[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


               CYBER THREATS IN THE PIPELINE: LESSONS FROM 
                THE FEDERAL RESPONSE TO THE COLONIAL 
                PIPELINE RANSOMWARE ATTACK

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                             AND INNOVATION
                                 
                                 AND THE

          SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY
                        HOUSE OF REPRESENTATIVES

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 15, 2021

                               __________

                           Serial No. 117-18

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
                                   

       Available via the World Wide Web: http://www.govinfo.gov/

                               __________
                               
                   U.S. GOVERNMENT PUBLISHING OFFICE                    
45-310 PDF                 WASHINGTON : 2021                     
          
-----------------------------------------------------------------------------------                                 
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                                 ------                                

     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND 
                               INNOVATION

                 Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas            Andrew R. Garbarino, New York, 
James R. Langevin, Rhode Island          Ranking Member
Elissa Slotkin, Michigan             Ralph Norman, South Carolina
Kathleen M. Rice, New York           Diana Harshbarger, Tennessee
Ritchie Torres, New York             Andrew Clyde, Georgia
Bennie G. Thompson, Mississippi (ex  Jake LaTurner, Kansas
    officio)                         John Katko, New York (ex officio)
               Moira Bergin, Subcommittee Staff Director
          Austin Agrella, Minority Subcommittee Staff Director
                   Mariah Harding, Subcommittee Clerk
                                 ------                                

          SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY

             Bonnie Watson Coleman, New Jersey, Chairwoman
Donald M. Payne, Jr., New Jersey     Carlos A. Gimenez, Florida, 
Dina Titus, Nevada                       Ranking Member
Josh Gottheimer, New Jersey          Jefferson Van Drew, New Jersey
Elaine G. Luria, Virginia            Ralph Norman, South Carolina
Bennie G. Thompson, Mississippi (ex  Mariannette Miller-Meeks, Iowa
    officio)                         John Katko, New York (ex officio)
                Alex Marston, Subcomittee Staff Director
          Kathryn Maxwell, Minority Subcomittee Staff Director
                     Alice Hayes, Subcomittee Clerk
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement.................................................     5
  Prepared Statement.............................................     7
The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement.................................................     8
  Prepared Statement.............................................     9
The Honorable Bonnie Watson Coleman, a Representative in Congress 
  From the State of New Jersey, and Chairwoman, Subcommittee on 
  Transportation and Maritime Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Carlos A. Gimenez, a Representative in Congress 
  From the State of Florida, and Ranking Member, Subcommittee on 
  Transportation and Maritime Security:
  Oral Statement.................................................     4
  Prepared Statement.............................................     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement.................................................     9
  Prepared Statement.............................................    10

                               Witnesses

Ms. Sonya T. Proctor, Assistant Administrator for Surface 
  Operations, Transportation Security Administration, U.S. 
  Department of Homeland Security:
  Oral Statement.................................................    12
  Prepared Statement.............................................    13
Mr. Eric Goldstein, Executive Assistant Director for 
  Cybersecurity, Cybersecurity and Infrastructure Security 
  Agency, U.S. Department of Homeland Security:
  Oral Statement.................................................    16
  Prepared Statement.............................................    18

                                Appendix

Question From Honorable Jefferson Van Drew for Sonya T. Proctor..    45
Question From Honorable Jefferson Van Drew for Eric Goldstein....    45

 
CYBER THREATS IN THE PIPELINE: LESSONS FROM THE FEDERAL RESPONSE TO THE 
                  COLONIAL PIPELINE RANSOMWARE ATTACK

