[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
DEFENDING AGAINST FUTURE CYBER ATTACKS:
EVALUATING THE CYBER SPACE SOLARIUM
COMMISSION RECOMMENDATIONS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
JULY 17, 2020
__________
Serial No. 116-79
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
43-867 PDF WASHINGTON : 2021
--------------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
Donald M. Payne, Jr., New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Xochitl Torres Small, New Mexico
Max Rose, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Emanuel Cleaver, Missouri
Al Green, Texas
Yvette D. Clarke, New York
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida

Mike Rogers, Alabama
Peter T. King, New York
Michael T. McCaul, Texas
John Katko, New York
Mark Walker, North Carolina
Clay Higgins, Louisiana
Debbie Lesko, Arizona
Mark Green, Tennessee
John Joyce, Pennsylvania
Dan Crenshaw, Texas
Michael Guest, Mississippi
Dan Bishop, North Carolina
Jefferson Van Drew, New Jersey
Hope Goins, Staff Director
Chris Vieson, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION
Cedric L. Richmond, Louisiana, Chairman
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Kathleen M. Rice, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Bennie G. Thompson, Mississippi (ex officio)

John Katko, New York, Ranking Member
Mark Walker, North Carolina
Mark Green, Tennessee
John Joyce, Pennsylvania
Mike Rogers, Alabama (ex officio)
Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director
C O N T E N T S
----------
Statements
The Honorable James R. Langevin, a Representative in Congress From the State of Rhode Island:
Oral Statement
Prepared Statement
The Honorable John Katko, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security:
Oral Statement
Prepared Statement
Witnesses
Hon. Angus King, a United States Senator from the State of Maine, and Co-Chair, Cyberspace Solarium Commission:
Oral Statement
Joint Prepared Statement
Hon. Michael Gallagher, a Representative in Congress from the State of Wisconsin, and Co-Chair, Cyberspace Solarium Commission:
Oral Statement
Joint Prepared Statement
Ms. Suzanne Spaulding, Commissioner, Cyberspace Solarium Commission:
Oral Statement
Joint Prepared Statement
Dr. Samantha Ravich, Ph.D., Commissioner, Cyberspace Solarium Commission:
Oral Statement
Joint Prepared Statement
DEFENDING AGAINST FUTURE CYBER ATTACKS: EVALUATING THE CYBER SPACE
SOLARIUM COMMISSION RECOMMENDATIONS
----------
Friday, July 17, 2020
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 12:30 p.m.,
via Webex, Hon. James R. Langevin [Member of the subcommittee]
presiding.
Present: Representatives Jackson Lee, Langevin, Rice,
Underwood, Slotkin, Thompson; Katko, and Joyce.
Mr. Langevin. Good afternoon. The Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation will
come to order.
Good afternoon, everyone. I want to thank the co-chairs of
the Cyberspace Solarium Commission and Commissioners Spaulding
and Ravich for participating in today's hearing. I would also
like to thank the gentleman from Louisiana, Mr. Richmond, for
allowing me the honor of chairing this subcommittee in his
absence.
I have the privilege of serving on the Solarium Commission
with the witnesses testifying here today. I can honestly say
that working on a report was one of the highlights of my
Congressional career--research, outreach, and deliberation was
a testament to our 2 co-chairs, Senator King--here today to
testify this afternoon. I hope our subcommittee will take full
advantage of the wealth of knowledge of the virtual witnesses
at the witness table.
The commission's report outlines a strategy of layered
cyber deterrence, and includes 82 recommendations on how the
Government can implement the strategy. I am looking forward to
discussing those recommendations with my colleagues today,
particularly those that would strengthen the cybersecurity--the
Cybersecurity and Infrastructure Security Agency by increasing
its capabilities and clarifying its relationship with the
intelligence community and sector-specific agencies.
I am also looking forward to covering the essential role of
Congress in implementing our Nation's cybersecurity posture.
From the outset of the--and thanks to the work of our dedicated
executive director, Mark Montgomery, we deliberated with a bias
toward action. After all, as the Members of the subcommittee
know full well, the status quo in cyber space sees us making--
status quo in cyber space sees us making steady progress, while
the threat increases exponentially.
We need to act, and act now, to change that dynamic and get
ahead of the curve. I am proud to report that leaders of this
subcommittee, including Chairman Richmond, Ranking Member
Katko, and Representatives Jackson Lee, Rice, Slotkin, Green,
and Joyce all have recommendations to the forthcoming National
Defense Authorization Act and impending--and to implement
aspects of the Solarium report.
It is an honor to share the virtual dais with Members
committed to addressing this quintessential information-age
challenge, and I am sure the committee and this subcommittee
will continue to play a vital role in implementing the report.
I encourage our witnesses to discuss why Congress is so
important to moving the conversation forward on cybersecurity,
and I encourage my colleagues to probe the decision making
behind the strategy and recommendations.
The events of this year provide an interesting context in
which to review the Solarium recommendations. The COVID-19
pandemic has amended and altered the way we live, the way we
work, and the way we govern. Overnight, nearly half of employed
adults became teleworkers, putting added stresses on our
infrastructure, and creating new opportunities for hackers to
wreak havoc.
Now Congress is holding remote hearings, and State and
local governments have become e-governments with little time to
transition. Many State and local governments are also finding
that, due to the antiquated IT systems and the fact that their
data aren't in the cloud, that they are unable to scale and
secure vital programs like unemployment insurance, highlighting
the need for modernization as part of the security push.
Our adversaries have noticed the broader attack surface.
Just yesterday, CISA, in conjunction with allies in the UK and
Canada, announced that Russian operatives are targeting health
care organizations doing research on the virus.
[Audio malfunction.]
Mr. Langevin [continuing]. The breach of Twitter that saw
many prominent accounts linking to a Bitcoin scam. It doesn't
take much imagination to see what chaos one could sow with such
access on Election Day if a bad actor was pushing out
disinformation.
The realities of 2020 make clear that a comprehensive
whole-of-Nation approach to cybersecurity is necessary, but--is
a necessity, but we do not yet have one. So we lack a clear
leader in the White House whose mission it is to focus on
cybersecurity. We lack clear understanding of roles and
responsibilities, both within Government and--between
Government and the private sector. We lack clear metrics to
measure our progress.
The Cyberspace Solarium Commission report cannot fix all of
the challenges that we face in cyber space. But it does chart a
bold course, and it does not shy away from the trade-offs we
will need to make to decisively improve our cybersecurity
posture.
The report makes clear that everyone, from Government, to
private-sector companies, to Congress itself needs to make
meaningful changes. We need to expect more from Government:
Closer coordination across agencies; stronger collaboration
with critical infrastructure; and a--and critically, a greater
emphasis on planning. We need to strengthen Government
agencies--in particular, CISA--to do so.
We also need to expect more from the private sector. We
need companies to truly accept the risk that they take in cyber
space by accepting the consequences of failing to protect their
data and networks.
We also need technology companies, what the report calls
``cybersecurity enablers,'' to do more to make the secure
choice the default choice. Too often we see a rush to be first
to market, not secure in a market. Too often we see entities
like the ISPs not protecting the small and medium-sized
customers, because they don't believe it is their job. More
importantly, where the public and private interests at--the
nexus of critical infrastructure that this committee is charged
with protecting. We need to ensure the private sector is doing
its part to protect itself, while acknowledging that they can't
go it alone.
So this is part of the end-state we desire in the Solarium
report, a state where we are resilient enough to deter our
adversaries and agile enough to push back when they insist on
testing our defenses. To that end, to end--to--that end-state
is in reach, but it will require the work of this subcommittee
and of the experts that we have invited before us if we are to
achieve that goal.
So I look forward to beginning what I am sure will be a
fruitful series of discussions on how to implement the Solarium
report.
I again thank our witnesses who are here today. I am
grateful that the co-chairs of the Cyber Solarium Commission
could be here, Senator Angus King and Congressman Mike
Gallagher.
I am honored that Suzanne Spaulding could be here, as well,
and I look forward to all of our witnesses' testimony today.
[The statement of Mr. Langevin follows:]
Statement of Hon. James R. Langevin
July 17, 2020
I had the privilege of serving on the Solarium Commission with the
witnesses testifying here today, and I can honestly say that working on
our report was one of the highlights of my Congressional career. Our
thoughtful research, outreach, and deliberation was a testament to our
two co-chairs, Senator King and Congressman Gallagher, and I hope our
subcommittee takes full advantage of the wealth of knowledge at the
virtual witness table.
The commission's report outlines a strategy of layered cyber
deterrence and includes 82 recommendations on how the Government can
implement that strategy. I am looking forward to discussing those
recommendations with my colleagues today--particularly those that would
strengthen the Cybersecurity and Infrastructure Security Agency by
increasing its capabilities and clarifying its relationship with the
intelligence community and sector-specific agencies.
I am also looking forward to covering the essential role of
Congress in improving our Nation's cybersecurity posture. From the
outset of the commission--and thanks to the work of our dedicated
executive director, Mark Montgomery--we deliberated with a bias toward
action. After all, as the Members of this subcommittee know full well,
the status quo in cyber space sees us making steady progress while the
threat increases exponentially.
We need to act, and act now, to change that dynamic and get ahead
of the curve. I am proud to report that leaders on this subcommittee,
including Chairman Richmond, Ranking Member Katko, and Representatives
Jackson Lee, Rice, Slotkin, Green and Joyce all have amendments to the
forthcoming National Defense Authorization Act to implement aspects of
the Solarium report. It is an honor to share the (virtual) dais with
Members committed to addressing this quintessential Information Age
challenge, and I am sure the committee--and this subcommittee--will
continue to play a vital role in implementing the report.
I encourage our witnesses to discuss why Congress is so important
to moving the conversation forward on cybersecurity. I encourage my
colleagues to probe the decision making behind the strategy and the
recommendations.
The events of this year provide an interesting context in which to
review the Solarium Commission's recommendations. The COVID-19 pandemic
has upended and altered the way we live, the way we work, and the way
we govern. Almost overnight, nearly half of employed adults became
teleworkers, putting added stress on our infrastructure and creating
new opportunities for hackers to wreak havoc.
Now Congress is holding remote hearings, and State and local
governments have become e-governments with little time to transition.
Many State and local governments are also finding, that due to
antiquated IT systems and the fact that their data aren't in the cloud,
they are unable to scale and secure vital programs like unemployment
insurance, highlighting the need for modernization as part of the
security push.
Our adversaries have noticed the broader attack surface. Just
yesterday, CISA--in conjunction with allies in the United Kingdom and
Canada--announced that Russian operatives are targeting health care
organizations doing research on the virus. And 2 days ago, we saw a
major breach of Twitter that saw many prominent accounts linking to a
Bitcoin scam. It doesn't take much imagination to see what chaos one
could sow with such access on Election Day if a bad actor was pushing
out disinformation.
The realities of 2020 make clear that a comprehensive, whole-of-
Nation approach to cybersecurity is a necessity, but we do not yet have
one. We lack a clear leader in the White House whose mission it is to
focus on cybersecurity. We lack clear understanding of roles and
responsibilities, both within Government and between Government and the
private sector. We lack clear metrics to measure our progress.
The Cyberspace Solarium Commission report cannot fix all the
challenges we have in cyber space. But it does chart a bold course, and
it does not shy away from the trade-offs we will need to make to
decisively improve our cybersecurity posture. The report makes clear
that everyone--from Government to private-sector companies to Congress
itself--needs to make meaningful changes.
We need to expect more from Government: Closer coordination across
agencies, stronger collaboration with critical infrastructure, and,
critically, a greater emphasis on planning. And we need to strengthen
Government agencies--in particular CISA--to do so.
We also need to expect more from the private sector. We need
companies to truly accept the risks they take in cyber space by
accepting the consequences of failing to protect their data and
networks. We also need technology companies--what the report calls
``cybersecurity enablers''--to do more to make the secure choice the
default choice. Too often, we see a rush to be first to market, not
secure to market. Too often, we see entities like ISPs not protecting
their small and medium-sized customers because they don't believe it's
their job.
Most importantly, where the public and private intersect, at the
nexus of critical infrastructure that this committee is charged with
protecting, we need to ensure the private sector is doing its part to
protect itself while acknowledging that they can't go it alone.
This is part of the end-state we desire in the Solarium report, a
state where we are resilient enough to deter our adversaries and agile
enough to push back when they insist on testing our defenses. That end-
state is in reach, but it will require the work of this subcommittee--
and of the experts we have invited before us--if we are to achieve that
goal.
Mr. Langevin. With that, I am now proud to yield to Mr.
Katko for his opening remarks.
