[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
  CYBER INCIDENT RESPONSE: BRIDGING THE GAP BETWEEN CYBERSECURITY AND 
                          EMERGENCY MANAGEMENT 

=======================================================================

                             JOINT HEARING

                               before the

                       SUBCOMMITTEE ON EMERGENCY
                        PREPAREDNESS, RESPONSE,
                           AND COMMUNICATIONS

                                and the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 30, 2013

                               __________

                           Serial No. 113-39

                               __________

       Printed for the use of the Committee on Homeland Security


      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                         U.S. GOVERNMENT PRINTING OFFICE 

87-116 PDF                       WASHINGTON : 2014 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, 
                          Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

  SUBCOMMITTEE ON EMERGENCY PREPAREDNESS, RESPONSE, AND COMMUNICATIONS

                  Susan W. Brooks, Indiana, Chairwoman
Peter T. King, New York              Donald M. Payne, Jr., New Jersey
Steven M. Palazzo, Mississippi,      Yvette D. Clarke, New York
    Vice Chair                       Brian Higgins, New York
Scott Perry, Pennsylvania            Bennie G. Thompson, Mississippi 
Mark Sanford, South Carolina             (ex officio)
Michael T. McCaul, Texas (ex 
    officio)
            Eric B. Heighberger, Subcommittee Staff Director
                   Deborah Jordan, Subcommittee Clerk
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Jason Chaffetz, Utah                 Filemon Vela, Texas
Steve Daines, Montana                Steven A. Horsford, Nevada
Scott Perry, Pennsylvania, Vice      Bennie G. Thompson, Mississippi 
    Chair                                (ex officio)
Michael T. McCaul, Texas (ex 
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk



                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Susan W. Brooks, a Representative in Congress From 
  the State of Indiana, and Chairwoman, Subcommittee on Emergency 
  Preparedness, Response, and Communications.....................     1
The Honorable Donald M. Payne, Jr., a Representative in Congress 
  From the State of New Jersey, and Ranking Member, Subcommittee 
  on Emergency Preparedness, Response, and Communications:
  Oral Statement.................................................    12
  Prepared Statement.............................................    13
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................    10
  Prepared Statement.............................................    11
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................    14

                               Witnesses

Ms. Roberta Stempfley, Acting Assistant Secretary, Office of 
  Cybersecurity and Communications, National Protection and 
  Programs Directorate, U.S. Department of Homeland Security:
  Oral Statement.................................................    16
  Prepared Statement.............................................    18
Mr. Charley English, Director, Georgia Emergency Management 
  Agency, Testifying on Behalf of National Emergency Management 
  Association:
  Oral Statement.................................................    22
  Prepared Statement.............................................    23
Mr. Craig Orgeron, CIO and Executive Director, Department of 
  Information Technology Services, State of Mississippi, 
  Testifying on Behalf of National Association of State Chief 
  Information Officers:
  Oral Statement.................................................    27
  Prepared Statement.............................................    29
Mr. Mike Sena, Director, Northern California Regional 
  Intelligence Center, Testifying on Behalf of National Fusion 
  Center Association:
  Oral Statement.................................................    32
  Prepared Statement.............................................    34
Mr. Paul Molitor, Assistant Vice President, National Electrical 
  Manufacturers Association:
  Oral Statement.................................................    38
  Prepared Statement.............................................    39

                             For the Record

The Honorable Susan W. Brooks, a Representative in Congress From 
  the State of Indiana, and Chairwoman, Subcommittee on Emergency 
  Preparedness, Response, and Communications:
  Statement of National Governors Association....................     3

                                Appendix

Questions From Chairwoman Susan W. Brooks for Roberta Stempfley..    65
Questions From Chairwoman Susan W. Brooks for Charley English....    67
Questions From Chairwoman Susan W. Brooks for Craig Orgeron......    68
Questions From Chairwoman Susan W. Brooks for Mike Sena..........    69
Question From Chairwoman Susan W. Brooks for Paul Molitor........    70


  CYBER INCIDENT RESPONSE: BRIDGING THE GAP BETWEEN CYBERSECURITY AND 
                          EMERGENCY MANAGEMENT

                              ----------                              


                      Wednesday, October 30, 2013

     U.S. House of Representatives,        
      Committee on Homeland Security,      
   Subcommittee on Emergency Preparedness, 
          Response, and Communications, and
     Subcommittee on Cybersecurity, Infrastructure 
             Protection, and Security Technologies,
                                            Washington, DC.
    The subcommittees met, pursuant to call, at 10:07 a.m., in 
Room 311, Cannon House Office Building, Hon. Susan W. Brooks 
[Chairwoman of the Emergency Preparedness, Response, and 
Communications subcommittee] presiding.
    Present from Subcommittee on Emergency Preparedness, 
Response, and Communications: Representatives Brooks, Palazzo, 
Payne, and Clarke.
    Present from Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies: Representatives Meehan, 
Clarke, and Horsford.
    Mrs. Brooks. The Subcommittees on Emergency Preparedness, 
Response, and Communications and Cybersecurity, Infrastructure 
Protection and Security Technologies will come to order.
    I would like to welcome our witnesses, everyone in the 
audience, and those who are watching this webcast to our joint 
hearing today on Cyber Incident Response.
    I would like to start out by thanking Chairman Meehan and 
Ranking Member Clarke for working with me and Ranking Member 
Payne, both of whom we anticipate will be here shortly, on this 
important issue.
    I would like to thank our witnesses for their patience as 
we have worked to reschedule this hearing, in addition to the 
slight delay this morning.
    I would also like to thank the staffs who have worked 
together in preparing us for this very important hearing this 
morning.
    October is Cybersecurity Awareness Month, and I think it is 
so very important that we observe this month in part of our 
awareness because it must be our ability to not only protect 
our networks and our critical infrastructure from intrusions, 
but also, what is our ability to respond should an intrusion 
become successful? After all, we do know that the threat of a 
cyber attack is real and in a speech just prior to her 
resignation former Secretary of Homeland Security Janet 
Napolitano discussed that threat. She forecasted that our 
country will face a major cyber event that will have a serious 
effect on our lives, our economy, and the everyday functioning 
of our society.
    Now, earlier this past week National Geographic Channel 
aired a program entitled ``American Blackout''--a program which 
I watched with some interest on Sunday evening. It explored the 
cascading effects of a Nation-wide 10-day power outage caused 
by a cyber attack. For the Members of the committee, if you 
have not seen that I strongly recommend that you watch this 
show.
    The movie was eye-opening and quite scary and happened to 
be on a topic that I had discussed just recently with Hoosier 
Power Companies in my district just last month. The effects of 
the blackout depicted in this movie caused serious public 
health and public safety issues, including severely impacting 
the food and water supply; the availability of fuel, which we 
also saw during Hurricane Sandy, when that horrific hurricane 
came upon our shores just 1 year ago yesterday; the ability of 
hospitals to function; the ability to access money from ATM 
machines or to use credit cards; and most importantly, the 
ability to enforce the law and maintain civil society.
    Now, I agree with the former Secretary when she noted that 
we have made some great strides in addressing cyber threat, but 
clearly more work must be done and must be done quickly. This 
assessment that work remains was echoed at a hearing we held in 
the Emergency Preparedness Subcommittee last month.
    The 2013 National Preparedness Report released by FEMA 
earlier this year again highlighted States' concerns about 
their own cybersecurity capabilities. The 2013 report noted 
gains in cybersecurity at the State level but that the States 
continue to report that cybersecurity is among the lowest of 
their capabilities. Let me repeat that: It is among the lowest 
of the States' capabilities.
    At that hearing California's homeland security advisor, 
Mark Ghilarducci, noted that cybersecurity is an emerging and 
evolving threat that everybody is still grappling to get their 
arms around. He noted that the Federal Government's ability to 
provide guidance to States has been rather limited.
    I agree this is not an easy task, but information sharing 
about the threat and actions to take before, during, and after 
a cyber attack is critical. I hope that Ms. Stempfley will tell 
us about the Department's efforts to share information with 
State and local authorities including emergency managers, 
fusion centers, and the private sector to help them work to 
address and elevate the importance of this evolving threat; and 
that I hope that our State and local witnesses will also 
discuss how they share information and coordinate with relevant 
officials in their States and localities and with the private 
sector, which, I must note, controls at least 85 percent of our 
Nation's critical infrastructure. We must ensure that this 
coordination is taking place now so we are prepared to respond 
to a cyber incident that will have physical consequences.
    I am also interested in learning today how DHS, working 
with other Federal agencies and departments and exercise 
participants, is working to address the lessons that were 
learned in the National-level exercise conducted in 2012, which 
simulated a large-scale cyber attack.
    Just as I have noted the challenges we face in addressing 
the cyber threat, we must also discuss the progress that is 
being made. In my own district I am proud to say that the 
Indianapolis division of Homeland Security has established a 
cyber defense force to improve the overall cybersecurity 
preparedness of the Indianapolis metropolitan area, and the 
State of Indiana has included cybersecurity in its threat and 
hazard identification and risk assessment, or in its own THIRA.
    The National Emergency Management Association is working 
also with Texas A&M to develop cybersecurity awareness training 
programs for emergency managers. Fusion centers are also 
becoming much more engaged in cybersecurity.
    States are also taking innovative steps to address the 
threat. For example, Michigan has established the role of a 
chief security officer, which has oversight of both 
cybersecurity and physical security.
    The National Guard is becoming much more engaged in 
cybersecurity as well. In Maryland the Air National Guard's 
175th Network Warfare Squadron is assisting with the 
development of State cybersecurity assessments and has worked 
with Maryland Emergency Management on cybersecurity exercises.
    Next month the North American Electric Reliability 
Corporation, or NERC, will hold GridEx 2013, an exercise that 
will test the electricity subsector's readiness to respond to a 
cyber incident including physical consequences.
    These are all critically important steps, but as I noted 
earlier, much work remains to ensure we are prepared to respond 
to a cyber attack.
    Chairman McCaul and Chairman Meehan have been working to 
develop thoughtful, effective cybersecurity legislation this 
Congress. I am pleased the draft bill that that committee has 
worked on includes provisions addressing cyber incident 
response and it is my hope that today's hearing will help to 
further inform that committee's work.
    Before I conclude, I would like to ask unanimous consent to 
include in the record a statement from the National Governors 
Association, which provides greater details on steps States are 
taking to enhance their cybersecurity posture.
    [The information follows:]
              Statement of National Governors Association
                            October 30, 2013
    On behalf of the Nation's governors, thank you for the opportunity 
to comment on bridging the gap between cybersecurity and emergency 
management. Protecting the Nation from cyber threats and their 
potential consequences requires strong partnerships among all levels of 
government, law enforcement, the military, and the private sector. Over 
the past several years, Governors have been working to improve the 
cybersecurity posture of their States and to improve State-Federal 
coordination. Based on these efforts and States' interaction with the 
Federal Government, we are pleased to offer the recommendations below.
                 state efforts to address cybersecurity
    Since the terrorist attacks of September 11, 2001, and Hurricane 
Katrina in 2005, National preparedness and response activities have 
emphasized a ``whole community'' approach. Despite this progress, 
State-Federal coordination efforts for cybersecurity are still in their 
early stages. In the absence of unified Federal guidance, States are 
moving forward to develop methods, strategies, and partnerships to 
improve their cyber resiliency and strengthen capabilities to prepare 
for, respond to, and recover from potential cyber attacks.
    Governors are leading efforts to expand collaboration and drive 
change at both the State and Federal level. This is taking place 
through initiatives such as the National Governors Association (NGA) 
Resource Center for State Cybersecurity and the Council of Governors. 
Through these collaborative forums, Governors have identified a number 
of areas where enhanced Federal support and engagement could further 
assist States in this National effort. For instance, the Federal 
Government should:
    • Enhance Federal coordination and consultation with States 
        and recognize that Governors have emergency powers and 
        authorities that can benefit the Federal Government.
    • Leverage all available resources, such as the National 
        Guard, to support both Federal and State cybersecurity 
        missions.
    • Provide flexibility for State investments in cybersecurity 
        through reform of Federal grant programs and support for 
        innovative State solutions that leverage existing resources 
        such as fusion centers.
    • Clarify Federal statutes, roles, and authorities to address 
        cyber incident response, taking into consideration the role of 
        States and the impact on current State laws and regulations.
    • Improve information sharing and State access to Federal 
        cybersecurity resources, such as those for technical support, 
        education, training, and exercises.
            encouraging action and promoting best practices
    Governors' efforts are focused on the need to improve not just 
States' cybersecurity, but that of the Nation. To help Governors 
address this challenge, NGA formed the Resource Center for State 
Cybersecurity in 2012. The Resource Center, co-chaired by Maryland 
Governor Martin O'Malley and Michigan Governor Rick Snyder, brings 
together experts from key State and Federal agencies and the private 
sector to provide strategic and actionable recommendations Governors 
can use to develop and implement effective State cybersecurity policies 
and practices.
    On September 26, 2013, the NGA released Act and Adjust: A Call to 
Action for Governors for Cybersecurity, a paper that provides strategic 
recommendations Governors can immediately adopt to improve their 
State's cybersecurity posture (attached). NGA also released an 
electronic dashboard designed to provide Governors with an overview of 
their State's cybersecurity environment and assist them in monitoring 
implementation of the paper's recommendations. The dashboard is 
currently being pilot tested in Maryland and Michigan in conjunction 
with the Multi-State Information Sharing & Analysis Center (MS-ISAC). 
Through the Resource Center, Governors are exploring other vital areas 
as well, including:
    • The role of fusion centers in collecting and disseminating 
        real-time information on cyber threats to State agencies and 
        law enforcement;
    • Enhancing the cybersecurity of energy systems and the 
        electrical grid in coordination with utility commissions, 
        owners, and operators at the State level; and
    • Developing a trained and enduring cyber workforce within 
        State government.
                  leveraging resources government-wide
    Identifying innovative solutions to address cybersecurity and 
secure the Nation against the growing cyber threat requires engagement 
by senior leaders at all levels of government. In addition to their 
work within their respective States, Governors also have engaged 
directly with the Federal Government through the Council of Governors 
(Council). Currently co-chaired by Governor O'Malley and Iowa Governor 
Terry Branstad, the Council brings together 10 Governors and the 
Secretaries of Defense and Homeland Security to address issues 
regarding the National Guard and homeland defense.
    Since it was formally established in 2010, the Council has served 
as a valuable forum to facilitate coordination between State and 
Federal military activities, such as a 2010 agreement establishing 
dual-status command authority during major disasters. This authority 
was employed during recent events such as Hurricane Sandy and the 
Colorado floods. The Council is now working to turn this commitment to 
collaboration into similar actions to address State-Federal 
coordination on cybersecurity and the development of National Guard 
cyber capabilities.
    Governors firmly believe the Guard's unique status serving both 
Governors and the President and its access to civilian-acquired 
skillsets makes it an ideal and cost-effective resource to address our 
Nation's growing cyber vulnerabilities. With the flexibility to support 
both Federal and State-related cyber missions, the Guard can be a force 
multiplier in support of the Department of Defense, the Department of 
Homeland Security (DHS), the Federal Bureau of Investigation and 
States. While the National Guard's role in cybersecurity is still being 
deliberated, Guard cyber units across the country are already 
demonstrating their unique capabilities including:
    • Serving as a key coordinating hub between various 
        stakeholder groups.--Several National Guard cyber units are 
        actively engaged with their Governor's office, State emergency 
        management agencies, State Chief Information Officers and other 
        State, local, and Federal officials in the development of State 
        cyber incident response plans. Several States have also 
        integrated Guard units within their fusion center.
    • Providing key support services in planning, testing, 
        training, and exercises.--Guard unit participation is 
        continuing to grow in State and National-level cyber exercises 
        such as Cyber Guard, Cyber Storm, and Cyber Shield. Several 
        State Guard units also are providing risk assessment and 
        vulnerability testing support to State agencies and local 
        critical infrastructure owners and operators.
    • Providing a readily available and highly-trained 
        workforce.--National Guard cyber units include personnel from a 
        significant number of the Nation's top cybersecurity and 
        information technology companies such as Microsoft, Cisco, 
        Siemens, Intel, GE, Boeing, IBM, and Google. This access 
        provides a unique opportunity to leverage and sustain ``leading 
        edge'' civilian-acquired cyber skillsets not readily available 
        or easily built from within the Federal Government.
    Earlier this year, Governors secured the commitment of former U.S. 
Department of Homeland Security Secretary Janet Napolitano and 
departing U.S. Department of Defense Deputy Secretary Ash Carter to 
work with them to identify new opportunities to strengthen the State-
Federal partnership on cybersecurity and to better leverage existing 
resources such as the National Guard. This work is on-going, and we 
look forward to providing the committee an update on our progress early 
next year.
               opportunities for state-federal engagement
    As the development of Federal legislation to address cybersecurity 
continues, Governors urge Congress to consider the following 
recommendations:

    • Ensure coordination and consultation with States.--Like all 
        disasters, response and recovery begins at the State and local 
        level. Federal cyber incident response guidance such as the 
        National Cyber Incident Response Plan (NCIRP) must not be 
        developed using a Federal-centric approach, but must integrate 
        key State officials and consider Governors' authorities 
        throughout the process.
    • Promote the role of the National Guard to support both 
        Federal and State cybersecurity missions.--This includes 
        ensuring that the National Guard is considered concurrently 
        with active duty forces in any new cyber force structure 
        developed by U.S. Cyber Command and the military services.
    • Support State investments in cybersecurity through reform of 
        homeland security preparedness grants.--In recent years, 
        decreased funding levels across preparedness grant programs 
        combined with their current rigid requirements has limited 
        States' ability to address emerging threats, such as 
        cybersecurity, or provide adequate support to fusion centers.
    • Address ambiguities with cyber incident response.--This 
        includes clarifying current statutory authorities governing 
        disaster management, such as the Stafford Act and the Economy 
        Act. Roles and responsibilities of the various Federal agencies 
        with cybersecurity coordination and operational authority 
        during an incident should be better-defined and corresponding 
        guidance to State and local authorities (such as the NCIRP) 
        should be updated accordingly.
    • Improve information sharing with States to provide real-time 
        intelligence on threats.--Improving existing information-
        sharing capabilities such as the MS-ISAC and State and local 
        fusion centers can further support this effort. DHS also can 
        provide more structured and coordinated access to Federal 
        cybersecurity initiatives such as workforce and training 
        programs, Federal cybersecurity exercises, and forums for 
        public-private partnerships.
                cybersecurity is a shared responsibility
    Governors recognize the critical need to improve our Nation's 
cybersecurity posture. This is an immense challenge that requires an 
unprecedented level of coordination among all levels of government and 
the private sector. Governors are committed to addressing this 
challenge within their States and are actively seeking to partner with 
their Federal counterparts. As the committee continues to consider the 
legislative path forward for cybersecurity, NGA stands as a ready 
resource for innovative policy solutions that will both support 
Governors' efforts and enhance the State-Federal partnership to address 
our Nation's most pressing cybersecurity challenges.
                         Attachment.--NGA Paper
    act and adjust: a call to action for governors for cybersecurity
September 2013, Thomas MacLellan, Division Director, Homeland Security 
        & Public Safety Division, NGA Center for Best Practices
    Cybersecurity remains one of the most significant challenges facing 
the Nation. Although implementing policies and practices that will make 
State systems and data more secure will be an iterative and lengthy 
process, Governors can take a number of actions immediately that will 
help detect and defend against cyber attacks occurring today and help 
deter future attacks.
    Those actions include:
    • Establishing a governance and authority structure for 
        cybersecurity;
    • Conducting risk assessments and allocating resources 
        accordingly;
    • Implementing continuous vulnerability assessments and threat 
        mitigation practices;
    • Ensuring that the State complies with current security 
        methodologies and business disciplines in cybersecurity; and
    • Creating a culture of risk awareness.
    By implementing those recommendations immediately, Governors can 
greatly enhance States' cybersecurity posture.
Guiding Principles
    This Call to Action, as well as the work of the NGA Resource Center 
for State Cybersecurity (Resource Center), is guided by a set of core 
principles:
    • Support Governors.--The work of the Resource Center is 
        singular in its focus on supporting Governors' efforts to 
        improve cybersecurity. The Resource Center marks the first 
        large-scale effort exclusively focused on the role of Governors 
        in improving cybersecurity.
    • Be Actionable.--The goal of the Resource Center is to 
        provide to Governors recommendations and resources that promote 
        actions that reduce risk.
    • Reduce Complexity.--Cybersecurity policy is designed and 
        implemented in a complex environment. The Resource Center aims 
        to reduce that complexity by looking for common principles and 
        practices that are effective in that environment.
    • Protect Privacy.--The recommendations made through the 
        Resource Center aim to both improve cybersecurity and protect 
        the privacy, civil rights, and civil liberties of citizens.
    • Employ Technologically Neutral Solutions.--The 
        recommendations made through the Resource Center emphasize 
        nonproprietary, open standards.
    • Focus on the State as Enterprise.--The work of the Resource 
        Center aims to improve Governors' understanding of the State as 
        an enterprise including the interdependencies among State 
        agencies; between the public and private sector; and regionally 
        across State boundaries.
    • Promote Flexible Federalism.--To the extent possible, the 
        Resource Center emphasizes the benefits of and opportunities 
        for flexibility within Federal programs to allow for tailored 
        State solutions.
    • Rely on Evidence-Based Practices.--The Resource Center makes 
        recommendations that build on evidence-based practices.
    • Use and Generate Metrics.--The Resource Center promotes 
        recommendations that use dynamic performance metrics to manage 
        and improve State processes and practices.
    • Promote the Use of Incentives.--The Resource Center makes 
        recommendations that promote the use of incentives to improve 
        cybersecurity practices in a State.
Immediate Actions to Protect States
    Domestic and international actors are launching a significant 
number of cyber attacks against States. Although many of the actions 
necessary to reduce the Nation's vulnerabilities to cyber attacks 
require long-term structural improvements and business redesign, 
Governors can take actions now that can immediately improve their 
State's cybersecurity posture. Implementation of the actions described 
below will help to ensure strong governance and oversight, a baseline 
of cybersecurity capabilities, and quicker identification of attacks 
and threats; it also will help to improve basic cybersecurity 
practices.
    Establish a governance structure for cybersecurity.--Because State 
systems and networks are interconnected, developing a robust 
cybersecurity posture will require an enterprise-wide approach. To that 
end, Governors need to ensure that they have a strong State-wide 
governance structure with some degree of central authority that 
provides a framework to prepare for, respond to, and prevent cyber 
attacks. Several recent attacks reveal that States which fail to put in 
place a strong governance structure are at a distinct disadvantage.
    For many States, chief information security officers (CISOs), who 
are responsible for developing and carrying out information technology 
(IT) security policies, have only limited responsibility and authority 
over State-wide cyber networks. CISOs can operate in federated or 
decentralized environments where technology and security resources are 
dispersed across various agencies and departments. In addition, the 
sharing of cyber threat information with the private sector and local 
governments is handled by State homeland security agencies, further 
complicating the overall cybersecurity governance structure.
    According to a survey conducted by Deloitte for the National 
Association of State Chief Information Officers (NASCIO), 56 percent of 
State CISOs indicate that they have authority over only their executive 
branch agencies, departments, and offices.\1\ Although most States have 
a CISO, if they do not have a visible agency-level security posture, 
they can encounter obstacles to implementing an effective cybersecurity 
program. Among the elements of an effective program are enforcement 
mechanisms to ensure compliance with security policies and audit 
findings. States without governance structures to build and operate 
effective programs will be limited in their ability to identify on-going 
cyber attacks and respond in a coordinated way.
---------------------------------------------------------------------------
    \1\ ``State Governments at Risk: A Call for Collaboration and 
Compliance,'' Deloitte and the National Association of State Chief 
Information Officers, October 26, 2012, accessed March 10, 2013, http:/
/www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/
AERS/us_aers_nascio%20Cybersecurity%20Study_10192012.pdf, 10.
---------------------------------------------------------------------------
    Governors can grant their chief information officers (CIOs) or 
CISOs the authority to develop and steer a coordinated governance 
structure (for example, a task force, commission, or advisory body) 
that can greatly improve coordination and awareness across agencies 
that operate State-wide cyber networks. Such an approach also helps 
enable the CIO or CISO to take actions to prevent or mitigate damage in 
the event of a cyber breach.
    Michigan has created a centralized security department run by a 
chief security officer (CSO) that brings together both physical 
security and cybersecurity. Directors, managers, and employees within 
each agency coordinate through the centralized governance structure to 
focus on each agency's need for both physical security and 
cybersecurity. Governance of that type is especially important during 
an incident or a disaster. The approach allows the CSO and CIO to work 
closely to manage the State's cyber networks and infrastructure and to 
ensure that effective governance practices are in place.
    Although a central authority is essential, it does not obviate the 
importance of collaboration among local governments, nongovernmental 
organizations, and the private sector. Those relationships are 
essential to understanding the culture, operations, and business 
practices of various agencies and organizations with cyber assets 
within the State. In Michigan, for example, in addition to dedicated 
and full-time State employees in the Office of Cybersecurity, a risk 
management team leverages many resources around the State to gather 
information and resolve an incident efficiently and effectively.
    Minnesota is another example of a State that adopted a governance 
framework that stresses teamwork and communication between a 
centralized information technology organization and stakeholders. The 
State CIO works collaboratively with the Governor, the Technology 
Advisory Committee, and other agency leaders. Minnesota also has 
several governing bodies that have an agency CIO, providing a direct 
link to the State CIO and operational decisions made at the different 
agency team levels.\2\
---------------------------------------------------------------------------
    \2\ ``State of Minnesota IT Governance Framework,'' http://mn.gov/
oet/images/StateofMinnesotaITGovernanceFramework.pdf (June 2012).
---------------------------------------------------------------------------
    Recognizing the need to foster collaboration at all levels of 
government and with the private sector, California recently created the 
California Cybersecurity Task Force. The task force focuses on sharing 
information to improve the security of Government and private-sector IT 
assets.\3\
---------------------------------------------------------------------------
    \3\ ``California Launches Cybersecurity Task Force,'' http://
www.govtech.com/security/California-Launches-Cybersecurity-Task-
Force.html (May 17, 2013).
---------------------------------------------------------------------------
    Conduct risk assessments and allocate resources accordingly.--
Governors and other key State actors need a comprehensive understanding 
of the risk and threat landscape to make accurate and timely decisions 
when allocating scarce resources. Without a comprehensive understanding 
of the risks, including the interdependencies among critical assets, 
States are vulnerable to interruptions in business operations as well 
as financial and data losses. To gain this awareness, States must 
develop security strategies and business practices by conducting risk 
assessments that identify information assets, model different threats 
to those assets, and allow for planning to protect against those 
threats.\4\
---------------------------------------------------------------------------
    \4\ ``5 Steps to Cybersecurity Risk Assessment'' http://
www.govtech.com/security/5-Steps-to-Cyber-Security.html?page=1 (June 
24, 2010).
---------------------------------------------------------------------------
    In addition to establishing sound business practices and using 
existing resources, States also must conduct hands-on activities and 
exercises as a part of their assessments. Those practices include 
regular penetration testing and vulnerability scanning and should be 
referenced in security policies. States can take advantage of resources 
from Federal and private entities to conduct those activities. Once an 
independent State-wide assessment has been conducted, Governors can 
make necessary decisions on where scarce resources should be allocated 
to prevent the loss of essential information and resources and to 
protect critical infrastructure and assets. The initial assessment also 
will help determine the frequency of such assessments in the future, 
based on the risk profile of agencies. As an example, agencies with 
sensitive citizen data might require annual assessments and quarterly 
follow-up in their corrective action plan.
    Additionally, Governors and their senior staff who have appropriate 
security clearances should receive regular classified cybersecurity 
threat briefings. The Department of Homeland Security (DHS) can assist 
States in planning these briefings.
    Implement continuous vulnerability assessments and threat 
mitigation practices.--Consistently monitoring threats and 
vulnerabilities will help Governors proactively defend cyber networks. 
Every day, States are exposed to phishing scams, malware, denial-of-
service attacks, and other common tactics employed by cyber attackers. 
Governors must ensure that mission-critical systems are equipped with 
technologies and have implemented business practices that will identify 
potential threats, track all stages of cyber attacks in real time, and 
offer mitigation techniques and options for any resulting loss or 
damage.
    Maryland leverages the cybersecurity capabilities of the Maryland 
Air National Guard 175th Network Warfare Squadron to support its 
cybersecurity assessments. State agencies participate in collaborative 
web penetration training exercises with the Maryland Air Guard 
Squadron. The exercises that feature simulated attacks from malicious 
outsiders or insidious insiders are useful in evaluating the security 
of selected State websites and portals. Security issues uncovered 
through the penetration tests lead to technical and procedural 
countermeasures to reduce risks. The Guard also provides network 
vulnerability assessment services to various State agencies while, in 
return, it receives beneficial training for the squadron's members. A 
number of other States have similar practices in place.
    The Multi-State Information Sharing and Analysis Center (MS-ISAC) 
has been designated by DHS as a key resource for cyber threat 
prevention, protection, response, and recovery for the Nation's State, 
local, territorial, and Tribal governments. Through its state-of-the-
art Security Operations Center, available 24 hours a day, 7 days a 
week, the MS-ISAC serves as a central resource for situational 
awareness and incident response. The MS-ISAC also provides State, 
local, Tribal, and territorial governments with managed security 
services, which are outsourced security operations that include on-
going monitoring of networks and firewalls for intrusions.
    Another related resource available to State and local governments 
is DHS's newly-launched Continuous Diagnostics and Mitigation (CDM) 
program. The CDM program at the Federal level works by expanding 
deployment of automated network sensors that feed data about an 
agency's cybersecurity vulnerabilities into a continuously updated 
dashboard. To support States in improving their capabilities to prevent 
and detect intrusions, the CDM has a blanket purchasing agreement that 
reduces the cost to States of purchasing tools and services that 
enhance their cybersecurity. It is important to note that such 
purchases are most effective when coordinated with MS-ISAC's managed 
security services so as to maintain collective situational awareness 
across State and local governments.
    Ensure that your State complies with current security methodologies 
and business disciplines in cybersecurity.--States can turn to two 
industry standards for a baseline of effective cybersecurity practices. 
First, the Council on CyberSecurity's Critical Controls for Effective 
Cyber Defense is an industry standard that provides States with a 
security framework that can strengthen their cyber defenses and 
ultimately protect information, infrastructure, and critical assets. 
Compliance with that standard will provide a baseline of defense, deter 
a significant number of attacks, and help minimize compromises, 
recovery, and costs. The controls are based upon five guiding 
principles: Using evidence-based practices to build effective defenses, 
assigning priorities to risk reduction and protection actions, 
establishing a common language that measures the effectiveness of 
security, continuous monitoring, and automating defenses.\5\ The 
controls also identify key network components and how to secure them.
---------------------------------------------------------------------------
    \5\ ``CSIS: 20 Critical Security Controls,'' http://www.sans.org/
critical-security-controls/guidelines.php.
---------------------------------------------------------------------------
    The second standard is the Information Technology Infrastructure 
Library (ITIL). An ITIL is a set of practices for information 
technology service management (ITSM) that are designed to align 
information technology (IT) with core business requirements. The latest 
editions of ITIL, which were published in July 2011, form the core 
guidance of best management practices and can greatly strengthen 
States' IT practices. The ITIL has been adopted by companies in many 
private-sector industries, including banking, retail services, 
technology, and entertainment. For States, an ITIL will help ensure 
that States' IT assets correlate with their critical assets.\6\
---------------------------------------------------------------------------
    \6\ ``ITIL: The Basics,'' http://www.best-management-practice.com/
gempdf/ITIL_The_Basics.pdf.
---------------------------------------------------------------------------
    Create a culture of risk awareness.--The best firewalls and most 
advanced antivirus software cannot deter a cyber attack if the 
individuals using a network are either careless or inattentive to basic 
security practices. The strongest door and most secure lock will not 
keep a burglar out if the door is left open or unlocked.
    Governors have the opportunity to promote a culture of 
cybersecurity awareness that will help to minimize the likelihood of a 
successful cyber attack. Building a strong cybersecurity culture means 
making individuals aware of the many risks and on-going threats facing 
their networks. Those individuals must understand the potential 
negative implications of their activities or inattentiveness. To 
develop a strong cybersecurity culture, focus should be put on 
increasing awareness, setting appropriate expectations, and influencing 
day-to-day security practices of end-users. Awareness can be created by 
including relevant training and content in the orientation process of 
new staff as well as annual review of current staff. Expectations about 
users' behaviors can also be set by adding cybersecurity components to 
job responsibilities.
    However, creating a culture of awareness will be an on-going 
process that will require constant attention and on-going training. 
Governors have the opportunity to use the bully pulpit to make 
cybersecurity the responsibility of all, including ordinary citizens. 
In Delaware, State employees conduct cybersecurity presentations for 
elementary school students to reinforce the importance of internet 
safety practices. The State also hosts video and poster contests that 
encourage the public to create materials that promote cybersecurity 
awareness.\7\
---------------------------------------------------------------------------
    \7\ See http://www.dti.delaware.gov/information/
cybersecurity.shtml.
---------------------------------------------------------------------------
    Effective awareness training and education for end-users is 
recognized as the single most effective factor in preventing security 
breaches and data losses. States such as Michigan have launched 
security awareness training for all State employees and have posted on-
line guides that are available to the public with the goal of reducing 
risk.\8\ More than 50,000 users and partners are currently enrolled in 
Michigan's training program, an on-line interactive program consisting 
of a dozen 10-minute lessons. Other organizations, such as the MS-ISAC, 
also offer training resources that are readily available on-line.
---------------------------------------------------------------------------
    \8\ See State of Michigan Security Office website.
---------------------------------------------------------------------------
    Michigan also has recently launched a research, test, training, and 
evaluation facility for cybersecurity and cyberdefense. In partnership 
with State universities, the private sector, and State and local 
governments, Merit Network Inc., a 501(c)(3) nonprofit organization, 
built and developed the state-of-the-art center to further advance 
cybersecurity training in Michigan. A wide variety of course offerings 
includes certifications in incident handling, disaster recovery, 
forensics, and wireless security. Dozens of technical staff have 
already completed training and received certifications.
    In addition to offering training, States like Maryland conduct 
table-top exercises to raise the awareness and response capabilities of 
key State actors. Maryland, through the State's Emergency Management 
Administration (MEMA), facilitated an initial cabinet-level table-top 
exercise in which cybersecurity and continuity of operations awareness 
and readiness were assessed. In addition to MEMA, DHS and the National 
Security Agency Cyber Command assisted in hosting this exercise.
The Path Forward
    The actions described above are a first step for Governors to 
improve cybersecurity for State-owned and -operated systems. However, a 
secure cybersecurity fabric will require an enterprise-wide approach 
that includes coordination and partnerships with critical 
infrastructure owners and operators, private industry, and the public.
    Over the course of the next year, the NGA Resource Center for State 
Cybersecurity will issue a series of reports focusing on critical areas 
for mid- to long-term actions Governors can take to strengthen their 
States' cyber posture. Those areas include improving coordination 
between State and Federal governments, leveraging State fusion centers 
to respond to cyber threats, enhancing the cybersecurity of critical 
energy systems and infrastructure, and developing a skilled 
cybersecurity workforce.
    In addition to the work of the Resource Center, NGA also is leading 
efforts through the Council of Governors to collaborate with the 
Departments of Defense and Homeland Security on how the National Guard 
could be used to better protect both State and Federal networks. The 
National Guard's unique role serving Governors and the President, 
combined with its ability to attract and retain individuals who have 
full-time employment in IT and related fields, make it an ideal 
solution to help address the shortage of highly-skilled personnel 
necessary to protect critical networks and systems.
    Across the country, several States have established National Guard 
cyber capabilities that are closely aligned with civilian agencies and 
coordinate regularly with public utility commissions, owners and 
operators of critical infrastructure, and other public and private-
sector partners.

