[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
GAO HIGH RISK FOCUS: CYBERSECURITY
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON
GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
JULY 25, 2018
__________
Serial No. 115-110
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.govinfo.gov
http://oversight.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
32-932 PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
Committee on Oversight and Government Reform
Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana
Michael Cloud, Texas

Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Jimmy Gomez, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
Stacey E. Plaskett, Virgin Islands
John P. Sarbanes, Maryland
Sheria Clarke, Staff Director
William McKenna, General Counsel
Meghan Green, Counsel
Troy Stock, Information Technology Subcommittee Staff Director
Julie Dunne, Government Operations Subcommittee Staff Director
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Information Technology
Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Steve Russell, Oklahoma
Greg Gianforte, Montana
Michael Cloud, Texas

Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
------
Subcommittee on Government Operations
Mark Meadows, North Carolina, Chairman
Jody B. Hice, Georgia, Vice Chair
Jim Jordan, Ohio
Mark Sanford, South Carolina
Thomas Massie, Kentucky
Ron DeSantis, Florida
Dennis A. Ross, Florida
Rod Blum, Iowa

Gerald E. Connolly, Virginia, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
C O N T E N T S
----------
Hearing held on July 25, 2018
WITNESSES
The Honorable Gene L. Dodaro, Comptroller General of the United States, U.S. Government Accountability Office
    Oral Statement
    Written Statement
Ms. Suzette Kent, Federal Chief Information Officer, U.S. Office of Management and Budget
    Oral Statement
    Written Statement
APPENDIX
Response from Mr. Dodaro, Government Accountability Office, to Questions for the Record
Response from Ms. Kent, Office of Management and Budget, to Questions for the Record
GAO HIGH RISK FOCUS: CYBERSECURITY
----------
Wednesday, July 25, 2018
House of Representatives,
Subcommittee on Information Technology joint with
Subcommittee on Government Operations,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 2:25 p.m., in
Room 2154, Rayburn House Office Building, Hon. Will Hurd
[chairman of the Subcommittee on Information Technology]
presiding.
Present: Representatives Hurd, Mitchell, Hice, Amash,
Massie, DeSantis, Blum, Kelly, Connolly, Raskin, Maloney, and
Norton.
Mr. Hurd. The Subcommittee on Information Technology and
the Subcommittee on Government Operations will come to order.
And, without objection, the presiding member is authorized to
declare a recess at any time.
I would like to now recognize my friend and partner in
crime, the distinguished gentlewoman from the great State of
Illinois, for her opening remarks.
Ms. Kelly. Thank you, Mr. Chair. And not too much crime.
Thank you, Mr. Chairman and Chairman Meadows, for holding
this important hearing. Ms. Kent, welcome to today's hearing,
and thank you for testifying today and sharing your vision for
cybersecurity as a new Federal CIO, and it was great to meet you
in my office.
And, Mr. Dodaro, special thanks to you for the extensive
work you and all the dedicated professionals at GAO put into
providing this special midcycle high-risk report on
cybersecurity, and it was nice meeting with you also.
GAO's newly issued report raises serious concerns about our
Nation's ability to confront cybersecurity risk. GAO found key
deficiencies that could hinder the government's progress in
strengthening the Nation's cyber defenses. For example, GAO
found that the Trump administration's plans failed to include
basic components needed to carry out a national strategy for
protecting critical cyber infrastructure.
Among the missing components were details about performance
measurements and milestones for determining whether the
country's cyber objectives are being met and the resources that
would be needed to carry out those objectives. GAO's report
highlights the need for the administration to develop and
execute a more comprehensive Federal strategy for national
cybersecurity and global cyberspace. It underscores the
importance of having a cybersecurity coordinator in the White
House to develop a more robust cybersecurity strategy for the
country.
But, here again, the Trump administration is not rising to
the challenge. Two months ago, the President's National
Security Advisor, John Bolton, eliminated the position of White
House cybersecurity coordinator. This decision was contrary to
a prior GAO recommendation to have a White House cybersecurity
coordinator in the Executive Office of the President develop an
overarching Federal cybersecurity strategy at a time when our
Nation is facing persistent cyber threats ranging from foreign
adversaries who seek to undermine our elections to criminal
hackers who steal sensitive data. The administration's decision
to eliminate the key cybersecurity position in the White House
should raise alarm.
Today's report also shows that the number of Americans
whose personal information has been compromised in government
and private sector data breaches is growing. And there's a need
for stronger measures and congressional action to protect
consumer privacy. GAO found that the vast number of individuals
potentially affected by data breaches at Federal agencies and
private sector entities in recent years increases concerns that
personally identifiable information is not being properly
protected.
GAO's findings are supported by two recent reports that
highlight the heightened challenges public and private sector
organizations are facing in securing sensitive data. In April,
Verizon issued a report showing that in the past 12 months
alone, there were over 53,000 incidents and 2,216 confirmed
data breaches. And just last week, the Attorney General's
Cyber-Digital Task Force released a report showing that there
were at least 686 data breaches reported in the first quarter
of 2018, resulting in the theft of as many as 1.4 billion
records.
Last year's data breach at Equifax, in which over 143
million Americans had their personal information stolen, and the
2015 breach at OPM, which affected approximately 22.1 million
individuals, illustrate the massive scale of harm to privacy
and security that these breaches have. To address the growing
concerns about privacy, GAO recommended that Congress
straighten out privacy laws, the majority of which were written
well before the development of new technologies, ranging from
the use of social networking sites, the facial recognition
technologies, and many mobile applications. Congress should
heed GAO's recommendations and reexamine how our privacy laws
can be strengthened to ensure that consumers' personal privacy
is adequately protected.
I want to thank our witnesses for testifying today. And I
normally would say I look forward to hearing your testimony,
but I have to leave. But I look forward to reading it on how we
can improve the Nation's cybersecurity.
And thank you again, my friend, Mr. Chairman.
Mr. Hurd. Good afternoon, y'all. Today's hearing returns to
a familiar field for this subcommittee, an area of top
bipartisan concern and focus, and that's the cybersecurity of
the Federal Government. The Federal Government and our Federal
agencies, like everything else in today's digital society, are
dependent on IT systems and electronic data, which make them
highly vulnerable to a wide and evolving array of cyber
threats.
Federal civilian agencies reported over 35,000 information
security incidents to US-CERT last fiscal year. This
represents a 14 percent increase over the previous year.
Securing Federal systems and data is vital to the Nation's
security, prosperity, and well-being. It should concern all of
us, therefore, that the GAO has concluded in the interim high-
risk report that spurred this hearing that urgent actions are
needed to address ongoing cybersecurity challenges in the
Federal Government.
In this report, the GAO identified four major cybersecurity
challenges: establishing a comprehensive cybersecurity strategy
and performing effective oversight, securing Federal systems and
information, protecting cyber critical infrastructure, and
protecting privacy and sensitive data. To address these four
challenges, GAO identified 10 critical actions the Federal
Government entities need to take. I'm looking forward to
exploring those 10 items.
Since 2010, GAO has made over 3,000 recommendations to
agencies aimed at addressing these four cybersecurity
challenges. And as of June of this year, nearly 1,000 of those
recommendations have not been implemented. It's not acceptable
given the threat we face. These open, lingering vulnerabilities
put us at incredible risk, as we saw with the devastating data
breaches at OPM.
While I do not expect Ms. Kent or anyone else to have all
the answers today, I want to hear from GAO, the most critical
open recommendations, and from Ms. Kent, concrete plans to
close them. I want to commend Mr. Dodaro and his team at GAO
for issuing this report. Midcycle updates to the high-risk list
are not common. I recommend all agency CIOs read this report
and apply the applicable recommendations to the respective
agencies and systems, because guess what, we're going to be
asking you about them.
And, as always, I'm honored to explore these issues in a
bipartisan fashion with Ranking Member Kelly, Chairman Meadows,
and Ranking Member Connolly. The four of us have worked
together for years on these issues, and I'm honored to be
joined here with them throughout today's hearing.
Now, it's a pleasure to introduce our witnesses. The
Honorable Gene Dodaro, comptroller general of the United States
Government Accountability Office. You always hold a special
place in my heart because you were my first hearing being in
Congress. Mr. Dodaro is accompanied by Mr. Gregory C.
Wilshusen, the director of Information Security Issues at GAO,
who will also be sworn in. And Ms. Suzette Kent, Federal chief
information officer at the Office of Management and Budget. I
think this is your first time here. I don't think it's the
first time testifying in Congress, but welcome.
Pursuant to committee rules, all witnesses will be sworn in
before they testify. So please stand and raise your right hand.
Do you solemnly swear or affirm that the testimony you're
about to give is the truth, the whole truth, and nothing but
the truth, so help you God?
Thank you.
Please let the record reflect that all witnesses answered
in the affirmative.
And in order to allow time for discussion, please limit
your testimony to 5 minutes. The entire written statement has
been made part of the record. And as a reminder, the clock will
show your time remaining. When it's yellow, you have 30
seconds. When it's red, your time is up. And remember to press
the button.
And we'll start with Mr. Dodaro. You're now recognized for
5 minutes.
WITNESS STATEMENTS
STATEMENT OF GENE L. DODARO
Mr. Dodaro. Thank you very much, Mr. Chairman, Ranking
Member Kelly, members of the committees that are here today. I
very much appreciate the opportunity to be here to discuss this
important topic.