Mr. Katko. Thank you, Mr. Chairman, I appreciate your
comments. Before I begin I want to congratulate one of the
Solarium members, Representative Gallagher, on the birth of his
first child.
Grace Ellen Gallagher came to this world not too long ago,
and we welcome her in. You--I will raise--I will hoist a pint
in her honor soon.
I want to thank all the commissioners for their work on the
Cyberspace Solarium Commission, and congratulate them on
producing a truly game-changing report and recommendations that
accompany that report that take a bold step in the direction of
reinventing our Nation's cybersecurity policy and architecture.
The commission's legislative proposals accompanying the
recommendations are enabling Congress to act quickly and
decisively on these urgent measures.
I am interested in all the recommendations in the report,
and I have gone through all of them, but I am really focused on
several of them today, and they are as follows: Strengthening
the Cybersecurity and Infrastructure Agency, or CISA, and its
work force; evaluating CISA's facilities needs; strengthening
the CISA director position, and making the assistant directors
clear positions--the National cyber director; authorizing CISA
to threat hunt on the gov domain, .gov domain; developing a
strategy to secure email; and modernizing the digital
infrastructure of State and local governments, and small and
mid-sized businesses.
As Ranking Member on the Cybersecurity, Infrastructure
Protection, and Innovation Subcommittee, my top priority among
the commission's recommendations is strengthening and
clarifying CISA's authority, and vastly increasing its funding
to allow it to carry out its role as the Nation's risk manager,
coordinating the protection of critical infrastructure and
Federal agencies and departments from cyber threats.
I introduced this recommendation as a bill, together with
Mr. Ruppersberger, and cosponsored his amendment to the NDAA,
which requires CISA to assess what additional resources are
necessary to fulfill its mission. This assessment should
examine CISA's work force composition and future demands, and
report to Congress on the findings.
Under this bill, CISA would also evaluate its current
facilities and future needs, including accommodating
integration of personnel, critical infrastructure partners, and
other Department and agency personnel, and make recommendations
to GSA. GSA must evaluate CISA's recommendations and report to
Congress within 30 days on how best to accommodate CISA's
missions and goals with commensurate facilities.
The facilities evaluation dovetails with the commission's
recommendation for an integrated cyber center within CISA. That
is critically important.
In conjunction with Chairman Richmond's CISA director
amendment to the NDAA bill that I cosponsored, I reintroduced
my CISA director bill. The bill and amendment elevate and
strengthen the CISA director position to reflect the
significant role that it plays, and making the position the
equivalent of an assistant secretary or military service
secretary. They limit the term of the CISA director to two 5-year
terms, which ensure the agency has stable leadership, and de-
politicizes the assistant director positions by making them
career positions.
A related amendment that my fellow colleague, Mr. Green,
cosponsored and I cosponsored, clarifies CISA's authority to
conduct continuous threat hunting across the .gov domain. This
will increase CISA's ability to protect Federal networks, and
allow CISA to provide relevant threat information to critical
infrastructure.
Finally, the recommendation to establish a National cyber
director within the White House, offered as an amendment to the
NDAA by my colleague and friend, Mr. Langevin, is another
legislative proposal I am cosponsoring. This Presidentially-
nominated and Senate-confirmed National cyber director would be
the principal cybersecurity adviser to the President, tasked
with developing, counseling the President on, and supervising
implementation of a National cyber strategy, which is sorely
needed. This leadership will bring focus to our Nation's
cybersecurity as a top strategic priority.
I look forward to hearing from our witnesses today about
these Solarium recommendations and many others that fall under
the jurisdiction of our subcommittee, as well as working with
my colleagues to attach as many of the commission's
recommendations as possible to the NDAA, another must-pass
vehicle, or pass as stand-alone bills.
I want to thank the Chairman for holding this important
hearing. I look forward again to convening in person with my
committee colleagues. But I want to take a moment before I
close to really commend the members of the Solarium Commission:
Mr. King, Mr. Gallagher, Ms. Spaulding, Mr. Langevin, and all
the others.
I think that what you did is what they did after 9/11 with
respect to terrorism. You are anticipating the issues before we
have a catastrophic attack. I commend all of you for doing
that. That is why I think this is such an important hearing we
are having today.
So the bipartisanship that has been shown on this, the lack
of politics, and understanding the issues, and understanding
the threat and attacking it, it is exactly what we should be
doing. I commend everyone for that.
With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
Thank you, Mr. Chairman.
I want to thank all of the commissioners for their work on the
Cyberspace Solarium Commission and congratulate them on producing a
game-changing report and recommendations that take a bold step in the
direction of reinventing our Nation's cybersecurity policy
architecture. The commission's legislative proposals accompanying the
recommendations are enabling Congress to act quickly and decisively on
these urgent measures.
The recommendations I am most interested in hearing about today
are, strengthening the Cybersecurity and Infrastructure Security Agency
(CISA) and its workforce, evaluating CISA's facilities needs,
strengthening the CISA director position and making the assistant
directors career, the National cyber director, authorizing CISA to
threat hunt on the .gov domain, securing email, developing a strategy
to secure email, and modernizing the digital infrastructure of State
and local governments and small and mid-sized businesses.
As Ranking Member on the Cybersecurity, Infrastructure Protection,
and Innovation Subcommittee, my top priority among the commission's
recommendations is strengthening and clarifying the Cybersecurity
Infrastructure Security Agency's (CISA) authority and vastly increasing
its funding to allow it to carry out its role as the Nation's risk
manager coordinating the protection of critical infrastructure and
Federal agencies and departments from cyber threats. I introduced this
recommendation as a bill, which requires CISA to assess what additional
resources are necessary to fulfill its mission. This assessment should
examine CISA's workforce composition and future demands and report to
Congress on the findings.
Under the bill, CISA would also evaluate its current facilities and
future needs including accommodating integration of personnel, critical
infrastructure partners, and other Department and agency personnel and
make recommendations to GSA. GSA must evaluate CISA's recommendations
and report to Congress within 30 days on how best to accommodate CISA's
mission and goals with commensurate facilities. The facilities
evaluation dovetails with the commission's recommendation for an
integrated cyber center within CISA.
I reintroduced my bill elevating and strengthening the CISA
director position to reflect the significance of the role, making the
position the equivalent of an assistant secretary or military service
secretary. My bill limits the term of the CISA director to two 5-year
terms, which ensures the agency has stable leadership. It also
depoliticizes the assistant director positions by making them a career.
A related legislative proposal that I am working with colleagues to
pass, clarifies CISA's authority to conduct continuous threat hunting
across the .gov domain. This will increase CISA's ability to protect
Federal networks and allow CISA to provide relevant threat information
to critical infrastructure.
Finally, the recommendation to establish a National cyber director
within the White House is another legislative proposal I am
cosponsoring. This Presidentially-nominated and Senate-confirmed
National cyber director would be the principal cybersecurity advisor of
the President, tasked with developing, counseling the President on, and
supervising the implementation of a National cyber strategy. This
leadership will bring focus to our Nation's cybersecurity as a top
strategic priority.
I look forward to hearing from our witnesses today about these
Solarium recommendations and the many others that fall under the
jurisdiction of our subcommittee as well as working with my colleagues
to attach many of the commission's recommendations to the National
Defense Authorization Act (NDAA), another must-pass vehicle or pass as
stand-alone bills.
In closing, I want to thank the Chairman for holding this important
hearing and I look forward to again convening in person with my
committee colleagues.
[Pause.]
Mr. Katko. I can't hear anything, Jim----
Mr. Langevin. I was muted, sorry about that. I thank the
Ranking Member for his comments, and I want to join with him.
First of all, I want to thank you, Ranking Member, for your
leadership on cybersecurity issues, as well as I have been
honored to join with the Ranking Member on these cybersecurity
issues that are before us, and that are moving their way
through the Congress.
I also want to join the Ranking Member in congratulating
the newest father in the House, Mr. Gallagher, on the birth of
his baby girl, Grace, and wish all the best to your entire
family. My congratulations.
Also, I should mention not--when I mentioned Senator King
as co-chair along with Congressman Gallagher and Suzanne
Spaulding, I glossed over and unintentionally didn't mention
Dr. Samantha Ravich's name, but I am going to read bios on each
of them in a minute. But I welcome, obviously, Dr. Ravich, and
thank her for her participation and valuable contribution that
she made to this Solarium Commission report, as well.
So with that, I thank the Ranking Member again.
Members are reminded that the subcommittee will operate
according to the guidelines laid out by the Chairman and
Ranking Member in their July 8 colloquy.
With that, I ask unanimous consent to waive the committee
rule 8(a)(2) for the subcommittee during remote proceedings
under the covered period designated by the Speaker under the
House Resolution 965.
Without objection, so ordered.
The Chair now recognizes the Chairman of the full
committee, the gentleman from Mississippi, Mr. Thompson, for an
opening statement.
Mr. Thompson. Thank you very much, Mr. Chair and Ranking
Member, and our witnesses today.
As you know, the Solarium Commission is very forward-
thinking, something--I compliment our witnesses for their
brilliant work that they have done on it. I compliment you
personally, being a Member of our committee, having served on
it.
I have a written testimony for the record. In the interest
of time and, again--forward, I will submit it for the record.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
July 17, 2020
At the outset, I want to acknowledge how fortunate we are, as
Members of Congress, to have before us a whole-of-Government, public/
private-sector blueprint for defending the Nation against future cyber
attacks. Too often, thoughtful documents like this are the product of
Monday morning quarterbacking that takes place after a catastrophic
event has occurred.
After the September 11 attacks, the 9/11 Commission studied how the
organization and policies of the Federal Government led to its failure
to predict, prevent, and prepare for the attacks, and made a series of
recommendations to reorganize the Government and build lacking
capabilities.
After Hurricane Katrina, Congress identified critical deficiencies
in Federal emergency management policy and overhauled it in the Post-
Katrina Emergency Management Reform Act. After the Russian government
attempted to meddle in our elections in 2016, I co-led a Task Force on
Election Security to understand vulnerabilities in our election
infrastructure, and we issued a report and recommendations to address
them. Soon, I expect we will establish a commission to study the
failures of the Federal Government that have led to its inept response
to the COVID-19 pandemic.
We are lucky we are here today not to discuss a tragedy, but
rather, how to organize the Federal Government to effectively avoid
one. At this time, the responsibility for leadership on Federal
cybersecurity policy rests with Congress.
Although there are many well-intentioned, capable people working
hard to advance sound cybersecurity policy throughout the Executive
branch, the lack of consistent leadership from the White House has
stunted progress. Over 2 years ago, for example, the White House green-
lighted the elimination of its Cyber Security Coordinator. The result
is a lack of effective coordination among Federal agencies who compete
for cybersecurity authorities, responsibilities, and associated
budgets--and Federal agencies approaching Congress with conflicting
priorities. The time has come for that to stop.
Toward that end, I appreciate and support the commission's
recommendation that Congress establish a National cyber director. I
understand Congressman Langevin has authored legislation to implement
that recommendation and has also submitted it as an amendment to the
NDAA. I fully support both efforts.
I similarly appreciate the commission's recommendations regarding
strengthening the Cybersecurity and Infrastructure Security Agency and
more clearly defining the roles and responsibilities of CISA and sector
risk management agencies. Right-sizing CISA's budget and equipping it
with the authorities necessary to carry out its mission to secure
Federal networks, while also supporting critical infrastructure, has
been a bipartisan priority of committee Members.
I am particularly interested in hearing Ms. Spaulding's thoughts on
these recommendations given her perspective as the former under
secretary of the National Protection and Programs Directorate.
Additionally, I am interested in discussing commission
recommendations related to implementing a ``carrot and stick'' approach
to encourage private-sector collaboration with the Federal Government's
cybersecurity and defense efforts, particularly the proposed
codification of ``systemically important critical infrastructure.''
Finally, I would be remiss if I did not address the commission's
observation that Congress' fractured jurisdiction over cybersecurity
frustrates efforts to achieve a comprehensive, cohesive approach to
cybersecurity. I agree. While I disagree with the commission's
recommendation on that point, rest assured that I am working to address
the underlying problem.
Mr. Langevin. I thank you, Chairman Thompson, and I thank
you for your leadership, both of the full committee on a whole
host of issues, but for your leadership and support on
cybersecurity, in particular. You have been incredible, and I
thank you for that, your leadership there.
I understand that Mr. Rogers is not able to join us. Is
that correct?
OK, I believe that is the case. So if Mr. Rogers is not
here, then with that, again, I thank the Chairman, and I now
welcome our panel of witnesses.
First I would again like to welcome Senator Angus King, the
former Governor of Maine, who served as co-chair of the
Solarium Commission. Senator King currently sits on the Senate
Armed Services Committee and the Senate Committee on
Intelligence, among others, and has been a vocal leader on
cybersecurity throughout his tenure. I welcome the Senator
here.