                              ----------                              


                         Tuesday, June 15, 2021

             U.S. House of Representatives,
     Subcommittee on Cybersecurity, Infrastructure 
                Protection, and Innovation, and the
                            Subcommittee on Transportation 
                                     and Maritime Security,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:37 p.m., via 
Webex, Hon. Bonnie Watson Coleman [Chairwoman of the 
Subcommittee on Transportation & Maritime Security] presiding.
    Present: Representatives Clarke, Watson Coleman, Langevin, 
Titus, Slotkin, Gottheimer, Rice, Luria, Thompson (ex officio), 
Garbarino, Gimenez, Van Drew, Harshbarger, Miller-Meeks, Clyde, 
and LaTurner.
    Mrs. Watson Coleman. The Subcommittee on Transportation & 
Maritime Security and the Subcommittee on Cybersecurity, 
Infrastructure Protection, and Innovation will come to order 
for today's hearing titled ``Cyber Threats in the Pipeline: 
Lessons from the Federal Response to the Colonial Pipeline 
Ransomware Attack.''
    Without objection, the Chair is authorized to declare the 
subcommittee in recess at any point.
    Thank you to Chairwoman Clarke, Ranking Member Gimenez, 
Ranking Member Garbarino, and our panel of witnesses for 
joining us.
    The impacts of the May 7 ransomware attack on Colonial 
Pipeline were far-reaching. As we all know now, nearly half of 
the East Coast's fuel is supplied by the Colonial Pipeline. 
When the pipeline was shut down, Americans struggled to fill up 
their gas tanks, and the incident threatened to cause major 
disruptions to the economy and well-being of our country. That 
is why it is so important for us to have a conversation today 
about the Federal Government's response to the Colonial 
incident and its role in ensuring the cybersecurity of our 
critical infrastructure.
    Last week, we heard from the CEO of Colonial Pipeline about 
how his company responded to the ransomware attack against it. 
I also asked him why his company, prior to the attack, appears 
to have resisted TSA's efforts to assess its pipeline security 
prior to the attack.
    Today, we will hear from TSA and CISA, the DHS components 
that are charged with ensuring the cybersecurity of our 
Nation's pipelines and responding to cyber incidents. I am 
looking forward to learning, not only about TSA and CISA's 
engagement with Colonial before and after this incident, but 
also about their plans to ensure we are better prepared next 
time. Unfortunately, we know that there will be a next time.
    In recent weeks, we have seen 2 transportation systems fall 
victim to ransomware attacks in New York City and in 
Massachusetts. Hospitals have been brought to a halt. Even one 
of our Nation's largest meat-packers was shut down.
    We must ask ourselves what is next. Our power grid? Our 
aviation system? Maybe the next time it won't be foreign 
hackers looking for a quick payday but, rather, a nation-state 
looking to cripple our economy. Given the magnitude of these 
threats, we need to ensure CISA and sector-specific agencies 
like TSA have the tools and the authorities that they need to 
take action and that they use them.
    In the pipeline context, since TSA's establishment nearly 
20 years ago, it has been the principal Federal entity 
responsible for pipeline security. To this end, TSA publishes 
pipeline security guidance and conducts pipeline security 
assessments and inspections, including assessments that focus 
specifically on cybersecurity. To date, these assessments have 
been voluntary and, unfortunately, voluntary standards have 
