to attack us?
Mr. Inglis. I will start with that.
Thank you very much for that excellent question. I am sure
on the minds of most, if not all, of our citizens.
I think that, answering the question head-on, we have seen
a discernible decrease. It is too soon to tell whether that is
because of the material efforts undertaken by the Russians or
the Russian leadership. It may well be that the transgressors
in this space have simply kind-of lain low understanding that
this is for the moment a very hot time for them. We need to
make sure that that continues to be the case, that we continue
to build resilience and robustness in our infrastructure, we
continue to work hard to understand who is transgressing across
that infrastructure and use all of the resources at our
disposal to bring them to justice.
I think in the longer term we will be able to measure in a
qualitative and a quantitative fashion what the diminishment of
those efforts are. For the moment, I think it is too soon to
tell. We therefore need to ensure that our strategy is
solidified and brought to bear.
Ms. Slotkin. OK. So I would just ask for your commitment.
Since we know that some of these groups sometimes go dark for a
short time while the media's attention is on them and then they
come back to life. I would offer we should have that
conversation again iteratively in this committee to make sure
that the Russians are living up to a basic commitment to stop
what is going on based out of their territory.
I think the other issue I think Ms. Easterly is--I think
one of my colleagues mentioned--you know, I don't think the
American public knows the 9-1-1 number to call when their
school, when their farm, when their processing plant, when
their local government is attacked. Of course there are State
offices that handle some of these things, but is it appropriate
to think of CISA as the Federal 9-1-1 that we call when we see
one of our infrastructure nodes being attacked?
Ms. Easterly. Certainly. We welcome first of all the cyber
incident reporting legislation where if there is an attack of
some sort people would come to us and let us know because we
are there to render assistance, but we can also use that
information to prevent others from being hacked. So I would
want people to recognize CISA both as those people that you
call to get help, but really those people who are helping to
raise the whole cybersecurity baseline and creating goodness
for the entire defense of the Nation. So I hope to get to that
point, Congresswoman, and I would love to partner with you on
that.
Ms. Slotkin. Yes. Then last I would say, you know, the
best, you know, offense is a good defense. We know that our
private sector has an important role to play. Do the companies
you engage with get that they are part of our National security
apparatus, that they have a role to play, particularly in
infrastructure, in protecting the United States, and therefore
have to maintain the highest standards, unlike some of our
pipelines and others that we have seen recently?
Ms. Easterly. Yes. I would certainly say that I have been
incredibly encouraged, both from my time in the private sector
within finance, but since then I arrived at CISA and have been
working directly with private-sector companies, to include ISP,
CSP, cybersecurity vendors, infrastructure providers, who get
that this is a National security imperative. So have been
encouraged, am optimistic, but we are going to continue to
collaborate and strengthen those partnerships to make sure that
this is really a National endeavor to protect the country.
Ms. Slotkin. Thank you very much.
I yield back.
Chairman Thompson. The gentlelady yields back.
The Chair recognizes the gentlelady from Iowa, Ms. Miller-
Meeks, for 5 minutes.
Ms. Miller-Meeks. Thank you, Chairman Thompson, Ranking
Member Katko. I appreciated the questions by all of my
colleagues and Representative Slotkin, who just spoke,
especially in reference to cyber attacks and ransomware.
So JBS is in my district and it was affected--less so the
plant within my district than, you know, the entire
infrastructure of JBS. I have also, as a State senator, worked
on legislation for ransomware attacks that our local government
had experienced when they had been hacked. Interestingly
enough, when people communicated to me in my district about the
provision in the reconciliation bill with the increase in IRS
agents and looking into accounts where there was a $600
transaction, often I was asked about hacking and did this make
us less secure.
So I think this is an extraordinarily important topic and I
appreciate Chairman Thompson bringing this forward today.
Director Easterly, on the topic of the new CISA authorities
provided in last year's NDAA, one of the more important
provisions authorizes CISA to subpoena internet service
providers to obtain contact information for critical
infrastructure operators where CISA has identified vulnerable
devices on the internet and so that these devices can be
secured before they are attacked.
Can you provide the committee a status update on the
implementation, how many subpoenas has CISA issued to date?
Ms. Easterly. Yes. Thanks for the question.
It is a really, really important authority. We have issued
over I believe 35 administrative subpoenas to date and we have
seen--because we go back and we re-scan the infrastructure
where we saw those vulnerabilities--we have re-scanned that and
we saw those vulnerabilities actually get closed. So we believe
this tool is enabling us to mitigate and remediate
vulnerabilities and to make folks aware of vulnerabilities that
they probably were not tracking.
So we have used that aggressively since we have gotten it
and I am really pleased to say that we have operationalized it
in a way that is helping us reduce risk.
Ms. Miller-Meeks. So you answered one of my follow-up
questions, so I am going to go to the next one.
Have you identified any shortcomings of the program that
you think need to be addressed?
Ms. Easterly. Well, since we are just in the--I guess about
6 months, 9 months of operationalization, I have not yet seen
specific shortcomings, but I will absolutely come back to you
and let you know if we need something different or more from
this authority.
