[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY CHALLENGES FOR STATE AND LOCAL GOVERNMENTS: ASSESSING HOW
THE FEDERAL GOVERNMENT CAN HELP
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
JUNE 25, 2019
__________
Serial No. 116-29
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
38-782 PDF WASHINGTON : 2020
--------------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Majority Members:
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
Donald M. Payne, Jr., New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Xochitl Torres Small, New Mexico
Max Rose, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Emanuel Cleaver, Missouri
Al Green, Texas
Yvette D. Clarke, New York
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
Minority Members:
Mike Rogers, Alabama
Peter T. King, New York
Michael T. McCaul, Texas
John Katko, New York
John Ratcliffe, Texas
Mark Walker, North Carolina
Clay Higgins, Louisiana
Debbie Lesko, Arizona
Mark Green, Tennessee
Van Taylor, Texas
John Joyce, Pennsylvania
Dan Crenshaw, Texas
Michael Guest, Mississippi
Hope Goins, Staff Director
Chris Vieson, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Cedric L. Richmond, Louisiana, Chairman
Majority Members:
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Kathleen M. Rice, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Bennie G. Thompson, Mississippi (ex officio)
Minority Members:
John Katko, New York, Ranking Member
John Ratcliffe, Texas
Mark Walker, North Carolina
Van Taylor, Texas
Mike Rogers, Alabama (ex officio)
Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable John Katko, a Representative in Congress From the
State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 3
Prepared Statement............................................. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Oral Statement................................................. 5
Prepared Statement............................................. 5
The Honorable Mike Rogers, a Representative in Congress From the
State of Alabama, and Ranking Member, Committee on Homeland
Security:
Oral Statement................................................. 6
Prepared Statement............................................. 7
Witnesses
Ms. Keisha Lance Bottoms, Mayor, City of Atlanta:
Oral Statement................................................. 8
Prepared Statement............................................. 10
Mr. Thomas Duffy, Chair, Multi-State Information Sharing and
Analysis Center (MS-ISAC), Senior Vice President of Operations,
Center for Internet Security:
Oral Statement................................................. 12
Prepared Statement............................................. 14
Mr. Ahmad Sultan, Affiliated Researcher, Center for Long-Term
Cybersecurity, School of Information, University of California,
Berkeley:
Oral Statement................................................. 18
Prepared Statement............................................. 20
Mr. Frank J. Cilluffo, Director, McCrary Institute for Cyber and
Critical Infrastructure, Auburn University:
Oral Statement................................................. 30
Prepared Statement............................................. 32
For the Record
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Statement of Talib I. Karim, CEO STEM4US!, Inc................. 49
CYBERSECURITY CHALLENGES FOR STATE AND LOCAL GOVERNMENTS: ASSESSING HOW
THE FEDERAL GOVERNMENT CAN HELP
----------
Tuesday, June 25, 2019
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 3:07 p.m., in
room 310, Cannon House Office Building, Hon. Cedric L. Richmond
(Chairman of the subcommittee) presiding.
Present: Representatives Richmond, Langevin, Rice,
Underwood, Slotkin, Thompson (ex officio), Katko, Taylor, and
Rogers (ex officio).
Mr. Richmond. The Subcommittee on Cybersecurity,
Infrastructure Protection and Innovation will come to order.
The subcommittee is meeting today to receive testimony on
cybersecurity challenges for State and local governments,
assessing how the Federal Government can help.
Good afternoon. I want to welcome the panelists to today's
hearing on cybersecurity at the State and local level. This is
a topic that I believe deserves far more attention than it
gets.
Since joining this subcommittee, I found that, while we can
all agree that cybersecurity is an important topic, it can
start to feel unapproachable to people on the ground. As
Chairman, I want to spend some time looking at how
cybersecurity impacts real people, like the ones I represent in
the Second Congressional District of Louisiana. I know that my
constituents work long hours and have hard jobs, sometimes more
than one. Many of them are not thinking about phishing emails
or ransomware or whether a hostile foreign government has
gained access to the networks that control their drinking
water, their transportation, or their medical care.
While the Federal Government has an important role to play
in securing these networks, State and local governments own
them. The staffing, structure, and resources available to State
and local agencies vary across the country, but many of them
are operating with a shoestring budget. Like Federal agencies,
they are increasingly being targeted with sophisticated cyber
attacks. Time and time again, we have seen that these attacks
can be debilitating, taking out the tools and services people
need to access health benefits, buy a home, or even call 9-1-1.
As any city official who has recovered from one of these
cyber disruptions can tell you, the aftermath can have a hefty
price tag. This is a drain on taxpayer dollars, time, and
labor, all of which are in short supply at the State and local
levels.
We also know that these attacks are becoming more frequent
and more advanced. According to the security firm, Recorded
Future, there have been at least 170 ransomware attacks carried
out on county, city, or State governments since 2013, including
20 reported so far this year. That is just the incidents that
were reported. The actual numbers are probably far higher.
But there is another problem as well. Today, we rely on the
internet to an extent that we never have before. Access to
connected devices and an understanding of how to use them
securely is the very foundation of economic mobility. Yet we
also know that many in our communities do not have the same
means, access, or opportunity to build a level of comfort with
technology.
While we talk a lot about how automation might impact the
work force, we talk less about how poor cyber hygiene and low
tech literacy can present a real economic barrier to entry.
Right now, studies show that the most vulnerable, underserved
among us, low-income, immigrants, or elderly populations, are
the most likely to fall victim to an on-line scam or click the
wrong link. These mistakes can be costly, especially for
someone on the margins. Negative experiences like these may
also lead many to steer clear of important on-line services,
like on-line banking, health management tools, or even email.
This response, left unchecked, will only serve to deepen
economic divides and allow our most vulnerable populations to
fall further behind. We have to confront this head-on. I look
forward to hearing from this panel on how we might do that.
This is not a State or local problem but a National one,
and we should invest accordingly at the Federal level.
Ultimately, we cannot expect underresourced, understaffed State
and local governments to defend their networks from State-
sponsored hackers from Russia, China, and Iran. Toward that
end, I am working on a comprehensive package to improve the
cybersecurity posture of our State and local governments.
I look forward to hearing from our witnesses today about
opportunities to address this important National security
issue.
[The statement of Chairman Richmond follows:]
Statement of Chairman Cedric L. Richmond
June 25, 2019
This is a topic that I believe deserves far more attention than it
gets. Since joining this subcommittee, I have found that--while we can
all agree that cybersecurity is an important topic--it can start to
feel unapproachable to people on the ground. As Chairman, I want to
spend some time looking at how cybersecurity impacts real people--like
the ones I represent in the 2d District of Louisiana. I know that my
constituents work long hours and have hard jobs, sometimes more than
one. Many of them are not thinking about phishing emails or ransomware
or whether a hostile foreign government has gained access to the
networks that control their drinking water, transportation, or medical
care. And, while the Federal Government has an important role to play
in securing these networks, State and local governments own them. The
staffing, structure, and resources available to State and local
agencies vary across the country--but many of them are operating with a
shoestring budget. And, like Federal agencies, they are increasingly
being targeted with sophisticated cyber attacks.
Time and again, we've seen that these attacks can be debilitating--
taking out the tools and services people need to access health
benefits, buy a home, or even call 9-1-1. As any city official who has
recovered from one of these cyber disruptions can tell you, the
aftermath can have a hefty price tag. This is a drain on taxpayer
dollars, time, and labor--all of which are in short supply at the State
and local levels. We also know that these attacks are becoming more
frequent and more advanced. According to security firm Recorded Future,
there have been at least 170 ransomware attacks carried out on county,
city, or State governments since 2013--including over 20 reported so
far this year. That's just the incidents that were reported. The actual
numbers are probably far higher.
But there's another problem, as well. Today, we rely on the
internet to an extent that we never have before. Access to connected
devices--and an understanding of how to use them securely--is the very
foundation for economic mobility. Yet we also know that many in our
communities do not have the same means, access, or opportunity to build
a level of comfort with technology. While we talk a lot about how
automation might impact the workforce, we talk less about how poor
cyber hygiene and low tech literacy can present a real economic barrier
to entry. Right now, studies show that the most vulnerable, under-
served among us--low-income, immigrants, or elderly populations--are
the most likely to fall victim to an on-line scam or click on the wrong
link. These mistakes can be costly, especially for someone on the
margins. And, negative experiences like these may also lead many to
steer clear of important on-line services--like on-line banking, health
management tools, or even email. This response, left unchecked, will
only serve to deepen economic divides and allow our most vulnerable
populations to fall further behind. We have to confront this head-on,
and I look forward to hearing from this panel on how we might do that.
This is not a State or local problem, but a National one--and we should
invest accordingly, at the Federal level.
Ultimately, we cannot expect under-resourced, under-staffed State
and local governments to defend their networks from state-sponsored
hackers from Russia, China, and Iran. Toward that end, I am working on
a comprehensive package to improve the cybersecurity posture of our
State and local governments. I look forward to hearing from our
witnesses today about opportunities to address this important National
security issue.
Mr. Richmond. With that, I now recognize the Ranking Member
of the subcommittee, the gentleman from New York, Mr. Katko,
for an opening statement.
Mr. Katko. Thank you, Mr. Chairman.
Thank you, all of our witnesses, for being here today. It
is an important topic that couldn't possibly be more timely, as
you all well know.
Our State and local governments are prime targets for cyber
attacks. A May 2019 report by Recorded Future found that
ransomware attacks on State and local governments increased by
39 percent in 2018 to 53 attacks. You know that all too well,
Ms. Bottoms. In the first 4 months of 2019 alone, there have
already been 21 attacks, including my home State of New York.
In 2018, the National Association of State Chief
Information Officers found that many States typically spend
only 1 or 2 percent of their budgets on cybersecurity. Most
employ fewer than 15 full-time cyber professionals. It is not
surprising, particularly given the burgeoning budget challenges
many State and local governments face and the talent pipeline
issues we have discussed in previous hearings.
It will take work on a collective level from Federal,
State, and local governments, as well as outside stakeholders,
to improve the situation. But it is clear that action is needed
and needed now.
This hearing today is an important step, and I commend the
Chairman for convening it. I look forward to hearing from our
witnesses about their ideas about how to help.
I will soon introduce a bill, the State and Local
Cybersecurity Improvement Act, which will direct the
Cybersecurity and Infrastructure Security Agency, or CISA,
within the Department of Homeland Security to develop a
resource guide for State and local officials to navigate the
challenges of protecting their networks.
My bill will also create two new grant programs. The first
is a one-time grant for State and local governments to identify
their high-value assets and system critical architecture. To
protect something, you must know it is worth protecting. The
second grant program that will be part of this bill will help
State and local governments conduct exercises to train,
prepare, and evaluate their ability to respond to an attack.
Working through an exercise allows a government to identify
weaknesses in their current plan and establishes protocols and
procedures to be prepared in the worst-case scenarios. My bill
will help State and local governments be better prepared to
defend their cyber networks. But the work we need to do to
address this issue does not end with my bill. This is a
collaborative effort. It is Democrats and Republicans. It is
all of you at the table and everyone at every level of
government. That is what we are going to need to attack this
problem in an effective manner.
I look forward to working with my colleagues on this issue
moving forward, and I want to thank the Chairman and our
witnesses for speaking with us today.
Mr. Chairman, I yield back.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
June 25, 2019
Our State and local governments are prime targets for cyber
attacks. A May 2019 report by Recorded Future found that ransomware
attacks on State and local governments increased by 39 percent in 2018,
to 53 attacks. And in the first 4 months of 2019 alone, there have
already been 21 attacks, including in my home State of New York.
In 2018, the National Association of State Chief Information
Officers found that many States typically spend only 1 to 2 percent of
their budget on cybersecurity. Most employ fewer than 15 full-time
cyber professionals.
This is not surprising, given the budgeting challenges many State
and local governments face and the talent pipeline issues we have
discussed in previous hearings.
It will take work from Federal, State, and local governments, as
well as outside stakeholders, to improve this situation, but it is
clear that action is needed.
This hearing today is an important step, and I look forward to
hearing from our witnesses about their ideas about how to help.
I will introduce a bill, the State and Local Cybersecurity
Improvement Act, which directs the Cybersecurity and Infrastructure
Security Agency within the Department of Homeland Security, to develop
a resource guide for State and local officials to navigate the
challenges of protecting their networks.
My bill also will create two new grant programs. The first is a
one-time grant for State and local governments to identify their High-
Value Assets and system-critical architecture. To protect something,
you must know what is worth protecting.
The second grant program helps State and local governments conduct
exercises to train, prepare, and evaluate their ability to respond to
an attack. Working through an exercise allows a government to identify
weaknesses in their current plan and establishes protocols and
procedures to be prepared in case the worst happens.
My bill will help State and local governments be better prepared to
defend their cyber networks. But the work we need to do to address this
issue does not end with my bill. I look forward to working with my
colleagues on this issue.
Mr. Richmond. The gentleman from New York yields back.
I now recognize the Chairman of the full committee on
Homeland Security for 5 minutes.
Mr. Thompson. Good afternoon. I want to thank Chairman
Richmond for holding today's hearing on an especially timely
topic, the cybersecurity challenges in the State and local
governments.
Just last week, Riviera Beach, a small city in Florida,
agreed to pay a $600,000 ransom demand after hackers crippled
city computer systems. Unfortunately, Riviera Beach is not
alone. Hackers have been wreaking havoc on cities from Atlanta
to Baltimore to Albany, and actually many more. These bad
actors range from unaffiliated cyber criminals to sophisticated
state actors, including Iran, and their interest in breaching
State and local networks is only growing.
Since the Russian Government engaged in a historic campaign
to meddle in the 2016 elections, officials at all levels of
government have devoted time and resources to improve the
security of election infrastructure. For its part, Congress
appropriated $380 million, a down payment, for foreign grants
to State and local election officials to replace unsecure
election equipment, improve network security, and provide
cybersecurity training to election officials. Additionally, for
2 fiscal years, Congress has provided the Cybersecurity and
Infrastructure Security Agency additional funding to provide
cybersecurity services upon request to election officials.
But administering elections is only one of the many
important responsibilities carried out by State and local
governments. These attacks that have come about have disrupted
networks in local police departments, offices that process
real estate transactions, and public health departments, just to
name a few.
So I am looking forward to the testimony from our witnesses
today. As a former mayor myself, I understand the problems
cities have, and mayors more specifically. So I look forward to
Mayor Bottoms' testimony. But I am also eager to hear from MS-
ISAC, which serves as the cyber threat information-sharing hub
for State and local governments and spearheads State and local
coordination on securing election infrastructure.
Finally, I look forward to understanding the disparate
impact of cybersecurity incidents on vulnerable populations and
how the Federal Government can partner with State and local
government to address them.
I thank our witnesses for being here today, and I yield
back the balance of my time.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
June 25, 2019
Just last week, Riviera Beach--a small city in Florida--agreed to
pay a $600,000 ransom demand after hackers crippled city computer
systems. Unfortunately, Riviera Beach is hardly alone. Hackers have
been wreaking havoc on cities from Atlanta to Baltimore to Albany.
These bad actors range from unaffiliated cyber criminals to
sophisticated state actors--including Iran--and their interest in
breaching State and local networks is only growing. Since the Russian
government engaged in a historic campaign to meddle in the 2016
elections, officials at all levels of government have devoted time and
resources to improve the security of election infrastructure. For its
part, Congress appropriated $380 million--a down payment--to fund
grants to State and local election officials to replace unsecure
election equipment, improve network security, and provide cybersecurity
training to election officials.
Additionally, for 2 fiscal years, Congress has provided the
Cybersecurity and Infrastructure Security Agency additional funding to
provide cybersecurity services--upon request--to election officials.
But administering elections is only one of the many important
responsibilities carried out by State and local governments. So far
this year, there have been over 20 reported cyber attacks against
government agencies. These attacks disrupted networks in local police
departments, offices that process real estate transactions, and public
health departments, just to name a few. The impacts ranged from
jeopardizing 9-1-1 calls, grinding real estate transactions to a halt,
and preventing health officials from warning the public when a bad
batch of illegal drugs causes overdoses. Unfortunately, the
sophistication of hackers is outpacing the speed at which State and
local governments can implement IT modernization programs and phase out
legacy technologies. Moreover, the attack surface is growing as more
jurisdictions are integrating ``smart city'' technologies into the
execution and delivery of government services.
As other sectors improve their cybersecurity posture, State and
local governments struggling to keep pace with technology are becoming
low-cost, high-value targets. It is time for the Federal Government to
do more. Every year, States assess cybersecurity as one of the 32 core
capabilities in which they are least proficient. At the same time,
States rarely use their Homeland Security Grant to invest in
cybersecurity as they stretch these funds to support traditional
terrorism preparedness and response capabilities.
Make no mistake, State and local governments need to invest in
security, especially as they invest in smart city technology. But it is
time to improve the way the Federal Government helps them. Toward that
end, I am pleased that Mayor Keisha Lance Bottoms is here today to
share the lessons learned from the ransomware attack in Atlanta and to
understand how the Federal Government can better help victims prevent,
respond to, and recover from cyber attacks. I am also eager to hear
from the MS-ISAC, which serves as the cyber threat information-sharing
hub for State and local governments, and spearheads State and local
coordination on securing election infrastructure. Finally, I look
forward to understanding the disparate impacts of cybersecurity
incidents on vulnerable populations and how the Federal Government can
partner with State and local governments to address them. Addressing
the cybersecurity challenges ahead will require strong partnerships
among all levels of government, and I am eager to understand how
Congress can help ensure that Federal resources are most effectively
leveraged.
Mr. Richmond. The gentleman from Mississippi yields back.
I now recognize Mr. Rogers, the Ranking Member of the full
committee on Homeland Security, for 5 minutes.