proven insufficient.
    According to TSA, prior to the attack, TSA had asked 
Colonial Pipeline on no less than 13 occasions to participate 
in physical and cyber pipeline security assessments. Citing 
COVID-19, Colonial repeatedly delayed and chose not to 
participate. On multiple occasions Colonial didn't even bother 
responding to TSA's emails. In fact, Colonial still has not 
agreed to participate in a physical assessment, and only agreed 
to cooperate with TSA's cybersecurity assessment 3 weeks after 
the ransomware attack occurred.
    What's more, when a Member of this committee asked 
Colonial's CEO whether he would accept CISA's assistance, he 
politely but firmly declined. If this is at all indicative of 
how pipeline owners and operators view their regulators and 
their Federal partners, we have a problem. Although many of 
these systems may be owned by private companies, when you 
operate infrastructure that we all depend on, you have a 
responsibility to the public.
    The good news is that the TSA administrator has existing 
authority--statutory authority--to address this. Just a few 
weeks ago, TSA used this authority to impose the first 
mandatory cybersecurity requirements on pipeline owners and 
operators. Specifically, now they must report breaches, 
designate cybersecurity coordinators, and self-assess their 
compliance with TSA security guidance.
    This is an important first step, but there is clearly more 
that needs to be done. We must resource and empower TSA and 
CISA to act boldly and swiftly to ensure operators of pipelines 
and all other forms of transportation harden their systems. 
Meanwhile, it is similarly important that other agencies in the 
Federal Government respect TSA and CISA's experience and 
expertise on these matters.
    The cybersecurity of our critical infrastructure is too 
serious for us to reinvent the wheel by providing duplicative 
authorities to the Department of Energy. DHS has the existing 
statutory authority and technical talent that we need to tackle 
this challenge.
    Finally, before I conclude, I must note my disappointment 
that the FBI declined an invitation to attend this hearing. It 
is critical that Members fully understand the FBI's role and 
efforts to counter cyber threats, and I look forward to their 
participation in future events on these topics.
    That said, I am looking forward to hearing from today's 
witnesses about how the attack on Colonial Pipeline will inform 
their approaches going forward.
    [The statement of Chairwoman Watson Coleman follows:]
             Statement of Chairwoman Bonnie Watson Coleman
                             June 15, 2021
    The impacts of the May 7 ransomware attack on Colonial Pipeline 
were far-reaching. As we all know now, nearly half of the East Coast's 
fuel is supplied by the Colonial Pipeline. When the pipeline was shut 
down, Americans struggled to fill up their gas tanks, and the incident 
threatened to cause major disruptions to the economy and well-being of 
our country. That's why it's so important for us to have a conversation 
today about the Federal Government's response to the Colonial incident 
and its role in ensuring the cybersecurity of our critical 
infrastructure.
    Last week, we heard from the CEO of Colonial Pipeline about how his 
company responded to the ransomware attack against it. I also asked him 
why his company, prior to the attack, appears to have resisted TSA's 
efforts to assess the pipeline's security prior to the attack. Today, 
we will hear from TSA and CISA--the DHS components charged with 