Ms. Miller-Meeks. I think with the recent attacks, you
know, people are much more aware of this now, so it is a topic
of conversation.
So thank you. We would appreciate the feedback.
I also think that we are--all of us are in agreement that
we need to double-down on our efforts to provide proactive
vulnerability identification to critical infrastructure
entities, particularly those that identify as being
particularly critical for economic and National security. I
think we have heard this from several Members.
We don't want a single point of failure resulting in
cascading impact for the country at large. Do we have the
processes and technology in place to execute on this proactive
vulnerability identification and notification at scale? Are we
effectively looking at vulnerabilities across critical
infrastructure community through the eyes of an attacker?
Ms. Easterly. I will start and happy for Director Inglis to
weigh in.
I think it is exactly the right question. As we know,
everything is connected, everything is interdependent these
days. Everything sits on that technology baseline and therefore
everything is potentially vulnerable. So we work very hard to
make sure that business owners, small and large, critical
infrastructure owners and operators, State and local, the
American people have a good understanding of what they need to
do to ensure that their software is patched, to ensure that we
are taking care of vulnerabilities, and to have the basics that
we need.
I would also commend the incredible research community,
those researchers, those academics, those hackers out there who
were doing yeoman's work in being able to help identify these
vulnerabilities, bring them to us through the coordinated
vulnerability disclosure platform, because that helps make us
all safer and more secure.
I would point to the Binding Operational Directive, ma'am,
that we issued today that I think is really groundbreaking in
that for the first time this is really giving time lines to
remediate those specific vulnerabilities that we know have been
actively exploited by adversaries, not just all
vulnerabilities, but the ones that we think are most dangerous.
I think that can make a real difference, not just for Federal
agencies, but from a signaling perspective for our critical
infrastructure owners and operators and for businesses, large
and small around the country.
Ms. Miller-Meeks. Thank you so much.
Director Inglis, I apologize. I have run out of time so I
won't be able to get your answer to this. But thank you so much
and thank you, Chairman Thompson.
I yield back.
Chairman Thompson. The gentlelady yields back.
The Chair recognizes the gentlelady from Texas, Ms. Jackson
Lee, for 5 minutes.
Ms. Jackson Lee. Mr. Chairman, if I could, I have to run to
vote in another committee. I would like to delay my 5 minutes.
Thank you very much. I will come back to the committee when
I finish voting. Thank you.
Chairman Thompson. The Chair recognizes the gentlelady from
Nevada, Ms. Titus, for 5 minutes.
Ms. Titus. Thank you, Mr. Chairman. I didn't realize I was
going to be next, but I appreciate it.
I would like to ask Mr. Inglis and Ms. Easterly both a
couple of questions.
One is in our Subcommittee on Transportation and Marine
Policy, last week we learned that there are many cybersecurity
vulnerabilities in our travel hubs, including airports. I
represent McCarran Airport and we know that as people travel we
want them to be safe physically, but we also want their data to
be safe. You see everybody plugging in their computers
everywhere and working on them. Then when they get on the plane
they continue to use wifi from the airlines for in-flight
services. I wonder if you two could address what we might be
doing to make that more secure?
Mr. Inglis. Thank you very much for the question. I will
start and Director Easterly, I am sure, will complement that.
I think there are at least two dimensions to this. One is,
as per some earlier conversations we have had, there are in
these locations systemically critical infrastructure upon which
the public depends. How do we coordinate the flow of air
traffic, how do we ensure that flight plans are securely
communicated, how do we make sure that the data flows that
underpin the safety of that industry is properly defended? The
work that CISA and others are doing to determine what those
systemically critical components are and the entities
responsible for those will allow us to focus the very precious
resources we have in a prioritized way to increase resilience
and robustness in the defense of safe.
To the extent that individuals make use of individual
services for their personal and perhaps their business
activities, we need to make sure that as a matter of the
commodities provided to them that security is built in. We also
need to make sure that they are aware of what their
alternatives are and that in the case where there is a risk
that we haven't found a way to buy down, that they understand
that that is a risk that they can choose to take or not take.
So some degree of cyber education, training, and awareness
is also essential and we need to kind-of get that into our
people skills at the earliest possible moment.
Ms. Easterly. Yes. I would only add--I completely agree
with that. A lot of this, clearly from a standards perspective,
we work closely with TSA as they are the sector risk management
agency for aviation, for rail, but this also comes down to
public awareness, making sure people understand the basics of
password hygiene, updating their software, implementing multi-
factor authentication, making sure that if you are a business
you are patching those vulnerabilities.
So we have got to come at it from both angles, from a
personal angle but also from a Government Federal agency angle.
It has got to be a team sport.
Ms. Titus. Thank you.
Speaking of Government agencies working with others, I
would ask you about the relationship with universities and how
we can strengthen that. I represent the University of Nevada,
Las Vegas and they have a cyber center that has been recognized
by DHS and the NSA as the National--it is a National center of
academic excellence in cyber defense education. They are
working to create a clinic where students can help small
businesses if they get hacked because we know if a small
business is hacked, 60 percent of them go out of business as a
result of that.