Mr. Rogers. Thank you, Mr. Chairman.
I thank our witnesses for being here today, especially Mr.
Cilluffo from Auburn University's McCrary Institute for Cyber
and Critical Infrastructure Security, located in my district.
The McCrary Institute serves as an invaluable resource to
our State and the Nation with its cybersecurity and critical
infrastructure work. Cybersecurity is a tremendous challenge
facing all levels of government.
Our State level governments have seen first-hand through
increased ransomware attacks that leave citizens without
services and cities in panic. I am glad that our hearing today
will discuss how Federal Government is already lending a
helping hand and how we can improve the level of assistance.
I appreciate Mr. Cilluffo highlighting the great work we
are doing in Alabama to help address these issues, like the
cyber magnet school to address the talent shortage, and the
Alabama Security Operations Center, which provides centralized
cybersecurity management for Alabama's State agencies. I had
the honor of visiting there about a month ago; it was pretty
impressive.
In many ways, Alabama is setting the example for other
States as we confront the challenges of cybersecurity.
With that, I yield back, Mr. Chairman.
[The statement of Ranking Member Rogers follows:]
Statement of Ranking Member Mike Rogers
Thank you, Mr. Chairman.
And thank you to our witnesses for being here today. Especially Mr.
Cilluffo, from Auburn's McCrary Institute for Cyber and Critical
Infrastructure Security in my district.
The McCrary Institute serves as an invaluable resource to our State
and the Nation with its cybersecurity and critical infrastructure work.
Cybersecurity is a tremendous challenge facing all levels of
government.
Our State and local governments have seen that first-hand through
increased ransomware attacks that leave citizens without services and
cities in a panic.
I am glad that our hearing today will discuss how the Federal
Government is already lending a helping hand and how we can improve the
level of assistance.
I appreciate Mr. Cilluffo highlighting the great work we are doing
in Alabama to help address these issues--like our Cyber Magnet School
to address the talent shortage and the Alabama Security Operations
Center, which provides centralized cybersecurity management for
Alabama's State agencies.
In many ways, Alabama is setting the example for other States as we
confront the challenges of cybersecurity.
Thank you Mr. Chairman. I yield back.
Mr. Richmond. The gentleman from Alabama yields back.
I would like to remind other Members of the subcommittee
that, under the rules, opening statements may be submitted for
the record.
I want to welcome our panel of witnesses here today. First,
I am very pleased to welcome Mayor Keisha Lance Bottoms of the
city of Atlanta, Georgia, who oversaw the city's response to a
major ransomware attack in March 2018. Under Mayor Bottoms'
leadership, the city took a number of bold corrective actions
to manage and mitigate damage and prevent future attacks.
Thank you, Mayor, for your participation and your
willingness to share the lessons you have learned in cyber
incident response.
Next, we have Mr. Thomas Duffy from the Center for Internet
Security, who is currently serving as the chair of the Multi-
State Information Sharing and Analysis Center, MS-ISAC. The MS-ISAC
serves as an important partner and liaison between DHS and
State and local officials when it comes to sharing information
and coordinating around cyber threats. I look forward to
hearing his insights on how we might tackle this problem.
Next, we also have Mr. Ahmad Sultan, who is here today in
his personal capacity to discuss the research conducted while
serving at UC Berkeley's Center for Long-Term Cybersecurity.
His research focused on how underserved residents, including
low-income residents, seniors, and foreign language speakers,
face higher than average risk of becoming victims of cyber
attacks and are less equipped to respond. I am sure that his
comments will shed light on an important area of cybersecurity
that is typically overlooked.
Last but certainly not least, I would like to welcome Mr.
Frank Cilluffo, the director of the McCrary Institute for Cyber
and Critical Infrastructure at Auburn University. Mr. Cilluffo
previously served as a Presidential appointee in the Department
of Homeland Security, as an adviser to former director Tom
Ridge. He has also testified before this committee and
elsewhere on the Hill dozens of times.
Welcome back to the committee, Mr. Cilluffo, and thank you
for your testimony.
Without objection, the witnesses' full statements will be
inserted in the record.
I now ask each witness to summarize his or her statement
for 5 minutes, beginning with you, the Honorable Keisha Lance
Bottoms.
STATEMENT OF KEISHA LANCE BOTTOMS, MAYOR, CITY OF ATLANTA
Ms. Bottoms. Good afternoon. My name is Keisha Lance
Bottoms, and I am the mayor of Atlanta, Georgia, the cradle of
the civil rights movement and the 10th largest economy in the
United States. Thank you to Chairman Richmond and to Chairman
Thompson and to each of you for having me here today. It is an
honor to join you.
In the early morning hours of March 22, 2018, 77 days into
my term as mayor and only 4 days into the tenure of our new
COO, Atlanta's government experienced a ransomware cyber attack
which impacted our operations and our ability to provide
services to our residents and our visitors.
To paint a broader picture of that day, the city of Atlanta
has nearly 9,000 employees, and it goes without saying that
many rely on technology to do their jobs and to keep the city
running. We were incapacitated.
Fortunately, our daily mission-critical services, such as
fire, police, and ambulance, were not severely impacted, and
neither was our water supply. However, some departments and
government entities suffered irreparable damage, including our
police department which lost stored dash cam video footage. The
Atlanta Municipal Court had to cancel and reschedule hearings.
Our customer service interface, known as ATL311, was knocked
off-line. Many other applications were impacted or affected,
delaying the delivery of city services.
As the first day unfolded, it became clear to us that
criminals had attacked the city's computer systems, and we
moved quickly to mitigate those circumstances. The first few
hours of the attack were critical for limiting damage and
determining our steps going forward. We notified law
enforcement and key partners, including our insurance carrier,
our government partners, the media, and the public.
We also needed to learn in detail what systems, functions,
and operations were impacted. That may sound simple, but during
an emergency, the process of identifying every compromised
system was challenging, especially without the assistance of
technology.
Out of an abundance of caution, we took some systems off-
line and hired an outside security firm to assist with our
response. We soon discovered that attackers were demanding a
ransom payment of $51,000 in bitcoins to unlock our systems. We
refused to pay.
The cost of recovery, to date, has been approximately $7.2
million, and that number is still climbing. Some costs have
been reimbursed under our cyber insurance policies, which,
thankfully, for the first time, we had obtained just a few
months before the attack.
Last November, Federal authorities charged two Iranians
with the attack and outlined their massive scheme to breach
computer networks of local governments, health care systems,
and other public entities.
Our cyber attack was not unique. Digital extortion is now a
common occurrence affecting many organizations in the public
and private sectors, and cyber threats are becoming much more
hostile and frequent. We must continue to understand how to
protect ourselves against these attacks when they occur.
The good news is that Atlanta is rebounding from this
attack and sharing its experience with other cities. But the
reality is that, as elected officials, we often make
investments in infrastructure that people can see. In my nearly
2-year campaign for mayor, not once did a constituent ask me
about my investment in cybersecurity.
Following our unfortunate experience, we have been advising
other cities to help them better understand the continuity
measures that are needed. We are adopting a more flexible and
hardened infrastructure using advanced technologies and the
cloud to diversify and minimize our risk. We are also
emphasizing the importance of cross-functional response teams,
including our Federal and State government partners.
But no city can do this effectively without strong
partnerships. Through our process, Atlanta has worked with the
FBI, Department of Homeland Security, the Secret Service, and
the private sector. The work we did to prepare for the Super
Bowl earlier this year is a great example of that
collaboration. We are staying proactive so that we can
understand and better manage this ever-changing landscape.
We have also learned that you can never completely protect
your computer network. Quite frankly, that remains our biggest
challenge. Atlanta is more prepared and resilient than ever,
but we continue to need strong partnerships. Many cities,
especially small cities, simply lack the resources needed to
develop the safety net that is needed to protect against these
attacks.
The Federal Government should also expand programs that
share real-time threat information, which is often critical in
avoiding and mitigating threats. Also, we should have Federal
programs in place to provide cybersecurity disaster relief
funding that will help offset some of these costs. Last, we
need your help to ensure the safety and security of the
electoral process as city and State governments administer the
elections that are the foundation of our democracy.
With the support and assistance of partners such as the
Department of Homeland Security and this distinguished
committee, all of our cities and our country can be safer and
better prepared.
Thank you.
[The prepared statement of Ms. Bottoms follows:]
Prepared Statement of Keisha Lance Bottoms
June 25, 2019
Good afternoon. My name is Keisha Lance Bottoms and I am the mayor
of Atlanta, Georgia, the cradle of the Civil Rights Movement and the
anchor of the 10th-largest economy in the United States.
I want to thank Chairman Bennie Thompson and Subcommittee Chairman
Cedric Richmond for inviting me today to testify at this important
hearing. I am honored to be here.
In the early morning hours of Thursday, March 22, 2018--77 days
after I was sworn in as the 60th Mayor of Atlanta--the city experienced
a ransomware cyber attack which impacted our operations and our ability
to provide services to our residents and visitors.
Fortunately, mission-critical services such as fire, police, and
ambulance services, and our water supply, were not affected.
However, some departments and governmental entities suffered
irreparable damage.
The Atlanta Municipal Court had to cancel and reschedule hearings,
suffering a major interruption. ATL311, our customer service interface
for our residents, was knocked off-line.
Many other applications were impacted or affected, delaying the
provision of services by the city.
As that first day unfolded and the city learned more details about
the disruption, it became clear to us that criminals had attacked the
city's systems.
As this committee knows, one of the most common and successful ways
that criminals can attack entities is through phishing. Phishing scams
use social engineering to trick a user into clicking on a link which
can then infect the system with malware. Depending on the malware used,
it can take over and encrypt the user's computer. Ransomware can also
delete or permanently corrupt files and destroy them forever, something
we experienced in Atlanta.
The city of Atlanta moved quickly to address the impacts and to
mitigate the attack, notifying law enforcement and key partners,
including our insurance carrier, outside counsel, Government partners,
and the media. We also hired an outside cybersecurity firm to assist
with our response.
As with other crimes, in the case of a cybersecurity attack, it
can take days and even months to fully understand the depth and breadth
of what may have been impacted.
The city assessed which systems, functions, and operations were
impacted. That might sound simple, but during an emergency, identifying
every compromised system was difficult to accomplish, especially
without the assistance of technology.
Although the overall impact was not substantial throughout our
infrastructure, we took some systems off-line out of an abundance of
caution.
The city soon learned that the attackers were demanding a ransom
payment of $51,000 in Bitcoin to unlock our systems, which we refused
to pay.
The cost of recovery to date has been about $7.2 million and we
expect it will go higher.
Some costs have been reimbursed under Atlanta's cyber insurance
policies, with the hope that more will be reimbursed.
However, cyber insurance policies vary greatly, and not all
policies cover the wide-ranging impacts that a cyber attack can have on a
company or a city. It is critical to seek expert advice and counsel to
ensure that the policies purchased can cover the damages that can be
sustained.
As this committee knows, in November 2018, the U.S. Department of
Justice charged two Iranians with the attack and outlined the wide-
ranging plan they crafted to attack countless local governments, health
care systems, and other public entities.
Unfortunately, the city of Atlanta's cyber attack was not an
isolated occurrence. As organizations integrate technology into every
aspect of our lives, cybersecurity risk is ever present. If not
secured, systems across public and private entities will continually be
subject to attack and digital extortion.
Cities such as Savannah, Georgia; Dallas, Texas; and Baltimore,
Maryland have been attacked. The attack in Baltimore affected its 9-1-1
system, which further underscores how these attacks threaten the actual
health and safety for each of us.
Cyber threats are becoming more hostile and frequent, so all
organizations must understand how to protect themselves against these
attacks when they do occur.
The good news is that the city of Atlanta is using its experience
to become a ``model city'' for how municipalities can protect against,
and prepare for, cyber attacks.
We are adopting a more flexible and hardened infrastructure by
utilizing advanced technologies in order to diversify and minimize
risk.
We are emphasizing the importance of cross-functional incident
response teams that include Federal and State government partners.
We are strengthening our human capital to make certain that the
best and the brightest are guarding our systems.
We are in a good place going forward. Atlanta and the State of
Georgia represent one of the Nation's elite cybersecurity hubs, ranking
third in the Nation with companies that focus on information security,
and generating more than $4.7 billion in annual revenue.
More than 115 cybersecurity firms call Georgia home, including
Cybersecurity 500-ranked Secureworks, Pindrop, NexDefense, and Ionic
Security.
Based on the city's ``lessons learned'' we can now help other
cities to take cybersecurity seriously and plan to put in place manual
processes for mission-critical applications and services to
specifically address cyber risks.
This includes ensuring cities have carried out a thorough risk
assessment of their systems, including both infrastructure and business
practices.
No city can do this effectively without partnerships. The city of
Atlanta has worked with the FBI, the Department of Homeland Security,
the Secret Service, and the private sector. The work done to prepare
for Super Bowl LIII (53) was a great example of these collaborative
efforts.
The priority at the city of Atlanta is to build a culture of
cybersecurity where all our technology experts and partners are around
the table.
We intend to stay pro-active in order to understand and manage the
ever-evolving landscape.
We are re-focusing on operational basics--Detection, Response, and
Recovery.
On detection, we need to be able to quickly identify anomalies and
potential issues; on response, once a problem is identified, we need to
rapidly seek to contain the risk; and on recovery, we will better
understand the impacts of an attack and have cyber-specific recovery
and business-continuity plans in place ready to be deployed
immediately.
One component of a ``down to the basics'' plan is to have an on-
going program to educate employees and help them identify a phishing
email; as well as require the use of strong passwords, and prioritize
funding and empower cyber leadership, as we have done in Atlanta.
Regardless of the protective measures that are employed,
cybersecurity risks are now part of our everyday lives. We've learned
that you can never completely protect a computer network.
But there are steps that can be taken.
For example, cities should establish clear processes and be ready
to implement their cyber incident-response plan, just as they do in
anticipation of other emergencies.
While the city of Atlanta is more prepared and more resilient, many
local and State governments are not, and need the help of the Federal
Government.
Specifically, the Federal Government can help by passing
legislation and providing funding to assist State and local governments
in preventing, preparing for, and responding to cyber threats and
incidents. It is also important to emphasize the need for the Federal
Government to provide emergency funding and support during an actual
cyber attack. Having access to funds at the time of an attack would not
only accelerate responsiveness and restoration; but, would also result
in fewer municipalities paying ransoms and ultimately decrease the
occurrence of local governments as targets.
Second, the Federal Government can assist by empowering its
agencies to develop and share best practices with State and local
governments. Many small municipalities do not have the resources
necessary to develop and implement these best practices.
Third, the Federal Government should expand its programs that share
real-time threat information with State and local governments as this
information is often critical in avoiding or mitigating threats.
Next, when an attack does occur, the Federal Government should have
programs in place to provide cybersecurity disaster relief funding to
help offset recovery and restoration costs borne by State and local
governments.
Last, many State and local governments administer elections and
need help in ensuring the safety and security of the electoral process.
We are living in a different digital world now. Nation-state actors
and other foreign adversaries are attacking our State and local
governments and we need a strong Federal partner to defend against
those threats.
We know the threats will continue. What we're planning for today
may look different tomorrow.
With the support and assistance of partners such as the U.S.
Department of Homeland Security and this distinguished committee, all
our cities, and our country, can be safer by being prepared.
Thank you.
Mr. Richmond. Thank you, Mayor Bottoms, for your testimony.
I now want to recognize Mr. Duffy to summarize his
statement for 5 minutes.
STATEMENT OF THOMAS DUFFY, CHAIR, MULTI-STATE INFORMATION
SHARING AND ANALYSIS CENTER (MS-ISAC), SENIOR VICE PRESIDENT OF
OPERATIONS, CENTER FOR INTERNET SECURITY
Mr. Duffy. Thank you.
Chairman Thompson, Chairman Richmond, and Ranking Member
Katko, and Members of the subcommittee, thank you for inviting
me here today. My name is Thomas Duffy, and I am the chair of
the Multi-State Information Sharing and Analysis Center, or MS-
ISAC, which is operated by the Center for Internet Security.
We have a cooperative agreement with the Department of
Homeland Security to work with State, local, Tribal, and
territorial governments across the country. We serve as a focal
point for cyber prevention, protection, response, and recovery
of the Nation's State, local, Tribal, and territorial
governments.
I have spent my career in service to State and local
governments, including the past 15 years with the MS-ISAC.
Today, I will discuss the current level of cyber maturity in
State and local governments, the major security concerns, and
the recommendations on how the Federal Government can help.
Membership in the MS-ISAC and the more recently created
Elections Infrastructure ISAC has tripled in the past year-and-
a-half, which is a clear indication that the State and local
governments have a growing need for assistance, guidance, and
support. We conduct an annual cybersecurity maturity assessment
called the Nation-wide Cybersecurity Review, which measures the
gaps and capabilities of cyber programs of the State and local
governments.
So what have we learned from these annual reviews? We have
learned that the States continue to report higher overall
maturity scores than the local counterparts. Not surprising.
While improvements have been noted, there is still much to be
done at all levels of government.
We have also learned that the same top 5 security concerns
dominate this discussion year after year. No. 1 concern in 2018
was lack of sufficient funding; No. 2 was the increasing
sophistication of threats; No. 3 was the lack of documented
processes; No. 4 was emerging technologies; and No. 5, as
mentioned earlier, is the inadequate supply of cybersecurity
professionals.
Addressing these challenges requires resources as well as
State and National strategies. We need to increase the pool of
cybersecurity professionals, plan for investments in our IT
infrastructure, and ensure that security is built into the
products and services we buy.
So what can the Federal Government do to assist? First, let
me note that DHS has been very supportive and proactive in
addressing the increasing cyber challenges faced by State and
local governments, especially in the election sector. There are
two areas I would recommend for cyber support, one that
requires funding, which you are used to, and one that only
requires some interagency cooperation, which would be nice to
see.