ensuring the cybersecurity of our Nation's pipelines and responding to 
cyber incidents. I am looking forward to learning not only about TSA 
and CISA's engagement with Colonial before and after this incident, but 
also about their plans to ensure we are better prepared next time. 
Unfortunately, we know there will be a next time.
    In recent weeks, we've seen 2 transportation systems fall victim to 
ransomware attacks in New York City and Massachusetts. Hospitals have 
been brought to a halt. Even one of our Nation's largest meatpackers 
was shut down. We must ask ourselves: What's next? Our power grid? Our 
aviation system? Maybe next time it won't be foreign hackers looking 
for a quick pay day, but rather a nation-state looking to cripple our 
economy. Given the magnitude of these threats, we need to ensure CISA 
and sector-specific agencies like TSA have the tools and authorities 
they need to take action--and that they use them.
    In the pipeline context, since TSA's establishment nearly 20 years 
ago, it has been the principal Federal entity responsible for pipeline 
security. To this end, TSA publishes pipeline security guidance and 
conducts pipeline security assessments and inspections--including 
assessments that focus specifically on cybersecurity. To date, these 
assessments have been voluntary--and unfortunately, voluntary standards 
have proven insufficient.
    According to TSA, prior to the attack TSA asked Colonial Pipeline 
on no less than 13 occasions to participate in physical and cyber 
pipeline security assessments. Citing COVID-19, Colonial repeatedly 
delayed and chose not to participate. On multiple occasions, Colonial 
didn't even bother responding to TSA's emails. In fact, Colonial still 
has not agreed to participate in the physical assessment, and only 
agreed to cooperate with TSA's cybersecurity assessment 3 weeks after 
the ransomware attack occurred. What's more, when a Member of this 
committee asked Colonial's CEO whether he'd accept CISA's assistance, 
he politely but firmly declined. If this is at all indicative of how 
pipeline owners and operators view their regulators, we have a problem.
    Although many of these systems may be owned by private companies, 
when you operate infrastructure that we all depend on, you have a 
responsibility to the public. The good news is that the TSA 
administrator has existing statutory authority to address this. Just a 
few weeks ago, TSA used this authority to impose the first mandatory 
cybersecurity requirements on pipeline owners and operators. 
Specifically, now they must report breaches, designate cybersecurity 
coordinators, and self-assess their compliance with TSA's security 
guidance. This is an important first step, but there is clearly more 
that needs to be done.
    We must resource and empower TSA and CISA to act boldly and swiftly 
to ensure operators of pipelines and all other forms of transportation 
harden their systems. Meanwhile, it is similarly important that other 
agencies in the Federal Government respect TSA and CISA's experience 
and expertise on these matters. The cybersecurity of our critical 
infrastructure is too serious for us to reinvent the wheel by providing 
duplicative authorities to the Department of Energy. DHS has the 
existing statutory authority and technical talent we need to tackle 
this challenge.
    Finally, before I conclude, I must note my disappointment that the 
FBI declined an invitation to attend this hearing. It is critical that 
Members fully understand the FBI's role and efforts in countering cyber 
threats, and I look forward to their participation in future events on 
these topics.