So could you talk about maybe how we could strengthen the
relationship between the Federal Government and the
universities to do things like help small businesses?
Ms. Easterly. Sure, absolutely.
First of all, I love that clinic idea. I would love to come
visit, if that is cool.
Ms. Titus. You are welcome any time.
Ms. Easterly. Awesome. So you mentioned the centers of
academic excellence that is sponsored by both DHS and NSA. It
is a fantastic program and it is really part of our strategy to
be able to tap into these schools, as well as community
colleges, historically Black universities and colleges to
create that pipeline for the next generation of cyber talent.
So the kind of things that you are doing are exactly what we
want to amplify. We want to tap into some of those students
that are already cyber superstars. Our cyber talent management
system will allow us to hire these folks based on their
aptitude and their collaborative attitude as opposed to
somebody having to get a Ph.D. or a Master's degree.
Mr. Inglis. If I could double down on that and commend the
clinic in a particular and specific way, which is the clinic
idea actually has many, many beneficiaries. Of course it
benefits the local businesses that are serviced by those
clinics, of course it is a component of those students, but
importantly, it bridges the gap between education and practice
in ways that so many institutions have been challenged. When a
student arrives with a degree or a certificate at the front
door of a business that they want to work for, they often lack
the experience necessary to prove that they can do the job at
the very first moment. So I think you have solved a number of
challenges in one fell swoop. So I would commend that for
others to follow.
Ms. Titus. Well, thank you. I am glad to hear that. I will
let UNLV know your comments.
Thank you, Mr. Chairman, I yield back.
Chairman Thompson. The gentlelady yields back.
The Chair recognizes the gentleman from Kansas, Mr.
LaTurner, for 5 minutes.
Mr. LaTurner. Thank you, Mr. Chairman. Good afternoon.
I was on the phone conversation yesterday--phone call
yesterday with a constituent of mine who owns a small business
in Kansas. He had a ransomware attack and they asked for
$900,000, which is a lot for this business--it is a lot for any
business, but certainly a lot for this one. I asked the
question, I said did your insurers or did the lawyers or the
technical experts at any stage tell you you need to report this
to a Federal agency, that you need to make this known. He said,
no, to the contrary, they said it is a waste of time.
Now, I don't think you would agree that it is a waste of
time and I would like you to address that. Assuming that you
don't think it is a waste of time, how do we begin to change
this narrative across the country?
Ms. Easterly. I am happy to start. Or you go ahead, please.
Mr. Inglis. Go ahead.
Ms. Easterly. So first of all, I have great empathy for
these small businesses that are getting hacked. They are put in
a terrible position and I think they often do pay. Now, we say
as a Government, you should not pay because it incentivizes
that criminal ecosystem, but a lot of these folks----
Mr. LaTurner. They got it down to $600,000, but they were
losing $2 million a day, you know.
Ms. Easterly. Yes, it is an incredibly tough decision.
Mr. LaTurner. So it is a tough spot.
Ms. Easterly. I totally hear you.
So part of this is making sure that businesses have
everything that they need to prevent getting hacked. Frankly
the resources and assistance and information we provide can
help with that. But at the end of the day we have a field force
that can actually render assistance to help folks understand if
they get hacked what they can do about it, how they can recover
and mitigate risk. If they do report to us, I think very
importantly--which is why I am a fan of this legislation--we
can use that information to prevent others from being hacked.
But I would tell you, you should tell your constituent go to
stopransomware.gov, which has been looked at uniquely almost
500,000 times. There is a huge amount of information, what
ransomware is, how do you deal with it, how do you prevent
yourself from getting hacked.
Mr. Inglis. It is hard for me to add value to that answer.
I think it is a complete and fulsome answer. I think that they
should call such that then we can better support them in the
time of need, that we can take the information necessary and
invest in the future. But it is our job as the Federal Government
working in collaboration with the private sector to prevent
these events in the future. Stopransomware.gov is an excellent
kind of body of information to allow individuals, businesses to
kind of act in their own defense, but there is more that we can
do to get ahead of this to make sure that we are left of that
event.
Mr. LaTurner. But you are both certainly aware of that
attitude being very prevalent throughout the country in the
business sector?
Mr. Inglis. We are. The Government needs to actually--it
needs to lead with the practice such that when you call the
Government, the Government actually responds with meaningful
support. What Director Easterly has laid out is an initiative,
a set of initiatives across the Federal Government that had
begun to do that. But we need to demonstrate that value such
that the first thinking of an individual business or citizen is
I need to call the Government because they have shown
themselves willing and able to assist me in this time of need.
Mr. LaTurner. Let us talk about the JCDC. So I know it just
launched in August officially. Talk about the promise of that
and how you think that is going to help the coordination.