This is an area that's been of long concern to me. We at
GAO designated cybersecurity across the Federal Government as a
high-risk area in 1997. So nobody could say we didn't warn
people that this was going to be a problem. In 2003, we
expanded that high-risk designation to include critical
infrastructure protection. And, in 2015, we included the need
to protect personally identifiable sensitive information as
well.
Now, the government has taken a number of actions,
especially since the OPM breach. Mr. Chairman, as you
mentioned, there's been executive orders, strategies, document
studies, but there still needs--much more needs to be done in
this area.
As you referenced in your opening statement, since 2010,
we've made over 3,000 recommendations. While two-thirds of
those have been implemented, there's still 1,000
recommendations that need action. Now, the four areas that we
identified I think are especially important.
First is establishing a comprehensive strategy, and
importantly, having effective mechanisms in place to oversee
its effective implementation. And this is to include global
supply chain issues; critical workforce issues; and in dealing
with emerging technologies that are going to bring new risk,
such as artificial intelligence, the internet of things,
quantum computing.
Secondly, there needs to be more urgent action to secure
the Federal information systems. There needs to be more
effective implementation of governmentwide efforts like
continuous diagnostics and mitigation. Agencies need to fix
their systems. There needs to be more attention to responding
effectively when incidents do occur. Over time, we've seen
agencies be slow to implement the effective actions.
On critical infrastructure protection, and this is an area
that needs a lot more Federal attention. Now, in many areas,
the Federal Government has some regulatory responsibilities in
this area, but by and large critical infrastructure protection
is a voluntary effort by the private sector. The National
Institute of Standards and Technology has developed an
approach that the private sector can use, but it's all
voluntary. So there's really not a clear picture, in my
opinion, across the different sectors. And there's 16 different
sectors of the economy that make up critical infrastructure,
including electricity grid, telecommunications, nuclear issues,
utilities, et cetera, the financial market areas as well.
So these are vital to our economic health. They're vital to
public health and safety. And there needs to be more
collaboration and a better understanding of to what extent have
these voluntary standards been implemented by the various
sectors, and what is their state of readiness to deal with
these issues?
The fourth area deals with privacy. Now, here, Federal
agencies themselves need to better secure sensitive
information. We've issued reports recently on a need to protect
Medicare beneficiary data, for example, electronic health
information systems, data on Federal student loans, there's a
lot of personal data there, financial data that families
submit. So that needs to be dealt with definitely. And we need
to think about what information the Federal Government will
collect going forward. We've made some recommendations on need
to eliminate unnecessary use of Social Security information,
for example.
We also have recommendations to the Congress in this area.
The Privacy Act was passed in 1974 and the E-Government Act
in 2002; they need to be updated as well.
And I'd also--we've recommended, since 2013, that the Congress
establish a consumer privacy framework for the private sector.
In those areas, the Federal Government has put out, in some
sectors, healthcare and, you know, credit reporting, some
requirements for the private sector. But by and large the
Federal Government has not set requirements for this area,
particularly as it relates to information resellers as well.
So, again, Mr. Chairman, I want to thank you for the
opportunity to be here today. I asked our team to put together
this special report because I don't think the Federal
Government's moving at a pace commensurate with the evolving
threat in this area, and we need all to work harder, faster to
address this issue.
Thank you very much.
[Prepared statement of Mr. Dodaro follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Mr. Dodaro.
Ms. Kent, you're now recognized for 5 minutes for opening
remarks.
STATEMENT OF SUZETTE KENT
Ms. Kent. Chairman Hurd, Chairman Meadows, Ranking Member
Kelly, Ranking Member Connolly, and members of the committee,
thank you for having me here today. I am honored to be here to
speak with you, and I appreciate all the forums that inspire
more aggressive actions towards improving Federal
cybersecurity.
My goal today is to share with you the progress that has
been made against the areas highlighted by the comptroller
general, but more important, to share the perspectives on what
still needs to be done. And I'd like to engage your continued
support on that.
Advancement of our cybersecurity posture, both at agency
levels and across the Federal enterprise, is one of the most
important parts of my job. Tomorrow will actually mark 5 months
serving at OMB as the Federal chief information officer. And I
joined from the financial services industry where the bar is
high for cybersecurity and data protection, and I bring that
same high bar of expectations to my role as Federal CIO.
I was fortunate to come into the role when the
administration was setting out the President's Management
Agenda that focuses on technology modernization, data
accountability and transparency, and building the workforce of
the 21st century.
Cybersecurity is a core component of the PMA's IT
modernization goals. It's also embedded in the work that we are
driving under other goals. The goals for sharing quality
services and improving IT spending have elements that drive the
use of modern technologies and industry best practices to
improve our overall cyber posture.
Additionally, the PMA stresses strategies for recruiting,
retaining, and re-skilling our Federal IT and cybersecurity
workforce, because our current status is as much a people issue
as it is a technology issue. While the PMA outlines the
critical areas of focus, OMB's statutory cybersecurity roles
are predominately defined by the E-Government Act of 2002 and
the Federal Information Security Modernization Act of 2014.
Our roles align to three main things: development of policy
and oversight for the Federal civilian systems, assisting
agencies with data analysis and budget, and gathering evidence
that promotes solutions that achieve these policies and
standards. To carry out these responsibilities, we work closely
with agency technology leaders, DHS, NIST, DOD, the
intelligence community, and the National Security Council.
But because cybersecurity requires deep expertise both
about technology and the mission functions, it does take a
collaborative approach to address both the agency-specific and
enterprise demands. I am united with the Federal Inspector
General community in the mission of securing our systems and
data on a journey that actually doesn't end.
The improvements in Federal cybersecurity outlined in GAO's
report are due to a focus on accountability, and it's my goal
to further advance the culture of continuous evolution of our
cyber capabilities and our workforce to tackle the things that
we still must do.
In May of 2017, the President signed Executive Order 13800
regarding strengthening cybersecurity of Federal networks. This
executive order recognized that we need to defend the security
of citizen information and ensure the agencies consider
cybersecurity as a vital part of their core mission. As part of
this EO, the White House also published a report to the
President on Federal IT modernization, which included 52 tasks,
such as safeguarding high-value assets, network consolidation,
use of commercial cloud solutions, and strengthening identity
management tactics. I share with you today that 37 of those 52
tasks have been completed, many of them ahead of schedule, and
we intend to complete the remaining tasks by the end of the
year.
Executive Order 13800 also directed OMB to develop the
Federal Cybersecurity Risk Determination Report and an action
plan. Together, OMB and DHS conducted agency risk management
assessments to measure agency cybersecurity capabilities, and
very specifically, their risk mitigation approaches. This
report did evidence that there's still much to do to improve
the awareness of the threat environment, and we're using these
findings to prioritize both the investments and the focus of
resources.
There are other key initiatives I'll quickly highlight. As
chair of the Technology Modernization Board, I'm excited by the
way this vehicle supports acceleration of modernization, and we
appreciate the funding that Congress provided this year, and we
hope to receive funding for next year. We are focused on
enhancing CIO authorities.
And, lastly, and most importantly, we are updating old
policies, policies that are not effective given the current
state of technology capabilities. We're delivering new policies
for high-value assets, data centers, continuous monitoring,
cloud technologies, and network optimization in the coming
months.
In closing, I'm fortunate to take on this role with a clear
and focused technology agenda. Cybersecurity has to underpin
everything we're doing, from acquisition to operations, because
the battle is continuous and our effort to raise the bar and
outpace our adversaries is a mission imperative for every
agency.
I look forward to working with Congress and the leaders
across the Federal Government agencies to be aggressive and
relentless about improving Federal cybersecurity. And I thank
you for the opportunity to talk with you today.
[Prepared statement of Ms. Kent follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Ms. Kent.
Now we'll go to the first round of questions. The
distinguished gentleman from Georgia is now recognized for 5
minutes.
Mr. Hice. Thank you very much, Mr. Chairman. Thank you both
for being here. Mr. Dodaro, good seeing you again. And, Ms.
Kent, congratulations on your recent position.
Last year, fiscal year 2017, Federal civilian agencies
reported over 35,000 information security incidents. That's a
stunning number, about a 15 percent increase from the previous
year.
This is really to both of you to begin with. What's driving
that increase?
Mr. Dodaro. I think there's at least two things. One,
there's a better awareness on the part of the agencies to
report incidents, which do occur. But I also think that it's
being driven in part by more aggressive activity on the part of
state and non-state actors to try to penetrate the Federal
Government systems. This applies to critical infrastructure
protection as well. And so I think it's, you know, both--both
factors are at play here at a minimum.
Ms. Kent. I concur. And we do see an increase across the
entire industry in threats, but you also see the increase in
reporting, and that's something that we need to continue to
move more aggressively across all of the agencies.
Mr. Hice. All right. So it's both, and we're having more
incidents, more attacks, and we're also getting better at
detecting them?
Ms. Kent. Yes.
Mr. Hice. All right. Can you walk me through some of the
various means that attackers use to initiate some sort of cyber
attack, the threat vectors? What's most common? What's most
preventable?
Mr. Dodaro.