    Mrs. Watson Coleman. The Chair now recognizes the Ranking 
Member of the Subcommittee on Transportation & Maritime 
Security, the gentleman from Florida, for an opening statement.
    Mr. Gimenez. Thank you, Chairwoman Watson Coleman, 
Chairwoman Clarke, and Ranking Member Garbarino.
    I am pleased that the CIPI and TMS subcommittees are 
holding this joint hearing today on cyber threats to pipelines. 
As we saw with the recent ransomware attack on the Colonial 
Pipeline, securing our Nation's 2.7 million miles of pipeline 
is of utmost importance.
    I look forward to hearing today from Mr. Eric Goldstein of 
CISA and Ms. Sonya Proctor of TSA on how CISA and TSA work 
together to ensure pipelines are secure from cyber threats. I 
thank the witnesses for their time today.
    I am interested to hear from TSA on the pipeline industry's 
compliance with the security directive that TSA issued last 
month. I look forward to Ms. Proctor detailing what plans TSA 
has for additional directives in the near future.
    I am concerned with the approach to move pipeline security 
oversight from the Department of Homeland Security and into the 
Department of Energy. I wholeheartedly agree that there is more 
that TSA can do in terms of increasing its resources and 
expertise, but I believe TSA or the Department of Homeland 
Security is the appropriate agency to oversee pipeline 
security.
    TSA's close corroboration with CISA serves to ensure that 
there is a strong DHS effort in securing all transportation 
modes against cyber threats. As a committee, we need to 
continue to strengthen our Nation's cybersecurity by 
strengthening CISA and giving them all the tools and 
responsibilities needed to keep all of our cyber infrastructure 
safe and secure.
    I look forward to the discussion today of finding ways to 
improve security of our Nation's pipelines against continued 
threats of cyber attacks and, frankly, all of our Nation's 
security threats and how we can protect the United States of 
America from cyber threats in the future.
    Madam Chairwoman, I also share your displeasure that the 
FBI did not participate today.
    Thank you, Madam Chairwoman. I yield back the balance of my 
time.
    [The statement of Ranking Member Gimenez follows:]
             Statement of Ranking Member Carlos A. Gimenez
    Thank you, Chairwoman Watson Coleman, Chairwoman Clarke, and 
Ranking Member Garbarino. I am pleased that the CIPI and TMS 
subcommittees are holding this joint hearing today on cyber threats to 
pipelines. As we saw with the recent ransomware attack on Colonial 
Pipeline, securing our Nation's 2.7 million miles of pipeline is of 
utmost importance.
    I look forward to hearing today from Mr. Eric Goldstein of CISA and 
Ms. Sonya Proctor of TSA on how CISA and TSA work together to ensure 
pipelines are secure from cyber threats. I thank the witnesses for 
their time today.
    I am interested to hear from TSA on the pipeline industry's 
compliance with the Security Directive that TSA issued last month. I 
look forward to Ms. Proctor detailing what plans TSA has for additional 
directives in the near future.
    I am concerned with the push to move pipeline security oversight 
from the Department of Homeland Security and into the Department of 
Energy. I wholeheartedly agree that there is more that TSA can do in 
terms of increasing its resources and expertise, but I believe TSA or 
the Department of Homeland Security are the appropriate agency to 
oversee pipeline security.
    TSA's close collaboration with CISA serves to ensure that there is 
a strong DHS effort in securing all transportation modes against cyber 
threats. As a committee we need to continue to strengthen our Nation's 
cybersecurity by strengthening CISA and giving them all the tools and 
responsibilities needed to keep all of our cyber infrastructure safe 
and secure.
    I look forward to the discussion today and finding ways to improve 
the security of our Nation's pipeline against the continued threat of 
cyber attacks and frankly, all of our Nation's security threats and how 
we can protect the United States from cyber attacks in the future. 
Madam Chairwoman, I also share your displeasure that the FBI did not 
participate today. Thank you, Madam Chairwoman, and I yield back the 
balance of my time.

