[Senate Hearing 118-161]
[From the U.S. Government Publishing Office]
S. Hrg. 118-161
IMPROVING FEDERAL COLLABORATION TO
PROTECT OUR K-12 SCHOOLS FROM CYBERATTACKS
=======================================================================
FIELD ROUNDTABLE
BEFORE THE
SUBCOMMITTEE ON
EMERGING THREATS AND SPENDING OVERSIGHT
OF THE
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
AUGUST 21, 2023
__________
Available via the World Wide Web: http://www.govinfo.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
53-993 PDF WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada MITT ROMNEY, Utah
ALEX PADILLA, California RICK SCOTT, Florida
JON OSSOFF, Georgia JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
William E. Henderson III, Minority Staff Director
Laura W. Kilbride, Chief Clerk
Ashley A. Gonzalez, Hearing Clerk
SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT
MAGGIE HASSAN, New Hampshire, Chairman
KYRSTEN SINEMA, Arizona MITT ROMNEY, Utah
JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma
JON OSSOFF, Georgia RICK SCOTT, Florida
Jason M. Yanussi, Staff Director
Jillian R. Joyce, Professional Staff Member
Scott Maclean Richardson, Minority Staff Director
John A. Poulson, Minority Professional Staff Member
Kate Kielceski, Chief Clerk
C O N T E N T S
------
Opening statements:
Senator Hassan
WITNESSES
Monday, August 21, 2023
Daniel King, Chief of Cybersecurity, Region 1 (New England),
Cybersecurity and Infrastructure Security Agency, U.S.
Department of Homeland Security
Richard Rossi, Cybersecurity Advisor, New Hampshire, Cybersecurity
and Infrastructure Security Agency, U.S. Department of Homeland
Security
Timothy Benitez, Resident Agent in Charge, Manchester, NH, U.S.
Secret Service, U.S. Department of Homeland Security
Denis Goulet, Commissioner and Chief Information Officer, State
of New Hampshire Department of Information Technology
Kenneth Weeks, Chief Information Security Officer, State of New
Hampshire Department of Information Technology
Pamela McLeod, Chair, Alton School Board
Alphabetical List of Witnesses
Benitez, Timothy: Testimony
Goulet, Denis: Testimony
King, Daniel: Testimony
McLeod, Pamela: Testimony
Rossi, Richard: Testimony
Weeks, Kenneth: Testimony
IMPROVING FEDERAL COLLABORATION TO
PROTECT OUR K-12 SCHOOLS FROM CYBERATTACKS
----------
MONDAY, AUGUST 21, 2023
U.S. Senate,
Subcommittee on Emerging Threats and
Spending Oversight,
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Subcommittee met, pursuant to notice, at 11:00 a.m., at
St. Anselm's College, The New Hampshire Institute of Politics,
100 St. Anselm Drive, Hon. Maggie Hassan, Chairwoman of the
Subcommittee, presiding.
Present: Senator Hassan [presiding].
OPENING STATEMENT OF SENATOR HASSAN
Senator Hassan. This hearing will come to order.
Good morning, everybody. The Subcommittee on Emerging
Threats and Spending Oversight (ETSO) of the United States
Senate Committee on Homeland Security and Governmental Affairs
(HSGAC) is here today to examine the coordination efforts of
Federal agencies, State and local governments, and
nongovernment entities to improve the cybersecurity of our K-12
schools.
As Chair, I am pleased to bring the work of the
Subcommittee on cybersecurity home to the Granite State. On
that note, I would like to take a moment to recognize the New
Hampshire Institute of Politics at St. Anselm's College for
hosting us today. Thank you to everyone here, the staff who
made this event possible.
Additionally, while Ranking Member Mitt Romney could not be
with us today, I would like to thank him for his cooperation in
holding this hearing, and thank his staff for the work that
they have done to help organize today's event.
Now on to today's topic. As we prepare for the new school
year, it is an important time to take a look at the
cybersecurity of our school systems and see what can be done to
increase their security and their resiliency.
Criminals and criminal organizations continue to target our
K-12 schools with disruptive cyberattacks. We have seen
cyberattacks on schools all across the country, including right
here in New Hampshire. For example, in May, the Nashua School
District experienced a significant cyberattack which took their
systems offline. Across the country, according to one report,
K-12 schools publicly reported 166 cybersecurity incidents
during calendar year 2021. This includes 62 ransomware
incidents, which has quickly become the most common type of
cybersecurity incident for K-12 schools.
However, the actual number of cybersecurity attacks is
likely significantly higher than what is publicly reported
because schools, and other victims of cyberattacks, too, fear
the consequences of reporting cybersecurity incidents. By one
estimate, the true number of incidents may be 10 to 20 times
higher than the publicly reported number.
Regardless of the actual number of attacks, though, these
attacks disrupt student learning and can take schools months to
recover from. These attacks are not just disruptive; they are
also costly. Restoring computers and networks after a
cyberattack often costs the school and community over a million
dollars.
Additionally, digital criminals who penetrate school
systems sometimes steal sensitive information about students.
In addition to holding access to computer systems hostage, they
also ransom the private information for money, threatening our
children's privacy.
The more positive news, though, is that while cyberattacks
continue to threaten our schools, Federal, State, and local
governments have taken steps to combat these threats. For
example, over the last few years, my colleagues and I worked to
pass into law a State and local cybersecurity grant program
(SLCGP) and to create the position of cybersecurity coordinator
in every State.
Just 2 weeks ago, the White House announced new initiatives
by Federal agencies and the private sector to protect K-12
schools from cyberattacks. One of these initiatives is
something that I pushed for, the creation of a government
coordinating council to focus on K-12 cybersecurity. This
council will coordinate activities and policies among Federal,
State, and local governments in order to improve the cyber
resiliency of our schools.
In Congress, we have provided resources to Federal agencies
like the Secret Service and Cybersecurity and Infrastructure
Security Agency (CISA), to support the cybersecurity of State
and local governments, including public schools.
Today we will hear from a panel of experts who have all
played different roles in improving K-12 cybersecurity in New
Hampshire, representing Federal, State, and local levels of
government. The panelists will discuss innovative and
collaborative cybersecurity efforts among the offices and
agencies charged with protecting our schools, as well as how we
can continue to work together to address remaining
cybersecurity challenges.
As students in New Hampshire head back to school this year,
I hope that today's conversation highlights the importance of
continuing to work together to improve K-12 cybersecurity and
inform our communities about this critical issue.
Now on to the panel. I will introduce each panelist and ask
them to provide their remarks, and then we will go into the
question section of the panel discussion.
Our first panelist today is Daniel King. Mr. King serves as
the chief of cybersecurity for region 1 covering New England
for the Cybersecurity and Infrastructure Security Agency
(CISA). Prior to his time in CISA, Mr. King was global lead for
International Business Machines (IBM) security command, and
served 30 years on active duty with the United States Army.
Welcome, Mr. King, and thank you for your years of service.
You are recognized for your opening remarks.
TESTIMONY OF DANIEL KING, CHIEF OF CYBERSECURITY, REGION 1 (NEW
ENGLAND) CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. King. Thank you, Madam Chair. It is a pleasure to be
here today and this opportunity to participate in today's
roundtable. This format lends itself to meaningful dialogue,
and, for that, we are grateful for a conversation that
otherwise may not occur in a more formal question and answer
format.
CISA region 1 is headquartered in Boston. We have a team of
50 and 9 cybersecurity advisors joining both protective and
chemical security advisors supporting the six States and 10
tribal territories and nearly 15 million citizens of New
England.
CISA is very effective despite its relatively small size
within Department of Homeland Security (DHS) because we live in
and support the communities that we serve. We are here through
fair and foul in commitment and partnership with State, local,
tribal, territorial (SLTT) entities across our great nation.
CISA's regional advisors support and assist and assess
organizations to reduce risk and improve security because
management and prevention of threats is far, far less expensive
than the alternative.
In 2023 alone, the security advisors of region 1 have
engaged, assessed, and supported nearly 200 K-12 organizations
across New England, and that number speaks to CISA's focus on
this vital part of our community and our Nation. Each
engagement, assessment, and assist visit improves awareness and
opens the path to reduction of risk and improvement of
resiliency. But as our schools now rely foundationally upon the
Internet connective information system technologies we have as
a core capability, with that dependency comes significant risk
from cyber threats.