Mr. Dodaro. Yeah. There's--you know, phishing attacks have
been particularly prominent lately in terms of somebody sending
an email to someone in the hopes that they'll download
malicious code or other factors. There's, you know, social
engineering that takes place in those areas as well. There's--
one of the largest categories, though, in the reporting is
other. And other includes they don't know what the threat
vector was and how people were able to penetrate the system.
That is one of the most concerning aspects of this.
Mr. Hice. All right. I want to get there. What are the
vectors? When you talk about vectors, what--you've got
phishing, you got--what else? What are we dealing with?
Mr. Dodaro. Yeah, we have a pie chart in our testimony. Let
me just pull that up here.
Ms. Kent. Improper usage, email and phishing.
Mr. Dodaro. Right.
Ms. Kent. Loss and theft of equipment and other web-based
attacks.
Mr. Hice. Okay. So those comprise more or less 70 percent.
Then you mentioned 31 percent----
Mr. Dodaro. Right.
Mr. Hice. --other. So does that mean we have no idea how
they're breaking in or what they're doing, or what does that
mean?
Mr. Dodaro. That means that there's--it's unknown, and in
some of these cases how these things have occurred. I mean,
that's the concerning part of this, and that's one of the
points that we make in the report. That's why it's important to
have an effort to detect these things when they occur. What's
been reported in these cases, I mean, the attacks happen in a
matter of minutes, but the detection doesn't occur for months
later. And that impairs the ability to determine exactly what
happened that led to this attack situation.
Mr. Hice. All right. Ms. Kent, do you want to add to that,
your definition or whatever of other?
Ms. Kent. I would just add to the last point that Mr.
Dodaro made, is that we have identified that we have to move
much more quickly when an attack is identified, to not only
share that threat information across agencies, but to act and
begin immediate remediation of those issues.
Mr. Hice. All right. Once an attack comes in, particularly,
I'm with you, concerned about the other where we have no idea
how they're getting in. Is there any way of tracking where
they're coming from?
Mr. Dodaro. Some of that's possible with some forensics,
but in some cases there's not clear audit trails in the systems
that are created in the documentation there. One of the big
problems, Congressman, here is that, you know, the Federal
Government and a lot of agencies are saddled with these legacy
financial systems that are like a millstone around their neck.
They're old systems. They were designed before security was a
prominent area. Some of them at IRS are from the sixties. And
so there's not good documentation and, therefore, there's not a
good audit trail to follow to figure out how things were
introduced.
Mr. Hice. Which is surprising to me and kind of inexcusable,
seeing that it's tens and tens and tens of millions of dollars we give for
IT on an annual basis around here. It just amazes me that we're
still using such legacy systems. It seems like----
Mr. Dodaro. Well, of the billions of dollars that you give
every year, $80-$90 billion, 75 percent of it goes to maintain
these legacy systems.
Mr. Hice. Rather than get updated.
Mr. Dodaro. Rather than get updated. That's why we added IT
acquisitions and operations across the government as a high-
risk area in 2015.
Mr. Hice. My time has expired. Mr. Chairman, thank you so
much.
Mr. Hurd. The representative from the District of Columbia,
Ms. Holmes Norton, you're now recognized for 5 minutes.
Ms. Norton. Thank you very much.
And I must say, not only do I appreciate our guests
appearing, I appreciate the committee for having this hearing,
because frankly, I think Americans are increasingly terrified,
wondering if anybody is protecting their cybersecurity. And the
reason I think so is what we're hearing even on mass media.
This is really an old problem. How many years ago was it
this very committee had a hearing on how our Federal employees
had been penetrated, and the Congress actually, at that time,
gave Federal employees 10 years of protection against further
penetration by way--I'm sure that's running, I'm not sure how
long it has to go. I have a bill called the Recover Act. In
light of the negligence of the Federal Government, it seems to
me that the very least we could do would be to give lifetime
coverage. And that's been sufficiently long ago, more than 5
years ago. I think it's going to come up against soon and we're
going to be faced with that question for our own employees.
Now, this committee had a recent hearing, and if you want
to get--if you want to frighten our people, the head of the
DHS, Under Secretary, testified that the Russians were already
scanning--it's the word he used--all 50 States. He couldn't
tell me that all 50 States, they were doing something in all 50
States. It sounds like reconnaissance. We're looking to see
when to hop and whom to hop upon.
So I'm very interested, I think because I represent so many
Federal employees that were among those first implicated.
And, Mr. Dodaro, I'd like to ask you about Federal
strategy. I'd like to be able to say I left this hearing and I
learned something that should put some of my own constituents
at ease.
Would you tell me what the Federal strategy is for
protecting national cybersecurity here and penetration globally
from outside of the United States? Do you have access to such a
national strategy?
Mr. Dodaro. There are several documents that have been put
forward by the executive branch. DHS----
Ms. Norton. Would you call that a national cybersecurity
strategy? And what do you mean by documents? Would you tell us
what a document does?
Mr. Dodaro. Sure. Sure. Sure. You know--well, first of all,
our main point today is there's a need for a more comprehensive
national strategy.
Ms. Norton. There must be something, if you say a more
comprehensive----
Mr. Dodaro. Right, right. There has been a foundation laid
by the government for these strategies. DHS has a strategy that
they put forward, they're responsible for coordinating across
the Federal Government, and with critical infrastructure
protections, and they've laid out a number of components of
that strategy. But we found they need--they didn't identify who
the--what resources they needed, how they were going to
determine they were making progress----
Ms. Norton. Since several agencies would be involved, who
should be in charge of coordinating the development of a
strategy--cybersecurity strategy?
Mr. Dodaro. Well, it needs----
Ms. Norton. National cybersecurity strategy.
Mr. Dodaro. Yeah. You need to have either an individual or
an entity or a process in order to have somebody to
coordinate----
Ms. Norton. For example, with more than a number of
agencies involved, who would you suggest? You, the GAO, might
be----
Mr. Dodaro. Well, it needs to be led out of the White
House, in my opinion.
Ms. Norton. It needs to be led out of the White House. Back
and forth.
Mr. Dodaro. Because you're dealing with national and global
issues in this case.
Ms. Norton. That's where the coordination needs to happen,
and I appreciate that.
Mr. Dodaro. Well, it needs to happen at all levels, but
the----
Ms. Norton. Now, somebody needs to be in charge. My
concern, Mr. Dodaro, is I can't say to my constituents, don't
worry about it. Either some agency is in charge or somebody in
the White House is in charge.
What about milestones? Are there at least and what has been
put forward by individual agencies, milestones, so that I could
say to my own constituents, well, they're this far along and
here's an example? That's what people are looking for. Assure
me. Reassure me.
Mr. Dodaro. No, we would like to see more milestones. DHS
has told us, for example, they're working on their strategy,
it's supposed to be out next month, that would identify
milestones that would include the resources and the performance
measures. So we'll wait to see. But that's supposed to be
forthcoming.
Ms. Norton. Ms. Kent, finally, let me ask you, because you
are dealing with the IT strategy for the Federal Government. Do
you have milestones? And where are we when it comes to helping
agencies operationalize these policies so that there is at
least governmentwide such an IT strategy? Are they milestones?
Who's implementing them? Who's in charge? Are you in charge?
You're the chief financial officer, or please detail that.
Ms. Kent. There are indeed milestones, and many of the
points that have been made around deployment of continuous
diagnostic and monitoring tools, securing agency data,
modernizing their technology are part of the milestones that we
are tracking. You did see in the report that we are behind
across the agencies on some of those. So we have a very
specific focus.
There was a milestone set for deployment of the continuous
diagnostic and monitoring tools. We have not met that
milestone, and we're working very aggressively with the----
Ms. Norton. What are monitoring tools, please?
Ms. Kent. To be able to--for all of the agencies to have
implemented tracking capability so that they know what is on
their network.
Ms. Norton. Yeah. I'm worried about the scanning, for
example.
Ms. Kent. Yes. So that we know who is accessing their
network----
Ms. Norton. Yeah.
Ms. Kent. --and what. And so we are working very
aggressively with DHS. And one of the critical things that we
did as part of the President's Management Agenda was reassess
high-value assets. I am pleased to say that we had 100 percent
participation from every agency to identify those assets that
are most critical, applications and data, and we're working
with DHS on those that are most critical for next set of
activities.
Ms. Norton. Thank you very much.
Mr. Chairman, I think the committee needs to do more to
press the milestone notion so that we can reassure the American
people that we're getting there and how soon we're going to get
there. Thank you very much.
Mr. Hurd. Thank you.
The gentleman from Michigan is now recognized for 5
minutes.
Mr. Mitchell. Thank you, Mr. Chair.
I'd like to pursue a little bit the questioning that my
colleague had a few moments ago about these 35,000-plus, quote,
incidents. Can you define, Mr. Dodaro, a little more carefully
what an incident is, in your interpretation?
Mr. Dodaro. I'm going to ask Mr. Wilshusen, our expert in
this area, to explain those.
Mr. Mitchell. Turn your mic on, sir.
Mr. Dodaro. Oh, I'm sorry. I'm going to ask Mr. Wilshusen
to explain those. He's our expert in that area.
Mr. Mitchell. Because these aren't--incidents aren't just
someone tinkering around trying to scan in your system. Please
define them a little more carefully.