Next, Representative Mike Gallagher, co-chair of the
Cyberspace Solarium Commission and current Member of the House
of Representatives for the 8th district of Wisconsin. Mr.
Gallagher is a Member of the House Armed Services Committee,
and a former Member of this committee. I would also like to
welcome Mr. Gallagher back to the committee again, back to
Congress after his paternity leave, and I thank him for
interrupting his paternity leave, being here with us.
Again, Mr. Gallagher, congratulations on your daughter,
Grace. In addition to being a huge Packers fan, I know they
will be incredibly very proud of their father for the work that
you have done with the commission.
Next we will hear from Suzanne Spaulding, a commissioner
for the Cyber Solarium Commission and senior adviser at the
Center for Strategic and International Studies. Before that Ms.
Spaulding served as the under secretary for the National
Protection and Programs Directorate at the Department of
Homeland Security, which is now the Cybersecurity and
Infrastructure Security Agency, or CISA. So I look forward to
hearing her unique perspective and her emphasis on how civics
education is an essential component of resiliency.
Finally, we have Dr. Samantha Ravich, a commissioner of the
Cyber Solarium Commission, and former deputy national security
adviser during the Bush administration. Dr. Ravich is currently
serving as the chair of the Foundation for Defense of
Democracy's Center for Cyber and Technology Innovation. I
deeply appreciate her coming to speak with us today, and for
her incredible contributions to, I think, a continuity of the
economy.
With that, without objection, the witnesses' full
statements will be inserted into the record. I now ask each
witness to summarize their statements for 5 minutes, beginning
with Senator King.
Senator King, it was a pleasure serving with you on the
Solarium Commission, and I look forward to hearing your
comments here today. You are now recognized.
STATEMENT OF HON. ANGUS KING, A UNITED STATES SENATOR FROM THE
STATE OF MAINE, AND CO-CHAIR, CYBERSPACE SOLARIUM COMMISSION
Senator King. Mr. Chairman, thank you very much for holding
this hearing. It really means a lot to the work of the
commission to be taking this next step.
I would say that I use this technology every Wednesday
morning for the Senate Prayer Breakfast, and it seems to work
very effectively, except when we try to sing hymns. So I think,
as long as we don't sing any hymns today, we will be OK.
I appreciate your time. I also appreciate the involvement
and engagement of Representative Katko, who has--who outlined a
series of bills, all of which we think are important, and I
really want to thank him for his work.
I want to give a little bit of background. The first thing
to observe is that, in the last 6 months, we have learned that
the unthinkable can happen. The unthinkable can happen. In the
last 48 hours, we have learned that cyber is an ever-present
threat.
As the Chairman mentioned in his opening statement, the
attack on Twitter, which was a commercial one, but also the
apparent attack by the Russians on the security of our pursuit
of a vaccine, it is just a reminder that this is not an
academic question, but it is something that is really a--front
and center in threats that this country is facing.
The commission that you mentioned several times, and that
Mike Gallagher and I were privileged to co-chair, was set up in
the 2019 National Defense Act. It had a unique structure. It
had 4 sitting Members of Congress, 4 members from the
Executive, and 6 members from the private sector. I can
honestly say that, throughout our deliberations--and we had
over 30 meetings, had 400 interviews, thousands of pages of
documents--there was not a single moment of partisanship or of
partisan discussion. In fact, I have no idea the party
affiliation of the other 10 members of the commission who
aren't Members of Congress. That, it seems to me, speaks to the
importance and overriding power of this issue that really must
unite us.
So that was the work of the commission. We went through, as
I mentioned, 30 meetings together. We had stress tests. We had
a sort-of contest of ideas in the middle of last summer, and we
really tried to approach this with fresh eyes to look at,
really, 2 basic questions: What should our strategy be, and
what should our organizational structure be to--both to
protect, to prepare, and to prevent cyber attacks?
As you mentioned, there are 82 recommendations in the
report, 54 of which have been converted into legislative
recommendations and presented to the various committees of both
the House and the Senate in the form of fully-drafted
legislative proposals.
What we are talking about is what is called layered cyber
deterrence, and that means resilience so that our adversaries
feel that there is not much to be gained by attacking us
because of our security and our protection of our systems, but
also a declaratory policy that, if attacked, we will respond.
One of the deficiencies in our cyber posture over the last
several decades has been we have a deterrence strategy for a
major sort-of threshold of use of force, but we haven't had a
strategy, and we haven't articulated a doctrine that would
provide a deterrent for less than use-of-force kind of cyber
attacks.
For that reason, as I have said many times, we are a cheap
date. Our adversaries don't--they don't compute the cost of
attacking us. That has to change. That is the strategic
picture.
The organizational picture is that cyber is scattered
throughout the Federal Government. It is in the Defense
Department, it is in the intelligence community, it is in DHS,
it is in the FBI. We really need to try to straighten out the
organizational structure.
One of my observations has been that messy structure equals
messy policy. That leaves us with the creation of a National cyber
director in the White House, appointed by the President,
confirmed by the Senate, which will give continuity to this
important interest. We want somebody in the Federal Government
who wakes up every morning with the mission of protecting this
country in cyber space.
Finally, one of the crucial elements that we tried to
address in the report--and frankly, it is a difficult one--is
the relationship between the Government and the private sector.
Eighty-five percent of the target space in cyber is in the
private sector. The private-sector computers, whether they are
in the financial sector, or energy, or transportation, or
telecommunications, they are the front line troops in this
battle. Yet it is the Federal Government that often has the
resources and the expertise and the ability to pull together
this information in order to protect our country.
So I will go back to--I think one of you stated--I think
Mr. Katko, Representative Katko, stated and Mike Gallagher said
this was our mission from the beginning. We wanted to be the 9/
11 Commission report without 9/11. That is really what we have
tried to focus upon in this project.
So I want to thank the committee. Now is the time to put
these recommendations into law, into practice, if we are going
to protect our country in the way that we all believe--it can
be done, and certainly it should be done. The unthinkable can
happen. But we can be prepared, we can prevent, and we can
protect this country.
Thank you, Mr. Chairman.
[The joint prepared statement of Sen. King, Hon. Gallagher,
Ms. Ravich and Ms. Spaulding follows:]
Joint Prepared Statement of Senator Angus King, Honorable Mike
Gallagher, Samantha Ravich, and Suzanne Spaulding
July 17, 2020
The Cyberspace Solarium Commission (CSC) was established by the
John S. McCain National Defense Authorization Act (NDAA) for Fiscal
Year 2019 to ``develop a consensus on a strategic approach to defending
the United States in cyber space against cyber attacks of significant
consequences.''
The Cyberspace Solarium Commission consists of 14 commissioners,
including 4 currently-serving legislators, 4 Executive branch leaders,
and 6 recognized experts with backgrounds in industry, academia, and
Government service. Senator Angus King and Representative Mike
Gallagher serve as the co-chairmen. The commissioners spent the past 13
months studying the issues, investigating solutions, and deliberating
on courses of action to produce a comprehensive report. Our
commissioners convened nearly every Monday that Congress was in session
for over a year, achieving an impressive benchmark of 30 meetings. The
staff conducted nearly 400 interviews with industry, Federal, State,
and local governments, academia, non-Governmental organizations, and
international partners. The commissioners also recruited our Nation's
leading cybersecurity professionals and academic minds to vigorously
stress test the findings and red-teamed the different policy options in
an effort to distill the optimal approach to securing the United States
in cyber space. The final report was presented to the public on March
11, 2020 and identified 82 specific recommendations. These bi-partisan
recommendations were then subsequently turned into 52 legislative
proposals that have been shared with the appropriate committees in the
Senate and House of Representatives.
Ultimately, the commission developed a strategic approach of
``layered cyber deterrence'' with the objectives of actively shaping
behavior in cyber space, denying benefits to adversaries who exploit
this domain, and imposing real costs against those who target America's
economic and democratic institutions in and through cyber space. Our
critical infrastructure--the systems, assets, and entities that
underpin our National security, economic security, and public health
and safety--are increasingly threatened by malicious cyber actors.
Effective critical infrastructure security and resilience requires
reducing the consequences of disruption, minimizing vulnerability, and
disrupting adversary operations that seek to hold our assets at risk.
We believe the future of the U.S. economy and our National security
requires both the Executive branch and Congress work in tandem to
prioritize and grant the following recommendations.
First and foremost, the commission found that the Federal
Government lacks consistent and institutionalized leadership, as well
as a cohesive, clear strategic vision on cybersecurity. As a result, we
recommend that Congress establish a National cyber director in the
Executive Office of the President to centralize and coordinate the
cybersecurity mission at the National level. The National cyber
director would work with Federal departments and agencies to bring
coherence in the development of cybersecurity policy and strategy and
in its execution. The position would provide clear leadership in the
White House and signal cybersecurity as an enduring priority in U.S.
National security strategy.
Second, the Government must continue to improve the resourcing,
authorities, and organization of the Cybersecurity and Infrastructure
Security Agency (CISA) in its role as the primary Federal agency
responsible for critical infrastructure protection, security, and
resilience. We recommend empowering CISA with tools to strengthen
public-private partnership. Of particular value would be the
authorities needed to aid in responding to attempted attacks on
critical infrastructure from a variety of actors ranging from nation-
states to criminals. Currently, the U.S. Government's authorities are
limited exclusively to certain criminal contexts, where evidence of a
compromise exists, and do not address instances in which critical
infrastructure systems are vulnerable to a cyber attack. To address
this gap, Congress should grant CISA subpoena authority in support of
their threat and asset response activities, while ensuring appropriate
liability protections for cooperating private-sector network owners.
Third, elements of the U.S. Government and the private sector often
lack the tools necessary for successful collaboration to counter and
mitigate a malicious nation-state cyber campaign. To address this
shortcoming, the Executive branch should establish a Joint Cyber
Planning Office under CISA to coordinate cybersecurity planning and
readiness across the Federal Government and between the public and
private sectors for significant cyber incidents and malicious cyber
campaigns. Within a similar vein, Congress should also direct the U.S.
Government to plan and execute a National-level cyber table-top
exercise on a biennial basis that involves senior leaders from the
Executive branch, Congress, State governments, and the private sector,
as well as international partners, to build muscle memory for key
decision makers and develop new solutions and strengthen our collective
defense.
Fourth, the United States must take immediate steps to ensure our
critical infrastructure sectors can withstand and quickly respond to
and recover from a significant cyber incident. Resilience against such
attacks is critical in reducing benefits that our adversaries can
expect from their operations--whether disruption, intellectual property
theft, or espionage. Congress should direct the Executive branch to
develop a Continuity of the Economy Plan. This plan should include the
Federal Government, SLTT entities and private stakeholders who can
collectively identify the resources and authorities needed to rapidly
restart our economy after a major disruption. In addition, the
commission recommends establishing a Cyber State of Distress tied to a
Cyber Response and Recovery Fund, giving the Government greater
flexibility to scale up and augment its own capacity to aid the private
sector when a significant cyber incident occurs. These changes will
ensure the infrastructure that supports our most critical National
functions can continue to operate amidst disruption or crisis.
Fifth, the commission recommends 2 relevant initiatives to reshape
the cyber ecosystem toward greater security for all Americans. The
first, the creation of a National Cybersecurity Certification and
Labeling Authority, would help create standards and transparency that
will allow consumers of technology products and services to use the
power of their purses over time to demand more security and less
vulnerability in the technologies they buy. Furthermore, Congress
should appropriate funds to the Department of Homeland Security (DHS),
in partnership with the Department of Energy, Office of the Director of
National Intelligence (ODNI), and the Department of Defense (DoD), to
competitively select, designate, and fund up to 3 Critical Technology
Security Centers in order to centralize efforts directed toward
evaluating and testing security of devices and technologies that
underpin our networks and critical infrastructure.
Sixth, the U.S. intelligence community is not currently resourced
or aligned to adequately support the private sector in cyber defense
and security. While the intelligence community is formidable in
informing security operations in instances when the U.S. Government is
the defender, its policies and procedures are not aligned to
intelligence collection on behalf of private entities, which
constitutes around 85 percent of our critical infrastructure. To that
end, Congress should direct the Executive branch to conduct a 6-month
comprehensive review of intelligence policies, procedures, and
resources to identify and address key limitations in order to improve
the intelligence community's ability to provide intelligence support to
the private sector.