Unfortunately, and due to very narrow operating margins,
our K-12 entities are clearly cyber target rich and resource
poor. Criminal actors recognize how vulnerable schools are to
cyberattack. To them, this is an opportunity. To us, this is a
crime exploiting the innocent.
We have seen it, as you mentioned, Senator, here in New
Hampshire and across New England, and it will continue until we
adopt better cybersecurity practices and make defending our
schools in cyberspace a public priority.
CISA is focused upon securing the nation's critical
infrastructure like K-12 by providing resources that enable the
U.S.'s over 13,000 school districts to better protect and
defend their students and employees against cyberattacks.
What are we doing here in region 1? Our most impactful work
is before the incident, working with schools to identify,
manage, and reduce risk, working to ensure that when they are
hit by a cyber incident, they are prepared, have a plan, and
can mitigate the impacts of the incident.
School safety and K-12 cybersecurity can be complex and
often unique to the communities they serve, so our efforts must
be collaborative, built upon dialogue, information sharing,
and, most importantly, trust. We cannot do this without strong
partnerships across Federal, State, and local levels. Perhaps
this is one of the strongest examples you can see here today of
all of us sitting shoulder to shoulder against this threat.
In addition to the recent DHS, Department of Education,
Health and Human Services (HHS), and Department of Justice
(DOJ) announcement of school safety awareness, CISA released a
report that provides recommendations and resources to help K-12
schools and school districts effectively reduce their risk, an
evolving disruption and damaging cybersecurity threat
landscape. This report and new K-12 digital toolkit provides
clear recommendations and resources to help K-12 organizations
to effectively reduce their continuously evolving cyber risk.
These national efforts, along with your continued support,
Senator, of the State and local cybersecurity grant program,
help States, and specifically rural and local communities, to
address cybersecurity risks. I would also add that New
Hampshire was the very first that submitted their proposal for
the grant program, and was approved.
At the regional level, we leverage impactful national
investment to deliver the last mile, a rare thing from a
Federal perspective, where our regional security advisors meet
with and provide direct support to our local partners,
specifically for K-12 regional advisors, engaged leaders,
educators, and technical staff, by assisting them to recognize
the importance of implementation of multifactor authentication,
identification of critical systems and data to ensure that
those systems are assured by backup and resilient to
disruption, to implement CISA's cyber performance goals and
alignment of cybersecurity plans to enlist approved guidelines
and perhaps, most importantly, shape the development of plans,
training, and exercises to illuminate cyberrisk and reduce
impact.
Beyond providing direct services, cybersecurity advisors
enable access to national-level resources such as no-cost
vulnerability scanning of Internet-facing infrastructure and
the ransomware vulnerability pilot, along with other programs
that provide actionable early warning before an attack happens.
When a cyber incident does happen, our advisors are there
with our State and local and tribal partners alongside with law
enforcement at all levels to support the recovery of the
victim.
In sum, CISA and its personnel in region 1 are reducing
risk and improving resilience to critical infrastructure, and,
yet, K-12 schools represent perhaps our most vital of all
critical infrastructures.
Our schools and their students are truly our future. We
work side by side with our State and local partners to reduce
risk, and with your continued support, Senator, to protect this
most precious resource. Thank you.
Senator Hassan. Thank you very much, Mr. King. Now, I
would like to introduce our next panelist who joins us today
also from CISA. Mr. Richard Rossi has been with the Department
of Homeland Security for more than 17 years and currently
serves as the first-ever cybersecurity advisor for New
Hampshire, a position he's been in for approximately 2 years.
Having led bipartisan efforts to create this important
position in each State, I am very glad that you are in this
role and here today, Mr. Rossi, and I am extremely grateful for
your service to the Granite State.
You are now recognized for your opening remarks.
TESTIMONY OF RICHARD ROSSI, CYBERSECURITY ADVISOR--NEW
HAMPSHIRE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY,
U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Rossi. Madam Chair, thank you for convening this group
today to discuss protecting K-12 schools from cyberattacks. I
appreciate the opportunity to discuss the efforts of the
Cybersecurity and Infrastructure Security Agency to improve the
cybersecurity of K-12 schools in New Hampshire.
Over the past several years, K-12 schools and school
districts have adopted advanced Internet-connected technologies
and cloud resources that facilitate learning and make school
more efficient and effective. This technological gain, however,
is accompanied by heightened risks, and greatly increases, both
in scope and complexity, the cyberattack surface a school
district needs to defend.
Malicious cyber actors are targeting K-12 education
organizations across the country with potentially catastrophic
impacts on students, their families, teachers, and
administrators.
An October 2022 report from the Government Accountability
Office (GAO) found that more than 1.2 million students were
affected in 2020 alone with lost learning ranging from 3 days
to three weeks, and recovery time from 2 months to 9 months.
Nearly one in three U.S. school districts had been breached
by the end of 2021, according to a survey by the Center of
Internet Security, with incidents including student data
breaches, ransomware attacks, business email compromise, data
breaches involving teachers and school community members,
denial of service attacks, website and social media defacement,
as well as online class and school meeting invasions.
The lack of funding and investment in K-12 cybersecurity
continues to work against school districts' ability to plan
for, prepare against, and mitigate the effects of cyber
attacks. In its 2023 annual survey, the Consortium for School
Networking (CoSN), of which the New Hampshire Chief Technology
Officer (CTO) Council is an affiliate, found that 66 percent of
districts nationally lacked a full-time cybersecurity position,
and half do not have adequate staff to integrate technology
into the classroom. The same survey highlighted that just nine
percent of districts spend more than 1/10th of their information
technology (IT) budget on cybersecurity defense, while 48 percent
of districts dedicated less than 2 percent of their IT budget to
security. A full 12 percent dedicated zero budget to
cybersecurity.
The scale and scope of the cybersecurity threat environment
is such that no one individual or agency is equipped to address
the issues on their own. As the CISA cybersecurity advisor and
State coordinator assigned to New Hampshire, I enjoy tremendous
collaborative relationships in the mission to improve K-12
cybersecurity. None of this work is done in a siloed fashion,
and I want to recognize the New Hampshire Department of
Information Technology (DoIT), Primex, The ATOM Group, and the
U.S. Secret Service (USSS) for their steadfast partnership in
these efforts.
There is a plethora of free cybersecurity resources from
Federal and State government for K-12 schools, and I am
confident with the collaborative construct we have developed in
New Hampshire, contact from any one of these agencies brings to
bear the full resources of all of us.
Within the State of New Hampshire, CISA efforts to improve
K-12 cybersecurity have come in many forms. Broader
communication campaigns on cybersecurity threat best practices
and resources have been presented in larger forums including
the New Hampshire Chief Technology Officer Council clinic which
is comprised of K-12 IT directors from throughout the State,
and the New Hampshire Association of School Business Officials
made up of business officials and administrators from the K-12
school districts throughout New Hampshire.
Thanks to your continued support, Senator, New Hampshire
K-12 school districts will also benefit from the Cybersecurity
and Infrastructure Security Agency--Federal Emergency Management
Agency (CISA-FEMA) jointly administered State and local
cybersecurity grant program through leadership with the State
Cybersecurity Planning Committee, by Commissioner Goulet, and
chief information security officer Ken Weeks.
While there are common cybersecurity challenges among K-12
schools, each district is unique. That uniqueness is leveraged
as an opportunity to have a one-on-one conversation with each
individual K-12 IT director seeking to improve their
cybersecurity posture. That provides insight to the challenges,
concerns, and priorities within a given district. That insight
is then leveraged by CISA to develop a tailored roadmap to
improve cybersecurity and resiliency within school networks.
CISA's support to improving K-12 cybersecurity in the State has
come in many forms, including onsite cybersecurity and
ransomware readiness assessments, assistance of policy
development, tailored advice, cybersecurity training, support
for cybersecurity tabletop exercises, penetration testing,
continuous cyber hygiene vulnerability scanning, implementation
assistance with technical controls and tools, reviewing public-
facing websites for information that can be used in social
engineering and fraud schemes, among other areas.
Through the cybersecurity assessment process locally, it's
strongly encouraged that school district leadership attend the
assessment findings outreach, and the vast majority of district
administrators have done so. This format is in recognition that
cybersecurity is not just the IT department's problem, but
rather a whole-of-organization business problem.
Changes in K-12 cybersecurity must come from the top.
Leaders must establish and reinforce a cybersecurity culture
while recognizing and actively addressing resource constraints.