The NGA Resource Center for State Cybersecurity is made possible 
through the generous support from our grant makers, including the 
American Gas Association, Citi, Deloitte, Edison Electric Institute, 
Good Technology, Hewlett-Packard, IBM, Northrop Grumman, Nuclear Energy 
Institute, Symantec, and VMware.

    Mrs. Brooks. With that, I look forward to hearing from our 
distinguished panel of witnesses.
    The Chairwoman now will recognize the gentlelady from New 
York, Ms. Clarke, for any opening statement she may have.
    Ms. Clarke. I thank Chairwoman Brooks and Ranking Member 
Payne as well as Chairman Meehan for holding today's joint 
subcommittee hearing.
    We all know that cybersecurity is a matter of National, 
economic, and societal importance. Present-day attacks on the 
Nation's computer systems do not simply damage an isolated 
machine or disrupt a single enterprise system, but current 
attacks target infrastructure that is integral to the economy, 
National defense, and daily life.
    Computer networks have joined food, water, transportation, 
and energy as critical resources for the functioning of the 
National economy. When one of these key cyber infrastructure 
systems is attacked, the same consequences exist for a natural 
disaster or terrorist attack.
    National or local resources must be deployed. Decisions are 
made to determine where to deploy resources. The question is: 
Who makes these decisions?
    The data required to make and monitor the decisions and the 
location of available knowledge to drive them may sometimes be 
unknown, unavailable, or both. Indeed, computer networks are 
the central nervous system of our National infrastructure and 
the backbone of emergency management is a robust cyber 
infrastructure. These systems enable emergency management 
agencies to implement comprehensive approaches to natural 
disasters, terrorist attacks, and law enforcement issues.
    Mr. Payne has introduced a bill, the SMART Grid Study Act, 
that will give a fuller picture of the smart grid's role and 
our reliance on it, especially during an event where emergency 
management response is key to our resilience. I am glad to see 
the strong support that the National Electrical Manufacturers 
have given this bill and I especially look forward to their 
testimony today.
    There is a general lack of understanding about how to 
describe and assess the complex and dynamic nature of emergency 
management tasks in relation to cybersecurity concerns. There 
are many issues involving knowledge integration and how to help 
managers improve emergency management task performance.
    Ever since the first computer virus hit the internet it has 
been apparent that attacks can spread rapidly. Just as society 
has benefited from the nearly infinite connections of devices 
and people through the U.S. cyber infrastructure, so have 
malicious parties with the intent of taking advantage of this 
connectivity to launch destructive attacks.
    We must find a way to develop tools that we can use to 
improve emergency management successes through effective 
handling, cyber complexity, cyber knowledge, and cyber 
integration at the ground level of our first responders.
    Madam Chairwoman, I look forward to today's testimony and I 
yield back.
    [The statement of Ranking Member Clarke follows:]
              Statement of Ranking Member Yvette D. Clarke
    We all know that cybersecurity is a matter of National, economic, 
and societal importance. Present-day attacks on the Nation's computer 
systems do not simply damage an isolated machine or disrupt a single 
enterprise system, but current attacks target infrastructure that is 
integral to the economy, National defense, and daily life.
    Computer networks have joined food, water, transportation, and 
energy as critical resources for the functioning of the National 
economy. When one of these key cyber infrastructure systems is 
attacked, the same consequences exist for a natural disaster or 
terrorist attack.
    National or local resources must be deployed. Decisions are made to 
determine where to deploy resources. The question is: Who makes these 
decisions? The data required to make and monitor the decisions, and the 
location of available knowledge to drive them may sometimes be unknown, 
unavailable, or both.
    Indeed, computer networks are the ``central nervous system'' of our 
National infrastructure, and the backbone of emergency management is a 
robust cyber infrastructure. These systems enable emergency management 
agencies to implement comprehensive approaches to natural disasters, 
terrorist attacks, and law enforcement issues.
    Mr. Payne has introduced a bill, the Smart Grid Study Act, that 
will give a fuller picture of the smart grid's role and our reliance on 
it, especially during an event where emergency management response is 
the key to our resilience. I'm glad to see the strong support that the 
National Electrical Manufacturers have given this bill, and I 
especially look forward to their testimony today.
    There is a general lack of understanding about how to describe and 
assess the complex and dynamic nature of emergency management tasks in 
relation to cybersecurity concerns. And there are many issues involving 
knowledge integration and how it helps managers improve emergency 
management task performance. Ever since the first computer virus hit 
the internet, it has been apparent that attacks can spread rapidly.
    Just as society has benefited from the nearly infinite connections 
of devices and people through the U.S. cyber infrastructure, so have 
malicious parties with the intent of taking advantage of this 
connectivity to launch destructive attacks.
    We must find a way to develop tools that we can use to improve 
Emergency Management successes through effectively handling cyber 
complexity, cyber knowledge, and cyber integration at the ground level 
for our first responders.

    Mrs. Brooks. Thank you.
    I thank the Ranking Member of the Subcommittee on 
Cybersecurity, Infrastructure Protection, and Security 
Technologies and I now turn to the Ranking Member for the 
Emergency Preparedness, Response, and Communications, the 
gentleman from New Jersey, Mr. Payne, for any opening 
statements.
    Mr. Payne. Thank you, Madam Chairwoman. Let me apologize 
for my tardiness, but Amtrak didn't cooperate this morning, so 
I apologize for that.
    I would like to thank Chairwoman Brooks and Chairman Meehan 
for calling this hearing today.
    Yesterday marked the 1-year anniversary of Super Storm 
Sandy, which devastated communities all along the Eastern 
Coast, especially in my home State of New Jersey. Although the 
people of New Jersey, with a lot of help from the Federal 
Government, have begun the long effort to rebuild what was 
lost, much work remains. I know that I am not alone when I say 
that the people affected by Hurricane Sandy can be sure that 
members of this panel will continue to work to make sure that 
the communities are rebuilt and the lessons learned are 
incorporated into future disaster plans.
    With that, I will turn to the topic of today's hearing, 
responding to cyber attack. Last month the Subcommittee on 
Emergency Preparedness, Response, and Communications held a 
hearing reviewing the findings of the Federal Emergency 
Management Agency's 2013 National Preparedness Report. For the 
second year in a row, States indicated that of the 31 core 
capabilities, cybersecurity is one of the capabilities about 
which they are least confident.
    The threats posed by a cyber attack are not new, but the 
impact of a cyber attack becomes more grave as every aspect of 
Government and the private sector become more reliant on cyber 
technologies. For example, communications essential to an 
effective emergency response, from the emergency alert system 
to E-911 and eventually FirstNet, all are vulnerable to cyber 
attack. The data networks and computer systems used to 
coordinate an efficient response to ensure that adequate 
resources are deployed to the appropriate locations are 
similarly vulnerable to a cyber breach.
    A cyber attack on any of these systems could severely 
undercut Federal, State, and local abilities to respond to 
disasters effectively. Moreover, we have seen a significant 
increase in cyber threats to our critical infrastructure.
    We know that disasters like Super Storm Sandy can wreak 
havoc on our power systems but rarely consider the harm that a 
malicious cyber attack could do to our electrical grid. 
Accordingly, I have introduced the SMART Grid Study Act, which 
will provide a comprehensive assessment of actions necessary to 
expand and strengthen the capabilities of our electrical power 
systems to prepare for and respond to, mitigate, and recover 
from a natural disaster or cyber attack to the electric grid. 
My legislation will go a long way to provide sector-specific 
awareness of cyber vulnerabilities and how to address them.
    We must help State governments undertake similar efforts to 
understand the cyber threats posed to their networks and how to 
address them. It is no secret that a lack of funding has 
contributed to the lack of confidence States have in their 
cybersecurity capabilities. I would be interested in learning 
how cuts to homeland security grant funding since 2011 have 
affected States' cybersecurity efforts.
    I have also heard that States have struggled to implement 
a governing structure for cybersecurity and that finding a 
workforce with the appropriate training has proven difficult. 
So I would be interested to learn how the Department of 
Homeland Security is helping States identify best practices for 
an effective cybersecurity governance structure and improve 
training for State cybersecurity workforces.
    I look forward to learning more about how State emergency 
managers are working with State chief information officers to 
understand the role each plays in responding to a cyber 
incident.
    I want to thank the witnesses for being here today and I 
look forward to their testimony.
    Madam Chairwoman, I yield back the balance of my time.
    [The statement of Ranking Member Payne follows:]
            Statement of Ranking Member Donald M. Payne, Jr.
                            October 30, 2013
    Yesterday marked the 1-year anniversary of Super Storm Sandy, which 
devastated communities all along the East Coast, and especially in my 
home State of New Jersey. Although the people of New Jersey--with a lot 
of help from the Federal Government--have begun the long effort to 
rebuild what was lost, much work remains.
    I know I am not alone when I say that the people affected by 
Hurricane Sandy can be sure that members of this panel will continue to 
work to make sure that the communities are rebuilt and the lessons 
learned are incorporated into future disaster plans.
    With that, I will turn to the topic of today's hearing: Responding 
to a cyber attack. Last month, the Subcommittee on Emergency 
Preparedness, Response, and Communications held a hearing reviewing the 
findings of the Federal Emergency Management Agency's 2013 National 
Preparedness Report. For the second year in a row, States indicated 
that--of the 31 core capabilities--cybersecurity is one of the 
capabilities about which they are least confident.
    The threats posed by a cyber attack are not new. But the impact of 
a cyber attack becomes more grave as every aspect of Government and the 
private sector become more reliant on cyber technologies. For example, 
communications essential to an effective emergency response, from the 
Emergency Alert System, to E9-1-1, and eventually FirstNet, are all 
vulnerable to a cyber attack.
    The data networks and computer systems used to coordinate an 
efficient response and ensure that adequate resources are deployed to 
the appropriate location are similarly vulnerable to a cyber breach. A 
cyber attack on any of these systems could severely undercut Federal, 
State, and local abilities to respond to disasters effectively.
    Moreover, we have seen a significant increase in cyber threats to 
our critical infrastructure. We know that disasters like Super Storm 
Sandy can wreak havoc on our power systems but we rarely consider the 
harm that a malicious cyber attack could do to our electric grid.
    Accordingly, I have introduced the SMART Grid Act, which would 
provide for a comprehensive assessment of actions necessary to expand 
and strengthen the capabilities of the electrical power system to 
prepare for, respond to, mitigate, and recover from a natural disaster 
or cyber attack to the electric grid.
    My legislation will go a long way to provide sector-specific 
awareness of cyber vulnerabilities and how to address them. We must 
help State governments undertake similar efforts to understand the 
cyber threats posed to their networks and how to address them. It is no 
secret that a lack of funding has contributed to the lack of confidence 
States have in their cybersecurity capabilities.
    I will be interested in learning how cuts to Homeland Security 
Grant funding since 2011 have affected State cybersecurity efforts. I 
have also heard that States have struggled to implement a governance 
structure for cybersecurity and that finding a workforce with the 
appropriate training has proven difficult.
    So I will be interested to learn how the Department of Homeland 
Security is helping States identify best practices for an effective 
cybersecurity governance structure and improve training for State 
cybersecurity workforces. I look forward to learning more about how 
State Emergency Managers are working with State Chief Information 
Officers to understand the role each plays in responding to a cyber 
incident.

    Mrs. Brooks. Thank you.
    Other Members of the subcommittee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                            October 30, 2013
    In 2010, former White House Counterterrorism Advisor Richard Clarke 
stated that this country's lack of preparation for a cyber attack could 
lead to a breakdown in our critical infrastructure system that would be 
like an ``electronic Pearl Harbor.'' While some may consider his 
assessment a bit exaggerated, I think we would do well to remember it 
as we begin today's hearing.
    We should also recall that in the 112th Congress, this committee 
marked up cybersecurity legislation. Unfortunately, the Republican 
leadership of the House did not allow that legislation to come to the 
floor of the House. In January, the President issued an Executive Order 
requiring certain basic steps that will improve this Nation's ability 
to protect and defend against cyber attacks.
    While I applaud the President's efforts, I must point out that an 
Executive Order cannot expand existing legal authorities. In May of 
this year, the Department of Homeland Security testified before this 
committee that the ``United States confronts a dangerous combination of 
known and unknown vulnerabilities in cyberspace.'' DHS also told us the 
Department processed approximately 190,000 cyber incidents involving 
Federal agencies, critical infrastructure, and the Department's 
industry partners--a 68 percent increase from 2011.
    Mr. Chairman, I think that we should all have concern about cyber 
attacks on critical infrastructure--especially attacks that could 
disable the electric grid. For most of us, spending a day or two 
without electricity is an inconvenience. For others, it can be a matter 
of life or death. That is why I am pleased that Rep. Payne, Jr. 
introduced H.R. 2962, the SMART Grid Study Act. If enacted, the bill 
will require a comprehensive study to examine the construction, job 
creation, energy savings, and environmental protections associated with 
fully upgrading to a SMART Grid System. The information gathered in the 
study may help us reduce the frequency and severity of outages during 
disaster events. I urge my colleagues to support this bill.
    Still, there is more to be done. We cannot begin to address the 
current threats or anticipate future vulnerabilities if we have not 
invested in the kind of education and training necessary to develop the 
next generation of cyber professionals. Federal, State, and local 
governments and the private sector are each vulnerable to cyber 
attacks. While the threats from and sophistication of hackers continue 
to grow, initiatives to address this mutual vulnerability must be 
comprehensive and coordinated. This country's history has repeatedly 
shown that a shared commitment to a common goal is necessary to achieve 
progress--from bringing electricity to the Nation to walking on the 
moon. Today, the same kind of commitment and collaboration is necessary 
to address the cyber threat.
    Like every previous movement that resulted in progress, this first 
step must be education. That is why I am pleased that yesterday, this 
committee marked up Rep. Clarke's bill, H.R. 3107, the Homeland 
Security Cybersecurity Boots-on-the-Ground Act. This bill will help 
foster the development of a National security workforce capable of 
meeting current and future cybersecurity challenges, and it will 
outline how DHS can improve its recruitment and retention of 
cybersecurity professionals.
    Mr. Chairman, I urge this committee to continue to put forward the 
kind of legislation that will help this Nation resolve our known 
vulnerabilities. More than any other committee, we must be on the 
forefront of proposing innovations and pushing forward common-sense 
solutions.

    Mrs. Brooks. We are pleased to have a very distinguished 
panel before us today on this important topic. So with that, I 
will begin the introductions of our panelists.
    Ms. Bobbie Stempfley is the acting assistant secretary of 
the Office of Cybersecurity and Communications, where she plays 
a leading role in developing the strategic direction for CS&C 
and its five divisions. Ms. Stempfley previously served as the 
deputy assistant secretary for CS&C and as director of the 
National Cybersecurity Division, a legacy CS&C division. Prior 
to her work at CS&C, Ms. Stempfley served as the chief 
information officer for the Defense Information Systems Agency.
    Next on our panel is Mr. Charley English, who was appointed 
director of the Georgia Emergency Management Agency/Homeland 
Security in February of 2006. He has served in the agency since 
1996. He began his career in public service as a local police 
officer in 1980.
    Other current responsibilities include serving as the 
president of the National Emergency Management Association, 
chair of the Governor's Commission on 9-1-1 Modernization, and 
State point of contact for the Nation-wide Public Safety 
Broadband Network. He earned a master's degree in homeland 
defense and security from the Naval Postgraduate School in 
2004.
    I now will yield to the gentleman from Mississippi, Ranking 
Member of our subcommittee, or I am sorry, vice chair of our 
subcommittee, Mr. Palazzo, to introduce our next witness.
    Mr. Palazzo. Thank you, Madam Chairwoman.
    It is my pleasure to introduce Dr. Craig Orgeron. Dr. 
Orgeron is the chief information officer and executive director 
of the State of Mississippi's Department of Information 
Technology Services. He also has the honor of serving as the 
president of the National Association of State Chief 
Information Officers.
    Dr. Orgeron has over 24 years of information technology 
experience in both the private sector and the Federal and State 
level of the public sector. He began his career as a 
communications computer systems officer in the United States 
Air Force, serving from 1988 to 1992.
    Dr. Orgeron holds a bachelor's degree in management 
information systems, a master's degree and a doctorate in 
public policy and administration from Mississippi State 
University. Dr. Orgeron is a certified public manager and a 
graduate of the John C. Stennis State Executive Development 
Institute as well as the Institute of International Digital 
Government Research and the Harvard University John F. Kennedy 
School of Government executive education series ``Leadership 
for a Networked World.''
    Thank you, Dr. Orgeron, for being here today, and I look 
forward to hearing your testimony.
    I yield back.
    Mrs. Brooks. Thank you.
    Next up is Mr. Mike Sena, who is the director of the 
Northern California Regional Intelligence Center and serves as 
president of the National Fusion Center Association. He has 
served in law enforcement for nearly 20 years, including the 
California Bureau of Investigation Intelligence, the California 
Bureau of Narcotics Enforcement, and the California Department 
of Alcoholic Beverage Control. Mr. Sena received his bachelor 
of arts degree in criminal justice from California State 
University, San Bernardino.
    I now recognize the gentleman from New Jersey, Ranking 
Member Payne, to introduce our next witness.
    Mr. Payne. Thank you, Madam Chairwoman.
    Paul Molitor serves as the assistant vice president of 
smart grid and special projects for the National Electrical 
Manufacturers Association. For 450 member companies of NEMA, he 
is responsible for monitoring the National smart grid effort 
and interfacing with electrical utilities, manufacturers, 
Federal agencies, and the U.S. Congress.
    Paul was the first plenary secretary of the NIST Smart Grid 
Interoperability Panel, is active in the SGIP cybersecurity and 
internet protocol working groups and the International 
Electrotechnical Commission Strategy Group 3 on the smart grid.
    Welcome, sir.
    Say that fast three times.
    Mrs. Brooks. The witnesses' full written statements--I want 
to thank you all for your written statements--they will appear 
in the record. Just as a reminder with the lighting system, you 
each will have 5 minutes and when you get to 1 minute you will 
see the yellow light and then the red light when your time is 
up.
    So I will now recognize Ms. Stempfley for her 5 minutes.