Mr. Wilshusen. Right. These would be incidents that
actually have impacted an agency operation or so. They were
able to gain access, and they do this through a number of
different mechanisms. One of the more common ones, it's just
through what is known as a phishing attack.
Mr. Mitchell. Phishing, sure.
Mr. Wilshusen. In which you send an email with a link and
someone clicks on it and it sends them to a----
Mr. Mitchell. Sends malware.
Mr. Wilshusen. --or download some suspicious software.
Mr. Mitchell. Okay.
Mr. Wilshusen. It can also be the loss or theft of
equipment that contains sensitive information as well.
Mr. Mitchell. Sure.
Mr. Wilshusen. So there are a number of different types of
incidents, but these are ones that do have an impact or can
have an impact on the agency.
Mr. Mitchell. Now, Mr. Dodaro, you referenced earlier that
state and non-state actors has been suggested as discussions
already started that, again, we're back to Russia. These state
actors, examples of state actors impacting our systems go far
beyond Russia, do they not?
Mr. Dodaro. Yes, they do. I mean, some of the intelligence
community has singled out, you know, Russia, China, Iran, North
Korea, as you know, actors in this area as well.
Mr. Mitchell. I'll run the risk of offending some people by
saying that I believe occasionally some of our allies actually
occasionally are trying to wander around our systems too.
Mr. Dodaro. It could be. I mean, I would defer to the
intelligence community for those responses.
Mr. Mitchell. I'll let them get into it. I want to stress,
the reality is we face threats both internally and externally
through cybersecurity.
When an incident happens, Ms. Kent, how--what's the
timeframe by which you're informed we have some level of an
incident?
Ms. Kent. There are various timeframes depending on the
incident and when the agency identifies the particular
activity. Like you just heard, there's different types of
issues and incidents. Some of those may be very quick, others
may be a longer timeframe. And as Mr. Dodaro indicated,
particularly in situations where there is some type of malware
or an attempt to----
Mr. Mitchell. Let me stop you. I appreciate it. You've
got--I understand they can't inform you until they know about
them; that's problem one. We'll get to that in a moment.
Problem two is that the time from when they have knowledge of
the incident, what's the general--what's the expectation--let
me change that--what's the expectation that you put out, the
White House has put out to inform you that we have an incident
of some form? What's the expectation?
Ms. Kent. The expectation is that the agency informed DHS,
who is looking at our enterprise risk, and we are tracking
all----
Mr. Mitchell. What's the timeframe on that? Once more, what
is the timeframe on that?
Ms. Kent. As immediately as they know.
Mr. Mitchell. So, theoretically, the same day, next day,
that night, whatever the case may be?
Ms. Kent. As quickly as they have identified the incident.
Mr. Mitchell. When do you find out about it?
Ms. Kent. I find out in reports from DHS?
Mr. Mitchell. Which is--takes what kind of timeframe?
Ms. Kent. Depends on the type of incident.
Mr. Mitchell. Go ahead, give me examples.
Ms. Kent. I don't actually have an example.
Mr. Mitchell. Okay. Let me ask you a question, if I can,
Mr. Dodaro. The FISMA audits that are done, in your opinion,
are they sufficient, and are actions being taken on those
audits at this point in time?
Mr. Dodaro. They're a starting point because they're
supposed to identify a comprehensive information security
system. We find that there are deficiencies in all aspects,
access control, segregation of duties, configuration management,
contingency planning, so--and they're not remedied as quickly
as possible. So there are serious security weaknesses that have
existed for years, and a number of the FISMA audits at the
agencies are in place. But there needs to be more done, because
they need to have better response when they find incidents.
Mr. Mitchell. Who's responsible for those--for that
followup?
Mr. Dodaro. Well, each agency is responsible for their own
actions, and this is an issue, because they're not correcting
the problems fast enough, in my opinion. That's why we have it
as a designated high-risk area across the entire Federal
Government. Virtually every agency has serious weaknesses. And
I don't think enough attention's focused by agency managers on
getting these areas fixed. We've made recommendations to OMB
that they send out more guidance to the agencies to hold senior
leaders accountable for getting these weaknesses fixed.
Mr. Mitchell. One of the things that astonished me, and my
time expired here, but let me finish this one comment, Mr.
Chair, is that when I first joined Congress and joined this
committee, I was astonished by the number of agency chief
information officers that--how do you get someone leading when
you've got all of these people doing their own thing? I mean,
you----
Ms. Kent, you were in the private sector, and I am short on
time so I can't--that didn't happen in your world, now, did it?
Ms. Kent. It did not. And that's also one of the focuses
that we have had both under FITARA as well as the recent
executive order to have a single CIO that has accountability,
responsibility, and visibility across the entire agency, so
that we can move the types of things that we were talking about
much more quickly.
Mr. Mitchell. And with that, when there's an incident, they
should tell DHS and they should tell you at the same time.
Ms. Kent. Yes.
Mr. Mitchell. Thank you. I will yield back. Thank you, Mr.
Chair, I'm sorry.
Mr. Hurd. The distinguished gentleman from Iowa is now
recognized for 5 minutes.
Mr. Blum. Thank you, Chairman Hurd.
Mr. Dodaro, good to see you again. Ms. Kent, good to see
you. Thank you for appearing today.
I'm going to change gears a little bit, and I'd like to
hear from you your expertise on cloud computing. I understand
the Department of Defense is going to have a private company in
the private sector host, via the cloud, a lot of government
data. And I don't know, my first reaction is, you know, it
concerns me a little bit, it concerns people in my district
when they hear that. Maybe I shouldn't assume anything.
Do you feel confident that this data will be more secure
than if it were with the Federal Government, and why?
Mr. Dodaro. Cloud computing offers the potential for, first
of all, cost savings, and a more rapidly updating of the
systems that are used in place. You know, as we mentioned, you
know, these legacy systems have been in the Federal Government
for a long period of time, and that's a big problem. If you go
to the cloud, then the updating of those systems become the
responsibility there.
Now, that being said, there are cost efficiencies and other
efficiencies that could be gained. The security is a paramount
issue that needs to be addressed. We're looking now, there is a
program that's supposed to ensure that there's security over
the cloud operations. It's called FedRAMP, is the acronym for
it. And we're looking to see if it's an effective tool to make
sure there's adequate security in the cloud operations.
Now, the last point I'd make is that the Federal
Government's own record of security is pretty abysmal. So, you
know, as a starting point--so I don't think, you know,
everybody--everybody have a total confidence that everything's
fine now, and it may be worse later if we move to the cloud.
But you have to be careful in making the move to the cloud
environment to make sure there's adequate security.
Mr. Blum. So more secure is what you feel, I guess?
Mr. Dodaro. It could be, but we need to take care to make
sure the requirements are there, they're set properly, there's
adequate testing, there's certification, there's requirements
and operations. It offers a lot of potential for savings, cost
savings for the Federal Government, and more up-to-date systems
that are better patched properly and in place. But the security
remains as much of a concern with the cloud environment as it
does with the Federal agencies, and we need to take due care.
Mr. Blum. Ms. Kent.
Ms. Kent. Yes, sir. I agree that it can be--it can
definitely be secure. And in many cases, it is maintained in a
way that we've--we have seen--we have not necessarily done
across some of the Federal systems.
I would add two other things to what Mr. Dodaro said, is
that there's a discipline around understanding the data and
what we're moving to the cloud and how we control access to
that. And that is the discipline that we're trying to drive
with the agencies as they're considering their transformations
and the cloud technologies that they're using. So it's a
combination of the security that's available with the
technology, what we're putting there, and how we manage access
to that information.
And so those are the disciplines that we are--that my
office is working directly with the agencies as they consider
these acquisitions.
Mr. Blum. Mr. Dodaro, we often hear things like the Federal
Government was slow to respond to an emerging threat,
especially cybersecurity threats. What have you found in that
regard, and why?
Mr. Dodaro. It brings a new definition of slowness, okay.
In this area, you know, we first designated it as a high-risk
area across the Federal Government in 1997. So I've been trying
for over 20 years to get attention to this area. You know, we
actually built a computer lab facility that could simulate the
operating environment of agencies in the early nineties, and
actually did a penetration testing to get people's attention
that there could be issues that needed to be dealt with.
And we very, very--it took a long time, but we finally
convinced the Congress, legislation began being introduced in
2000, 2002, creating the Federal Information Management Act,
the FISMA Act, that was updated. And it really wasn't until the
OPM breach that a lot of--in 2015--this is, you know, so many
years later that agencies began to move and the administration
began to move.
But even then, to this day, I'm not sure OPM has fixed all
the weaknesses that led to the original data breach. We went in
a couple of times and we haven't found the problem. So it's
perplexing to me that there hasn't been enough urgency
associated with dealing with this issue. And I'm pleased to
hear from Ms. Kent and others that they're going to sort of up
the game here to be aggressive in this area.
But there's no question that there has been adequate
warnings about these areas that GAO has been given that has
been on our top risk list for many years, both within the
Federal Government, but also critical infrastructure
protection. We put that on in 2003. And concern about the
electricity grid, the financial markets, telecommunications,
and we're moving in that area, but that's--you know, right now,
it's all voluntary on the part of the private sector, and I can
understand that, but we need to have a partnership and more
information exchange between the private sector and the other
sector.