First, the Federal Government should consider establishing
a dedicated State and local cybersecurity grant program. When
the initial Homeland Security grants were created, the
cybersecurity threat was not what it is today. Most of the funds
were dedicated to antiterrorism activities, which was
appropriate. Over time, the grant funds have decreased while
the cyber threat has expanded exponentially, and the terrorism
threat still exists. Thus, there is a smaller pool of funding
for a much larger pool of threats. More money is going to
sustain activities, leaving less money for new initiatives.
I would suggest if a cyber grant program is established,
priority be given or funds set aside to programs that support
State and local partnerships. Leveraging the combined resources
of State and local partnerships will serve as a force
multiplier. Really, you get the value out of the funds.
Second, the Federal Government should adopt a single audit
approach when auditing State programs for compliance with
security guidelines with the cognizant Federal agencies. In
1984, the Single Audit Act was passed, which proved to be a
cost-effective method to audit non-Federal entities. Once one
audit is conducted in lieu of multiple audits of individual
programs, then the single audit standard is applied. The same
should apply to cybersecurity audits of State programs by
Federal agencies. This would save resources, both at the State
level and the Federal level, resources that could be reinvested
to improving our cybersecurity posture.
While State and local governments have made progress in key
areas, so have our adversaries. The dizzying array of
cybersecurity requirements has made it difficult to develop
effective programs, a lack of funding stalls progress, and a
lack of capable talent compounds the negative impacts of
ransomware and other attacks. We must do better.
In closing, our success or failure will be determined on
our ability to work together at all levels of government to
evade, counter, or neutralize the endless risk that State and
local governments face. Each of these efforts requires
resources--time, money, and energy--that are currently in short
supply. If we are to make the progress required of us in
meeting our collective missions, we must work together on this
National problem.
I thank you for the opportunity to address the subcommittee
today.
[The prepared statement of Mr. Duffy follows:]
Prepared Statement of Thomas Duffy
June 25, 2019
Chairman Thompson, Chair Richmond, Ranking Member Katko, and
Members of the subcommittee, thank you for inviting me today to this
hearing. My name is Thomas Duffy and I serve as the senior vice
president of operations and security services at the Center for
Internet Security, a global nonprofit focused on improving
cybersecurity for public and private organizations. I also serve as the
chair of the Multi-State Information Sharing and Analysis Center (MS-
ISAC), which is the focal point for cyber threat prevention,
protection, response, and recovery for the Nation's State, local,
Tribal, and territorial governments as well as all 79 Fusion Centers.
I have spent my career in service to State and local governments,
including the past 15 years with the MS-ISAC. I appreciate the
opportunity today to share our thoughts on the current state of
cybersecurity in State and local governments, focusing on how the
Federal Government can help. I look forward to offering ideas on how we
can collectively build on the progress being made to secure the State
and local government cyber infrastructure.
In short, I will: (1) Introduce you to the current level of cyber
maturity in State and local governments; (2) describe the major
challenges faced by State and local governments; and (3) offer
recommendations on how the Federal Government can help.
about center for internet security and the ms-isac
The Center for Internet Security (CIS) was established in 2000
as a nonprofit organization and its primary vision is to lead the
global community to secure our connected world through the
identification, development, validation, information sharing, and
sustainment of best practice solutions for cyber defense. CIS was
instrumental in establishing the first guidelines for security
hardening of commercial IT systems at a time when there were few
security standards, best practices, or leadership.
The MS-ISAC was formed in 2004 under the auspices of the State of
New York, and transitioned to CIS in 2010. The Elections Infrastructure
Information Sharing and Analysis Center (EI-ISAC) was formed in 2018,
in response to the need to have a dedicated focus on protecting our
Nation's election infrastructure.
Today, CIS works with the global security community using
collaborative deliberation processes to define security best practices
for use by Government and private-sector entities. The approximately
200 professionals at CIS provide cyber expertise in three main program
areas: (1) The Multi-State and more recently the Elections
Infrastructure Information Sharing and Analysis Center, the MS-ISAC and
EI-ISAC respectively; (2) the CIS Benchmarks; and (3) the CIS Critical
Security Controls. I describe each briefly below.
MS-ISAC.\1\--In 2010, the U.S. Department of Homeland Security
(DHS), under the then-National Protection and Programs Directorate
(NPPD), partnered with CIS to host the MS-ISAC, which has been
designated by DHS as the focal point for cyber threat prevention,
protection, response, and recovery for the Nation's State, local,
Tribal, and territorial governments as well as all 79 Fusion Centers
Nation-wide. MS-ISAC members include all 56 States and territories and
more than 5,000 other State and local government entities. MS-ISAC's
24x7 cybersecurity operations center provides: (1) Cyber threat
intelligence that enables MS-ISAC members to gain situational awareness
and prevent incidents, consolidating and sharing threat intelligence
information with the DHS National Cybersecurity and Communications
Information Center (NCCIC); (2) early warning notifications containing
specific incident and malware information that might affect them or
their employees; (3) IP and domain monitoring (4) incident response
support; and (5) various educational programs and other services.
Furthermore, MS-ISAC provides around-the-clock network monitoring
services with our so-called ``Albert'' network monitoring sensors for
many State and local government networks, analyzing over 1 trillion
event logs per month. Albert is a cost-effective Intrusion Detection
System (IDS) that uses open-source software combined with the expertise
of the MS-ISAC 24x7 Security Operations Center (SOC) to provide
enhanced monitoring capabilities and notifications of malicious
activity. In 2018, MS-ISAC analyzed, assessed, and reported on over
56,000 instances of malicious activity to over 6,000 MS-ISAC members.
---------------------------------------------------------------------------
\1\ Find out more information about the MS-ISAC here: https://
msisac.cisecurity.org/. List of MS-ISAC services here: https://
www.cisecurity.org/wp-content/uploads/2018/02/MS-ISAC-Services-Guide-
eBook-2018-5-Jan.pdf.
---------------------------------------------------------------------------
EI-ISAC.\2\.--In 2018 CIS was tasked by DHS to stand up an
information sharing and analysis center focused on the Nation's
elections infrastructure. Leveraging the resources of the MS-ISAC, CIS
established the Elections Infrastructure Information Sharing and
Analysis Center (EI-ISAC). The EI-ISAC is now fully operational with
all 50 States participating and over 1,700 total members, including
elections vendors. The EI-ISAC provides elections officials and their
technical teams with regular updates on cyber threats, cyber event
analysis, and cyber education materials. During the 2018 primaries and
mid-term elections the EI-ISAC hosted the National Cyber Situational
Awareness Room, an on-line collaboration forum to keep elections
officials aware of cyber and non-cyber incidents and potential cyber
threats. More than 600 elections officials participated in these
forums. Moreover, the MS-ISAC was processing data from 135 Albert
sensors monitoring the networks, which supported on-line elections
functions such as voter registration and election night reporting. The
Albert sensors processed 10 petabytes of data during 2018, resulting in
over 3,000 actionable notifications to elections offices.
---------------------------------------------------------------------------
\2\ A list of EI-ISAC services can be found here: https://
www.cisecurity.org/ei-isac/ei-isac-services/.
---------------------------------------------------------------------------
CIS Benchmarks.--CIS is also the world's largest producer of
authoritative, community-supported, and automatable security
configuration benchmarks and guidance. The CIS Security Benchmarks
(also known as ``configuration guides'' or ``security checklists'')
provide highly-detailed security setting recommendations for a large
number of commercial IT products, such as operating systems, database
management systems, virtual private cloud environments, and most of
the major vendors' network appliances. These benchmarks are vital for
any credible security program. The CIS Security Benchmarks are
developed through a collaborative effort of public and private-sector
security experts. Over 200 consensus-based Security Benchmarks have
been developed and are available in PDF format free to the general
public on the CIS or NIST web site. An automated benchmark format along
with associated tools is also available through the purchase of a
membership. CIS has also created a number of security configured cloud
environments, called ``hardened images'' that are based on the
benchmarks that we are deploying in the Amazon, Google, and Microsoft
cloud environments. These hardened images help ensure that cloud users
can have confidence in the security provided within the cloud
environment they select. The CIS-hardened images are used world-wide by
organizations ranging from small, nonprofit businesses to Fortune 500
companies.
The CIS Security Benchmarks are referenced in a number of
recognized security standards and control frameworks, including:
NIST Guide for Security-Focused Configuration Management of
Information System
Federal Risk and Authorization Management Program (FedRAMP)
System Security Plan
DHS Continuous Diagnostic Mitigation Program
Payment Card Industry (PCI) Data Security Standard v3.1
(PCI) (April 2016)
CIS Critical Security Controls.
CIS Controls.\3\--In 2015, CIS became the home of the CIS Critical
Security Controls, previously known as the SANS Top 20, the set of
internationally-recognized, prioritized actions that form the
foundation of basic cyber hygiene and essential cyber defense ground
truth. They are developed by an international consensus process and are
available free on the CIS web site. The Critical Security Controls or
just the CIS Controls have been assessed as preventing up to 90 percent
of pervasive and high-risk cyber attacks.\4\ The CIS Controls act as a
blueprint for system and network operators to improve cyber defense by
identifying specific actions to be done in a priority order--achieving
the goals set out by the NIST Cybersecurity Framework (CSF). Moreover,
the CIS Controls are specifically referenced in the NIST CSF as one of
the tools to implement an effective cybersecurity program.\5\
---------------------------------------------------------------------------
\3\ Find out more information about the CIS Controls and download
them for free here: https://www.cisecurity.org/critical-controls.cfm.
\4\ Up to 91 percent of all security breaches can be auto-detected
when release, change, and configuration management controls are
implemented. IT Process Institute: https://www.sans.org/cyber-security-
summit/archives/file/summit-archive-1533052750.pdf.
\5\ NIST Framework, Appendix A, page 20, and throughout the
Framework Core (referred to as ``CCS CSC''--Council on Cyber Security
(the predecessor organization to CIS for managing the Controls)
Critical Security Controls).
---------------------------------------------------------------------------
The MS-ISAC, and more recently the EI-ISAC, are operated pursuant
to a Cooperative Agreement with Department of Homeland Security.
Members include all 50 States, all 50 State election directors, almost
6,000 local governments, 88 Tribal governments, all 5 U.S. territories
and the District of Columbia. Local government members represent over
80 percent of the U.S. population.
cybersecurity challenges faced by state and local governments
Cyber protections at all levels of government are critical, and
central to the fiduciary responsibility to protect the data that is
entrusted to Government by our citizens and businesses. Local
governments connect to State governments, State governments connect to
the Federal Government. All levels of government have a shared
responsibility for safeguarding information. Data on citizens is
tracked from cradle to grave, from the issuance of your birth
certificate to the filing of your death certificate.
Regarding the question ``has the cybersecurity posture of State and local
governments improved?''--the answer is yes. There are, however, other
related and equally important questions that should be asked. If the
question is ``have State and local governments kept pace with advancing
threats and the rapidly expanding cyber infrastructures that need to be
protected?'', the answer is probably not. If the question is ``are
State and local governments prepared to build, maintain, and evolve
their cybersecurity programs commensurate with the risks that they will
face in the future?'', the answer is again, probably not. Both State
and local governments continue to make news for ransomware, cyber
crime, and other cybersecurity-related issues every week.
The cyber threat landscape continues to evolve faster than our
preparedness activities and protective measures, and the number of
entry points to our systems continues to grow at an accelerated rate.
We are constantly playing a game of catch up. There is no silver bullet
to solve the problem. Software providers continue to issue patches for
system vulnerabilities daily! Keeping up with this is an enormous
challenge for all organizations, large and small.
The MS-ISAC conducts an annual cybersecurity maturity assessment,
called the Nation-wide Cybersecurity Review (NCSR), of State and local
governments. The NCSR, based on the NIST Cybersecurity Framework, is a
self-assessment tool developed by CIS in concert with State and local
cybersecurity professionals.
What have we learned from the annual NCSR over the past few years?
The assessment uses a scale of 1-7 to measure cybersecurity
maturity, and establishes a score of 5 as the minimum-security level
organizations should strive for. The State average in 2018 was 4.7,
with 44 percent of States achieving the baseline of 5. The local
government average is 3.4, with only 18 percent achieving the baseline
minimum of 5. There have been improvements over time, with the States
improving by 5 percent over the past 3 years and local governments
improving by 17 percent. States on average report higher maturity
scores than local governments. While improvements have been noted,
there is much that still needs to be done, especially at the local
government level.
One constant finding of the NCSR has been the top 5 security
concerns, which remain unchanged for the past 5 years, the only
difference being that the order of priority has changed every year. The
top 5 concerns in 2018 were:
1. Lack of sufficient funding.--State and local governments
struggle with balancing operational needs to improve their IT
infrastructure and providing adequate cyber defense
simultaneously. Threat actors are continually attacking State and
local governments with ransomware and breaching their legacy
defense mechanisms to steal private data, causing an increased
need to provide incident response, improve IT network defense,
and reprioritize budgets to implement security best practices
and security controls that often require major operating system
and proprietary software migrations. The cybersecurity budget
must compete with other programs, such as education,
infrastructure like roads and bridges, health care, and law
enforcement, for funding. The value of security investments is
not obvious to the public. Public officials don't run on a platform
of ``I am going to upgrade our IT infrastructure!''. It is only
after it is too late that they realize a missed opportunity to
prevent a major compromise, one that now requires a major investment in
cybersecurity.
2. Increasing sophistication of threats.--It is no secret that
threat actors, threat groups, and/or advanced persistent threats
funded by nation states to carry out cyber espionage are
increasing. Sophisticated malware like Emotet, which
``reinvents'' itself weekly to avoid detection by traditional
defenses, is a good example of the bad guys making cyber
defense a 24x7x365 job. In addition, threat actors are using
realistic and effective spear phishing and phishing campaigns
to gain access to State and local government systems and end-
users' workstations and mobile devices.
3. Lack of documented processes.--Mature organizations have
formally documented policies, standards, and procedures.
Implementation is tested, verified, and reviewed regularly to
ensure continued effectiveness. This is not found in most State
and local governments. Many processes in managing government
systems remain ad hoc. This is well-documented in the NCSR. The
priorities are to ``keep the lights on'', respond to
emergencies, manage new projects, roll out new technologies,
etc. One of the enhancements planned for 2019 in the NCSR is to
include links to policies and standards where this is
identified as a need in the NCSR submission. However, resources
will be required to implement the policies and standards and
ensure they are tested, verified, and reviewed regularly.
4. Emerging technologies.--The future is now. Major urban areas
are in the progress of building 5G communications
infrastructures to support the rapidly growing need for
connectivity to support autonomous vehicles, data streaming
services, consumer electronics, and smart devices. IoT devices
are now finding their way into daily government operations.
HVAC systems are now connected to the internet as are medical
devices. Drone technology is being deployed across all levels
of government. Each of these technologies requires organizations
to expand the scope of protective measures that need to be
implemented, tested, and verified regularly. They also
introduce new opportunities for attackers to exploit networks
looking for vulnerabilities or lapses in security. The status quo
will not protect your network. The defenses need to continually
evolve. We must proactively put in place security measures that
effectively defend against current and future cyber
attacks.
5. Inadequate supply of security professionals.--The NCSR clearly
highlights what is a National problem--the shortage of skilled
cybersecurity professionals. The impact of this lack of talent
is even greater for State and local government entities
due to lower pay. State and local governments are at a major
disadvantage in recruiting cybersecurity professionals. Vacant
positions mean some critical work may not be accomplished.
Each year, the DHS issues a National Preparedness Report on the
challenges that all organizations, public and private, face in
preparedness. It includes a capabilities assessment in 32 core areas
reported by every State. The 2018 report noted:
1. Cyber threats are a rapidly-evolving threat, joining nation-
state threats and terrorism as an area of significant public
concern.
2. Since 2012, States and territories have consistently reported
cybersecurity as their least proficient capability.
Just this past weekend CISA reported on ``a recent rise in cyber
activity directed at United States industries and government agencies
by Iranian regime actors and proxies.'' Improving our cybersecurity
posture will take time. We must act now.
recommended actions for the federal government
Addressing these challenges requires resources as well as State and
National strategies. We need to: Increase the pool of cybersecurity
professionals, plan for investments in our IT infrastructure, and
ensure that security is built into products and services.
What can the Federal Government do to assist State and local
governments?
DHS has been very supportive in addressing the increasing
challenges of State and local governments posed by expanding cyber
threats, including funding of the Multi-State ISAC and Election
Infrastructure ISAC, allowing State and local governments to
participate in the Federal Virtual Training Environment (FedVTE),
allowing State and local governments to participate in the Scholarship for
Service Program sponsored by the National Science Foundation. It has
also developed the National Cybersecurity and Technical Services
program that provides network scanning and penetration testing among
its many service offerings. It has been very active in improving the
security of our Nation's election infrastructure and developing and
sponsoring local, State, and National cyber exercises. A National-level
election exercise was sponsored by DHS last week.
There are two areas in which I would recommend that consideration be given
to additional Federal cyber support to the State and local community.
First, DHS should establish a dedicated State and local government
cybersecurity grant program. When the initial Homeland Security Grant
programs were created, the cybersecurity threat was not what it is
today. Most of the funds were dedicated to anti-terrorism efforts, as
was appropriate. Over time the grant funds have decreased, while the cyber
threat has expanded exponentially and the terrorism threat still
exists. Thus, a smaller pool of funding is available for a large pool
of threats. More money is going to sustain activities, leaving less
money for new initiatives. If a cyber grant program is established,
priority should be given, or funds set aside, to programs that support
State and local partnerships. Leveraging the combined resources of
State and local governments will serve as a force multiplier. There are
several great examples of State and local partnerships including the
Wisconsin Cyber Response Team that was organized by the State to
recruit local government staff to be regional cyber incident responders
for local governments. Local government staff that met minimum
qualifications were chosen to be part of the regional teams and
received advanced training from the State that led to incident
response certifications. The regional teams have responded to over 30
incidents since their inception.