  STATEMENT OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY, 
OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION 
 AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Stempfley. Thank you very much, Chairwoman Brooks, 
Chairman Meehan, Ranking Members Payne and Clarke, and 
distinguished Members of the committee. It certainly is a 
privilege to appear before you today to discuss the Department 
of Homeland Security's coordination with State, local, Tribal, 
and territorial emergency managers on cybersecurity issues.
    As the Chairwoman pointed out, it is National Cybersecurity 
Awareness Month. In fact, it is the 10th anniversary of the 
beginning of National Cybersecurity Awareness Month. This week 
is an important week for us because we also transition in 
November to National Critical Infrastructure Security and 
Resilience Month, further demonstrating the alliance--the 
integration and necessary responsibility for looking at cyber 
and physical issues in a cohesive and coherent manner.
    This month of October is the month where we get to further 
engage in public and private-sector stakeholder conversations 
about how to create a safe, secure, and resilient cyber 
environment. Everyone has a role to play in cybersecurity and I 
am pleased to discuss the Department's efforts to engage State 
and local emergency managers as they build cybersecurity 
resilience into the networks and systems which they depend on 
on a daily basis.
    America's cybersecurity is inextricably linked to our 
National economic viability. IT systems are interdependent, 
interconnected, and critical to our daily lives, from 
communications, travel, powering our homes, running our 
economy, and obtaining Government services.
    DHS serves as the lead civilian Department responsible for 
coordinating National protection, prevention, mitigation, and 
recovery from cyber incidents, and we work regularly with 
business owners and operators to take steps to strengthen 
facilities and communities including the Nation's physical and 
cyber infrastructure. We are also committed to ensuring cyber 
space is supported by a secure and resilient infrastructure, 
enabling open communications, innovation, and prosperity while 
protecting privacy, confidentiality, and civil rights and civil 
liberties by design.
    Protecting this infrastructure against growing and evolving 
cyber threats requires a layered approach. The Government's 
role in this effort is to share information and encourage 
enhanced security and resilience while identifying and 
addressing gaps not filled by the marketplace.
    Providing effective cybersecurity services requires 
fostering relationships with those who own and operate 
communications infrastructure, members in the emergency 
responder community, and Federal, State, local, Tribal, and 
territorial partners. Indeed, as many of the communication 
technologies currently used by public safety and emergency 
services organizations are moving to internet-based--protocol-
based environments there is an increasing awareness of the 
cyber limitations and vulnerabilities that our emergency 
service providers will face in conduct of their mission. It is 
important, therefore, for the Department to engage not just 
with chief information officers or chief information security 
officers at the State and local level, but also the emergency 
management and other officials for whom a cyber environment is 
equally important to accomplishing their mission.
    The Department has initiated several activities focusing on 
ensuring State, local, Tribal, and territorial emergency 
managers are able to build cybersecurity resilience into those 
information and technology networks and systems upon which they 
depend.
    Several of these efforts include production and delivery of 
a cyber infrastructure risk assessment for both the Nation-wide 
Public Safety Broadband Network and the emergency services 
sector; local pilot projects with emergency managers and 
critical infrastructure partners to better understand 
interconnections between those cyber and physical 
infrastructures and potential risks presented to the Nation; 
updating the National Emergency Communications Plan in 
coordination with the public safety community, which will 
discuss how cybersecurity has become a key consideration for 
public safety officials in these new IP-enabled technologies as 
that is more readily integrated into their operations; and the 
deployment of regionally-based advisors to promote 
cybersecurity awareness, program and policy coordination, 
information sharing, and risk analysis to their partners.
    These cybersecurity advisors directly engage with State and 
local emergency centers; and partnerships with non-Federal 
public-sector stakeholders to protect critical network--for 
example, the Multi-State Information-Sharing and Analysis 
Center, which opened its Cybersecurity Operations Center in 
November 2010 and has enhanced the Department's situational 
awareness at the State and local level and allows the 
Department to provide cyber risk, vulnerability, and mitigation 
data quickly to State and local governments.
    Specifically, since 2009 the National Cybersecurity and 
Communications Integration Center has responded to nearly half 
a million incident reports and has released more than 26,000 
actionable cybersecurity alerts to public and private-sector 
partners. Of that, 7,270 were released in fiscal year 2013 
alone. That is more than 20 a day.
    DHS's servicing capabilities are designed to support 
emergency managers at all levels of engagement across 
education, planning, cyber incident response, and recovery 
activities. They are integral parts of reducing risk and 
building capabilities of our partners. As necessary, these 
relationships have to be leveraged in operational response 
efforts in order to meet those immediate and critical needs.
    I thank you for the opportunity to testify with you today 
and I look forward to answering your questions.
    [The prepared statement of Ms. Stempfley follows:]
                Prepared Statement of Roberta Stempfley
                            October 30, 2013
    Chairwoman Brooks and Chairman Meehan, Ranking Members Payne and 
Clarke, and distinguished Members of the committee, it is a pleasure to 
appear before you today to discuss the Department of Homeland 
Security's (DHS) coordination with State, local, Tribal, and 
territorial (SLTT) emergency managers on cybersecurity issues. This 
October marks the 10th anniversary of National Cyber Security Awareness 
Month, which is an opportunity to further engage public and private-
sector stakeholders to create a safe, secure, and resilient cyber 
environment. Everyone has a role to play in cybersecurity and I am 
pleased to discuss the Department's efforts to engage SLTT emergency 
managers as they build cybersecurity resilience into those networks and 
systems upon which they depend on a daily basis.
    America's cybersecurity is inextricably linked to our Nation's 
economic vitality--IT systems are interdependent, interconnected, and 
critical to our daily lives--from communication, travel, and powering 
our homes, to running our economy, and obtaining Government services. 
DHS is the lead Federal civilian department responsible for 
coordinating the National protection, prevention, mitigation, and 
recovery from cyber incidents and works regularly with business owners 
and operators to take steps to strengthen their facilities and 
communities, which include the Nation's physical and cyber 
infrastructure. We are also committed to ensuring cyberspace is 
supported by a secure and resilient infrastructure that enables open 
communication, innovation, and prosperity while protecting privacy, 
confidentiality, and civil rights and civil liberties by design.
            cybersecurity support to sltt emergency managers
    Protecting this infrastructure against growing and evolving cyber 
threats requires a layered approach. The Government's role in this 
effort is to share information and encourage enhanced security and 
resilience, while identifying and addressing gaps not filled by the 
marketplace. Providing effective cybersecurity services requires 
fostering relationships with those who own and operate the 
communications infrastructure, members of the emergency responder 
community, and Federal, State, local, Tribal, and territorial partners. 
Indeed, as many of the communications technologies currently used by 
public safety and emergency services organizations move to an Internet 
Protocol (IP)-based environment, there is an increase in the cyber 
vulnerabilities of our emergency services providers in the conduct of 
their mission. It is important, therefore, for the Department to engage 
not just Chief Information Officers (CIO) or Chief Information Security 
Officers (CISO) at the SLTT level, but also the emergency managers and 
other officials for whom a secure cyber environment is equally as 
important to accomplishing their mission.
    The Department has initiated several activities focused on ensuring 
SLTT emergency managers are able to build cybersecurity resilience into 
those information and technology networks and systems upon which they 
depend. Cyber dependencies and interdependencies require interactions 
between several different DHS organizations and SLTT partners in order 
to address this complex need. DHS has been forward-thinking as the 
reliance upon cyber systems has grown and our engagements have been on-
going.
                            previous efforts
   Regionally-Based Cybersecurity Advisors.--The Cybersecurity 
        Advisors (CSA) program was created and implemented by CS&C in 
        2010. The regionally-deployed personnel promote cybersecurity 
        awareness, program and policy coordination, information 
        sharing, and risk analysis to their partners, including 
        emergency managers. Over the last year, CSAs have had direct 
        engagement with 13 State or local emergency centers. In 
        addition, the Department has conducted Cyber Resilience Reviews 
        and assessments and provided support to numerous National 
        Security Special Events, including planning for events such as 
        the Super Bowl, and the G8 with the City of Chicago's Office of 
        Emergency Management & Communications.
   Emergency Services Sector Cyber Risk Assessment.--
        Encompassing a wide range of emergency response functions 
        carried out by five disciplines,\1\ in 2012 the Emergency 
        Services Sector completed a Cyber Risk Assessment, which 
        provides a risk profile to enhance the security and resilience 
        of the Emergency Services Sector disciplines. It is an effort 
        to establish a baseline of cyber risks across the sector, to 
        ensure Federal resources are applied where they offer the most 
        benefit for mitigating risk, and to encourage a similar risk-
        based allocation of resources within State and local entities 
        and the private sector. Emergency managers from local, State, 
        and Federal government actively participated in the development 
        process to ensure the assessment provided practical guidance 
        for the public safety community. The Department continues to 
        meet with officials from stakeholder associations such as the 
        National Emergency Management Association to discuss next 
        steps, including developing a workforce training program for 
        emergency managers in order to increase cybersecurity 
        capabilities within the emergency management community.
---------------------------------------------------------------------------
    \1\ Law Enforcement; Fire and Emergency Services; Emergency 
Management; Emergency Medical Services; and Public Works.
---------------------------------------------------------------------------
   Local Pilot Projects with Emergency Managers and Critical 
        Infrastructure Partners.--DHS is conducting three pilots to 
        better understand the interconnections between cyber and 
        physical infrastructure and the potential risks to the Nation. 
        The first pilot, initiated in 2012, worked closely with 
        Charlotte, NC emergency planners and neighboring communities to 
        examine how a potential cyber attack could disrupt 
        communications or other infrastructure operations. The work 
        provided additional ways for planners to mitigate potential 
        cyber impacts and, as a result of the pilot, commercial 
        facilities adopted additional security practices to shore up 
        potential weaknesses.
    The second pilot is underway with the State of New Jersey examining 
        the interrelationship between IT, communications, and physical 
        security. The pilot involves five water and wastewater 
        facilities and has received praise from the State Office of 
        Homeland Security and our water sector partners. As a result of 
        initial findings, water facilities have taken immediate action 
        to mitigate previously unknown vulnerabilities.
    The third pilot is a joint cyber-physical assessment of a Federal 
        facility in Washington, DC to develop a common approach for 
        identifying cybersecurity vulnerabilities affecting security 
        systems of Federally-protected facilities, including 
        electrical, HVAC, water, telecommunications, and security 
        control systems.
    The lessons from these pilots have been incorporated into our 
        integrated physical and cyber Regional Resiliency Assessment 
        Program (RRAP). This is helping strengthen the partnership we 
        already have; build new relationships between SLTT CIOs, first 
        responders, and critical infrastructure owners and operators; 
        and lay the foundation for increased collaboration to increase 
        cybersecurity resilience.
   Nation-wide Public Safety Broadband Network (NPSBN) Cyber 
        Infrastructure Risk Assessment.--The development and deployment 
        of an IP-based network for public safety will represent a leap 
        forward in communications capabilities for first responders, 
        law enforcement, and other users of the NPSBN. However, the 
        move to such a network presents a challenge for the emergency 
        management community to identify threats to and vulnerabilities 
        of cyber infrastructure in the NPSBN that could affect the 
        network's reliability and security. DHS is working with the 
        First Responder Network Authority (FirstNet) and the public 
        safety community to identify cyber risks and develop potential 
        responses to those risks. In 2013, OEC developed the NPSBN 
        Cyber Infrastructure Risk Assessment to provide FirstNet with a 
        how-to guide to address the top cyber risks that the network 
        may face, and is now working with FirstNet to ensure a more 
        resilient network design that will integrate security and 
        resilience into the overall physical and cyber aspects of the 
        NPSBN.
   Cyber Threat Information Sharing.--In June 2013, DHS 
        established ``sharelines'' in compliance with Executive Order 
        (EO) 13636 and Presidential Policy Directive (PPD)-21 to help 
        increase the volume, timeliness, and quality of cyber threat 
        information shared with U.S. private-sector entities, to 
        include SLTT owners and operators, so that these entities may 
        better protect and defend themselves against cyber threats. 
        Sharelines ``facilitate the creation and dissemination of 
        unclassified cyber threat reports to targeted private-sector 
        entities owned or operating within the United States, as well 
        as Federal, State, local, Tribal, and territorial partners'' in 
        a timely manner.
                            on-going efforts
    DHS continues to build upon the relationships we have established 
throughout the Emergency Services Sector through strategic and 
operational efforts to provide solutions to our SLTT partners. On-going 
efforts within DHS consist of:
   Update to the National Emergency Communications Plan.--DHS 
        is updating the National Emergency Communications Plan (NECP) 
        in coordination with the public safety community to enhance 
        planning, preparation, and security of broadband technologies 
        used during response operations. The Plan will discuss how 
        cybersecurity has become a key consideration for public safety 
        officials as new IP-enabled technology is increasingly 
        integrated into operations. The NECP will endorse a multi-
        faceted approach to ensure the confidentiality, integrity, and 
        availability of sensitive data. For example, comprehensive 
        cyber training and education on the proper use and security of 
        devices and applications, phishing, malware, other potential 
        threats, and how to stay on guard against attacks will be 
        recommended.
   9-1-1 Centers: Next Generation 9-1-1 and Telephonic Denial 
        of Service.--Updated 9-1-1 infrastructure utilizes public 
        voice, data, and video capabilities, which introduce new 
        vulnerabilities into 9-1-1 systems. Separately, 9-1-1 centers 
        have been targeted by telephonic denial of service (TDOS) 
        attacks that overwhelm Public Safety Answering Points' 
        administrative lines. These attacks inundate a 9-1-1 call 
        center with a high volume of calls, overwhelming the system's 
        ability to process calls and tying up the system from receiving 
        legitimate calls. DHS, through the NCCIC, has worked on the 
        development and dissemination of techniques for mitigating and 
        managing these TDOS attacks in order to allow emergency 
        management agencies to continue to provide these critical 
        services to the public.
   Protective Security Advisors (PSAs).--Within the Office of 
        Infrastructure Protection, PSAs serve as the nexus of our 
        infrastructure security and coordination efforts at the 
        Federal, State, local, Tribal, and territorial levels and serve 
        as DHS's on-site critical infrastructure and vulnerability 
        assessment specialists. PSAs have also been working with CS&C 
        to better coordinate assessments and as a result approximately 
        half of cybersecurity site assessments administered by CS&C 
        were conducted in tandem with PSAs--an example of how we are 
        working to better and more effectively integrate our physical 
        and cybersecurity efforts across NPPD and the Department.
   Multi-State Information Sharing and Analysis Center (MS-
        ISAC).--DHS builds partnerships with non-Federal public-sector 
        stakeholders to protect critical network systems. For example, 
        the Multi-State Information Sharing and Analysis Center (MS-
        ISAC) opened its Cyber Security Operations Center in November 
        2010, which has enhanced the National Cybersecurity & 
        Communications Integration Center (NCCIC) situational awareness 
        at the State and local government level and allows the Federal 
        Government to quickly and efficiently provide critical cyber 
        risk, vulnerability, and mitigation data to State and local 
        governments. Since 2009, the NCCIC has responded to nearly a 
        half a million incident reports and released more than 26,000 
        actionable cybersecurity alerts to our public and private-
        sector partners.
    Membership in the MS-ISAC consists of State and local CISOs and 
        other leadership from all 50 State governments, the District of 
        Columbia, 373 local governments, three territories, five 
        Tribes, and 24 educational institutions. It provides valuable 
        information and lessons learned on cyber threats, 
        exploitations, vulnerabilities, consequences, incidents, and 
        direct assistance with responding to and recovering from cyber 
        attacks and compromises. The MS-ISAC runs a 24-hour watch and 
        warning security operations center that provides real-time 
        network monitoring, dissemination of early cyber threat 
        warnings, vulnerability identification and mitigation, along 
        with education and outreach aimed to reduce risk to the 
        Nation's SLTT government cyber domain. This year the MS-ISAC 
        developed a plan to increase engagement with emergency managers 
        and fusion centers.
                          operational efforts
    Assuring the security and reliability of critical information 
networks is vital across all critical infrastructure sectors, including 
the Emergency Services Sector, which is charged with saving lives, 
protecting property and the environment, assisting communities impacted 
by disasters, and aiding recovery from emergencies. DHS is uniquely 
positioned to improve the cybersecurity posture of our stakeholders.
              national protection and programs directorate
    The Offices of the National Protection Programs Directorate 
interact daily with State and local officials and emergency managers on 
communications and cybersecurity issues to strengthen infrastructure, 
educate citizens, and respond to and recover from on-line threats and 
attacks.
   Cybersecurity and Communications.--CS&C maintains an overall 
        focus on reducing risk to the communications and information 
        technology infrastructures and the sectors that depend upon 
        them, as well as providing threat and vulnerability information 
        and enabling timely response and recovery of these 
        infrastructures under all circumstances. We execute our mission 
        by supporting 24/7 information sharing, analysis, and incident 
        response through the National Cybersecurity Communications 
        Integration Center (NCCIC); facilitating interoperable 
        emergency communications through our Office of Emergency 
        Communications (OEC); advancing technology solutions for 
        private and public-sector partners; providing tools and 
        capabilities to ensure the security of Federal civilian 
        Executive branch networks; and engaging in strategic level 
        coordination for the Department with stakeholders on 
        cybersecurity and communications issues. Additionally OEC has 
        strong ties to emergency managers through its outreach to 
        State-Wide Interoperability Coordinators (SWIC), State 
        officials who are the primary points of contact for 
        communications interoperability issues. These produce State-
        Wide Interoperability Plans which establish governance, 
        processes, and procedures to support first-responder 
        communication. These strong relationships also help SLTT 
        leverage other resources such as fusion centers.
   Office of Infrastructure Protection.--The Office of 
        Infrastructure Protection within NPPD leads and coordinates 
        National programs and policies on critical infrastructure, 
        including through implementation of the National Infrastructure 
        Protection Plan (NIPP). The NIPP establishes the framework for 
        integrating the Nation's various critical infrastructure 
        protection and resilience initiatives into a coordinated 
        effort, and provides the structure through which DHS, in 
        partnership with Government and industry, implements programs 
        and activities to protect critical infrastructure, promote 
        National preparedness, and enhance incident response. As the 
        NIPP is updated based on the requirements of Presidential 
        Policy Directive 21, Critical Infrastructure Security and 
        Resilience, NPPD will work with critical infrastructure 
        stakeholders to focus the revision on enhanced integration of 
        cyber and physical risk management, requirements for increased 
        resilience, and recognition for the need for enhanced 
        information-sharing and situational awareness. As we work to 
        update the NIPP we will support the Emergency Services Sector 
        to ensure that we inform first responders in their preparation 
        for cyber incidents.
                  coordinated cyber/physical response
    While the National Cybersecurity Communications Integration Center 
(NCCIC) processes incident reports, issues actionable cybersecurity 
alerts, and deploys on-site incident response fly-away teams to 
critical infrastructure organizations to assist with analysis and 
recovery efforts of a cyber incident, the National Infrastructure 
Coordinating Center (NICC) provides situational awareness of threats to 
physical critical infrastructure, incident response support, and 
business reconstitution assistance. In addition to this coordination, 
as incidents or threats occur, PSAs living in communities across the 
country provide the Department with a 24/7 capability to assist in 
developing a common operational picture for critical infrastructure. 
NPPD efforts to integrate physical and cybersecurity have provided 
benefits during incidents including:
   Hurricane Sandy.--NPPD operational efforts were able to 
        facilitate much-needed fuel deliveries to critical 
        telecommunication sites in lower Manhattan in order to fuel 
        generators and keep the facilities operational in recent events 
        like Hurricane Sandy. After PSAs were notified of the fuel 
        supply shortage, NPPD provided analysis on the wide-spread 
        impact if the telecommunications facility lost power, while the 
        NCCIC worked with its public and private-sector partners to 
        identify a fuel supply and coordinate its delivery to the 
        critical site.
   Boston Marathon Bombing.--OEC worked closely with public 
        safety agencies in the Metro Boston Homeland Security Region 
        and with the Commonwealth of Massachusetts on several key 
        emergency communications initiatives prior to the 2013 marathon 
        including observing public safety communications during 
        previous marathons and events and offering suggestions to help 
        strengthen the region's capabilities and improve coordination. 
        Three years later, DHS saw many of the recommendations from 
        this assessment in action in response to the bombings, 
        including the region's use of a detailed communications plan 
        (ICS Form 205) for the event that assigned radio channels to 
        various agencies and functions.
                               conclusion
    DHS provides a variety of services and capabilities designed to 
support emergency managers at all levels of engagement, across 
education, planning, cyber-incident response, and recovery activities. 
The services and capabilities are all integral parts of reducing risk 
and building capacity of our SLTT partners. As necessary, those 
relationships are leveraged in operational response efforts in order to 
meet immediate, critical needs. As technologies continue to advance and 
the dependencies and interdependencies between the sectors and systems 
continue to advance along with them, DHS will continue to work with 
emergency managers in a holistic fashion to plan, prepare, mitigate, 
and build resilience into those information and technology networks and 
systems upon which they depend on a daily basis. Thank you for this 
opportunity to testify, and I look forward to answering any questions 
you may have.

    Mrs. Brooks. Thank you, Ms. Stempfley.
    The Chairwoman now recognizes Mr. English for 5 minutes.

   STATEMENT OF CHARLEY ENGLISH, DIRECTOR, GEORGIA EMERGENCY 
 MANAGEMENT AGENCY, TESTIFYING ON BEHALF OF NATIONAL EMERGENCY 
                     MANAGEMENT ASSOCIATION

    Mr. English. Thank you, Chairman Brooks, Chairman Meehan, 
and Ranking Members Payne and Clarke, for your foresight in 
having this hearing on bridging the gap between emergency 
management and the cybersecurity profession.
    You know, in my profession we all have come to believe that 
the cyber threat is a very real threat but what we disagree on 
sometimes is what the extent of the consequences of that 
particular threat could be, whether or not it is just a matter 
of espionage or hackers trying to steal intellectual property 
or nation-states trying to uncover some type of technology that 
we have, or whether it is more of a theft of credit card and 
bank accounts and things of that nature, or whether or not, as 
Mr. Payne mentioned, the 9-1-1 system might be compromised in 
the middle of an event.
    So we still have a differing opinion on that but the one 
thing that we don't have a difference of opinion on, and that 
is we can never again underestimate the creativity of those who 
want to harm us. Because if there is that will they will find a 
way, whether it is the lone hacker behind the computer screen, 
whether it is a group of terrorists that want to compromise one 
of our water treatment plants or dams, or if it is a nation-
state trying to threaten us, we know that it would be a big 
mistake to underestimate that creativity and to underestimate 
the organizational skills of our enemies.
    Of course in emergency management we are all about the 
business of warnings and managing the consequences of an event. 
As I was thinking about our friends in the cybersecurity 
business I thought, you know, it would be great if we could 
develop a relationship that exists between the CIOs in the 
State and emergency managers and across the country that is 
similar to that of the meteorologists. You know, that 
relationship is on autopilot. They are monitoring the weather. 
The conversation exists on a daily basis.
    I thought about, well, you know, we have forged a new 
relationship in this country in the past 12 or 14 years with 
the law enforcement and the intel community and the emergency 
management profession. Early on that was a tough relationship 
to forge because of the security clearances and the lack of 
reciprocity and the whole information sharing and we were 
putting together a clash of cultures, if you will, because the 
emergency manager wants every agency and every person available 
to help alleviate the pain and suffering after an event and to 
help keep people out of harm's way. Naturally there are secrets 
that need to be kept, and so sometimes there was a little clash 
of cultures.
    But we have made tremendous progress in the past 12 or 13 
years in that regard and I think the same is true with the 
cybersecurity professionals and the emergency management 
community. This is a relationship that will mature and it is 
not a matter of that no one really wanted to--or didn't want to 
work together. I think everybody wanted to work together; we 
just weren't sure how we were supposed to work together.
    So I think the challenge moving forward is not necessarily 
to create a new agency or start a new grant program, but maybe 
it is on us to teach one another about our professions and 
foster that relationship for the betterment of our country.
    With that, I will yield the rest of my time. Thank you.
    [The prepared statement of Mr. English follows:]
                 Prepared Statement of Charley English
                            October 30, 2013
                              introduction
    Chairman Brooks, Chairman Meehan, Ranking Members Payne and Clarke, 
and distinguished members of this panel--thank you for holding this 
hearing today on one of the most critical issues currently facing our 
Nation. Cybersecurity and the resultant vulnerabilities and 
consequences could easily match the impact of any significant natural 
disaster, so we must analyze these threats carefully and plan to manage 
them accordingly.
    The establishment of this committee came about more than a decade 
ago in the wake of an attack which came from an under-appreciated 
threat. This morning, we stand at the precipice of another such 
attack--one from a potentially nameless, faceless, and equally under-
appreciated adversary. The threat of a cyber attack not only surrounds 
us, but also poses the additional threat of compromising the response 
and recovery efforts to the consequences of such an attack.
    Last summer, the Chairman of the House Intelligence Committee said 
he expects what he called ``a catastrophic cyber attack in the next 12 
to 24 months.''
    Earlier this year, former Secretary Napolitano said an incident on 
the scale of September 11 could happen ``imminently.''
    The Defense Science Board went even further saying ``coming cyber 
attacks could present an existential threat to the country.''
    As emergency managers, we operate in a world of consequence 
management. Accordingly, we must understand threats, protect 
vulnerabilities, and know how to manage consequences. As we examine the 
cyber threats facing this Nation, we cannot fall into a September 10, 
2001, mindset. Our actions must be pro-active and consider all 
potential outcomes. We must never say, ``it cannot happen here'' nor 
shall we fear being labeled an ``alarmist'' by merely acknowledging the 
potential devastating consequences of this already validated threat.
                               the threat
    Plenty of experts remain ready and willing to provide thoughts and 
hypotheses regarding the current cybersecurity threat. The 
vulnerabilities and resulting consequences we face in these threats 
represent the ``bottom-line'' for the emergency management community. 
Vulnerabilities are points of attack and weaknesses to be exploited. 
The emergency management community must address the consequences of 
vulnerabilities being exploited, not just the existence of 
vulnerabilities themselves. In his report to Congress of March 12, 
2013, Director of National Intelligence James Clapper outlined how ``we 
are in a major transformation because our critical infrastructures, 
economy, personal lives, and even basic understanding of--and 
interaction with--the world are becoming more intertwined with digital 
technologies and the internet.''
    Such analyses are especially concerning as we continue witnessing a 
metamorphosis of the cyber threat. Once a means by which to conduct 
espionage and steal information, the realm of cybersecurity must now 
include an analysis on the security and viability of our critical 
infrastructure. At the RSA Cybersecurity Conference on March 1, 2012, 
former FBI Director Robert Mueller stated ``to date, terrorists have 
not used the internet to launch a full-scale cyber attack. But we 
cannot underestimate their intent. In one hacker recruiting video, a 
terrorist proclaims that cyber warfare will be the warfare of the 
future.'' Only through good fortune have organized terrorist groups not 
yet taken a greater interest in cyber attacks. But such a day is 
certainly coming.
    Earlier this year, Anonymous petitioned the White House to 
recognize hacking attacks as a legitimate form of protest. Their 
solicitation argued hacking is no different than marching in an Occupy 
Wall Street protest. We must consider how such an approach can be 
combatted through our current systems and processes. Even though some 
experts believe Anonymous represents no true threat, others believe 
such an organization could bring down part of the U.S. electric power 
grid. Most recently, the homeland security community has been concerned 
with and has devoted significant resources to combatting Homegrown 
Violent Extremists (HVE). It is reasonable to conclude that these 
individuals, acting alone or in small groups, certainly have the 
motivation and expertise to conduct a cyber attack.
    Unfortunately, cyber threats represent risks far more diverse than 
most any other we face. While nation-states like Iran present a 
significant cyber threat, the greatest cyber threat from a nation 
likely comes from China where hacking stands as an official policy. 
Just recently, the Chief of Staff of the People's Liberation Army put 
the cyber threat into perspective when he suggested such an attack 
could be as serious as a nuclear bomb. Even though in his report to 
Congress Director Clapper said ``advanced cyber actors--such as Russia 
and China--are unlikely to launch such a devastating attack against the 
United States outside of a military conflict or crisis that they 
believe threatens their vital interest,'' the threat alone should be 
enough to garner the attention of the homeland security and emergency 
management community.
               addressing vulnerabilities & consequences
    Emergency managers stand increasingly concerned regarding the 
inter-connectedness of the threat and everyday life in America. 
Citizens can evacuate in anticipation of a hurricane. Strong building 
codes and safe rooms can protect lives in anticipation of earthquakes 
or tornadoes. But as we consider the breadth and depth of our reliance 
on the cyber infrastructure, the emergency response efforts regarding 
consequence management could easily overwhelm local, State, and Federal 
assets due to the interdependencies of critical infrastructure and key 
resource protection as well as the ease of vulnerability exploitation 
from a cyber attack. Consider this short list of potential hazards and 
vulnerabilities:
   Computer-controlled dams protecting a low-lying community,
   National power grids and nuclear power plants,
   Emergency Alert Systems (EAS) and 9-1-1 systems,
   Traffic systems utilized to evacuate a population,
   Banking systems ranging from Wall Street to basic on-line 
        transfers and ATM withdrawals,
   The National airline and air traffic control network,
   Complex and simple communications systems from Emergency 
        Operations Centers to the basic smartphone, and
   Water supply networks and waste management systems.
    Even many of today's commonly-used Global Positioning System (GPS), 
which relies heavily on a cyber structure, represents a potential 
target vulnerable to attack. Taken by themselves, each of these threats 
could have devastating effects. But emergency managers must consider a 
potential event impacting any number of combinations of these systems.
    The connectivity of systems today makes the consequences of a cyber 
attack more significant at all levels of government and throughout the 
private sector. Admittedly, emergency managers often defer 
cybersecurity issues to information technology (IT) officials; yet 
State IT professionals and other leaders will rely on emergency 
managers to respond to the consequences of an attack. The emergency 
management and IT communities must establish relationships and engage 
in coordinated planning and information sharing long before an event 
occurs.
    States such as Michigan continue taking a keen interest in how to 
manage the cybersecurity threat. Through robust coordination and 
planning at the State level, Michigan approaches cybersecurity with the 
same concepts as those employed when preparing for and responding to 
natural or terrorist threats.
    The Michigan Cyber Initiative brings together many State agencies 
including the Michigan National Guard, State Police, and Department of 
Technology, Management, and Budget in a coordinated effort to enhance 
detection of cyber attacks and integrate response systems. The Michigan 
Cyber Initiative integrates the Michigan Cyber Command Center, Michigan 
Cyber Defense Response Team, and Michigan Intelligence Operations 
Center to enhance prevention, early detection and rapid response, and 
control, management, and restoration. The Michigan Online Cyber Toolkit 
raises awareness and preparedness for all the components of the cyber 
ecosystem. The toolkit provides best practices and easy steps for 
safeguarding a vulnerable environment. It also offers the chance for 
users to quiz themselves, download posters and calendars, and obtain 
tip sheets on how to solve on-line problems. The toolkit is broken down 
by sectors including homes, businesses, Government, and schools.
    Michigan is clearly working hand-in-hand with various components in 
ensuring the addressing of cybersecurity across all disciplines. Even 
as these relationships continue developing in other States, however, we 
must examine how the consequences of a cyber attack will be addressed. 
Furthermore, we must complete an honest assessment of necessary 
authorities and whether they represent adequate resources to respond to 
such an attack.
                          current authorities
    As NEMA received briefings on the Quadrennial Homeland Security 
Review (QHSR) of the Department of Homeland Security (DHS), we 
inquired as to whether the Department would examine physical impacts of 
cybersecurity. They informed us that while the QHSR would include some 
examination of the consequences of a cyber attack, the Department's 
analysis of past cyber attacks reveals very few physical impacts 
constituting a significant threat to safety and life. We want to ensure 
that all potential consequences of a cyber attack are thoroughly 
considered. We feel like anything less is short-sighted and 
underestimates the ability and creativity of the enemy whether the 
enemy is foreign or domestic. Our country has on several occasions 
witnessed the creativity of those who are intent on harming us. There 
have been shoes, printer cartridges, underwear, and pressure cookers 
used as bombs and, of course, airplanes used as missiles.
    But even States struggle in addressing this threat. In a survey 
completed in February of this year, NEMA learned:
   79.1 percent of States interpret the consequences of a cyber 
        attack under statutes as ``All Hazards'' versus 20.9 percent 
        which list it as a specific hazard.
   62.8 percent of States do not maintain a law enforcement-
        specific component to any of the State statutes relating to 
        cyber-response.
   No clear best practice exists in assigning responsibility of 
        coordination of resources to prepare for, respond to, or 
        recover from a cyber attack with only 41.9 percent of States 
        citing such a directive. Of the 41.9 percent, responsibility 
        ranges from emergency management to IT, homeland security, 
        and the fusion center.
    With States remaining somewhat unclear on the appropriate course of 
action, the current lack of a cohesive National strategy at the Federal 
level is not surprising. We hope that as the response strategy matures 
the Federal Government will not over-bureaucratize the process and bury 
State and local governments in a sea of reports, guidance documents, 
and processes.
    We think it is prudent to continue the insistence of metrics and 
return on investment calculations on the millions of dollars in 
initiatives funded at DHS. Some organizations, however, such as the 
Office of Cybersecurity and Communication (CS&C) within DHS continue 
admirable work in their outreach to State and local officials. The 
effort must be comprehensive and coordinated in order to ensure all the 
nuances of the threat receive appropriate attention. Federal efforts 
must be structured in concert with States and locals rather than 
adopting a top-down approach.
    But underlying statutory authorities are equally unclear. During 
the NEMA Annual Emergency Management Policy & Leadership Forum in 
Seattle, Washington last year, a panel of experts addressed the 
statutory issue. According to the panelists including a former Adjutant 
General, a DHS Deputy Assistant Secretary, and several State Homeland 
Security Advisors, the Civil Defense Act of 1950 (81-950) represents 
the only law potentially applicable to a potential cyber attack. Since 
the original intent of this Act provided for the response to a nuclear 
attack from the Soviet Union, the time to explore the efficacy of our 
current statutory authorities is now. Current statutory authorities are 
lacking regarding cyber attacks and are currently under revision; 
however, the recent remark by President Obama that a cyber attack can 
now be classified as an ``act of war'' significantly changes the 
``environment.'' This recent change should be taken into consideration 
when speaking of statutory authorities and can be used to further 
illustrate the fluid and uncertain nature of the issue.
    Most emergency managers will turn to the Robert T. Stafford 
Disaster Relief and Emergency Assistance Act (Pub. L. 92-288). Unless 
the consequences of a cyber attack truly have catastrophic and physical 
consequences, however, the Stafford Act will be limited. Unfortunately, 
too many of the legislative fixes currently under consideration in 
Congress only address the prevention and preparedness side of 
cybersecurity. While the pre-event aspects of cybersecurity maintain a 
high level of importance, so too will the post-event considerations.
                             moving forward
    The purpose of this hearing is to ensure consequence management 
resulting from a cyber attack is recognized as a priority with emphasis 
equal to preparedness measures. As Congress considers legislative 
options, the needs of the State and locals ultimately responsible for 
the consequences of a cyber attack must be first and foremost. In May 
of last year, NEMA joined with the American Public Works Association, 
Council of State Governments, International City/County Management 
Association, National Association of Counties, National Association of 
State Chief Information Officers, National Association of 
Telecommunications Officers and Advisors, National Conference of State 
Legislatures, the National League of Cities, and the International 
Association of Emergency Managers to ask Congress for your 
consideration of key principles and values when considering 
cybersecurity legislation. The outlined principles and values include:
    1. State and local governments must be viewed as critical 
        stakeholders in National cybersecurity efforts.--Both execute 
        programs overseen and funded by Federal agencies, and 
        frequently are custodians of Federal data. They also operate 
        and manage critical infrastructure including data centers and 
        networks which are necessary for basic homeland security and 
        emergency management functions. Therefore, the Federal 
        Government must work with State and local government to share 
        threat information and to provide technical support to protect 
        computer networks and other related critical infrastructure.
    2. The Federal Government must avoid unfunded mandates on State and 
        local partners.--Public budgets are still strained at all 
        levels of government, and while State and local stakeholders 
        wish to contribute to the overall cybersecurity effort, the 
        ability to independently fund initiatives at this time is 
        unlikely. Likewise, Federal program requirements and directives 
        have traditionally hindered State and local governments from 
        potentially achieving economies of scale.
    3. Federal, State, and local governments should collaborate to 
        invest in cybersecurity awareness, education, and training for 
        public-sector employees, contractors, and private citizens.
    4. The civil liberties and privacy of all citizens must be 
        maintained while also establishing the safety and stability of 
        the internet and electronic communications.--This is especially 
        critical as governments continue to expand on-line and 
        electronic services. Safeguarding public-sector data that 
        includes personal information of citizens will require 
        cooperation and collaboration on data standards and 
        cybersecurity methodology at all levels of government.
    5. Many Federal initiatives fund internet and information security 
        programs.--However, without cross-cutting communication and 
        coordinated assets, the efforts will not realize maximum 
        efficiency and impact. If there are privacy and security 
        requirements that are pre-conditions of Federal programs and 
        funding they must be uniformly interpreted and implemented 
        across all agencies and levels.
    Earlier this year, NEMA attempted an effort to address 
cybersecurity consequences simply from the emergency management 
standpoint. A workgroup comprised of many NEMA members has worked since 
March in developing a doctrine for emergency management directors to 
consider. Unfortunately, even this effort proved more difficult than 
originally anticipated, and instead of continuing alone, NEMA has since 
joined forces with the National Governors Association (NGA) in their 
cybersecurity efforts.
    NGA recently released a ``Call to Action for Governors for 
Cybersecurity.'' The document outlines guiding principles, immediate 
actions to protect States, provides multiple examples from various 
States, and discusses a path forward. The guiding principles include 
supporting Governors, remaining actionable, reducing complexity, 
protecting privacy, employing technologically-neutral solutions, 
promoting flexible federalism, generating metrics, and promoting the 
use of incentives. NEMA looks forward to continuing our work with NGA 
as this complex issue gains increased attention.
    The combined capacity of Federal, State, and local governments to 
adequately safeguard the Nation's critical infrastructure systems 
remains essential to ensuring effective operations across the full 
spectrum of the threats we face. Furthermore, in order for communities 
to effectively manage emergency situations, cyber systems must be 
resilient to acts of terrorism, attacks, and natural disasters.
                               conclusion
    Cybersecurity represents the most complex threat and advanced 
vulnerabilities we as a Nation face. We must ensure consequence 
management resulting from a cyber attack is recognized as a priority 
with emphasis equal to preparedness measures. The challenge for all of 
us will be to examine it through a new prism, for we will fail if we 
respond the same way as always. This is not a traditional threat and 
reaches across sectors of our society which may have never before 
worked together. Cyber threats can only be addressed through 
collaboration, planning, and a deep understanding of the potential 
consequences. For if we fail either through prevention or response, the 
impacts truly could be disastrous.
    Thank you.