    Mrs. Watson Coleman. Thank you, Ranking Member.
    The Chair now recognizes the Chairwoman of the Subcommittee 
on Cybersecurity, Infrastructure Protection, and Innovation, 
the gentlelady from New York, for an opening statement.
    Ms. Clarke. I thank you, Madam Chairwoman, Bonnie Watson 
Coleman. To Ranking Members Gimenez and Garbarino, I thank you 
for working with me on today's hearing, and to our witnesses 
for joining us today.
    The ransomware attack on Colonial Pipeline was a reminder 
to us all that cyber attacks can do more than compromise our 
data. We have seen ransomware attacks cripple hospitals, 
manufacturers, municipalities, and meat packers. We have seen 
ransom demands skyrocket, operations brought to a standstill, 
and organizations left without many viable options aside from 
paying an unknown group of criminals who may or may not be 
subject to U.S. sanctions.
    Unfortunately, the takeaway for many of our criminals 
behind these attacks is ransomware is easy money. These attacks 
are not the stuff of SolarWinds. They are simple, 
unsophisticated, and rely on common cybersecurity missteps 
present in most organizations.
    I say this not to be fatalistic but to acknowledge the 
tremendous challenge we face. These attacks are not going to 
slow down, and adversaries have learned that the higher the 
stakes for the victim, the higher the payout they will likely 
get.
    If there is one message I hope to drive home today it is 
that this administration needs to have a plan for responding to 
cyber incidents and be ready to execute that plan at a moment's 
notice, specifically the National Cyber Incident Response Plan, 
which lays out clear roles for CISA, FBI, and other parts of 
the Federal Government that play a role in responding to cyber 
attacks on critical infrastructure.
    We also have long-standing directives, like PPD-21 and PPD-
41, that makes CISA responsible for coordinating Federal 
efforts to secure critical infrastructure and doing so hand-in-
hand with Sector Risk Management agencies like TSA, which 
oversees security for the pipeline sector.
    It appears the administration deviated from that plan in a 
number of ways, and I want to understand why that happened and 
what is being done to fix it. I want to see this administration 
become a well-oiled machine when it comes to responding to 
these attacks because that is what will be demanded moving 
forward.
    The second point I hope to make today is this: Although 
CISA has come a long way in a short amount of time, there is 
still parts of its mission that we need to clarify, and there 
are parts of its mission that we need to authorize and resource 
commensurate to the enormous job we are asking this new agency 
to do.
    Right now, CISA is tasked with leading asset response 
activities during a significant cyber incident, but what if the 
victim organization hires FireEye instead? What if they decline 
CISA's offer to provide technical assistance and delay or 
refuse to share information about the incident with CISA? What 
if they never report the incident to the Federal Government in 
the first place?
    This undermines our National security. CISA needs access to 
information it can use to understand the threat landscape and 
develop technical indicators that will help other entities 
prepare for similar attacks.
    As I have said before, I am working on legislation that 
will require critical infrastructure to report certain 
cybersecurity incidents to CISA, so that we are developing the 
muscle memory and the institutional knowledge to improve our 
cyber defenses over time. But this is only half of the battle. 
CISA also needs real-time visibility into threats on private-
sector networks, so they are empowered to collaborate with 
owners and operators before, during, and after an attack, or 
prevent the attack from happening in the first place.
    This is especially true for the industrial control systems 
that power pipeline operations, energy generation, and 
countless other industrial functions we rely on each and every 
day. These systems are increasingly connected to business and 
IT networks, which makes them vulnerable, and simply severing 
those connections is not always feasible.
    For the past few years, CISA has been piloting a program 
called CyberSentry that gives CISA the ability to monitor and 
detect cyber threats on participating critical infrastructure 
partner networks and work proactively with owners and operators 
to address threats in real time. This is exactly the kind of 
operational role that Congress envisioned CISA playing on 
critical infrastructure cybersecurity, and I am currently 
working on legislation to strengthen and codify these efforts.
    I would be remiss if I did not mention that the Federal 
Government can only do so much. We need private-sector critical 
infrastructure to step up, not just by investing in their own 
cybersecurity, but also by partnering with the Federal 
Government. We need the private sector to open the door to CISA 
and TSA, not just because it benefits them, but because it 
benefits our collective National security.
    In conclusion, I will also echo the Chairwoman's 
disappointment and our Ranking Member's disappointment that the 
FBI declined our invitation to participate in today's hearing. 
You cannot espouse the virtues of a whole-of-Government 