I mean, this is a national security issue, not just, you
know, a privacy issue. And privacy has been slow too. You know,
we've recommended that the Congress change the--update the
privacy laws. The original privacy Act is 1974. E-Government
Act in 2002. Many things have changed since then that there
needs to be updated information. And while the Congress has
only identified some sectors of the economy, healthcare, credit
reporting, to put in place rights for consumers about data
that's collected about them, there is no consumer privacy
framework. We've recommended that Congress consider creating
one since 2013.
So, you know, we've been urging for a long time now more
attention to this area. I'm glad that we're having this
hearing, but I think the pace of change needs to pick up quite
a bit, because the threats are evolving way faster than the
government's ability to deal with it.
Mr. Blum. I heard the phrase, and I'll end with this, the
warfare of the future may not be bombs, it may be bits and
bytes, not bombs. And I know we spend a lot of money on bombs,
and we should, but I think we need to give attention to bits
and bytes, cybersecurity as well.
Mr. Dodaro. Yeah, absolutely. Absolutely. You know, in
conventional warfare the first thing people do is take out your
communication systems, take out your transportation structure,
your ability to have power. But to do that you'd have to
physically invade the country. Today that's not exactly the
same. You can do it from your own country.
Mr. Blum. Thank you for your insights. And I yield back the
time I do not have, Mr. Chairman.
Mr. Hurd. I generally try to have a PMA, a positive mental
attitude. My dad taught me that. And I think there has been
some bright spots over the last 3-1/2 years since I've been in
Congress.
Federal CIOs have more power than they have in the past.
They're getting more involved in the procurement process,
because we can't hold Federal CIOs accountable if they don't
have the responsibilities on what goes on their network. And
that's something that this committee has fought for in a very
bipartisan way.
I believe when we first started this committee, there were
only four CIOs that reported to the agency head or deputy
agency head. I think now there's only four that do not. And I
believe by the end of the year, there would only be one that is
probably not reporting. So, again, empowering the men and women
in the CIO.
I've been surprised over the last few months, I've had a
number of businesses say that they are happy with improved
sharing of intelligence threat information between the Federal
and the private sector. Now, that's part of DHS's role, and I
think DHS is the only entity that can get into that mode of
need to share. And we are seeing what DHS is able to do. And
their technical capabilities to help across the other 24 CFO
agencies, I think, are improving. And one of the things that is
leading to and causing us to see the number of threats
increase, because, guess what, DHS is doing their job. Right?
Now, having done this kind of work before, guess what, I'm
always going to get in. How quickly can you detect me, how
quickly can you quarantine me, and how quickly can you kick me
out is the mentality that we need to be in. But why are some
basic things--MEGABYTE Act. The MEGABYTE Act says every agency
should know what software they have on their networks. Is that
hard to do, Mr. Dodaro?
Mr. Dodaro. No.
Mr. Hurd. Ms. Kent, is that a hard thing to do to be able
to catalog the software that you have on your system?
Ms. Kent. No, sir, we have an opportunity to do much
better.
Mr. Hurd. And so what is the--what more do we need to do to
drive that behavior? Megabyte is important, knowing what your
software is, and that's why we've added it on to the FITARA
scorecard. The FITARA scorecard is evolving into a digital
hygiene scorecard. Naming and shaming is really what we're
doing. We're trying to give CIOs the authority with MGT, the
Modernizing Government Technology Act, to get out of this
notion of if you don't use it, you lose it. So now there's
motivation to--motivation to modernize.
What other carrot sticks should we be using or do you need
in order to compel compliance on some very basic things, like
knowing what software you have?
Ms. Kent. First, I have to applaud and say thank you for
the continuous focus on the FITARA scorecard because having
that level of transparency does make it a priority.
To your point on MEGABYTE, there are tools and technologies
that we can do that with, especially if it's a priority.
One of the things that I would ask that would be of great
assistance is the continued focus on workforce activities. In
many cases, we still have almost a 25 percent gap in the number
of cybersecurity resources that we need across Federal agencies
and what we actually have in place. And, particularly, we have
some gaps in leadership and individuals--places where we have
open positions that are key leaders. In many cases, the
individuals, when we get them in, their tenure is less than 12
to 18 months.
So there are multiple workforce actions, both at entry
level and at leadership, and we continue to have dialogs with
the private sector to see if we can fill those gaps.
Mr. Hurd. Do we still believe it's--is the number still
15,000, roughly, IT positions that are unfilled across the
Federal Government?
Ms. Kent. Yes. Yes, sir.
Mr. Hurd. How is the process going to catalog what those
positions are? Because we don't have common job descriptions
across the Federal Government. This is something that OPM was
supposed to be working on. I'd welcome an update on this
initiative.
Ms. Kent. We are making good progress on that at clarifying
the specific positions, as well as common nomenclature.
Particularly, the CIO Council recently published a CISO
Handbook to ensure that we are holding our cybersecurity teams
accountable for the same standards of behavior across all of
the agencies, but we still have work to do to fill those
positions. And particularly in the entry levels to ensure that
potentially we are identifying other skill sets in the Federal
Government that we can move into some of those positions.
Mr. Hurd. So when will we have a common picture of what
positions are open and what these positions are going to be?
Ms. Kent. I know that it is in the works, and I will get
the date back to you.
Mr. Hurd. Mr. Dodaro, you mentioned in your written
remarks, the national initiative for cybersecurity education,
cybersecurity workforce framework. Is that ringing a bell?
Mr. Dodaro. It will ring Mr. Wilshusen's, it will ring his
bell.
Mr. Hurd. It will ring his bell. All right.
Mr. Wilshusen. It does.
Mr. Hurd. What is that? Where are we--you know, the report
recommends, and y'all's report recommends that this is
something that is not being addressed properly. Can you give us
a little bit more context to this?
Mr. Wilshusen. Sure, absolutely. The NIST's Cybersecurity
Workforce is an attempt to kind of have a common language and
designation for cybersecurity and IT-related activities. And
the intent under the Federal Cybersecurity Workforce Assessment
Act, Federal agencies are required to assess their
cybersecurity workforce, identify the specific functions
associated with each of those positions, or their IT and cyber
positions, and then assign codes to it in the attempt to
identify critical areas of need as it relates to cyber.
We issued a report last month that showed that 13 out of
the 23--24 agencies that we examined had not performed all of
the activities that they were required to do. And we ended up
making about 30 recommendations to those 13 agencies. We have
ongoing work continuing--following up on the status of those
recommendations and agencies' actions to finish implementation
of the requirements of that Act.
Mr. Hurd. Good copy. We will come back on a round two. And
now, I'd like to recognize my friend from New York, Mrs.
Maloney, for her 5 minutes.
Mrs. Maloney. Thank you very much, Mr. Chairman and Mr.
Ranking Member, and all of the panelists.
Mr. Dodaro, in the high-risk report that GAO issued today,
it states that the vast number of individuals potentially, if
affected by data breaches at Federal agencies and private
sector outlets, increases concern considerably that personally
identified information is not being properly protected. And I
think I agree with you completely too. Given the breaches that
we've seen with Verizon in April, they released a report
showing that in the past 12 months alone, there was a total
over 53,000 incidents, and over 2,200 confirmed data breaches.
And then in 2017, we saw the really awful data breach at
Equifax, which was over 143 Americans had their personal
information stolen. And the 2015 breach at OPM, which affected
approximately 22 million individuals. It demonstrates the
absolute massive scale of harm to privacy and security that
data breaches can have, and this doesn't even get into the
alleged foreign governments that are hacking into our private
material.
The high-risk report states, and I quote, that the laws
are currently written may not consistently protect personally
identified information in all circumstances of its collection
and use, end quote.
Can you briefly explain how our current privacy laws and
framework for protecting individuals' privacy is not adequate?
Obviously, it's not adequate with this large number of breaches
taking place. There's some reports that every person in
government has been hacked. That everybody's breaking in
everywhere. So could you respond to that?
Mr. Dodaro. Absolutely. First, the Privacy Act was
originally passed in 1974, so it's very dated and did not have
anywhere near the context of the current computing environment
in place, and what is likely to occur in the future. There was
the E-Government Act in 2002 that took a couple of steps, but
not sufficient.
Here's two examples. One is that the current definition
deals with a system of records that the government's
responsibility is protecting that. That doesn't say anything
about data mining, it doesn't say anything about databases that
are used and scanned and scraped and whatever definition you
want to use. So the ability now to be able to manipulate the
data doesn't really--is not contemplated under current law.
Second, it gives the Federal agencies the ability to only,
you know, use the data for, quote, authorized purposes. Now,
that doesn't necessarily give the individuals whose data is
being collected an understanding of what is an authorized
purpose. So there's really not clarity about what the Federal
Government's limits or abilities are to be able to deal with
these things.
Mrs. Maloney. What would you say is an authorized purpose?
Mr. Dodaro. Well, it's--every agency is allowed to define
it in their own way, which is what----
Mrs. Maloney. Well, that's not right.
Mr. Dodaro. Well, that's what we're saying. Basically,
there needs to be more clarity on exactly----
Mrs. Maloney. Can you get back to the committee with an
explanation or a recommended definition of this?
And you went on to say in your report that--that we needed
to strengthen our consumer privacy laws. Is that right?