    Mrs. Brooks. Thank you, Mr. English.
    The Chairwoman now recognizes Dr. Orgeron for 5 minutes.

    STATEMENT OF CRAIG ORGERON, CIO AND EXECUTIVE DIRECTOR, 
    DEPARTMENT OF INFORMATION TECHNOLOGY SERVICES, STATE OF 
 MISSISSIPPI, TESTIFYING ON BEHALF OF NATIONAL ASSOCIATION OF 
                STATE CHIEF INFORMATION OFFICERS

    Mr. Orgeron. Thank you Chairs Brooks and Meehan, Ranking 
Members Payne and Clarke, and Members of the committee, for 
inviting me to speak today. I am truly honored by the 
invitation.
    As the executive director of the Mississippi Department of 
ITS, Information Technology Services, as well as president of 
the National Association of State Chief Information Officers, 
better known as NASCIO, I can report that each year States are 
facing greater numbers of evolving and sophisticated cyber 
threats. The State of Mississippi's IT systems, like systems 
from all States, face cyber attacks ranging from a few thousand 
attempts to as many as 10 million a day--some domestic, many 
international. To win this on-going battle, State IT experts 
have to be right every time while hackers need to be only right 
once.
    As these attacks continue to grow more sophisticated, both 
public and private-sector entities will need to develop better 
tools and increase collaboration to both deter attacks and plan 
a coordinated response to contain the damage from successful 
attacks. This ultimately requires a multi-sector approach with 
all levels of Government and private industry working together.
    State CIOs are, indeed, at the table in securing State 
systems. Each year NASCIO surveys its membership. Our 2013 
survey, which I have attached to my written testimony, shows 
how State CIOs are taking important steps toward building a 
more secure State IT environment. However, there are still 
known gaps.
    According to our survey data, the State CIO role in 
disaster recovery appears to be increasing yearly. State CIOs 
generally coordinate with other State officials in restoring 
and maintaining infrastructure and communication services to 
help their State respond to and recover from natural and man-
made disasters. When asked about their concerns, State CIOs put 
increasingly sophisticated threats to their systems followed 
closely by a lack of funding and inadequate availability of 
security professionals at the top of their list.
    As the Federal Government and private sector ramp up their 
defenses against sophisticated hackers, State governments are 
becoming prime targets of foreign state-sponsored entities and 
international crime syndicates. These hackers can remain in 
State systems monitoring data and waiting to unleash 
significant harm. In worst-case scenarios, a sophisticated hack 
on public safety systems or critical infrastructure could 
coincide with a physical attack or a natural disaster to impede 
the ability of authorities to respond to one or both events.
    It is well-known that when compared with the private sector 
and the Federal Government, States do not have comparable 
resources and tools to provide similar levels of protection to 
their systems despite the fact that they often maintain the 
same sensitive information and key critical infrastructure. 
This is only partly a financial issue; it is also a policy and 
a skilled personnel issue. On the latter two fronts, there is a 
great deal the Federal Government can do to help State 
governments improve preparedness and respond to cyber attacks.
    I have included many of NASCIO's policy recommendations in 
my testimony but here are five areas: First, flexibility at the 
State level. Federal resources in support to States must 
respect and bolster the State organizations. Public-sector 
cybersecurity is in its infancy. Best practices must be shared 
but diverse approaches, particularly when it comes to 
governance, information sharing, and methodology, should be 
nurtured.
    Second, increasing the workforce: Expanding Federal 
scholarships to study cybersecurity in exchange for working 
several years in the Federal Government or for State or local 
governments has a two-fold benefit of both better protecting 
our citizens and expanding available talent pools of 
cybersecurity experts.
    Third, modernizing Federal regulations: Congress should 
consider working with NASCIO and the States to update the 
Federal Information Security Management Act, or FISMA, with 
cybersecurity rules that better conform to universal, outcome-
based standards that would provide both Federal agencies and 
States with better security as well as greater efficiencies.
    Updating homeland security funding: Efforts to utilize 
existing Federal programs to better State governments in 
protecting the Nation against cyber attacks should also be 
explored. More than 10 years out from September 11, 2001, 
homeland security grants should be reformed to reflect the 
current threats faced by our States and localities.
    Last, applying what we know: NASCIO believes the National 
Cybersecurity Review, or NCSR, is an excellent opportunity to 
review our National preparedness and provide resources and 
technical assistance to fill the gaps in our defenses. Holding 
hearings such as this one and finding ways to share information 
and resources will be crucial moving forward.
    We ask that Congress continue to work with the States in 
identifying ways to protect our Nation's digital assets.
    Thank you for the opportunity to testify and your time 
today.
    [The prepared statement of Mr. Orgeron follows:]
                  Prepared Statement of Craig Orgeron
                            October 30, 2013
    Thank you Chairs Brooks and Meehan, Ranking Members Payne and 
Clarke, and Members of the committee, for inviting me to speak to you 
today. I am honored by the invitation. As we wrap up Cybersecurity 
Awareness Month it is timely that we are having this hearing on one of 
our Nation's most significant vulnerabilities.
    As executive director of the Mississippi Department of Information 
Technology Services (ITS), as well as president of the National 
Association of State Chief Information Officers, better known as 
NASCIO, I can report that each year States are facing greater numbers 
of evolving and sophisticated cyber attacks. In addition to States 
serving as a repository of sensitive data about our citizens and 
homeland, States increasingly utilize the on-line environment to 
deliver vital services, maintain critical infrastructure such as public 
utilities, and ensure our first responders receive the data they need 
in crisis situations. State government IT systems are a vital component 
of the Nation's critical infrastructure.
    Today, with this testimony, I want to provide the committee 
information on the readiness of our State governments to defend against 
and respond to major cyber attacks, as well as opportunities to 
collaborate to minimize the risk to our Nation. I hope to give you a 
sense of the threat landscape and how States and the Federal 
Government, along with the private sector, can work together to better 
secure our homeland.
    State governments are at risk from a host of new and aggressive 
security threats that require a formal strategy, adequate resources, 
and constant vigilance. Cybersecurity continues to be one of the major 
``hot button'' issues for State CIOs and one that receives increasing 
attention from Governors and other elected officials.
    State CIOs are taking the lead in securing State systems. According 
to NASCIO's 2013 survey of State CIOs, conducted in collaboration 
with TechAmerica and Grant Thornton LLP, significant improvements have 
been made in the last few years. Over three-quarters of States have 
adopted a cybersecurity framework, implemented continuous vulnerability 
monitoring capabilities, and developed security awareness training for 
employees and third-party contractors. These are key steps toward 
building a more secure State cyber environment. Unfortunately, less 
than half of States are documenting the effectiveness of the 
cybersecurity program they have in place, and even fewer have developed 
a cybersecurity disruption response plan.
    In the same survey, CIOs were asked about the major barriers they 
faced in addressing cybersecurity. The increasing sophistication of 
threats, followed closely by a lack of funding and inadequate 
availability of security professionals, topped the list. Additionally, 
the survey data reveals that only 8 percent of States have implemented 
identity and access management of State data systems across the 
enterprise, although 42 percent of respondents noted an in-process 
implementation.
    The State CIO role in disaster recovery appears to be increasing 
each year. According to the NASCIO 2013 survey almost two-thirds of 
States pursue a federated strategy to disaster recovery, with 
responsibilities split between the CIO and State departments and 
agencies. The survey also queried State CIOs regarding their role in 
helping their State respond to and recover from a natural or man-made 
disaster. The survey results show almost all CIOs see their role as one 
of coordinating with other State officials and restoring and 
maintaining infrastructure and communications services. I have attached 
the full results of this survey to my testimony today, along with the 
2012 Deloitte-NASCIO Cybersecurity Study entitled ``State governments 
at Risk,'' for your further review.*
---------------------------------------------------------------------------
    * The information has been retained in committee files.
---------------------------------------------------------------------------
    The State of Mississippi's IT systems, like systems from all 
States, face cyber attacks every day, ranging from a few thousand 
attempts to as many as 10 million per day--some domestic, many 
international. To win this on-going battle, State IT experts have to be 
right every time, while hackers need to only be right once. As these 
attacks continue to grow more sophisticated, both public and private-
sector entities will need to develop better tools and increase 
collaboration to both deter attacks and plan a coordinated response to 
contain the damage from successful attacks. This ultimately requires a 
multi-sector approach, with all levels of government and private 
industry working together. Securing systems in cyberspace, and 
responding to successful hacking attempts, has little in common with 
traditional emergency management after a disaster. Advanced cyber 
threats are much more akin to an aggressive, new strain of virus: The 
threat is diffuse, and almost impossible to prevent before it comes 
into being. In addition, just like a new viral strain, it takes time to 
properly identify and contain the virus, educate the populace about how 
to avoid contracting it, and treat those infected.
    As the Federal Government and private sector ramp up their defenses 
against sophisticated hackers, State governments are becoming a prime 
target of foreign, state-sponsored entities, and international crime 
syndicates. Sophisticated hackers may hide in IT systems for years--
creating what is referred to as an ``advanced persistent threat.'' 
These hackers can remain in State systems monitoring data and waiting 
to unleash significant harm to our Nation's financial systems, 
transportation systems, supply chain, and key utilities such as the 
electrical grid, and pipelines, to name a few. In worst-case scenarios, 
a sophisticated hack on public safety communication systems or critical 
infrastructure could coincide with a physical attack or natural 
disaster to impede the ability of authorities to respond to one or both 
events.
    Elected leaders at all levels have come to understand that 
cybersecurity is a significant issue that requires their attention. The 
National Governors Association (NGA) is working with the National 
Emergency Management Association (NEMA), NASCIO, and members of the 
private sector, to build upon this greater understanding. Based on this 
collaboration, NGA released ``A Call to Action for Governors for 
Cybersecurity,'' which provides strategic recommendations Governors can 
immediately adopt to improve their State's cybersecurity posture. By 
gaining support from the Governor's office, a State can tackle key 
issues of governance and create an authority structure that builds 
comprehensive cybersecurity across the State enterprise. It is well-
known that when compared with the private sector and the Federal 
Government, States do not have comparable resources and tools to 
provide similar levels of protection to their systems, despite the fact 
that they often maintain the same sensitive information and key 
critical infrastructure.
    This is only partially a financial issue--it is also a policy and 
skilled personnel issue. On the latter two fronts, there is a great 
deal the Federal Government can do to help State governments improve 
preparedness and response to cyber attacks.
    On policy, perhaps the single key to ensuring a substantial attack 
does not blindside us is the Federal Government facilitating greater 
information sharing between Federal agencies, the private sector, and 
State and local partners. NASCIO believes the implementation of 
Executive Order 13636 and Presidential Policy Directive 21 will be a 
first step to achieving these goals.
    As each State's cybersecurity level of maturity and governance is 
different, NASCIO would be concerned about any effort by the Federal 
Government to designate a single State entity as the responsible point 
for sharing and disseminating information between State and Federal 
entities. Such decisions should ultimately be left to each State's 
Governor to fit their model of cyber governance. Just as each State has 
different geography and vulnerabilities to extreme weather or man-made 
disasters, State Information Technology systems and the governance of 
those IT systems are very different. Federal resources and support to 
States must respect and bolster the State organizations.
    States rely on multiple external resources for threat information, 
such as the Multi-State Information Sharing and Analysis Center (MS-
ISAC), United States Computer Emergency Readiness Team (US-CERT), and 
FBI's InfraGard. States then act on this information through various 
channels: Some States have built a sophisticated cyber capacity at 
their State fusion center, others have bolstered the authority of their 
Office of Information Technology, and some coordinate with a cyber 
division of their State National Guard. The Federal Government should 
support all these approaches. Public sector cybersecurity is in its 
infancy; best practices must be shared, but diverse approaches--
particularly when it comes to governance and methodology--should be 
nurtured.
    Due to the diverse landscape at the State level, the Federal 
Government must be as inclusive as possible in disseminating threat 
information, and work outside the public safety and intelligence 
sector's traditional one-to-many comfort zone. Cybersecurity works best 
when more people have an understanding of the threats. Therefore, 
NASCIO and its members applaud the on-going effort to provide greater 
declassification of cyber threat information. We hope this will be 
followed by collaborative effort to standardize information exchange 
models for sharing threat data.
    Classified threats will always exist, though, and therefore, 
greater access to classified information is needed at the top echelons 
of State government. As of now, the U.S. Department of Homeland 
Security (DHS) will only provide State governments with two Top Secret 
clearances. Typically, these go to the Governor and their homeland 
security advisor or director of public safety. This means in many 
States, chief information officers or their chief information security 
officers are not cleared to the appropriate level to receive vital 
information from the intelligence community on the most advanced 
international threats against our networks. This should be remedied.
    Additionally, while opportunities for limited Federal assistance 
for cyber threats have been included in the National Preparedness Grant 
Program (NPGP), the formulaic structure of the program means States do 
not have enough funding to do much more than maintain legacy homeland 
security investments and administer grants to local governments. For 
NPGP to meet the current threats faced by our States and localities, 
changes will need to be made by Congress and the administration.
    Besides fixing funding models to meet the current threat, there are 
other policy efforts that can be undertaken to maximize the impact of 
existing cybersecurity resources. NASCIO believes the National Cyber 
Security Review, or NCSR, is an excellent opportunity to review our 
National preparedness and provide resources and technical assistance to 
fill gaps in our defenses.
    The NCSR is a voluntary self-assessment survey designed to evaluate 
cybersecurity management within State, local, Tribal, and territorial 
governments. At the request of Congress, DHS has partnered with MS-
ISAC, NASCIO, and the National Association of Counties (NACo) to 
develop and conduct the NCSR. The survey is now in the field and we 
expect final results to be provided in the first quarter of next year. 
Much like the Threat and Hazard Identification and Risk Assessment 
(THIRA) provides a guide for investment in traditional homeland 
security gaps, the NCSR could be followed up with the promise of 
Federal technical assistance to State and local participants who lag 
behind in vital areas. This will have the dual benefit of safeguarding 
citizen data and encouraging greater participation in National-level 
vulnerability assessments.
    NASCIO also supports efforts to include State governments as a 
participant in programs that build the public sector cybersecurity 
workforce. One of the greatest difficulties States face is attracting 
and retaining talent in this information security sector. States cannot 
compete with the salaries provided by the private sector, or the allure 
of positions in the U.S. Federal intelligence services. Federal 
scholarships to study cybersecurity in exchange for working several 
years in the Federal Government, or for State or local governments, has 
the two-fold benefit of better protecting our citizens and expanding 
the available talent pool of cybersecurity experts. Scholarships should 
be expanded to ensure those who take advantage of them can work at any 
level of government protecting IT systems.
    As many successful cyber attacks could be prevented by good cyber 
hygiene and security practices, Federal collaboration with State and 
local governments to create a culture of awareness and preparedness 
would also be a significant step forward. Just like ``see something, 
say something,'' clicking one's seat belt before driving, or even 
covering your mouth when you sneeze, public awareness and habit is one 
simple way to significantly reduce the threat.
    The Federal Government can also take steps to reduce burdens on 
State and local governments by harmonizing cybersecurity standards and 
requirements across Federal programs so State governments can provide 
more efficient and effective security of programs at a lower cost to 
taxpayers. Under the Federal Information Security Management Act, 
better known as FISMA, States are required to check certain boxes 
regarding security when taking Federal grant dollars. However, Federal 
agencies interpret these rules differently, and require different 
security standards. This often means that States must spend money on 
redundant systems to comply with a patchwork of Federal rules. It also 
means a lack of compatibility between various systems that States 
manage, which could otherwise be consolidated and more secure. Congress 
should work with NASCIO and the States to replace FISMA with 
cybersecurity rules that better conform to universal, outcome-based 
standards that would provide both Federal agencies and States with 
better security as well as greater efficiency.
    Cybersecurity is a complex issue, and we have a long road ahead of 
us to making our Nation's systems more secure. There is no single 
solution here--or in tech speak, there isn't a ``killer app.'' With the 
diffuse threat and diverse actors, cybersecurity requires a many-to-
many approach. Most public safety response efforts are command-and-
control, line-of-command efforts. Such efforts will not work when it 
comes to cybersecurity and response. With cyber attacks and the 
resultant impact, there is rarely a front line and the ``path of the 
storm'' is usually not obvious.
    Holding hearings such as this one and finding ways to share 
information and resources will be crucial moving forward. We ask that 
Congress continue to work with the States in identifying ways to 
protect our Nation's digital assets, including rapidly maturing threat 
information-sharing entities and developing a common framework that can 
serve as a roadmap and provide funding justification for State 
cybersecurity. Thank you for the opportunity to testify and your time 
today.

    Mrs. Brooks. Thank you, Dr. Orgeron.
    The Chairwoman now recognizes Mr. Sena for 5 minutes.

STATEMENT OF MIKE SENA, DIRECTOR, NORTHERN CALIFORNIA REGIONAL 
 INTELLIGENCE CENTER, TESTIFYING ON BEHALF OF NATIONAL FUSION 
                       CENTER ASSOCIATION