Second, the Federal Government should adopt a ``single audit''
approach when auditing State programs for compliance with the security
guidelines of the cognizant Federal agencies. In 1984, the Single Audit
Act was passed. The Act refers to a ``single audit'' because it
consolidated multiple audits of non-Federal agencies required for each
award into a single audit. The stated purpose was to promote sound
financial management of Government funds by non-Federal organizations,
promote uniform guidelines for audits, and reduce the burden on
nonprofits by promoting efficient and effective use of audit resources.
It proved to be a cost-effective method of auditing non-Federal entities.
One audit is conducted in lieu of multiple audits of individual
programs and a single audit standard is applied. The same should apply to
the security audits of State programs by Federal agencies.
The following are some of the Federal agencies that audit State
systems: Centers for Medicare & Medicaid Services, Internal Revenue
Service, Social Security Administration, Department of Agriculture, and
Department of Health and Human Services. Although the compliance/audit
requirements are often based on NIST SP 800-53, they vary in the amount
of time required by the State to meet the requirements. For example,
some Federal agencies send an on-site audit team to the State to review
security controls while other Federal agencies rely on the completion
of a written questionnaire. Regardless, there are multiple audits being
conducted that duplicate each other, and place a drain on scarce State
resources dedicated to protecting State systems. Let these resources be
freed up to develop and implement new cyber protective measures. The
``single audit'' concept would create savings for both the Federal and
State governments, savings that could be re-invested to enhance their
cybersecurity posture.
closing
Defending our Nation from rapidly-advancing cyber threats has
become a critical, yet incredibly difficult task. The overwhelming
vulnerability inherent in the ``internet of everything'' caught us off
guard, forcing most organizations into reactive mode, and the asymmetry
of cyber warfare ensures that the good guys are always at a
disadvantage. All this while we increasingly rely on a safe, secure,
and trustworthy internet to do everything from ordering groceries to
ordering drone strikes.
And while State and local governments have made progress in key
areas, so have our adversaries. The dizzying array of cybersecurity
requirements has made it difficult to develop effective programs, a
lack of funding stalls progress and a lack of capable talent compounds
the negative impacts of ransomware and other attacks. We must do
better.
Our success or failure will be determined by our ability to have
all levels of government work together to evade, counter, or neutralize
the endless risks that State and local governments face. Each of
these efforts requires resources--time, money, and energy--that are
currently in short supply. If we are to make the progress required of
us in meeting our collective missions, we must work together.
Mr. Richmond. Thank you, Mr. Duffy, for your testimony.
I now recognize Mr. Sultan to summarize his statement in 5
minutes. Thank you.
STATEMENT OF AHMAD SULTAN, AFFILIATED RESEARCHER, CENTER FOR
LONG-TERM CYBERSECURITY, SCHOOL OF INFORMATION, UNIVERSITY OF
CALIFORNIA, BERKELEY
Mr. Sultan. Chairman Thompson, Ranking Member Rogers,
Chairman Richmond, Ranking Member Katko, and Members of the
subcommittee, thank you for inviting me to testify on the topic
of cybersecurity challenges for State and local governments. My
name is Ahmad Sultan, and I am testifying in my personal
capacity as the author of a white paper published by the Center
for Long-Term Cybersecurity and which was facilitated by the
city and county of San Francisco.
The findings of my research detailed in my written
testimony are alarming, but they are not surprising.
Underserved respondents in San Francisco defined as low-income
earners, seniors, or immigrants have poor cybersecurity
outcomes. ``Poor outcomes'' is a researcher's way of saying that
their devices have been infected with viruses and malware,
hacked, or phished for money. They don't follow best practices
for preventative care and they don't have enough knowledge
about curative care.
So for today's hearing, I will focus on ways in which we
reconcile the macro with the micro, reconciling Government's
attempts to enhance National security with a play of
individuals and their struggle to use digital devices to
improve social mobility. Stated simply, while organizations and
Government invest millions of dollars to defend themselves from
cyber attacks, a critical part of society is falling through
the cybersecurity cracks, underserved and vulnerable
populations.
This comes at a time when an increasing number of our daily
activities are governed by internet services. Low levels of
cyber hygiene, which refers to best practices that improve on-
line security, pose serious challenges to the well-being of
underserved populations.
Fear of cyber threats creates a distinct on-line experience
filled with fear, low confidence, and distrust. It prevents
underserved users from taking advantage of economic
opportunities on the internet. These include job search
services, listing platforms, social networking, and email.
These services are crucial to remaining competitive in today's
job market.
Like a mirror to the physical world, low levels of cyber
hygiene and knowledge are associated with low-income households
and low-educational attainment. Most figures on poor
cybersecurity outcomes are also underreported. In fact, most
underserved respondents I surveyed and spoke to didn't even
know about basic concepts: Spam, viruses, or on-line scams.
Internet evangelists had promised a digital reality that would
even the playing field across demographics.
But today, we are replicating the same gender and race-
based patterns of inequality on-line that the existing social
structures around us enforce off-line. This inequality in
outcomes is a form of market failure that governments need to
correct.
The reason cybersecurity experts adapt concepts from public
health literature like cyber hygiene is because of the unique
interconnectedness of networks and society. Poor cybersecurity
practices can cause viruses and malware to spread. This, in
turn, can impact people, businesses, and infrastructure. It
deepens inequalities for those already most vulnerable to
existing economic and social forces but also reduces trust in
on-line services for all.
Take, for example, the concept of zombie botnets. Hackers
can control hundreds of thousands of devices without the device
owner's knowledge or consent. They can program them to attack
specific targets, including businesses and infrastructure. Even
local government staffs suffer from porous practices. The
increasing frequency of ransomware attacks on local government
systems is a testament to that fact, and these attacks are
bound to increase as more city services are digitized.
The risk of ignoring cyber preparedness is too high. 5G
networks and AI systems promise smart cities. Important
municipal services will be powered by strong mobile connections
and trained machine learning systems. We need to pursue a
holistic approach where cybersecurity concerns are addressed at
a societal level, much like public health issues.
While the underprivileged in society are disproportionately
affected and most likely to be targeted by attackers and
scammers, awareness of cybersecurity threats and best practices
needs to seep into public discourse. Digital literacy is not
enough; it needs to be paired with cybersecurity awareness.
This is not just a State and local government problem.
Cyber vulnerabilities are not bound by geographical boundaries.
It is incumbent upon Federal, State, and local governments to
collaborate to solve the problem.
But State and local governments face many constraints on
increasing awareness. These include fiscal and budgetary
challenges, lack of social and technical expertise, low
organizational capacity, and geographically-bound networks.
Promoting cyber hygiene through trainings, public service
initiatives, and public-private partnerships can lead to
significant gains in the life of underserved populations, while
protecting businesses and Government systems from cyber
threats. But to achieve these gains, State and local
governments will require financial support and guidance from
the Federal Government. It is my hope that policy makers
recognize the challenges ahead and rise to the occasion.
Thank you again, Chairman Richmond and Representative
Katko. I am happy to answer any of your questions.
[The prepared statement of Mr. Sultan follows:]
Prepared Statement of Ahmad Sultan
June 25, 2019
Chairman Richmond, Ranking Member Katko, and Members of the
subcommittee. Thank you for inviting me here today to testify on the
topic of cybersecurity challenges for State and local governments.
My name is Ahmad Sultan and I am testifying in my personal capacity
as the author of a white paper published by the Center for Long-Term
Cybersecurity. This paper was adapted from my Master's thesis at UC
Berkeley's Goldman School of Public Policy, titled ``Cybersecurity
Awareness for the Underserved Population of San Francisco''. The
research was funded by the Center for Long-Term Cybersecurity, and it
was commissioned by the city and county of San Francisco's Committee on
Information Technology. The scope of my testimony is based on my
expertise in cybersecurity before joining ADL. Any views presented here
are not on behalf of or necessarily reflective of ADL positions or
beliefs.
The topic of today's hearing should be of interest to Government
policy makers, researchers, and to individual targets of cyber attacks.
Thanks to the rise of mobile devices, the ``digital divide''--which is
the gap between those who have access to on-line services and those who
do not--has been shrinking, yet there exists a stark contrast in the
on-line experience of low-income and high-income individuals.\1\ As the
adoption of digital services becomes more wide-spread, a new divide has
emerged between those who can manage and mitigate potential
cybersecurity threats and those who cannot.
---------------------------------------------------------------------------
\1\ Digital gap between rural and nonrural America persists.
(n.d.). Retrieved from https://www.pewresearch.org/fact-tank/2019/05/
31/digital-gap-between-rural-and-nonrural-america-persists/.
---------------------------------------------------------------------------
While the increasing frequency of cyber attacks, which have caused
catastrophic data breaches,\2\ has led to organizations and
governments investing billions of dollars to defend themselves, a
critical part of society is falling through the cybersecurity cracks:
Underserved populations, defined as low-income earners, seniors, or
immigrants.
---------------------------------------------------------------------------
\2\ Includes the 2015 Office of Personnel Management breach in
which an estimated 21.5 million records of personally identifiable
information were stolen, and the 2014 Sony Pictures Hack, which
included 47,000 unique Social Security numbers.
---------------------------------------------------------------------------
This comes at a time when an increasing number of Americans' daily
activities are facilitated and governed by internet services. Low
levels of cyber-hygiene, which refers to the best practices and steps
that internet users take to maintain system health and improve on-line
security, pose serious challenges to the economic, social, and
emotional well-being of underserved populations, weaken the security of
systems in businesses and government, and pose existential threats to
the democratic values of liberty, equality, and justice for all.
The findings of my own research into the topic of cybersecurity
awareness, detailed later in this testimony, are alarming but not
surprising. Underserved respondents in San Francisco have poor
cybersecurity outcomes and do not follow best practices. A large number
of respondents do not know about the existence of common threats like
viruses and on-line scams.
Yet, the interconnected nature of on-line networks means that poor
cybersecurity outcomes for underserved populations can affect countless
others. It not only deepens inequalities for those already most
vulnerable to existing economic and social forces, but reduces trust in
on-line services for all. With 5G networks and Artificial Intelligence
systems promising smarter cities where key Government services are
powered by strong mobile connections and trained machine learning
algorithms, the risk of ignoring poor cybersecurity outcomes is at an
all-time high.\3\ It is imperative that we work diligently toward
raising awareness and educating underserved populations about
cybersecurity.
---------------------------------------------------------------------------
\3\ Toward AI Security: Global Aspirations for a More Resilient
Future--CLTC UC Berkeley Center for Long-Term Cybersecurity. (n.d.).
Retrieved from https://cltc.berkeley.edu/towardaisecurity/.
---------------------------------------------------------------------------
Solutions exist but they require close coordination between
Federal, State, and local governments.
why should government care?
A large number of Americans from low-income households have low
digital literacy and cybersecurity skills, and many do not own
internet-connected devices or have broadband internet at home. While
internet adoption has been sporadic over the last few years,\4\
improved internet access in cities across the country means millions of
Americans are expected to become active internet users, many of whom
will have little knowledge on cybersecurity. Even as connectivity
increases, the cybersecurity divide threatens to exacerbate existing
inequalities.
---------------------------------------------------------------------------
\4\ Demographics of Internet and Home Broadband Usage in the United
States. (2019, June 12). Retrieved from https://www.pewinternet.org/
fact-sheet/internet-broadband/.
---------------------------------------------------------------------------
According to recent estimates by Pew,\5\ roughly 3-in-10 American
adults with household incomes below $30,000 a year (29 percent) do not
own a smartphone. More than 4-in-10 do not have home broadband services
(44 percent) or a traditional computer (46 percent). And a majority of
lower-income Americans are not tablet owners. By comparison, each of
these technologies is nearly ubiquitous among adults in households
earning $100,000 or more a year, coupled with higher levels of
educational attainment and cybersecurity outcomes.
---------------------------------------------------------------------------
\5\ Digital divide persists even as lower-income Americans make
gains in tech adoption. (n.d.). Retrieved from https://
www.pewresearch.org/fact-tank/2019/05/07/digital-divide-persists-even-
as-lower-income-americans-make-gains-in-tech-adoption/.
---------------------------------------------------------------------------
The lack of cybersecurity preparedness for large swathes of
underserved populations is concerning for a variety of reasons. These
include:
Cybersecurity inequality.--Underserved populations who tend
to be the most vulnerable to real-world social and economic
forces are also the most vulnerable to cyber threats like
scams, viruses, harassment, and disinformation. Like a mirror
to the physical world, low levels of cyber hygiene and
cybersecurity knowledge are associated with low-income
households and low education attainment. Most figures on poor
cyber outcomes are also underreported. This is because many
underserved users are unaware of cyber threats and do not know
if their devices have been hacked or if they have been victim
to a cyber scam. This inequality in cybersecurity outcomes is a
form of market failure that governments need to correct through
trainings and strategic public-private partnerships.
Digital Inequality.--Internet users exist on a cybersecurity
spectrum that includes users who can defend against cyber
threats and those who cannot. Low levels of cyber hygiene
create a distinct on-line experience filled with fear, low
confidence, and distrust that I have seen lead to a complete
withdrawal from internet use. Without addressing the underlying
causes for the distinct differences in the on-line experience,
underserved populations are being denied a wide range of
opportunities and conveniences.
Diminished Economic Opportunities.--Fearing cyber threats,
large numbers of underserved users are not taking advantage of
economic opportunities on the internet. These include job
search services like LinkedIn, listing platforms like
Craigslist, social networking, email, or on-line banking. All
these services are crucial to remaining competitive in today's
job market. They are also excluded from obtaining lower prices
through on-line shopping, on-line health services, and digital
financial inclusion services.
First Amendment Protections.--The internet, and social media
platforms in particular, are viewed as the new public squares.
Cyber threats can be used to silence speech, create fear, and
disrupt key democratic processes.
Yet, poor cybersecurity outcomes are not exclusive to underserved
populations as the lack of awareness of best practices and capacity for
negligence exists at all levels of society. A holistic approach is
required where cybersecurity outcomes are addressed at a societal
level, much like public health issues. This is because poor
cybersecurity practices can cause viruses, scams, and data breaches to
spread and impact countless people, devices, infrastructure and entire
organizations in unpredictable ways. The increasing frequency of
attacks on local government systems is a product of poor cyber
hygiene, even in populations that have higher digital literacy. In just
the last 3 years, the State and local governments of Colorado,
Baltimore, Atlanta, San Francisco, Jackson County, Riviera Beach,
Imperial County, and Sammamish have had to deal with ransomware attacks.\6\
\7\
---------------------------------------------------------------------------
\6\ Calvert, S., & Kamp, J. (2019, June 07). Hackers Won't Let Up
in Their Attack on U.S. Cities. Retrieved from https://www.wsj.com/
articles/u-s-cities-strain-to-fight-hackers-11559899800.
\7\ As More Governments Get Hacked, Concerns Grow Over Mounting
Costs. Retrieved from https://www.governing.com/topics/finance/gov-
government-costs-hacked.html.
---------------------------------------------------------------------------
The reason cybersecurity researchers and experts adapt lessons and
concepts, like cyber hygiene, from public health literature is because
of the unique interconnectedness of society and networks. Human error
is the weakest link in both fields and has the potential to
inadvertently cause unimaginable damage. While the underprivileged in
society are disproportionately affected and most likely to be targeted
by attackers and scammers, awareness of cybersecurity threats and best
practices needs to seep into public discourse at a societal level.
Digital literacy is not enough; it needs to be paired with
cybersecurity awareness.
This is not just a State and local government problem. Cyber
vulnerabilities exist across the country, and cyber attacks can flow
seamlessly between State and city lines. It is incumbent upon Federal,
State, and local governments to provide programs and engage in
strategic partnerships that aim to improve cybersecurity outcomes.
how can the federal government help?
State and local governments face many constraints to improving
cybersecurity awareness. These include fiscal and budgetary challenges,
lack of social and technical expertise, low organizational capacity,
and geographically-bound networks. While I provide a detailed list of
recommendations in a later section of this document, some ways that the
Federal Government can assist State and local governments include:
Direct funds toward local cybersecurity awareness
trainings.--Local governments can partner with nonprofits to
roll out trainings aimed at improving the cybersecurity
knowledge and outcomes for underserved residents. These
trainings can be expensive as they require devices and
equipment, qualified trainers, monetary or other incentives for
participants, and fixed locations scattered throughout the
city. Local government budget might not be able to justify
prioritizing these expenses.
Design baseline training programs.--Not all State and local
governments have the capacity or expertise to design a
cybersecurity training program. The Federal Government should
work with local governments to design a baseline training
program which details the core topics that all training
programs should address. While the Federal Government should
design the baseline topics and curriculum, the programs should
be informed by and tailored to the ground realities of each
city and should not limit any government from going further
than its selected baseline topics.
Develop and roll out public awareness campaigns.--Public
awareness campaigns are more cost-effective and can scale
better to reach larger audiences when developed centrally. This
streamlines the process of disseminating content to schools,
broadcast TV, on-line and physical publications, social media
platforms, and radio.
Coordinate public-private partnerships.--The Federal
Government is uniquely positioned to work with private
technology companies to create advice resources, cross-company
collaborations in areas like phishing scams and coordinated
disinformation campaigns, and technological solutions like
cybersecurity chat bots and apps for smart phones that no
longer receive security updates. As I will explain later in
this testimony, underserved populations tend to place a high
level of trust in advice resources provided by private
technology companies. It would be highly inefficient for every
State and local government to individually approach technology
companies for their own respective solutions.
study: cybersecurity awareness for underserved populations
A growing number of cities across the United States have invested
in digital literacy training programs that aim to educate underserved
populations in the basics of computer usage and commonly-used
software.\8\ Such programs often combine the provision of digital
services, such as free public wi-fi, with digital literacy training to
help groups who are at risk of digital and social exclusion. These
initiatives are often led by nonprofits and local governments and aim
to improve citizens' skills and confidence, as well as increase their
motivation to engage in on-line activity.
