[Senate Hearing 118-161] [From the U.S. Government Publishing Office] S. Hrg. 118-161 IMPROVING FEDERAL COLLABORATION TO PROTECT OUR K-12 SCHOOLS FROM CYBERATTACKS ======================================================================= FIELD ROUNDTABLE BEFORE THE SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT OF THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE ONE HUNDRED EIGHTEENTH CONGRESS FIRST SESSION __________ AUGUST 21, 2023 __________ Available via the World Wide Web: http://www.govinfo.gov Printed for the use of the Committee on Homeland Security and Governmental Affairs [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] U.S. GOVERNMENT PUBLISHING OFFICE 53-993 PDF WASHINGTON : 2023 COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS GARY C. PETERS, Michigan, Chairman THOMAS R. CARPER, Delaware RAND PAUL, Kentucky MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin KYRSTEN SINEMA, Arizona JAMES LANKFORD, Oklahoma JACKY ROSEN, Nevada MITT ROMNEY, Utah ALEX PADILLA, California RICK SCOTT, Florida JON OSSOFF, Georgia JOSH HAWLEY, Missouri RICHARD BLUMENTHAL, Connecticut ROGER MARSHALL, Kansas David M. Weinberg, Staff Director Zachary I. Schram, Chief Counsel William E. Henderson III, Minority Staff Director Laura W. Kilbride, Chief Clerk Ashley A. Gonzalez, Hearing Clerk SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT MAGGIE HASSAN, New Hampshire, Chairman KYRSTEN SINEMA, Arizona MITT ROMNEY, Utah JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma JON OSSOFF, Georgia RICK SCOTT, Florida Jason M. Yanussi, Staff Director Jillian R. Joyce, Professionsal Staff Member Scott Maclean Richardson, Minority Staff Director John A. Poulson, Minority Professional Staff Member Kate Kielceski, Chief Clerk C O N T E N T S ------ Opening statements: Page Senator Hassan............................................... 1 WITNESSES Monday, August 21, 2023 Daniel King, Chief of Cybersecurity, Region 1 (New England) Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security................................ 3 Richard Rossi, Cybersecurity Advisor, New Hampshire Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security....................................................... 5 Timothy Benitez, Resident Agent in Charge, Manchester, NH, U.S. Secret Service, U.S. Department of Homeland Security........... 7 Denis Goulet, Commissioner and Chief Information Officer, State of New Hampshire Department of Information Technology.......... 8 Kenneth Weeks, Chief Information Security Officer, State of New Hampshire Department of Information Technology................. 9 Pamela McLeod, Chair, Alton School Board......................... Alphabetical List of Witnesses Benitez, Timothy: Testimony.................................................... 7 Goulet, Denis: Testimony.................................................... 8 King, Daniel: Testimony.................................................... 3 McLeod, Pamela: Testimony.................................................... Rossi, Richard: Testimony.................................................... 5 Weeks,, Kenneth: Testimony.................................................... 9 IMPROVING FEDERAL COLLABORATION TO PROTECT OUR K-12 SCHOOLS FROM CYBERATTACKS ---------- MONDAY, AUGUST 21, 2023 U.S. Senate, Subcommittee on Emerging Threats and Spending Oversight, of the Committee on Homeland Security and Governmental Affairs, Washington, DC. The Subcommittee met, pursuant to notice, at 11:00 a.m., St. Anselm's College, The New Hampshire Institute of Politics, 100 St. Anselm Drive, Hon. Maggie Hassan, Chairwoman of the Subcommittee, presiding. Present: Senators Hassan [presiding]. OPENING STATEMENT OF SENATOR HASSAN Senator Hassan. This hearing will come to order. Good morning, everybody. The Subcommittee on Emerging Threats and Spending Oversight (ETSO) of the United States Senate Committee on Homeland Security and Governmental Affairs (HSGAC) is here today to examine the coordination efforts of Federal agencies, State and local governments, and nongovernment entities to improve the cybersecurity of our K-12 schools. As Chair, I am pleased to bring the work of the Subcommittee on cybersecurity home to the Granite State. On that note, I would like to take a moment to recognize the New Hampshire Institute of Politics at St. Anselm's College for hosting us today. Thank you to everyone here, the staff who made this event possible. Additionally, while Ranking Member Mitt Romney could not be with us today, I would like to thank him for his cooperation in holding this hearing, and thank his staff for the work that they have done to help organize today's event. Now on to today's topic. As we prepare for the new school year, it is an important time to take a look at the cybersecurity of our school systems and see what can be done to increase their security and their resiliency. Criminals and criminal organizations continue to target our K-12 schools with disruptive cyberattacks. We have seen cyberattacks on schools all across the country, including right here in New Hampshire. For example, in May, the Nashua School District experienced a significant cyberattack which took their systems offline. Across the country, according to one report, K-12 schools publicly reported 166 cybersecurity incidents during calendar year 2021. This includes 62 ransomware incidents, which has quickly become the most common type of cybersecurity incident for K-12 schools. However, the actual number of cybersecurity attacks is likely significantly higher than what is publicly reported because schools, and other victims of cyberattacks, too, fear the consequences of reporting cybersecurity incidents. By one estimate, the true number of incidents may be 10 to 20 times higher than the publicly reported number. Regardless of the actual number of attacks, though, these attacks disrupt student learning and can take schools months to recover from. These attacks are not just disruptive; they are also costly. Restoring computers and networks after a cyberattack often costs the school and community over a million dollars. Additionally, digital criminals who penetrate school systems sometimes steal sensitive information about students. In addition to holding access to computer systems hostage, also ransom the private information for money, threatening our children's privacy. The more positive news, though, is that while cyberattacks continue to threaten our schools, Federal, State, and local governments have taken steps to combat these threats. For example, over the last few years, my colleagues and I worked to pass into law a State and local cybersecurity grant program (SLCGP) and to create the position of cybersecurity coordinator in every State. Just 2 weeks ago, the White House announced new initiatives by Federal agencies and the private sector to protect K-12 schools from cyberattacks. One of these initiatives is something that I pushed for, the creation of a government coordinating council to focus on K-12 cybersecurity. This council will coordinate activities and policies among Federal, State, and local governments in order to improve the cyber resiliency of our schools. In Congress, we have provided resources to Federal agencies like the Secret Service and Cybersecurity and Infrastructure Security Agency (CISA), to support the cybersecurity of State and local governments, including public schools. Today we will hear from a panel of experts who have all played different roles in improving K-12 cybersecurity in New Hampshire, representing Federal, State, and local levels of government. The panelists will discuss innovative and collaborative cybersecurity efforts among the offices and agencies charged with protecting our schools, as well as how we can continue to work together to address remaining cybersecurity challenges. As students in New Hampshire head back to school this year, I hope that today's conversation highlights the importance of continuing to work together to improve K-12 cybersecurity and inform our communities about this critical issue. Now on to the panel. I will introduce each panelist and ask them to provide their remarks, and then we will go into the question section of the panel discussion. Our first panelist today is Daniel King. Mr. King serves as the chief of cybersecurity for region 1 covering New England for the Cybersecurity and Infrastructure Security Agency (CISA). Prior to his time in CISA, Mr. King was global lead for International Business Machines (IBM) security command, and served 30 years on active duty with the United States Army. Welcome, Mr. King, and thank you for your years of service. You are recognized for your opening remarks. TESTIMONY OF DANIEL KING, CHIEF OF CYBERSECURITY, REGION 1 (NEW ENGLAND) CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. King. Thank you, Madam Chair. It is a pleasure to be here today and this opportunity to participate in today's roundtable. This format lends itself to meaningful dialogue, and, for that, we are grateful for a conversation that otherwise may not occur in a more formal question and answer format. CISA region 1 is headquartered in Boston. We have a team of 50 and 9 cybersecurity advisors joining both protective and chemical security advisors supporting the six States and 10 tribal territories and nearly 15 million citizens of New England. CISA is very effective despite its relatively small size within Department of Homeland Security (DHS) because we live in and support the communities that we serve. We are here through fair and foul in commitment and partnership with State, local, tribal, territorial (SLTT) entities across our great nation. CISA's regional advisors support and assist and assess organizations to reduce risk and improve security because management and prevention of threats is far, far less expensive than the alternative. In 2023 alone, the security advisors of region 1 have engaged, assessed, and supported nearly 200 K-12 organizations across New England, and that number speaks to CISA's focus on this vital part of our community and our Nation. Each engagement, assessment, and assist visit improves awareness and opens the path to reduction of risk and improvement of resiliency. But as our schools now rely foundationally upon the Internet connective information system technologies we have as a