    Mr. Sena. Thank you, Chairman Brooks and Chairman Meehan 
and Members of the subcommittees. On behalf of the National 
Fusion Center Association I would like to thank you for the 
opportunity to share our perspective on this increasingly 
important issue.
    Back in July the Majority staff of this committee released 
a report on the National Network of Fusion Centers after 
visiting more than 30 of them. The report noted that nearly 200 
JTTF investigations have been created as a result of the 
information provided by fusion centers and nearly 300 terrorist 
watch list encounters reported through fusion centers enhanced 
existing terrorism cases.
    Those successes were enabled because the National Network 
has developed into a mechanism for regular exchange of criminal 
intelligence and terrorism threat information across 
jurisdictions. This mechanism is ready made for information 
sharing on cyber threats as well, but we have a long way to go.
    We need to recognize a couple of realities. First, a 
streamlined system of reporting, analyzing, and sharing threats 
and incidents requires leadership at the State and local level 
and the clear acceptance of what roles different partners can 
and should play. While the systems of interaction will vary 
from State to State, we need to structure relationships so that 
our personnel know where information should be flowing from and 
disseminated to.
    Second, our human resource base at the State and local 
levels has not adapted quickly enough to address the increased 
cyber threats. State and local law enforcement, homeland 
security, and emergency management functions, including fusion 
centers, must have personnel who are adequately trained to 
respond quickly and share information rapidly so that 
additional crimes can be prevented.
    The NFCA has been working over the past year with the 
International Association of Chiefs of Police, the program 
manager for the information-sharing environment, the Department 
of Homeland Security Office of Intelligence and Analysis, 
private-sector partners, and other associations to develop a 
pilot program. The pilot will be funded by the PM-ISE through 
DHS to the Center for Internet Security, MS-ISAC.
    The pilot will address needs identified by a wide range of 
stakeholders including the need for increased timeliness, 
volume, and quality of information the Federal Government 
shares with State, local, and private-sector partners; the need 
for standardization of information-sharing processes among 
various levels of government; and the development of cyber 
response best practices; leveraging current counterterrorism 
tools and processes for cyber incident handling and 
intelligence sharing; and promoting private-sector cooperation 
and information sharing.
    We expect the pilot to get underway soon and we look 
forward to updating the committee on our progress.
    I want to raise four issues that we think this committee 
should be aware of and help us think through.
    First, enhanced cooperation by Federal partners through 
more information sharing at Unclassified levels would help 
connect dots and lead to faster action. Our Federal partners 
tend to operate on the high side, but since threat information 
is coming into fusion centers from State, local, and private-
sector customers who expect timely responses, operating in a 
classified environment can slow down information flow.
    When a Classified document is created, an Unclassified 
version must also exist for dissemination. We need to get the 
classification issue right so that we can be responsive to our 
communities while safeguarding critical infrastructure and key 
resources and information assets from exploitation.
    Second, building, training, and maintaining a strong cyber 
analyst cadre within fusion centers and law enforcement should 
be a priority. We have great partners like the United States 
Secret Service, whose Hoover, Alabama facility provides cyber 
training for fusion centers and other analysts. That program 
should be a priority for new investment in the immediate future 
so that the training can reach a greatly expanded audience.
    Third, the Terrorism Liaison Officer program is a 
successful partnership between fusion center and State and 
local law enforcement, fire service, first responder, public 
health, and private-sector communities within their areas of 
responsibility. This system maximizes situational awareness and 
provides a clear mechanism for ground-level suspicious and 
criminal activity to quickly funnel leads to investigative 
agencies.
    The success of the TLO program in the physical domain 
should be extended to the cyber domain in the form of a cyber 
TLO program. Trained TLOs know what to do in the world of 
physical threats; the same should happen with cyber threats.
    City, county, and State governments, as well as CIKR owners 
and operators should be part of the cyber liaison program. This 
mechanism would ensure that investigative leads filter up to 
the appropriate agencies while regular reporting on the latest 
cyber threats can be pushed down through the network.
    Finally, every fusion center should have the ability to 
triage threat reports and develop products to help partners 
mitigate threats. Ideally, we need a constantly-updated 
automatic system that provides partners with the threat 
information--both machine- and human-readable--in real time, 
action to identify the attack, identify the associated 
indicators of compromise, and disseminate those indicators of 
compromise to partners in a timely manner. That is essential.
    Thank you again for this opportunity to share our thoughts. 
I encourage you to continue to reach out to your fusion center 
in your State or region and find out about their challenges and 
best practices.
    Thank you.
    [The prepared statement of Mr. Sena follows:]
                    Prepared Statement of Mike Sena
                            October 30, 2013
    Chairman Brooks, Chairman Meehan, Members of the subcommittees, my 
name is Mike Sena and I am the director of the Northern California 
Regional Intelligence Center (NCRIC), which is the fusion center for 
the San Francisco Bay and Silicon Valley region. I currently serve as 
president of the National Fusion Center Association (NFCA). On behalf 
of the NFCA and our executive board, thank you for the opportunity to 
share our perspective on the analysis and sharing of information on 
threats from the cyber domain that we are seeing at a rapidly 
increasing pace.
    The National Network of Fusion Centers (National Network) includes 
78 designated State and major urban area fusion centers. Every center 
is owned and operated by a State or local government entity. The 
majority of operational funding for fusion centers comes from State or 
local sources, while Federal grants--primarily through the Homeland 
Security Grant Program at FEMA--are a major source of additional 
support. Our centers are focal points in the State, local, Tribal, and 
territorial (SLTT) environment for the receipt, analysis, gathering, 
and dissemination of threat-related information between the Federal 
Government, SLTT, and private-sector partners.
    As the report on fusion centers that was released in July of this 
year by the Majority staff of the full House Homeland Security 
Committee noted, nearly 200 FBI Joint Terrorism Task Force 
investigations have been created as a result of information provided to 
the FBI through fusion centers in recent years, and nearly 300 
Terrorist Watchlist encounters reported through fusion centers enhanced 
existing FBI terrorism cases. Most fusion centers are ``all-crimes'' 
centers, meaning that they do not focus on just terrorism-related 
threats. Most centers are supporting law enforcement and homeland 
security agencies in their States and regions through analysis and 
sharing of criminal intelligence to address organized criminal threats 
and to support intelligence-led policing.
    Because the National Network of Fusion Centers has developed into a 
mechanism for regular exchange of criminal intelligence and threat 
information across jurisdictions, we are increasingly involved in 
addressing cyber threats. My center--the NCRIC--is actively involved in 
cyber threat analysis and information sharing with our Federal 
partners, other fusion centers, State and local governments in our 
region, and private-sector partners. As with any other successful law 
enforcement or intelligence effort, good relationships are at the heart 
of the matter. We must develop strong and trusting relationships with 
our customer agencies as well as with the private sector to ensure 
timely information flow. As an example of partnership development, the 
NCRIC is working with a major utilities service provider--that faces 
significant persistent cyber attacks--to assign personnel inside the 
fusion center. Once in place, this partnership will result in the 
development of capabilities to improve internal security for the 
company, but also new threat analysis and prevention capabilities for 
other critical infrastructure partners across the sector. The NCRIC 
hosts a working group including private-sector CIKR owners that meets 
regularly to discuss threats and share information.
    But my center is not the norm across the National Network. Today, 
less than half of the fusion centers have a dedicated cyber program. We 
expect that number to grow as the threats grow, but we must have 
additional resources to support the specialized training and personnel 
to further that mission. We cannot take away from our established 
missions to tackle new ones. We also must coordinate closely with other 
entities that play roles in cyber threat awareness, analysis, and 
information sharing--including the organizations my fellow panelists 
here today represent.
    The reality is that we are dealing with a growing category of 
criminal activity featuring different impacts as compared to 
traditional crime. Because the impacts are ``quieter'' and--to date--
most often bloodless, it is more difficult to make a clear case for 
investments in systematic improvements in law enforcement and criminal 
intelligence capacity to deal with these threats.
    But as we all know, the threats and their consequences are very 
real. And the threats are growing--from small, targeted operations that 
impact a family's finances to large operations that threaten an 
electric grid. Large critical infrastructure owners know who to call 
when something happens--they are likely to have existing partnerships 
with Federal law enforcement and investigative bodies. But who does a 
family call when they notice they have been violated? What about a 
small business or, even more concerning, a smaller vendor that may be 
part of an important supply chain? State and local law enforcement 
across the country are reporting increased calls related to cyber 
crime. Questions related to jurisdiction and investigative capacity are 
difficult to answer in many of these cases. But the analysis and 
sharing of threat information is essential to prevent more 
victimization.
    As the NFCA has worked with our partners in State and local law 
enforcement on this issue over the past year, it has become clear that 
we have significant needs for capability and capacity enhancements. As 
I wrote in a blog post for the Program Manager for the Information 
Sharing Environment (PM-ISE) last week, the NFCA is working with the 
International Association of Chiefs of Police (IACP), the PM-ISE, 
private-sector partners, and other professional associations to assess 
needs across the country. I want to specifically acknowledge the office 
of the Program Manager for the Information Sharing Environment, DHS 
Intelligence & Analysis, and FEMA for their recognition of the 
importance of this effort, and for moving the ball downfield. These are 
outstanding partners in our efforts and we rely on them daily.
    In August 2012, the NCRIC hosted a roundtable for cybersecurity 
stakeholders that included representatives from the financial and IT 
sectors, as well as Federal, State, and local officials. These 
participants identified two types of information sharing: (1) Fusion 
centers engaged in sharing tactical information on company or sector-
specific situational awareness; and (2) fusion centers sharing 
strategic information on threats, risks, and trends through strategic 
forums that involve both the public and private sectors. IACP partnered 
with the Department of Homeland Security to facilitate a December 2012 
roundtable to further clarify requirements for cybersecurity 
information sharing.
    Building on the momentum of the August and December events, the 
NCRIC and the IACP held the Cybersecurity Evaluation Environment Pilot 
Kick-off Event in February 2013. The first day of this 2-day event 
focused on soliciting cybersecurity information-sharing requirements 
from industry partners and developing potential Federal, State, and 
local government processes for cybersecurity information sharing with 
the private sector. Participants also discussed Government requirements 
for cybersecurity information sharing. On the second day, the 
Government participants worked to design a ``cybersecurity pilot'' that 
would advance fusion center cybersecurity information-sharing 
capabilities.
    The pilot will be funded by DHS through the Multi-State Information 
Sharing and Analysis Center (MS-ISAC) and executed in coordination with 
all appropriate stakeholders. It will focus on addressing needs 
identified by stakeholders including:
    • the need for increasing the timeliness, volume, and the 
        quality of the information the Federal Government shares with 
        State/local/Tribal government and private-sector partners;
    • the need for standardization of information-sharing 
        processes between the Federal and State/local/Tribal 
        governments and the development of cyber response best 
        practices;
    • leveraging current counterterrorism-developed tools and 
        processes for cyber incident handling and intelligence sharing;
    • enhancing the protection of State/local/Tribal networks;
    • supporting cyber crime investigations; and
    • promoting private-sector cooperation and information 
        sharing.
    We expect the pilot to get underway soon and we look forward to 
keeping the committee apprised of our actions.
    We believe it is important to recognize a couple of realities. 
First, a streamlined system for reporting, analyzing, and sharing 
threats and incidents requires leadership at the State level in each of 
our States and a clear acceptance of what roles fusion centers can and 
should play. Roles, responsibilities, and capabilities should be 
clearly understood--including by private-sector partners--and we have 
to acknowledge that we are not where we need to be. That is why efforts 
like the pilot project we are about to engage in with the leadership of 
PM-ISE and IACP are so important. While the systems of interaction may 
vary from State to State, we need structured relationships so that our 
personnel know where information should be flowing from and 
disseminated to.
    Second, our human resource base in investigative and intelligence 
settings at the State and local levels has not adapted quickly enough 
to address the increased cyber threat. Again, citizens report crimes to 
law enforcement no matter the type. Federal agencies cannot possibly 
investigate all of those crimes, even as they have a need to be aware 
of them in case they relate to other incidents in other locations. 
State and local law enforcement, homeland security, and emergency 
management functions--including fusion centers--must be resourced to 
respond to those crimes quickly and share information rapidly so that 
additional crimes can be prevented.
    As the July 2013 committee staff report on fusion centers noted, 
``Ultimately, it is the FBI's responsibility to conduct 
counterterrorism investigations. However, no single government entity 
has the mission and capacity to coordinate, gather, and look 
comprehensively across the massive volume of State and locally-owned 
crime data and SARs and connect those `dots', particularly those 
related to local crime and, potentially, the nexus between those 
criminal activities and terrorist activity. This is the principal value 
proposition for the National Network.'' This reality extends to the 
cyber threat domain.
    Next week the National Fusion Center Association will host a major 
event across the river in Alexandria, Virginia. The NFCA Annual 
Training Event will bring together fusion center directors and analysts 
from nearly all 78 centers, as well as Federal partners including DHS, 
partner associations from State and local law enforcement and emergency 
response, fire service representatives, and industry to receive 
training and share best practices. Among the training sessions are two 
separate sessions on cyber threat analysis and information sharing. 
Representatives from the Kansas City Terrorism Early Warning Group, the 
Orange County (CA) Intelligence Assessment Center, the Louisiana State 
Analytical and Fusion Exchange (LA-SAFE), the San Diego Law Enforcement 
Coordination Center, and my center--the NCRIC--will present to other 
fusion centers on effective practices and partnerships they are 
implementing in their centers. This indicates the level of interest 
across the National Network in advancing our capabilities to address 
cyber threats.
    The State of Louisiana's fusion center--LA-SAFE--has taken an 
active role in cyber threat analysis and information sharing. State, 
local, and private entities reach out to LA-SAFE when a cyber event 
occurs in their AOR. The fusion center's lead cyber analyst 
disseminates block-list information to those partners to quickly help 
strengthen their protections. LA-SAFE conducts analysis of cyber 
threats and develops intelligence reports for dissemination to relevant 
partners. To date, the LA-SAFE Cyber Unit has developed more than 40 
reports that have been shared with Federal, State, and local partners. 
Feedback to LA-SAFE--including from our Federal partners--clearly 
indicates that the information coming out of the fusion center is of 
high value.
    In one example from earlier this year, the Louisiana State 
legislature was receiving numerous phone calls from a foreign 
individual asking for the payment of a supposed debt. The numerous 
malicious calls clogged the phone lines, preventing legitimate calls 
from going in or out. The ``telephone denial-of-service attack'' 
disrupted the legislature's communications. LA-SAFE determined that 
this TDOS attack was similar to others that had occurred across the 
United States and produced and disseminated an advisory to its 
partners. Immediately afterwards LA-SAFE received numerous phone calls 
and emails from public safety answering points (PSAPs) across the 
country that had suffered similar attacks. LA-SAFE was contacted by the 
deputy manager of the National Coordinating Center for Communications 
(NCC). The NCC had received the LA-SAFE advisory from the NCCIC and 
expressed serious concern. The NCC then initiated a conference call 
with LA-SAFE, the NCRIC, NCC, NCCIC, Association of Public-Safety 
Communications Officials (APCO), National Emergency Number Association 
(NENA), FBI, and other industry representatives to coordinate a 
response.
    As a result of the coordination, multiple advisories were 
distributed from participating organizations to their customer bases. 
It has since been determined that over 200 of these attacks have been 
identified Nation-wide. These attacks have targeted various businesses 
and public entities, including the financial sector and other public 
emergency operations interests, such as air ambulance, ambulance, and 
hospital communications.
    This example of cyber threat analysis and information sharing is 
occurring on a more frequent basis across the National Network of 
Fusion Centers. Some fusion centers are collecting and analyzing 
instances of cyber attacks in their AOR, and developing products that 
are sent to other fusion centers, which enables a much larger set of 
stakeholders to prevent damaging attacks.
    LA-SAFE's recent experiences demonstrate both the opportunity and 
the need for additional focus and capacity within the network. Like 
other fusion centers that provide cyber threat analysis and sharing 
services, LA-SAFE needs more cyber analyst positions. The increasing 
threat level has already translated into increased demand for 
investigative and analytical services from fusion centers, and there is 
no sign of any slowing-down in that demand. A significant challenge for 
LA-SAFE and other centers is that cyber analysts are typically more 
expensive than traditional analysts. While physical terror threats and 
criminal activity are the primary focus of most fusion centers, the 
growing category of cyber crime means that cyber threat analysis 
resources must be strengthened at all levels of government.
    In addition, LA-SAFE and other centers believe that the system for 
interacting with Federal partners on cyber threats needs to be 
improved. Enhanced cooperation by Federal partners through more 
information sharing at the Unclassified or Sensitive-But-Unclassified 
levels would help connect dots and lead to faster information sharing 
to prevent attacks. Our Federal partners tend to operate on the ``high 
side,'' but since threat information is coming to fusion centers from 
State, local, and private-sector customers who expect timely responses, 
operating in a classified environment can slow down information flow. 
Speed is important in all investigations and prevention activities--
especially in the cyber domain. We must work with our partners to 
identify the right path forward on classification so that we can be 
appropriately responsive to our communities while safeguarding CIKR and 
information assets from inappropriate exploitation.
    Building, training, and maintaining a strong cyber analyst cadre 
within fusion centers and law-enforcement entities should be a 
priority. We have great partners like the United States Secret Service 
whose Hoover, Alabama training facility provides beginning and 
intermediate training for fusion center and other analysts. That 
program should be prioritized for new investment in the immediate 
future so that its training can reach a greatly expanded audience. The 
Multi-State Information Sharing and Analysis Center (MS-ISAC) provides 
training to State and local law enforcement to enhance cyber awareness 
and analytical capabilities. We need more of this type of training to 
ensure our analysts have the skills required to act quickly so that 
accurate, timely information can be shared broadly.
    The Terrorism Liaison Officer (TLO) program is a successful 
partnership between fusion centers and the State and local law 
enforcement, first responder, public health, and private-sector 
communities within their AORs. TLO programs train thousands of 
individuals on indicators of possible terrorist activity and reinforce 
a system of reporting of suspicious activity through the fusion centers 
and the Nation-wide Suspicious Activity Reporting (SAR) Initiative. 
This system maximizes situational awareness and provides a clear 
mechanism for ground-level suspicious activity to quickly funnel up to 
lead investigative agencies.
    The success of the TLO program in the physical terrorism domain 
should be extended to the cyber domain in the form of a ``cyber TLO'' 
program. Trained TLOs know what to do in the world of physical threats. 
The same should happen with cyber threats. City governments, county 
governments, State governments, and CIKR owners and operators should be 
part of this network. Again, maximizing situational and threat 
awareness through a systematized reporting mechanism will ensure that 
investigative leads filter up to lead investigative agencies, while 
regular reporting on the latest cyber threats by fusion centers and 
other partners can be pushed down through that network.
    Every fusion center should have the ability to triage threat 
reports and develop products to help State, local, and private-sector 
entities to mitigate the threats. Ideally, we need a constantly updated 
automated system that provides partners information--machine and human-
readable--in real time as events are happening. Investigation into the 
source of cyber attacks will occur after the fact, but action to 
identify the attack, identify the associated indicators of compromise, 
and disseminate those indicators of compromise to partners in a timely 
manner is essential.
    It will take time and money for that vision to be realized--and we 
have too little of both in the near term. In the meantime, the 
partners at this table and around the country must work together 
through the pilot project and other settings to develop policies, 
protocols, and requirements that will result in the kind of information 
sharing and threat analysis our citizens expect. In addition, a concept 
called analytical centers of excellence is being built out across the 
National Network. If a particular fusion center does not have dedicated 
cyber capabilities, then that center's personnel should know exactly 
where to go for support. Relationships should be developed and 
formalized so that centers with cyber capacity can be tapped when 
needed by other members of the National Network. This same concept is 
being applied to traditional criminal intelligence information by 
fusion centers today.
    On behalf of the National Fusion Center Association, thank you 
again for the opportunity to testify today. The members of the NFCA 
executive board and I are happy to provide you with on-going input and 
answer any questions you have. I also encourage you to reach out to the 
fusion center in your State or region and find out about their 
particular challenges and best practices related to cyber and other 
threats. We look forward to working with you on this issue.

    Mrs. Brooks. Thank you, Mr. Sena.
    The Chairwoman now recognizes Mr. Molitor for 5 minutes.

 STATEMENT OF PAUL MOLITOR, ASSISTANT VICE PRESIDENT, NATIONAL 
              ELECTRICAL MANUFACTURERS ASSOCIATION

    Mr. Molitor. Thank you, Madam Chairwoman, Mr. Chairman, and 
the Ranking Members and all of the committee Members and staff 
who have joined us today. We would like to acknowledge the 
subcommittee for holding this important hearing on a very 
timely topic, which is cybersecurity and emergency management.
    NEMA sees safe and reliable electric power as an enabler 
for first responders and supporting life-sustaining services 
like communications, food, fuel, and water in the event of a 
cyber attack. As we discuss the impacts of the cyber attack, 
direct parallels can be drawn to grid outages caused by natural 
disasters. Nothing shapes the discussion more than the lessons 
learned through the 2003 Northeastern blackout, the recent 
tsunami in Japan, the recent earthquake in Haiti, and the two 
events which affected the Congressional districts of many of 
the Members here today, Hurricanes Sandy and Katrina.
    Large-scale outages are extremely disruptive to the health 
and well-being of the affected population regardless of the 
cause. The question becomes: What are the most effective steps 
we can take to prepare for and mitigate this impact?
    In much the same way as new information and communications 
technologies are reshaping how we work, learn, and stay in 
touch with one another, these same technologies are being 
applied to the electric grid, giving utilities new ways to 
manage the flow of power. Many people refer to this as the 
smart grid. This allows us to minimize the footprint of an 
outage, maintain power to critical facilities, identify those 
affected, shunt around downed power lines to increase public 
safety, and enable faster restoration of services.
    Many of these technologies are detailed in a storm 
reconstruction guide that we produced in the wake of Hurricane 
Sandy a year ago, and we had a seminar on Capitol Hill earlier 
this year where we went through this in a fair amount of 
detail.
    When the U.S. Department of Energy established their seven 
characteristics for smart grid in 2008 it included: Optimize 
asset utilization and operate efficiently; anticipate and 
respond to system disturbances--essentially, be self-healing; 
and also, operate resiliently against attack and natural 
disaster. The key to this kind of performance is rooted in 
consensus-based industry standards.
    Standards define the interaction between entities to create 
both interoperability and cybersecurity. They allow electrical 
manufacturers to build security into the grid, which is 
preferable to installing free and open devices that are secured 
after installation. We want security built into the objects and 
not bolted on afterwards. Moreover, the standards-based 
monitoring features of the smart grid will facilitate 
communications between grid operators, emergency crews, and 
first responders.
    The bill introduced by a Member of this committee, the 
SMART Grid Study Act, by Congressman Payne, would go a long way 
to evaluating the breadth and effectiveness of the solutions 
that have been deployed to date. Since 2009 we have invested 
billions of dollars in the smart grid, and if you want to 
improve something you need the measurement. We have been 
building; it is time to measure.
    Additional considerations for the cyber future of the grid 
are contained in Executive Order 13636 and the National 
planning scenarios developed by the various sector-specific 
agencies of the Federal Government in conjunction with the 
Department of Homeland Security. Scenario 15 is entitled 
``Cyber Attack'' and it provides a doomsday scenario for a 
pervasive attack on major elements of the Nation's 
communications infrastructure, weighing this scenario against 
the cybersecurity framework being developed by NIST under 
Executive Order 13636, the implementation of which is being 
supervised by DHS. This will give our industry an appropriate 
platform to ensure that we are as prepared as possible for an 
attack.
    Finally, as a 20-year veteran of the U.S. Army and a former 
company commander and battalion operations officer I can say 
that it is one thing to have a plan but another thing to 
execute it. We should regularly conduct large-scale virtual 
exercises, like the National-level exercises in 2012, to test 
our response capabilities under the cyber attack scenario or 
the natural disaster planning scenario or a combination of the 
two. The greatest fear of our industry is that someone would 
launch a cyber attack in conjunction with a natural disaster, 
which would increase its impact.
    The military performs these kinds of exercises with great 
frequency and great success. It would be a good idea for us to 
figure out how we can structure regional, more detailed 
exercises under DHS for the civilian agencies and companies 
associated with the critical infrastructure, like the upcoming 
NERC event you mentioned earlier.
    I want to thank the subcommittees for allowing us to 
testify today and I look forward to your questions and 
comments.
    [The prepared statement of Mr. Molitor follows:]
                   Prepared Statement of Paul Molitor
                            October 30, 2013
    Chairmen Brooks and Meehan and Ranking Members Payne and Clarke, I 
thank you and the Members of the subcommittees for inviting me to 
testify today on cybersecurity and emergency management.
    I am Paul Molitor, assistant vice president at the National 
Electrical Manufacturers Association (NEMA). NEMA is the association of 
electrical equipment and medical imaging manufacturers, founded in 1926 
and headquartered in Arlington, Virginia. Its 400-plus member companies 
manufacture a diverse set of products including power transmission and 
distribution equipment, lighting systems, factory automation and 
control systems, and medical diagnostic imaging systems. The U.S. 
electroindustry accounts for more than 7,000 manufacturing facilities, 
nearly 400,000 workers, and over $100 billion in total U.S. shipments.
    On behalf of the 400-plus member companies of NEMA, I am 
responsible for all internal and external communications relating to 
NEMA's Smart Grid strategic initiative including interfacing with 
electrical utilities, manufacturers, State and Federal agencies, and 
the U.S. Congress. Prior to coming to NEMA, I had an established career 
in the communications industry building data networks in Top Secret 
environments and large, commercial public networks for the internet 
divisions of both BellSouth in the southeastern U.S. and globally for 
WorldCom. More recently, I spent time working with artificial 
intelligence systems in several Federal programs dealing with systems 
of systems, intelligence analysis, and National defense. Having this 
background has been a good fit for Smart Grid as we seek to bring 
additional communications and intelligence to the electric grid.
    I was the first plenary secretary of the NIST Smart Grid 
Interoperability Panel (SGIP), founded the SGIP's International Task 
Force, participated in the cybersecurity committee, and served as the 
founding director for SGIP's industry-operated successor SGIP 2.0, Inc. 
I've also served as secretary of the U.S. Technical Advisory Groups for 
the International Electrotechnical Commission (IEC TAGs) for the Smart 
Grid strategy group (SG3) and the Smart Grid user interface committee 
(PC 118). I was named to the Canadian Task Force on Smart Grid 
Technologies and Standards (TF-SGTS) and serve on the Carnegie Mellon 
University Software Engineering Institute's Smart Grid Maturity Model 
(SGMM) stakeholder panel.
    NEMA believes this hearing is incredibly important. Our Nation 
faces unprecedented cybersecurity threats that endanger not only our 
way of life, but our very health and safety as well.
    One year ago Superstorm Sandy struck the eastern seaboard and had a 
devastating impact on so many lives and the economies of a wide swath 
of States. Sandy brought out the best in our first responders, 
emergency managers, Government officials, and everyday Americans.
    The electric grid is essential to public health and welfare. So 
when Sandy knocked out power for millions of Americans, first 
responders, utility operators, and emergency managers sprung into 
action. Restoring power is part and parcel of emergency management.
    Of course, it is not difficult to imagine a scenario in which the 
electric grid is shut down not by a natural disaster but instead, 
through a cyber attack.
    Whatever the cause, resilient and reliable power is critical for 
first responders, communications, health care, transportation, 
financial systems, water and wastewater treatment, emergency food and 
shelter, and other vital services.
    Much of our electric grid was built in the 20th Century but is 
facing 21st Century threats. New technologies are being manufactured 
and implemented today to transform the grid. When smart technologies 
are in place, power outages are avoided or minimized and lives, homes, 
and businesses are better protected.
                          The Smart Grid's Role
    In much the same way as new information and communications 
technologies are reshaping how we work, learn, and stay in touch with 
one another, these same technologies are being applied to the 
electrical grid, giving utilities new ways to manage the flow of power.
    A Smart Grid is an electrical transmission and distribution system 
that uses technologies like digital computing and communications to 
improve the performance of a grid, while enabling the features and 
applications that directly benefit the consumer.
    A Smart Grid is not an all-or-nothing proposition; there are 
gradations of ``smartness.'' As the electrical grid is modernized with 
advanced technologies, it becomes smarter. Given the diversity in 
electrical systems and the wide range of available Smart Grid 
technologies, there is no one method to measure the smartness of an 
electrical system. What matters is performance.
    The basic operation of Smart Grid technologies is designed to give 
the utility company and the consumer (residential, commercial, and 
industrial) more control over the electricity supply.
    On the consumer side, this means more information about--and thus 
greater control over--the charges that appear on individuals' electric 
bills.
    For utility companies and other grid operators, this means 
acquiring better situational awareness to know what is happening on the 
grid and to better manage it.
    By applying information and communications technologies and basic 
computing power to the electrical grid, utilities can not only minimize 
the footprint of an outage, but also identify those affected, shunt 
around downed power lines to increase public safety, and enable faster 
restoration of services.
    For example, when disturbances are detected in the power flow, 
modern circuit breakers can automatically open or close to help isolate 
a fault. Much like a motorist using his GPS to find an alternate route 
around an accident, this equipment can automatically route power around 
the problem area allowing electricity to continue to flow to the 
customer.
    Circuit breakers and other electrical devices in the field have the 
ability to communicate their status to help utilities identify 
potential problem areas, including outages or conditions that might 
result in an outage. Coupling this kind of automated activity with 
feedback from advanced electric meters would help restore service to 
the greatest number of customers even before the first truck rolls out 
of the utility service shop.
The Cyber Threat and the Electric Power Industry's Response
    Like any infrastructure that is connected to a network, the 
electric grid faces cybersecurity threats which are increasing as each 
day goes by.
    Protecting the Nation's electric grid and ensuring a reliable, 
affordable supply of power are the electric power industry's top 
priorities. Cybersecurity incidents have the potential to disrupt the 
flow of power to customers or reduce the reliability of the electric 
system. Key to the success of this effort is the ability to protect the 
grid's digital overlay against interruption, exploitation, compromise, 
or outright attack of cyber assets, whether through physical or cyber 
means, or a combination of the two.
    The electric power industry takes cybersecurity threats very 
seriously. While new digital automation and technological advancements 
can introduce new vulnerabilities, these technologies also provide 
better situational awareness and help detect threats before an attack. 
As such, protecting the grid requires a collaborative effort among 
electric utility companies, the Federal Government, and the suppliers 
of critical electric grid systems and components--both hardware and 
software. Utilities are required to deliver affordable, reliable, and 
secure electricity, while manufacturers have an obligation to ensure 
that the same qualities are present in their equipment.
    An infrastructure as massive as the electric grid which has been 
referred to as the world's largest machine cannot be simply taken out 
and replaced with the ultimate in cybersecurity. In other words, we 
cannot ``gold plate'' the entire electric grid, implementing the 
highest levels of security at every point along the distribution 
network. But a few techniques that have proven to be effective in 
sensitive operating environments in the Nation's Information Technology 
(IT) infrastructure will help ensure greater resiliency.
    The first is segmentation. In order to control the cost of 
deployment, regulators need to consider the overall security 
architecture in their rulemaking decisions. As with the electric grid 
itself, the ability to isolate security issues and insulate core grid 
functionality from their effects is equally important as the strength 
of the security measure.
    A second is layering. As with segmentation, the aspect of security 
layering needs to be considered during rulemaking. Individual security 
measures should not be considered in a vacuum, but rather in the 
context of how they contribute to the overall security architecture of 
the system. It would be important to define rules and guidelines for 
the levels of layered security required as a function of the 
criticality of a device, its functions, the impact on the surrounding 
segments of the grid, etc.
    A third is decentralization. When we think about the computing 
environment of the 1960's, 70's, and 80's, it was dominated by 
mainframe systems and centralized control of information and 
processing. With the advent of the personal computer, this migrated to 
a much more decentralized model in the 1990's and beyond making access 
to computing resources much easier and more reliable for everyone. The 
same holds true with electricity as distributed generation, energy 
storage, microgrids, and net-zero energy designs and technologies 
become more available.
    When an outage strikes, the effects often stretch far beyond the 
initial impact zone. Regional outages inhibit the ability to protect 
those in danger and provide basic needs such as food, sanitation, and 
shelter. We could recover more quickly if islands within each area 
could maintain power and serve as centers for critical services and 
recovery.
    A microgrid can isolate itself via a utility branch circuit and 
coordinate generators in the area, rather than having each building 
operating independently of the grid and using backup generators. Using only 
the generators necessary to support the loads at any given time ensures 
optimum use of all the fuel in the microgrid area.
Importance of Codes for Grid Resiliency
    Of course, electric infrastructure isn't only transmission lines, 
substations, and transformers. It doesn't stop at the electric meter 
outside the building. Indeed, you could argue the grid extends to any 
end-use device you have plugged into an electrical outlet. Buildings 
consume some 70% of all energy produced and are the place where so much 
of modern life exists.
    Emergency managers should recognize the importance of adopting the 
latest electrical code. The National Electrical Code (NEC) ensures that 
new construction and major renovations are built with the latest 
technology, which will make a facility as safe as possible both for 
those who become trapped in it during the emergency and for the 
first responders who may have to breach the building envelope in order 
to stage a rescue operation. A robust emergency plan involves ensuring 
that updated codes are in place today to improve the outcome should 
disaster strike.
    A corollary here is the energy efficiency of a building; energy 
codes establish baseline levels of efficiency. In the event of cyber 
attack, the best-prepared buildings will have a degree of back-up 
generation or may be part of a microgrid which is connected to some 
back-up generation. It stands to reason that a given amount of 
generation during the wider grid outage will be able to power more 
critical electrical loads or a given number of electrical loads for a 
longer period of time, as those loads' levels of energy efficiency are 
improved. In other words, energy efficiency allows us to do more with 
less during a grid outage.
    NEMA is encouraging States and localities to stay current on code 
adoption.
Recent Congressional Activity
    Some recent Congressional activity is worth noting.
    Speaking of energy efficiency, Sen. Gillibrand has legislation 
which amends the Stafford Act to allow a recipient of assistance 
relating to a major disaster or emergency to use the assistance to 
replace or repair a damaged product or structure with an energy-
efficient product or energy-efficient structure. When disaster strikes 
we should take the opportunity to prepare for future disasters by 
rebuilding the smart way, and energy efficiency is part of this, as 
described earlier.
    Emergency managers and State and local officials are on the front 
lines for weeks after a major disaster. Often they are supported by the 
Federal Government in terms of resources, coordination, and manpower, 
but also in terms of funding to rebuild.
    In the wake of Superstorm Sandy, NEMA encouraged Congress to allow 
Federal rebuilding funds to be used not only to replace damaged 
electrical equipment but to replace it with advanced technologies that 
allow the grid to become more resilient going forward.
    The Senate version (H.R. 1, 112th Congress) of the Sandy 
Supplemental appropriations bill included the following language.