Throughout the process of developing its recommendations, the
commission always considered Congress as its ``customer.'' Through the
NDAA, Congress tasked the commission to investigate cyber threats that
undermine American power and prosperity, to determine an appropriate
strategic approach to protect the Nation in cyber space, and to
identify policy and legislative solutions. As commissioners, we are
here today to share what we learned, advocate for our recommendations,
and work to assist you in any way we can to solve this serious and
complex challenge.
intersection between pandemic and cyber crises
The COVID-19 pandemic has been a big wakeup call for us all because
it illustrates the challenge of ensuring resilience and continuity in a
connected world. It is an example of a type of non-traditional National
security crisis that spreads rapidly through the system, stressing
everything from emergency services and supply chains to basic human
needs. The pandemic has produced cascading effects and high levels of
uncertainty. This situation undermines normal policy-making processes
and forces decision makers to craft hasty and ad hoc emergency
responses. Complex emergencies that rely on coordinated action beyond
traditional agency responses and processes illustrate what the
commission saw as an acute threat to the security of the United States.
The lessons the country is still learning from the on-going
pandemic are not perfectly analogous to a significant cyber attack, but
are highly illustrative of the possible consequences due to several
similarities between the 2 types of events. First, both the pandemic
and a significant cyber attack are global in nature. Second, both the
COVID-19 pandemic and a significant cyber attack require a whole-of-
Nation response and are likely to challenge existing incident
management doctrine and coordination mechanisms. Finally, and perhaps
most importantly, prevention is far cheaper and more effective than
response.
The global health crisis has reinforced the urgency of many of the
core recommendations in the commission's March 2020 report. Responding
to complex emergencies will require a balance between response agility
and institutional resilience in the economy and critical infrastructure
sectors. It relies on strategic leadership and coordination from the
highest offices in Government, underscoring the importance of a
National Cyber Director. It relies on a strong understanding of the
risks posed by a crisis and a data-driven approach to mitigating those
risks before, during, and after a crisis, validating the commission's
recommendations. Specifically, successfully responding to a crisis
relies on clear roles and responsibilities for critical actors in the
public and private sector as well as established, exercised
relationships and plans, highlighting the importance of Continuity of
the Economy planning.
the challenge
For the last 20 years, adversaries have used cyber space to attack
American power and interests. Our adversaries have not internalized the
message that, if they attack us in cyber space, they will pay a price.
The more connected and prosperous our society has become, the more
vulnerable we are to rival great powers, rogue states, extremists, and
criminals. These attacks on America occur beneath the threshold of
armed conflict and create significant challenges for the private sector
and the public at large.
The American public relies on critical infrastructure, roughly 85
percent of which--according to the Government Accountability Office--is
owned and operated by the private sector. Increasingly, institutions
Americans rely on--from water treatment facilities to hospitals--are
connected and vulnerable. There are also new industries and services,
like cloud computing, which our society relies on for economic growth.
As we saw last year, hackers don't just target the U.S. Government and
military personnel--they increasingly target our cities and counties
with malware and ransomware attacks.
Creating a secure Nation in the 21st Century requires an
interconnected system of both public and private networks secure from
state and non-state threats. China commits rampant intellectual
property theft to help their businesses close the technological gap,
costing non-Chinese firms over $300 billion per year. Massive data
breaches, including those suffered by Equifax, Marriott, and the Office
of Personnel Management (OPM), enable Chinese spies to collect data on
over a hundred million Americans.
Russia targets the integrity and legitimacy of elections in
multiple countries while actively probing critical infrastructure. In
spring 2014, Russian-linked groups launched a campaign to disrupt
Ukrainian elections that included attempts at altering vote tallies,
disrupting election results through distributed-denial-of-service
attacks, and smearing candidates by releasing hacked emails. They
continue to spread hate and disinformation on social media to polarize
free societies. But they have not stopped there. The 2017 NotPetya
malware attack spread globally. Iran and North Korea attack U.S. and
allied interests through cyber space. Iranian cyber operations have
targeted the energy industry, entertainment sector, and financial
institutions. There are also documented cases of Iranian APTs targeting
dams in the United States with distributed-denial-of-service attacks.
North Korea exploits global connectivity to skirt sanctions and sustain
an isolated, corrupt regime. The 2017 WannaCry ransomware attacks hit
over 300,000 computers in 150 countries, including temporarily
disrupting U.K. hospitals. According to United Nations estimates, North
Korean cyber operations earn $2 billion in illicit funds for the regime
each year.
A new class of criminal thrives in this environment. Taking
advantage of wide-spread cyber capabilities revealed by major state
intrusions, criminal groups are migrating toward a ``crime-as-a-
service'' model in which threat groups purchase and exchange malicious
code on the dark web. In 2019, ransomware incidents grew over 300
percent compared to 2018 and hit over 40 U.S. municipalities. More
recently, opportunistic hackers have hijacked hospitals and health care
systems during the COVID-19 pandemic, taking advantage of poorly
protected systems at their most vulnerable state. Remote access and the
expansion of the work-from-home economy continues to increase the
threat vectors for criminal actors as the world changes to meet the
needs of a global pandemic.
strategic approach
The strategy put forth by the Cyberspace Solarium Commission
combines a number of traditional deterrence mechanisms and extends
their use beyond the Government to develop a whole-of-Nation approach.
It also updates and strengthens our declaratory policy for cyber
attacks both above and below the level of armed attack. The United
States must demonstrate its ability to impose costs while establishing
a clear declaratory policy that signals to rival states the costs and
risks associated with attacking America in cyber space.
Since America relies on critical infrastructure that is primarily
owned and operated by the private sector, the Government cannot defend
the Nation alone. The public and private sectors, along with key
international partners, must collaborate to build resilience and
reshape the cyber ecosystem in a manner that increases its security,
while imposing costs against malicious actors and preventing attacks of
significant consequence.
Cyber deterrence is not nuclear deterrence. The fact is, no action
will stop every hack. Rather, the goal is to reduce the severity and
frequency of attacks by making it more costly to benefit from targeting
American interests through cyber space. Layered cyber deterrence
combines traditional methods of altering the cost-benefit calculus of
adversaries (e.g., denial and cost imposition) with forms of influence
optimized for a connected era, such as promoting norms that encourage
restraint and incentivize responsible behavior in cyber space.
Strategic discussions all too often prioritize narrow definitions of
deterrence that fail to consider how technology is changing society. In
a connected world, those states that harness the power of cooperative,
networked relationships gain a position of advantage and inherent
leverage. The more connected a state is to others and the more
resilient its infrastructure, the more powerful it becomes. This power
requires secure connections and stable expectations between leading
states about what is and is not acceptable behavior in cyber space. It
requires shaping adversary behavior not only by imposing costs but also
by changing the ecosystem in which competition occurs. It requires
international engagement and collaboration with the private sector.
Layered cyber deterrence emphasizes working with the private sector
to efficiently coordinate how the Nation responds with speed and
agility to emerging threats. The Federal Government alone cannot fund
or solve the challenge of adversaries attacking the networks on which
America and its allies and partners rely. It requires collaboration
with State and local authorities, leading business sectors, and
international partners, all within the rule of law. This strategy also
contemplates the planning needed to ensure the continuity of the
economy and the ability of the United States to rebound in the
aftermath of a major, Nation-wide cyber attack of significant
consequence. Such planning adds depth to deterrence by assuring the
American people, allies, and even our adversaries that the United
States will have both the will and capability to respond to any attack
on our interests. These 3 deterrent layers are supported by 6 policy
pillars that organize the 82 recommendations that collectively
represent the means to implement our strategy.
the need to reorganize the u.s. government (pillar 1)
The Legislative and Executive branches must align their authorities
and capabilities to produce the speed and agility required to defend
America in cyber space. Greater collaboration and integration in the
planning, resourcing, and employment of Government cyber resources
between the public and private sectors is a foundational requirement.
The U.S. Government needs strategic continuity and unity of effort to
achieve the goal of layered cyber deterrence called for by the
Cyberspace Solarium Commission. These actions require adjusting the
authorities and alignment of fundamental processes the U.S. Government
applies to defend its interests in cyber space.
First, Congress must reestablish clear oversight responsibility and
authority over cyber space within the Legislative branch. The large
number of committees and subcommittees claiming some form of
jurisdiction over cyber issues is actively impeding action and clarity
of oversight. By centralizing responsibility in the new House Permanent
Select and Senate Select Committees on Cybersecurity, Congress will be
empowered to provide coherent oversight to Government strategy and
activity in cyber space.
Next, select entities in the Executive branch that deal with
cybersecurity must be restructured and streamlined. Multiple
departments and agencies have a wide range of responsibilities for
securing cyber space. These responsibilities tend to overlap and at
times conflict. The departments and agencies tend to compete for
resources and authorities resulting in conflicting efforts that produce
diminishing marginal returns. Establishing a National cyber director
within the Executive Office of the President would consolidate
accountability for harmonizing the Executive branch's policies,
budgets, and responsibilities in cyber space while implementing
strategic guidance from the President and Congress.
In addition to this National cyber director, a properly-resourced
and empowered CISA will be critical to achieving coherence in the
planning and deployment of Government cyber resources. Multiple
administrations and Congressional sessions have worked to establish
CISA as a keystone of National cybersecurity efforts, but work still
needs to be done to realize our ambitious vision for this critical
organization. That includes strengthening its director with a 5-year
term and elevated Executive status, adequately resourcing its programs
to engage with the private sector while managing National risk, and
securing sufficient facilities and required authorities for its vital
and growing mission. These changes will remove key limitations in
CISA's ability to forge a greater public-private partnership and its
mission to secure critical infrastructure.
Finally, the U.S. Government must more effectively recruit,
develop, and retain a cyber workforce capable of building a defensible
digital ecosystem and deploying all instruments of National power in
cyber space. That will require designing innovative programs and
partnerships to develop the workforce, supporting and expanding good
programs where they are already in place, and connecting with a diverse
pool of promising talent. In some cases, success in building a robust
Federal workforce depends on stakeholders outside the Federal
Government, like educators, non-profits, and businesses. Policy makers
should support these important partners by providing the tools they
need to be effective, like classroom-ready resources, incentives for
research on workforce dynamics, and clear routes for collaborating with
the Government.
deterrence by denial (pillars 3/4/5)
Denying adversaries' benefits of their cyber campaigns is a
critical aspect of ``Layered Cyber Deterrence.'' By ensuring the
resilience of critical pillars of National power, reducing our National
vulnerability, and disrupting threats through operationalizing
collaboration between the Government and private sector we can
effectively force adversaries to make difficult decisions regarding
resourcing, access, and capabilities. The U.S. Government support must
be better informed through a Joint Collaborative Environment that would
pool public-private sources of threat information to be coordinated
through a Joint Cyber Planning Office and an Integrated Cyber Center at
DHS. Paired with our recommendation to conduct a Biennial National
Cyber Tabletop Exercise, that involves senior leaders from the
Executive branch, Congress, State governments, and the private sector
as well as international partners--the United States and her allies
will be in a forward-leaning position and ready to lead.
Today, under the direction of Presidential Policy Directive 21,
sector-specific agencies are the lead Federal agencies tasked with day-
to-day engagement with the private sector on security and resilience.
However, there are significant imbalances and inconsistencies in both
the capacity and the willingness of these agencies to manage sector-
specific risks and participate in Government-wide efforts. In addition,
the lack of clarity and consistency concerning the responsibilities and
requirements for these agencies continues to cause confusion,
redundancy, and gaps in resilience efforts. For this reason, the
commission recommends that Congress codify sector-specific agencies in
law as ``sector risk management agencies'' to ensure consistency of
effort across critical infrastructure sectors and ensure that these
agencies are resourced to meet growing needs.
Denying adversaries' benefits starts with ensuring that our most
critical targets are able to withstand and quickly recover from cyber
attacks. In other words, we must build resilience. Effective National
resilience efforts fundamentally depend on the ability of the United
States to accurately understand, assess, and manage National cyber
risk. Current efforts to assess and manage risk at the National level
are relatively new and are significantly hindered by resource
limitations, immaturity of process, and inconsistent capacity across
departments and agencies that participate in National resilience
efforts. Today, while the U.S. Government plans for continuity of
operations and continuity of Government, no similar planning exists to
ensure continuity of the economy. This must change, and the planning
process should analyze National critical functions, outlining
priorities for response and recovery, and identifying areas for
resilience investments. In doing so, the continuity of the economy plan
should identify areas for preservation of data and mechanisms for
extending short-term credit to ensure recovery efforts. Additionally,
Congress should also provide CISA with the necessary support to expand
its current capability to issue Cyber State of Distress declarations in
conjunction with Cyber Response and Recovery Funding. Furthermore,
providing CISA with Administrative Subpoena Authority will dramatically
improve the Federal Government's ability to actively notify critical
infrastructure owners and operators that are on the front lines and
being attacked by our adversaries who are largely acting with impunity.