Because that is one of the big concerns that I have is that
there are so many different departments that have a piece of
this. You know, for example, the White House chose the
Department of Energy to deal with the Colonial attacks. So what
is the promise of that and how are you going to make sure that
we are actually coordinating and that Congress in our oversight
function can actually hold someone accountable? Because it is
incredibly frustrating when it is so spread out.
Ms. Easterly. Yes, absolutely. It is a great question.
I am incredibly motivated on this one, sir. I will come
back and ask this committee for help if I need it. You can hold
me accountable if the JCDC fails, but I will tell you, I am
motivated because even though I spent 27 years in Government
before I went to the private sector, when I showed up in the
private sector it felt like you needed a Ph.D. in Government to
deal with the U.S. Government, right. You were getting
different signal, different information from different
agencies, it was totally unhelpful and incoherent, even as good
as Government agencies and well-meaning as they are. So the
beauty of the JCDC is by law it brings together the power of
the Federal Government, not just CISA, but NSA and FBI and DoD
and DoJ and ODNI and Secret Service and the National Cyber
Director as one entity to collaborate with State and local,
with critical infrastructure owners and operators and with
those cybersecurity companies, ISPs and CSPs that have the
global visibility to allow us to illuminate those dots so we
can connect them and drive down risk at scale.
This is not about just weekly meetings on partnership, hey,
how are you, let us have coffee together. It is really about
how do we operationally collaborate in a professional intimate,
shoulder-to-shoulder--whether that is virtual or physical--way
to make a difference for this defense of our Nation.
Mr. LaTurner. I appreciate that. I want you both to succeed
and am happy to do anything that I can to help along the way.
Mr. Inglis. Thank you, sir.
If I could, at the risk of 10 more seconds, simply add that
I think that the JCDC is different in kind than what we have
done before. This essentially is an agreement to collaborate
essentially to find dots, to co-discover threats that no one
can find alone. That is different. Authorized by the Congress,
substantiated in law, we are now beginning to effect that.
Mr. LaTurner. Thank you both for your time.
I yield back, Mr. Chairman.
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentleman from New York, Mr.
Torres, for 5 minutes.
Mr. Torres. Thank you, Mr. Chair.
I must admit I continue to have a lack of clarity about
cyber jurisdiction. I know you have been asked this question a
few times, but the National Security Council exists to play a
coordinating role on matters of National security, which
increasingly include cybersecurity. What is the central
difference between the coordinating role of the National cyber
director and the coordinating role of the National security
advisor for cybersecurity? Earlier, in response to
Congressmember Clarke you said the two roles are complementary.
But I am interested in knowing what makes them distinct, not
complementary.
Mr. Inglis. At the end of the day if there is an event that
requires the application of instruments of power outside of
cyber space, the various instruments kind-of in the hands of
Government, like intelligence or military or diplomacy, that is
the traditional and sustained role of the National Security
Council. My job is to ensure that the resources inside of cyber
space are prepared, complementary, and effected for the purpose
intended such that chief information security officers, CISA,
sector risk management agencies, all of whom operate inside
cyber space, that they do the job that is required.
Mr. Torres. I want to revisit a point that Congressmember
LaTurner made. So there are 16 critical infrastructure sectors
and each sector has a sector risk management agency. The role
of CISA is to partner with those sector risk management
agencies to secure critical infrastructure. Even though the TSA
is the sector risk management agency for pipelines, the Federal
Government designated the Department of Energy as the lead agency
on response to the Colonial incident.
Do you worry, as I do, that the designation of the
Department of Energy as the lead agency perpetuates confusion
about who exactly is in charge, about cyber jurisdiction?
Mr. Inglis. Congressman, I think that is an excellent question.
Neither Director Easterly nor I were here at the time and
therefore are unable to illuminate that choice. I would say
that from this day forward, from the moment we got here, we
strongly relayed that the playbook should be followed. That
when we allocate roles and responsibilities, to the question
asked earlier, policy matters. It must be effected as intended.
Therefore in the future we intend to exercise, allocate, and
essentially respond according to those policies and laws.
Mr. Torres. To be clear, who in the administration decides
which agency takes the lead on a cyber incident response?
Mr. Inglis. I think that we define that ahead of the time,
such that that agency knows at the moment that that occurs that
that is in fact what they should do. Again, within cyber space
my responsibility is to ensure that those agencies understand
those roles, they are prepared, and that they then execute
those roles. As the on-the-field quarterback Jen Easterly would
then ensure that that is actually being effected.
Mr. Torres. Director Easterly, I appreciated your allusion
earlier to Cobra Kai.
Ms. Easterly. Thank you.
Mr. Torres. I am a fan of the show. You said earlier there
is a limit to what we can do in Government, that there is no
substitute for cyber hygiene from the private sector. I agree
with your assessment. It seems to me the breach of both
Colonial Pipeline and JBS demonstrates that the laissez-faire
approach to cybersecurity that the Federal Government has long
taken has been a profound failure. A voluntary framework will
only take you so far. There is no substitute for mandates.
So I have a few questions. Should every owner and operator
of critical infrastructure report major cyber incidents to the
Federal Government? Yes or no?
Ms. Easterly. Yes.