``SEC. 1105. Recipients of Federal funds dedicated to reconstruction 
efforts under this Act shall, to the greatest extent practicable, 
ensure that such reconstruction efforts maximize the utilization of 
technologies designed to mitigate future power outages, continue 
delivery of vital services and maintain the flow of power to facilities 
critical to public health, safety and welfare.''

    Unfortunately the bill that passed the House and was signed into 
law did not include such language. This approach should be considered 
in any future disaster bill as a way to boost the resiliency of the 
electric system and ultimately lessen the impact of cybersecurity and 
other grid-impacting events.
    Finally, on a much broader level, NEMA believes that Congressman 
Donald Payne's SMART Grid Study Act (H.R. 2962), which authorizes a 
study of the costs and benefits of developing a Smart Grid, would go a 
long way in proving the case--to those who remain unconvinced--that the 
Smart Grid is an investment worth making to make the electric grid 
stronger, safer, and more resilient. Investment in the Smart Grid is 
happening today across the country and around the world. Yet policy 
barriers remain to its full implementation.
    A comprehensive study such as this, to be conducted by the National 
Research Council with input from the Department of Homeland Security 
and other relevant agencies, includes an in-depth review of the 
vulnerabilities of the electric grid to cyber attack.
                the importance of industry-led standards
    In addition to the obvious human toll a breach in cybersecurity 
could bring, from a manufacturer's perspective it could involve 
countless hours of research and development staff time, contractors, 
and consultants, which would be a considerable financial burden on the 
utilities and manufacturers alike. The implementation of those patches 
would involve potential changes to the manufacturing process, 
deployment of patches to the installed base, product recalls, rebates 
and many other expensive options, not to mention the potential for 
lawsuits, both valid and frivolous, based on the potential outages 
described above.
    An additional interest of the manufacturers is standardizing on 
common approaches to cybersecurity across utility areas of control as 
well as State boundaries. It is critical to invest the time and 
resources upfront to select the optimal architecture, minimize risks, 
and attain a reasonable balance between costs and security. 
Additionally, there exists a need for States to work together in order 
to provide utilities with a uniform security implementation approach. 
If public utility commissions do not lead with a common approach, then 
it will be very difficult for utility companies, manufacturers, the 
National Institute of Standards and Technology (NIST), and Standards 
Development Organizations (SDOs) to coordinate their security standards 
development efforts, increasing the level of difficulty for 
manufacturers to provide interoperable solutions. The corresponding 
drop in interoperability could also lead to a lower quality of service 
to electricity customers.
    The key to achieving the kinds of success described in this 
testimony is to rely on proven, industry-based standards. NEMA, along 
with a number of our NGO peers, retains accreditation through the 
American National Standards Institute as a standards developing 
organization (SDO). Products made from consensus-based industry 
standards are the first step in achieving interoperability.
Smart Grid Interoperability Panel: Private-sector-led Voluntary 
        Standards Processes for Cybersecurity
    Because we live in an increasingly-connected world, 
interoperability has become a bedrock concept. The NIST effort through 
their Smart Grid Interoperability Panel (SGIP) focused on industry 
standards and their role in delivering the features and functionality 
for Smart Grid. Consensus-based standards ensure that devices achieve a 
minimum level of performance, whether that is in terms of safety or 
electricity delivery, with consistency and reliability. They also 
provide a uniform management information base (MIB) that allows 
operators to seamlessly trade management data to achieve successful 
operations in the segmented, layered, and distributed environment 
described above. Industry-based security standards further ensure that 
security measures can be properly vetted by the global security 
community. The practice of ``security by obscurity'', where security 
measures were individually developed and implemented without review, is 
not nearly as reliable as a publicly-tested and fully-vetted security 
scheme. Identifying cybersecurity standards through a body like NIST 
allows manufacturers to make sure that cybersecurity is built into the 
products and solutions they offer rather than being bolted on by the 
grid operator at installation.
NIST Cybersecurity Framework
    The recently-released Executive Order for cybersecurity in the 
critical infrastructure (EO 13636) provides a template for the 
relationship between industry and Government. EO 13636, along with its 
predecessor legislation the National Technology Transfer and 
Advancement Act (NTTAA, Pub. L. 104-113) and its implementation through 
OMB Circular A-119, describes the role of Federal agencies for securely 
implementing information technologies in the Federal Government. 
Essentially these laws stipulate that the Government shall use industry 
standards to the greatest extent possible, vetted through NIST, and 
installed under the practices identified by the sector-specific Federal 
agency. The NIST framework developed under the guidance of EO 13636 
adheres to this convention, establishing an effective public-private 
partnership for the implementation of cybersecurity measures in 
critical infrastructure.
Incentives for Voluntary Participation in NIST Framework and/or 
        Information Sharing
    As we've seen in the information technology industry, information 
sharing about persistent electronic threats is a key component of 
security performance. When an electronic attack is in process, 
companies like Internet Security Systems and Dell SecureWorks detect 
and analyze those threats and provide that threat information to their 
customer base. The only way they can be successful in this is if their 
customers openly and willingly provide threat and attack information to 
them.
    In order for threat analysis of critical infrastructure to be 
successful, electric utilities and others involved in the electricity 
supply chain need to be similarly forthcoming. This may mean that some 
form of inducement may be necessary in order to secure maximum 
participation. These don't necessarily need to come in the form of tax 
policy or direct financial incentives from the Federal Government, but 
something as simple as liability limitations for manufacturers and grid 
operators who have access to threat information that share it willingly 
with DHS or the appropriate sector-specific agency.
Privacy
    NEMA member companies are dedicated to the protection of 
electricity subscriber privacy and personally identifiable information 
(PII). This is another area where consensus-based industry standards 
will play a role. Effective legislation or regulation regarding 
subscriber privacy needs to be based on common terminology and privacy 
concepts. This has previously been applied to other areas such as 
patient information in the administration simplification section of the 
Health Insurance Portability and Accountability Act (HIPAA, Pub. L. 
104-191). Adaptations of these principles should apply to the 
electrical subscribers.
                      responding to a cyber event
    A front-line resource from the manufacturers of electrical 
equipment during any emergency is the NEMA Field Representative 
Program. NEMA field reps are building code and electricity subject 
matter experts. As experience masters in electrical systems, they have 
the kind of jack-of-all-trades knowledge necessary to deal with 
emergency situations. The NEMA field reps serve as a gateway to all 
400-plus members of the association and can provide company- and 
product-specific advice as well as contacts within member companies who 
can help respond. The member company technical resources can then work 
with their utility company customers to safely restore power and 
ultimately repair the damage.
National Planning Scenarios Must Focus on Interoperability
    DHS's work on the National Planning Scenarios gives them an 
appropriate entry point into the cybersecurity policy discussion. 
Scenario 15 of the National Planning Scenarios is titled ``Cyber 
Attack'' and includes the following General Description:

``This scenario illustrates that an organized attack by the Universal 
Adversary (UA) can disrupt a wide variety of internet-related services 
and undermine the Nation's confidence in the internet, leading to 
economic harm for the United States. In this scenario, the UA conducts 
cyber attacks against critical infrastructures reliant upon the 
internet by using a sophisticated C2 network built over a long period 
of time.''

    This, coupled with their role as defined in EO 13636 makes DHS the 
ideal place to host the analysis and evaluation of emergency 
preparedness testing for all elements of the critical infrastructure 
based on the current global threat profile.
    NEMA has worked with DHS in this capacity in the past including a 
contract for the Digital Imaging for Communications in Security (DICOS) 
protocol associated with TSA electronic screening systems for airport 
operations. Two important features of DICOS are that it contains the 
appropriate protections for information privacy (being based on a 
corresponding medical imaging protocol named DICOM), and that an 
integrated threat model was part of the design consideration.
    Essentially all of the tools and roles for DHS exist in other 
contexts, so the challenge will be to bring them together for the 
participation in cybersecurity event management. A future consideration 
should be a large-scale virtual exercise to test our response 
capabilities under the cyber-attack or natural disaster planning 
scenarios, or a combination of the two. The military performs this kind 
of exercise frequently with great success. It would be a good idea for 
us to figure out how we can structure a counterpart under DHS for the 
civilian agencies and companies associated with the critical 
infrastructure. Performed in real time, DHS can inject cyber events 
into the scenario exercise that would stress the communications and 
management capabilities of infrastructure service providers as well as 
Federal, State, and local agencies. The participants would then be 
compelled to respond to make sure they had the appropriate protections 
and contingency plans in place.
    In closing, let me restate NEMA's commitment to improving the 
resiliency of the electric grid. We are willing partners with 
Government and industry in the effort to protect Americans from the 
threat of cyber attack and to help our country respond when disasters 
strike.