Denying adversaries' benefits also must lie in driving down our
National cyber vulnerability at scale. Today, vulnerability in our
cyber ecosystem is derived not only from technology, but also human
behavior and processes. The commission sought means to improve the
security of both the technological and human aspects at scale. Moving
the technology markets to emphasize security requires creating greater
transparency about the security characteristics of technologies
consumers buy. This is why the commission recommends the creation of a
National Cybersecurity Certification and Labeling Authority and
Critical Technology Security Centers to collectively develop and
facilitate authoritative, easy-to-understand security certifications
and labels for technology products. By helping consumers make more
informed technology purchases, the market will become a difficult place
for vendors who do not prioritize security to do business.
Layered cyber deterrence includes shaping cyber actors' behavior
through strengthened norms of responsible state behavior and non-
military instruments of power, such as law enforcement, sanctions,
diplomatic engagement and capacity building. A system of norms, based
on international engagement and enforced through these instruments of
power, helps secure American interests in cyber space.
To strengthen cyber norms and build a like-minded international
coalition to enforce them, the commission recommends Congress create
and adequately resource the Bureau of Cyberspace Security and Emerging
Technologies led by an assistant secretary of state. The Bureau would
bring dedicated cyber leadership and coordination to the Department of
State.
Leading internationally also means having strong and coordinated
representation in bodies that set global technical standards,
therefore, Congress should sufficiently resource the National Institute
of Standards and Technology to bolster participation in these bodies.
American values, interests, and security are strengthened when
international technical standards are developed and set with active
U.S. participation. Engaging fully means we must also facilitate robust
and integrated participation from across the Federal Government,
academia, civil society, and industry; the United States is at its best
when we draw input from all our experts.
In parallel to robust participation in multilateral bodies, law
enforcement activities also provide fruitful ground on which to work
with international partners and allies to hold adversaries accountable.
We recommend providing the Department of Justice Office of
International Affairs with administrative subpoena authority, which
streamlines the Mutual Legal Assistance Treaties process, enabling U.S.
law enforcement to help allies and partners prosecute cyber criminals.
Additionally, the commission recommends Congress create and fund 12
additional Federal Bureau of Investigation cyber assistant legal
attaches to facilitate intelligence sharing and help coordinate joint
enforcement actions. Investing in these types of international law
enforcement activities improves the credibility of enforcement and
signals America's commitment to bring malicious actors to justice.
DETERRENCE BY COST IMPOSITION (PILLAR 6)
A key layer of the commission's strategy outlines how to impose
costs to deter malicious adversary behavior and reduce on-going
adversary activities short of armed conflict. As part of this effort,
the commission puts forth 2 key recommendations: To conduct a force
structure assessment of the Cyber Mission Force (CMF); and to conduct
cybersecurity and vulnerability assessments of conventional weapons
systems and of the nuclear command, control, and communications
enterprise.
Today, the United States has not created credible and sufficient
costs against malicious adversary behavior below the level of armed
attack--even as the United States has prevented cyber attacks of
significant consequences. Our Nation must shift from responding to
malicious behavior after it has already occurred to proactively
observing, pursuing, and countering adversary operations. This should
include imposing costs to change adversary behavior using all
instruments of National power in accordance with international law.
To achieve these ends, the United States must ensure that it has
sufficient cyber forces to accomplish strategic objectives in and
through cyber space. The CMF is currently considered at full
operational capability (FOC) with 133 teams comprising a total of
approximately 6,200 individuals. However, these requirements were
defined in 2013, well before our Nation experienced or observed some of
the key events that have shaped our Government's understanding of the
cyber threat. The FOC determination for the CMF was also well before
the development of the Department of Defense's (DoD) defend forward
strategy. Therefore, we recommend Congress direct the DoD to conduct a
force structure assessment of the CMF to ensure the United States has
the appropriate force structure and capabilities in light of growing
mission requirements. This should include an assessment of the resource
implications for intelligence agencies in their combat support agency
roles.
If deterrence fails, the United States must also be confident that
its military capabilities will work as intended. However, deterrence
across all of the domains of warfare is undermined, and the ability of
the United States to prevail in crisis and conflict is threatened, if
adversaries can hold key military systems and functions, including
nuclear systems, at risk through cyber means. Therefore, the commission
recommends Congress direct the DoD to conduct a cybersecurity
vulnerability assessment of all segments of nuclear command, control,
and communications systems and continually assess weapon systems' cyber
vulnerabilities.
Our hope is that, by implementing these recommendations, we can
ensure our Nation is willing and able to counter and reduce malicious
adversary behavior below the level of armed conflict, impose costs to
deter significant cyber attacks, and, if necessary, fight and win in
crisis and conflict.
CONCLUSION
The recommendations put forward by the commission are an important
first step to denying adversaries the ability to hold America hostage
in cyber space and will be critical to our efforts to re-establish
deterrence in cyber space. We believe that deterrence is an enduring
American strategy, but it must be adapted to address how adversaries
leverage new technology and connectivity to attack the United States.
Cyber operations have become a weapon of choice for adversaries seeking
to hold the U.S. economy and National security at risk. Near peer
adversaries such as China and Russia are attempting to reassert their
influence regionally and globally, using cyber and influence operations
to undermine American security interests. The concept of deterrence
must evolve to address this new strategic landscape. Reducing the scope
and severity of these adversary cyber operations and campaigns requires
adopting the commission's strategy of layered cyber deterrence--
improving our ability to defend our critical infrastructure and
investing in an effective public-private collaboration.
To this end, we believe this committee must prioritize a selection
of the commission's recommendations that include: Strengthening the
Government with a National cyber director, an empowered CISA, a new
Joint Cyber Planning Office, and improved intelligence support to the
private sector; building resilience with Continuity of the Economy
Planning, and a codified ``Cyber State of Distress'' tied to a ``Cyber
Response and Recovery Fund''; and, an improved cyber ecosystem with a
National Cybersecurity Certification and Labeling Authority, and the
designation of Critical Technology Security Centers.
The 2019 NDAA charted the U.S. Cyberspace Solarium Commission to
address 2 fundamental questions: What strategic approach will defend
the United States against cyber attacks of significant consequence? And
what policies and legislation are required to implement that strategy?
The commission has delivered on its mission in the promulgation of
``layered cyber deterrence'' strategy and the corresponding legislative
proposals. We now need your help to enact these key legislative
proposals as they will empower the Government and the private sector to
act with speed and agility in securing our cyber future.
Mr. Langevin. Thank you, Senator King. Again, thank you for
your leadership on the Cyberspace Solarium Commission. As one
of the co-chairs, you did an outstanding job, and I was proud
to serve on that commission. Thank you for your testimony.
Now I recognize Congressman Gallagher to summarize the
commission statement for 5 minutes.
Mr. Gallagher, you are recognized.
STATEMENT OF HON. MICHAEL GALLAGHER, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF WISCONSIN, AND CO-CHAIR, CYBERSPACE
SOLARIUM COMMISSION
Mr. Gallagher. Thank you, Chairman Langevin, not only for
chairing this hearing today, but for your immense contributions
to the commission. Our final report would not have been
possible, were it not for your leadership. In many areas we
were building upon work that you have been doing for the last
decade. So it was really great to get to work with you.
Thank you to Ranking Member Katko for your engagement from
the start of this effort, for meeting with us and our staff
multiple times, and for your leadership on these issues.
Thank you, Chairman Thompson, for giving us this forum
today.
Let me just echo what my co-chair, Senator King--who is
married to a Packers fan, I should note--said at the outset,
which is, you know, we were--we come from different parties, we
were appointed by partisans on different sides, and certainly
the outside experts, Commissioner Spaulding and Ravich were, as
well. But it would have been impossible to determine the party
affiliations if you were just to listen to one of the many
debates we had as we met as a commission.
I think what came out of this process was a truly
nonpartisan report that attempts to put the interests of the
country ahead of any parochial or political interests. So this
really has been an issue that every Presidential administration
for the past 25 years, Democrats and Republicans, has tried to
figure out: How do we defend U.S. interests and promote U.S.
values in cyber space?
Despite these well-intentioned efforts, our networks are
vulnerable, if not already compromised. Our country has lost
hundreds of billions of dollars to nation-state-sponsored
intellectual property theft via cyber means. A major cyber
attack on our Nation's critical infrastructure and our economic
system would create chaos and lasting damage.
So, in an effort to forestall such a future, the Cyberspace
Solarium Commission examined a broad range of structures and
policies that could more effectively defend our Nation in cyber
space.
I should admit our public relations plan, when we released
the report publicly on March 11, 2020, did not factor in a
global pandemic taking over the conversation. But that is all
the more reason why it is important to have hearings like this
today. We hope that, not only will you digest our full report,
but also read our pandemic annex.
But I just would highlight a few of the commission's key
recommendations up front here.
One, reform the U.S. Government structure and organizations
for cybersecurity. This starts with establishing a National
cyber director situated within the Executive office of the
President, who is Senate-confirmed and supported by the Office
of the National Cyber Director, as Senator King outlined.
It also continues with strengthening CISA, as
Representative Katko outlined, so that CISA can better serve as
that central core element to support and integrate the Federal,
State, and local, and private-sector cybersecurity efforts.
I think it is important to note that the overall approach
we are taking here is not to create a bunch of new
organizations within the Federal Government, but rather an
attempt to elevate and empower existing organizations like
CISA, who have made important progress in recent years, but
need more support from Congress.
Second, I just would say we have a variety of
recommendations on promoting National resilience, specifically
that Congress should codify the roles of sector-specific
agencies, focusing National risk management efforts, and also
developing and maintaining a continuity-of-the-economy planning
process so that we think through the unthinkable now, so we are
not having to make things up on the fly in the wake of a cyber
9/11.
Then third and finally, I just would highlight the need to
reshape the cyber ecosystem toward greater security. We are
recommending, for example, that Congress establish and fund a
National cybersecurity certification and labeling process to
establish and manage a program on security certification and
labeling of ICT products, as well as establish a Bureau of
Cyber Statistics charged with collecting and providing data on
cybersecurity.
These recommendations, and many more like them in the
report, are all designed to implement the commission's
recommended strategy of layered cyber deterrence, which is our
theory for how we evolve into a harder target, a better ally,
and a worse enemy in how we better defend our Nation, our
economy, and our way of life in cyber space.
So thank you for giving us the opportunity to present our
findings here today. We look forward to the debate. Again, I
just want to highlight not only the contributions of the
commissioners that you will hear from, but also our wonderful
staff who has dedicated a year of their life to this important
effort.
I yield back.
Mr. Langevin. Thank you, Chairman Gallagher. Again, I
commend you for your leadership on the Solarium Commission.
Both you and Senator King made a great team in co-chairing the
Cyberspace Solarium Commission. We are greatly indebted to you
for your work and service.
With that, I thank you for your testimony, and I now
recognize Ms. Spaulding to summarize the commission's statement
for 5 minutes.
[Pause.]
Mr. Langevin. Commissioner Spaulding, you are muted. We
need to unmute you.
There you go, you are unmuted.
STATEMENT OF SUZANNE SPAULDING, COMMISSIONER, CYBERSPACE
SOLARIUM COMMISSION
Ms. Spaulding. Thank you, Chairman Langevin. Thank you,
Chairman Thompson, Ranking Member Katko, and Members of the
committee. Thank you for this opportunity to be here today to
testify. It is an honor to be here with my fellow witnesses.
Particularly, Chairman Langevin, an honor it was to work
with you again, having worked with you in 2007 on the
Commission for Cybersecurity for the 44th President, which you
co-chaired. I want to thank you for your long, outstanding
leadership on cybersecurity issues.
The bipartisanship, nonpartisanship which you have heard
today, really, that tone was set at the top by our 2 co-chairs,
Senator King and Congressman Gallagher. So thank you for that.
Of course, a pleasure to work with Commissioner Ravich.
I want to touch briefly today on 3 key areas that I think
should and must be acted on very quickly, given the
vulnerabilities particularly, as we have noted, with the
pandemic.
The first is strengthening DHS's Cybersecurity and
Infrastructure Security Agency, or CISA, as the organization
that I once led at DHS is now called, thanks in no small
measure to the work of this committee and Chairman Thompson,
and I thank you for that.
With malicious cyber actors targeting hospitals, vaccine
development, and governments at every level, and a stay-at-home
work force presenting a massive attack surface, CISA's work has
never been more important. This is why the commission urges
Congress to provide CISA promptly with the resources and
authorities, including administrative subpoena authority, that
it needs to be the National risk manager; to serve as the
central civilian cybersecurity authority to support Federal,
State, local, territorial, and Tribal governments, and the
private sector; to conduct continuity of the economy planning,
a concept that Commissioner Ravich brought to the commission,
so important; identify systemically important critical
infrastructure; and coordinate planning and readiness across
Government and the private sector.