core capability, with that dependency comes significant risk from cyber threats. Unfortunately, and due to very narrow operating margins, our K-12 entities are clearly cyber target rich and resource poor. Criminal actors recognize how vulnerable schools are to cyberattack. To them, this is an opportunity. To us, this is a crime exploiting the innocent. We have seen it, as you mentioned, Senator, here in New Hampshire and across New England, and it will continue until we adopt better cybersecurity practices and make defending our schools in cyberspace a public priority. CISA is focused upon securing the nation's criminal infrastructure like K-12 by providing resources that enable the U.S.'s over 13,000 school districts to better protect and defend their students and employees against cyberattacks. What are we doing here in region 1? Our most impactful work is before the incident, working with schools to identify, manage, and reduce risk, working to ensure that when they are hit by a cyber incident, they are prepared, have a plan, and can mitigate the impacts of the incident. School safety and K-12 cybersecurity can be complex and often unique to the communities they serve, so our efforts must be collaborative, built upon dialogue, information sharing, and, most importantly, trust. We cannot do this without strong partnerships across Federal, State, and local levels. Perhaps this is one of the strongest examples you can see here today of all of us sitting shoulder to shoulder against this threat. In addition to the recent DHS, Department of Education, Health and Human Services (HHS), and Department of Justice (DOJ) announcement of school safety awareness, CISA released a report that provides recommendations and resources to help K-12 schools and school districts effectively reduce their risk, an evolving disruption and damaging cybersecurity threat landscape. This report and new K-12 digital toolkit provides clear recommendations and resources to help K-12 organizations to effectively reduce their continuously evolving cyber risk. These national efforts, along with your continued support, Senator, of the State and local cybersecurity grant program, help States, and specifically rural and local communities, to address cybersecurity risks. I would also add that New Hampshire was the very first that submitted their proposal for the grant program, and was approved. At the regional level, we leverage impactful national investment to deliver the last mile, a rare thing from a Federal perspective, where our regional security advisors meet with and provide direct support to our local partners, specifically for K-12 regional advisors, engaged leaders, educators, and technical staff, by assisting them to recognize the importance of implementation of multifactor authentication, identification of critical systems and data to ensure that those systems are assured by backup and resilient to disruption, to implement CISA's cyber performance goals and alignment of cybersecurity plans to enlist approved guidelines and perhaps, most importantly, shape the development of plans, training, and exercises to illuminate cyberrisk and reduce impact. Beyond providing direct services, cybersecurity advisors enable access to national-level resources such as no-cost vulnerability scanning of Internet-facing infrastructure and the ransomware vulnerability pilot, along with other programs that provide actionable early warning before an attack happens. When a cyber incident does happen, our advisors are there with our State and local and tribal partners alongside with law enforcement at all levels to support the recovery of the victim. In sum, CISA and its personnel in region 1 are reducing risk and improving resilience to critical infrastructure, and, yet, K-12 schools represent perhaps our most vital of all critical infrastructures. Our schools and their students are truly our future. We work side by side with our State and local partners to reduce risk, and with your continued support, Senator, to protect this most precious resource. Thank you. Chairman Hassan. Thank you very much, Mr. King. Now, I would like to introduce our next panelist who joins us today also from CISA. Mr. Richard Rossi has been with the Department of Homeland Security for more than 17 years and currently serves as the first-ever cybersecurity advisor for New Hampshire, a position he's been in for approximately 2 years. Having led bipartisan efforts to create this important position in each State, I am very glad that you are in this role and here today, Mr. Rossi, and I am extremely grateful for your service to the Granite State. You are now recognized for your opening remarks. TESTIMONY OF RICHARD ROSSI, CYBERSECURITY ADVISOR--NEW HAMPSHIRE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Rossi. Madam Chair, thank you for convening this group today to discuss protecting K-12 schools from cyberattacks. I appreciate the opportunity to discuss the efforts of the Cybersecurity and Infrastructure Security Agency to improve the cybersecurity of K-12 schools in New Hampshire. Over the past several years, K-12 schools and school districts have adopted advanced Internet-connected technologies and cloud resources that facilitate learning and make school more efficient and effective. This technological gain, however, is accompanied by heightened risks, and greatly increases, both in scope and complexity, the cyberattack surface a school district needs to defend. Malicious cyber actors are targeting K-12 education organizations across the country with potentially catastrophic impacts on students, their families, teachers, and administrators. An October 2022 report from the Government Accountability Office (GAO) found that more than 1.2 million students were affected in 2020 alone with lost learning ranging from 3 days to three weeks, and recovery time from 2 months to 9 months. Nearly one in three U.S. school districts had been breached by the end of 2021, according to a survey by the Center of Internet Security, with incidents including student data breaches, ransomware attacks, business email compromise, data breaches involving teachers and school community members, denial of service attacks, website and social media defacement, as well as online class and school meeting invasions. The lack of funding and investment in K-12 cybersecurity continues to work against school districts' ability to plan for, prepare against, and mitigate the effects of cyber attacks. In its 2023 annual survey, the Consortium for School Networking (CoSN), of which the New Hampshire Chief Technology Officer (CTO) Council is an affiliate, found that 66 percent of districts nationally lacked a full-time cybersecurity position, and half do not have adequate staff to integrate technology into the classroom. The same survey highlighted that just nine percent of districts spend more than 1/10th of their information technology (IT) budget on cybersecurity defense, while 48 percent of districts dedicated less than 2 percent of their IT budget to security. A full 12 percent dedicated zero budget to cybersecurity. The scale and scope of the cybersecurity threat environment is such that no one individual or agency is equipped to address the issues on their own. As the CISA cybersecurity advisor and State coordinator assigned to New Hampshire, I enjoy tremendous collaborative relationships in the mission to improve K-12 cybersecurity. None of this work is done in a siloed fashion, and I want to recognize the New Hampshire Department of Information Technology (DoIT), Primex, The ATOM Group, and the U.S. Secret Service (USSS) for their steadfast partnership in these efforts. There is a plethora of free cybersecurity resources from Federal and State government for K-12 schools, and I am confident with the collaborative construct we have developed in New Hampshire, contact from any one of these agencies brings to bear the full resources of all of us. Within the State of New Hampshire, CISA efforts to improve K-12 cybersecurity have come in many forms. Broader communication campaigns on cybersecurity threat best practices and resources have been presented in larger forums including the New Hampshire Chief Technology Officer Council clinic which is compromised of K-12 IT directors from throughout the State, and the New Hampshire Association of School Business Officials made up of business officials and administrators from the K-12 school districts throughout New Hampshire. Thanks to your continued support, Senator, New Hampshire K-12 school districts will also benefit from the Cybersecurity and Information Security Agency--Federal Emergency Management Agency (CISA-FEMA) jointly administered State and local cybersecurity grant program through leadership with the State Cybersecurity Planning Committee, by Commissioner Goulet, and chief information security officer Ken Weeks. While there are common cybersecurity challenges among K-12 schools, each district is unique. That uniqueness is leveraged as an opportunity to have a one-on-one conversation with each individual K-12 IT director seeking to improve their cybersecurity posture. That provides insight to the challenges, concerns, and priorities within a given district. That insight is then leveraged by CISA to develop a tailored roadmap to improve cybersecurity and resiliency within school networks. CISA's support to improving K-12 cybersecurity in the State has come in many forms, including onsite cybersecurity and ransomware readiness assessments, assistance of policy development, tailored advice, cybersecurity training, support for cybersecurity tabletop exercises, penetration testing, continuous cyber hygiene vulnerability scanning, implementation assistance with technical controls and tools, reviewing public- facing websites for information that can be used in social engineering and fraud schemes, among other areas. Through the cybersecurity assessment process locally, it's strongly encouraged that school district leadership attend the assessment findings outreach, and the vast majority of district administrators have done so. This format is in recognition that cybersecurity is not just the IT department's problem, but rather whole of organization business problem. Changes in K-12 cybersecurity must come from the top. Leaders must establish and reinforce a cybersecurity culture