response 1 minute and then refuse to appear before the Congress 
with your interagency partners the next. But I, nevertheless, 
look forward to hearing from the DHS officials who have 
answered the call to testify before us today.
    With that, Madam Chairwoman, I yield back.
    [The statement of Chairwoman Clarke follows:]
                Statement of Chairwoman Yvette D. Clarke
                             June 15, 2021
    The ransomware attack on Colonial Pipeline was a reminder to us all 
that cyber attacks can do more than compromise our data. We've seen 
ransomware attacks cripple hospitals, manufacturers, municipalities, 
and meatpackers. We've seen ransom demands skyrocket, operations 
brought to a standstill, and organizations left without many viable 
options aside from paying an unknown group of criminals who may or may 
not be subject to U.S. sanctions. Unfortunately, the takeaway for many 
of criminals behind these attacks is: Ransomware is easy money.
    These attacks are not the stuff of SolarWinds--they're simple, 
unsophisticated, and rely on common cybersecurity missteps present in 
most organizations. I say this not to be fatalistic, but to acknowledge 
the tremendous challenge we face. These attacks are not going to slow 
down--and adversaries have learned that the higher the stakes for the 
victim, the higher the payout they'll likely get.
    If there is one message I hope to drive home today, it's that this 
administration needs to have a plan for responding to cyber incidents, 
and be ready to execute that plan in a moment's notice. Specifically, 
the National Cyber Incident Response Plan--which lays out clear roles 
for CISA, FBI, and other parts of the Federal Government that play a 
role in responding to cyber attacks on critical infrastructure. We also 
have long-standing directives, like PPD-21 and PPD-41, that make CISA 
responsible for coordinating Federal efforts to secure critical 
infrastructure, and doing so hand-in-hand with Sector Risk Management 
agencies like TSA, which oversees security for the pipeline sector.
    It appears the administration deviated from that plan in a number 
of ways--and I want to understand why that happened, and what's being 
done to fix it. I want to see this administration become a well-oiled 
machine when it comes to responding to these attacks--because that's 
what will be demanded moving forward. The second point I hope to make 
today is this: Although CISA has come a long way in a short amount of 
time, there are still parts of its mission that we need to clarify. 
And, there are parts of its mission that we need to authorize and 
resource commensurate to the enormous job we're asking this new agency 
to do.
    Right now, CISA is tasked with leading asset response activities 
during a significant cyber incident--but what if the victim 
organization hires FireEye instead? What if they decline CISA's offer 
to provide technical assistance and delay or refuse to share 
information about the incident with CISA? What if they never report the 
incident to the Federal Government in the first place? This undermines 
our National security. CISA needs access to information it can use to 
understand the threat landscape and develop technical indicators that 
will help other entities prepare for similar attacks.
    As I've said before, I'm working on legislation that will require 
critical infrastructure to report certain cybersecurity incidents to 
CISA so that we're developing the muscle memory and the institutional 
knowledge to improve our cyber defenses over time. But this is only 
half the battle. CISA also needs real-time visibility into threats on 
private-sector networks, so they're empowered to collaborate with 
owners and operators before, during, and after an attack--or, prevent 
the attack from happening in the first place.
    This is especially true for the industrial control systems that 
power pipeline operations, energy generation, and countless other 
industrial functions we rely on every day. These systems are 
increasingly connected to business and IT networks, which makes them 
vulnerable--and simply severing those connections is not always 
feasible.
    For the past few years, CISA has been piloting a program called 
CyberSentry that gives CISA the ability to monitor and detect cyber 
threats on participating critical infrastructure partner networks, and 
work proactively with owners and operators to address threats in real 
time. This is exactly the kind of operational role that Congress 
envisioned CISA playing on critical infrastructure cybersecurity, and I 
am currently working on legislation to strengthen and codify these 
efforts. I would be remiss if I did not mention that the Federal 
Government can only do so much.
    We need private-sector critical infrastructure to step up--not just 
by investing in their own cybersecurity, but also by partnering with 
the Federal Government. We need the private sector to open the door to 
CISA and TSA--not just because it benefits them, but because it 
benefits our collective National security. In conclusion, I will echo 
the Chairwoman's disappointment that the FBI declined our invitation to 
participate in today's hearing. You cannot espouse the virtues of a 
whole-of-Government's response 1 minute, then refuse to appear before 
Congress with your interagency partners the next.