    Mrs. Brooks. Thank you, Mr. Molitor.
    I now will recognize myself for 5 minutes of questions. 
Like to start out with Ms. Stempfley.
    The After-Action Report for the National Level Exercise 
2012 was released this summer. Can you please give us an update 
on the Office of Cybersecurity and Communications' efforts to 
work with other Federal agencies--specifically FEMA--as well as 
the State, local, and private-sector stakeholders to address 
the issues that were identified after this cyber exercise?
    Ms. Stempfley. Thank you, ma'am. Yes. Absolutely.
    The National-Level Exercise was the first exercise where we 
had a cyber and physical scenario performed at this level. It 
was the attempt to bring together all of our stakeholders and 
look at how clear we had put roles, responsibilities, and 
execution and resources towards the specific problem. We were 
pleased to learn a number of lessons from that exercise, to 
include how to partner and the role the private sector must 
play in this very important mission area.
    We have been undergoing a series of after-action 
activities, which range from the development of specific, more-
focused exercises and action plans so that when a particular 
event might occur either in a sector or at a location we have 
playbooks available for that. These are being developed as a 
community, so not just DHS with FEMA but DHS with our 
stakeholder partners in the private sector, as well, with State 
and locals and other activities.
    As a matter of fact, we worked with the energy sector to 
execute what we called the Poison Apple exercise not too long 
ago, which was one of these exercises testing a playbook of a 
particular scenario in the electric sector.
    Mrs. Brooks. Specifically, I am glad you bring up the 
electric sector, because as I mentioned, I just met with 
representatives from our energy sector just this last month and 
an issue that they brought up, which actually came up in a 
mark-up of bills yesterday, involved security clearances and 
the difficulty and the backlog in the issuance of security 
clearances for the private sector.
    Can you please discuss that issue a bit and whether or not 
you are aware of the clearance backlog on the issuance process 
and is there anything that we can do to help you address--
because it was my understanding from--and I had a number of 
private-sector companies that expressed that frustration, and 
it seems to me that if we are truly going to have this 
partnership, particularly with respect to a response, can you 
address this issue of security clearances?
    Ms. Stempfley. So one of the things that we all know and my 
colleague pointed out is we are not going to clear ourselves 
into solving these problems. So we are actively working on 
share lines and reducing information to FOUO and Unclassified 
activities. That is not to say that there are not times when 
clearances are required nor are we walking away or any of that 
from the security clearance issue.
    My colleague, the assistant secretary for infrastructure 
protection, is very focused on this. Respectfully, I would like 
to take the question for the record and have her help----
    Mrs. Brooks. Who would that be?
    Ms. Stempfley. Caitlin Durkovich.
    Mrs. Brooks. Okay. Thank you. We would be very interested 
because it appears to be an issue that is causing a lot of 
concern in the private sector and we certainly respect the 
importance of security clearances but we must find a way to 
communicate and work together.
    Ms. Stempfley. Yes, ma'am.
    Mrs. Brooks. Thank you.
    Like to ask Mr. Sena: When you talked about the fusion 
centers--and I have visited my fusion center and also would 
encourage others on the committees to visit their fusion 
center--yours is one of the small number of fusion centers in 
the National Network proactively incorporating cybersecurity 
into its mission, and I applaud you for that. What Federal, 
State, and local partnerships have you developed to help the 
NCRIC contribute to this important mission?
    Mr. Sena. Thank you, Madam Chairwoman.
    As far as the development of our fusion center capability--
sorry. Thank you.
    As far as our--still getting a little feedback here, but--
the development of our center, we have been able to work 
closely with actually centers across the country to develop a 
cyber information network for exchanging information and then 
developing partners from the private sector to collaborate and 
actually provide them with timely information as well as 
working with our Federal partners from the FBI, from our 
partners in the Secret Services who are working the criminal 
angles of cyber threats, to be able to develop a network.
    We are actually in the process right now of bringing in 
private-sector personnel to support that effort so that they 
are in an environment where we can share that information with 
them and develop products that they need. We have been working 
on that over the past year-and-a-half to develop a program and 
we are working right now to that National pilot to involve 
other centers and really develop centers of analytical 
excellence in the field of cybersecurity.
    Mrs. Brooks. Well, we look forward to you sharing that work 
with other fusion centers around the country.
    I see that my time is expired and I am now going to 
recognize the gentleman from New Jersey, Mr. Payne, for any 
questions he might have.
    Thank you.
    Mr. Payne. Thank you, Chairwoman Brooks.
    First I would like to thank Ms. Stempfley for discussing 
the New Jersey pilot project with critical infrastructure and 
emergency managers. I am very interested in learning, you know, 
about the pilot and hope that you can come back and discuss 
that with me at a later date.
    Let's see. This question is for you, as well. Each witness 
here has discussed the urgent threat a cyber attack poses and 
that it is critical that the Government and the private sector 
take immediate action to beef up its cybersecurity efforts.
    Earlier this month the Government was shut down for 16 days 
and I am interested in learning how that affected our cyber 
activities. Can you discuss how the Government shut-down 
affected cybersecurity efforts and which programs were 
furloughed and what projects were delayed as a result of that?
    Ms. Stempfley. Certainly the Government shut-down was a 
traumatic event for the staff in the Office of Cybersecurity 
and Communications. Important functions that were considered 
exempt associated with immediate loss of life or property were 
sustained during that period, including functions in the 
National Cybersecurity and Communications Integration Center, 
so our important information-sharing activities on threats that 
were on-going in that moment continued during this time frame.
    Unfortunately, we had to suspend efforts in some other 
important activities, including workforce development, 
including outreach and awareness, and including engagement with 
many of our partnership and stakeholder engagement efforts. So 
all of our sector-coordinating council activities and planning 
activities were suspended during this time period.
    Mr. Payne. Okay. So those are the programs that were 
furloughed?
    Ms. Stempfley. Yes, sir.
    Mr. Payne. Okay. So how did it affect us in terms of our 
ability to thwart off these attacks?
    Ms. Stempfley. We focused during the furlough period on 
those efforts that were instantaneous or immediate--those 
monitoring of Government networks against threats and 
protection and defense measures about activities that were 
currently on-going. No progress was made during that period on 
programmatic activities and so future efforts nor planning 
activities occurred. So during this period we were required to 
focus exclusively on the near-term and real-time efforts of the 
Department.
    Mr. Payne. So we could only focus on what was right before 
us at that time.
    Ms. Stempfley. Yes, sir. The requirement was we had to 
consider as exempt activities only things that were about the 
immediate loss of life or property.
    Mr. Payne. Would you consider us being more vulnerable at 
that time?
    Ms. Stempfley. It certainly was a time where there were not 
as many eyes on the Federal networks and it was a period where 
the vulnerability and the threat environment are something we 
are concerned about.
    Mr. Payne. At our full capability do you feel there are 
enough eyes on it when we are at full deployment?
    Ms. Stempfley. I don't believe you will hear anyone from 
the Office of Cybersecurity and Communications acknowledge that 
the resources in this particular mission area are commensurate 
with the threat that we undergo, and so there certainly is more 
work to be done in that area. We have important programs, 
including continuous diagnostics and mitigation and the 
Einstein programs, which are a part of helping put automation 
into the Federal networks, and the Enhanced Cybersecurity 
Service, which is about helping to share information for 
protection with critical infrastructure.
    Mr. Payne. Okay. Thank you.
    Mr. Molitor, as you know, I have been a strong proponent of 
smart grid technology. Can you talk about how smart grid 
technology will improve resiliency in the event of a cyber 
incident?
    Mr. Molitor. Yes, sir. Thank you.
    The nature of a smart grid--and it comes from those 
performance objectives that were laid out by D.E., the whole 
idea that the grid should be able to react to disturbances and 
be somewhat self-healing. So the idea that if a cyber attack 
happens when the more intelligent grid than what we have today 
will be able to do is to be able to shunt around the areas that 
are affected. It doesn't matter whether that is an effect that 
is caused by a natural disaster, a man-made disaster, or a 
cyber attack.
    So ideally what we want to do is contain the damage, and 
Madam Chairwoman this morning cited the television program this 
weekend, and that is an example of a cascading event, and what 
we really want to do is avoid that and that is what the 
technologies through the smart grid will enable.
    Mr. Payne. Right. So in layman's terms, I, you know, was 
interested, you know, when you say you have a blackout at your 
home, you contact the utility, utility has to contact workers 
to go out to your home and start from that point and work their 
way back.
    Mr. Molitor. Right.
    Mr. Payne. What the smart grid technology would allow is 
almost for that affected area to contact the utility to say, 
``There is a problem in this area,'' which alleviates that 
working back and finding the issue and then figuring out what 
was wrong and then correcting it and getting it--so the smart 
grid technology would allow us to be proactive in protecting 
the grid and almost alerting us prior to the issue being 
created.
    Mr. Molitor. Yes. Absolutely. The analogy that we have used 
in the past is like the dashboard on your car. You know, you 
have got the regular speedometer, tachometer, all of the things 
that tell you how the grid is functioning at the time.
    But what we are really adding with the smart grid are the 
idiot lights--the things that come on when your oil pressure 
gets dangerously low and those kind of things. So yes, those 
are the automated notifications that can come off the grid and 
it can actually tell the emergency response crews in the 
utility companies where to go in order to fix and restore power 
to the greatest number of people.
    There is a great example from Vermont Electric Cooperative, 
who was hit by Hurricane Irene in 2011 and then again by 
Hurricane Sandy in 2012. They had rebuilt smart in the interim 
period, and so they had a much easier time restoring service 
and they had much fewer consumers who were affected as a result 
of Hurricane Sandy than they were during Hurricane Irene. So we 
know that it works just exactly the way you described.
    Mr. Payne. All right. Thank you.
    Mrs. Chairman, I yield back.
    Mr. Meehan [presiding]. I thank the gentleman from New 
Jersey and I want to thank each of the panelists for being 
here.
    I am pleased to share the podium today with my colleagues 
from both sides of the aisle but particularly Mrs. Brooks. She 
and I served together as United States attorneys prior to our 
service in Congress, and as a result of that had the 
opportunity to work with a number of the fusion centers and 
others in the beginning of the process of creating what we 
hoped would be a robust capacity to respond to threats of 
terrorism both on the National as well as the local level.
    One of the things that is eye-opening has been the 
tremendous success that has been realized in this country by 
virtue of, since September 11, we have been relatively free of 
the same kind of scope of a threat actually carrying itself 
out. But we have seen so many of the natures of the threats 
change, and I think this area of cyber is the one that probably 
creates, in my mind, the greatest concern. So there is a lot of 
effort that is going on and I am interested in hearing a little 
bit about your perspectives.
    Let me start with you, Mr. Molitor, first. Just, you know, 
we have spent a great deal of time working here on cyber 
legislation, the purpose of which is to ease the ability for 
the private sector to communicate in a meaningful, two-way 
communication through the National--what we call the NCIC, the 
Cyber Information Center, with real-time information, and also 
the ability for you to be able to work it through in a way in 
which there are protections for sharing information and 
otherwise.
    Have you had a chance to look at some of the proposed 
legislation and do you have any sense as to whether it would be 
beneficial to member companies like your companies within your 
organization and others similar across the country?
    Mr. Molitor. Yes, absolutely. We are at the tip of the 
spear--the electrical manufacturers--in terms of cyber attacks. 
So when the attack comes in they are going after our members' 
gear as it sits in the electric grid. We need to be able to 
capture that information and then forward it, so that the folks 
at the fusion centers and the other panelists at this table can 
respond and react to it.
    So it would be extremely helpful, just in terms of clearing 
the communications. During my opening testimony I mentioned 
something about how industry-based standards are the best way 
to do that. So we have to be able to communicate across 
multiple entities, between the electric utilities, between the 
Government agencies.
    So yes, absolutely. It would be most helpful so that we 
know how to communicate with each other so we can standardize 
the messages and respond to the threat.
    Mr. Meehan. Well, we are already dealing with it in real 
time, and I appreciate that. I think one of the realities is 
there is almost a triage, as you often do when you are dealing 
with an issue, and because of the threats that took place 
against the banking system and the, you know, in New York and 
other kinds of sort of major threats, the concern has been how 
we alleviate the potential for the drastic attack. But there is 
a lot of things that are going on that are impacting, as I 
think was well-articulated, State and local authorities who 
have a great deal of information, have a great deal of assets, 
are equally being probed, and otherwise.
    So how are things working today with regard to the sharing 
of information? You have expressed some frustrations and some 
hopes, and I would like you to spend a little bit more time 
saying, well, suppose something happens right now.
    Mr. English, Mr. Orgeron, and Mr. Sena, you are already, in 
various capacities, your fusion centers are working with some 
of the State and local organizations. Let us say you have an 
enterprise from another country--a criminal enterprise that is 
probing your data systems. How are you communicating today and 
what is it that allows you to work effectively together, or 
not?
    Mr. Orgeron. Mr. Chairman, from a CIO perspective, I think 
that we are communicating with our fusion center. But one of 
the things that we have advocated is governance structures that 
are more clearly defined in terms of paths of communication.
    The cyber component is, for all intents and purposes, is 
sort of the newer thing that we are adding into these threats, 
building into the processes that exist. So if there is an 
emergency management plan there should be a cyber annex to it 
in terms of key actors and what roles those actors have----
    Mr. Meehan. Are you telling me now that that is what your 
concern is, that that is not clearly identified right now?
    Mr. Orgeron. I don't think that the governance is clearly 
identified across the States from a CIO perspective. That is 
certainly something, when we worked with NEMA and the National 
Governors Association in the cybersecurity call to action, that 
we certainly advocate. Governance was the top of the list in 
terms of paying close attention to authority and 
responsibility.
    To your point about that, you know, what is happening at 
the State level, how those flows of communications are 
happening is something that we still think needs effort.
    Mr. Meehan. What is your idea of a way to make it work?
    Mr. Orgeron. I think you have to have a framework, and I 
think the framework has to be something that can be easily 
communicated in----
    Mr. Meehan. What would it spell out?
    Mr. Orgeron. Well, as an example, one of the things from a 
technology perspective is the NIST framework.
    Mr. Meehan. Yes.
    Mr. Orgeron. You know, a more common framework with which 
you can have a very effective conversation----
    Mr. Meehan. Have you been following the meetings that have 
been taking place in California and other places and you are 
satisfied that they are working towards that direction?
    Mr. Orgeron. It certainly seems so from the CIO 
perspective.
    Mr. Meehan. Good. Good.
    Mr. Sena.
    Mr. Sena. Yes, sir.
    Mr. Chairman, we do have an issue. You know, it took us a 
long time to get suspicious activity reporting worked out with 
a unified message, and there is currently a unified message 
task team working on the issue of cyber. But at the National 
level we have six different cyber centers and people are all 
saying, ``Well, who do you call?''
    Right now the message that is being developed, ``Call any 
of them.''
    Mr. Meehan. Is this among your fusion centers--six of them 
are cyber centers, as well?
    Mr. Sena. This is Nationally, at the Federal level--those 
different cyber centers that--and trying to work on who do you 
call?
    Mr. Meehan. Who do you include as the National cyber 
centers? Because one of the parts of the legislation--and Ms. 
Stempfley's working very, very hard on this with DHS--is to 
create the NCIC as that central point, which everybody knows 
they go to one place.
    Mr. Sena. Well, we have the NCIC and then there are 
investigative--National cyber investigative joint task force 
that is out there along with some of the other organizations 
that we have that have investigative responsibilities and 
agency responsibilities within their organizations.
    Mr. Meehan. Who would you consider to be among them?
    Mr. Sena. Within DHS, within FBI, within Secret Service----
    Mr. Meehan. You are not trying to say there is any kind of 
jurisdictional issues going on among the Federal agencies----
    Mr. Sena. Not at all. They are working very diligently 
together but it still causes confusion.
    At the local level when you ask folks--when you go to an 
organization the companies that we have brought in said, ``Who 
do you call?'' and they go, ``We have a rolodex of 100 
people.''
    Mr. Meehan. Well, that is just counter to any kind of 
effective capacity to do things, isn't it?
    Mr. Sena. Absolutely, sir. That is what we have been 
striving to do is to say, all right, let's create a unified 
message on where this information should go--and not just the 
telephone calls, but also the machine-readable information. 
This information moves quickly. The threat moves quickly. We 
have to respond to that as quickly.
    Mr. Meehan. In fact, and I am--my time is up--but that is 
actually, in real time we do not have the ability, if we are 
responding to a threat which is happening in the cyber world, 
to rely on telephone calls to do it. It needs to be, in many 
ways, as they say in the old days, machine-to-machine to be 
able to mitigate these things, and oftentimes just identifying 
the nature of the threat, where it is emanating from and how we 
alleviate it in and of itself requires that kind of tremendous 
engagement.
    Mr. Sena. Absolutely, sir.
    Mr. Meehan. Well, I am grateful. That is a very, very good 
point. We are appreciative of your testimony today because this 
is exactly the kinds of things that we need to be able to look 
at to create that connection that works effectively, and that 
is something that we will work towards.
    I am going to, appropriately, if you know anything about--
Mrs. Brooks is going to take over the chairmanship of this 
hearing again. I am going to get back in my rightful place to 
her right.
    So at this point in time I will return the chairmanship of 
the hearing to Mrs. Brooks and I thank you for your testimony.
    Mrs. Brooks [presiding]. Thank you, Chairman Meehan, for 
sitting for me while I quickly went to another hearing. This 
happens to us occasionally here as Members of Congress. We are 
called to other hearings that are also important and I actually 
may be called back because they were not ready for me. So we 
may be doing this musical chairs once again.
    I now will, I believe, recognize the gentleman from 
Mississippi, Mr. Palazzo, for 5 minutes of questions. Thank 
you.
    Mr. Palazzo. Thank you, Madam Chairwoman.
    Again, I want to thank the chairs for holding this joint 
hearing. I believe that cyber attacks could be as devastating 
as 9/11 and more widespread.
    Just look at what happened a few weeks ago in Louisiana 
when the EBT card system went down for just a few hours. 
Widespread panic and confusion ensued. Just imagine what a 
cyber attack on our power grids or utilities would do to the 
stability of this Nation.
    It is vital to America's interests to address our 
cybersecurity risks sooner rather than later. I think we must 
utilize all of our resources in preparing and responding to a 
cyber attack. It is not a matter of ``if''; it is a matter of 
``when'' that will happen.
    I believe a good resource we could use is our Nation's 
National Guard. I am a proud original cosponsor of H.R. 1640, 
the Cyber Warrior Act. This bill establishes a cyber and 
computer network incident response team within the National 
Guard of every State and the District of Columbia, allowing the 
National Guard to assist in responding to cyber attacks.
    It would also allow the Governor of the State to activate 
the incident response team to help train State and local law 
enforcement and other responders in cybersecurity and help them 
develop best practices. I am going to ask all the questions to 
weigh in on what they think of that bill and the utilization of 
the National Guard.
    But before I do that I would like to ask Dr. Orgeron, could 
you speak to what Mississippi has done to prepare for a cyber 
attack?
    Mr. Orgeron. Thank you, Congressman. Be happy to.
    One of the things that we advocate at NASCIO and that we 
have done in Mississippi is risk assessment. So with the help 
of the Department of Homeland Security, in August of this year 
we had a tabletop exercise in our State. That tabletop brought 
in multiple agencies, our fusion center, and others to kind-of 
run through a scenario--multiple scenarios over about 2 1/2 
days.
    It is in our document--in our call to action document that 
NASCIO worked with NEMA and NGA. One of the things that is 
advocated is looking at what that risk portfolio looks like.
    I will tell you that the outcome of that table-top really 
proved out some of the things that we have talked about here 
today--the fuzziness in some instances of understanding who 
needs to communicate with who, where those lines of authority 
and responsibility start and stop. We were very appreciative to 
the Department of Homeland Security for coming down to our 
great State and working with us and facilitating that process. 
We found it of great value.
    It is one of the things that made its way into the call to 
action of States doing those kinds of exercises, so I certainly 
would advocate for that. I think the great State of Mississippi 
has benefited from it.
    Mr. Meehan. Will the gentleman yield for 1 second on this?
    Mr. Orgeron--
    Mr. Palazzo. Can you give me extra time towards--fantastic. 
I yield to the Chairwoman.
    Mr. Meehan. I just cleared that with the Chair.
    Did you do an After-Action Report after you----
    Mr. Orgeron. I believe my chief security officer did, yes, 
sir.
    Mr. Meehan. Would you make that available to us, please?
    Mr. Orgeron. Of course.
    Mr. Meehan. I would like that. Thank you.
    Mr. Palazzo. Dr. Orgeron, do the State CIOs typically have 
access to Top Secret security clearances to help protect their 
State from cyber attacks?
    Mr. Orgeron. No, sir, typically not. It is my understanding 
that there are, I believe, two designated in each State--of 
course the Governor, many times it is the director of homeland 
security or potentially public safety. NASCIO certainly 
advocates that, given the rise of the impact of cyber that the 
State CIO be considered if more clearances were going to be 
allocated.
    Mr. Palazzo. So you say States get two clearances?
    Mr. Orgeron. That is my understanding, Congressman.
    Mr. Palazzo. Ms. Stempfley, would you like to add to that, 
and why they only receive two security clearances?
    Ms. Stempfley. Sir, I am not familiar with the limitation 
in that situation. I know we have actively worked to get 
clearances at the Secret level for State CIOs so that we can 
share the threat information, and generally that includes 
fulsome content for protection measures. So we have been 
actively working with NASCIO and others to get State CIOs 
cleared at that Secret level.
    Mr. Palazzo. Well, I have been to the TS/SCI process and I 
know it is lengthy, but you don't want to cut corners because 
you do want to make sure we have the proper people accessing 
that information. So, of course, if we could lift any undue 
restrictions that would be nice so the States can be well 
prepared to access these threats.
    If I may sneak in a question, you know, begin the 
utilization of the National Guard, the Cyber Warrior Act, if--I 
would just like if you all would want to share your thoughts? I 
will start with Mr. Molitor on the end, a fellow soldier.
    Mr. Molitor. Yes, absolutely. I spent some time in the 
Wisconsin National Guard so I appreciate that. That is an ideal 
place. When I heard it earlier during the testimony I thought 
that is an ideal place to house that kind of capability because 
that State Governor can call on the National Guard for the 
response locally. That is where you bring together the civilian 
assets, the intelligence assets, and also the military assets 
to address natural disasters.
    I was actually called out one time after a tornado in 
Wisconsin for recovery efforts, so it is the same kind of thing 
in my previous testimony, where the parallels between natural 
disasters and cyber attacks are--it is the same impact on the 
citizenry, and that would be a great place, I think, to house 
that kind of capability on each State.
    Mr. Palazzo. I definitely agree with you.
    I guess we will keep going down anybody that wants to 
volunteer until the Chairwoman takes away my time.
    Mrs. Brooks. Important topic, so----
    Mr. Sena. From the fusion center perspective, and also 
being a high-intensity drug trafficking area director in my 
center, we have had great support from the National Guard. They 
have been very good. That is the one thing that we are 
lacking--those folks that can go out there and help support, 
either through assessments or actually in reacting and 
responding to the threat issues.
    Every day we are bleeding a million cuts from the cyber 
attacks. They are doing telephone denial of services combined 
with cyber attack on institutions and really cutting us to the 
core. They move much quicker than we can.
    But having the Guard, having additional resources to deal 
with those threats is tremendous, so I appreciate that. Thank 
you, sir.
    Mr. Orgeron. Same sentiment, Congressman. I know Chairwoman 
Brooks mentioned in the beginning, Maryland. Maryland is one of 
the States highlighted in the document that has a relationship with 
our National Guard.
    My own personal experience post-Hurricane Katrina was the 
formation of a wireless commission in our State, of which the 
National Guard had a seat at the table. We have built 144 
towers across the State to communicate in the event of another 
disaster. That partnership has been wonderful for the States. I 
would certainly expect that this one would be equally as good.
    Mr. English. Congressman, we certainly support that in 
Georgia and our troops are readying for that mission as we 
speak. I would say, though, that we need to give consideration 
to it being a symbol, similar to the civil support teams and 
the homeland security response forces that are now known as a 
full-time effort on a daily basis that we can work with all the 
time versus a weekend-type assignment.
    Mr. Palazzo. That is a good point.
    Ms. Stempfley. We have heard this morning about the need 
for competent, skilled resources in the cyber environment. I 
know in the National Initiative for Cybersecurity Education we 
have really been focused on understanding the State and local 
needs in cybersecurity, as well. I understand the Defense 
Department and DHS and others are studying how to best apply 
these particular resources and these patriots to this problem.
    Mr. Palazzo. I want to thank our witnesses.
    Madam Chairwoman, I yield back.
    Mrs. Brooks. Thank you. A very important point with respect 
to the National Guard and the critical role they could play and 
that they do play in many States.
    I am going to start on our second round of questioning, and 
if I--and this is to Mr. English. As I mentioned in my opening 
statement, you know, I did watch that movie that aired--not 
certain if others did--the ``American Blackout,'' this past 
weekend, and it really did portray the physical consequences of 
a cyber attack on the electrical grid. One of the issues that 
was highlighted in that movie and that I actually had a 
discussion with folks in my district last week was the impact 
on hospitals.
    As a leader in emergency management, I recently visited 
with representatives from a hospital, and as I was getting a 
tour of this hospital, and particularly in the emergency 
department, we began talking about if there were to be an 
incident of a cyber attack and its effect on a hospital system. 
While the physicians talked about the fact that, you know, they 
have operated, you know, until most recently without electronic 
medical records and could certainly perform their duties, what 
they would have the most difficulty with were their diagnostic 
equipment--the imaging technology and all of the ability to get 
all of the diagnostics that they now are so accustomed to 
receiving in real time, very, very fast turnaround, whether it 
is test results or lab results.
    So I am curious from the emergency manager's perspective 
and the cybersecurity professionals, how do you coordinate with 
hospital systems and has there been a focus on that beyond 
making sure they have back-up generators and the fuel? What 
kind of coordination are we really doing with our hospitals? 
Because I have to tell you, this emergency department, while it 
has been discussed, I think they acknowledged and recognized 
that most have not really prepared for that possibility.
    Any discussion on that, Mr. English?
    Mr. English. Yes, ma'am.
    Whereas we can always do a lot more work--that is for 
sure--the NEMA, the association I represent, and the State 
public health directors have been, for the past 18 months, 
involved in a relationship where we meet at least twice a year 
with the leadership and discuss issues. Most recently, one of 
the issues that we are talking about are--is mission-ready 
packaging for hospitals so that in a disaster they have already 
quantified the type of assets that they need through our mutual 
aid compact that can go from one State to the next, or from a 
impacted area to a--or a non-impacted area to an impacted area.
    So I feel like the relationship is good. I am thankful that 
throughout the past 10 years that States have been able to get 
more capability with the grant programs that have been 
available, and certainly a lot of those have gone toward 
hospitals and readiness and communication.
    Now, the issue of the imaging and that type of thing, I am 
not familiar with that. But I do know that the dialogue exists.
    Mrs. Brooks. Well, and I--the hospitals certainly said they 
have done a tremendous amount of exercising on triaging and 
mass casualty events and so forth, but I think the possibility 
of truly a power--a significant and/or long-term power outage, 
I am just curious whether or not anyone else has discussed with 
their hospital systems this very potential possibility.
    Anyone else have any discussions with their hospitals or 
with their public health officials about that possibility?
    Mr. Molitor.
    Mr. Molitor. Well, I haven't had those specific discussions 
but there was an article in a magazine about 2 years ago 
focusing on a hospital in Japan in the wake of the tsunami 
there, and they had a micro-grid in place, and so this goes to 
Mr. Payne's point about the smart grid. A micro-grid is a self-
sustaining--it includes electricity generation and also 
management for the load so that you can fuel critical loads 
like imaging diagnostics during an outage.
    So this whole idea of a micro-grid, a self-contained, 
powered administration unit within the hospital is a very real 
prospect. It exists today and there are hospitals, even in the 
wake of Hurricane Sandy, that were able to continuously operate 
in the middle of the rest of the area where the power was down 
because they had those kind of micro-grids, that smart grid 
technology in place.
    Mrs. Brooks. Do you have any idea roughly how many 
hospitals in our country might actually employ micro-grids?
    Mr. Molitor. I do not, but we have a medical imaging 
division within my NEMA--you have got two NEMAs up here; get a 
little confusing.
    Mrs. Brooks. Sure.
    Mr. Molitor. But we have a medical imaging division and I 
can certainly check with them to see if they have any data and 
report back.
    Mrs. Brooks. Okay. Thank you very much.
    At this time I will ask Ranking Member Mr. Payne if he 
might have any further questions.
    Mr. Payne. Thank you.
    Let's see. Mr. English and Mr. Orgeron--I am sorry.
    Mr. Orgeron. Orgeron.
    Mr. Payne. Orgeron. I apologize.
    Mr. Orgeron. That is okay.
    Mr. Payne. In 2013, the National Preparedness Report, 
States reported to FEMA that the lack of funding to develop 
robust cybersecurity capabilities significantly contributed to 
the lack of confidence in State cybersecurity capabilities. Can 
you talk about the role of Homeland Security--the homeland 
security grant money in developing State cybersecurity programs 
and how reduced funding levels have affected the States' 
efforts to develop those cybersecurity capabilities?
    Mr. English. The lack of funding I don't think--or the 
cutback in funding hasn't impacted that situation, in my 
opinion. I think Mr. Orgeron mentioned earlier that maybe if 
the grant guidance was a little broader and could entertain a 
more robust effort in the cybersecurity realm would be what we 
would like to see. Not necessarily more money, but maybe 
flexibility within the money that we get to be able to build 
out the cybersecurity assets.
    Currently in my State we do use grant money to provide 
cybersecurity analysts to our fusion center, but that is really 
a drop in the bucket on the financial side.
    Mr. Orgeron. Mr. Payne, we would agree. I mean, I think our 
basic position is that the formulaic nature with the way the 
grants work, it may not be as appropriate in terms of the cyber 
threat, and we think some alterations there, much to Mr. 
English's point, would benefit programmatically as a whole 
cyber initiatives in States.
    I should mention, too--it may be a good point to mention, 
too, that, I mean, the States are struggling with workforce 
issues as well. Not exactly related, but, you know, it is very 
difficult to recruit credentialed and excellent people.
    There is, I have been told, in essence nearly zero 
unemployment in this sector. So, you know, we have a very 
difficult time in recruitment, as well, which can impact 
mission.
    Mr. Payne. Okay. For you gentlemen, as well, with respect 
to the activities aimed at helping States prepare for, prevent, 
respond to, and mitigate the effect of cyber attack, what is 
the Federal Government doing well and what needs to be 
improved?
    Mr. English. I have got to sing the MS-ISAC praises. I 
think they are doing very well, and without great detail, had 
up-close and personal experience with their deployment to our 
State, along with our chief CIO--our CIO and the FBI and DHS 
and others. So I am more aware that that really worked well.
    Mr. Orgeron. I agree. We have a great relationship with MS-
ISAC.
    Two other quick points: I mentioned our table-top cyber 
exercise that the Department--we got funding for, I think is a 
great, great tool at the State level to bring parties together 
to kind-of walk through, you know, exercises of various sorts. 
I think it is exceedingly beneficial to us.
    Mr. Payne. The other end, what needs to be improved?
    Speak now.
    [Laughter.]
    Mr. English. I really don't have a lot of heartburn with 
what is going on in the coordination effort. I think we always 
want to make sure that States and local governments are 
included in the plans before they are made so that we can have 
input and that we are at the table. As I mentioned earlier, 
creating those reasons to collaborate I think go a long way.
    Mr. Payne. So you say we are doing everything right?
    Mr. English. Out of ignorance, I would say yes.
    Mr. Payne. Okay.
    Mr. Orgeron. Well, you know, being the IT guy at the table, 
I think we want to be at the table when those conversations 
happen. I think it does vary from State to State on how those 
dialogues occur, but I think whether it is talking about the 
clearance issue or formulaic changes in grant programs, I think 
CIOs, or maybe even the chief security officers if not the CIO, 
certainly we would want them to be at the table during some of 
those dialogues, given the threats that we face.
    Mr. Payne. Thank you.
    Thank you, Mrs. Chairman. I yield back.
    Mr. Meehan [presiding]. Thank you. I appreciate the 
gentleman from New Jersey exploring those areas.
    Let me ask about the relationship that exists with the 
private sector, because one of the realities is 85 to 90 
percent of the resources are really tied up in the private 
sector. We have heard numerous concerns about resources that 
are available, both with trained personnel and otherwise. Yet 
oftentimes--Mr. Molitor may be able to speak to--there are a 
lot of members of industries and others who have already made 
significant investment in individuals with skills who are there 
to--if we can share information appropriately--it also includes 
expertise.
    What is your experience in terms of--Mr. Molitor, you can 
jump into this question but I am interested in those who are 
representing State or fusion centers--what is your experience 
in terms of working with the private sector and how you are 
taking advantage of any of their assets or information sharing 
in your local regions?
    Mr. Sena. From my perspective I am probably the most 
blessed because my fusion center is in Silicon Valley area, so 
we have got some of the best technology companies in the world 
there. So we have got lots of resources and oftentimes they 
know better and more ways about dealing with a threat than we 
do in the Government or could ever think of.
    So trying to, you know, bring them on-board to make them 
partners with what we are doing in the fusion center, so that 
way when they ask us a question we can provide them with an 
answer. If they have the answer we can share that answer with 
others.
    They have, you know, bonded together over the last few 
decades in building Silicon Valley and the resources there, but 
the networks go well beyond there; they go across our country 
and across the world where they have, you know, resources. So 
trying to work closely with them, trying to give them those 
resources.
    The question always comes up about the clearances, and even 
within the fusion center ourselves, it takes us a long time to 
get our own people clearances, so but also trying to get them 
up to speed and actually physically bringing them in so we can 
give them briefings and actually help them solve these problems 
together. That is my goal.
    Mr. Meehan. So are there parts of your fusion center which 
include a regular seat from private industry as a member?
    Mr. Sena. We have. In fact, one of our first folks that we 
brought in was from the health care industry. So right now we 
are working with some of our power partners and utility 
partners to bring them into the center to get them the 
backgrounds, to get them the resources they need.
    Oftentimes some of these people already had worked in 
Government for one of the other, you know, organizations that 
dealt with cyber and now they are working for the private 
sector. So we are trying to use those resources they have to 
help us in our center.
    Mr. Meehan. Mr. Orgeron, are you working at all with the 
individuals in the private sector in your capacity?
    Mr. Orgeron. We do, Mr. Chairman. You know, States rely on 
telecom providers, big system integrators daily to get the work 
done in the States, so that reliance is absolutely there. I 
would expect not only in my State but in many of the States the 
need for dialogue and inclusion is imperative.
    Mr. Meehan. Have you worked with CERT teams at all?
    Mr. Orgeron. We have.
    Mr. Meehan. Have they been helpful?
    Mr. Orgeron. They have.
    Mr. Meehan. Ms. Stempfley, Secretary, you have been a 
stalwart supporter of efforts to do some of these things, but 
one of the council recommendations from your own advisory 
council was taking advantage of some of the skilled alumni in 
DHS, among other things, and there was an idea of trying to do 
outreach to make some of them available. Has there been any 
progress made in the idea of looking for those who have been in 
service at DHS and are no longer there but are still able to 
lend a hand at times of crises?
    Ms. Stempfley. I regret, sir, I am not familiar with the 
recommendation that you speak of. But one of the things we work 
very closely with is keeping in touch with both former DHS 
colleagues and those individuals in the private sector who are 
a part of the owners and operator community of critical 
infrastructure, particularly those in the IT, communications, 
energy, electric, and other sectors.
    I know you have been to our National Cybersecurity and 
Communications Integration Center, where we are very focused on 
integrating our private-sector partners into our operations 
activities and we work very closely with our private-sector 
partners in not just protection and planning efforts but in the 
response efforts, as well.
    Mr. Meehan. Yes. This was a recommendation that was called 
the Cyber Reserve Program that was run through DHS, and it may 
or may not be implemented. I know what happens. There are a lot 
of good ideas that sound--they get laid on your plate in the 
midst of all of these, and I just wondered if you had any 
insight on that program.
    Ms. Stempfley. Thank you for making that connection in my 
brain. We actually post that set of recommendations. The then-
deputy secretary established a task force to look at all of the 
recommendations from that Homeland Security Advisory Council--
set of recommendations on workforce activities. We have moved 
forward on many of them. The cyber reserve efforts and the 
potential utilization of current and former DHS colleagues in 
execution of this mission is one that planning activity has 
been underway.
    Mr. Meehan. All right. Well I thank you for that 
clarification.
    My time is expired and I will turn to the gentleman from 
Nevada, Mr. Horsford.
    Mr. Horsford. Thank you very much, Mr. Chairman, to you, to 
Chairwoman Brooks, to the Ranking Member Mr. Payne and Ranking 
Member Clarke, for holding this important and crucial hearing.
    I want to commend my colleague, Mr. Payne, for his 
legislation on the study for the smart grid. I know in my State 
and in regions throughout the country we have heard time and 
time again about the need to protect critical infrastructure, 
including, you know, our electric grid and water systems and 
other things that play into the grid. So I look forward to 
working with you on that legislation and commend you and your 
leadership for bringing it forward.
    After hearing the opening remarks I wanted to delve into a 
couple of questions that aren't on my prepared questions.
    Mr. Sena, right?
    Mr. Sena. Sena, sir.
    Mr. Horsford. So I have been in my fusion center. I am from 
Las Vegas--40 million visitors a year, 2 million residents in 
Clark County, and sheriff took me on a tour, met with all of 
our emergency management, first responders--local, State, 
Federal, and private-sector participants at that fusion center.
    What is troubling to me is you say all the right things 
operationally for what is needed--the integration, the sharing 
of information--but then we have policy that doesn't support 
that approach. For example, the UASI money. In my State, Las 
Vegas was eliminated from the top-tier funding communities for 
our fusion center and lost several million dollars. My hope is 
we will get that back and I am working with the Department and 
FEMA and other agencies to make the case, but the policy 
doesn't support the practice that you envision.
    So I would like for you to touch on how funding like UASI 
is critical in supporting your needs, particularly with the 
cybersecurity focus, which, as far as I reviewed in the primary 
factors of the UASI money allocation, I didn't hear 
cybersecurity come up enough even though it is the most 
emerging threat to our critical infrastructure. So can you 
speak to that, please?
    Mr. Sena. Absolutely, sir. Congressman, just to let--as you 
know, with the reductions in UASIs and the inconsistencies and 
how the funding goes for those grant projects to support fusion 
centers, fusion centers are owned and operated by State and 
local agencies. I myself work for the San Mateo County 
sheriff's office. But it is up to those regions how they 
develop those programs and some are highly dependent on Federal 
funding.
    We have some fusion centers that totally support their 
operations based on their own State budgets, local budgets. But 
when we are trying to develop programs that have a National 
importance, that have--meet those National priorities, those 
National missions, we have to develop the funding stream to 
support those programs.
    Basing it on--and UASIs have been great across the country, 
but if you have no money they have got no way to give anything 
to the fusion center, and therefore the fusion center cannot 
support their programs. That is where we are at right now.
    The other issue we have is the grant time line cycle of 2 
years now, which basically means that once you get through with 
all the management issues of trying to move funding you have 
about 8 months to spend your money. Well, most people's 
salaries go for 12 months. That creates a little bit of a 
problem.
    But we have those huge issues between how the money gets to 
the fusion centers and how it gets devoted to those programs. 
Right now there is no consistency across the country in how 
that money is delved through. Not just in the case of the Las 
Vegas fusion center, but other fusion centers across the 
country that lost their UASI funding--to the point of some, 30 
percent. How do you run an operation when you have lost 30 
percent of your money or 100 percent?
    Mr. Horsford. Right.
    Mr. Sena. It is difficult.
    Mr. Horsford. Well, it is difficult when you have these 
emerging threats, which are ever changing. Everything you all 
talked about today is, you know, the people we are trying to 
prevent from attacking us are more creative, more resourceful, 
are working around the clock, and yet we are not putting in the 
resources to combat that.
    I think the UASI funding, Mr. Chairman, is one area that 
needs to still be reviewed and, you know, I am committed to 
doing my part in bringing forward solutions for how it needs to 
be reviewed. But I think the cybersecurity factor in how 
communities rank should be reevaluated. So I will put that on 
the table.
    Mr. Chairman, can I have just 1 more minute?
    Mr. Meehan. Yes. The Chairman will recognize the gentleman 
for a follow-up question.
    Mr. Horsford. I just want to ask about this interrelation 
between State and Federal entities. Given the inherently 
interconnected nature of the cyber landscape, why is it that 
harmonizing standards for the Federal Government is beneficial 
but requiring the same of State governments which may interface 
with Federal systems is not? I wanted Mr. Orgeron to answer 
that question.
    Mr. Orgeron. Sure. We talked about NIST earlier, and I 
think from a framework perspective we certainly think that 
having a common framework would be most beneficial, whether it 
is at the State level or the Federal level. Certainly a 
framework that would help the two entities communicate, you 
know, I think we believe would be a good thing.
    Mr. Horsford. Thank you.
    Mr. Meehan. I thank the gentleman.
    The Ranking Member has a follow-up question and so I 
recognize the Ranking Member for----
    Mr. Payne. Thank you, Mr. Chairman.
    This was a question that Congresswoman Clarke had: 
Cybersecurity technologies have made a major advancement over 
the last decade, just as the IT industry has. But the 
electrical grid has been built over the course of 100 years.
    So, Mr. Molitor, in terms of cybersecurity, how do we deal 
with the legacy equipment that was installed before anyone was 
thinking about cyber threats and what was to come and is here 
now?
    Mr. Molitor. Yes. That is a great question. Fortunately, a 
lot of the legacy gear doesn't have the kind of communications 
capabilities that makes it hackable to begin with. But if you 
have got a dead zone in the middle where you don't have 
cybersecurity capabilities built in you have to build your 
cyber perimeter around it. So the objective is--and especially 
through these smart grid technologies--is that you have the 
communications ability and the sensing ability on the adjacent 
devices so that you can identify when that device in the middle 
starts to underperform. So that would be the best indication 
that you have.
    The challenge that we have is that a lot of these assets 
that were installed in the electric grid have a 20-, 30-, or 
40-year life span before they can be replaced by the utility 
companies. So, you know, part of the cure to this is being able 
to fix the accounting rules and the other financial rules so 
that they can depreciate those assets, get them out of the 
grid, and replace them with the ones that can respond properly 
to a cyber attack.
    Mr. Payne. So in your opinion--and I will close with this 
and I will ask each of the witnesses--you know, the legislation 
I have introduced, the SMART Grid Study Act, do you think that 
is the direction we should go so we can understand what we need 
to do to ensure the critical infrastructure is cyber safe?
    Mr. Molitor. Absolutely. I am a firm believer that if you 
want to improve something you need to measure it. You provide 
the mechanism to obtain that measurement.
    Mr. Payne. Mr. Sena? Same question.
    Mr. Sena. We definitely--I mean, for years we have been 
building a great castle with physical--sorry, sir--building a 
great castle with physical security issues, but we have got 
this moat around us that has a stream that goes right into our 
critical infrastructure and we are so vulnerable, but the 
resources are not going there. We do have to have that 
capability.
    We do have to have better electronic resources to deal with 
threat in real time but we also need analysts and people that 
can accept the information and know what we are looking for. 
Right now that is our big problem, from the high-end technical 
side to the people who are operating the computers within the 
locations, whether it is Government, whether it is critical 
infrastructure, you know, spear phishing, opening up the wrong 
e-mail can open up your network to huge issues.
    When it is considered to be the electrical grid or any of 
our other critical infrastructure, that can be our fall down. 
My goal is to prevent that as best we can, so thank you.
    Mr. Payne. Mr. Orgeron.
    Mr. Orgeron. I agree. I mean, State government, especially 
from a technology perspective, whether it is consolidated data 
centers or networks, are highly reliant on the grid, so 
absolutely.
    Mr. Payne. Mr. English.
    Mr. English. Absolutely. We have to have the power to make 
things work, and thank you for doing that.
    Mr. Payne. Okay.
    Ms. Stempfley.
    Ms. Stempfley. So we certainly have talked about the 
linkages between the cyber and physical environment, and one of 
the things that we are focused on at DHS is helping as 
infrastructures are upgraded--as our aging infrastructure is 
upgraded and takes advantage of the technology that exists 
today, helping them understand how to be more resilient in this 
cyber environment. So I think that is an important focus area.
    Mr. Payne. Well, I thank all of you witnesses.
    Just for the record, this study would not cost any more 
money. The money is already in place and we have offsets that 
would take care of the cost of the study.
    I yield back.
    Mr. Meehan. I thank the gentleman.
    I am just about prepared to gavel the hearing down but I 
have one question that I want to ask for those who are involved 
in the State side, because I know that there has been some 
discussion about the need we have for people who are capable of 
working with you in both understanding and then addressing 
these kinds of concerns, and then simultaneously we have got, 
year after year, students that are graduating from colleges and 
universities, junior colleges all throughout our country and 
they are looking for a job.
    It stuns me that we have educational institutions on the 
one side that are already--not looking for grant programs; they 
are already taking tuition. Some of these kids are going into 
debt to do this, and then they come out and they are saying, 
``Where do I get my first job?''
    Then here you are running organizations which are saying, 
``Boy, we need people in here.'' What are you doing even with 
your own State university systems to implement some kind of 
connection between the training that could take place and the 
availability of a workforce?
    Mr. Sena. Sir, I have to mention--and thanks in great part 
to our partners in the Department of Homeland Security, MS-
ISAC, and our other State organizations--we actually had a 
pilot, you know, internship program this summer--brought some 
of the most brilliant people into my center. Great employees, 
great interns. Did some tremendous work for us.
    So we brought them in but, of course, we have no funding to 
pay for interns. We have no money to pay for, you know, those 
analysts. You know, eventually we are getting some money from 
our UASI to bring on some analytical staff, but, you know, we 
brought in eight interns who did great work and those interns 
across the country were also deployed--recruited by DHS, 
recruited through, you know, cyber exercises that they would do 
on the weekends to see who could, you know, do the best 
infiltration of systems.
    So we had the best minds out there but we have no money to 
hire these people and that is--you know, that is the tragedy of 
it. You know, great interns and, you know, free labor force for 
us, but we need them long-term and there is just no sustainment 
for that right now.
    Mr. Meehan. Do they get directed to private-sector 
opportunities?
    Mr. Sena. We do. We give them, you know, pass their 
information along to the private sector. But as was said 
previously, you find very few open jobs in that sector. But 
right now it would be great if we had that ability even to pay 
the interns for the time they spend with us, but also to bring 
them into Government work. They are just--you know, from the 
State perspective, you know, money has always been tight, and 
especially nowadays it has been tight, so trying to have 
funding to bring in those brilliant minds is difficult.
    Mrs. Brooks. Would the Chairman yield one moment?
    Mr. Meehan. Sure. Absolutely.
    Mrs. Brooks. I am curious, before others might respond, 
whether or not you are educating your governors, your mayors, 
your councils who appropriate the funds for your departments to 
understand what the cyber threat might be? Because obviously, 
you know, there is always a push for more police officers on 
the street, more fire fighters, but yet there needs to be--and 
when we may be calling them analysts is part of the problem in 
that they appear to be support staff when, in fact, they are a 
cyber force and can be like a street officer. How are you 
educating the executives and those, you know, with the 
appropriations authority to, you know, make sure that they 
understand what the needs are, just out of curiosity?
    Mr. Sena. I can tell you that after we made a presentation 
to our UASI on what the threat was, it immediately voted to 
give us $400,000 right off the bat. So they see the threat. But 
that is only if they have the funding available to allocate, 
and in this case they had the funding.
    That funding may not be there next year, but that is the 
problem we have. There has to be a funding source and currently 
most States don't have the funding source other than 
potentially through those Federal grants. Those, the allocation 
varies between those centers, like in Las Vegas, that they just 
don't have any money for it.
    Mr. Orgeron. We certainly do advocate with the Governor, 
elected officials, the legislature, the importance of a topic 
like this and potentially the disconnect between really doing 
great Government and needing great people to do great 
Government that have the right skills, and this is a marked gap 
to the point.
    To the other question, all the things Mr. Sena said--
working with universities on co-op programs to get students in, 
internship programs. It is really at the local level--at the 
local-State level--I think more, you know, just that you can 
get them interested. I mean, States are doing phenomenal things 
across all kinds of projects, especially in our State with a 
new data center.
    It tends to be keeping them is the thing. They are great 
kids, and so we do. We go to the universities regularly, go to 
recruiting fairs regularly, and so--and we will continue both 
of those things.
    Mr. Meehan. Well, I want to say, I think on behalf of all 
of my colleagues here, we appreciate your service. In many ways 
you, as was articulated by one bit of testimony, are out there 
on the tip of the spear, and the experiences that you 
have, as well, not only in what you are doing each day but by 
virtue of analyzing the nature of the threat and the challenges 
that we have, and then by taking the time to both prepare your 
testimony and be responsive to our questions helps us educate--
helps you educate us to be your partners in working for better, 
more efficient, more effective ways to deal with what we all 
agree, I believe, is one of the great challenges that we face 
here and an emerging and ever-changing nature of the threat, 
different from, in many ways, from those which we have been 
addressing over the course of the recent decade.
    So I thank the witnesses for your valuable testimony and 
the Members for their questions. The Members may have--from the 
subcommittee may have additional questions for the witnesses, 
and if they do we ask that you would take the time to respond 
in writing. We are certainly free for any further follow-up 
information you would like to forward to us for the record. We 
will keep the record open for 10 days for that purpose.
    So without objection, the subcommittees stand adjourned. 
Thank you for your testimony.
    [Whereupon, at 11:52 a.m., the subcommittees were 
adjourned.]