Second, with regard to improving the cyber ecosystem and
reducing vulnerabilities, the commission turned first to
improving the efficiency of the market. We looked at why isn't
the market performing its function of driving better
cybersecurity?
A key reason, we determined, was that markets need
information to operate effectively. So we ask that Congress
establish that National cybersecurity certification and
labeling authority, the kind of Underwriters Laboratories effort
that Congressman Gallagher mentioned; publish guidelines for
secure cloud services; create that Bureau of Cyber Statistics;
promote a more effective and robust cyber insurance market; and
pass a National data breach notification law.
Finally, I believe one of the most important pillars in the
report is resilience. We need to reduce the benefit side in the
adversary's cost-benefit analysis. Often that means reducing
our dependence upon those network systems, developing
redundancies, maybe even analog systems. Paper ballots, for
example, are a way of building resilience into our election
infrastructure.
We have a number of urgent election-related
recommendations, including reforming regulation of on-line
political advertisements, providing grant funding for States to
improve election systems, replace outdated equipment, ensure
voter verifiable paper-based systems, and conduct post-election
audits. These are perhaps the most urgent of our
recommendations.
I would like to close with our recommendation to build
public resilience against information operations that target
elections, but also democracy as a whole. Media literacy is
important, but we also need to focus on deterring the key
objective of our adversaries, which is to weaken democracy by
pouring gasoline on the flames of division that already engulf
on-line discourse, pushing Americans to give up on
institutions, not just elections, but the justice system, the
rule of law, and democracy itself. They portray our
institutions as not just flawed, but irrevocably broken. Where
protesters and judicial reform advocates seek changes to make
our institutions and our Nation stronger, our adversaries seek
only to make us weaker. They want Americans to despair at the
prospect of bringing about change, to despair at the prospect
of being able to discern fact from fiction. They want to
destroy the informed and engaged citizenry upon which a healthy
democracy depends.
To defeat our adversaries' objective, the commission calls
for reinvigorating civics education to help Americans
rediscover our shared values, understand why democracy is so
valuable, that it is under attack, and that every American must
stay engaged to hold our institutions accountable and continue
to move us toward that more perfect union.
Thank you for this opportunity, and I look forward to your
questions.
Mr. Langevin. Thank you, Commissioner Spaulding, again,
both for your participation and valuable contributions to the
Solarium Commission, but your dedication and work on cyber in
general. With that, thank you for your testimony.
Finally, I now recognize Ms. Samantha Ravich to summarize
the commission's statement for 5 minutes.
Dr. Ravich, you are now recognized.
STATEMENT OF SAMANTHA RAVICH, PH.D., COMMISSIONER, CYBERSPACE
SOLARIUM COMMISSION
Ms. Ravich. Thank you. Thank you. Chairman Langevin,
Chairman Thompson, Ranking Member Katko, distinguished Members
of the committee, and my fellow witnesses, whom I have grown to
know and greatly admire over this past year. I thank you for
inviting me to participate in this important hearing about one
of the most pressing questions that our Government is currently
tasked with answering: What steps can the Federal Government
and the private sector do to defend our businesses, our
military, our citizens, our country against future cyber
attacks?
Our recommendations in the Cyber Solarium Commission
focused on shaping the international cyber battle space,
hardening our resilience, and maintaining our capability,
capacity, and credibility to impose costs on the adversary, all
in the service of deterring the type of catastrophic attack
that our 2 esteemed commission chairmen laid out in plainspeak
in the opening pages of the report.
But we would not have lived up to the great responsibility
given to us if we had not thought about what our country would
do in the aftermath of a significant cyber attack. So I want to
spend the next few minutes underscoring one of the commission's
recommendations: The need for the United States to develop and
maintain a continuity of the economy, or COTE plan, which was
introduced last month as a bill in the Senate Banking, Housing,
and Urban Affairs Committee by Senator Peters.
During the Cold War the United States developed continuity
of operations, COO, and continuity of Government, COG, plans to
ensure that the Government could reconstitute and perform a
minimum set of essential public functions in the event of a
nuclear----
[Audio malfunction.]
Ms. Ravich. While COO, COG--Government contingency planning
for the last 60 years, no equivalent effort exists to ensure
the rapid restart and recovery of the U.S. economy after a
major disruption, despite the 2017 U.S. National Security
Strategy identifying economic security as National security,
and the recognition that the private sector, as much as the
U.S. Government itself, is a critical component of the security
of our populace.
So think about it for a moment, what it would mean for the
U.S. military and the security forces of our allies if there
was a major attack on bulk power transmission, not only
knocking out the lights in major metropolitan areas, but taking
transportation systems off-line; or if the major stock
exchanges were compromised; if wholesale payments, medicine,
telecommunications, and trade or logistics were brought down.
Now think about the difficulties that would create for
mobilizing and deploying forces if this all occurred during a
time of international crisis, not knowing which plane, train,
or bus to hop on to get to the rally point; leaving loved ones
at home, scared in the dark and not knowing if their medicine
or baby formula will still be stocked at the local Walmart;
much of the economic base of the United States potentially
losing complete access to their data for good.
Creating and exercising a continuity-of-the-economy plan
will serve as a visible deterrent to adversaries by
demonstrating that the United States has the wherewithal to
respond to a significant cyber attack. It will show that we
will not be cowed, and that, if the economy upon which our
livelihoods depend is brought down by an adversarial cyber
attack, they, the adversary, will feel our wrath.
Our commission's recommendation on COTE revolves around, in
part, determining any additional authorities or resources that
will be required to implement plans in the case of a disaster,
and establishing a framework for rapidly restarting and
recovering core functions in a crisis, giving precedence to
functions whose disruption would cause catastrophic economic
loss, lead to a runaway loss of public confidence, imperil
human life on a National scale, or undermine response,
recovery, or mobilization efforts in a crisis.
Continuity-of-the-economy planning might also further
review the feasibility of disconnecting critical services or
specific industrial control networks if National security
concerns overwhelm the need for internet connectivity
continuity.
Continuity-of-the-economy planning should also further
explore options to store backup, protected data across borders
with allies or partners, particularly in areas where economic
disruption in either country could have cascading effects on
the global economy. This could include technology that
considers what seed data would need to be preserved and
protected in a verified format, with a process to assure no
compromise or manipulation.
Finally, COTE must take into consideration the lack of
readiness by the general public. By its very nature,
continuity-of-the-economy planning will not prioritize. It will
only prioritize the most essential functions of the country and
the locales, both to enable a rapid recovery from a devastating
cyber attack, and to preserve the strength and will to quickly
punish the attacker.
Many industries will not be included in this planning, and
most citizens will not be able to rely on Government assistance
in the period following an attack. But as is also true of
natural disaster preparedness, the American people do not need
to be helpless. DHS and other relevant agencies should expand
citizen preparedness efforts and public awareness mechanisms to
be prepared for such an event.
COTE, along with many other recommendations in the report,
seeks to build upon the work of the Cybersecurity and
Information Security Agency, CISA, at DHS, what they have been
working on for the past couple of years, and seeks to ensure
that the United States is prepared to respond and recover to
the full range of disruptive cyber attacks below and up to the
threshold of COTE.
While it is true that there is no magic solution that will
protect the United States from cyber attacks in perpetuity,
there are steps that the Federal Government can undertake that
will significantly improve the Government's ability to protect
and defend itself from hostile cyber operations.
So as we sit here in our virtual COVID world, trying to
think the unthinkable and plan for the unplannable, we must ask
ourselves the hardest question of all: What would a cyber day
after look like if we didn't undertake continuity-of-the-
economy planning?
So I thank you for this opportunity to testify--questions
and discussions. Thank you.
Mr. Langevin. Very good. Thank you, Commissioner Ravich,
for your testimony and, again, for your leadership on
cybersecurity. You made a valuable contribution, likewise, to
the Solarium Commission process and its recommendations.
With that, again, I thank all the witnesses for their
testimony.
I remind subcommittee Members that we each have 5 minutes
to question the panel, and I now recognize myself for 5 minutes
to begin.
I will start with you, Senator King. Yesterday we saw a
multinational coalition announce that Russian agents were
targeting vaccine research through cyber space. In this
pandemic, health care networks are incredibly important to our
security. And while it is not clear whether the Russians were
seeking to destroy data, the attempts are clearly troubling.
So how would a National cyber director play a role in
preventing incidents like this?
Why did the commission find this construct most efficient?
Senator King. Well, I think the key is to have someone in
overall charge.
As I mentioned before, we have got responsibility for cyber
scattered throughout the Federal Government, a variety of
different agencies, a variety of different authorities, funding
levels. But there is no central coordinating function. There is
no person with the authority of the White House to settle turf
wars, to oversee budgets, and to basically forge cooperation
through the various agencies that are involved.
It was--I think it was one of the most obvious suggestions
of the commission that we talked about. Now, we had quite a bit
of discussion about where it should go, and how it should be
structured. The--but the conclusion--one thought was elevate
CISA, or create a new--essentially, a new Cabinet office. We
rejected that because, No. 1, it would take a long time. No. 2,
it would be duplicative of other functions that are already
there. It wouldn't have the power and authority of the White
House.
So the model we ended up approaching it as is the U.S.
trade representative, who has responsibility for trade that
cuts across a lot of Federal agencies, is Presidentially-
appointed, Senate-confirmed, and has that authority within the
Executive Office of the President.
But the fundamental idea--and I used--I was in business
before I got into politics. When I was doing contracting, I
wanted one throat to choke. That is what we are really talking
about here, one person that is responsible, can be held
accountable. I feel this is, actually, a favor to the
President, to have somebody in that office that he or she can
hold responsible for, and will be accountable for all the
various complex operations of the Federal Government with
regard to cyber.
Mr. Langevin. Thank you, Senator King. I completely agree
with, I concur with you.
Congressman Gallagher, on Wednesday we both testified
before Chairwoman Maloney and the Oversight and Government
Reform Committee. You said something very interesting about
ensuring we appropriately balance offensive and defensive
cyber.
Why is strengthening CISA so fundamental to the
commission's report?
Mr. Gallagher. Thank you. Well, I think, first, let me just
connect it to what Senator King just said. I mean, not only is
it important to have a National cyber director to do
preplanning, coordinate all the efforts of the Federal
Government, but, as I alluded to in my opening testimony, we
have organizations right now that are doing good work. We
really felt the best path forward was to elevate, empower them,
and give them the tools they need to get the job done.
Strengthening CISA in that regard is perhaps one of the
most important recommendations in our final report. As Senator
King and I point out in the Chairman's letter opening the
report, it is not just a matter of better enabling CISA to be
able to do that defensive mission, it is not just a matter of
giving CISA, for example, the authority to do persistent threat
hunting on .gov networks in the way that CYBERCOM and NSA can
do that on .mil networks. It is also a matter of making the
mission of CISA so appealing that CISA can compete for talent
with the likes of Google, Apple, Facebook, and win.
We know we can't compete when it comes to what we can pay
some of the most talented cyber warriors out there, but we can
compete on mission. Indeed, that is one of the things that
General Nakasone told us about the NSA. While he worries about
retention, he can always compete on mission.
So, by giving CISA that elevated position, that really
appealing mission, we believe that we can sort-of solve the
human element that is endemic to every cyber issue. Because, at
the end of the day, while discussions about cyber can get very
technical, they can devolve into jargon about, you know, this
tech--that--these are fundamentally human problems.
I mean, my understanding, at least, of the Twitter hack
this week was that it was--they fooled a human being into
providing administrative credentials that resulted in the
attack. So our greatest failures have been human failures. Our
greatest successes will also be human successes.
So, empowering CISA, giving the director a higher level of
authority and a longer term is one step toward that sort of
human solution to human problems in cyber.
Mr. Langevin. Thank you for that answer, and very
insightful and helpful for everyone to understand. I deeply
appreciate the work that Director Chris Krebs at CISA, the team
there, but they also actually added resources to be able to
grow their entire cyber work force, inherent capability there.
I look forward to supporting that effort.
So my time has expired. I now recognize the Ranking Member
of the subcommittee, Mr. Katko, for 5 minutes.
Mr. Katko. Thank you very much, Mr. Chairman, and thank you
all for, really, a great conversation. It is wonderful to hear
people not sniping from side-to-side, which is all being on the
same page about what we need to do in a bipartisan manner. It
is truly inspiring.