I am confident the dialogue in these briefings has led to
an increased awareness of the cybersecurity threat and
vulnerabilities in a given district, as well as the initial
development of a cybersecurity culture that will ultimately
benefit all. This collaborative work alongside New Hampshire
school districts has led to mitigation of vulnerabilities cyber
threat actors leverage to conduct damaging cyberattacks.
Thank you for the opportunity to be here today, and I look
forward to the roundtable discussion.
Senator Hassan. Thank you so much.
Our third panelist today joins us from the Secret Service.
Mr. Tim Benitez serves as the resident agent in charge for
Manchester, New Hampshire. Resident Agent Benitez has over 24
years of law enforcement experience, and currently supervises
the New Hampshire Cyber Fraud Task Force's digital forensic
incident response team.
Resident Agent Benitez, you are recognized for your opening
remarks. Thank you for being here.
TESTIMONY OF TIMOTHY BENITEZ, RESIDENT AGENT IN CHARGE,
MANCHESTER, NH, U.S. SECRET SERVICE, U.S. DEPARTMENT OF
HOMELAND SECURITY
Mr. Benitez. Thank you. Good morning, Senator Hassan,
Members of the panel, and attendees here today. I thank you for
the opportunity to discuss the ongoing efforts of the U.S.
Secret Service to protect the nation's financial
infrastructure.
I serve as a supervisory special agent in Manchester, New
Hampshire, where I'm responsible for managing our integrated
mission of physical protection and investigating cyber-enabled
financial fraud.
In New Hampshire, our cyber fraud task force (CFTF) is a
collaboration between the public and private sector whose
mission is to prevent, detect, and mitigate complex cyber-
enabled financial crimes against payment systems and critical
infrastructure.
Participating State and local law enforcement, prosecutors
and judges have received specialized digital forensic cyber
investigation and cryptocurrency tracing training at the
National Computer Forensic Institute (NCFI) in Hoover, Alabama.
The Secret Service established the center in 2008 and we are
grateful that Senator Hassan co-sponsored the NCFI
Reauthorization Act which provides funding through 2028.
In fiscal year 2022, New Hampshire personnel attended
over 47 courses, receiving almost $300,000 in equipment. We are
currently on track to match those numbers for fiscal year 2023.
There is no cost to attend the NCFI, and many courses
include significant equipment issuance. For example, mobile
device forensic examiner course provides $28,000 in equipment.
The basic computer evidence recovery training course provides
$35,000 in equipment.
The graduates of these courses return to their respective
departments to investigate criminal activity and strengthen
prosecution utilizing digital evidence recovery methods. While
at their departments, the CFTF continues to collaborate and
provide necessary resources.
The Internet Crime Complaint Center's (IC3.gov) 2022
statistics report indicates that New Hampshire is experiencing
an increase in cyberattacks and cyber-enabled financial fraud
schemes.
While these statistics are significant, they are
underreported since many victims fail to report or are
reporting to other entities.
In 2022, 1,416 New Hampshire complainants lost $29.3
million, an increase of $14 million from 2021. Nationwide,
cyberfraud totaled $10.3 billion, with business email
compromise totaling $2.7 billion; investment scams, $3.3
billion; tech call center scams, $1 billion; and ransomware,
$35.3 million. This ransomware number does not include the
business revenue lost and the significant cost of incident
response and repair services.
Cyber attacks can be complex, or executed successfully by
preying on individuals that are susceptible. As the world becomes
increasingly digital, it is important that individuals and
organizational leaders understand and mitigate cybersecurity
risks utilizing both training and technological solutions.
I look forward to discussing these topics further and how
law enforcement can be more impactful. Thank you.
Senator Hassan. Thank you very much.
Now our next panelist is Mr. Denis Goulet. As Governor, I
had the pleasure of appointing Mr. Goulet as Commissioner and
Chief Information Officer (CIO) for the State of New Hampshire
Department of Information Technology in 2015. He has since been
reappointed for two additional 4-year terms by Governor Sununu.
Commissioner Goulet brings nearly 30 years of private
sector IT experience to his public service. Welcome,
Commissioner. You are recognized for your opening remarks.
TESTIMONY OF DENIS GOULET, COMMISSIONER AND CHIEF INFORMATION
OFFICER, STATE OF NEW HAMPSHIRE DEPARTMENT OF INFORMATION
TECHNOLOGY
Mr. Goulet. Thank you, Madam Chair. Thank you, first of
all, from the bottom of my heart for, in 2015, trusting me with
the most interesting, challenging, and rewarding job I have had
in my career. Also, thank you for your leadership in the
cybersecurity space.
I think it might not have been 10 minutes into my role as
Commissioner for the Department of Information Technology that
then Governor Hassan and her office were talking to me about
cyber. We have seen that leadership move through her change to
the role of Senator and now national leadership where we have
our friend and colleague, Rick Rossi. Thank you very much for
your leadership on that. That has been a tremendous help. I
think Rick is a credit to his organization in his role in the
State, and also the work on the State and local cybersecurity
grant program. We are going to make sure that is a game changer
in New Hampshire for K-12s and the municipalities as well.
As we walk around and do our jobs every day, we often hear
from our colleagues, ``Who owns cyber?'' You know, it's as if
it should be an organizational or a thing where, there is this
centralized authority for cybersecurity. Answer is we all do.
We all do.
Early in my tenure here in New Hampshire, myself and then
Director of Homeland Security and Emergency Management, Perry
Plummer, coined the phrase ``There is no 'I' in cyber.'' We
live that in New Hampshire. We are the live free or die State,
right? You would think, oh, we are fiercely independent. In
some ways, we are. But what I found is that the ability to team
on important things in New Hampshire is exceptional, and we are
seeing that here in New Hampshire on cybersecurity.
You have heard it already from all of the panelists so far,
the level of collaboration we have. We all have each other on
speed dial. Whoever finds out first, we pull each other in.
What that has resulted in is, even though there were quite a
few administrative hoops to jump through to actually access the
year one SLCGP, State and local cybersecurity grant program,
monies, New Hampshire was first in the Nation to both get plan
approval as well as to accept the money.
That is great for K-12s because we are operationalizing
that already in our process of rolling out the plan.
Now, when you look at that grant, it is a large amount of
money by any measure, nationally, but when it comes down to
each State, it is an amount that needs to be managed carefully.
We cannot afford to use that money in a wasteful way.
Fortunately, what has happened in our case, we already had that
collaborative environment that we were working on together. The
focus on our use of that money is very much on making the most
of it, bringing it to the K-12s and municipalities in a way
that they can leverage it, and doing it through programs versus
subgrants. We are, nationally, one of the first to do it that
way as well, and it is being recognized that that is the way to
do it.
The other thing I want to comment on is, do I have enough
money in my State budget to do everything I would like to do
from a cybersecurity perspective? Do I?
Mr. Weeks. No, sir, you don't.
Mr. Goulet. OK. Despite that, we are taking the SLCGP
monies. We are allowed to use 20 percent of those for State. We
are not doing that in New Hampshire. Because even though I do
not have enough money, I am in better shape than the K-12s and
the municipalities.
Other than a relatively small percentage that we are using
to operate the program, all of that money is going down to the
folks who need it the most. This is a great chance for us to
all discuss how we are doing that and how we can all make each
other better. Thank you.
Senator Hassan. Thank you very much, Commissioner.
Our fifth panelist works closely with Commissioner Goulet,
as you just heard, for the State of New Hampshire. Mr. Ken
Weeks serves as the chief information security officer for the
New Hampshire Department of Information Technology. Prior to
that, Mr. Weeks spent most of his adult life as a naval officer
special duty cryptology information warfare, retiring as a
captain.
Mr. Weeks, welcome. Thank you for your service. You are
recognized for your opening remarks.
TESTIMONY OF KENNETH WEEKS, CHIEF INFORMATION SECURITY OFFICER,
STATE OF NEW HAMPSHIRE DEPARTMENT OF INFORMATION TECHNOLOGY
Mr. Weeks. Good morning. Thank you, Chair Hassan.
It is a real pleasure to be here this morning. When I first
took this job, and I have been in my role for a little over a year
now, two very strong-willed ladies--one of whom happens to be
sitting to my left--and another one named Sonja Gonzalez, on
our very first meeting, said, ``Hey, Ken. We appreciate how you
can help and how the State will try to help us, but we do not
need someone to tell us what to do. We need help actually doing
it.''