---------------------------------------------------------------------------
\8\ https://www.digitalinclusion.org/digital-inclusion-
trailblazers/.
---------------------------------------------------------------------------
San Francisco has a digital literacy initiative under its Office of
Digital Equity,\9\ where the city government works with local partners
in the nonprofit space to provide digital literacy training to its
residents, the vast majority of whom come from low-income households,
are immigrants, and seniors. Early discussions with city residents were
revealing: They expressed frustration at their inability to prevent and
resolve cyber attacks such as phishing scams, viruses, and harassment.
They were afraid of using important on-line services like banking apps
and social media platforms.
---------------------------------------------------------------------------
\9\ https://sfcoit.org/digitalequity.
---------------------------------------------------------------------------
The theory of change in digital literacy programs normally involves
encouraging internet use to increase employment, education, creativity,
and entrepreneurship. But vulnerable populations are easily discouraged
from using important internet services when faced with complex threat
vectors.
We widen digital inequities and reduce the efficacy of digital
literacy trainings when we do not actively teach cybersecurity.
Moreover, by neglecting the duty to educate and inform, we leave a
large portion of the population at the mercy of bad actors who can
exploit digital vulnerabilities for their own gain.
research findings
I conducted a survey of underserved residents in the city and
county of San Francisco to understand the scope and nature of the
underserved communities' cybersecurity outcomes, and to create
evidence-based solutions. These residents were either low-income
earners ($25,000 household income or less), senior citizens (65 years
of age or older), or foreign language speakers (whose primary spoken
language is not English). The 48-question survey was designed to gauge
the scope and nature of residents' cybersecurity outcomes, and to
understand their cybersecurity knowledge and abilities.
A total of 295 respondents were surveyed. This included 153
respondents from the underserved population. While this is not
technically a representative sample, this was the maximum number of
respondents I could survey who were enrolled in digital literacy
programs across San Francisco. Their experiences revealed through
surveys, semi-structured interviews and roundtable discussions reflect
social and structural inequities that have persisted for too long. In
addition to the 153 underserved respondents, 142 respondents from the
comparison group were also surveyed.
POOR CYBERSECURITY KNOWLEDGE AND SKILL LEVEL
Underserved respondents generally have a poor understanding of
basic cybersecurity concepts such as on-line scams and viruses. They
also have low skill level and motivation to follow best practices as
gauged by cyber hygiene-relevant questions. These include setting a
complex password for on-line accounts and employing preventative
methods when reading and interacting with the contents of an email.
I designed a Knowledge and Skill index to make meaningful
comparisons between the underserved and comparison group respondents.
The maximum combined score for the Knowledge and Skill index is 18.0.
Average cybersecurity Knowledge and Skill index score for
the underserved respondents = 9.0/18
Average (and median) cybersecurity Knowledge and Skill index
score for the comparison group respondents = 15.0/18
Underserved respondents struggle with fundamental cybersecurity
knowledge questions. When asked about their knowledge of core
cybersecurity concepts, 20 percent indicated they did not know about
on-line crime, 21 percent were not familiar with email spam, 26 percent
did not know about computer or phone ``viruses,'' and 31 percent did
not know about anti-virus software. Respondents indicated they did not
understand the risks associated with sharing their private account
passwords or writing down their passwords on paper.
VICTIMS OF CYBER CRIME
A large number of respondents from the underserved group reported
being targets of cyber scams and internet viruses. Respondents provided
information about the types of personal information that have either
been stolen from them on-line, or that they have divulged to a complete
stranger on-line. Together, these results paint a picture of an
underserved population in San Francisco that is highly vulnerable to
internet fraud.
Nearly 26 percent of the underserved respondents reported
that they have been a target of a cyber scam, compared with 15
percent for the comparison group.
Nearly a third (31 percent) of those scammed have been
scammed 3 times or more.
Forty percent of underserved respondents reported that their
computer and/or phone has been infected by a virus at least
once.
AWARENESS OF CYBER CRIME VICTIMHOOD
Although many underserved respondents reported being a victim of
cyber crime, an equally large number of respondents are not aware
whether they have been a victim of a cyber scam, if their devices have
ever had a virus, or if they ever provided personal information to a
complete stranger on-line.
Nineteen percent of underserved respondents do not know if
they have ever been a victim of a cyber scam.
Forty-one percent do not know if their device has ever had a
virus.
Forty-four percent think they have provided personal
information to complete strangers on-line but cannot remember
the exact details.
INTERNET WITHDRAWAL IS RELATED TO LOW CONFIDENCE
A significant portion of the underserved sample self-assess as
having either ``high confidence'' (36 percent) or ``low confidence''
(38 percent) in their ability to protect themselves from on-line crime.
High-confidence respondents can be described as being ``over-
confident'' in their cybersecurity skills while demonstrating poor
levels of precaution and possessing low levels of cybersecurity
knowledge, while ``low-confidence'' respondents can be described as
being ``overly concerned'' about existing risks on-line while
possessing and demonstrating above-average cybersecurity knowledge and
precaution.
Self-assessed ``low-confidence'' underserved respondents are
more concerned about the existence of cyber crime than
underserved and comparison group respondents.
For example, 47 percent of low-confidence underserved
respondents do not use on-line banking due to cyber crime,
compared to 8 percent in the comparison group. These services
also include social media use, downloading software, and email.
This suggests that trust and security play a larger role in
determining on-line service usage for the underserved as
compared to the comparison group.
CYBERSECURITY ADVICE RESOURCES DETERMINE CYBERSECURITY OUTCOMES
Underserved respondents tend to rely on informal resources for
advice about cybersecurity which leads to worse cybersecurity outcomes.
In fact using on-line resources for advice on cybersecurity is expected
to increase a respondent's cybersecurity index score by roughly 0.23
points. The only other predictor with a statistically significant
coefficient is Educational Attainment--the higher the level of
schooling achieved, the higher will be the cybersecurity index score.
39 percent of underserved respondents rely on friends/
relatives for cyber advice
Only 21 percent of underserved respondents refer to
websites, and 7 percent refer to Government websites.
More than a third of respondents (34 percent) do not seek
cybersecurity advice from any resource. Comparison group
respondents are more likely to seek help (82 percent) and are
more than twice as likely to rely on websites for cybersecurity
advice (48 percent).
recommendations
Federal, State, and local governments have a variety of options and
approaches available to improve cybersecurity awareness of underserved
populations.
GAIN AN UNDERSTANDING OF THE SITUATION IN YOUR COMMUNITY
The Federal Government should work with cities seeking to improve
cybersecurity awareness of local underserved populations to gain a
baseline understanding of their specific situation. They can do this by
designing and directing funds toward surveys or informational workshops
to assess major areas of interest and/or lack of knowledge among
residents. Based on my experience, I recommend partnering with local
community organizations that serve low-income residents, English
language learners, and senior citizens. In addition to assessing
cybersecurity awareness, use this initial outreach as an opportunity to
assess what modes of training (e.g. 1-hour workshops, half-day
workshops, etc.) might be most suitable for different constituencies.
It is also important to identify what translation or technology
resources might be required to facilitate trainings for the largest
number of underserved citizens.
DEVELOP TAILORED TRAININGS TO BOOST CYBERSECURITY AWARENESS
Many cities already offer (or are planning to offer) digital
literacy trainings. My findings suggest that such programs should
include explicit targeted cybersecurity awareness and training
components, which the Federal Government can direct funds toward. A
customized cybersecurity awareness program that is tailored to the
specific needs of the community--with topics and content prioritized on
research-based understanding of the local community's specific needs--
could help improve the knowledge and skill level of participants, which
would improve cybersecurity outcomes and increase internet service
engagement. Potential long-term benefits include improved economic and
social indicators for members of the underserved population.
Trainings should be customized for different audiences, and should
target areas where citizens possess lower levels of digital literacy.
Trainers should also incorporate an awareness of the cultural
sensitivities and trust habits of the disparate communities. Analysis
of survey responses from San Francisco, for example, suggests that
respondents from different communities access different knowledge
sources. For example, while a larger percentage of Hispanic/Latino
respondents rely on teachers for advice on matters of cybersecurity,
African American and Caucasian respondents said they are more likely to
refer to websites, while Asian respondents are more likely to refer to
friends and relatives.
DEVELOP A PUBLIC SERVICE CYBER HYGIENE CAMPAIGN
The Federal Government can promote cyber-hygiene awareness and
suggest best-practices through public service announcements and a
cybersecurity campaign on television, in schools, digital platforms,
public libraries, radio, and other communication channels.
PUBLIC-PRIVATE PARTNERSHIPS
In addition to providing training to residents directly, the
Federal Government has the opportunity to partner with private-sector
technology companies and service providers to address system-level
cybersecurity concerns, such as the technological protections that are
built into devices and systems. Effective system-level protections make
it easier for residents to maintain good cyber hygiene.
DEVELOP A CYBERSECURITY ADVICE WEBSITE
Members of the public already have access to reliable and free
resources for cybersecurity, including the United States Computer
Emergency Readiness Team advice website.\10\ Yet in many cities,
information about cybersecurity and related resources is disaggregated
and difficult to find.
---------------------------------------------------------------------------
\10\ ``Tips.'' Virus Basics/US-CERT. Accessed September 11, 2018.
https://www.us-cert.gov/ncas/tips.
---------------------------------------------------------------------------
The Federal Government can work with private-technology firms to
develop reliable websites that provide cybersecurity advice. It may be
feasible to develop a phone chatbot that can help residents with basic
information security questions.\11\ Such chatbots can be designed to
communicate in several languages, and provide clearly defined answers
on core cybersecurity knowledge questions, as well as offer step-by-
step instructions based upon best practices. Chatbots should also be
designed to be highly secure and transparent, with reminders to users
not to share personally identifiable information, as this software
could in theory be vulnerable to attacks aimed at capturing data and
subverting the quality of information provided.\12\
---------------------------------------------------------------------------
\11\ Security chatbots have become increasingly popular over the
last few years. For example, Endgame developed Artemis, a language
agnostic platform that integrates to Amazon's virtual assistant Alexa
and provides cybersecurity advice to analysts. See ``Four Ways Chatbots
Are Transforming Cybersecurity.'' Endgame. June 16, 2017. Accessed
September 11, 2018. http://www.endgame.com/blog/executive-blog/four-
ways-chatbots-are-transforming-cybersecurity.
\12\ ``Expect a New Battle in Cyber Security: AI versus AI.''
Symantec. Accessed September 11, 2018. http://www.symantec.com/blogs/
expert-perspectives/ai-versus-ai.
---------------------------------------------------------------------------
PARTNER WITH COMPANIES TO DEVELOP APPS FOR USE ON OLDER AND UNSUPPORTED
PHONES
Underserved populations tend to use older smartphones that are
often unsupported by software makers. As a result, older smartphones
are not guaranteed to get new security updates, and some software
updates for older devices are not compatible with new phones.\13\ This
is especially a problem for users with Android phones, where the market
consists of hundreds of smartphone manufacturers using different and
modified versions of Android's OS. According to Google's own figures,
two-thirds of Android devices world-wide run older versions of the OS
that are no longer receiving security updates.\14\ For Apple's iOS
devices, that figure is 5 percent.\15\ Apple does provide software
updates to phones older than 5 years. Even if they follow best
practices in cyber hygiene, users with older smartphones are still
highly vulnerable to cyber crime because patches are not automatically
installed for known vulnerabilities.
---------------------------------------------------------------------------
\13\ For more on security updates and smartphone compatibility,
refer to Emspak, Jesse. ``When Does an Old Smartphone Become Unsafe to
Use?'' Tom's Guide. April 09, 2017. Accessed September 11, 2018.
http://www.tomsguide.com/us/oldphones-unsafe,news-24846.html.
\14\ ``Distribution Dashboard/Android Developers.'' Android
Developers. Accessed September 11, 2018. https://developer.android.com/
about/dashboards/.
\15\ Apple Inc. ``App Store.'' Purchase and Activation--Support--
Apple Developer. Accessed September 11, 2018.
https://developer.apple.com/support/app-store/.
---------------------------------------------------------------------------
The Federal Government should engage smartphone manufacturers like
Apple, Google, and Samsung to develop workarounds that protect older
smartphones that cannot accept the latest round of security updates.
These workarounds could include prompting older smartphones to activate
device encryption settings, password manager apps, virtual private
networks (VPN), and two-factor authentication software. Companies that
develop operating systems should also be asked to develop stricter app
security review and enforcement guidelines that can review the catalog
of existing apps as well as newly-submitted apps for security bugs.
As a potential challenge, Google has little control over the
updates sent to Android phones in which the OS has been heavily
modified by the manufacturer, who in many cases retains control over
software updates. The Federal Government will need to develop a
strategy with Google to reach smartphone manufacturers who are outside
of the Google software update landscape.
CREATE A DIGITAL PHISHING/SCAM COALITION
More than half of all emails are spam \16\--and that figure
continues to rise. Spam is the primary delivery mechanism for cyber
attacks like phishing and malware.\17\ And while phishing attacks
disguised as fake invoice emails are a popular form of phishing, there
are 9 other forms of phishing emails that are harder to spot, such as
Mail Delivery Failure emails and order emails. In fact, reports of W-2
tax filer phishing scams--one of the most dangerous and effective email
phishing scams, according to the IRS \18\--increased by 870 percent
between 2016 and 2017.
---------------------------------------------------------------------------
\16\ ``Latest Intelligence for August 2017.'' Symantec. Accessed
September 11, 2018. https://www.symantec.com/connect/blogs/latest-
intelligence-august-2017.
\17\ ``2018 Internet Security Threat Report.'' Symantec. Accessed
September 11, 2018. http://www.symantec.com/securitycenter/threat-
report.
\18\ ``Dangerous W-2 Phishing Scam Evolving; Targeting Schools,
Restaurants, Hospitals, Tribal Groups and Others.'' Internal Revenue
Service. Accessed September 11, 2018. http://www.irs.gov/newsroom/
dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-
hospitals-tribal-groups-and-others.
---------------------------------------------------------------------------
To address this challenge, the Federal Government should build
coalitions of organizations that can target popular and successful
phishing scams. Models for such public-private initiatives include the
Digital PhishNet initiative, developed jointly by the FBI's National
Cyber-Forensics & Training Alliance,\19\ and the Advance Fee Fraud
Coalition, developed by African Development Bank, Microsoft, Yahoo, and
the Western Union Company.\20\ Companies should target overlapping
scams and phishing efforts by utilizing contacts in the private sector.
---------------------------------------------------------------------------
\19\ The Digital PhishNet (DPN) collects and develops intelligence
regarding high priority and sophisticated phishing and identity theft
schemes. DPN uses threat intelligence received from approximately 300
companies. For more visit: http://www.ncfta.net/.
\20\ The collaborative effort was designed to educate internet
users so they are better able to protect themselves against fraudulent
activities on-line and to improve INTERPOL's data collection efforts on
cyber fraud. For more on this: http://www.affcoalition.org/.
---------------------------------------------------------------------------
Federal Government officials can also partner with international
initiatives such as the Unsolicited Communications Enforcement Network
(UCENET),\21\ which identifies and shares threats to the broad on-line
community and facilitates enforcement compliance checks. Private-sector
representatives are encouraged to designate a spam enforcement contact,
coordinate with law enforcement agencies, and report on new technology
trends that affect anti-spam strategies.
---------------------------------------------------------------------------
\21\ Formerly known as the London Action Plan (LAP): https://
www.ucenet.org/history/.
---------------------------------------------------------------------------
conclusion
It has been an honor to appear before this distinguished panel of
policy makers and practitioners. Thank you, Chairman Richmond and
Ranking Member Katko, for your dedication to addressing cybersecurity
vulnerabilities, and for thinking about ways in which the Federal
Government can assist State and local efforts.
Promoting cyber hygiene through trainings, public service
initiatives, and public-private partnerships can lead to significant
gains in the lives of underserved populations and protect businesses as
well as Government systems from cyber threats. But to achieve these
gains, State and local governments will require support and guidance
from the Federal Government. It is my hope that policy makers recognize
the challenges ahead and rise to the occasion. Thank you and I will be
happy to answer any of your questions.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Richmond. Thank you, Mr. Sultan.
We now have Mr. Cilluffo.
STATEMENT OF FRANK J. CILLUFFO, DIRECTOR, McCRARY INSTITUTE FOR
CYBER AND CRITICAL INFRASTRUCTURE, AUBURN UNIVERSITY
Mr. Cilluffo. Thank you, Chairman Richmond, Ranking Member
Katko. A real privilege to have Chairman Thompson here. Of
course, the great Ranking Member and Congressman from the State
of Alabama, Mr. Rogers. It is a privilege to join you today.
As we all know, cybersecurity challenges are daunting
enough to deal with at the Federal level. At the State and
local, Tribal and territorial levels, where resources and, in
many cases, expertise are in relatively shorter supply, these
challenges are exponentially more difficult to tackle.
Recognizing this mismatch and taking steps to address it is an
absolute imperative. Your leadership in confronting this issue
head-on today and in legislation that I am happy to hear coming
from both the Chairman and the Ranking Member that is
reportedly under discussion is commendable.
For too long, State and local have been an afterthought in
our National cybersecurity planning efforts. This must change.