                            A P P E N D I X

                              ----------                              

    Questions From Chairwoman Susan W. Brooks for Roberta Stempfley
    Question 1a. FEMA has a number of incident annexes to the National 
Response Framework, including a Cyber Incident Annex. The current Cyber 
Incident Annex was developed in 2004, nearly 10 years ago, when 
technology and the cyber threat were very different.
    The draft NCIRP states that it was developed in conjunction with 
the update of the Cyber Incident Annex. However, according to FEMA, the 
Annex has not yet been updated and will not be updated until later this 
fiscal year, with an anticipated completion in fiscal year 2015.
    Will CS&C be involved in this update?
    Answer. The Office of Cybersecurity and Communications (CS&C), 
working with a broad set of partners, to include the Federal Emergency 
Management Agency, will continue to advance the dialogue around 
coordinated planning through development of operational playbooks and 
other planning frameworks. We anticipate that CS&C would be deeply 
involved in any updates to the National Response Framework's Cyber 
Incident Annex.
    Question 1b. In a broader sense, how do you work to coordinate 
cyber doctrine within the Department to ensure that the plans and 
procedures in place are up-to-date and applicable to the current 
threats we are facing?
    Answer. CS&C works with the Department of Homeland Security (DHS) 
Headquarters and other DHS components on a continuous and on-going 
basis to coordinate cyber issues. Many of these interactions take place 
at the working level in order to keep pace with the dynamic cyber 
threat environment. There are weekly leadership meetings consisting of 
both internal DHS organizations as well as our interagency partners 
specifically to coordinate on cyber issues.
    In November 2011, DHS completed the Blueprint for a Secure Cyber 
Future: The Cybersecurity Strategy for the Homeland Security Enterprise 
(Blueprint). The Blueprint provides a process to create a safe, secure, 
and resilient cyber environment for the homeland. The Blueprint 
identified capabilities necessary to achieve DHS's cybersecurity goals. 
The development of the Blueprint was truly a cross-organizational, 
integrated process that brought together elements of the following 
components and sub-components of DHS:
   DHS/NPPD Office of Strategy and Policy (S&P);
   DHS/PLCY Office of Strategy, Policy, Analysis, and Risk 
        (SPAR);
   DHS/CFO Office of Program Analysis and Evaluation (PA&E);
   DHS/Office of Intelligence and Analysis;
   DHS/Office for Civil Rights and Civil Liberties (CRCL);
   DHS/Office of Operations Coordination and Planning (OPS);
   DHS/NPPD Office of Budget, Finance, and Acquisition;
   DHS/NPPD Office of Cybersecurity and Communications (CS&C);
   DHS/NPPD Office of Infrastructure Protection (IP);
   DHS/Science and Technology Directorate (S&T).
    Accompanying the Blueprint is a Mission Management Plan that 
prioritizes the Blueprint capabilities that DHS will mature over the 
next several years. The Mission Management Plan serves as a baseline 
for coordination and assignment of tasks based upon the capabilities 
and responsibilities across the Department. An example of this would be 
leveraging the skills and resources of the U.S. Secret Service along 
with Immigration and Customs Enforcement to investigate cyber 
criminals. The results of these efforts are used internally within DHS 
as well as a baseline for discussions with our partners across the 
interagency, State, local, Tribal, and territorial governments and the 
private sector.
    Question 2a. In reviewing the National Cyber Incident Response Plan 
(NCIRP), I am a little unclear of the link and cooperation between the 
NCCIC and FEMA and have a couple questions regarding that link and 
cooperation.
    Does FEMA currently have personnel that are stationed full-time at 
the NCCIC?
    Answer. The Federal Emergency Management Agency (FEMA) does not 
currently have personnel who are stationed full-time at the National 
Cybersecurity and Communications Integration Center (NCCIC).
    The DHS Office of Operations Coordination and Planning has a full-
time employee stationed at the NCCIC and another full-time employee 
stationed at the FEMA National Response Coordination Center (NRCC). The 
National Operations Center (NOC) is also staffed by a full-time desk 
officer from the NCCIC and another full-time desk officer from the FEMA 
NRCC. This exchange of personnel facilitates real-time coordination and 
collaboration in the event of a cyber-related incident. The NOC, NCCIC, 
and NRCC continuously share information and have access to the DHS 
Common Operating Picture (COP) for situational awareness. Additionally, 
the NOC receives and integrates daily reporting from the NCCIC and the 
NRCC. Also, the three operations centers conduct coordination calls at 
least three times daily via the NOC's Operations Centers conference 
calls (NOC Blast Calls).
    Question 2b. If ``YES'': Who is this person--from what office 
within FEMA? If ``NO'': Do you think it would be a good idea to have a 
FEMA representative at the NCCIC?
    Answer. Recognizing the potential significance of a cyber-physical 
event and the value of close FEMA-NCCIC synchronization, staffs from 
the two organizations meet often to discuss planning and exercise 
activities and to maintain watch center-to-watch center communications. 
In response to Emergency Support Function-2 activations, NCCIC 
regularly deploys staff to FEMA operations centers. In the event of a 
significant cyber incident, FEMA would deploy appropriate staff to the 
NCCIC.
    Question 2c. How does the NCCIC communicate with FEMA on the 
potential threats the NCCIC is seeing and their possible consequences 
that may require FEMA to respond?
    Answer. NCCIC and FEMA communicate via watch center-to-watch center 
communications. FEMA receives NCCIC situational reports and awareness 
products, which highlight more significant cyber and communications 
incidents and the NCCIC receives FEMA situation reports on a recurring 
and routine basis.
    The DHS NOC, NCCIC, and NRCC all have access to the DHS Common 
Operating Picture (COP) and Homeland Security Information Network 
(HSIN). The COP and HSIN are the primary systems used for sharing and 
viewing Unclassified information along with other situational awareness 
products. Also, all three operation centers participate in coordination 
calls at least three times daily via the NOC's Operation Centers 
conference calls (NOC Blast Calls).
    Question 3. The draft National Cyber Incident Response Plan (NCIRP) 
states that it ``was developed in close coordination with Federal, 
State, local, territorial, and private-sector partners.'' I am 
interested in hearing more about the Department's outreach process 
during the development of the NCIRP because we have heard from 
stakeholders that there wasn't sufficient outreach and that this is 
more of a ``Federal plan'' than a ``National plan.''
    Answer. The Department of Homeland Security (DHS) developed the 
National Cyber Incident Response Plan (NCIRP) in close coordination 
with public and private-sector stakeholders. During the early stages of 
development, DHS asked for volunteers through the Cross-Sector Cyber 
Security Working Group (CSCSWG), which includes Federal and private-
sector representatives from each of the critical infrastructure sectors 
and convenes under the auspices of the Critical Infrastructure 
Partnership Advisory Council. The Department also sought collaboration 
through intergovernmental partners, the information sharing and 
analysis organization community and among Federal interagency partners. 
DHS drafted the document by sending out discussion papers--generally 
draft sections of the NCIRP starting with scope and purpose--and 
captured notes from subsequent discussions with public and private-
sector participants. In addition to incorporating review comments into 
iterative drafts of the NCIRP, DHS also held table-top exercises and 
the Cyber Storm III National Exercise to further inform versions of the 
draft plan. Among the participants in the table-top exercises were the 
Information Technology Information Sharing and Analysis Center (ISAC), 
the Communications ISAC, the Financial Services ISAC, and the Multi-
State ISAC (MS-ISAC). The MS-ISAC includes among its membership the 
chief information security officers from each of the 50 States as well 
as several U.S. territories and local Government representatives. Cyber 
Storm III included participation from eight Cabinet-level departments, 
13 States, 12 international partners, and 60 private-sector companies 
and coordination bodies. Together, these entities participated in the 
design, execution, and post-exercise analysis of the cyber exercise. 
Participation focused on the information technology, communications, 
energy (electric), chemical, and transportation critical infrastructure 
sectors and incorporated various levels of play from other critical 
infrastructure sectors. In addition, Cyber Storm III included the 
participation of States, localities, and coordination bodies, such as 
ISACs, and international governments to examine and strengthen 
collective cyber preparedness and response capabilities. During the 
exercise, the participant set included 1,725 Cyber Storm III-specific 
system users.
     Questions From Chairwoman Susan W. Brooks for Charley English
    Question 1a. How are State officials responsible for cybersecurity 
and emergency management coordinating to ensure awareness of the cyber 
threats you face?
    Answer. The type and scope of coordination occurring between State 
officials responsible for cybersecurity and emergency management 
officials vary widely by State. In a survey NEMA conducted in February 
2013, we learned no clear best practice exists in assigning 
responsibility of coordination of resources to prepare for, respond to, 
or recover from a cyber attack. Only 41.9 percent of States cited a 
specific director. Of the 41.9 percent, responsibility ranges from the 
emergency management officials to IT, homeland security, and the fusion 
center. Where those responsibilities diverge, coordination occurs much 
in the same way as it would with any other all-hazards risk.
    Question 1b. What support are you getting from DHS in that regard?
    Answer. Programmatic offices such as the Office of Cybersecurity 
and Communications (CS&C) within DHS continue admirable work in their 
outreach to State and local officials. The larger challenge however is 
that the overall DHS effort, to include agencies such as FEMA, must be 
comprehensive and coordinated in order to ensure all the nuances of the 
threat and impact of consequences receive appropriate attention. In 
recent years, as the issue of cybersecurity grows, agencies have a 
tendency to create niches within the Department instead of adopting a 
comprehensive approach. Without a cohesive strategy from the National 
level addressing the consequences of a cyber attack, we run the risk of 
being unprepared should an event occur.
    Question 1c. What more could they be doing?
    Answer. DHS must recognize the impacts of a cyber attack extend 
beyond public-private relationships or simply securing networks. To 
date, the Department offers little guidance on the potential depth and 
breadth of cyber consequences. A deeper analysis must be accomplished 
on current disaster-related statutes such as the Stafford Act to 
consider whether such attacks would be eligible for Federal assistance. 
If so, guidance must be provided to the States. If not, an on-going 
dialogue must occur so all interested parties understand the current 
limitations of State and local governments in these economically-
constrained times.
    Question 1d. Is there anything Congress can do to help?
    Answer. As Congress considers legislative options, the needs of the 
State and locals ultimately responsible for the consequences of a cyber 
attack must be first and foremost. In May of last year, NEMA joined 
with nine other associations to ask Congress for your consideration of 
key principles and values when considering cybersecurity legislation. 
In addition to consideration of the principles and values, Congress 
must work with DHS ensuring all potential consequences of a cyber 
attack are thoroughly considered in appropriate authorities such as the 
Stafford Act.
    Question 2. A movie titled ``American Blackout'' that aired in 
October portrayed the physical consequences of a cyber attack on the 
electrical grid. One of the major issues highlighted was the impact on 
hospitals.
    I recently visited with representatives from a hospital in my 
district and we discussed cybersecurity. The doctors, particularly 
those from the emergency department, are extremely concerned with their 
ability to function in the event of a cyber attack that impacts their 
power supply. This goes beyond medical records. They are very concerned 
about access to imaging technology that saves lives.
    In the event of a cyber incident that impacts the electric grid, 
how would emergency managers and cybersecurity professionals coordinate 
with each other and the private sector to determine how soon the 
problem could be fixed and in turn properly identify necessary 
resources to assist hospitals beyond the generators and fuel they 
regularly keep on hand?
    Answer. We would typically treat this type of incident just as any 
other. Emergency managers operate in an all-hazard environment and 
would coordinate with the cybersecurity professionals as we would any 
other Emergency Support Function (ESF). The resources would be done the 
same way. There are many disasters that affect our power grid, from ice 
storms to major storm fronts. It takes a Federal-State coordinated 
approach to create and improve a threat-specific annex to State 
Emergency Operation Plans. Emergency management plans are intended to 
address impacts of all hazards, regardless of cause.
    Question 3. States have repeatedly identified cybersecurity as the 
lowest core capability in their State preparedness reports. To your 
knowledge, when developing this assessment, were State chief 
information officers or chief information security officers involved in 
the process?
    Answer. While the exact number is not known, the collaboration and 
inclusion between chief information officers and emergency management 
officials is increasing due to the threat and the increasing awareness 
of the issue. For example, in the State of Ohio, the State Security 
Information Officer was involved in the responses to cybersecurity in 
the State preparedness report. In Arkansas, the Chief Information 
Officers as well as the Chief Information Security Officers are 
involved in the process of identifying core capabilities.
      Questions From Chairwoman Susan W. Brooks for Craig Orgeron
    Question 1a. How are State officials responsible for cybersecurity 
and emergency management coordinating to ensure awareness of the cyber 
threats you face?
    Answer. Coordination on cybersecurity varies drastically from State 
to State. This has to do with different models of State governance and 
centers of authority for cybersecurity response and emergency 
management. This is not only reflective of the different maturities 
regarding readiness to respond to cyber threats in the States, but also 
the diverse topography of State governments. There is increasingly 
coordination between State CIOs with emergency managers and other 
agency officials regarding disaster continuity, recovery, and emergency 
management. As referred to in my testimony, NASCIO's 2013 State CIO 
Survey states:

``Not surprisingly, disaster recovery and business continuity are 
issues that continue to receive increased attention in the State CIO 
community . . . We asked CIOs how they approached these initiatives 
within their State. As Figure 13 shows, almost two-thirds of States 
pursue a federated strategy with responsibilities split between the CIO 
and State departments and agencies.''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    While our research shows increasing collaboration between State 
emergency managers and State CIOs, it is difficult to describe how a 
State would react to a cyber incident impacting a hospital as described 
in the question. The primary reason: With public-sector cybersecurity 
being such a nascent area, States have divergent governance and 
procedures in place to deal with significant attacks on critical 
infrastructure. Virtually every State has some means to provide 
support, whether through State police, its fusion center, or another 
State agency.
    Further complicating matters, data does not exist to make extensive 
claims to best practices when it comes to governance. While several 
States have held cybersecurity exercises and learned from the 
experiences, the effectiveness of one governance model over another has 
not been thoroughly and publicly tested by real-world events.
    Beyond this uncertainty, there are significant legal questions to 
be considered. For instance, a private hospital may not be able to take 
advantage of certain public resources. It is unclear a private entity 
could receive support from the National Guard without the declaration 
of a state of emergency by a Governor. Other questions come into play, 
as well: Legal liabilities, cyber forensics of a virtual crime scene, 
and more. The area simply has not been defined. The legal implications 
are an area that is ripe for Congress to explore.
    Question 1b. What support are you getting from DHS in that regard?
    Answer. There are several venues and tools from DHS or funded by 
DHS that provide State governments with additional awareness of and 
support in thwarting cyber threats. Perhaps the most prominent of these 
are the National Cybersecurity and Communications Integration Center 
(NCCIC), United States Computer Emergency Readiness Team (US-CERT), and 
Multi-State Information Sharing and Analysis Center (MS-ISAC). 
Complementing and supporting State fusion centers and similar technical 
support is also of significant value as long as DHS ensures it is 
supporting the State's cybersecurity governance model. Broader efforts 
such as the National Initiative for Cybersecurity Education (NICE) are 
also vital for States to receive the type of talent they need to secure 
their systems, and should be expanded.
    Question 1c. What more could they be doing?
    Answer. In many States, neither Chief Information Officers nor 
their Chief Information Security Officers are cleared to the Top Secret 
level--only the Secret level. Therefore, they cannot receive vital 
information from the intelligence community on the most advanced 
international threats against our networks without explicit intention 
and additional pre-clearance. While DHS certainly would include a State 
CIO or his CISO in such a conversation, it is not so certain the rest 
of the intelligence community would know to reach out to the State CIO 
and clear them for such a briefing. This should be remedied.
    NASCIO hopes that greater information sharing and better tools to 
disseminate this information will be released as part of the 
implementation of Executive Order 13636 and Presidential Policy 
Directive 21. NASCIO and its members are pleased with the on-going 
effort to provide greater declassification of cyber threat information 
as part of the EO, and look forward to seeing greater results.
    In addition, we believe the National Cyber Security Review could be 
followed up with the promise of Federal technical assistance to State 
and local participants who lag behind in vital areas. This will have 
the dual benefit of safeguarding citizen data and encouraging greater 
participation in National level vulnerability assessments.
    Efforts to provide support for cyber education among public 
employees in the States and broader social awareness of on-line 
threats, similar to public awareness campaigns in the vein of ``see 
something, say something,'' are also valuable.
    Question 1d. Is there anything Congress can do to help?
    Answer. While opportunities for limited Federal assistance for 
cyber threats have been included in the National Preparedness Grant 
Program (NPGP), its shrinking pool of resources coupled with a 
formulaic structure that favors hardening targets against attacks at 
the jurisdictional level means States typically only have enough 
funding to maintain legacy homeland security investments and administer 
grants to local governments. For NPGP to meet the current threats faced 
by our States and localities, changes will need to be made to this 
program by Congress.
    Greater resources for technical programs that support information 
sharing, technical assistance, and cyber threat exercises would be 
valuable, as well. Efforts to increase the public sector cyber 
workforce, ranging from targeted initiatives such as the DHS National 
Initiative for Cybersecurity Education to supporting computer science 
education in schools at every level, are extremely valuable. Such 
programs should be expanded and supported--both for the sake of our 
Nation's homeland security and our economic security. Larger public 
service campaigns to increase knowledge of the risks on-line, in the 
model of ``see something, say something'' or ``click-it or ticket'' 
would help reduce risk to both public and private-sector networks.
    Question 2. As you may know, as a condition of receiving State 
Homeland Security Grant Program funding, the State Administrative 
Agency (SAA), which is usually either the State Homeland Security 
Advisor or Emergency Manager, must complete a Threat and Hazard 
Identification and Risk Assessment, which, as the name suggests, 
details threats and hazards facing each State. Some States, including 
my home State of Indiana, have included cybersecurity in their THIRAs.
    To your knowledge, have your colleagues been included in this 
process to ensure the SAAs have the best picture of the cyber threats 
they face?
    Answer. Unfortunately, NASCIO has no data on how many States 
include cybersecurity in their THIRAs, and whether SAAs have included 
their State CIOs in the THIRA process. NASCIO will review this 
question with its membership and attempt to provide the committee with 
a well-researched answer in the near future.
        Questions From Chairwoman Susan W. Brooks for Mike Sena
    Question 1a. Your fusion center is one of a small number of fusion 
centers in the National Network proactively incorporating cybersecurity 
into its mission. I applaud you and your fusion center's efforts in 
this challenging environment.
    What Federal, State, and local partnerships have you developed to 
help the NCRIC contribute to this important mission?
    Answer. Response was not received at the time of publication.
    Question 1b. What analytical products and situational awareness 
reports has the NCRIC produced? Do you have a sense as to how have 
these products been perceived by your partners?
    Answer. Response was not received at the time of publication.
    Question 1c. How is the National Fusion Center Association working 
to advance cybersecurity efforts across the National Network?
    Answer. Response was not received at the time of publication.
       Question From Chairwoman Susan W. Brooks for Paul Molitor
    Question. Mr. Molitor, in your testimony you mention the NEMA Field 
Representative Program.
    Would you please tell us more about this program and how, if at 
all, these experts are available as a resource to emergency management 
officials during an emergency?
    Answer. NEMA is the association of electrical equipment and medical 
imaging manufacturers, founded in 1926 and headquartered in Rosslyn, 
Virginia. Its 400-plus member companies manufacture a diverse set of 
products including power transmission and distribution equipment, 
lighting systems, factory automation and control systems, and medical 
diagnostic imaging systems. The U.S. electroindustry accounts for more 
than 7,000 manufacturing facilities, nearly 400,000 workers, and over 
$100 billion in total U.S. shipments.
    The NEMA Field Representative Program is geared toward providing 
information and training to government officials (including building 
code officials, electrical inspectors, and emergency managers), 
maintaining the lines of communications between these individuals and 
the manufacturing community, and assisting in the wake of disasters. 
The relationships forged in advance of the disaster are invaluable in 
the ensuing confusion and turmoil. As advocates of safe electrical 
systems and installations, NEMA Field Representatives make a valuable 
contribution to public safety.
    NEMA has four Field Representatives located in regional offices 
around the country. Their regions of coverage are aligned with the 
International Association of Electrical Inspectors (IAEI) Section 
Regions. The representatives are:
    (1) Mike Stone.--Region: AK, AZ, CA, HI, ID, MT, NV, NM, OR, UT, 
        WA.
    (2) Donald Iverson.--Region: WY, CO, ND, SD, NE, KS, MN, IA, MO, 
        AR, WI, IL, MI, IN, KY, OH, WV.
    (3) Paul Abernathy.--Region: TX, OK, LA, MS, TN, AL, FL, GA, SC, 
        NC, VA.
    (4) Jack Lyons.--Region: ME, NH, VT, NY, MA, RI, CT, NJ, PA, MD, 
        DE, DC.
                       preparing for emergencies
    One of the most important functions of the field representatives is 
to support a 3-year adoption cycle by States and local jurisdictions 
for National model building codes--including electrical, life safety, 
and energy--to coincide with the 3-year National revision cycles. These 
codes are:
   NFPA 70 National Electrical Code;
   NFPA 101 Life Safety Code;
   NFPA 99 Health Care Facilities Code;
   NFPA 72 National Fire Alarm and Signaling Code;
   NFPA 720 Carbon Monoxide Detection Code;
   International Building Code (IBC);
   International Residential Code (IRC);
   International Energy Conservation Code (IECC);
   International Green Construction Code (IgCC);
   International Fire Code (IFC).
    National model building codes provide the blueprint for 
constructing residential, commercial, and institutional buildings and 
other structures. They prescribe the minimum safety and performance 
standards which allow occupants to live and operate in a safe and 
optimally-performing building. Model building codes also prescribe the 
latest advancements in energy efficiency, resiliency in building 
structure, and life safety through the use of hazardous elements 
detection. The codes are revised through an open and transparent 
stakeholder process led by the International Code Council (ICC) and 
National Fire Protection Association (NFPA) every 3 years to 
incorporate advances in safety and technology in homes and buildings. 
Therefore, timely adoption in accordance with the National model 
revision schedule is vitally important.
    Direct adoption and enforcement of the latest building codes every 
3 years provides:
   enhanced safety to homeowners and building occupants through 
        the use of the latest technology and knowledge in life safety 
        (i.e., emergency lighting; fire, smoke, and carbon monoxide 
        detection) and electrical hazard protection (i.e., arc fault 
        circuit interrupters, ground fault circuit interrupters);
   utilization of the latest advancements in technology, 
        enabling the use of on-site energy generation for back-up power 
        and for ensuring the structural integrity of buildings.
    Proper installation of electrical equipment is key to safety and 
resiliency. The NEMA Field Representative Program provides training to 
State and local code officials, inspectors, and installers on the 
latest codes and on the proper installation and use of NEMA member 
products.
                       recovering from disasters
    While preparation is essential, loss of life and damage to property 
will inevitably occur. One responsibility of a NEMA Field 
Representative is to make himself available to Government officials 
after a natural disaster.
    Because safety is of paramount importance to our member companies, 
all time, travel, and materials associated with the Field 
Representative Program are paid for by NEMA members. In years past, NEMA 
Field Representatives have visited areas destroyed by Hurricanes Irene, 
Katrina, and Sandy. They've also responded to both flood and snow 
emergencies in the Midwest, as well as the Colorado flood earlier this 
year. In January of 2010, NEMA offered its Field Representatives to 
assist in Haiti after its devastating earthquake.
    When disaster strikes, NEMA promotes a number of resources for 
public officials addressing major infrastructure damage. NEMA's user-
friendly Evaluating Water-Damaged Electrical Equipment \1\ and 
Evaluating Fire- and Heat-Damaged Electrical Equipment guides are 
critical resources for protecting life and property after a disaster. 
Additionally, Storm Reconstruction: Rebuild Smart offers strategies for 
reconstructing electrical infrastructure in such a way that mitigates 
future disasters. All of these resources are available on NEMA's 
website, www.nema.org.
---------------------------------------------------------------------------
    \1\ http://www.nema.org/Standards/Pages/Evaluating-Water-Damaged-
Electrical-Equipment.aspx#download.
---------------------------------------------------------------------------
    As rebuilding commences, NEMA Field Representatives assist in 
solving problems involving the installation of NEMA member products by 
serving as intermediaries between Government officials and NEMA member 
companies. Decision makers should involve NEMA in the wake of disasters, 
and a recent example highlights this.
    In the wake of Superstorm Sandy, the New Jersey Department of 
Consumer Affairs (DCA) issued a directive for installers. The DCA 
stated that for wiring that had been submerged under water, ``If 
undamaged, no replacement is necessary.''\2\ This directive is at best 
unclear, and the DCA implied on its web page that the continued use of 
previously submerged wire is fine by stating that equipment was safe to 
use for 90 days.
---------------------------------------------------------------------------
    \2\ http://www.nj.gov/dca/divisions/codes/alerts/pdfs/
hurricane_sandy_guidance_11_2012.pdf.
---------------------------------------------------------------------------
    This position does not comport with the NEMA recommendations in 
Evaluating Water-Damaged Electrical Equipment.
    The guide states:

``Electrical equipment exposed to water can be extremely hazardous if 
reenergized without performing a proper evaluation and taking necessary 
actions. Reductions in integrity of electrical equipment due to 
moisture can affect the ability of the equipment to perform its 
intended function. Damage to electrical equipment can also result from 
flood waters contaminated with chemicals, sewage, oil, and other 
debris, which will affect the integrity and performance of the 
equipment. Ocean water and salt spray can be particularly damaging due 
to the corrosive and conductive nature of the salt water residue.
`` . . . 
``4.6 Wire, Cable and Flexible Cords When any wire or cable product is 
exposed to water, any metallic component (such as the conductor, 
metallic shield, or armor) is subject to corrosion that can damage the 
component itself and/or cause termination failures. If water remains in 
medium voltage cable, it could accelerate insulation deterioration, 
causing premature failure. Wire and cable listed for only dry locations 
may become a shock hazard when energized after being exposed to water.
``Any recommendations for reconditioning wire and cable in Section 1.0 
are based on the assumption that the water contains no high 
concentrations of chemicals, oils, etc. If it is suspected that the 
water has unusual contaminants, such as may be found in some 
floodwater, the manufacturer should be consulted before any decision is 
made to continue using any wire or cable products.''

    NEMA Field Representatives expressed their objection to the DCA 
directive after it was issued, but NEMA's concerns were not addressed, 
and have yet to be. Subsequent to issuance of the directive, tragedy 
struck Seaside Park and Seaside Heights, New Jersey, when more than 50 
businesses on the boardwalk were destroyed by fire. Investigators have 
ruled the fire accidental and believe electrical wiring that had been 
submerged by seawater during Superstorm Sandy is the culprit.
    NEMA continues to advocate for electrical safety in New Jersey and 
across the country.