That resonated with me and stuck with me. I spend an awful
lot of time listening and developing relationships with the New
Hampshire Chief Technology Officer organization--there are
members in the audience here, and Pam used to be a member of
that organization--as well as the New Hampshire Municipal
Association. What that did was allow us to have insight on what
individual SAUs, K-12s across the State, needed. Because what we
quickly found out was that if you knew one, you knew one. You did
not necessarily know all. There were some commonalities, but they
had very different problem sets and were going to require a
very different tailored set of services to get them what they
need to protect their student data, enable staff, and to, quite
honestly, keep the schools open.
Those relationships have grown over time. We also, here in
New Hampshire, as you very well know, ma'am, have the luxury
that almost all of the school districts within New Hampshire
are part of one public risk management exchange. That also
allows us to leverage things that are already known through the
Primex processes as far as what the needs are. Again,
individually, not just generically and across the board.
The attitude that we have taken--and we will get into more
detail about this in the question and answer--for both the
State and local cybersecurity grant program as well as the
State Homeland Security grant program, is that we want to
provide additive services and go out of our way to not
duplicate anything that is already available through Primex or
some other means that folks already have access to.
I think that goes to Commissioner Goulet's point of trying
to maximize the effectiveness of the money by ensuring there is
no duplication.
The last thing that I would say, it has come up a couple of
times from other panelists, but the importance of a partnership
and collaboration between the Federal level, the State level,
and the local level with the SAUs and those chief technology
officers and those administrators directly. Routinely, Mr.
Rossi, Mr. Benitez, Mr. Casey, who's in the audience and is a
risk manager at Primex, and Mr. Sgro, who is the senior partner
at ATOM and the chairman of the board for the newly formed
Overwatch Foundation, and myself, are talking to groups of
chief technology officers and local representatives, in every
forum that you can imagine from the Primex annual meeting to
the New Hampshire Chief Technology Officer meetings that are
held quarterly, as well as the New Hampshire Municipal
Association meetings. That has allowed us to very effectively
team and bring all the resources from our different agencies to
bear on the cybersecurity problems of New Hampshire.
Thank you very much for an opportunity to be here. I look
forward to the question and answer period, ma'am.
Senator Hassan. Thank you very much.
Our final panelist today is Ms. Pam McLeod. Ms. McLeod
currently serves as chair of the Alton school board. Prior to
that, she spent 19 years as an administrator in New Hampshire
public schools. Most recently, she was the director of
technology and chief information security officer for the
Concord school district. Ms. McLeod founded the New Hampshire
Chief Technology Officers' Council and the Student Privacy
Alliance. Ms. McLeod, welcome. You are recognized for your
opening remarks.
TESTIMONY OF PAMELA MCLEOD, CHAIR, ALTON SCHOOL BOARD
Ms. McLeod. Thank you. Thank you for having me. I want to
echo our appreciation for all of your work on cybersecurity,
Chair. It really is noticed amongst our school districts in New
Hampshire.
First, I want to say I served 10 years in a small K-8
district in Alton as the director of technology before moving
on to Concord. I am currently a board member in that same
school district, so I really do have the perspective of our
many small school districts at heart in a lot of what we do.
IT has changed a lot. Our IT leaders are not hiding in a
closet. We are not boxes and wires people anymore. We have some
of those working for us. But, we are collaborative. I think the
thing that New Hampshire is getting noticed for around the
country is really the collaboration, the grassroots efforts
that we have particularly related to student data privacy.
Our student data privacy initiative--completely
volunteer--has covered over 1,500 ed tech vendors since 2018,
since New Hampshire's student data privacy law was passed in
2018. We work with four other States in that initiative, and we
serve at least 82 percent of New Hampshire's public school
students. I am not sure what the other 20 percent are doing, 18
to 20 percent. But it has been noticed around the country and
has been very successful.
We appreciate the tight working relationship that we have
with the State CIO and chief information security officer
(CISO), with CISA, and particularly Rick Rossi. Multistate
Information Sharing and Analysis Center (MS-ISAC) has been
fabulous. The U.S. Secret Service, Primex, and the ATOM Group.
It is that kind of collaboration that really enables us to
survive when it comes to cybersecurity.
I am here to talk about what we need. Some of the things
that we need are, we do not need more documents and more
instructions. What we need are resources. Time and money, of
course, are always the issue in schools.
I have long thought that regional cybersecurity experts--
``regional'' in terms of New Hampshire's regions: North
Country, Lakes Region, Southeast, et cetera--who can actually
go into schools and configure settings for them would be a
really great advantage for schools. It would really help both
schools and municipalities address the cybersecurity issues
that they have.
I think having funding possibly through E-rate--and I
really appreciate FCC Commissioner Rosenworcel's commitment to
K-12, and potentially funding cybersecurity would be fabulous.
Funding Managed Detection and Response (MDR) or Security
Operations Center (SOC) services would be amazing for school
districts. Really offloading that task of watching logs, of
watching intrusions off to a service would be fabulous.
As I left Concord, we had taken advantage. CISA does have a
K-12 discount on SOC services with CrowdStrike, and we were
just implementing that as I left Concord earlier this summer.
But that really is potentially a game changer for school
districts.
I think what New Hampshire has done with the grant programs
has been amazing, and as they prepare to roll out YubiKeys for
multi-factor authentication (MFA), .Gov in a Box, security
training, really fabulous. One of my colleagues from another
State, when they heard about New Hampshire's grant application,
said, ``Well, what my State gave me is a waiver.'' We really
appreciate the efforts of the State in that respect.
Then I think there is a lot on the vendors. I think it is
really important for our ed tech vendors not to hide security
behind a paywall. I am a strong user of both Google and
Microsoft's tools, but both services hide security features,
which should be basic, behind a paywall. That is an important
change that really needs to happen.
After watching the White House events a couple of weeks
ago, fantastic to see the attention paid to K-12 cybersecurity.
As I watched the vendors' offerings, I felt they were a little
fluffy. I really like to give some kudos to Cloudflare, which
has a really tangible offering for districts under 2,500
students.
I have no association with Cloudflare. I have never used
their services. But they really stood out in terms of actually
offering something to school districts.
Then I think there is a lot on the districts as well.
School districts must require phish-resistant multifactor
authentication. It is way past time to fight that battle. I
think the State's grant program is going to help that a lot.
Teachers' unions need to get on board with that particular
initiative as well. School districts need to prepare with
security audits. CISA will come and do some auditing for free.
The ATOM Group, who is our forensic first responder through
Primex, will do it at a very reasonable rate. Fantastic
opportunities for districts there.
IT staffing is a huge problem. Turnover is a huge problem
in K-12 with IT. I think there are practical things that can be
done which may not cost a lot of money.
In my role as a school board member, we work to do market
adjustments for IT staff to really make sure that everybody
knows your compensation in the public sector is not going to
match what you can get in the private sector. However, there is
still a lot you can do to really build things up and make your
staff happier.
Monetary and nonmonetary. Things like work-from-home hybrid
models. Different kinds of benefits as well as some adjustments
to compensation. I do not know the answer to that, but it
certainly is a big issue that we have in school districts.
I guess I would leave with districts know how to employ
teachers. They are really good at employing teachers. They
really do not know how to compete for IT staff. Perhaps there
could be some partnerships with the Federal Government and the
State in terms of developing salaries, scales, and steps, other
kinds of initiatives. Denis has done a fantastic job with that
at the State of New Hampshire to really maintain that staffing.
Thank you very much for having me.
Senator Hassan. Thank you very much for that testimony. Now
I am going to pose some questions to the panel. I have a number
of them. My final question will be, essentially, is there
anything that we did not get to that you all wanted us to get
to, or anything you wanted to add to somebody else's comments?
As you are listening, if there is something that strikes
you, feel free to make a note, and I will come back to give
everybody a chance to add final thoughts at the end of the
questions.
I want to start with a question to you, Mr. King.
Cyberattacks continue to target K-12 schools across the
country. According to information from two nonprofit
organizations, the Multistate Information Sharing and Analysis
Center and the K-12 Security Information Exchange (SIE), there
have been more than 1,000 cybersecurity incidents impacting K-
12 schools since 2016. This does not include incidents that are
not reported publicly.
Mr. King, for school administrators and parents, how would
you describe the current cybersecurity threat for K-12 schools
in New Hampshire and New England?