while recognizing and actively addressing resource constraints. I am confident the dialogue in these briefings has led to an increased awareness of the cybersecurity threat and vulnerabilities in a given district, as well as the initial development of a cybersecurity culture that will ultimately benefit all. This collaborative work alongside New Hampshire school districts has led to mitigation of vulnerabilities cyber threat actors leverage to conduct damaging cyberattacks. Thank you for the opportunity to be here today, and I look forward to the roundtable discussion. Senator Hassan. Thank you so much. Our third panelist today joins us from the Secret Service. Mr. Tim Benitez serves as the resident agent in charge for Manchester, New Hampshire. Resident Agent Benitez has over 24 years of law enforcement experience, and currently supervises the New Hampshire Cyber Fraud Task Force's digital forensic incident response team. Resident Agent Benitez, you are recognized for your opening remarks. Thank you for being here. TESTIMONY OF TIMOTHY BENITEZ, RESIDENT AGENT IN CHARGE, MANCHESTER, NH, U.S. SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Benitez. Thank you. Good morning, Senator Hassan, Members of the panel, and attendees here today. I thank you for the opportunity to discuss the ongoing efforts of the U.S. Secret Service to protect the nation's financial infrastructure. I serve as a supervisory special agent in Manchester, New Hampshire, where I'm responsible for managing our integrated mission of physical protection and investigating cyber-enabled financial fraud. In New Hampshire, our cyber fraud task force (CFTF), is a collaboration between the public and private sector whose mission is to prevent, detect, and mitigate complex cyber- enabled financial crimes against payment systems and critical infrastructure. Participating State and local law enforcement, prosecutors and judges have received specialized digital forensic cyber investigation and cryptocurrency tracing training at the National Computer Forensic Institute (NCFI) in Hoover, Alabama. The Secret Service established the center in 2008 and we are grateful that Senator Hassan co-sponsored the NCFI Reauthorization Act which provides funding through 2028. In fiscal year 2022, New Hampshire personnel have attended over 47 courses, receiving almost $300,000 in equipment. We are currently on track to match those numbers for fiscal year 2023. There is no cost to attend the NCFI, and many courses include significant equipment issuance. For example, mobile device forensic examiner course provides $28,000 in equipment. The basic computer evidence recovery training course provides $35,000 in equipment. The graduates of these courses return to their respective departments to investigate criminal activity and strengthen prosecution utilizing digital evidence recovery methods. While at their departments, the CFTF continues to collaborate and provide necessary resources. The Internet Crime Complaint Center (IC3.gov), 2022 statistics reports indicates that New Hampshire is experiencing an increase in cyberattacks and cyber-enabled financial fraud schemes. While these statistics are significant, they are underreported since many victims fail to report or are reporting to other entities. In 2022, 1,416 New Hampshire complainants lost $29.3 million, an increase of $14 million from 2021. Nationwide, cyberfraud totaled $10.3 billion, with business email compromised totaling $2.7 billion; investment scams, $3.3 billion; tech call center scams, $1 billion; and ransomware, $35.3 million. This ransomware number does not include the business revenue lost and the significant cost of incident response and repair services. Cyber attacks can be complex, or executed successfully by preying on individuals that are susceptible. As a world becomes increasingly digital, it is important that individuals and organizational leaders understand and mitigate cybersecurity risks utilizing both training and technological solutions. I look forward to discussing these topics further and how law enforcement can be more impactful. Thank you. Senator Hassan. Thank you very much. Now our next panelist is Mr. Denis Goulet. As Governor, I had the pleasure of appointing Mr. Goulet as Commissioner and Chief Information Officer (CIO) for the State of New Hampshire Department of Information Technology in 2015. He has since been reappointed for two additional 4-year terms by Governor Sununu. Commissioner Goulet brings nearly 30 years of private sector IT experience to his public service. Welcome, Commissioner. You are recognized for your opening remarks. TESTIMONY OF DENIS GOULET, COMMISSIONER AND CHIEF INFORMATION OFFICER, STATE OF NEW HAMPSHIRE DEPARTMENT OF INFORMATION TECHNOLOGY Mr. Goulet. Thank you, Madam Chair. Thank you, first of all, from the bottom of my heart for, in 2015, trusting me with the most interesting, challenging, and rewarding job I have had in my career. Also, thank you for your leadership in the cybersecurity space. I think it might not have been 10 minutes into my role as Commissioner for the Department of Information Technology that then Governor Hassan and her office were talking to me about cyber. We have seen that leadership move through her change to the role of Senator and now national leadership where we have our friend and colleague, Rick Rossi. Thank you very much for your leadership on that. That has been a tremendous help. I think Rick is a credit to his organization in his role in the State, and also the work on the State and local cybersecurity grant program. We are going to make sure that is a game changer in New Hampshire for K-12s and the municipalities as well. As we walk around and do our jobs every day, we often hear from our colleagues, ``Who owns cyber?'' You know, it's as if it should be an organizational or a thing where, there is this centralized authority for cybersecurity. Answer is we all do. We all do. Early in my tenure here in New Hampshire, myself and then Director of Homeland Security and Emergency Management, Perry Plummer, coined the phrase ``There is no 'I' in cyber.'' We live that in New Hampshire. We are the live free or die State, right? You would think, oh, we are fiercely independent. In some ways, we are. But what I found is that the ability to team on important things in New Hampshire is exceptional, and we are seeing that here in New Hampshire on cybersecurity. You have heard it already from all of the panelists so far, the level of collaboration we have. We all have each other on speed dial. Whoever finds out first, we pull each other in. What that is resulted in is even though there were quite a few administrative hoops to jump through to actually access the year one SLCGP, State and local cybersecurity grant program monies, New Hampshire was first in the Nation to both get plan approval as well as to accept the money. That is great for K-12s because we are operationalizing that already in our process of rolling out the plan. Now, when you look at that grant, it is a large amount of money by any measure, nationally, but when it comes down to each State, it is an amount that needs to be managed carefully. We cannot afford to use that money in a wasteful way. Fortunately, what has happened in our case, we already had that collaborative environment that we were working on together. The focus on our use of that money is very much on making the most of it, bringing it to the K-12s and municipalities in a way that they can leverage it, and doing it through programs versus subgrants. We are, nationally, one of the first to do it that way as well, and it is being recognized that that is the way to do it. The other thing I want to comment on is, do I have enough money in my State budget to do everything I would like to do from a cybersecurity perspective? Do I? Mr. Weeks. No, sir, you don't. Mr. Goulet. OK. Despite that, we are taking the SLCGP monies. We are allowed to use 20 percent of those for State. We are not doing that in New Hampshire. Because even though I do not have enough money, I am in better shape than the K-12s and the municipalities. Other than a relatively small percentage that we are using to operate the program, all of that money is going down to the folks who need it the most. This is a great chance for us to all discuss how we are doing that and how we can all make each other better. Thank you. Senator Hassan. Thank you very much, Commissioner. Our fifth panelist works closely with Commissioner Goulet, as you just heard, for the State of New Hampshire. Mr. Ken Weeks serves as the chief information security officer for the New Hampshire Department of Information Technology. Prior to that, Mr. Weeks spent most of his adult life as a naval officer special duty cryptology information warfare, retiring as a captain. Mr. Weeks, welcome. Thank you for your service. You are recognized for your opening remarks. TESTIMONY OF KENNETH WEEKS, CHIEF INFORMATION SECURITY OFFICER, STATE OF NEW HAMPSHIRE DEPARTMENT OF INFORMATION TECHNOLOGY Mr. Weeks. Good morning. Thank you, Chair Hassan. It is a real pleasure to be here this morning. When I first took this job, I would been in my role for a little over a year now, two very strong-willed ladies--one of whom happens to be sitting to my left--and another one named Sonja Gonzalez, on our first very meeting, said, ``Hey, Ken. We appreciate how you can help and how the State will try to help us, but we do not need someone to tell us what to do. We need help actually doing it.'' That resonated with me and stuck with me. I spend an awful lot of time listening and developing relationships with the New Hampshire Chief Technology Officer organization--there's members in the audience here, and Pam used to be a member of that organization--as well as the New Hampshire Municipal Association. What that did was allow us to have insight on what individual SAUs, K-12s across the State, needed. Because what we quickly found out was that if you knew one, you knew one. You did not necessarily know all. There were some commonalities, but they had very different problem sets and were going to require a very different tailored set of services to get them what they need to protect their student data, enable staff, and to, quite honestly, keep the schools open. Those relationships have grown over time. We also, here in