States and localities perform many essential functions, as you
mentioned, Mr. Chairman, that affect real people every day 24/
7. The potential consequences are serious. Bear in mind that
cyber threat actors can cause loss of life, property damage,
and, of course, financial loss by disrupting critical
infrastructure or using ransomware and other forms of malware.
The bad guys have taken notice, including that State and
local are softer targets and are increasingly in their
crosshairs. The ransomware incidents that victimized Atlanta and
Baltimore are cases in point but are by no means the end of the
story.
The scale and scope of the problem is striking. Data on
reported ransomware attacks reveal that 48 States and the
District of Columbia have been hit. Targets include police and
sheriff departments, schools and libraries, health agencies,
transit systems, courts, and the list goes on and on and on. No
jurisdiction is too small or too large.
While ransomware might be front and center right now, and
understandably so, we need to recognize that the cyber threat
landscape includes many more disruptive and destructive
modalities of attack. Quite honestly, ransomware is at the low
end of the most concerning cyber potential attacks we can
witness. Cyber attackers will continue to target weak links.
That is the bottom line.
Cyber needs at the State and local level are truly many.
More money, more experts, more tools, more threat intelligence
information sharing and awareness, more collaboration between
governments and industry, among governments, and regionally,
just to name a few.
Against this background and backdrop, what should the
Federal Government do? I think Mr. Duffy hacked my email
because my recommendations are very similar to his.
First, as things now stand, less than 4 percent of grant
monies from the Homeland Security Grant Program are directed to
cybersecurity. This is clearly not reflective of current threat
environment. Congress should enact a dedicated Federal grant to
shore up State and local cybersecurity capabilities through
CISA at the Department of Homeland Security. It should be risk-
based, have built-in metrics, and include a level of matching
funds, since simply throwing money at the problem is not the
answer. Topping the list of needs are identifying highest-value
assets, exercises, training, and, of course, technical support.
Second, CISA should expand its field presence to provide
technical assistance and incident response support. In effect,
a geek squad for those really bad days so the mayor could call
someone.
No. 3, pull a page and leverage lessons learned from the
emergency management community by building regional approaches
to capacity building and pooling of resources and expertise
among States to offer mutual assistance. The EMAC model in the
emergency preparedness environment has served us well and I think
ought to be replicated and tweaked for cyber.
No. 4, obviously circumscribed election assistance since
trust and faith in the electoral process is the very bedrock of
our democracy. Some good momentum here, but we need to continue
doubling down and make sure we are ready for the next round of
elections.
So while I touched largely on technology training, incident
response, and work force, this is by no means exhaustive.
I want to close on a little bit of a good news story, and
that is this is not all the Federal Government's problem, of
course. The Federal Government can, must, and should do more to
support our men and women at State and local, but ultimately
there is a lot of good activity occurring at the State and
local level, and I think it should be recognized.
One in particular I am proud of, and I might be biased,
because I serve as a trustee, but in the State of Alabama, they
have created a new magnet school focused 7 through 12 grade for
cyber and engineering. This is what we need to do. When we talk
work force, it is not only at the collegiate level, at the
places of higher learning like my great university, but it is
really at the K-12 level. I think we need to be spending more
time, more money, more resources to be able to get them and get
them young, because they are the women and men who are going to
be driving the solution sets going forward.
So I have never had an unspoken thought. I can go on
forever, but I will close here. The one thing, Mr. Chairman, I
should say is, while I am testifying on behalf of the McCrary
Institute, a lot of these thoughts came from a committee of the
Homeland Security Advisory Council that I co-chaired. I am just not
speaking on behalf of DHS.
So thank you, Mr. Chairman.
[The prepared statement of Mr. Cilluffo follows:]
Prepared Statement of Frank J. Cilluffo
June 25, 2019
Chairman Richmond, Ranking Member Katko, and distinguished Members
of the subcommittee, thank you for this opportunity to testify before
you today. As we all know, cybersecurity challenges are daunting enough
to deal with at the Federal level. At the State, local, Tribal, and
territorial (SLTT) levels, where resources and in many cases expertise
are in relatively shorter supply, these challenges are exponentially
more difficult to tackle. Recognizing this mismatch and taking steps to
address it is an absolute imperative in a country as large, varied, and
decentralized as the United States.
Your leadership in confronting this issue head-on today and in
legislation that is reportedly under discussion \1\ is deeply
commendable as these are important steps in breaching a real and
pressing gap in our National and economic security posture. We must
work to safeguard the continuity of commerce and the delivery of
mission-critical services for the American people. Unless and until we
foster and have in place a robust baseline capability across the board,
from a State and local standpoint, we will remain more vulnerable than
we ought to be to nation-state and non-state cyber actors with
malicious intent.
---------------------------------------------------------------------------
\1\ Maggie Miller, ``House Homeland Security Republicans to
introduce slew of cybersecurity bills,'' The Hill (June 18, 2019),
https://thehill.com/policy/cybersecurity/448971-house-homeland-security-republicans-to-introduce-slew-of-cybersecurity?wpisrc=nl_cybersecurity202&wpmm=1.
---------------------------------------------------------------------------
In testifying before you today, I will be sharing thoughts about
how to move forward smartly. These ideas pertain only to those Federal
entities that fall within the jurisdiction of the committee. Moreover,
a number of these recommendations are based on the May 2019 Interim
Report of the Homeland Security Advisory Council's State, local,
Tribal, and territorial cybersecurity subcommittee.\2\ I served as co-
chair of that effort, together with Paul Goldenberg (co-chair) and
Robert Rose (vice-chair). However, I testify before you today in my
capacity as director of Auburn University's McCrary Institute for Cyber
and Critical Infrastructure Security.
---------------------------------------------------------------------------
\2\ https://www.dhs.gov/sites/default/files/publications/19_0521_final-interim-report-hsac-state-local-tribal-territorial-subcommittee.pdf.
---------------------------------------------------------------------------
setting the scene
State and local governments face the full panoply of threats that
the Federal Government does, from hostile nation-state actors to cyber
criminals and everything in between. To the extent that the Federal
Government is effectively outgunned and outmatched in this fight, the
State and local level are all the more so. The potential consequences
are serious: Bear in mind that cyber threat actors can cause loss of
life, property damage, and financial loss by disrupting critical
infrastructure operations or other means.
Nor is the cyber threat spectrum static. It continues to expand and
evolve, sharpening focus on State and local targets. The ransomware
incidents in Atlanta \3\ and Baltimore \4\ that disrupted city
operations are cases in point and by no means will they be the end of
the story. To the contrary, the scale and scope of the problem is
striking, affecting everywhere from relatively robust States to major
metropolitan areas to smaller cities and counties. Data on reported
ransomware attacks reveal that 48 States and the District of Columbia
have been hit. Targets include police and sheriff departments, schools
and libraries, health agencies, transit systems, and courts--the list
goes on and seemingly, no jurisdiction is too small or too large to go
unaffected. The first known case of ransomware targeted the Swansea
Police Department in Massachusetts in November 2013 and since then
entities from Anchorage to Augusta have joined the ranks.\5\
---------------------------------------------------------------------------
\3\ Benjamin Freed, ``One year after Atlanta's ransomware attack,
the city says it's transforming its technology,'' StateScoop (March 22,
2019), https://statescoop.com/one-year-after-atlantas-ransomware-
attack-the-city-says-its-transforming-its-technology/.
\4\ Emily Stewart, ``Hackers have been holding the city of
Baltimore's computers hostage for 2 weeks,'' Vox (May 21, 2019),
https://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbin-
hood-mayor-jack-young-hackers.
\5\ Allan Liska, ``Early Findings: Review of State and Local
Government Ransomware Attacks'' (Recorded Future: 2019),
https://go.recordedfuture.com/hubfs/reports/cta-2019-0510.pdf.
---------------------------------------------------------------------------
Cyber attackers and adversaries will continue to target weaker
links in the U.S. chain so long as it remains profitable or otherwise
beneficial to these threat actors to do so. To make matters worse, the
internet of things with all that it entails from smart cars to smart
cities and beyond will expand the surface of attack by orders of
magnitude. Security must therefore be more than a footnote or
afterthought, especially where critical infrastructure is concerned. In
addition, both cyber and physical infrastructure are vulnerable to
attack, and the one can cause disruption or destruction in the other.
This convergence of cyber domain and the physical world is another
significant feature of the threat landscape.
Looking ahead, State and local infrastructure and the cyber
vulnerabilities that inhere in it will take on added salience for
defenders and attackers alike. Election year 2020 reinforces the point:
States and local communities will again be at the tip of this spear,
taking a multiplicity of approaches to administering voting. There is
no one model or mechanism of cybersecurity governance in use at the
State level, whether for elections or taken more broadly. Approaches
are varied and so too are capabilities. The same is true at the local
level, only more so.
There are examples and pockets of State and local government
cybersecurity excellence to be sure; but there are also significant
gaps and seams where the Federal Government can help and can do so
without subverting the principle that the level of government that is
closest to the people knows best how to serve them. Cyber needs at the
State and Local level are many: More money, more experts, more tools,
more information/awareness and more collaboration (between Government
and industry, and among governments and regions)--to name just a few.
Against this background what can and should the Federal Government
do? How best can the Federal Government leverage its resources in the
broadest sense of the word, to help State and local governments amplify
their strengths and mitigate their weaknesses? Enhancing the pool of
financial resources available to support a range of cybersecurity
purposes is just one--albeit very important--way. Other ideas are set
out below.
moving forward smartly
Directed Federal Funding
Funding is crucial of course and building capability is impossible
without it. Purchasing, maintaining and upgrading equipment, hardware,
and software comes at a financial cost. So too does recruiting and
retaining skilled workers. Educating the next generation and expanding
the cyber workforce by training or retraining the existing talent pool
also requires an investment of dollars, time, and effort. For all of
these purposes and more, a Federal grant program to shore up State and
local cybersecurity capabilities is needed and long overdue. As things
now stand, less than 4 percent of grant monies from the Homeland
Security Grant Program are directed to cybersecurity. This is not a
tenable situation. Nor is the answer to redirect existing monies for
cyber purposes. Robbing Peter to pay Paul simply will not work.
A dedicated Federal grant program should have built-in safeguards
to ensure that there is return on Federal investment in the form of
measurable State/local and by extension National capabilities. Simply
throwing Federal money at the problem is not the answer. Instead, there
must be a thoughtful strategy and accompanying metrics to support the
request for funds and any subsequent grant. The program would therefore
be risk-based and tailored to particular context. Among the purposes
that such a program could and should support would be both State-level
and regional exercises. Notably momentum for directed Federal funding
is building as evidenced for example by the recommendations in the May
2019 Interim Report of the Homeland Security Advisory Council's State,
local, Tribal, and territorial cybersecurity subcommittee.\6\
---------------------------------------------------------------------------
\6\ https://www.dhs.gov/sites/default/files/publications/19_0521_final-interim-report-hsac-state-local-tribal-territorial-subcommittee.pdf.
---------------------------------------------------------------------------
Amplify Training Opportunities
The Federal Government could further assist by providing
opportunities for State and local officials to gain and hone
cybersecurity skills, as well as how to identify and counter foreign
influence. While education and training programs certainly do exist
they are neither as numerous nor as evenly available across the country
as would be ideal. A National focal point where those whose community
is underserved by training opportunities could advance their skills and
career and by extension the National interest, would serve us all
well.\7\ All the equipment, tools, and resources in the world will be
of little assistance if the technical expertise needed to employ them
to full advantage is not cultivated in the requisite official quarters.
---------------------------------------------------------------------------
\7\ Note also that the HSAC's SLTT Cybersecurity Subcommittee
Interim Report recommends the creation of a National Cybersecurity
Academy to train SLTT Government employees--an idea whose time has
come.
---------------------------------------------------------------------------
Among the beneficiaries of such training could be State and Major
Urban Area Fusion Centers, whose cyber-specific capabilities have long
lagged behind their other homeland security and law enforcement
capabilities.\8\
---------------------------------------------------------------------------
\8\ Frank J. Cilluffo, Joseph R. Clark, Michael P. Downing, and
Keith D. Squires, Counterterrorism Intelligence: Fusion Center
Perspectives (June 2012).
---------------------------------------------------------------------------
Leverage Lessons Learned
Over the past 20 years, the country has learned many lessons about
preparing for, responding to, and bouncing back from major incidents
such as terrorist attacks and natural disasters. These experiences have
ultimately made us smarter, stronger, and more resilient as a Nation,
though we still have a ways to go. Among these lessons is the value of
taking a regional approach to capacity building and mutual assistance,
which builds upon existing relationships and arrangements, and follows
logically and naturally from proximity and geography, rather than
duplicating efforts and according formal borders/boundaries undue
influence. The EMAC--Emergency Management Assistance Compact--concept
is as relevant here as in the traditional emergency management context.
Pioneered in the South, use of the construct has expanded over time \9\
and would transpose well to the cyber domain. The basic idea is to pool
resources and expertise in order to offer mutual assistance.
---------------------------------------------------------------------------
\9\ EMAC Overview (August 2006), https://www.fema.gov/media-library-data/20130726-1726-25045-0915/060802emac.pdf.
---------------------------------------------------------------------------
When it comes to cybersecurity, such an approach would for example
have States undertake planning, incident response, and resilience
enhancement measures from a regional perspective. Here the Federal
Government could and should act in support of these efforts including
by acting to expand awareness of best practices and guidance on how
best to implement them.\10\
---------------------------------------------------------------------------
\10\ Note that the HSAC's SLTT Cybersecurity Subcommittee Interim
Report also highlights the value of a regional approach.
---------------------------------------------------------------------------
A further lesson learned over time relates to recognizing the
importance of being out in the field rather than at headquarters. There
is no substitute for having boots on the ground. To this end, the
Department of Homeland Security's Cybersecurity and Infrastructure
Security Agency (CISA) should extend its operations and work toward
having State cybersecurity coordinators for all 50 States to provide
technical assistance and incident response support. This would broaden
and complement existing DHS efforts and field personnel (State
Cybersecurity Advisors) focused on community engagement and awareness
as well as the provision of enhanced strategic advisory services. The
arrangements proposed here would also help convey and highlight the
Federal consequence management capabilities and tools that can support
and supplement State capabilities--in effect a bad day ``geek squad.''
Circumscribed Election Assistance
One of the most significant cybersecurity challenges to State
governments relates to the 2020 election and in particular preparing to
administer the vote and ultimately doing so. Protecting the integrity
of the process from beginning to end is of paramount importance as this
exercise provides the bedrock for our democracy; trust and faith in the
process is the glue that binds us together. The Federal Government can
and should share more widely and actively its unique informational and
other assets with State-level counterparts for the targeted purposes of
identifying and mitigating threats in this context.\11\
---------------------------------------------------------------------------
\11\ But note that the Multi-State Information Sharing and Analysis
Center (MS-ISAC) does yeoman's work in terms of amplifying situational
awareness (for example by providing threat alerts to all 50 States and
manifold localities); and helping to coordinate incident response. For
details, see https://www.cisecurity.org/ms-isac/.
---------------------------------------------------------------------------
To be clear, this would involve concerted Federal efforts to create
and maintain a rich picture of the threat from the National perspective
and a companion effort to support State officials in responding
effectively and timely to that dashboard as it specifically pertains to
them/their State.\12\ Such a division of labor is properly respectful
of the division of powers and capitalizes upon the strengths that
reside at each level of government. By working together in this way,
the Nation stands the best chance of defeating adversary attempts to
exploit not just our technology but also our hearts and minds, by means
of weaponizing information and influence. Fortunately, we are seeing
some positive indicators already, with (DHS) CISA deepening its
outreach to and work with the Nation's Governors.
---------------------------------------------------------------------------
\12\ A variation of this idea is proposed in the HSAC's SLTT
Cybersecurity Subcommittee Interim Report.
---------------------------------------------------------------------------
This series of recommendations focuses on technology, training,
incident response, and the workforce. The list is not exhaustive and
speaks instead to the actions that could have the highest impact on the
cybersecurity challenges of greatest priority in the context of State
and local government.
ending on a good news story
In addition to assessing how the Federal Government can help State
and local governments to address cybersecurity challenges, it is
important to acknowledge that there is good work under way outside the
Federal sphere and that State and local entities are taking substantial
steps to help themselves. Keep in mind that States have a correlative
and on-going responsibility to lead and lean forward, and should not
expect the Federal Government to supplant State efforts or to be there
all the time. In this regard consider for example the Alabama School of
Cyber Technology and Engineering (full disclosure: I serve on the
School's Board of Trustees). This magnet school for grades 7 through 12
will stand up in August 2020 in the Huntsville Research Park. Our
vision for the ASCTE is to ``educate, develop, and inspire the next
generation of leading National professionals and technologists in
engineering and cyber technology.''\13\
---------------------------------------------------------------------------
\13\ https://www.alabamasce.org/school.
---------------------------------------------------------------------------
This effort complements the many cybersecurity programs and
initiatives including partnerships with industry and government that
are under way at Auburn University and other educational institutions
within the State of Alabama and in the Southeast more broadly. While
the coasts of this country tend to garner the bulk of attention when it
comes to coverage of cyber and science & technology matters more
generally, it is important to recognize that other jurisdictions are
quietly plowing ahead on significant efforts in these same issue areas
that are so critical to our National security. These under-reported
successes serve us all well since Federal measures alone will not get
us to goal or keep us there even if they could.
Thank you once more for this opportunity to participate in this
important conversation and assessment.\14\ I look forward to trying to
answer any questions that you may have.
---------------------------------------------------------------------------
\14\ I would also like to thank my colleague Sharon Cardash, deputy
director of the Center for Cyber and Homeland Security, for her
assistance in preparing this testimony.
Mr. Richmond. Thank you, Mr. Cilluffo.
I thank all the witnesses for their testimony.
I will remind each Member that he or she will have 5
minutes to question the panel. I will now recognize myself for
questions.