Mr. King. Thank you, Madam Chair. It is hard to understate
how great a threat and a risk there is to schools. It is a
condition of how we manage our municipalities and how we
deliver education in this country that we are forced to make
hard choices about how to spend a dollar for education, and as
we have adopted these more increasingly advanced and convenient
technologies, some of them at a complexity level that obscures
risk entirely. We have certainly leveraged those technologies
to navigate the impact of Coronavirus Disease 2019 (COVID-19)
and successfully mitigate those impacts. Unfortunately, as we
have stepped down that path, we have inherited all the risk
associated with it.
Our environments for education have changed. Because of our
reliance on these technologies, we have to look at a completely
different understanding of risk and resiliency when it comes to
utilization of these technologies within our schools.
Senator Hassan. Thank you.
Ms. McLeod, I asked Mr. King about the cybersecurity threat
landscape really so that Granite Staters can get a sense of the
size and scope of the threats we are facing. I think it is also
important that people understand the impacts of a cyberattack
on a K-12 school system. You are on the Alton school board and
you previously served as director of technology of the Concord
school district and have other school district experience, so
you have experience addressing cybersecurity gaps.
Can you explain how a cyberattack impacts a K-12 school?
What are the consequences for school budgets, for student
privacy, and for classroom time?
Ms. McLeod. Yes, so in Concord, we were, I consider,
fortunate to be breached early in 2016. That really enforced
and influenced our approach to cybersecurity after that. We had
a breach of all of our staff W-2's. Every single staff member
in the district has had their data privacy compromised. Many of
those staff members were, for instance, refugee students who
were working as summer custodians for the district. Not just
adults, but also student employees as well.
It is devastating. It really takes all of the district's
time and resources to handle an attack like that for a period
of 2 to 4 weeks. It really is all-consuming. In the meantime,
you are trying to keep a whole infrastructure going. You are
trying to run a school district. You are trying to keep all of
your other business going. You are already stretched very thin.
It really is devastating.
Senator Hassan. In at least some cases it can interrupt
student learning time, too.
Ms. McLeod. Absolutely. Yes.
Senator Hassan. In terms of school budgets, do you remember
what the impact was on Concord back in 2016, or do you have
examples to share?
Ms. McLeod. I do not remember what the impact was. I am
sorry, I did not come with the number.
Senator Hassan. That is all right.
Ms. McLeod. I know that many school districts are reporting
impacts in the millions of dollars to recover.
In terms of today's ransomware attacks--that is why I say
we were fortunate, because this was not a ransomware attack. In
terms of today's ransomware attacks, you have to bring in
cybersecurity experts, and, in some cases, rebuild many of your
systems. It is absolutely just all-consuming, and costs range
certainly in the several hundreds of thousands into the
millions of dollars to do that quickly.
Senator Hassan. Thank you.
Mr. Benitez, we started this conversation talking about the
threat and then we talked about the impact on the local
community. Before we start talking about specific solutions, I
would like to hear from you about why it is important for
victims to report incidents and how law enforcement and
cybersecurity experts can help victims when they do.
Most people know of the Secret Service as the men and women
in suits who protect the President of the United States, but
the Secret Service also has an important role in combating
cybercrime. How does the Secret Service help K-12 schools
prepare for or respond to cyberattacks?
Mr. Benitez. Yes. Thank you for that question. To echo
everybody's sentiments up here, first and foremost is working
together in a preventative approach prior to an incident.
Oftentimes, like you just spoke about, the budget constraints
of an incident occurring, that money would be better spent, and
school boards should realize that that money should be better
spent on the front end for preventative measures. Prevention is
definitely key for cybersecurity.
How the Secret Service--why it is extremely important to
report is--it's important when we respond, when we receive a
call from a victim, we will always respond to that victim in
the State of New Hampshire. The reason being--to respond is we
want to get in contact with the IT staff, maybe prior to the
incident response team getting there, work with the incident
response team, work with the insurance company, work with the
third-party lawyer, to work with all those people that are
involved so we can obtain those indicators of compromise
(IOCs), and tactics, techniques, and procedures (TTPs), so we
can share that with the community.
It is important that we, in New Hampshire, do a better job
moving forward that the public and the community understands
reporting and getting everyone in this room involved early on
and getting your local law enforcement, who have been through
specialized training in NCFI, involved maybe even prior to an
incident occurring so you are familiar with them, so
intelligence that Rick does a great job sharing that comes from
throughout the country could be shared to your information
technology professional, if it is not in a formal document
but--for example, when Nashua happened, I reached out to Wade
Brown in Concord, and Wade reached out to Pam McLeod and said,
``Hey, there is something happening.'' Luckily, she knew about
it already. But these relationships are extremely important.
As a final thought of obtaining and providing these
indicators of compromise to the community so there are not other
victims, is there usually another victim. After Nashua hit,
there was somebody in the Upper Valley that was hit a week
later. It does happen in waves. Mostly there are some technical
reasons. There is probably a recent exploit which has not been
patched yet, which is understandable.
But, last, I wanted to mention is these crimes, everyone in
the public, in the United States, need to realize these are
usually transnational criminal organizations (TCOs) that are
overseas that will be long-term investigations. You may not see
a result tomorrow, but we have ascertained information in New
Hampshire, provided it to task forces that are working globally
to arrest suspects. We may not arrest somebody in New
Hampshire, but we provide crucial data to further their
investigation.
In addition, we are tracing and tracking cryptocurrency
because it is available and open on the blockchain to trace
and track in perpetuity.
So it is important to cooperate and to coordinate, and do
not be afraid to share this information. It is really a
defense. It is really an individual defense and a national
security defense to be cooperating with local, State, and
Federal Government.
Senator Hassan. Thank you very much both on the prosecution
side of things, but on the prevention side of things for
similar attacks to continue.
Is there a particular person a K-12 administrator should
contact about a cyberattack?
Mr. Benitez. Yes. The easiest way, like I said, is contact
the U.S. Secret Service at any time. We would like to meet you
beforehand and work with Rick to go over your incident response
plan. As we all have seen, personal relationships are a key to
success. That is what we are about in New Hampshire. But also,
to make it very simple, just search U.S. Secret Service in New
Hampshire. There is a phone number, 24/7/365, you can get
somebody live on the phone. We will respond.
Senator Hassan. I take to heart the relationship-building
part of it when you speak with task forces post terrorist
events, for instance. We find that the most successful
responses and the best way to prevent future attacks is when
people have ongoing relationships and have worked together to
prepare for the event, and that way, when the event happens,
people are ready to go and they know what to do.
Go ahead.
Mr. King. Madam Chair, I would like to add that in addition
to the Secret Service's reporting capabilities, the Federal
Bureau of Investigation (FBI) also runs IC3 and CISA has
reporting capabilities. The important thing is that any one
of these resources that you contact, you are going to get us.
We will collaborate effectively as to who is in the best
location at the best time, place, and to be able to provide
assistance as best we are able. It is very flat and it is very
responsive.
Senator Hassan. On that note, let me turn to the person
whose job it is to make sure that these relationships continue
and are flat.
Continuing this discussion of coordination and
collaboration, Mr. Rossi, I want to again, say how grateful I
am for your service and how pleased I am to welcome you to this
panel as the first-ever cyber coordinator for New Hampshire.
You have been on the job now for 2 years. Could you tell us
what you have been focusing on to help K-12 schools improve
their cybersecurity?
Mr. Rossi. Thank you, Madam Chair. The bulk of the work
that I have been doing at this point is before an incident,
working with IT directors to identify, manage, reduce cyber
risk to their district. As most of the panelists have pointed
out, every district is unique. Everybody has different
problems. Everybody has different solutions. I have not been to
a district that does not have a unique problem or a unique
solution. That crosspollination of ideas is one thing, making
those connections useful.
The primary area we are using right now is onsite
cybersecurity assessments to identify vulnerabilities and
provide mitigation guidance to districts before attacks happen.
That looks at anything from preventing cyber-enabled fraud
schemes, ransomware attacks, and cyber intrusions. We do a
debriefing with the district, strongly recommending that senior
leadership in the district is in the room to make sure that
everybody has skin in the game. This is not a one-person IT
director's problem. This is something we are making progress on
over time. To conquer this is going to be a cybersecurity
culture change.
We also connect them with no-cost technical resources,
including CISA cyber hygiene vulnerability scanning, malicious
domain blocking reporting for domain name system (DNS)
filtering, as well as CISA's Secure Cloud Business Applications
(SCuBA) gear, which is a more recent offering to assess optimal
Microsoft 365 security configuration baselines, getting right
to Pam's point that currently things are not secure by default.
That is a major agency effort right now. Secure by design.