New Hampshire, as you very well know, ma'am, have the luxury that almost all of the school districts within New Hampshire are part of one public risk management exchange. That also allows us to leverage things that are already known through the Primex processes as far as what the needs are. Again, individually, not just generically and across the board. The attitude that we have taken--and we will get into more detail about this in the question and answer--for both the State and local cybersecurity grant program as well as the State Homeland Security grant program, is that we want to provide additive services and go out of our way to not duplicate anything that is already available through Primex or some other means that folks already have access to. I think that goes to Commissioner Goulet's point of trying to maximize the effectiveness of the money by ensuring there is no duplication. The last thing that I would say, it is come up a couple of times from other panelists, but the importance of a partnership and collaboration between the Federal level, the State level, and the local level with the SAUs and those chief technology officers and those administrators directly. Routinely, Mr. Rossi, Mr. Benitez, Mr. Casey, who's in the audience and is a risk manager at Primex, and Mr. Sgro, who is the senior partner at ATOM and the chairman of the board for the newly formed Overwatch Foundation, and myself, are talking to groups of chief technology officers and local representatives, in every forum that you can imagine from the Primex annual meeting to the New Hampshire Chief Technology Officer meetings that are held quarterly, as well as the New Hampshire Municipal Association meetings. That is allowed us to very effectively team and bring all the resources from our different agencies to bear on the cybersecurity problems of New Hampshire. Thank you very much for an opportunity to be here. I look forward to the question and answer period, ma'am. Senator Hassan. Thank you very much. Our final panelist today is Ms. Pam McLeod. Ms. McLeod currently serves as chair of the Alton school board. Prior to that, she spent 19 years as an administrator in New Hampshire public schools. Most recently, she was the director of technology and chief information security officer for the Concord school district. Ms. McLeod founded the New Hampshire Chief Technology Officers' Council and the Student Privacy Alliance. Ms. McLeod, welcome. You are recognized for your opening remarks. TESTIMONY OF PAMELA MCLEOD, CHAIR, ALTON SCHOOL BOARD Ms. McLeod. Thank you. Thank you for having me. I want to echo our appreciation for all of your work on cybersecurity, Chair. It really is noticed amongst our school districts in New Hampshire. First, I want to say I served 10 years in a small K-8 district in Alton as the director of technology before moving on to Concord. I am currently a board member in that same school district, so I really do have the perspective of our many small school districts at heart in a lot of what we do. IT has changed a lot. Our IT leaders are not hiding in a closet. We are not boxes and wires people anymore. We have some of those working for us. But, we are collaborative. I think the thing that New Hampshire is getting noticed for around the country is really the collaboration, the grassroots efforts that we have particularly related to student data privacy. Our student data privacy initiative----completely volunteer--has covered over 1,500 ed tech vendors since 2018, since New Hampshire's student data privacy law was passed in 2018. We work with four other States in that initiative, and we serve at least 82 percent of New Hampshire's public school students. I am not sure what the other 20 percent are doing, 18 to 20 percent. But it has been noticed around the country and has been very successful. We appreciate the tight working relationship that we have with the State CIO and chief information security officer (CISO), with CISA, and particularly Rick Rossi. Multistate Information Sharing and Analysis Center (MS-ISAC) has been fabulous. The U.S. Secret Service, Primex, and the ATOM Group. It is that kind of collaboration that really enables us to survive when it comes to cybersecurity. I am here to talk about what we need. Some of the things that we need are, we do not need more documents and more instructions. What we need are resources. Time and money, of course, are always the issue in schools. I have long thought that regional cybersecurity experts-- ``regional'' in terms of New Hampshire's regions: North Country, Lakes Region, Southeast, et cetera--who can actually go into schools and configure settings for them would be a really great advantage for schools. It would really help both schools and municipalities address the cybersecurity issues that they have. I think having funding possibly through E-rate--and I really appreciate FCC Commissioner Rosenworcel's commitment to K-12, and potentially funding cybersecurity would be fabulous. Funding Managed Detection and Response (MDR) or Security Operations Center (SOC) services would be amazing for school districts. Really offloading that task of watching logs, of watching intrusions off to a service would be fabulous. As I left Concord, we had taken advantage. CISA does have a K-12 discount on SOC services with CrowdStrike, and we were just implementing that as I left Concord earlier this summer. But that really is potentially a game changer for school districts. I think what New Hampshire has done with the grant programs has been amazing, and as they prepare to roll out YubiKeys for multi-factor authentication (MFA), .Gov in a Box, security training, really fabulous. One of my colleagues from another State, when they heard about New Hampshire's grant application, said, ``Well, what my State gave me is a waiver.'' We really appreciate the efforts of the State in that respect. Then I think there is a lot on the vendors. I think it is really important for our ed tech vendors not to hide security behind a paywall. I am a strong user of both Google and Microsoft's tools, but both services hide security features, which should be basic, behind a paywall. That is an important change that really needs to happen. After watching the White House events a couple of weeks ago, fantastic to see the attention paid to K-12 cybersecurity. As I watched the vendors' offerings, I felt they were a little fluffy. I really like to give some kudos to Cloudflare, which has a really tangible offering for districts under 2,500 students. I have no association with Cloudflare. I have never used their services. But they really stood out in terms of actually offering something to school districts. Then I think there is a lot on the districts as well. School districts must require phish-resistant multifactor authentication. It is way past time to fight that battle. I think the State's grant program is going to help that a lot. Teachers' unions need to get on board with that particular initiative as well. School districts need to prepare with security audits. CISA will come and do some auditing for free. The ATOM Group, who is our forensic first responder through Primex, will do it at a very reasonable rate. Fantastic opportunities for districts there. IT staffing is a huge problem. Turnover is a huge problem in K-12 with IT. I think there are practical things that can be done which may not cost a lot of money. In my role as a school board member, we work to do market adjustments for IT staff to really make sure that everybody knows your compensation in the public sector is not going to match what you can get in the private sector. However, there is still a lot you can do to really build things up and make your staff happier. Monetary and nonmonetary. Things like work-from-home hybrid models. Different kinds of benefits as well as some adjustments to compensation. I do not know the answer to that, but it certainly is a big issue that we have in school districts. I guess I would leave with districts know how to employ teachers. They are really good at employing teachers. They really do not know how to compete for IT staff. Perhaps there could be some partnerships with the Federal Government and the State in terms of developing salaries, scales, and steps, other kinds of initiatives. Denis has done a fantastic job with that at the State of New Hampshire to really maintain that staffing. Thank you very much for having me. Senator Hassan. Thank you very much for that testimony. Now I am going to pose some questions to the panel. I have a number of them. My final question will be, essentially, is there anything that we did not get to that you all wanted us to get to, or anything you wanted to add to somebody else's comments? As you are listening, if there is something that strikes you, feel free to make a note, and I will come back to give everybody a chance to add final thoughts at the end of the questions. I want to start with a question to you, Mr. King. Cyberattacks continue to target K-12 schools across the country. According to information from two nonprofit organizations, the Multistate Information Sharing and Analysis Center and the K-12 Security Information Exchange (SIE), there have been more than 1,000 cybersecurity incidents impacting K- 12 schools since 2016. This does not include incidents that are not reported publicly. Mr. King, for school administrators and parents, how would you describe the current cybersecurity threat for K-12 schools in New Hampshire and New England? Mr. King. Thank you, Madam Chair. It is hard to understate how great a threat and a risk there is to schools. It is a condition of how we manage our municipalities and how we deliver education in this country that we are forced to make hard choices about how to spend a dollar for education, and as we have adopted these more increasingly advanced and convenient technologies, some of them at a complexity level that obscures risk entirely. We have certainly leveraged those technologies to navigate the impact of Coronavirus Disease 2019 (COVID-19) and successfully mitigate those impacts. Unfortunately, as we have stepped down that path, we have inherited all the risk associated with it. Our environments for education have changed. Because of our reliance on these technologies, we have to look at a completely different understanding of risk and