Mr. Dodaro. Yes.
Mrs. Maloney. Could you get back to us on how you would
expect us, or to me, on how you'd like us to strengthen it?
And if Congress does move forward with amending and
updating the Nation's privacy laws, which we should, what are
the key changes that you believe must be achieved?
Mr. Dodaro. Yeah. We will definitely provide all that
information to you in detail.
On the consumer privacy framework, really, there isn't one,
except in the healthcare area and HIPAA, for example, or
Federal credit reporting, or some other information--
everything--nothing else is really covered, including
information reselling of data.
And with other technologies, facial recognition technology
and other things, there is no consumer financial privacy--or
consumer privacy framework in place, and we recommended that it
be put in place. So we can give you some examples of that.
Mrs. Maloney. Please do. Please do give it.
And I do want to get to OMB for a moment, Ms. Kent. What is
the administration's timeline for implementing GAO's
recommendations? Are you implementing these recommendations
they put out?
[3:24 p.m.]
Ms. Kent. We're in process of many of the recommendations,
particularly the ones that are in the area of Federal systems
and information and, actually, in the privacy and security area
that you just talked about.
One of the key elements around how we secure data and
citizen data is the efforts under IT modernization.
It is very difficult or complex to secure data in systems
that are over 20 years old. And as we modernize, we have better
tools for data encryption and management of the data both at
rest and in movement, and that is one of the ways that we
protect all information that we have within our Federal agency
purview against any type of threat.
Mrs. Maloney. And very briefly, how can Congress assist you
in this really huge effort and very, very important one? It
used to be privacy was utmost concern on everyone's mind. And
now with terrorism, attacks, and other things, it's not taken
the really important level that it should in our country. And I
want to express my appreciation for your report. But how can we
help you?
Ms. Kent. Congress can continue to help us through funding
of the teams that focus on these efforts, through creative
vehicles like the Technology Modernization Fund that let us
actually advance the modernization activities much more
quickly, as well as the efforts that I spoke of earlier on
workforce.
Mrs. Maloney. I'm way past time.
Thank you for indulging, Mr. Chairman. I yield back. Thank
you.
Mr. Hurd. The distinguished gentleman from the Commonwealth
of Virginia and ranking member is now recognized for his first
5 minutes of questioning.
Mr. Connolly. Thank you, Mr. Chairman. Thank you for your
commitment to this subject matter.
Mr. Dodaro, I want to thank you and GAO for elevating this
particular part of the issue to your high risk grouping.
Because it forces us to at least talk about it, hopefully do
something about it, and you've been instrumental in the past in
supporting our FITARA legislation and our scorecard efforts and
the like. And I really credit GAO with helping us make the
progress we've made.
Last May, the Trump Administration, however, eliminated the
White House cybersecurity coordinator position from the
National Security Council. In light of your elevation of this
as a high risk category, in retrospect, was that a prudent
move? Was that a welcome move in the context in which you've
delineated this subject matter?
Mr. Dodaro. I think, just for clarification, we've had this
on the high risk list since 1997, so this isn't a recent
elevation. I'm concerned that there hasn't been enough progress
in addressing this issue. I was, you know, surprised that the
position was eliminated. I've been told that those
responsibilities have been divided among two people. I haven't
had a chance, since it's a recent activity, to look into it
more. We plan to do that in the future.
So once we look into it and see how they're planning to
approach it with the elimination of that position, I'll be in a
better position to advise the Congress on what to do.
We've never really evaluated this cybersecurity coordinator
role. We've been more focused on getting a national strategy in
place and making clarifications. And I haven't really examined
fully what that position did, what kind of resources they had
available and what their accomplishments were during that
period of time.
So it's an area that I'm concerned about. You always want
to have good leadership, and you can have good leadership in a
number of different ways, but I want to look at it more
carefully before I advise on exactly what would need to be done
differently from what they're contemplating doing.
Mr. Connolly. Yeah, you may be right. I mean, maybe
diffusing responsibility or splitting responsibility allows us
to have a sum greater--you know, the whole greater than the sum
of the parts.
On the other hand, you know, there was a report in Politico
that said since its creation in 2009, the White House
cybersecurity coordinator position has been key in resolving
conflicts among agencies, preparing cabinet leaders to make
major policy decisions, and responding to crises.
As you know, Mr. Dodaro, sometimes--maybe more often than
not--in government, you need a central focus. You need some
champion who is vested with authority and responsibility for
moving an agenda, for advocating for a cause. And absent that,
often in big bureaucracies, you know, something we all think is
a good thing just kind of dies on the vine for lack of
attention and championship.
So I would welcome you looking at that because I think we
would want to know, did the Trump Administration make a good
decision or did it make a mistake in abolishing this position.
Ms. Kent, do you have views on that? I'm sure you do.
Ms. Kent. Sir, I don't know that I would--what I would
reflect is that the activities for the Federal agencies are
directed by Homeland Security Advisor Fears. And in fact, my
chief information security officer has a dual reporting
relationship between him and me, so that there is no miss or time
in translation for things that we need to take action on.
And I think I have a very clear set of mandates of actions
that we need to take across the Federal agencies.
Mr. Connolly. Well, I'm glad to hear that. Do you know how
long it took to get a CTO?
Ms. Kent. To get a--I'm sorry?
Mr. Connolly. A chief technology office or a CIO for the
Federal Government?
Ms. Kent. Yes, sir, I do.
Mr. Connolly. In this administration, it is over a year.
Ms. Kent. Yes, sir.
Mr. Connolly. So I have to tell you, given that record, it
is not exactly confidence-building that, you know, you've got
it and you're moving an agenda--not you personally--but the
administration. I mean, words are nice but actions are
important.
If I may, Mr. Chairman, because I think I'm going to have
to run, I have one other subject that is of deep concern to me.
And again, I'm going to ask you, Mr. Dodaro, to look into this.
And I agree with what you said, Ms. Kent, we've been
champions about the need to upgrade legacy systems or replace
them, and to, you know, come into this part of the 21st Century
so that we can encrypt, we can protect.
But what is, you know, the purpose of technology is to do
the job better. It's to be deployed. It is to give us
capabilities we otherwise might not have. One of those
capabilities is telework.
And I can tell you as someone who lived through 9/11 and
has lived through lots of hurricanes and other kinds of things
here in the Nation's Capital, telework increasingly becomes
critical to continuity of operations, without which, government
shuts down.
And what has disturbed me is that the Trump Administration
seems to be going in exactly the wrong direction with respect
to telework. The Department of Education issued new guidelines
that seem to severely curtail our robust program.
USDA, which is highly touted by Jared Kushner and Chris
Liddell--and I met with them and had a good meeting--but I did
bring to their attention that I felt Secretary Perdue was going
in the wrong direction on telework. He actually curtailed that
program there.
And then your office issued guidelines that, from the White
House, that actually would limit, as I understand it, telework
to be defined as no more than one day a week.
Now, I don't know anyone in the telework profession who
would agree with that definition. No one. Telework is to be
encouraged more than one day a week. It's a structured program.
It's not a spontaneous, like "gee, I feel like teleworking
today." That's not how it works. But we want to get the
maximum benefits and we want to deploy technology, and we want
to make sure this is part of the offering for the next
generation of Federal employee. Because millennials expect that
as part of the offering.
So what is going on here in terms of the reluctance to
encourage rather than constrain telework in this
administration? I have to confess to you, and then I'll shut
up, I was really particularly bothered by this because we
actually had a good meeting at the White House where we found
common ground. And I reassured Mr. Kushner and Mr. Liddell
that, frankly, if they continued going in the direction they
described they would have our support, which is not an
everyday occurrence. And then this happened.
And this seems to fly in the face of the kind of progress
we thought we were going to make in common.
Ms. Kent. Sir, I'm not informed on the specific decisions
that the agencies made around their policies.
I do know that one of the things that we are focused on as
part of the President's management agenda and specific goal is
the elimination of paper across the various processes in the
government to actually free up the ability for individuals to
not be dependent on being in a specific physical spot to do
that work and drive other efficiencies.
In addition, some of the investments that we're making in
digital capabilities and new workforce tools actually enable
work to be done from a broader reach of locations.
Mr. Connolly. Well, I mean, there's actually explicit
policy guidance that has been drafted that would curtail
telework in your administration. And I'll be glad to get it to
you, if you haven't seen it.
Mr. Dodaro, I would just ask that you look into this,
because I think it flies in the face of the progress we've
tried to make. And, you know, the whole point here is to deploy
the capability, not constrain it, and would welcome GAO to look
into this and see if we can't----
Mr. Dodaro. I'd be happy to do so.
Mr. Connolly. I thank you so much. And Mr. Chairman, thank
you for your indulgence. I'm sorry.
Mr. Hurd. Mr. Mitchell, round two.
Mr. Mitchell. Thank you, Mr. Chair.
Mr. Connolly, you may want to stay for this conversation--
it's the beginning of it--because we're talking about legacy
systems.
Mr. Dodaro, have you looked at or done any analysis----
Mr. Connolly. I would say to my friend, I would, but I
belong to two committees that believe no human problem cannot
be improved with another hearing. And my other committee is
practicing that as we speak.
Mr. Mitchell. Only two committees are doing that? I'm
shocked.