The first question, I will just direct it to you, Mayor
Bottoms. Historically, cities and States have spent a much
smaller percentage of their overall budgets on cybersecurity
than Federal agencies and similarly situated private entities.
A recent study from National Association of State Chief
Information Officers shows that most States spend only 1 to 2
percent of their overall IT budget on cybersecurity.
So the question for you would be, in Atlanta, what
limitations does your city face when trying to develop and
implement robust cybersecurity controls, strategies, and
resource plans?
Ms. Bottoms. Thank you for the question. When we
experienced our cyber attack, it was very clear to us that we
simply were not prepared. It was not where we had made the
necessary investments.
People don't see cybersecurity. They see sidewalks, they
see potholes. We were allocating our resources accordingly and
we were also putting patches on gaping holes.
That being said, it is the reason that we did not pay our
ransomware, because we knew that we needed to build a stronger,
safer system. We have allocated resources accordingly. Now
there is also an expectation from the public that it is
necessary for us to budget for our cybersecurity network in the
same way that we budget for our other priorities within the
city.
We are also messaging that to the public, that this is
equally a priority, and that messaging is a lot easier now,
because the public has felt that impact. In many ways, people
are becoming very sensitized to cyber attacks.
We are continuing to work with our private partners as
well. We are very fortunate in Atlanta that we have a very
booming tech industry, also with Georgia Tech and the Atlanta
University Center. So there is an interest in helping us in
ways that other cities may not have that benefit. But also, it
is important that Federal funding trickle down into our cities
to allow cities like Atlanta, and especially our smaller
cities, opportunities to purchase cyber insurance and in the
same way that we did to be able to actually build the system
that is needed. Because in so many cities, that system simply
does not exist at this point.
Mr. Richmond. As a chief executive of a city, how hard is
it to retain the cybersecurity professionals and the talent
that you need to do this when we have a severe shortage of
cybersecurity professionals and the private sector pays a lot
more than the public sector? So how are you addressing that
challenge, and how can we help with that?
Ms. Bottoms. It is extremely difficult for us, because we
are competing with the private sector. We really are looking
for people and are fortunate that we have people who actually
are interested in public service. But funding is always
necessary and would be extremely helpful for us to offset and
to be able to compete accordingly.
We have increased our budget in our DIT department, but it
is still not enough. It is always a challenge for us to attract
and retain talent, because we simply cannot pay what the
private sector pays.
Mr. Richmond. You mentioned it a second ago and you said
that now you are fortunate. When I look at our cities, and I
will just take my own, for example, that constituents are
concerned with sanitation being on time, street lights, police
officers, and potholes. The city of Atlanta is now very keenly
aware of the threat of cybersecurity.
What advice would you have for other mayors who have not
been attacked yet but still face those competing pressures of
real brick-and-mortar infrastructure compared to cyber
infrastructure?
Ms. Bottoms. You have to plan and prioritize accordingly.
We were very fortunate in that it was not our 9-1-1 system, but
it very well could have been. Ironically, our public may say
that they received a bit of a reprieve because they couldn't
pay traffic tickets and they couldn't pay their water bills.
But that being said, our cities must prioritize and
anticipate in the same way that we anticipate for any other
major disaster to hit our cities, because, really, that is what
it is. It is simply a disaster when it hits your city.
Mr. Richmond. Well, I see that my time has expired, so I
want to thank the witnesses.
I will now recognize the Ranking Member, Mr. Katko, for 5
minutes of questioning.
Mr. Katko. Thank you, Mr. Chairman.
I want to make a couple of observations before I ask some
questions. First of all, Mayor Bottoms, I want to commend you
for having the political courage to stand up to this ransomware
attack and not pay the ransom. That takes guts, and I commend
you for that.
Just out of curiosity, you said there were two Iranians that
were charged with this?
Ms. Bottoms. There were two Iranians.
Mr. Katko. Have they been brought to justice yet?
Ms. Bottoms. They have been charged. I am not sure what the
status is. But we were very fortunate in that they were
actually identified, which is very unusual, as I understand it.
Mr. Katko. Very unusual. That is why I am curious. Were
they in the United States or don't you know?
Ms. Bottoms. They were not.
Mr. Katko. OK. All right. Well, that is just a great
example of the threats that we face.
Mr. Duffy and Mr. Cilluffo, I think you both kind-of
touched on this, the importance of the Federal, State, and
local partnerships. You know, as a Federal organized crime
prosecutor, I would be dead without Federal, State, and local
task forces. It is really the same concept. The synergistic
qualities of having all these different players come to the
table, work together under the same roof, there is no
substitute for that. They all bring different strengths to the
table. I commend you for understanding how important that is as
well.
Mr. Cilluffo, I am very disturbed about the less than 4
percent of Homeland Security funds grant money going toward
cybersecurity. You know, I was thinking back to pre-9/11. We
had plenty of alarms out there, and we didn't pay enough
attention or prioritize those alarms, and we paid a dear price
for that.
It kind-of seems like we are doing the same thing again
here. We understand the concerns. The alarm bells are going off
awfully loud. Before we have a catastrophic cyber event, we
better get our act together and prioritize with more funding
and more attention.
On a somewhat smaller but important scale, that is what
that bill I was talking about to you all was about. It would
develop basically a front page for CISA so any State or local
government could go to that page and understand exactly where
the resources are instead of trying to fish around for them. So
that is step 1 of the bill.
Step 2 is grant programs for State and local grants to
identify high-value assets so you can prioritize what needs to
be protected most, and then we can address those accordingly.
The third thing would be to provide grants to State and local
governments to conduct exercises, tabletop and what have you,
to train, prepare, and evaluate responsibilities.
So those are the things that I think are important. I would
like to hear feedback from all of you, if we have time, as to
what you think about the bill and whether it would help. Mr.
Duffy, you could start.
Mr. Duffy. Yes, I certainly think the bill would be very
helpful. You know, certainly the exercises are critical. I can
say that DHS and FEMA have been pretty active in the exercise
area. They just held the National-level election exercise last
week. I know some of the House member staffs were participating
in that.
There is a National cyber storm exercise coming up. There
is a guard exercise coming up. Certainly, more exercises are
needed. More participants need to be active in the exercise
program.
I think the State and local partnership is critical. A lot
of States--I mean, 5 years ago, the States weren't doing much
with the local government relative to cybersecurity. That has
changed quite a bit. You know, they do recognize that the local
system is connected to State. So local problems can become
State problems in a hurry. State systems connect to Federal
Government. So, again, State problems could be Federal problems
in a hurry.
A lot of States, such as New York, Wisconsin, Iowa, have
been using the Homeland Security money to help the local
governments. I know New York State just released a $50,000
grant to counties. So they are working on that.
Mr. Katko. Right.
Mr. Duffy. Certainly, Wisconsin is doing it with the State-
wide incident response team with using members of local
government as volunteers. So there is money out there, but they
need more of that.
Mr. Katko. All right. Message received.
Mr. Cilluffo.
Mr. Cilluffo. Well, Mr. Katko, I think the legislation, as
you laid it out, nails it. I mean, every one of those items is
needed and needed desperately. There is an old adage: Policy
without resources is rhetoric. But it is more than just the
resources. The resources are important. That puts skin in the
game. But at the end of the day, you do need to get to the
point that you can build the relationships.
The Joint Terrorism Task Forces, the JTTFs, those entities
are worth more than any weight in gold in terms of building
trust between the women and men who have to work together in
very tough situations. So I do think that exercises--we
shouldn't be picking up the playbooks on game day. We have got
to be exercising this beforehand. We shouldn't be needing the
offensive and defensive coordinators on game day. Everyone
needs to get to know one another.
While we are doing some of this at the Federal level, and
Congressman Langevin knows very well, there is a commission
looking at some of how the interagency gets together that
we had the privilege to serve on together at the Federal level.
But that is not anywhere near where it needs to be at the State
and local level. So whatever advocacy, count on me being there.
Mr. Katko. I am out of time, but I do want to observe that
this is perhaps one of the best qualified panels I have seen in
a hearing in quite a while, so I appreciate the witnesses.
I yield back.
Mr. Richmond. The gentleman's time has expired.
I now recognize the Chairman of the full committee, Mr.
Thompson, for 5 minutes.
Mr. Thompson. Thank you very much, Mr. Chairman.
Mayor Bottoms, one of the challenges we have as Members of
Congress, people say, well, if you would just give us the
money, we can fix it. But our challenge is, do we set
parameters of guidelines with the money so that at the end of
the day we can measure how successful the goal has become?
So if Congress did somehow get in the business of helping
State and locals fortify their cyber systems, do you see any
pushback with the resources coming with some criteria by which
the money would be sent?
Ms. Bottoms. Absolutely not, Mr. Thompson. What I see is it
would be welcome, because we have a challenge with, No. 1,
hiring professionals as we compete with the private sector.
Also, in having--I believe it should be at least a baseline
standard with what our systems and security systems should be
in place.
For many years, again, we were allocating small amounts of
money per our budget toward our system, and we were not
addressing the real needs and upgrading in the way that we
should. With this cyber attack, it made us allocate a much
larger portion of our budget than we ordinarily would have to
do something as simple as create the cloud. I think that with
partnership with our Federal partners and with the allocation
of resources, I think that it will help put cities on a much
stronger footing and also create a baseline of standards that
many cities may not even be aware of until they are faced with
something as disastrous as a cyber attack.
Mr. Thompson. Mr. Duffy, you talked a little bit about this
in your comments. Do you want to share your opinion on that?
Mr. Duffy. Yes. I think anything when they are distributing
grant money, there certainly should be conditions relative to
how smart was the money spent. Just throwing money at the
problem is not the solution. Money has feet. One thing they
need to do is identify what their gaps are, what are their
weaknesses, and identify how are they using that money to plug
those holes that are in their networks. What are the metrics
you want so they can prove that the money was well spent. As I
said, throwing the money at it won't solve the problem. But
metrics and accountability should go hand-in-hand with any
grants that are out there.
Mr. Thompson. Mr. Cilluffo, are you comfortable with the
responses that have been received?
Mr. Cilluffo. Congressman Thompson, absolutely. I do just
want to underscore it is important. We have learned lessons the
hard way after 9/11 in terms of how all the funds were
disbursed and used. But I think it is now a much more refined
process, and I think we need to do the very same with respect
to cyber.
I mean, we absolutely need the resources, but we need to
also make sure we are measuring what matters. The one thing
that I would like to see is a match coming from State and
local, that they are committed, that they are willing to put a
percentage of whatever outcome of their own resources to
maximize the impact. But it is needed.
Mr. Thompson. Thank you.
I yield back, Mr. Chairman.
I will yield my minute to the Chair.
Mr. Richmond. I just wanted to make a point. I am not
needling my colleagues on either side of the aisle, but this
goes back to the Federal Government and our role as the Federal
Government of helping municipalities and others who are--some
things are beyond their capacity, whether it is talent-wise or
money-wise.
So do you think that we can provide more cybersecurity in
this country with less money? Does anybody think we can provide
more cybersecurity with less resources?
Mr. Duffy. I would say no.
Mr. Richmond. OK. Can we secure more airports with less TSA
agents? No?
Mr. Sultan. No.
Mr. Cilluffo. I think you can do more. That doesn't mean it
is going to be 100 percent, because cybersecurity--it is not an
end state.
Mr. Richmond. Well, no. My question is going toward this
general thing. When we go through our budget cycles, the mantra
is usually we are going to do more with less. I am just asking,
is this an area that we believe we can do more with less money,
just like TSA?
I just wanted to highlight that we have different
challenges in this country in this time and day. It costs money
to protect the American people. It is not that we just want to
spend, spend, spend. What we really want to do is protect,
protect, protect our people, their assets, and their resources.
With that, I will recognize the gentleman from Texas, Mr.
Taylor, for 5 minutes.
Mr. Taylor. Thank you, Mr. Chairman. I appreciate this
hearing. I think this is important.
Just to kind-of go through one specific item that has come
to my attention. Sometimes cities lose control of their data,
right? So cities provide municipal services, water service,
electric service. They have everybody's address. They have got
their phone numbers. They have got their credit card
information.
Is there a standard or a Federal requirement of some kind
to tell the consumer, to tell their citizens, hey, we have lost
your data, it got breached? Is there some kind of standard out
there that--I am not aware of one, but maybe you can tell me
that there is.
Mr. Duffy, do you know of a standard?
Mr. Duffy. Yes. Well, most States have a breach
notification law. So if there is a breach and the breach
reaches a certain criteria relative to the number of
individuals that are impacted, there is a requirement that they
do notify the individuals.
Where it gets rather difficult is, say, someone's credit
card is compromised by a local town, and they may not have the
person's individual address to identify to contact them. So
then they have to work with their credit card company, because
they are the ones that have the relationship with the
individuals.
But I think almost every State, not quite every State, does
have breach notification laws.
Mr. Taylor. Did you want to follow up with that?
Mr. Sultan. Congressman Taylor, I do think--and people have
attempted to move toward a National data breach notification
law, which I think we really do need, because there is lots of
confusion. You have seen one State, you have seen one State.
That is a good thing. That is what a Federalist form of
government is.
But when it comes to data breach notification, we should
have consistency across the board. I know some of your
colleagues have pushed for this for a while. My argument is
keep pushing.
Mr. Taylor. Do you think it is incumbent on the Federal
Government to devise standards for cities, counties, you know,
subdivisions of the U.S. Government to force cybersecurity? I
mean, to have a Federal standard. Hey, this is--you need to
respond in this amount of time to this. You need to have this
standard of security.
Is that something that we should be looking toward doing,
Mr. Duffy?
Mr. Duffy. Well, I think, certainly, the standard should be
a goal that folks should strive to achieve. One of the things
we suffer from now, there are so many standards out there.
There are so many criteria. Just as I mentioned with the
Federal auditors. I was speaking to a State chief information
security officer yesterday on this topic, and he told me that
at the end of April, he had 4 different teams of Federal
auditors on all asking different questions. Even the Federal
Government doesn't ask the same questions.
Mr. Taylor. So who are the 4 different teams? Like where do
the 4 different standards come from?
Mr. Duffy. I can find out for you.
Mr. Taylor. OK. Mr. Cilluffo, do you----
Mr. Cilluffo. You know, I think that the private sector
needs to be part of whatever it is we are driving here. So I
think that there are standards that may not only be legislated,
but here is the--the reality is the private sector is on the
front lines of this war. Just like how many cities went into
business and how many companies went into business thinking
they had to defend against foreign intelligence services. It is
an unlevel playing field. It is. But the question is, do we
have enough to know what a single standard is? I am not 100
percent sure. I am not smart enough to figure that out.
But I do think we have a series of them. I do think, at
least with data breach notification, that is something worth
fighting for.
Mr. Taylor. Mr. Duffy, I think I cut you off. Did you want
to finish?
Mr. Duffy. No. Just on the data breach notification. I
think the importance of a National standard is that businesses,
especially small businesses that are now on the internet and
doing business around the country, they now have to understand
how to respond to a data breach with regulations in place in 50
different States. It is hard for them to be able to follow what
they need to do if there is a breach when there are 50 different
regulations I have to follow.
Mr. Taylor. OK.
Ms. Bottoms. Mr. Taylor, may I just add, within hours of
our attack, we went before the public to notify the public,
because we didn't know if we were dealing with just a cyber
ransomware attack or if we were dealing with a data breach. We
found it extremely helpful to communicate that to the public,
and it was appreciated. I think it gave us a little more
leeway. The public was much more appreciative and patient with
us during that recovery. So I do think it is helpful.
Mr. Taylor. Thank you.
I yield the balance of my time to the gentleman from New
York.
Mr. Katko. Thank you very much, my colleague.
Mr. Cilluffo, just a very quick question. As many cities
look to become smart cities, including the city of Syracuse,
are they also considering, to your knowledge, cybersecurity
risks associated with an internet of things and additional
connectivity?
Mr. Cilluffo. Well, thank you, Congressman Katko. That is
an issue that should keep everyone here up at night.
Mr. Katko. Indeed.
Mr. Cilluffo. Smart cities are amazing opportunities. But
it also exponentially expands the attack surface and can touch
individual citizens directly that the only way to try to get
our arms around this is to bake security into the design at the
early stages, design and planning stages of smart cities. So
shame on us if we are not thinking about this, but easier said
than done.
The highways of tomorrow are going to be paved in silicon
as much as they are in asphalt. The reality is, this is the
future, and to retrofit afterwards is going to be exceedingly
difficult, if not impossible. So big issue. Great opportunity.
Just let's make sure it is not a footnote or an afterthought in
our smart city planning.
Mr. Katko. Thank you, Mr. Taylor.
Thank you, Mr. Chairman.
Mr. Richmond. The gentleman's time has expired.
I now recognize the gentleman from Rhode Island, Mr.
Langevin.
Mr. Langevin. Thank you, Mr. Chairman. Thank you for
holding this hearing.
I want to thank our panel of witnesses, some of whom are
very familiar to me and I have had the opportunity to meet
with, so thank you for all that you are doing on this topic. I
have covered a lot of important issues, and concerning the data
breach notification, I agree. You know, we are focused right
now on a different topic, but I have got a bill in for a 30-day
data breach notification, which would be a 30-day Federal
standard, and I think that is something that we should move
along.
We talk about cyber work force, of course, and we shouldn't
look at this in terms of competition and try to--in terms of
how the local, State, or Federal Government can compete for the
talent that is out there. We really need to focus on growing
the pie itself, not just our piece of the pie at the local,
State, or Federal. That is, obviously, looking more deeply into
our educational system and how we can incentivize people going
into this field.
But let me go back to what we are talking about and the
issue of what is the right balance of, you know, State, local,
and Federal attention support on cyber. So I have been trying
to draw attention to and prioritize cybersecurity now for over
a decade, and the problems of getting focus of dollars are,
unfortunately, not new and they exist across the private sector
and the Federal Government as well.