resiliency when it comes to utilization of these technologies within our schools. Senator Hassan. Thank you. Ms. McLeod, I asked Mr. King about the cybersecurity threat landscape really so that Granite Staters can get a sense of the size and scope of the threats we are facing. I think it is also important that people understand the impacts of a cyberattack on a K-12 school system. You are on the Alton school board and you previously served as director of technology of the Concord school district and have other school district experience, so you have experience addressing cybersecurity gaps. Can you explain how a cyberattack impacts a K-12 school? What are the consequences for school budgets, for student privacy, and for classroom time? Ms. McLeod. Yes, so in Concord, we were, I consider, fortunate to be breached early in 2016. That really enforced and influenced our approach to cybersecurity after that. We had a breach of all of our staff W-2's. Every single staff member in the district has had their data privacy compromised. Many of those staff members were, for instance, refugee students who were working as summer custodians for the district. Not just adults, but also student employees as well. It is devastating. It really takes all of the district's time and resources to handle an attack like that for a period of 2 to 4 weeks. It really is all-consuming. In the meantime, you are trying to keep a whole infrastructure going. You are trying to run a school district. You are trying to keep all of your other business going. You are already stretched very thin. It really is devastating. Senator Hassan. In at least some cases can interrupt student learning time, too. Ms. McLeod. Absolutely. Yes. Senator Hassan. In terms of school budgets, do you remember what the impact was on Concord back in 2016, or do you have examples to share? Ms. McLeod. I do not remember what the impact was. I am sorry, I did not come with the number. Senator Hassan. That is all right. Ms. McLeod. I know that many school districts are reporting impacts in the millions of dollars to recover. In terms of today's ransomware attacks--that is why I say we were fortunate, because this was not a ransomware attack. In terms of today's ransomware attacks, you have to bring in cybersecurity experts, and, in some cases, rebuild many of your systems. It is absolutely just all-consuming, and cost range certainly in the several hundreds of thousands into the millions of dollars to do that quickly. Senator Hassan. Thank you. Mr. Benitez, we started this conversation talking about the threat and then we talked about the impact on the local community. Before we start talking about specific solutions, I would like to hear from you about why it is important for victims to report incidents and how law enforcement and cybersecurity experts can help victims when they do. Most people know of the Secret Service as the men and women in suits who protect the President of the United States, but the Secret Service also has an important role in combating cybercrime. How does the Secret Service help K-12 schools prepare for or respond to cyberattacks? Mr. Benitez. Yes. Thank you for that question. To echo everybody's sentiments up here, first and foremost is working together in a preventative approach prior to an incident. Oftentimes, like you just spoke about, the budget constraints of an incident occurring, that money would be better spent, and school boards should realize that that money should be better spent on the front end for preventative measures. Prevention is definitely key for cybersecurity. How the Secret Service--why it is extremely important to report is--it's important when we respond, when we receive a call from a victim, we will always respond to that victim in the State of New Hampshire. The reason being--to respond is we want to get in contact with the IT staff, maybe prior to the incident response team getting there, work with the incident response team, work with the insurance company, work with the third-party lawyer, to work with all those people that are involved so we can obtain those indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs), so we can share that with the community. It is important that we, in New Hampshire, do a better job moving forward that the public and the community understands reporting and getting everyone in this room involved early on and getting your local law enforcement, who have been through specialized training in NCFI, involved maybe even prior to an incident occurring so you are familiar with them, so intelligence that Rick does a great job sharing that comes from throughout the country could be shared to your information technology professional, if it is not in a formal document but--for example, when Nashua happened, I reached out to Wade Brown in Concord, and Wade reached out to Pam McLeod and said, ``Hey, there is something happening.'' Luckily, she knew about it already. But these relationships are extremely important. As a final thought of obtaining and providing these indicators of compromise to the community so there is not other victims, is there usually another victim. After Nashua hit, there was somebody in the Upper Valley that was hit a week later. It does happen in waves. Mostly there are some technical reasons. There is probably a recent exploit which has not been patched yet, which is understandable. But, last, I wanted to mention is these crimes, everyone in the public, in the United States, need to realize these are usually transnational criminal organizations (TCOs) that are overseas that will be long-term investigations. You may not see a result tomorrow, but we have ascertained information in New Hampshire, provided it to task forces that are working globally to arrest suspects. We may not arrest somebody in New Hampshire, but we provide crucial data to further their investigation. In addition, we are tracing and tracking cryptocurrency because it is available and open on the block chain to trace and track in perpetuity. So it is important to cooperate and to coordinate, and do not be afraid to share this information. It is really a defense. It is really an individual defense and a national security defense to be cooperating with local, State, and Federal Government. Senator Hassan. Thank you very much both on the prosecution side of things, but on the prevention side of things for similar attacks to continue. Is there a particular person a K-12 administrator should contact about a cyberattack? Mr. Benitez. Yes. The easiest way, like I said, is contact the U.S. Secret Service at any time. We would like to meet you beforehand and work with Rick to go over your incident response plan. As we all have seen, personal relationships are a key to success. That is what we are about in New Hampshire. But also, to make it very simple, just search U.S. Secret Service in New Hampshire. There is a phone number, 24/7/365, you can get somebody live on the phone. We will respond. Senator Hassan. I take to heart the relationship-building part of it when you speak with task forces post terrorist events, for instance. We find that the most successful responses and the best way to prevent future attacks is when people have ongoing relationships and have worked together to prepare for the event, and that way, when the event happens, people are ready to go and they know what to do. Go ahead. Mr. King. Madam Chair, I would like to add that in addition to the Secret Service's reporting capabilities, the Federal Bureau of Investigation (FBI) also runs IC3 and CISA has reporting capabilities. The important thing is is that any one of these resources that you contact, you are going to get us. We will collaborate effectively as to who is in the best location at the best time, place, and to be able to provide assistance as best we are able. It is very flat and it is very responsive. Senator Hassan. On that note, let me turn to the person whose job it is to make sure that these relationships continue and are flat. Continuing this discussion of coordination and collaboration, Mr. Rossi, I want to again, say how grateful I am for your service and how pleased I am to welcome you to this panel as the first-ever cyber coordinator for New Hampshire. You have been on the job now for 2 years. Could you tell us what you have been focusing on to help K-12 schools improve their cybersecurity? Mr. Rossi. Thank you, Madam Chair. The bulk of the work that I have been doing at this point is before an incident, working with IT directors to identify, manage, reduce cyber risk to their district. As most of the panelists have pointed out, every district is unique. Everybody has different problems. Everybody has different solutions. I have not been to a district that does not have a unique problem or a unique solution. That crosspollination of ideas is one thing, making those connections useful. The primary area we are using right now is onsite cybersecurity assessments to identify vulnerabilities and provide mitigation guidance to districts before attacks happen. That looks at anything from preventing cyber-enabled fraud schemes, ransomware attacks, and cyber intrusions. We do a debriefing with the district, strongly recommending that senior leadership in the district is in the room to make sure that everybody has skin in the game. This is not a one-person IT director's problem. This is something we are making progress on over time. To conquer this is going to be a cybersecurity culture change. We also connect them with no-cost technical resources, including CISA cyber hygiene vulnerability scanning, malicious domain blocking reporting for domain name system (DNS) filtering, as well as CISA's Secure Cloud Business Applications (SCuBA )gear, which is a more recent offering to assess optimal Microsoft 365 security configuration baselines, getting right to Pam's point that currently things are not secure by default. That is a major agency effort right now. Secure by design. Secure by default. Everything is tailored. That is, anything from assistance to policy development, support to tailored assistance for each district, as well as technical assistance in looking at things like segmentation on a network. Bottom line, ma'am, we take a look at where a district is, work with them where they are at instead of where they should be, and help get them on a roadmap to