It's getting near district work period and it's gone, the
wheels have come off the bus around here, okay?
Let's talk about legacy systems for a moment. Have you done
any analysis, any examples of the current cost of maintaining
legacy systems versus just making a transition to a new system,
and what is the comparison?
If you could give me some examples, that would be great.
Mr. Dodaro. Well, overall, what we've said of the annual
Federal investment, which is about $80, $90 billion a year, 75
percent of that goes to support the legacy systems as opposed
to, you know, making investments and modern approaches in
systems.
So, you know, we've looked at a lot of individual cases,
and I'd be happy to provide those for the record, but, you
know, it definitely, you know, the government's track record in
implementing new systems and being able to retire legacy
systems isn't, you know, very good. But it needs to be better.
And I think the legislation this committee has sponsored is
helping move in that right direction. And, you know, I have
always approached this with a PMA as well, a positive mental
attitude, but I also have a view of what the realistic track
record has been of the agencies. I'm hoping they do better. I
hope the CIOs will do better in this area, but we need to do
a better job in those areas.
So the short answer to your question is the legacy systems
involve a lot of spending and are sucking up a lot of the
Federal government's investment, and we need to get new systems
in place. But every time there's an effort to do that, there's
a failure on the part of many agencies.
Now, hopefully with Ms. Kent's leadership and elevating the
CIOs to have more responsibility in the agencies, we'll see a
different outcome going into the future. I certainly hope so.
Mr. Mitchell. Well, I would like to see those examples, so
if you can get those to the committee with things you've looked
at, we would like to look at. Because at some point in time
what we're doing is we're paying costs, workforce costs to work
on legacy systems that should, in fact, be better----
Mr. Dodaro. Yeah, I mean, a good example. We just issued a
report about the Coast Guard system that was supposed to be put
in place that failed. The VA, they spent, you know, over $1
billion dollars trying to improve the current electronic
healthcare system, that hasn't been successful as well.
I mean, we've got a long list of activities where money has
been invested, you know, in a lot of cases millions, hundreds
of millions of dollars, and it hasn't produced the new system
yet properly to retire the legacy system.
So we'll get you a list. I'm confident we have one, and it
will touch virtually every agency in the Federal Government.
Mr. Mitchell. We just had a hearing a bit ago on the
Census. And as you are well aware, they are well behind, in
terms of developing it's what they do in systems and they're
over-budget. So it doesn't surprise me, but we need to start to
look at that, so I'd like to see it.
Ms. Kent, could I ask you, you mentioned the vacancies you
have, about 15,000 vacancies of technical, cybersecurity
personnel; is that correct?
Ms. Kent. Yes, sir.
Mr. Mitchell. What are the primary drivers of those
vacancies?
Ms. Kent. I'm sorry. Say that again?
Mr. Mitchell. What are the primary drivers, causes of the----
Ms. Kent. Of the vacancies?
Mr. Mitchell. Yes.
Ms. Kent. The primary drivers of the vacancies are that
cybersecurity skills are one of the hottest skills in the
industry right now and we're competing with the private sector,
as well as the cybersecurity professionals have an expectation
of quick mobility, large challenges and some ability to move
very quickly in their profession. And some of those things
don't align well.
Mr. Mitchell. We've got big challenges. I can guarantee
that.
Ms. Kent. It is a very big challenge, but it's an area
where there are many avenues that we're pursuing, both at
entry-level positions as well as leadership positions, and
continuing to explore exchanges with private sector to fill
those gaps.
Mr. Mitchell. When we had people leave my company, we
always did a survey of, kind of get an idea of why you're
going. I mean, I'm sure you did as well.
What is the primary--average tenure about 18 months and
they're gone.
What are the primary causes that people are up and leaving
once you get them here?
Ms. Kent. It is a highly valuable set of skills in the
private sector industry. So many times it is a question of
compensation.
What we have to offer is an exciting mission and the
ability--we have many very motivated professionals that come in
because they believe in the missions that our agencies are
focused on.
Other times, they are leaving because they want more
mobility. And mobility as they progress through, you know, the
professional ranks.
Mr. Mitchell. Have there been many recognitions made, Mr.
Dodaro, on what we do in terms of compensation skill or a
career structure for cybersecurity personnel in the Federal
system?
Mr. Dodaro. No. I mean, this is an area where we've had
strategic human capital management on high risk since 2001.
You know, one of the areas----
Mr. Mitchell. What have you not had on high risk since
2001?
Mr. Dodaro. Well, there are things that aren't high risk.
You know, we----
Mr. Mitchell. Okay.
Mr. Dodaro. But, you know, the problem here is the
classification system that OPM has in place. I mean, there's
really not been, I mean that system was created many years ago.
It didn't contemplate cybersecurity. They've not adapted over
time. And so right now the phase 1 of what the administration
is currently doing is to take stock of what cybersecurity
skills exist across the government.
I mean, we should have known this for years earlier and
developed new systems in place.
Now, Congress has been very good where they've given a lot
of special authorities to the agencies. But we found that they
have over 100 special hiring authorities but they only use
about a dozen or so. And so it's really OPM hasn't looked at
whether or not the special hiring authorities are being
effective or not.
And so, you know, this means more attention. I'm very glad
that the President's reorganization proposals focused on
cybersecurity workforce.
Mr. Mitchell. Can you share with OPM, at least my opinion--
not necessarily the committee opinion--but my opinion that--I
ran a fair-sized company. The chief technology officer reported
to me. They reported to me for a reason. And we had a deal. His
phone never went off.
And as soon as something went sideways, you know, he gave
warning systems and you're well aware, Ms. Kent, what those
are. And the deal was, he immediately went in and dealt with
the issues. And the next thing he did was he called me. Because
there is nothing that's more important than securing our data.
We're a school group. We have the information on 6,500
students at any point in time, their financial information,
their parents' financial information. And that getting hacked
is a serious issue, never mind the issues we have here.
So suggest to OPM they may want to up the ante on this and
make it a little more important because people aren't trusting
the government because they don't believe their data is secure.
Never mind the issues it creates for us in terms of national
security.
Thank you. I am out of time as well. Thank you, sir.
Mr. Hurd. Ms. Kent, one of the recommendations that GAO
suggests, needs to be improved, is this global supply chain of
information that's on our Federal infrastructure.
So if we take the narrow view of the supply chain of
software or hardware that is put on a system responsible in the
dot-gov domain, who is responsible for making sure that those
widgets are secure?
Ms. Kent. One of the things that I agree with the point
around supply chain is ensuring that we have a mechanism, not
only to know what is on our network, but to allow Congress and
other bodies to make recommendations and have a structured way
that we identify both hardware and software, where is it being
used, and we have a structured way to pull those things out.
As we worked through the Kaspersky situation, we had to
create an entire process, communicate that information, and
manage it one-by-one, across all of the agencies. And we did
not have a systematic way to do that.
Since we have now had additional concerns and, you know,
those may continue, what we would like to have in place is a
structured way to do that in ongoing identification by
agencies.
Mr. Hurd. So let me rephrase the question. Right now can
you tell right now agency X, You've got to remove all this
stuff? You as the Federal CIO can make that directive and X-
agency would have to comply with that.
Ms. Kent. We have been taking directives from the National
Security Council or from others, but, yes, that is the way that
we have been executing the ones for which we've been given a
directive to date.
Mr. Hurd. Can the CIO for that agency make that decision
and say, All this stuff is coming out?
Ms. Kent. The CIOs have responsibility for the security
posture of their agencies, so if they decide to take a more
aggressive stance on some situation or, you know, for some
reason that aligns with their mission, that is within their
authority.
Mr. Hurd. So let's say an agency has a device on their
network that they shouldn't have, who should be in trouble? Who
is responsible for having allowed that to happen? Or not
finding that out in advance?
Ms. Kent. That's a good question. We do hold agencies
accountable for knowing what is on their network. And if there
has been a directive to remove actions and a specific date by
which to act, we are holding them accountable from an oversight
perspective.
Mr. Hurd. Mr. Dodaro, do you have any opinions on this?
Critical infrastructure, I mean excuse me, supply chain
within the dot-gov space. Let's start with that.
Mr. Dodaro. Yeah, right, right. I think, you know,
individual agencies are always the first line of responsibility
in these cases to know what they're buying and what is in
place.
DHS has responsibility and has the ability to issue binding
operational directives to agencies, across government, if need
be, to remove devices or to do certain things as well. So DHS
has some responsibilities.
I would ask Greg to come up. He just testified on a supply
chain issue recently, see if he has any additional thoughts.
Mr. Hurd. While he is coming up, describe your vision, the
future state that needs to happen in order for this to be
removed from the GAO high risk report.
Mr. Dodaro. On supply chain or the whole----
Mr. Hurd. On supply chain over dot-gov.
Mr. Dodaro. Yeah, there needs to be, you know, a clearer
plan for determining the supply chain operations, you know, in
terms of identification of vulnerabilities, and there needs to
be greater accountability for enforcing that over time.
Mr. Hurd. Who should do that?
Mr. Dodaro. It has to be led by DHS or out of the White
House to be enforced. I mean, it has to be. I mean, you know--
and there are separate issues at DOD, all right, on this issue,
you know, for national security purposes, and they hold the
prime contractors responsible. But there is a lot of
subcontractors kind of issues.