So one of my concerns, though, is that the Federal
investments will supplant rather than complement State and
local funding, and I don't want to see that. We see that
between the--you know, with the private sector, even critical
infrastructure. We say the private sectors, you know, fine to
say--they are quick to say, if you want us to do more on
cybersecurity, well, then, you pay for it, but, you know,
everybody really does have a role here.
So for the panel, I wanted to ask, how can we better ensure
that cybersecurity is a priority for leadership in State and
local governments? What will incentivize State and local
leaders to make adequate investments in this space?
Mr. Duffy. One of the things that is happening recently
with the FEMA grants, I mentioned earlier that we conduct a
Nation-wide cybersecurity review of State and local
governments, and right now, participation is voluntary. We have
had relatively high participation in the State, around 90
percent, but the local government has been low, and that is
intended to identify gaps in the capabilities where they should
be investing their money.
With the new Homeland Security grant funding, there is a
new requirement that recipients and subrecipients must take the
Nation-wide cybersecurity review to find out, to identify where
their gaps are, where their investments should be made. The
nice thing about it, it is a confidential assessment, so the
information on the assessment goes to them to help them develop
a strategy where they should be making their investments.
I certainly share your concern on it should not supplant
funds. You know, it should be for new initiatives. That is
always something that I think is real difficult for the
guidance writers, but I defer to them on how they get that in
there.
Mr. Langevin. Anybody else on the panel care to comment?
Mr. Sultan. Congressman, I think it is a really good
question. I have previously worked very closely with the city
and county of San Francisco's administration, especially with
their digital staff, and I think if the city administration
began having a frank conversation with the digital staff that
work for the cities, they would understand that they are highly
unequipped at this moment to deal with massive amounts of cyber
attacks that are happening on a daily basis.
Right now, the cybersecurity staff are not solely focused
on cybersecurity. They usually have dual roles, and
cybersecurity is usually a secondary role. So when they begin
working and focusing on cybersecurity, they have to read
documents that range between 300 to 500 pages. These are
referred to as NIST documents that provide standards for
cybersecurity.
So when you look at these overworked staff that have to
deal with cybersecurity standards, it can be incredibly
cumbersome, frustrating, and difficult to deal with as the city
isn't focusing on providing sole cybersecurity staff.
Ms. Bottoms. As one of the panelists mentioned, I think
matching funds in the same way that we seek matching funds for
transportation and infrastructure projects, I think that that
would be a great incentive for cities, because we are making
the investments but often not enough. But I think any
opportunity for us to have matching funding will also encourage
us to invest more on our end.
Mr. Langevin. I completely agree.
Mr. Cilluffo. Congressman Langevin, I was just going to
bring up that other point. But also in the opening statement by
Ranking Member Katko, I think he said it was 1 or 2 percent of
the IT spend is going toward security. Best practice in the
private sector is 8 to 11 percent. So we really do need to
bridge that gap there, and I think Mayor Lance Bottoms said it
straight up, and the reality of matching funds would go a long
way.
I think it is also great that you have the executive
testifying, not the CISO and--because ultimately, cybersecurity
is an executive issue. It is not going to be relegated to the
IT department. That is important, but it is ultimately
understanding how cyber fits in to the risk of the company,
country, or city.
Mr. Langevin. Very good.
Thank you all for your answers and your attention to this.
I agree with a lot of what has been said, so thank you very
much.
Mr. Chairman, I yield back.
Mr. Richmond. The gentleman from Rhode Island yields back.
Before I recognize the gentlelady from New York, Mayor
Bottoms, I understand you have a hard 4:15 stop?
Ms. Bottoms. OK.
Mr. Richmond. So let me just--before you get up, ask the
gentlelady from Illinois and New York, do you have--did either
of you have a specific question for the mayor?
Well, with that, Madam Mayor, thank you for leaving your
busy city and coming up here to provide valuable insight to
this committee. So with that, we will just pause and give you a
second to break. We don't want you to miss your plane back to
Atlanta.
Ms. Bottoms. Thank you.
Mr. Richmond. The Saints and the Falcons will see each
other twice this year.
Ms. Bottoms. Thank you again.
Mr. Richmond. I now recognize the gentlelady from New York,
Miss Rice.
Miss Rice. Thank you, Mr. Chairman.
This question is for any or all of you, the Ranking Member,
Mr. Katko, and I recently wrote to the New York Metropolitan
Transportation Authority expressing concerns over the
possibility of buying subway railcars from a Chinese state-
owned entity. We did that because we were concerned that State
and local governments don't have the proper resources to
prepare for the threats posed by state actors since these types
of National security decisions have typically taken place at
the Federal level.
How do we address this issue of supply chain--the supply
chain issue at the local and State level?
Mr. Cilluffo. Miss Rice, I will take first crack. So I
testified recently before Transportation and Infrastructure on
the CRRC and State-owned enterprises and the concerns that
poses for the country, and I think they are genuine, real
risks, especially when we start thinking about ZTE, Huawei, 5G.
This is going to be the underpinning of modern societies, and
we don't want it built on quicksand. So I think these are big
issues.
It took Congress, though, to help bridge a gap because
Huawei is cheap. It is much cheaper. When you are in a city and
a community and you want to do all you can for your citizens,
you are going to find the most cost-effective way to do that.
So you raise a really good question.
Miss Rice. Well, it is hard to ignore that, though, Mr.
Cilluffo----
Mr. Cilluffo. Impossible to ignore.
Miss Rice [continuing]. Because they always come in lowest
bid. Always.
Mr. Cilluffo. They are subsidized, on top of it, and they
have got concessionary financing on top of that, so it is a
triple whammy against some of these States. But I think when
the Federal Government takes strong actions to ban certain
technologies, that should be a nod toward State and local as
well.
Miss Rice. I totally----
Mr. Cilluffo. At least for Federal grants.
Miss Rice. Yes. I agree with you, and so, hopefully, we are
going to get some answers there.
Mr. Cilluffo. Mr. Sultan, you mentioned this in your
written testimony and, Mr. Cilluffo, you referred to the magnet
school for 7th through 12th graders. Can you just talk more
about that? Because I think one of the biggest problems that we
have in this field, on top of the funding--and you have all
alluded to this as well--is the talent pool. We have to start
building a talent pool because these issues are not going to go
away.
So can you explain, Mr. Cilluffo, a little bit more about
this magnet school? Do we have to be--I understand the
education and curriculum issues are run at the State level, but
should this be a mandatory curriculum?
Mr. Cilluffo. I will be very brief because I am sure Mr.
Sultan has some thoughts. I am very proud of this magnet school
because we do need to get them younger. I used to run an MBA
with the focus on cybersecurity, and I would bring my students
to a residency overseas in Estonia. In Estonia, you have got a
small country, and I think you have been on a codel with Mr.
McCaul, they are teaching coding at kindergarten. So--and then
once you start hitting gümnaasium, or high school, they are
already going into that particular--we need something similar
here.
So we need to make sure that everyone is cyber aware and
savvy. So we have got to integrate cyber into all existing
curricula and then we need more ninjas. We do need more very
deep cyber expert work force, but we need both. I am really--
and not just because I am the--we need more women, not only in
STEM but in cyber.
Miss Rice. Amen to that.
Mr. Cilluffo. Quite honestly, my students, they were the
strongest, but we really do need to attract different types of
students to be part of that solution set. We are just missing
out on too much talent.
Miss Rice. Well, we are just starting with the whole STEM
reaching out to young girls--well, not just, but, you know,
within the last 5 to 10 years, and this should be added to that
for sure.
Mr. Cilluffo. At the top of that list.
Miss Rice. Yes.
Mr. Sultan.
Mr. Sultan. I just want to add that cybersecurity trainings
are incredibly difficult to accomplish successfully. What
happens is that, often, people become more scared after
cybersecurity training. A lot of trainers use fear appeals very
effectively and very ineffectively a lot of times. So what
happens is that the participants of these trainings become so
afraid--and there is a lot of literature on how cybersecurity
trainings fail--that they begin to withdraw from using the
internet. They begin to withdraw from using key internet
services that could enrich their own lives. And so----
Miss Rice. How do you address that issue? I mean, it is
what it is. It is frightening.
Mr. Sultan. It is frightening, but I think a lot of
participants, at least those that I have interviewed and
surveyed personally, fall on a spectrum of confidence and
trust. If you understand where they fall on that spectrum, you
can actually change it very easily.
So often at times participants can have overly low
confidence, low confidence that is below their actual
understanding and skill level. So you can actually correct that
through measures by trying to discuss with them what their
cultural understanding, their background of cybersecurity is,
where they get resources, how they can improve those resources,
and overall improve their understanding of realistic threat
assessment as opposed to exaggerating the threat assessment,
which a lot of trainers do.
Miss Rice. Very interesting point. I have a lot more
questions, but my time is up. Thank you.
I yield back.
Mr. Richmond. The gentlelady yields back.
Now the gentlewoman from Illinois is recognized for 5
minutes.
Ms. Underwood. Thank you, Mr. Chairman, and thank you all
for calling today's hearing on this critically important topic.
Cybersecurity is a challenge for State and local
governments across America, but the suburban and rural
communities that I represent in northern Illinois don't have
the resources that big cities have, and as such, are at an
increased risk of cybersecurity attacks.
A city official told us that he relies heavily on informal
networks with other city officials and on professional IT
associations, such as GMIS International, to ensure that the
city's cybersecurity needs are met.
Mr. Sultan, in your testimony, you referenced concerns for
cybersecurity inequality between rural and urban or suburban
communities. What steps could the Federal Government take to
bridge this inequality gap?
Mr. Sultan. The Federal Government could support local
governments, understanding where the baseline is for the rural
areas and especially the urban areas as well. Figure out how
low-income households and how low-income communities fare in
terms of their understanding and skill level on cybersecurity.
They can conduct surveys to better gauge where those
populations fall, and then they can actually conduct trainings.
They can actually partner with private technology companies to
provide software updates to phones that are outdated. They can
provide system level support. They can facilitate trainings
with the private technology companies, but not to supplant the
Federal Government's networks with the populations, because you
don't want the private technology companies determining what
those trainings look like.
So there are a host of options for the Federal and local
governments to improve and understand their populations'
cybersecurity needs.
Ms. Underwood. Thank you. Do you have any recommendations
for rural communities that are at just the beginning stages for
setting up their infrastructure? You know, the idea that a
local community would even know which private company to
approach is something that I think we sort of take for granted
for people that are just beginning to bolster their
capabilities.
Mr. Sultan. That is an excellent point, and I think that is
where the Federal Government can play a really important role,
because the Federal Government has the ability and the
opportunity to connect with these private technology companies
in ways that are far more realistic and centralized than local
governments can.
They can also create public awareness campaigns, push them
out into schools, push them out into television, on social
media platforms, on radio. Because without a public awareness
campaign, people aren't going to be very interested in even
participating in those trainings. I had to use a lot of
incentives to get vulnerable populations to even come to
discuss their needs about cybersecurity. So if you offer a
training, the chances are they might not appear.
Ms. Underwood. Right. Do you have any advice for local
governments to better educate their communities on the
appropriate personal cybersecurity best practices?
Mr. Sultan. I think--in terms of staff?
Ms. Underwood. Uh-huh.
Mr. Sultan. I think with staff you can improve trainings,
but you can also simplify the cybersecurity documentation that
they are currently working with. They are using centralized
documentation that spans hundreds of pages; it is fairly
dry, not very interesting, and I think you can make trainings
that are more engaging. So instead of just trying to pass off a
document to staff that probably have other responsibilities
other than cybersecurity, they are probably responsible for IT
and system infrastructure, you could focus on cybersecurity
through engaging trainings. Those could be digital trainings.
They don't have to be personal trainings so they can scale
better.
Ms. Underwood. Chairman Richmond recently convened this
committee to address the lack of diversity in our talent
pipeline for the cybersecurity field. We touched on the need
for gender diversity in particular. But as you know, that there
is a real high number, significant number of unfilled
cybersecurity jobs across the country.
So, Mr. Duffy, do you have any feedback or ideas for what
Congress and the Federal Government can do to attract more
skilled cybersecurity professionals, particularly from diverse
backgrounds?
Mr. Duffy. Yes. One of the things you need to do is
certainly identify those individuals that may have not thought
they had a talent in cybersecurity. We work closely with the
SANS Institute and with the Governors around the country with
something called the CyberStart Program. This is something that
is basically industry funded. Twenty-six Governors participated
in this past year. What the program is, the schools develop
these programs or they try to identify individuals who may not
have an interest in technology but have a real aptitude. So how
do they go about finding those folks that have an aptitude but
not the interest, and that is what the program is about.
It is the third year of the program. The first year of the
program, there--shouldn't be surprised, like 85 percent of the
participants were boys. So in year two, they did it for girls
only because they wanted to deal with the gender issue. So this
year, they have a combination. One program is for the boys and
the girls, but yet a second program is just for the girls only
because they are trying to work on the gender issue.
Ms. Underwood. Excellent. Well, it is my hope that as we
have models like this that private industry is supporting, that
we can count on the Cybersecurity and Infrastructure Security
Agency to develop innovative programs to help States and local
officials who don't have expertise and maybe who don't have a
local private company to sponsor something in their community.
This is something that is important everywhere and we want to
make sure that we are properly prepared.
Thank you all so much for being here.
Thank you, Mr. Chairman, for convening this hearing. I
yield back.
Mr. Richmond. The gentlelady from Illinois yields back.
I want to thank the witnesses for their valuable testimony
and the Members for their questions.
The Members of the committee may have additional questions
for the witnesses and we ask that you respond expeditiously in
writing to those questions.
I would ask unanimous consent to insert into the record
written testimony in today's hearing from Talib Karim of
STEM4US!, Inc.
[The information follows:]
Statement of Talib I. Karim, CEO STEM4US!, Inc.
June 24, 2019
Good afternoon. My name is Talib I. Karim, and I am a co-founder
and chief executive officer for STEM4US!, Inc. As background, I have
spent over 2 decades working on cybersecurity and other public policy
issues. This includes serving as chief counsel and legislative director to
Congresswoman Sheila Jackson Lee, a senior Member of the Homeland
Security Committee.
STEM4US! is a non-profit organization based in Washington, DC, that
works with universities, businesses, Government entities, and other
non-profits to scale investments, training, and promotion of the
cybersecurity and other STEM fields. Our goal is to transform the STEM
workforce by creating 600,000 new cybersecurity professionals by 2030.
To ensure that the STEM field reflects the rich diversity of this
Nation, we aim to ensure that at least 50 percent of these new
cybersecurity workers are African Americans, Latinos, and women. By
focusing on diversity, we can foster creativity and offer a range of
perspectives and ideas in the cybersecurity realm.
Today, several factors impede the ability of State and local
governments to protect critical infrastructures from cyber attacks.
Among these structural impediments are regulations at the State and
local levels, limited resources, and an expanded attack surface. We
wish to raise a few constructive points regarding this important topic.
First, insufficient funding and staff have been identified by
members of State and local governments as one of the key barriers to
effective cybersecurity. Without the necessary funding, it is difficult
for State and local governments to hire the qualified cybersecurity
experts necessary for providing cybersecurity protection. Cybersecurity
expenditure constitutes a small percentage of the overall budget:
According to a 2015 report, most State cyber budgets are between 0-2
percent of the overall IT budget. This means that governments do not
have the resources or expertise necessary for a resilient cybersecurity
infrastructure. Therefore, it is imperative that cybersecurity becomes
a greater spending priority for governments. By addressing the lack of
budgetary resources, governments will be able to hire and retain a
greater number of cybersecurity personnel.
In order to achieve this goal, STEM4US! proposes what we've called
the ``Cybersecurity Pell Grant.'' Under this proposal, Congress would
authorize and appropriate $1.5 billion each year, for a 10-year period
to fund free cybersecurity and related training. This training would be
offered at 250 Historically Black Colleges and Universities and other
Minority-Serving Institutions along with community colleges and high
schools. If fully funded for 10 years, the grant could create more than
600,000 new, more adequately trained American cybersecurity workers.
If our proposed legislation is enacted, the grants would support 15
weeks of cyber training. The tracks of the cyber training would include
cyber defense and incident handling skills as well as drone maintenance
and operations. Additionally, each training program would have the
capacity to train 300 students per year in 3 cohorts--spring, fall, and
summer. Therefore, through this initiative, STEM4US! would create a
pipeline of talented and skilled cybersecurity workers. These newly-
trained cyber workers would work for Government agencies or contractors
in their respective communities. This, in turn, would create a Nation-
wide network of cybersecurity personnel who would increase the
resiliency of their State and local governments to cyber attacks. These
grants would result in a hardening of the Nation's critical
infrastructure.
Earlier this year, STEM4US! organized a fly-in that allowed our
stakeholders to meet with staff from this committee along with other House
and Senate leaders to discuss our ``Cybersecurity Pell Grants''
proposal. To advance this idea, we call on the Subcommittee Chair and
Ranking Member to partner and both sponsor a bill that would capture
this proposal.
The field of cybersecurity is one of the fastest-growing job fields
in the Nation, but there is a critical shortage of qualified
cybersecurity personnel. Therefore, there is a clear imperative to
expand the Nation's cybersecurity workforce. Our proposed
``Cybersecurity Pell Grants'' would ensure that State and Federal
Government agencies have an ample source of cybersecurity workers they
need to protect the Nation's cybersecurity infrastructure.
STEM4US! appreciates this opportunity to provide this testimony.
Mr. Richmond. Without objection, the committee record
should be kept open for 10 days.
Hearing no further business, the committee stands
adjourned.
[Whereupon, at 4:25 p.m., the subcommittee was adjourned.]