progress them toward a more secure posture. Senator Hassan. Excellent. I know that you have met with a lot of school officials, but what message would you share with school officials who may not have had a chance yet to meet? Mr. Rossi. Appreciate the question, Madam Chair. The bottom line is CISA stands ready to partner with any of those districts. One of the common things that I keep hearing is ``We are too small. It will never happen here.'' The message is the adversary gets a vote in that. While you may not think you are a great target, the adversary may think you are a fantastic target. Your ability to pay what you think is not a significant amount of money may be a significant amount of money to an overseas actor. We are here to partner with you. One thing that I would point out is in one of my first school assessments, a superintendent said, ``This is not what I was expecting at all. I was expecting multimillion-dollar projects that we do not have the budget for,'' whereas we are coming in and addressing some of the issues Pam just brought up, enabling security configuration within tools that are already paid for. Ninety-five percent of cyberattacks involve human error. What we are trying to do is build a culture of cyber awareness leveraged onsite, and, again, that roadmap. We will start out with what is going to be lower costs, lower manpower hours, and start working our way up to things that are going to require greater financial investment. Senator Hassan. Great. Thank you so much for that. Ms. McLeod. May I follow up on that really quick? Senator Hassan. Sure. Ms. McLeod. Rick has been a fantastic resource for us. We need more of him. He is definitely overscheduled, scheduled far out. We definitely need more similar resources. Senator Hassan. OK. That is helpful. I will take that back to the appropriators. Ms. McLeod. Thank you. Senator Hassan. Commissioner Goulet, with your help, 2 years ago, I spearheaded an effort to create a Federal grant program specifically targeted at improving the cybersecurity of State and local governments. This grant program was enacted as part of the bipartisan infrastructure law. Your work and support were critical in that effort. I know that the Department of Homeland Security has only just begun awarding money under the program, but could you tell us how the grant program is helping K-12 schools improve their cybersecurity? Mr. Goulet. Right off the bat, in advance of actually going through all the internal New Hampshire administrative hoops, we started moving on the multifactor authentication without actually having the money yet. One of the things I like to do is and one of the challenges with government in general is that there is a lot of administrative things that slow down progress, but sometimes you can legitimately get ahead of it. While I am still waiting for the last couple of administrative steps so I can actually expend the money, we are actually out there giving out these little keys that allow you to do multifactor authentication. I am like, ``Why would you do a key? Because you could do it on your phone. You can do it through an authenticator application.'' Pam brought up one of the reasons is that this idea from a union perspective that your personal device should not be used for work really does get in the way of that. We are addressing that very specifically with those keys. But the other programs that we are implementing through the planning committee, .Gov in a Box, and the technical training are both shovel-ready, locked and loaded, and once we get through the last couple of steps--you know them well, Senator, in New Hampshire--then we will be actually ready to rock and roll on that. Senator Hassan. That is great. We have all spoken about it, but there are obviously a variety of State and local cybersecurity needs. How are K-12 schools involved in the process of applying for and awarding this Federal grant in New Hampshire? Mr. Goulet. It starts with building community. The more effort we put into building community, the more people know what is going on and what opportunities exist out there. So that is where it starts. We will continue that forever. Second, it is through the committee, the planning committee, and having representation on the committee that allows us to properly represent the needs of K-12s and the services we offer. That was, I think, a pretty huge deal. We had a list of, I think, seven or eight projects. We put that before the committee, and they were like, ``Oh, this is what we should do.'' It was a very collaborative process. Then making sure that we do not bundle. We have K-12s. We have municipalities. We have unincorporated places. Do not bundle them in a single thought pattern, but look at them individually. As Rick mentioned, you see some individual stuff everywhere. Again, I loved what you said about taking them from where they are and bringing them forward versus having this assumption of a certain level of competence. Senator Hassan. Got it. I have another question for you, Commissioner, and then I will follow up to Ms. McLeod. In 2018, the New Hampshire legislature passed a law requiring the State Department of Education to establish minimum standards for the privacy and security of student data. Commissioner Goulet, what, in your view, has been the impact of this law on K-12 cybersecurity in New Hampshire? Mr. Goulet. I am going to tag-team. We are going to go ``boom, boom'' here. Senator Hassan. OK. Mr. Goulet. But, initially, the impact was again, we had to look at it and say, ``All right. What's happening out there?'' There was a lot of thrash going on. The main thing we did at first was how can we create a standard that was reasonable to implement? There were a couple things on that. One was looking at Federal guidelines. Another was, taking an approach that was not too overly complicated and technical. The other was actually changing legislation, in other parts of State government, proposing changes so that it potentially minimized the cost to K-12s in the sense that adherence to the standard was not layering cost. I would ask Ken and Pam to talk about the downstream results of that. Senator Hassan. Yes, please. Mr. Weeks. If you do not mind, I think one of the big things that I came into this job looking at was risk that was being assumed by doing business with others. The CTO Alliance was ahead of that game. They had written up data standards, student privacy data standards, and insisted that vendors adhered to these and signed off on them before doing business with individual districts, et cetera. My role in this was sort of acting as an advocate with other entities at the State level to ensure that the State did not undermine those efforts by having a standard that was significantly less, and potentially putting that same exact dataset at risk. Senator Hassan. Got it. Ms. McLeod. Ms. McLeod. I will make one point first which is that New Hampshire's law also covers staff personal information. It is one of the few in the country that does. First we went into panic mode because this was massive for us. Senator Hassan. These new laws, requirements, right? Ms. McLeod. Yes. In 2018. It was really overwhelming. We were not aware of it until almost after it passed. We did work with the legislators to kind of tone it down a little bit. Ken's predecessor, Dan Dister, and Ken, have just been a huge support for us in terms of developing those standards. They are based on network and information systems (NIS). They need to be revised at this point. It has been a few years. Really helping to understand how they apply to everything. The grassroots effort was really because we had sort of no way to centralize this effort, so we, through the New Hampshire CTO council, which is our professional organization, and it's a State affiliate of CoSN, we developed a model which districts pay in just over a dollar per student per year, so it's a cost- sharing model. Very inexpensive, and it scales. We are all working together on these data privacy agreements. We have made huge progress. It has been really incredibly successful. Senator Hassan. Is it fair to say--I am looking at kind of how we talk about what K-12 schools in New Hampshire, what steps they have taken to date to implement this law. It is data privacy agreements. Anything else you would add to that? Ms. McLeod. I would add that there is work from the Student Data Privacy Consortium, who we were a member of, on a national data privacy agreement that, from what I hear from the vendors, would be really significant for them. If we could get all of the States working together on one instrument that covered everybody? It is very difficult for the vendors to say, ``Oh, we are going to meet this standard for New Hampshire, and this standard for California, and this standard for Texas.'' That work is in progress, but if something could be developed maybe at the U.S. Department of Education, I think that that would really help vendors comply with the standards. Senator Hassan. Got it. Denis, you wanted to add? Mr. Goulet. Just a quick follow-up, too. Like cybersecurity, privacy is a cultural thing. We need tools downstream, but if the culture is not supportive, it is hard to be successful. I think that cybersecurity culture evolution is a bit ahead of privacy cultural evolution in organizations, or at least in public sector organizations. I feel like building that culture is really important. Business leaders, as was mentioned, you have to have your business leaders involved in cyber. Same thing with privacy. It is all of our responsibility to take care of that data. Ms. McLeod. I could add, I found it, in Concord, very important to explain to our teachers, to put it in terms of what would happen if your child or your grandchild's identity was breached? They go to buy a car when they are 18, and somebody's purchased a house for them in some other State, under their identity. Really putting it in those terms and helping them to understand how to freeze their credit, how to do those basic steps to protect accounts in their personal lives really helped reinforce with teachers that culture around privacy. Senator Hassan. That is great. Thank you. Mr. Weeks, I want to turn to you because the Commissioner just told us that one of the ways the State and local cybersecurity grant program is helping New