Secure by default.
Everything is tailored. That is, anything from assistance
to policy development, support to tailored assistance for each
district, as well as technical assistance in looking at things
like segmentation on a network.
Bottom line, ma'am, we take a look at where a district is,
work with them where they are at instead of where they should
be, and help get them on a roadmap to progress them toward a
more secure posture.
Senator Hassan. Excellent. I know that you have met with a
lot of school officials, but what message would you share with
school officials who may not have had a chance yet to meet?
Mr. Rossi. Appreciate the question, Madam Chair. The bottom
line is CISA stands ready to partner with any of those
districts. One of the common things that I keep hearing is ``We
are too small. It will never happen here.'' The message is the
adversary gets a vote in that. While you may not think you are
a great target, the adversary may think you are a fantastic
target. Your ability to pay what you think is not a significant
amount of money may be a significant amount of money to an
overseas actor.
We are here to partner with you. One thing that I would
point out is in one of my first school assessments, a
superintendent said, ``This is not what I was expecting at all.
I was expecting multimillion-dollar projects that we do not
have the budget for,'' whereas we are coming in and addressing
some of the issues Pam just brought up, enabling security
configuration within tools that are already paid for.
Ninety-five percent of cyberattacks involve human error.
What we are trying to do is build a culture of cyber awareness
leveraged onsite, and, again, that roadmap. We will start out
with what is going to be lower costs, lower manpower hours, and
start working our way up to things that are going to require
greater financial investment.
Senator Hassan. Great. Thank you so much for that.
Ms. McLeod. May I follow up on that really quick?
Senator Hassan. Sure.
Ms. McLeod. Rick has been a fantastic resource for us. We
need more of him. He is definitely overscheduled, scheduled far
out. We definitely need more similar resources.
Senator Hassan. OK. That is helpful. I will take that back
to the appropriators.
Ms. McLeod. Thank you.
Senator Hassan. Commissioner Goulet, with your help, 2
years ago, I spearheaded an effort to create a Federal grant
program specifically targeted at improving the cybersecurity of
State and local governments. This grant program was enacted as
part of the bipartisan infrastructure law. Your work and
support were critical in that effort.
I know that the Department of Homeland Security has only
just begun awarding money under the program, but could you tell
us how the grant program is helping K-12 schools improve their
cybersecurity?
Mr. Goulet. Right off the bat, in advance of actually going
through all the internal New Hampshire administrative hoops, we
started moving on the multifactor authentication without
actually having the money yet. One of the things I like to do
is and one of the challenges with government in general is that
there is a lot of administrative things that slow down
progress, but sometimes you can legitimately get ahead of it.
While I am still waiting for the last couple of
administrative steps so I can actually expend the money, we are
actually out there giving out these little keys that allow you
to do multifactor authentication. I am like, ``Why would you do
a key? Because you could do it on your phone. You can do it
through an authenticator application.''
Pam brought up one of the reasons is that this idea from a
union perspective that your personal device should not be used
for work really does get in the way of that. We are addressing
that very specifically with those keys.
But the other programs that we are implementing through the
planning committee, .Gov in a Box, and the technical training
are both shovel-ready, locked and loaded, and once we get
through the last couple of steps--you know them well, Senator,
in New Hampshire--then we will be actually ready to rock and
roll on that.
Senator Hassan. That is great. We have all spoken about it,
but there are obviously a variety of State and local
cybersecurity needs. How are K-12 schools involved in the
process of applying for and awarding this Federal grant in New
Hampshire?
Mr. Goulet. It starts with building community. The more
effort we put into building community, the more people know
what is going on and what opportunities exist out there. So
that is where it starts. We will continue that forever.
Second, it is through the committee, the planning
committee, and having representation on the committee that
allows us to properly represent the needs of K-12s and the
services we offer. That was, I think, a pretty huge deal.
We had a list of, I think, seven or eight projects. We put
that before the committee, and they were like, ``Oh, this is
what we should do.'' It was a very collaborative process. Then
making sure that we do not bundle. We have K-12s. We have
municipalities. We have unincorporated places. Do not bundle
them in a single thought pattern, but look at them
individually. As Rick mentioned, you see some individual stuff
everywhere. Again, I loved what you said about taking them from
where they are and bringing them forward versus having this
assumption of a certain level of competence.
Senator Hassan. Got it. I have another question for you,
Commissioner, and then I will follow up to Ms. McLeod.
In 2018, the New Hampshire legislature passed a law
requiring the State Department of Education to establish
minimum standards for the privacy and security of student data.
Commissioner Goulet, what, in your view, has been the
impact of this law on K-12 cybersecurity in New Hampshire?
Mr. Goulet. I am going to tag-team. We are going to go
``boom, boom'' here.
Senator Hassan. OK.
Mr. Goulet. But, initially, the impact was again, we had to
look at it and say, ``All right. What's happening out there?''
There was a lot of thrash going on. The main thing we did
at first was how can we create a standard that was reasonable
to implement?
There were a couple things on that. One was looking at
Federal guidelines. Another was, taking an approach that was
not too overly complicated and technical. The other was
actually changing legislation, in other parts of State
government, proposing changes so that it potentially minimized
the cost to K-12s in the sense that adherence to the standard
was not layering cost.
I would ask Ken and Pam to talk about the downstream
results of that.
Senator Hassan. Yes, please.
Mr. Weeks. If you do not mind, I think one of the big
things that I came into this job looking at was risk that was
being assumed by doing business with others. The CTO Alliance
was ahead of that game. They had written up data standards,
student privacy data standards, and insisted that vendors
adhered to these and signed off on them before doing business
with individual districts, et cetera.
My role in this was sort of acting as an advocate with
other entities at the State level to ensure that the State did
not undermine those efforts by having a standard that was
significantly less, and potentially putting that same exact
dataset at risk.
Senator Hassan. Got it. Ms. McLeod.
Ms. McLeod. I will make one point first which is that New
Hampshire's law also covers staff personal information. It is
one of the few in the country that does. First we went into
panic mode because this was massive for us.
Senator Hassan. These new laws, requirements, right?
Ms. McLeod. Yes. In 2018. It was really overwhelming. We
were not aware of it until almost after it passed. We did work
with the legislators to kind of tone it down a little bit.
Ken's predecessor, Dan Dister, and Ken, have just been a huge
support for us in terms of developing those standards. They are
based on network and information systems (NIS). They need to be
revised at this point. It has been a few years. Really helping
to understand how they apply to everything.
The grassroots effort was really because we had sort of no
way to centralize this effort, so we, through the New Hampshire
CTO council, which is our professional organization, and it's a
State affiliate of CoSN, we developed a model which districts
pay in just over a dollar per student per year, so it's a cost-
sharing model. Very inexpensive, and it scales. We are all
working together on these data privacy agreements. We have made
huge progress. It has been really incredibly successful.
Senator Hassan. Is it fair to say--I am looking at kind of
how we talk about what K-12 schools in New Hampshire, what
steps they have taken to date to implement this law. It is data
privacy agreements. Anything else you would add to that?
Ms. McLeod. I would add that there is work from the Student
Data Privacy Consortium, who we were a member of, on a national
data privacy agreement that, from what I hear from the vendors,
would be really significant for them. If we could get all of
the States working together on one instrument that covered
everybody? It is very difficult for the vendors to say, ``Oh,
we are going to meet this standard for New Hampshire, and this
standard for California, and this standard for Texas.''
That work is in progress, but if something could be
developed maybe at the U.S. Department of Education, I think
that that would really help vendors comply with the standards.
Senator Hassan. Got it. Denis, you wanted to add?
Mr. Goulet. Just a quick follow-up, too. Like
cybersecurity, privacy is a cultural thing. We need tools
downstream, but if the culture is not supportive, it is hard to
be successful. I think that cybersecurity culture evolution is
a bit ahead of privacy cultural evolution in organizations, or
at least in public sector organizations. I feel like building
that culture is really important.
Business leaders, as was mentioned, you have to have your
business leaders involved in cyber. Same thing with privacy. It
is all of our responsibility to take care of that data.
Ms. McLeod. I could add, I found it, in Concord, very
important to explain to our teachers, to put it in terms of
what would happen if your child or your grandchild's identity
was breached? They go to buy a car when they are 18, and
somebody's purchased a house for them in some other State,
under their identity.
Really putting it in those terms and helping them to
understand how to freeze their credit, how to do those basic
steps to protect accounts in their personal lives really helped
reinforce with teachers that culture around privacy.