I do want to talk a little bit more about the leadership
issue, because I think it is critically important. It is a
central focus upon which all this sort of stuff can happen. For
20 years I was a Federal organized crime prosecutor, and part
of that was doing the organized crime drug task force cases. We
had our quarterback, and that was the Office of National Drug
Control Policy. He was over it, and be able to look over all
the different disparate agencies that had a hand in drug
enforcement, and kind-of be that person that the President
needs to advise him on all drug-related matters.
So I know I--Senator King, I heard you talk a little bit
about the leadership position, why it is important. But, you
know, I want to drill down a little bit farther, just so people
understand why we need it, similar to the ONDCP position.
So, Ms. Spaulding, perhaps you could talk about why a
National cyber director is important. What are the different
agencies that are involved in the cybersecurity? Because I know
I have Homeland Security, Department of Defense. There is a lot
more. So I would like to kind-of get an understanding of why we
need this coordinated position.
Ms. Spaulding. Ranking Member Katko, thank you. You are
absolutely right. There is really no major agency in the
Federal Government that isn't in some way involved in
cybersecurity. Certainly every agency is involved in ensuring
that it is able to perform its mission-essential functions on
behalf of the American public in the wake of cyber threats and
cyber risks.
So the National cyber director is absolutely essential. We
cannot help but have this cyber activity distributed across the
Government. The, you know, Department of Energy is the--they
are the experts in the electric sector.
[Audio malfunction.]
Ms. Spaulding [continuing]. In the financial services
sector. Having those agencies bring that sector expertise
together with cyber expertise is really important.
So if you are going to have it distributed at NSA and FBI
and DHS and DOE, et cetera, then you need that central
coordination function. That is why that National cyber director
is so important.
Again, having been the under secretary, that is the--was
the equivalent of the director of CISA, I think that White
House support is critically important. It really should not in
any way undermine CISA's coordination role across civilian
government and with the private sector, but stand behind and
give the imprimatur of the White House as CISA endeavors to
undertake those activities.
Mr. Katko. OK, thank you very much. I--in the interest of
time I will forgo asking Senator King, because, really, I
understand fully what the issue is.
But I will note that, from the leadership position, and
having that consistent leadership at the top of CISA, and de-
politicizing the assistant director positions are very
important adjuncts to that, and attracting and maintaining the
talent.
But I do want to talk for a second, because we have 4
nuclear power plants in my district. We have major grid
issues in upstate New York. So, Ms. Ravich, I want to ask you
real quick about my concerns in that area.
Some of the most vulnerable areas of our Nation's
infrastructure and our local municipal utility services often
have limited budgets to support their cyber capabilities. Was
there a discussion at all during the commission's work as to
how to potentially assist State and municipal power and water
utilities with their cyber-related mitigation and controls and
coordination?
Ms. Ravich. Yes, thank you. Thank you very much. We
actually did look particularly at water utilities. There are
70,000 water utilities across the United States. There are
3,000 water utilities alone in the State of California. That is
equal to all electric utilities across the country. Many of
them are very small. Many of them, to cut costs and deal with
personnel issues for the last number of years, have put on--
incorporated some technology that, frankly, isn't safe. Some of
the technology has been made in adversarial countries, and now
it is in our water systems. So, while you may be able to live
in the dark for a day or 2 without energy, try living without
water.
So we recognize this, and we had long conversations about
what could be done to help State, local, Tribal, territorial,
especially, and create--ask for, as a recommendation, the
creation of a cybersecurity assistance fund, knowing that,
again, State and local, you know, needs best practices, needs
assistance. They are not going to be the repository of all
cybersecurity best practices. To make us all safe, we
absolutely have to, from the Federal Government on down, help
the smallest among us.
Mr. Katko. Thank you very much. It is an important issue. I
have got plenty more questions, but I know I am out of time. So
I yield back, Mr. Chairman.
Mr. Langevin. Very good, Mr. Katko. Thank you for your line
of questions.
I just wanted to yield to--if the Chairman is on still, I
will yield to Chairman Thompson. If not, we will go to
Congresswoman Sheila Jackson Lee.
OK, I believe Mr. Thompson has stepped away, so
Congresswoman Sheila Jackson Lee is recognized for 5 minutes.
Ms. Jackson Lee. Thank you very much, Mr. Chairman. I
appreciate this very important hearing, and I am delighted to
be here with the--some very important witnesses that include
Commissioner Ravich, as well as Commissioner Spaulding and my
colleagues, Representative Gallagher and Senator King. I thank
them both for their service on this committee.
Particularly, I will join with my voice, Congressman
Gallagher, to congratulate you on the birth of a beautiful baby
and, I might imagine, where opportunities are not limited. So I
am delighted, and wish your family the best.
This is a very important hearing that deals with addressing
the question of the recommendations by the Cyberspace Solarium
Commission related to how the Federal Government can be more
secure. I am wearing a mask because I am in the epicenter here
in Houston, Texas. I just came to my office to be a part of
this very important hearing. But we are fighting against very
large numbers of COVID-19. In fact, of course, we are about
75,000 cases here in Houston, my home town, and 717 deaths.
Interestingly, cyber is part of how we will survive,
because many people have turned toward cyber and connecting
through the system.
I wholeheartedly agree with the need for a cyber National
director, and I support that. I am also introducing an
amendment to protect--to NDAA to protect the security of
emails. I want to thank Congressman Langevin for his leadership
and support of the amendment, cosponsoring it, as well as
Congressman Gallagher.
I want to raise 2 questions as quickly as I can. Yesterday
we were alerted to a coordinated hack of major U.S. Twitter
accounts, including those of President Obama, Elon Musk, Bill
Gates, Mike Bloomberg, and former U.S. President Joe Biden, and
many others. At that time, where misinformation--at this time,
where misinformation poses one of the greatest threats to
National security, we need cybersecurity policy that will
uphold the truth.
The commission made a number of recommendations designed to
improve collaboration between CISA and the private sector. So I
would appreciate it if--I first go to Commissioner Ravich--to
elaborate on any recommendations that you believe would have
the potential to prevent a similar breach--that we have asked
for our private sector to ramp up their system. I think the
Government needs to not deny the First Amendment rights, but
has to have a forceful place in this. I would welcome the
comments of our two co-chairs, Congressmen Gallagher and King,
but I will start with Commissioner Ravich on that question.
Let me ask my second question, just so it is on the record
for answering, and that is we are very much dependent,
potentially, on the ending of COVID-19, on vaccines. We have
just determined over the last couple of days that Russia has
been interfering with the cyber, or the research on vaccines by
a number of our companies, which really mean life or death for
many Americans.
So, Commissioner Ravich, would you answer the first
question about the violations of Twitter accounts? Thank you.
Ms. Ravich. Yes. Thank you. Thank you very much. You know,
we absolutely looked at--and this was, again, before COVID
started and we were all working from home and relying on these
devices on these networks to be able to interact with our
Government, to be able to register to vote, to be able to go to
the DMV virtually, our Social Security payments. Now we are
realizing that many of these networks could be untrustworthy.
So a few things that we certainly highlighted in our
original report, and then in our pandemic annex, things like
the internet of things security, that individuals, our
populace, should not have to be cybersecurity experts. It is
absurd in this day and age to say that, when my mom or my
neighbor goes to the store and buys a router, that they have to
be cybersecurity experts to know which one is going to protect
them better.
The same way, when you see the locked icon on your email,
the idea that I should automatically know that this is a
trusted certificate. No, there have to be better safeguards in
place from the Government itself.
So the commission really took kind-of 2 tacks at this. One
is what are--what is the responsibility inside the Government?
How can we push ahead with better cybersecurity recognition of
what is secure for individuals that they know what to buy and
what not?
But also, what are the responsibilities from the private
sector, right? The Government can only do its job if it
understands attribution better. What is being attacked? What
type of industrial control systems are most in the crosshairs
of a Russia or Iran or a China or North Korea? Right? So the
U.S. Government needs better information and data to be able to
do intel sharing back to the private sector.
So these are some of the things that the commission really
focused on. But it has to be a different type of relationship
between the U.S. Government and the private sector than really
existed before, if we are all going to be safer.
Ms. Jackson Lee. Thank you. If Senator Gallagher and
Representative--Senator King and Representative Gallagher could
take a moment to comment on Russia's----
Mr. Langevin. Congresswoman, you are not coming through.
Ms. Jackson Lee [continuing]. Research.
Mr. Langevin. Congresswoman Jackson Lee, you are coming
through garbled.
Ms. Jackson Lee. Senator? Senator King.
Mr. Langevin. Senator King is muted.
Senator King. Could you restate the question,
Congresswoman? I couldn't hear it.
Ms. Jackson Lee. I would be happy to.
Senator King. Yes.
Ms. Jackson Lee. I thank the Chairman for indulging.
I just want you to focus on the interference that has been
reported by recent reports about Russia's interference in our
vaccine research--COVID-19 is a pandemic in our Nation surging
in many States--as it relates to the work that we are doing
here to shore up our cyber systems.
Maybe Representative Gallagher would comment, as well. But
the Russians' interference with vaccine research, how important
the report of the Solarium Commission's report is in the work
going forward.
Can you hear me? Did you hear me?
Senator King. Yes, I can. I did. Thank you very much.
First I want to send my warmest thoughts to the people of
Houston. I know what you are going through. I have seen it, and
I am following it, and it is a very tough time. I know it means
a lot to them that you are there with them on this--in this
terrible time.
What the Russians appear to be doing, I think there are a
couple of lessons to be learned from this.
No. 1, there are no boundaries for what our adversaries
will do.
No. 2, the Russians are doing something that the Chinese,
in fact, have been doing for many years, which is, essentially,
theft of intellectual property. The estimates are that Chinese
theft of intellectual property has cost our economy billions of
dollars. So clearly, this is one of the most important areas
that we need to shore up our defenses.
We attended to this in a number of different ways in the
report. But the fundamental--I think one of the fundamental
issues is, as I mentioned in my opening statement, they have to
understand that there is a price to be paid for this. If the
Russians or the Chinese or the Iranians or whoever it is comes
after us and does something like this, and we can attribute it
to a particular country, there needs to be--there need to be
consequences. There need to be results. Otherwise, they will
keep doing it. Why wouldn't they?
So that is the kind of strategic area that we are talking
about. But then also, we need to be more defense-oriented. It
is very interesting that--I can't remember--85 percent of cyber
risk rests upon individuals doing things like clicking on
phishing emails. In other words, the most basic kind of cyber
hygiene would be tremendously important in protecting our
companies and our country from these kinds of attacks.
I don't know how they got into those vaccine companies, but
it wouldn't be surprising at all if it was some kind of
phishing expedition that got the credentials, that got the
password.
So the Government has a lot of things that we can do, and
they are all in our report, or many of them are in our report.
But we also need to support and encourage the citizens to
understand the magnitude of this risk, because it may not be
that they hit the Pentagon, but they are going to try to hit
smaller companies and get into the system in that way.
So you raise a very important question that I think we
really have focused upon, and must continue to do so.
Mr. Langevin. Thank you, Ms. Jackson Lee.
Ms. Jackson Lee. Thank you. Thank you so very much. Thank
you.
Mr. Langevin. Mr. Joyce is now recognized for 5 minutes.
Ms. Jackson Lee. Thank you very much.
Mr. Joyce. Thank you. Thank you, Senator King,
Representative Gallagher, Dr. Ravich, and Commissioner
Spaulding.
I will join in congratulating you, Mike, on the birth of
your wonderful daughter. This is an important time in life, and
yet you are stopping that new family moment and joining with
us.
Each of us, each of us is aware of the hostile cyber--and
you mentioned that, Dr. Ravich.
I think that the discussion, Senator King, that you just
talked about is important, as well. But Mike Gallagher said
something that is important to this conversation. Our greatest
failure will be in human failure. Senator King, you mentioned
that, how easy it is for someone to open an email and allow
that integration into someone's personal cyber world to be
shared and, ultimately, potentially destroyed.
Five years the DMARC protocol has been established. It is
deployed very, very sporadically, but it has increased. What I
am going to ask both you, Commissioner Ravich, and Commissioner
Spaulding to address is what barriers exist to that old
deployment of DMARC, so that potential integration can occur,
and potential protection occur, as well.
Ms. Ravich. OK, I don't know if I should go first.
Well, first of all, I think it is a great point, because
we, obviously, would all be more secure if the uptake on
protocols like that were more expansive. It goes back to some
of the other things that we were looking at on the commission
directly, which will get to your point.
We had looked at things such as final goods assembly
liability, right? I mean, you know, kind-of as I was saying
before, why should my mom be a cybersecurity expert, right? Why
should my doctor be a cybersecurity expert? They should be able
to go--and the devices that they are buying, they should know
that they are secure.