Mr. Torres. Should every owner and operator of critical
infrastructure have a chief information security officer?
Ms. Easterly. Yes.
Mr. Torres. Should every said owner and operator have
multi-factor authentication?
Ms. Easterly. Yes.
Mr. Torres. Should every owner and operator have password
updates and software updates and third-party assessments?
Ms. Easterly. Yes.
Mr. Torres. So if you agree that every owner and operator
of critical infrastructure should adopt these cross-sector
standards of cyber hygiene, as you describe them, then when is
the administration going to mandate them universally?
Ms. Easterly. Well, we have begun a lot of that work with
mandating it within the Federal Government. That is the work
that we are doing with the EEO. All of those things are part of
on-going efforts and that is signaling to our private-sector
partners, who own that infrastructure and--you know, as you
know, it is not owned by the Federal Government, but we are
doing everything we can to ensure that we are signaling by
leading by example and then by articulating the goals and
standards that private infrastructure needs to implement to
make themselves safe----
Mr. Torres. With respect, signaling is different from
mandating. Like the only reason we have mandates for pipeline
cybersecurity is Colonial Pipeline. There is a sense in which I
feel like we are reacting to events rather than governing. I
want to govern proactively.
Ms. Easterly. Yes. I think there is--I agree with you,
bottom line. I think there is a role for ensuring that we are
holding those who own and operate critical infrastructure
accountable for ensuring that their systems and networks are
secure and resilient. I think you are starting to see some of
that being implemented here by the Government.
Mr. Torres. I want to quickly squeeze in a question. I am
curious, Director Inglis, what is your opinion on General
Nakasone's cyber strategy of defense forward and what impact,
if any, has Solar Winds had on your opinion on that strategy?
Mr. Inglis. I think the strategy, which has now been in
place for 3 1/2 years is an appropriate strategy. It follows
on the heels of what we have done in other domains of interest.
NATO is defend-forward, the pre-positioning of U.S. Forces in
South Korea is defend-forward. It should be followed by the
application of all instruments of power in a similar fashion
such that we have an early discernment of threats against us
and early action to engage those threats such that we no longer
wait on shore to receive those threats as they arrive in a
distributed fashion.
Chairman Thompson. Thank you very much. You see why he is
Vice Chair of the Committee, right?
The Chair recognizes the gentleman from Michigan, Mr.
Meijer, for 5 minutes.
Mr. Meijer. Thank you, Mr. Chairman, and thank you to our
Ranking Member and our witnesses for being here today.
I actually want to follow up on what the subcommittee Vice
Chair was asking about regarding that strategy, and
specifically, you know, there have been prior questions around
the concept of deterrence, so I don't want to go back and
rehash that ground, but I serve on both Homeland Security and
Foreign Affairs and a lot of these issues really--cybersecurity
issues are at that nexus when it comes to foreign adversaries,
you know. I know we have been working on a broader multilateral
strategy deterrence on the diplomatic side, but there are also
unique vulnerabilities--or I should say unique protections
within the United States and the way that our intelligence
community is structured that I think can be--are very well-
intended, but could have negative consequences.
So I guess for both witnesses, are our foreign adversaries
exploiting restrictions of our intelligence community by using
U.S.-based tech firms in order to launch attacks using virtual
private servers?
Ms. Easterly. I think we saw that pretty clearly in both
Solar Winds, as well as Microsoft Exchange. It is not a
surprise. These adversaries are sophisticated, they are going
to do everything they can. They are entrepreneurial. So it is
one of the reasons why we have put together the Joint Cyber
Defense Collaborative with those companies that have the
visibility into domestic and global infrastructure that we
don't want the intelligence community or the U.S. Government to
have. These companies are able to provide this information in
an anonymized way so the privacy is protected, but that we
understand those vulnerabilities and then we can do something
about it as rapidly as possible.
Mr. Meijer. Would you say that would level out the benefit
to our adversaries of using U.S.-based platforms rather than
using foreign platforms that may fall under a different set of
guidelines for IC?
Ms. Easterly. Well, certainly it will help increase our
visibility as we know we have better visibility overseas given
some of our intel capabilities. But I think actors have shown
themselves to try and take advantage of the blind spots. So we
need to use creative ways to be able to create those dots,
connect the dots to drive down risk at scale.
Mr. Meijer. Are there legislative solutions that may help
to further drive down that risk at scale and connect those dots
further?
Ms. Easterly. At this point in time I really don't know. I
don't think so. We need to get this model right and ensure that
the information is shared in a way that is enabling and
collaborative. But I will definitely come back to you, sir, if
I think we need more authorities to instantiate this visibility
that we need to defend the Nation.
Mr. Meijer. Thank you. I would welcome that conversation. I
think, you know, as you saw we are passionately committed to
doing what we can on talent, recruitment, and retention, on
making sure that authorities are in place on recognizing that
this is a critical and pressing vulnerability for our country.
So I think there is strong bipartisan support to do what we can
to shore it up, but some of that may trip into other areas that
I think we are happy to discuss on-line or off-line.