Senator Hassan. That is great. Thank you.
Mr. Weeks, I want to turn to you because the Commissioner
just told us that one of the ways the State and local
cybersecurity grant program is helping New Hampshire
communities is through the .Gov in a Box tool that you created.
How does the .gov domain improve cybersecurity for local
governments, including K-12 schools, and how did you come up
with this idea?
Mr. Weeks. First of all, I do not want to--it would be
impossible for me to take sole credit for that. That was also a
team sport. I will explain that a little bit.
But what .gov does is provides a verifiable identity for
entities; whether that is a municipality, whether that is a K-
12 district, it does not matter. It is verifiable. It is not
easy to spoof. We have school districts and this is not
pejorative, it is just the reality on the ground--that are
.org, that are dot something, .US, I mean, you pick a domain,
right?
Senator Hassan. Right.
Mr. Weeks. More and more, as some of these things age, they
are easy to spoof. That can result in business email
compromises. It can result in even more phishing attacks than
if you are in a .gov domain.
The reason I say these other attacks is distributed denial
of service (DDoS), et cetera--for example, if you go on NH.gov,
we have that cloud hosted, and we apply DNS security to all of
those domain names. That is a recent security improvement that
we have implemented in the State.
Every K-12 that would sign up for .Gov in a Box--and I
realize I might be getting ahead of myself a little bit here--
would automatically have those protections as well. The
identity verification, the nonspoofability, and the additional
security that we will provide by our hosting mechanism are
three great benefits for a K-12.
As far as .Gov in a Box, based on some data from the New
Hampshire Municipal Association, only 26 percent of the
eligible entities within the State of New Hampshire were on a
.gov domain. The commissioner and I and a couple of other
people looked at each other, and we looked at the notice of
funding opportunity (NOFO) and the priorities from CISA for the
grant program, and one of the top ones was transition to .gov
domains for those who are eligible.
We said, ``Well, that is fine to tell them, but in New
Hampshire we cannot mandate them. We can just recommend
this,'' as you very well know.
And so myself and Mr. Sgro kind of sat down and said,
``What are all the reasons people would say no?'' We started
writing them down. We said, ``Well, let us just add all that to
the scope of services.''
Regardless of where a K-12 or a municipality starts, at the
end of the process, we will give you a turnkey solution to
transition to .Gov in a Box, including your first box of
stationery with your new website and email addresses on it.
Senator Hassan. Got it. Yes.
Mr. Weeks. Again, it was about what are all the reasons
that someone may say no? Let us add that to the scope of
services and concentrate on equity of outcome rather than an
equal application of services.
Senator Hassan. Got it. Thank you for that. Thank you to
the whole team that has made .Gov in a Box possible. It is
really exciting.
Mr. King, I want to turn back to you. Two years ago, I
urged the Department of Homeland Security and Department of
Education to improve their coordination efforts to protect K-12
schools from cyberattacks. The recommendation was to create a
government-coordinating council which would work with Federal,
State, and local governments to strengthen the cyberresilience
of K-12 schools. I am pleased that the Department of Education
recently announced it would be doing just that.
Can you explain, please, how the creation of this council
will help Federal, State, local, and private sector entities
coordinate their efforts to protect K-12 schools from
cyberattacks? How is CISA working with the council?
Mr. King. Thank you very much, Madam Chair. I think Pamela
actually teed this up earlier. We are looking at how the
Department of Education is trying to address these evolving
lines, the dependencies within these technologies in order to
still achieve their educational outcomes.
The important thing here is--and Mr. Rossi mentioned
this as well--that 95 percent of these risks are human related.
Education is absolutely all about helping people understand how
to best handle these challenges. It is an alignment that
frankly, should have happened a lot sooner. But to bring both
of these organizations together and then deliver that locally
is absolutely critical.
You have seen what those here on the panel have said about
Mr. Rossi. I see that consistently across the region, and my
fellow chiefs across the country consistently see how important
it is to have that trust and confidence in an individual or a
group of individuals that are available and accountable for
helping guide organizations along those paths to better
security.
Senator Hassan. Thank you.
Mr. Benitez, the National Computer Forensics Institute,
which is operated by the Secret Service, offers training and
equipment for State and local enforcement, for judges and
prosecutors to combat cybercrime. You have mentioned it a
couple of times. I am pleased to be part of that bipartisan
group in Congress that pushed to reauthorize the Institute. I
am glad it is reauthorized through 2028.
How has the National Computer Forensics Institute supported
training, investigations, and other efforts here in New
Hampshire?
Mr. Benitez. Yes. The NCFI--and kudos to the law
enforcement professionals, judges, and prosecutors that have
attended NCFI--they have really taken to understand
cybersecurity, understand digital forensics. These are complex
fields for law enforcement to get involved in and understand.
But we have been able to use those resources. I think one of
the overarching themes that is very positive to hear today is
the NCFI, like the grant program, gives people like Pam
actionable hands-on things to work on cybersecurity. We give
the training. We provide the training free of charge. We
provide the equipment, and it is brought back to the community
to work on cybersecurity, the coordination with the other
people throughout the country, the network of cybersecurity
professionals to learn. Our law enforcement professionals will
go down to Hoover, Alabama, and know that we have a group of
people here--CISA, the State--and explain that to other law
enforcement professionals in other States and develop those
relationships throughout the country.
That is important, it is positive for New Hampshire and I
am grateful that you are able to support that endeavor.
Senator Hassan. Thank you very much. Again, trying to build
awareness to what help is out there from a variety of different
places and sectors to meet people where they are and help them
get trained. It is really important.
Last question before the wrap-up question is to you, Ms.
McLeod. As chair of the Alton school board, and as a former
director of technology for a school district, you, I think--and
you have demonstrated this--have a really unique insight into
the budget resource challenges of K-12 cybersecurity.
In your view, what are the biggest challenges when
considering resource allocation for K-12 cybersecurity and
which budget items tend to be the most difficult to find
funding for?
Ms. McLeod. I do not know if it is easily solvable, but I
think staffing is the biggest issue. During the last year in
Concord, I was spending about 75 percent of my time on
cybersecurity and related sort of hardening cybersecurity and
data privacy issues. That had increased gradually over the
years.
There is also a massive infrastructure to run in Concord,
so it is very difficult to give up the time. I think finding
ways to supplement staffing or to free up staffing or bring in
more staffing at sort of entry levels so it rolls up and the
person doing cybersecurity has more time is the biggest issue.
Senator Hassan. Great. Can you share with us some of the
ways that New Hampshire schools have worked together to reduce
the burden of expensive cybersecurity tools and services? You
referenced some of them, but I think it is worth a little bit
of focus.
Ms. McLeod. Yes. First of all, it is the collaboration. It
is just massive. Some of my colleagues are in the audience. I
have worked with many of these folks before that are up on the
stage. But school districts where the IT folks are siloed, and
do not collaborate, and do not sort of reach out, they are at
most risk of cybersecurity issues. It is really important, I
would say, for districts when they are selecting IT leaders to
make sure that that person is collaborative and is going to
reach out and work with others, because you cannot do
everything that you need to do.
Senator Hassan. It is fair to say that when the spirit of
collaboration is working among school districts and among
various levels of government and various agencies, there are
ways to share experience and share best practices that help
each individual school--for instance, school district--lower
its budget allocation for this, or at least try to save money
and be as efficient as they can; is that fair?
Ms. McLeod. Absolutely. I think my colleagues are all
really skilled at grabbing everything they can that's free, or
grant funded. To give you an example, as I left Concord, I
mentioned CISA's CrowdStrike offering. We did that through the
little bit that was remaining out of our COVID ESSER funds. It
is a pilot program, but we were able to put that into place.
Actually, we put three or four layers of cybersecurity tools in
place with those funds.
Everything you can grab from anybody just really makes up
the difference, but it does take more time.
Senator Hassan. Collaboration and coordination take time.
Ms. McLeod. Yes.
Senator Hassan. That is always one of the things we forget.
Mr. Weeks, did you want to say something?
Mr. Weeks. One thing I will add is, I think, Senator, that
all of the IT folks and the technical folks at the schools are
very aware of the problem. One of the things we have
tried to do--and it is grant funded--is create
cybersecurity training for both elected officials, which school
boards could take advantage of, as well as for more senior
executives. Superintendents, principals could get this
training. It is grant funded. It costs nothing to the municipality
or the school district.