Hampshire communities is through the .Gov in a Box tool that you created. How does the .gov domain improve cybersecurity for local governments, including K-12 schools, and how did you come up with this idea? Mr. Weeks. First of all, I do not want to--it would be impossible for me to take sole credit for that. That was also a team sport. I will explain that a little bit. But what .gov does is provides a verifiable identity for entities; whether that is a municipality, whether that is a K- 12 district, it does not matter. It is verifiable. It is not easy to spoof. We have school districts and this is not pejorative, it is just the reality on the ground--that are .org, that are dot something, .US, I mean, you pick a domain, right? Senator Hassan. Right. Mr. Weeks. More and more, as some of these things age, they are easy to spoof. That can result in business email compromises. It can result in even more phishing attacks than if you are in a .gov domain. The reason I say these other attacks is distributed denial of service (DDoS), et cetera--for example, if you go on NH.gov, we have that cloud hosted, and we apply DNS security to all of those domain names. That is a recent security improvement that we have implemented in the State. Every K-12 that would sign up for .Gov in a Box--and I realize I might be getting ahead of myself a little bit here-- would automatically have those protections as well. The identity verification, the nonspoofability, and the additional security that we will provide by our hosting mechanism are three great benefits for a K-12. As far as .Gov in a Box, based on some data from the New Hampshire Municipal Association, only 26 percent of the eligible entities within the State of New Hampshire were on a .gov domain. The commissioner and I and a couple of other people looked at each other, and we looked at the notice of funding opportunity (NOFO) and the priorities from CISA for the grant program, and one of the top ones was transition to .gov domains for those who are eligible. We said, ``Well, that is fine to tell them, but in New Hampshire we can not mandate them. We can just recommend this,'' as you very well know. And so myself and Mr. Sgro kind of sat down and said, ``What are all the reasons people would say no?'' We started writing them down. We said, ``Well, let us just add all that to the scope of services.'' Regardless of where a K-12 or a municipality starts, at the end of the process, we will give you a turnkey solution to transition to .Gov in a Box, including your first box of stationery with your new website and email addresses on it. Senator Hassan. Got it. Yes. Mr. Weeks. Again, it was about what are all the reasons that someone may say no? Let us add that to the scope of services and concentrate on equity of outcome rather than an equal application of services. Senator Hassan. Got it. Thank you for that. Thank you to the whole team that has made .Gov in a Box possible. It is really exciting. Mr. King, I want to turn back to you. Two years ago, I urged the Department of Homeland Security and Department of Education to improve their coordination efforts to protect K-12 schools from cyberattacks. The recommendation was to create a government-coordinating council which would work with Federal, State, and local governments to strengthen the cyberresilience of K-12 schools. I am pleased that the Department of Education recently announced it would be doing just that. Can you explain, please, how the creation of this council will help Federal, State, local, and private sector entities coordinate their efforts to protect K-12 schools from cyberattacks? How is CISA working with the council? Mr. King. Thank you very much, Madam Chair. I think Pamela actually teed this up earlier. We are looking at how the Department of Education is trying to address these evolving lines, the dependencies within these technologies in order to still achieve their educational outcomes. The important thing here is that--and Mr. Rossi mentioned this as well--that 95 percent of these risks are human related. Education is absolutely all about helping people understand how to best handle these challenges. It is an alignment that frankly, should have happened a lot sooner. But to bring both of these organizations together and then deliver that locally is absolutely critical. You have seen what those here on the panel have said about Mr. Rossi. I see that consistently across the region, and my fellow chiefs across the country consistently see how important it is to have that trust and confidence in an individual or a group of individuals that are available and accountable for helping guide organizations along those paths to better security. Senator Hassan. Thank you. Mr. Benitez, the National Computer Forensics Institute, which is operated by the Secret Service, offers training and equipment for State and local enforcement, for judges and prosecutors to combat cybercrime. You have mentioned it a couple of times. I am pleased to be part of that bipartisan group in Congress that pushed to reauthorize the Institute. I am glad it is reauthorized through 2028. How has the National Computer Forensic Institute supported training investigations and other efforts here in New Hampshire? Mr. Benitez. Yes. The NCFI--and kudos to the law enforcement professionals, judges, and prosecutors that have attended NCFI--they have really taken to understand cybersecurity, understand digital forensics. These are complex fields for law enforcement to get involved in and understand. But we have been able to use those resources. I think one of the overarching themes that is very positive to hear today is the NCFI, like the grant program, gives people like Pam actionable hands-on things to work on cybersecurity. We give the training. We provide the training free of charge. We provide the equipment, and it is brought back to the community to work on cybersecurity, the coordination with the other people throughout the country, the network of cybersecurity professionals to learn. Our law enforcement professionals will go down to Hoover, Alabama, and know that we have a group of people here--CISA, the State--and explain that to other law enforcement professionals in other States and develop those relationships throughout the country. That is important, it is positive for New Hampshire and I am grateful that you are able to support that endeavor. Senator Hassan. Thank you very much. Again, trying to build awareness to what help is out there from a variety of different places and sectors to meet people where they are and help them get trained. It is really important. Last question before the wrap-up question is to you, Ms. McLeod. As chair of the Alton school board, and as a former director of technology for a school district, you, I think--and you have demonstrated this--have a really unique insight into the budget resource challenges of K-12 cybersecurity. In your view, what are the biggest challenges when considering resource allocation for K-12 cybersecurity and which budget items tend to be the most difficult to find funding for? Ms. McLeod. I do not know if it is easily solvable, but I think staffing is the biggest issue. During the last year in Concord, I was spending about 75 percent of my time on cybersecurity and related sort of hardening cybersecurity and data privacy issues. That had increased gradually over the years. There is also a massive infrastructure to run in Concord, so it is very difficult to give up the time. I think finding ways to supplement staffing or to free up staffing or bring in more staffing at sort of entry levels so it rolls up and the person doing cybersecurity has more time is the biggest issue. Senator Hassan. Great. Can you share with us some of the ways that New Hampshire schools have worked together to reduce the burden of expensive cybersecurity tools and services? You referenced some of them, but I think it is worth a little bit of focus. Ms. McLeod. Yes. First of all, it is the collaboration. It is just massive. Some of my colleagues are in the audience. I have worked with many of these folks before that are up on the stage. But school districts where the IT folks are siloed, and do not collaborate, and do not sort of reach out, they are at most risk of cybersecurity issues. It is really important, I would say, for districts when they are selecting IT leaders to make sure that that person is collaborative and is going to reach out and work with others, because you can not do everything that you need to do. Senator Hassan. It is fair to say that when the spirit of collaboration is working among school districts and among various levels of government and various agencies, there are ways to share experience and share best practices that help each individual school--for instance, school district--lower its budget allocation for this, or at least try to save money and be as efficient as they can; is that fair? Ms. McLeod. Absolutely. I think my colleagues are all really skilled at grabbing everything they can that's free, or grant funded. To give you an example, as I left Concord, I mentioned CISA's CrowdStrike offering. We did that through the little bit that was remaining out of our COVID ESSER funds. It is a pilot program, but we were able to put that into place. Actually, we put three or four layers of cybersecurity tools in place with those funds. Everything you can grab from anybody just really makes up the difference, but it does take more time. Senator Hassan. Collaboration and coordination takes time. Ms. McLeod. Yes. Senator Hassan. That is always one of the things we forget. Mr. Weeks, did you want to say something? Mr. Weeks. One thing I will add is, I think, Senator, that all of the IT folks and the technical folks at the schools are very aware of the problem. One of the things is that we have tried to do--and it is a grant-funded training we have created cybersecurity training for both elected officials that school boards could take advantage of, as well as for more senior executives. Superintendents, principals could get this training. It is grant funded. Cost nothing to the municipality or the school district. I think making those decisionmakers aware of these problems and the potential security weaknesses could influence budgetary decisions and administrative decisions going forward. Senator Hassan. And