Then, Director Inglis, in your testimony you identified
burden reallocation across the cyber ecosystem as a major key
objective. In order to take those unfair responsibilities off
of the most vulnerable entities in cyber space, such as
individuals or small businesses, you know, local governments
that may have the least amount of resources are least well-
equipped to deal with the magnitude of the threat--I guess, to
put it briefly, how are you approaching this problem, which
stakeholders in this space do you feel should bear the largest
share of responsibility for systemic cyber risk in the digital
ecosystem?
Mr. Inglis. Thank you very much for the question.
I think that if you are an individual consumer of cyber
services far too often you have to provide for your own
security in a way that a consumer of an automobile does not. A
consumer of an automobile does not have to go out and negotiate
for an airbag or anti-lock brakes, they are built in. So we
need to start with that. The systems that we provide to our
citizens, to users, have to actually be resilient and robust by
design, at scale, commodity scale.
No. 2, we need to make sure that those who would
transgress, who would essentially hold them at risk all the
same, that we understand who they are, how they operate, and
that we find them and bring them to justice using all the
instruments at our disposal, legal means, financial sanctions,
diplomacy. This is an international threat.
We also need to make sure that in a time of extremis,
contingency, or crisis, that the Government provides resources
as appropriate to help those individuals or businesses at that
moment in time. All of those combined I think can make a
determinative difference in the life and the progress of our
individual citizens and businesses in using this, and increase
confidence that those systems will be used for the purposes
intended and not for transgressors.
Mr. Meijer. Thank you.
Thank you, Mr. Chairman. I yield back.
Chairman Thompson. The gentleman yields back.
The Chair recognizes the gentlelady from Texas for 5
minutes, Ms. Jackson Lee.
Ms. Jackson Lee. Thank you very much, Mr. Chairman, and to
the Ranking Member for holding this important hearing.
Congratulations to Director Easterly and Director Inglis for
their ascending to important responsibilities.
I believe that we are in an era that Dr. King wrote about
as relates to civil rights. I think that era has raised its
head again as relates to civil rights, why we can't wait. I
think as it relates to the whole issue of cybersecurity, we are
at a time and place in America and around the world that we
cannot wait to be aggressive in addressing the questions that
are going to come at us or the issues that we are going to
confront rapidly.
So, Director Easterly, you mentioned key stats from 2020
about attacks against America. In 2020 alone there were more
than 12,000 explosive-related incidents and more than a 70
percent increase in domestic bombings, according to the
Department of Justice and U.S. Bomb Data Center. My question to
you would be where CISA is in the role of prevention but also
aggressiveness as relates to the cyber engagement in that. Do
you believe that the mindset of CISA should be aggressive in
its protection and engagement with the entities around the
Nation, but more importantly in its collaboration of the
incidents that may come from outside of the United States?
Director Easterly.
Ms. Easterly. Yes, ma'am. It is a really important
question. Thank you for asking it.
You know, one thing that I didn't realize before I came to
CISA was the power of our field force. We actually have over
500 folks and based on the force structure analysis that we are
doing I suspect that number should grow. But these are our
front-line defenders for both infrastructure and cyber. Our
cybersecurity advisors, our State coordinators, our protective
security advisors that are there working to ensure that at the
State and local level, at the small business level, at a
critical infrastructure owner and operator level, that all of
these individuals have the guidance, the information, the
resources that they need to be able to protect themselves. So I
think those field forces are a very important part of what
gives the magic to CISA to allow us to reduce risk to the
Nation's cyber and physical infrastructure.
Ms. Jackson Lee. Thank you.
Director, do you sense with the administration--and you are
obviously a voice for the policy of the administration and
actions--sense the urgency of creative policies and the why we
can't wait concept? Are you all creatively meeting and looking
at ways to meet this aggression in addition to the able staff
that comes under CISA?
Ms. Easterly. Yes, ma'am. I believe we really have that
sense of urgency, that sense of aggressiveness. Director Inglis
and I are on the phone regularly. We are in contact with all of
our partners across the Federal Government, and importantly,
our partners at State and local and at private sector. I think
everybody--you can't look at Solar Winds and Microsoft Exchange
and Pulse Secure and Kaseya and JBS and Colonial Pipeline and
get anything but a sense of urgency. So we are powerfully
motivated to defend the Nation and we are working at it every
minute of every day.
Ms. Jackson Lee. Thank you.
This question will go to both, but I would like Director
Inglis--and congratulations on your position. The pace of
innovation and integration of new technologies are posing new
challenges to cybersecurity. So how are you, the
administration, and working with CISA integrating emerging
threats and risks into the strategy for keeping security
measures current and focused on nimbleness? 5G, deep
learning, artificial intelligence, and quantum computing
advancements are just a few of the challenges.
I have been steady on the issue of zero-day occurrences.
Obviously we are sort-of advanced beyond that, but you
understand the concept, which is when all things go awry.
Director Inglis.
Mr. Inglis. Thank you very much for that question,
Congresswoman. I think that that is a very, very important
dynamic.