I think making those decisionmakers aware of these problems
and the potential security weaknesses could influence budgetary
decisions and administrative decisions going forward.
Senator Hassan. And priorities, yes.
Ms. McLeod. Absolutely.
Senator Hassan. All right. The wrap-up question here is to
each and all of you. If you feel like you have already talked
about it and you do not have anything to add, that is fine,
too, because I think this has been a really fulsome discussion
and I am really grateful for it.
The final question to each of you is what more should
Federal, State, and local leaders do to strengthen
cybersecurity in schools? Anything else you would like to add?
We will go in this order. We will start with you, Mr.
Benitez, and we will work this way.
Mr. Benitez. Thank you very much. Thank you for hosting
this event today. I think, from a law enforcement perspective,
we try to stay on the preventative side, but we would really
like to see, especially in New Hampshire, a grant-like program
like the Internet Crimes Against Children (ICAC) has for
cybersecurity in the public and private sector. What we are
hearing here is it's hard to train and keep specialized people
in information technology in the public sector and to keep law
enforcement that has the skill set in law enforcement and not
to go to the private sector.
I know in the Secret Service, for instance, we have a
retention bonus. It would be nice to move some of these things
that we learned in the Federal Government to the local
government where we are providing money for people with
specialized skills, increasing salaries where we can through
bonuses.
Additionally, what many people do not realize is that it is
extremely expensive to purchase these software licenses. New
Hampshire really needs to colocate our personnel. The Secret
Service is working on this now. But, once again, it is
difficult. There are not many personnel. People are strapped
just for their normal duties rather than cybersecurity. But if
we could coordinate from the public, Federal side, and the
local law enforcement side together, colocated, saving money
and spending on licenses at one location, I think that would be
a tremendous asset for the citizens of New Hampshire to get
more bang for their buck for response for cybersecurity.
One of the last things that we have done, we are in the
midst of hiring someone who is not law enforcement but is a
specialist in digital forensics, cryptocurrency tracing, and
incident response, to work in our office as a Secret Service
employee who would be there full-time, responsible to respond
for the citizens of New Hampshire and work in a collaborative
approach.
Thank you for your time today and hosting this event and
very pertinent discussion.
Senator Hassan. Thank you so much. Mr. Rossi.
Mr. Rossi. Thank you, ma'am. Two things I would point out.
We have already discussed resources. As the cybersecurity
coordinator, I focus on K-12, but not just K-12. Even if I was
just focused on K-12, you are talking a ratio of one
cybersecurity coordinator to 90 school districts.
Additional resources. As we talked about the collaboration
part, we all like each other, but we are almost forced to
collaborate when there's one person here, one person there in
the different agencies.
The last area I would hit on is having conversations like
you have put together today here, Senator. Many school
districts still view publicly disclosing a cyber incident as
taboo, which, unfortunately, keeps the growing problem hidden.
We are starting to talk about this in a national-level
conversation. If someone broke into a classroom and stole all
their computers, switches, and other technology, law
enforcement would be notified, and that would likely be on the
front page of the news. But when we have a cyberattack of the
same magnitude, that is often swept under the rug and
decisionmakers do not have the information on just how grave of
a problem this is.
Again, Madam Chair, having conversations like this furthers
the agenda. Thank you for having me today.
Senator Hassan. Thank you very much. Mr. King.
Mr. King. Thank you, Madam Chairwoman. Again, my
compliments to bringing this forum together. I think it has
been extraordinarily fruitful.
As you mentioned earlier, I previously worked in the
commercial sector. When I worked with boards and senior
executives, I would begin many of my conversations with ``I
want you to think about one aspect of your core business model
that does not rely on information technology.''
In the 3 years I have worked with that corporation, I never
once got an answer. I occasionally got some functions that were
not, but, bottom line was that very gradually, we have become
completely dependent on these technologies.
We have to fix this. We have to get this right. We have to
continue to try to reinforce this because the next wave is
bringing even more complexity. If we cannot get this right
now, it is just going to get worse.
Senator Hassan. I appreciate that very much. Thank you.
Commissioner?
Mr. Goulet. A couple things. One is, with the advent of
SLCGP, our traditional grant funding stream, which some years
ago, the Homeland Security grants that are administered by the
Department of Safety in New Hampshire and most other States,
had a carve-out for cybersecurity.
There's now consideration in DC to kind of remove that
because of the State and local cyber grant program which we
have--we are not in favor of. I will say that very clearly.
I would like to work with you and anybody else on that and
try to get visibility to it. We are also talking to the
National Association of State Chief Information Officers
(NASCIO) community as well to make sure there's visibility
there.
The other thing is that part of the legislative intent for
SLCGP was to get State and local governments used to
investing in cybersecurity. I have spent some time in New
Hampshire trying to do that. We have a State match in this
biennium so that we can help our K-12s and municipalities. I
want to keep that going.
From a local government perspective, I will be advocating
for a continued investment. Because it harms us all, it is not,
``Oh, well, that school district got harmed.'' It is not a
State issue. It really is. It harms us all when an individual
entity is breached, when extra money is spent on what is
essentially unproductive behavior, right? I will be advocating
for that, and any support there is greatly appreciated.
Senator Hassan. Thank you. Mr. Weeks.
Mr. Weeks. Thank you, ma'am. We all, including all the K-12s
across New Hampshire, have a significant amount of
cybersecurity risk imposed on us by the fact that we have to do
business with others. I won't beat around the bush.
Specifically, the risk centers around software. The more that
the Federal Government can help us by putting the pressure on
vendors to be secure by design, secure by default. We, at the
State level, do not have a large enough voice to influence that
conversation with the massive software vendors. Only the
Federal Government can do that, in my opinion.
Helping us do that and not allowing them to continue
putting security features behind paywalls that local
governments, K-12s, and State governments have a hard time
affording and budgeting for would be a tremendous assistance.
The only analogy that I would use is if we bought a bunch
of tanks and airplanes and artillery pieces that were as
unsecured by design as the software had to be fixed, every
taxpayer in the country would be up in arms over that.
Senator Hassan. That's fair.
Mr. Weeks. Thank you, ma'am.
Senator Hassan. Thank you. Ms. McLeod, I wanted to give our
representative of local government the last word here because
this is really ultimately----
Ms. McLeod. No pressure.
Senator Hassan. This is ultimately the level at which the
impact of cyber breaches is felt the most directly. It really
harms our kids and our schools and the staff and our taxpayers.
Ms. McLeod. Absolutely. To Daniel's point, IT touches every
single aspect of a school district. There is not one part of a
district that cannot be operated without technology. It is not
just student personal information, but it is also behavior
data, special education data, very sensitive data that we have
seen breached in some of the big breaches like LA and in
Minnesota. Stuff that people do not want to be splashed around
the Internet.
One thing that districts can do is--that we have done in
our district is put funds into a trust annually that's
reactive, but to build something up to handle an emergency
should it come up, whether it be infrastructure or
cybersecurity. Federally, I think continuing the grants. I
would love to see E-rate just focus much more on
cybersecurity--actually, it does not build that focus on
cybersecurity, cover MDR and SOC services, especially; cover
other software pieces that can help secure the district; more
Federal resources on the ground, like Rick; pushing the vendors
to be secure by design. I think that's so important.
There is a paywall. Let districts pay for advanced features
that they want, but not for cybersecurity. With both Google and
Microsoft, you cannot even prevent an overseas login without
going to features that are behind the paywall.
Other ed tech vendors have to pay attention to this as
well, the smaller vendors.
Everything needs to be single sign-on or have multifactor
authentication. That has to be built into every single tool
that kids use. That is just really critically important to
schools.
Senator Hassan. I truly appreciate the discussion today. I
thank you all for coming before the Subcommittee to discuss
what is clearly a really important topic to a lot of us. I
appreciate your hard work and your dedication to protect our
communities, and specifically our kids from cyberattacks,
especially right now as everybody's gearing up to return to
school.
I think, the biggest takeaway I hope people watching today
or listening to this or reading about it will take is that this
is a responsibility that rests with each and every one of us,
and we have to get more and more aware of the danger of
cyberattacks. I think we have to invest time and resources and
attention to prioritizing this, because the tools that we have
in terms of education, in terms of what the digital world can
provide educationally are really important and good, but we
have to be able to engage in this space securely.
I thank you all very much, and I look forward to continuing
to work with all of you. With that, this panel is adjourned.
[Whereupon, at 12:25 p.m., the roundtable was adjourned.]