But in the civilian side of the government, I think it's
got to come from DHS primarily, would be where I would start.
Mr. Hurd. Mr. Wilshusen.
Mr. Wilshusen. Yeah. It would need to be, I think, also
DHS, but also certainly with input, collaboration with the
intel community as well as DOD as they collect intelligence and
information about the particular supply chain direct to
particular components or systems that might be in use at
Federal agencies.
DHS has used its authority under the Federal Information
Security Modernization Act to issue binding operational
directives to require and compel all Federal agencies to remove
Kaspersky Lab-type products, as was referenced earlier.
We have been requested and we plan to start an engagement
later this year to look at the process by which DHS determines
when to issue a binding operational directive, how it comes
about that decision and then what oversight mechanisms it has
to ensure that its directives are actually being implemented
and implemented effectively by the agencies.
Mr. Hurd. Shifting gears on privacy. If the IRS database
got hacked--and let's say a portion of American citizens'
information was stolen--what is the responsibility of IRS to
notify those individuals and notify Congress?
What are the breach notification rules that IRS would be
following in that case?
Mr. Wilshusen. It depends. IRS would need to make--and this
is under guidance provided by the Office of Management and
Budget, indeed on how to respond to particular data breaches.
Part of it is to conduct, at first, a risk assessment in
which it looks at the scope of the breach and the potential
harm that could occur to, say, in this case taxpayers, if their
information is indeed compromised.
And then it's supposed to make a risk assessment and then
determine what type of actions to take. Part of that could
include notification to those individuals that their
information has been breached. It could also include providing
some other remedies such as credit monitoring services and
others----
Mr. Hurd. So this is the standard written by OMB?
Mr. Wilshusen. That's correct.
Mr. Hurd. So if students' loan information at Department of
Education was stolen, would that be the same notification
responsibilities and privacy----
Mr. Wilshusen. Yes, those guidelines are for all Federal
agencies.
Mr. Hurd. So OMB has issued breach standard notification
across the Federal Government to include intel and militaries
across all Federal agencies or is it just the dot-gov space?
Mr. Wilshusen. I guess it would be dot-gov space.
Mr. Hurd. Ms. Kent, do you have any opinions on this topic?
Ms. Kent. It is not a topic that I am familiar with, all
the specifics. I do recognize, though, in the description is,
the process is very similar to industry and the notification
process, identifying risks, understanding the risk of the
individuals, and then determining if there are other mitigating
factors that should be offered to those individuals.
Mr. Hurd. Ms. Kent, changing gears here. OMB released its
agency self-reported data on the status of their information
security controls. We have found that agencies tend to present
a prettier picture than their own IGs in those FISMA audits.
Have you noticed this discrepancy? Are you working to make
this accurate reporting? Are you acknowledging these problems?
How do we plan to work with agencies to implement some of these
basic cybersecurity requirements?
Ms. Kent. I concur with your assessment. That was actually
when I looked at the reports, one of the early things that I
asked in joining.
It is actually a conversation that I have had with the GAO
team about how we can automate and actually extract data on
some of the specific points versus asking for a self-reporting
mechanism. And we'll continue the dialogue about how to improve
that.
Mr. Hurd. This is one of my final questions. It's a very
broad basic question, and it's broad and basic for a reason.
And we'll start with you Ms. Kent, and then we'll go down the
line.
Who is responsible for defending the digital infrastructure
of the Federal Government?
Ms. Kent. Say that again?
Mr. Hurd. Who is responsible for defending the digital
infrastructure of the Federal Government?
Ms. Kent. The agencies are responsible for defending the
digital infrastructure at their agency, and DHS is responsible
for defending across the enterprise. And there's an interlock
of responsibilities between the agencies and their
communication with DHS in ensuring that DHS has visibility to
issues, incidents, and what they are detecting going on in
those individual agencies.
Mr. Hurd. What is the role of the Federal Government in
helping to defend the 16 areas that we consider to be critical
infrastructure?
Ms. Kent. I don't know that I'm following your question.
Are you talking about the external industry?
Mr. Hurd. So the 16 areas that we think are critical
infrastructure, financial services, utilities, election
infrastructure, go down the line, what is the Federal
government's role in helping to defend those infrastructures?
Ms. Kent. I see those as the responsibility of DHS. So I
don't know that I am informed to comment. DHS and our National
Security Council. And from a Federal agency perspective, I know
when we expect that they are sharing threat information from
those industries with us inside the Federal agency side so that
we can react to those.
Mr. Hurd. Got you. Mr. Dodaro, who's in charge?
Mr. Dodaro. Well, in the Federal space, I would agree. I
mean, the agencies are primarily responsible according to
FISMA. That's the agency heads. I mean, Congress has
established that in law. It has given DHS responsibility and
law. And OMB sort of passed that responsibility to DHS years
ago and without the authority.
Now, Congress corrected that and gave DHS the authority,
gives them the ability to issue these binding operational
directives. And then OMB has responsibility as well for policy
matters in a lot of these areas.
So in the Federal space, I think that's pretty clear. In
the critical infrastructure protection space, less so.
Now, in some of the critical infrastructures, for example,
in the nuclear area, there are regulatory responsibilities. So
the Federal government's role is a little clearer in that area.
They have more authority to put in place requirements. But for
by and large, for most of the 16 sectors for critical
infrastructure, it's voluntary.
And what we found is that the--there each has a Federal
coordination point and a lot of the Federal coordinators really
didn't know what the status was of the implementation of the
voluntary standards.
When we talked to a number of people in the sectors, you
know, they were basically saying that they had challenges. They
didn't have enough people, they didn't understand all the
requirements. So that's the area I'm most concerned about.
Mr. Hurd. So describe that future state when it comes to
critical infrastructure that if we achieved you would pull this
off as one of the four major challenges facing the Federal
Government.
Mr. Dodaro. Yeah. Well, number one, I would have to have
some metrics and measures to know what the state of readiness
really is in those areas.
Right now, you don't have that. No one can answer that
question, I believe, to say across the 16 sectors we're ready.
And here is why I believe that.
So to me, you need that in place to provide the level of
assurance that would be necessary in order to do that. And so
that's, you know, a tall order. And then you would need to
have, you know, a clearer understanding of information sharing.
You know, our understanding of what's going on, you
referenced this earlier about businesses being happy with
information they're getting from DHS. I'm not too sure that
that information flow is going two ways. And I think we need
to, from the Federal Government standpoint, need to have
greater assurance that there's a two-way dialogue here, and
that we're really communicating and understanding what's going
on with the risk in those areas.
So to me, you need a clear metric understanding of what the
status of readiness is for each of the 16 areas, and there
would be different metrics for different sectors. I'm not
suggesting there would just be one sector, but somebody has got
to be in that position to know that.
And right now, that's very sketchy at best. And as a
result, I think we're very vulnerable in the Nation. I know
there's a lot of policy issues about the Federal role,
respecting the private sector, whatever. But I think we're
getting to a point with the threats from state and non-state
actors that we need to have more of a grownup conversation
about the real risk to the country in those areas and a meeting
of the minds on how best to protect our country for everybody.
Mr. Hurd. Has GAO thought through what are those Doomsday
scenarios that we should be prepared for? Because if there are
unclear roles between the public and private sectors in
response to a Doomsday scenario, we need to be thinking through
what are those Doomsday scenarios that we need to be prepared
for.
Have you all spent some time on that? Have you all seen an
entity that has designed that?
Ms. Kent, you have seen stuff?
I know there are some exercises. DHS does a few. But I feel
like we haven't done enough, because if we're truly going to
escape to a future state, we need to figure out what that is
we're trying to be prepared for.
If we're going to develop contingency planning, what
contingency are we planning for?
And Mr. Wilshusen you came up here, so I hope you have some
interesting things to say.
Mr. Wilshusen. I hope I can interest you.
One, is DHS has developed a response plan, and it's tested
annually, in which it is a test against different types of
scenarios.
And I do believe in some of the guidance at least--well,
from the National Institute of Standards and Technology and
some of its guidance, it does identify different threat
scenarios for different types of potential attacks that can
affect organizations and systems.
Now, that's generally guided towards Federal agencies, but
those same types of attacks can also be applied against
critical infrastructure owners and operators in the systems
that they operate.
And so there are different threat scenarios that have been
identified and those are things that both I think DHS and NIST
has identified.
Mr. Hurd. Well, Mr. Dodaro, you've heard me say this
before. I'm a big fan of GAO. Whenever there's a new topic I am
working on, I always start with whatever reports you all have
developed.
So thank you for you and your team and you all's service to
making sure our government is responsive to the people that we
serve. It's always a pleasure to have you here.
Ms. Kent, any final words?
Ms. Kent. I thank you for the opportunity. And as I said in
the opening, every chance that we have to elevate the
conversation around cybersecurity and the resources that we
need to be in a position to protect our security posture, I
greatly appreciate.
Thank you.
Mr. Hurd. Well, I thank our witnesses for appearing before
us today.
The hearing record will remain open for two weeks for any
member to submit a written opening statement or questions for
the record.
And if there's no further business, without objection, the
subcommittee stands adjourned.
[Whereupon, at 4:01 p.m., the subcommittee was adjourned.]
APPENDIX
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]