In the earlier question you I think suggested that as
opposed to simply responding to the transgressions, the
initiatives of others who would hold us at risk, we need to
establish our own initiative, we need to make sure that we
reacquire the sense as to what we want this domain to do for
us, not to us, and to achieve that. Technology, innovation, and
best practices are a place where the United States--and like-
minded nations, but the United States in particular can and
must lead. The technologies you have addressed will play a
critical role in that and American innovation will play a
critical role in understanding how those might make a
difference. We need to do that and therefore our investments
need to be made accordingly, such that we build in resilience
and robustness and this domain then can achieve our
aspirations, not our worst dreams.
Chairman Thompson. The gentlelady's time has expired.
The Chair recognizes----
Ms. Jackson Lee. I thank you, Mr. Chairman.
Chairman Thompson [continuing]. The gentlelady from
Florida, Ms. Cammack, for 5 minutes.
Ms. Cammack. Well, thank you, Mr. Chairman. Thank you to
all my colleagues for this very important discussion here
today.
I would be remiss if I didn't mention that the work that I
did as a student at the United States Naval War College was
centered around cyber, so this topic is very exciting to me.
I would love to just use my time to talk about an
initiative that is very near and dear to my heart. I would love
for Director Inglis as well as Director Easterly to weigh in on
the concept, logistics, challenges of potentially the creation
of the next service academy of the United States, the United
States Cyber Academy. We have worked to create a framework that
would address more of our cyber work force challenges and I
would love to hear from you about what something like that
might look like that would be beneficial in meeting the needs
from both a military standpoint, but also Federal service, as
well as the public-private partnership that we need with our
private partners in this space. How we might be able to better
develop this and take advantage of the incredible talent that
we have amongst our youth.
I think it is very exciting about next generation of cyber
warriors that we can foster, educate, and deploy into this
space through the creation of a next generation Cyber Academy a
la West Point or the Naval Academy.
So I am just going to start with Director Inglis first and
then, Director Easterly, if you want to weigh in. I am all
ears.
Mr. Inglis. Well, thank you, Congresswoman for the
question. You are probably aware that both of us are service
academy graduates. I am sure you meant to say the Air Force
Academy first, but that being said--so we are both clearly
aware of the value that a deep and sharp education in a
disciplined domain of interest holds. I think we are also aware
that the proponency that is provided by the parent service is
essential. So if we were to define a service academy construct
for cyber, we would have to attend not simply to the work that
would take place there that would inculcate the sense of what
the technology, the doctrine, the practices, would bring to
bear, but we would have to make sure that we attended to the
generation of what is the mandate that should be taught and
inculcated there and who would then receive the proceeds from
that.
Now, in the case of cyber, you probably have many claimants
on the graduate of those institutions such that they could then
take that forward. You would then have to determine whether you
are going to physically instantiate this in a single place or
whether you broadly would separate or spread this across, you
know, many institutions that have already shown themselves able
to do it.
But I think your idea is very solid insomuch as we need to
dedicate time and attention to understanding the domain of
cyber space and the practices that best work inside of it such
that we can then avail ourselves of a cadre of people who have
thought their way through this. I would tell you that cyber was
declared a domain by the United States Department of Defense
not because the intention was to militarize it, but because it
was sufficiently different, it was sufficiently new and novel,
that unless we study it and understand how it works and how it
behaves, we will continue to be befuddled by it.
I think that there are a number of institutions who have
done yeoman's work in helping us get to that place, but there
is further work to be done.
Ms. Cammack. I appreciate your comments.
Ms. Easterly. Yes, I would only add first, beat Air Force,
because it is that time of year.
But also I think it is incredibly important to explore
creative solutions. You know, I stood at the Army Cyber
Battalion in 2008. We helped--Chris and I helped to build
United States Cyber Command. I think there is a lot of
creativity in the services that we can benefit from and some
really good ideas out there.
I am very proud to say that CISA is 42 percent veterans.
Particularly proud to say that during Veterans Appreciation
Month. But I think there is so much innovation and creativity
in the military that we should figure out how we can create
connectivity with that community and really amplify and
emphasize it.
Ms. Cammack. I appreciate both of your comments. As the
sister to a career airman, I appreciate the nod and hat tip to
the Air Force.
Of course, one of the things that we have always struggled
with I believe is that joint operability across the services.
Then, of course, as the space has gotten bigger, how do we
navigate that divide between Federal service and the various
intelligence agencies, as well as the military and then beyond.
So I think there is something really here and you will
definitely be hearing from my office as we continue to build up
a framework for this.
Thank you again for your time and testimony today. Much
appreciated.
With that, I yield back.
Mr. Inglis. We will look forward to working with you on
that.
Ms. Easterly. Thank you.
Chairman Thompson. The gentlelady yields back.
The Chair recognizes the Ranking Member.
Mr. Katko. Thank you, Mr. Chairman, for indulging me for a
moment.
Before we close, I just wanted to say thank you again for
the great conversation and testimony today. I think it is very
helpful. It is very encouraging to see everyone on the same
page and trying to do the right thing here.