priorities, yes. Ms. McLeod. Absolutely. Senator Hassan. All right. The wrap-up question here is to each and all of you. If you feel like you have already talked about it and, you do not have anything to add, that is fine, too, because I think this has been a really fulsome discussion and I am really grateful for it. The final question to each of you is what more should Federal, State, and local leaders do to strengthen cybersecurity in schools? Anything else you would like to add? We will go in this order. We will start with you, Mr. Benitez, and we will work this way. Mr. Benitez. Thank you very much. Thank you for hosting this event today. I think, from a law enforcement perspective, we try to stay on the preventative side, but we would really like to see, especially in New Hampshire, a grant-like program like the Internet Crimes Against Children (ICAC) has for cybersecurity in the public and private sector. What we are hearing here is it's hard to train and keep specialized people in information technology in the public sector and to keep law enforcement that has the skill set in law enforcement and not to go to the private sector. I know in the Secret Service, for instance, we have a retention bonus. It would be nice to move some of these things that we learned in the Federal Government to the local government where we are providing money for people with specialized skills, increasing salaries where we can through bonuses. Additionally, what many people do not realize, it is extremely expensive to purchase these software licenses. New Hampshire really needs to colocate our personnel. The Secret Service is working on this now. But, once again, it is difficult. There is not many personnel. People are strapped just for their normal duties rather than cybersecurity. But if we could coordinate from the public, Federal side, and the local law enforcement side together, colocated, saving money and spending on licenses at one location, I think that would be a tremendous asset for the citizens of New Hampshire to get more bang for their buck for response for cybersecurity. One of the last things that we have done, we are in the midst of hiring someone who is not law enforcement but is a specialist in digital forensics, cryptocurrency tracing, and incident response, to work in our office as a Secret Service employee who would be there full-time, responsible to respond for the citizens of New Hampshire and work in a collaborative approach. Thank you for your time today and hosting this event and very pertinent discussion. Senator Hassan. Thank you so much. Mr. Rossi. Mr. Rossi. Thank you, ma'am. Two things I would point out. We have already discussed resources. As the cybersecurity coordinator, I focus on K-12, but not just K-12. Even if I was just focused on K-12, you are talking a ratio of one cybersecurity coordinator to 90 school districts. Additional resources. As we talked about the collaboration part, we all like each other, but we are almost forced to collaborate when there's one person here, one person there in the different agencies. The last area I would hit on is having conversations like you have put together today here, Senator. Many school districts still view publicly disclosing a cyber incident as taboo, which, unfortunately, keeps the growing problem hidden. We are starting to talk about this in a national-level conversation. If someone broke into a classroom and stole all their computers, switches, and other technology, law enforcement would be notified, and that would likely be on the front page of the news. But when we have a cyberattack of the same magnitude, that is often swept under the rug and decisionmakers do not have the information on just how grave of a problem this is. Again, Madam Chair, having conversations like this further the agenda. Thank you for having me today. Senator Hassan. Thank you very much. Mr. King. Mr. King. Thank you, Madam Chairwoman. Again, my compliments to bringing this forum together. I think it has been extraordinarily fruitful. As you mentioned earlier, I previously worked in the commercial sector. When I worked with boards and senior executives, I would begin many of my conversations with ``I want you to think about one aspect of your core business model that does not rely on information technology.'' In the 3 years I have worked with that corporation, I never once got an answer. I occasionally got some functions that were not, but, bottom line was that very gradually, we have become completely dependent on these technologies. We have to fix this. We have to get this right. We have to continue to try to reinforce this because the next wave is bringing even more complexity. If we can not get this right now, it is just going to get worse. Senator Hassan. I appreciate that very much. Thank you. Commissioner? Mr. Goulet. A couple things. One is, with the advent of SLCGP, our traditional grant funding stream, which some years ago, the Homeland Security grants that are administered by the Department of Safety in New Hampshire and most other States, had a carve-out for cybersecurity. There's now consideration in DC to kind of remove that because of the State and local cyber grant program which we have--we are not in favor of. I will say that very clearly. I would like to work with you and anybody else on that and try to get visibility to it. We are also talking to the National Association of State Chief Information Officers (NASCIO) community as well to make sure there's visibility there. The other thing is that part of the legislative intent is-- for SLCGP, was get State and local governments used to investing in cybersecurity. I have spent some time in New Hampshire trying to do that. We have a State match in this biennium so that we can help our K-12s and municipalities. I want to keep that going. From a local government perspective, I will be advocating for a continued investment. Because it harms us all it is not, ``Oh, well, that school district got harmed.'' It is not a State issue. It really is. It harms us all when an individual entity is breached, when extra money is spent on what is essentially unproductive behavior, right? I will be advocating for that, and any support there is greatly appreciated. Senator Hassan. Thank you. Mr. Weeks. Mr. Weeks. Thank you, ma'am. We all, including all the K- 12s across New Hampshire, have a significant amount of cybersecurity risk imposed on us by the fact that we have to do business with others. I won't beat around the bush. Specifically, the risk centers around software. The more that the Federal Government can help us by putting the pressure on vendors to be secure by design, secure by default. We, at the State level, do not have large enough voice to influence that conversation with the massive software vendors. Only the Federal Government can do that, in my opinion. Helping us do that and not allowing them to continue putting security features behind paywalls that local governments, K-12s, and State governments have a hard time affording and budgeting for would be a tremendous assistance. The only analogy that I would use is if we bought a bunch of tanks and airplanes and artillery pieces that were as unsecured by design as the software had to be fixed, every taxpayer in the country would be up in arms over that. Senator Hassan. That's fair. Mr. Weeks. Thank you, ma'am. Senator Hassan. Thank you. Ms. McLeod, I wanted to give our representative of local government the last word here because this is really ultimately---- Ms. McLeod. No pressure. Senator Hassan. This is ultimately the level of which the impact of cyber breaches is felt the most directly. It really harms our kids and our schools and the staff and our taxpayers. Ms. McLeod. Absolutely. To Daniel's point, IT touches every single aspect of a school district. There is not one part of a district that cannot be operated without technology. It is not just student personal information, but it is also behavior data, special education data, very sensitive data that we have seen breached in some of the big breaches like LA and in Minnesota. Stuff that people do not want to be splashed around the Internet. One thing that districts can do is--that we have done in our district is put funds into a trust annually that's reactive, but to build something up to handle an emergency should it come up, whether it be infrastructure or cybersecurity. Federally, I think continuing the grants. I would love to see E-rate just focus much more on cybersecurity--actually, it does not build that focus on cybersecurity, cover MDR and SOC services, especially; cover other software pieces that can help secure the district; more Federal resources on the ground, like Rick; pushing the vendors to be secure by design. I think that's so important. There is a paywall. Let districts pay for advanced features that they want, but not for cybersecurity. With both Google and Microsoft, you cannot even prevent an overseas login without going to features that are behind the paywall. Other ed tech vendors have to pay attention to this as well, the smaller vendors. Everything needs to be single sign-on or have multifactor authentication. That has to be built into every single tool that kids use. That is just really critically important to schools. Senator Hassan. I truly appreciate the discussion today. I thank you all for coming before the Subcommittee to discuss what is clearly a really important topic to a lot of us. I appreciate your hard work and your dedication to protect our communities, and specifically our kids from cyberattacks, especially right now as everybody's gearing up to return to school. I think, the biggest takeaway I hope people watching today or listening to this or reading about it will take is that this is a responsibility that rests with each and every one of us, and we have to get more and more aware of the danger of cyberattacks. I think we have to invest time and resources and attention to prioritizing this, because the tools that we have in terms of education, in terms of what the digital world can provide educationally are really important and good, but we have to be able to engage in this space securely. I thank you all very much, and I look forward to continuing to work with all of you. With that, this panel is adjourned. [Whereupon, at 12:25 p.m., the roundtable was adjourned.] [all]