The same thing when I--if you sent me an email, I should
know it is from you. Right now, frankly, in not all places are
things like trusted certificates actually to be trusted.
So we didn't want to be too prescriptive in terms of how
the private sector needs to start to layer on much greater
security in IoT, for instance, and devices, hardware, and
software. So we recommended a number of different ways to kind-
of skin that cat.
But it is true, we are living in a time where, if we don't
make these types of devices, hardware, software more secure, we
will all be more at risk.
Ms. Spaulding. Congressman, I couldn't agree more, and
thank you for your leadership on this important issue.
You are absolutely right that email is one of the most
troubling vectors, and most frequent and common vectors for
malicious cyber activity to get into networks and systems.
DMARC, domain-based message authentication reporting and
conformance, is one of the protocols that has proven to be most
effective, really, at stopping this kind of activity, so
critically important.
You ask why isn't it then just uniformly adopted across the
board? You are correct that it is gaining ground, and its
adoption is moving forward. But I think it is leaders, CEOs,
boards of advisers, secretaries of departments and agencies,
leaders across the board need to support their chief
information security officers when they make these kinds of
recommendations. It is those leaders that decide about resource
allocation, and that becomes very important.
To do that, it is helpful to be able to show a return on
investment. That, again, requires information. It is one of the
reasons that the commission has a recommendation that would
require key companies to report more information about
malicious cyber activity, so that we can begin to build the
kind of repository of data that allows us to be able to tell
those decision makers who are allocating resources the costs of
not implementing something as basic as DMARC.
Mr. Joyce. I think that cost issue is important. I just
have seconds left, but I am perplexed by only 80 percent of
Federal agencies are reported to be implementing DMARC. Are
there specific obstacles that we in Congress should address to
see that all Federal agencies----
Ms. Spaulding. So I think the number--I suspect that that
80 percent covers most, if not all, of the major departments
and agencies of the Government. There are lots of very tiny--
the Millennium Challenge Corporation, the Denali Commission, et
cetera--that really just need a lot of hand-holding to make
these technical changes.
But I applaud you. Keep, you know, keeping their feet to
the fire, and keep pushing this. It is really important. But
thank you.
Mr. Joyce. Thank you, Commissioner. Thank you, and I yield
my time.
Mr. Langevin. I thank the gentleman.
Before I turn to Miss Rice, I need to step away from the
Chair for a few minutes. There is a press conference and a
meeting with our Governor that I need to--a virtual one that I
need to jump on to. It is COVID-related, and related to our
small business community. So I will be stepping away as briefly
as possible, and Ms. Underwood will be taking the gavel to
chair the hearing, going forward. I hope to make it back before
the conclusion.
In the event--in the unlikely event that I am not able to
get back before this is concluded, I do want to thank our
panelists today for their testimony, their leadership on the
Solarium Commission, and their leadership on cyber, which I am
grateful for.
With that, Miss Rice is recognized now for 5 minutes.
Miss Rice. Thank you so much, and I want to thank all of
the--my 2 colleagues and our private-sector witnesses here
today, members of this commission.
As I--if we do not implement every single recommendation in
this report, shame on us, as a Government. I mean, it is just
such common-sense stuff. With everything that is going on right
now in the world, we see in this report why it is so important
to implement every single recommendation.
Congressman Gallagher, I just want to go to you first,
because it seems to me that this is a constant, constant issue
that comes up between public and private partnership. Why is
it, you know, that it is hard for us to get that right?
I mean, do you think it is possible to continue incentive-
based public-private cybersecurity partnerships as part of an
effective cyber defense program, or do you think it is going to
come to Congress having to more strongly consider imposing
mandates?
Mr. Gallagher. Well, I think the other commissioners would
agree that the approach we have largely taken in this report
was to try and incentivize the private sector to work more
closely with the Federal Government or, as we say in the
Chairman's letter, try and incentivize the C-suite types in the
private sector to take cybersecurity seriously.
There are areas, however, where we are, you know, imposing
further requirements that some in the private sector will no
doubt view as onerous, such as the need for large, publicly-
traded companies to do mandatory penetration testing.
But I do think--and connected to the earlier series of
questions on the Russian hack and things like that--I think,
culturally, what we are trying to do here is shift the culture
in the intelligence community and at CISA--and this is my
verbiage, not contained in the final report--from a culture of
need-to-know to more toward need-to-share.
So it is not just that we need the private sector to step
up and do more for their own security, but we also want our
cybersecurity professionals in the Federal Government to be in
a posture where they are constantly sharing information with
the private sector, so that they are seen as a valued partner
with the private sector, and the private sector doesn't view
them suspiciously.
So, toward that end, we recommend creating a joint
collaborative environment, a common and interoperable
environment for sharing and fusing threat information inside,
and other relevant data across the Federal Government, and then
between the public and private sectors. Our recommendation to
strengthen a public-private, integrated cyber center within
CISA is intended to allow for that closer collaboration between
the public and private sector.
Then finally, we have a recommendation about establishing a
joint cyber planning office under CISA to coordinate
cybersecurity, planning, and readiness across the Federal
Government and between the public and private sector.
So I guess, in sum, I still maintain hope that we can
pursue an incentive-based approach. But you are right to
suggest that I think everything hinges on that--the level of
trust between the private sector and the public sector. Because
the reality is, as Senator King and I say in the opening
letter, you know, we are not the Chinese Communist Party. We
can't just dictate outcomes for the private sector, nor should
we want to, right? We want to maintain the free and open and
innovative environment we have in America.
So it is a delicate balance, but it is one we hope we have
struck well in the commission's final report.
Miss Rice. Yes. So it sounds like a little bit of
territorialism, too, which is one of the things that we learned
about in a post-9/11 world. To see that possibly still kind-of
rearing its head is not a good thing.
You know, I just want to be very mindful of my time, and
all of our witnesses' time. I have to give a shout out to Chris
Krebs, because I think he is doing such a great job at CISA,
especially in the area of election security, really reaching
out to individual States to help them secure their election
infrastructure.
But I would like to ask both Ms. Ravich and Spaulding, in
light of the threats and challenges associated with the
upcoming 2020 election, do you think the Federal Government is
doing enough to defend elections from foreign interference?
Ms. Spaulding. So I am happy to start on that. I think not
yet, no.
I agree with you. I think Chris Krebs and the men and women
at CISA are doing a terrific job, and working very hard with
State and local election officials, who I think are also taking
this very seriously. But our--in the commission report we have
a number of recommendations that we really hope Congress will
act on, and will act very quickly.
One of those, obviously, is the reforming of on-line
political advertising to prevent foreign interference in that
regard.
But the other is providing the wherewithal, the support to
our State and local officials so that--in the form of grants,
so that they can do the things that need to be done to put
secure systems in place, but also to put paper-based audit
capabilities in place so that we can reassure the public about
the legitimacy of the process when it is challenged.
Ms. Ravich. Yes, so let me jump in. That is very
thoughtful, as always, what Suzanne had said.
You know, our commission report, as the 2 co-chairmen said,
is--has 3 parts of layered defense. When you look at elections,
each part of that layered defense has to be deployed, right?
So shaping international behavior, it is not only us that
is being attacked in our election, it is all free and
democratic nations. So the----
[Audio malfunction.]
Ms. Ravich [continuing]. With partner nations, our friends
and allies, those who believe in democracy and free enterprise,
so that together we can share lessons learned and bolster our
systems.
The second, resilience. Suzanne spoke about it, as always,
you know, brilliantly. The Election Assistance Commission needs
a stable budget, needs senior cyber expertise because this is
not one and done. It is not like we are going to protect our
systems, and then that is it, we don't ever have to protect
them again. It is going to be consistent and constant.
The third part of layered defense is imposed costs, right?
So the adversaries that try to undermine what makes us a great
Nation, you know, have to actually really understand there will
be costs imposed upon them for this.
So the 3 parts of layered defense you can see when you look
at the question of elections, how they all must relate to one
another to make us more secure.
Miss Rice. Thank you so much. If we can't protect our
elections, I mean, that will doom our democracy, I think,
quicker than anything else.
So I want to thank you all so much for being here today,
and I yield back.
Ms. Underwood [presiding]. Thank you. I now recognize
myself for 5 minutes.
I would like to start by thanking Chairman Thompson for
calling today's hearing, and Chairman Langevin for his
dedicated work to strengthen America's cybersecurity, both as a
commissioner and as a valuable Member of this committee.
Cybersecurity advocates like Mr. Langevin have been sounding
the alarm for years about America's vulnerability to cyber
attacks.
As a representative from Illinois, a State that experienced
a major cyber attack in our election system in 2016, I am well
aware that such attacks pose a threat at all levels of
government, and so a whole-of-Government response is required.
In the last few months the COVID-19 pandemic has exposed
this vulnerability like never before. As Americans have
struggled to telework securely, overworked hospitals have
suffered ransomware attacks. Cyber attacks have targeted
vaccine developers, and more.
I am pleased that the commission built on the
recommendations in the March report by publishing a white paper
in May on cybersecurity lessons from the pandemic. In this
white paper, the commission found that malign foreign
disinformation operations are undermining public health: ``The
resulting confusion is threatening to become a literal matter
of life and death.''
Ms. Spaulding, can you elaborate on how disinformation
impacts our cybersecurity, public health, or other areas of
National security, even to the point of life and death?
Ms. Spaulding. Absolutely, Congresswoman, thank you for
that really important question that--we have seen our
adversaries take advantage of this situation, and putting out
disinformation around COVID that confuses the public. It may
not be that they are able to convince the public necessarily of
the narrative that they are pushing, but they create confusion,
which is deadly enough. If the public gives up, as I say, on
their ability to figure out what is fact when--at a time when
giving the American public facts about what they should be
doing to protect themselves, their families, their communities,
and our Nation, that is extremely destructive.
When we see the COVID coming together with our elections as
election officials are making decisions about how to adjust,
whether to adjust elections in light of the pandemic, and then
those are winding up in courts--and we have seen disinformation
around all 3 of those: COVID, elections, and the courts--and
that is a really dangerous combination that threatens the
peaceful transition of power.
Ms. Underwood. Thank you. I agree with the commission's
assessment of the severe and even deadly security threat posed
by disinformation, which is why, in the last month, I
introduced the Protecting Against Public Safety Disinformation
Act. This bill would direct the Department of Homeland Security
to assess malign foreign disinformation operations that
threaten public safety and share their findings with State and
local authorities like public health departments, emergency
managers, and first responders.
The commission's recommendations repeatedly highlight the
role of State and local officials in hardening our
cybersecurity posture. Ms. Spaulding, why is it so important
for State and local officials to be involved in our National
response to disinformation and other cybersecurity threats?
Ms. Spaulding. So we have gotten used to the idea that
State and local officials are on the front lines of responding
to disasters in the real world. We have to understand, as you
say, that they are also often on the front lines of responding
to disinformation that causes confusion in their communities.
We know that local sources of information are often more
trusted than National sources. We also know that they are being
targeted, both with ransomware, with traditional cyber
activity, but that traditional cyber activity can also be
designed to undermine public confidence, so part of an
information operation. They need to be supported in combating
that.
Ms. Underwood. Thank you. As you may know, the personal
information of 76,000 Illinois voters was accessed by Russian
operatives in 2016. Since then, our State and local election
officials have been working hard to improve election systems
and infrastructure. But due to limited resources, some have
faced challenges in upgrading legacy machines and hiring
additional cybersecurity personnel. Now, when State budgets
across the country have been devastated by this pandemic,
Federal support is more urgently needed than ever.
So over 2 months ago, the House passed a bill, the Heroes
Act, which would provide $3.6 billion for election security
grants in the State. Unfortunately, the Senate has yet to act
on this bill. We know that election security grants like those
in the Heroes Act would equip these State and local officials
with the resources that they desperately need in order to
secure our elections and our National security ahead of the
election in November.
With that, I yield back. I have to step away, and so Miss
Rice will now Chair the hearing. Thank you.
Miss Rice [presiding]. Thank you so much. I--it looks like
we have come to the end of the questioning, so I would love to
thank the--all our witnesses for your valuable testimony today,
and the Members for their questions.
This is a report that every single Member of Congress needs
to digest, and immediately get on board doing something about,
and implementing as many of these recommendations as we can.
The Members of the subcommittee may have additional
questions for the witnesses, and we ask that you respond
expeditiously in writing to those questions.
Without objection, the committee record shall be kept open
for 10 days.
Hearing no further business, other than to congratulate
Mike Gallagher once again on lovely baby Grace, the
subcommittee stands adjourned. Thank you all.
[Whereupon, at 2 p.m., the subcommittee was adjourned.]