As you may know, I issued in the past what I consider the
five pillars of how we fight the cyber intrusions in this
country. The last one has to do with offensive capabilities, or
clapping back against bad guys. I don't want to talk about them
in this setting, but, Director Inglis, I am asking you
specifically on behalf of my colleagues, many of whom have
asked me this very question, if we could get a briefing in a
secure setting on where we stand with respect to our offensive
cyber capabilities so we can have a better understanding of the
entire playing field. Obviously I don't want to do it here, but
I want to ask you a commitment to set something up soon to
brief all of us on the committee.
Mr. Inglis. We will commit to doing that in the appropriate
venue.
Mr. Katko. Thank you very much.
I yield back.
Chairman Thompson. The gentleman yields back.
One of the things I would like to thank both witnesses for
is your frankness and your willingness to address the known and
unknown challenges. I think the Academy prepared both of you
for the ability to make adjustments.
Part of what the Vice Chair talked about is some of the
going-forward challenges that I think we will have to meet. The
fact that if we have a policy, we need to follow it. That is
it. If not, change the policy.
So what we saw with the Colonial Pipeline situation is a
concern, but from both of you we have heard a commitment to
follow the policy and to try to get other partners to do
likewise so that they understand it. That is important.
The other part is to the extent--piggybacking on the
Ranking Member's comment--some of the countries who give us the
most heartburn we have to continue to engage with. The public
is somewhat befuddled that here we know nation-states are doing
things to us, but yet we are still engaging them on a daily
basis. We go into space together, we do a lot of other things
together, and sometimes we have to be clearer with our
messaging so the public is not confused.
Last, this notion of work force, it is an absolute concern.
Congressman Green left the confines of his office to come to
the end of the hearing because he is not going to let you get
away without closing that deal today. But that is the point,
that we are all interested in helping building the work force
because we are in this together. To the extent that we can make
that work force look like America, the better off we are.
So I join Mr. Green in that effort also.
But just let me thank you for your testimony and the
Members for their excellent questions today.
The Members of the committee may have additional questions
for the witnesses and we ask that you respond expeditiously in
writing to those questions.
The Chair reminds Members that the committee record will
remain open for 10 business days.
Without objection, the committee stands adjourned.
[Whereupon, at 12:22 p.m., the committee was adjourned.]
A P P E N D I X
----------
Question From Honorable Michael Guest for Jen Easterly
Question. Director Easterly, the time line for entities to report
has been a significant point of contention during the debate on
mandatory cyber incident reporting legislation. As you know, both the
House and Senate Homeland bills have a 72-hour time line. You have
served a significant amount of your career in Government, but also
recently in the private sector. How do we strike the right balance here
of not overburdening industry, but still getting CISA the information
it needs to protect others?
Answer. The private sector, which owns and operates most of the
Nation's critical infrastructure, plays a vital role in working with
CISA to improve our Nation's cybersecurity. A mandatory incident
reporting law would increase visibility into the cybersecurity threat
environment, which in turn would inform and augment the U.S.
Government's ability to develop and disseminate actionable information
to help protect our Government and private-sector partners. CISA, in
concert with other Federal agencies responsible for responding to
cybersecurity incidents, looks forward to working with both Congress and
industry to make cyber incident reporting legislation a reality.
CISA's goal is to avoid overwhelming companies and our own Federal
team. The balance should be between getting meaningful and relevant
information in a timely manner that can then be analyzed and provided
to industry in an actionable format while avoiding undue burden on a
company trying to manage a live cyber incident. Timely information can
be the difference between containing an incident and seeing its effects
cascade across sectors and the economy impacting thousands of other
companies. Without timely notification to CISA, critical analysis,
mitigation guidance, and information sharing are severely delayed,
leaving our Nation and our critical infrastructure vulnerable.
For example, CISA estimates that hundreds of millions of devices in
use around the world were potentially susceptible to the Log4j
vulnerability. We know malicious actors are actively exploiting this
vulnerability in the wild. However, the Federal Government simply does
not have the level of information it needs to definitively understand
the breadth or nature of intrusions occurring as a result of this
severe vulnerability. A cybersecurity incident reporting law would help
the Government and our partners receive timely information about
successful exploitation of critical infrastructure networks quickly
after they are discovered, enabling us to help victims mitigate the
effects, stop the spread to additional victims, and better track the
size, scope, and scale of any adversary campaigns to exploit wide-
spread vulnerabilities like Log4j.
Hearing from all stakeholders, through a formal and consultative
rule-making process with publicly-sought input, will achieve balance by
accounting for the concerns of industry and the benefits to the whole
Nation. We recognize that Government agencies across critical
infrastructure sectors have a need for cyber incident reporting for
regulatory and other purposes. We believe that it is important that
Congress support CISA's role in coordinating a National incident
reporting system so that a thoughtful and consistent approach can be
applied across the entire economy. CISA is built on a partnership model
and we are committed to working with Congress and with industry to
strike the right balance with these principles in mind.