    Mrs. Watson Coleman. I thank the gentlelady from New York.
    I now recognize the Ranking Member of the Subcommittee on 
Cybersecurity, Infrastructure Protection, and Innovation, the 
gentleman from New York, for an opening statement.
    Mr. Garbarino. Thank you, Chairwoman.
    First, I would like to thank you, as well as Chairwoman 
Clarke and Ranking Member Gimenez, for calling this important 
hearing. I thank our witnesses for being here today.
    Last week's full committee hearing on this topic was an 
important opportunity to peer into the decision-making process 
at Colonial and to better understand the business or victim-
facing side of an attack. This week's hearing affords us a 
unique opportunity to closer examine the Federal Government's 
coordination and response efforts following an attack.
    While Ranking Member Katko, myself, and our partners on the 
other side of the aisle have all expressed concern with the 
White House's decision to have the Department of Energy leading 
the Federal response to this attack instead of CISA and TSA as 
the lead agencies for the pipeline sector, we should all 
recognize that the decision was not any of yours to make. We 
are very appreciative of your efforts in response to this hack 
and many others, but there are clearly still many questions 
regarding this attack that need answers, and I hope we are able 
to get clarity on the outstanding issues here today.
    I am also interested in learning more about the value CISA 
is providing to industry leadership such as organization CEOs 
and CIOs. CISA provides a treasure trove of helpful guidance 
and resources for organizations to bolster their cyber posture, 
but it is increasingly clear that it should be hitting the 
desks of our Nation's CEOs and CIOs who are making the tough 
investment decisions.
    While many of the Members of our subcommittees understand 
the inherent value that CISA provides to agencies and industry 
alike, the truth is that CISA still has a lot to prove to the 
Hill, and it is important that you all are able to demonstrate 
that value. As the newest agency with the newest department, 
you are going to have to be forceful in staking your claim to 
ensure you are all leading the charge on major cyber incidents.
    The White House also shoulders some responsibility. It must 
empower CISA with the stature to be successful and 
appropriately delineate responsibilities between CISA, the 
Sector Risk Management agencies, and the incoming National 
cyber director. Cyber threats are rarely isolated to one 
sector, but CISA's role as the central agency that can connect 
the dots and share threat information across multiple sectors 
will help secure all critical infrastructure across our Nation.
    It is also important that you all are not bashful when it 
comes to highlighting areas that need strengthening and areas 
that require additional resources, personnel, or authorities.
    Thank you all for being here today. I yield back.
    [The statement of Ranking Member Garbarino follows:]
            Statement of Ranking Member Andrew R. Garbarino
    I thank our Chairs for calling this important hearing, and I thank 
our witnesses for being here today.
    Last week's full committee hearing on this topic was an important 
opportunity to peer into the decision-making process at Colonial and to 
better understand the business or victim-facing side of an attack.
    This week's hearing affords us a unique opportunity to closer 
examine the Federal Government's coordination and response efforts 
following an attack.
    While Ranking Member Katko, myself, and our partners on the other 
side of the aisle have all expressed concern with the White House's 
decision to have the Department of Energy leading the Federal response 
to this attack, instead of CISA and TSA as the lead agencies for the 
pipeline sector, we should all recognize that the decision was not any 
of yours to make. We are very appreciative of your efforts in response 
to this hack, and many others.
    But there are clearly still many questions regarding this attack 
that need answers, and I hope we're able to get clarity on the 
outstanding issues here today.
    I'm also interested in learning more about the value CISA is 
providing to industry leadership, such as organization CEOs and CIOs. 
CISA provides a treasure trove of helpful guidance and resources for 
organizations to bolster their cyber posture, but it's increasingly 
clear that it should be hitting the desk of our Nation's CEOs and CIOs, 
who are making the tough investment decisions.
    While many of the Members of our subcommittees understand the 
inherent value that CISA provides to agencies and industry alike, the 
truth is that CISA still has a lot to prove to the Hill, and it's 
important that you all are able to demonstrate that value.
    As the newest agency within the newest department, you are going to 
have to be forceful in staking your claim to ensure you all are leading 
the charge on major cyber incidents. The White House also shoulders 
some responsibility. It must empower CISA with the stature to be 
successful and appropriately delineate responsibilities between CISA, 
the Sector Risk Management agencies, and the incoming National cyber 
director. Cyber threats are rarely isolated to one sector, thus CISA's 
role as the central agency that can connect the dots and share threat 
information across multiple sectors will help secure all critical 
infrastructure across our Nation.
    It is also important that you all are not bashful when it comes to 
highlighting areas that need strengthening, and areas that require 
additional resources, personnel, or authorities.
    Thank you all for being here today.

    Mrs. Watson Coleman. Thank you very much to the Ranking 
Member.
    Members are also reminded that the committees will operate 
according to the guidelines laid out by the Chairman and the 
Ranking Member in their February 3 colloquy regarding remote 
procedures.
    The Chair now recognizes the Chairman of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for an 
opening statement.
    Mr. Thompson. Thank you very much.
    Good afternoon. I want to thank Chairwoman Watson Coleman 
and Chairwoman Clarke for holding this important hearing on the 
Federal response to the recent ransomware attack on Colonial 
Pipeline.
    The attack on May 7 that resulted in a week-long shutdown 
of 5,500 miles of petroleum pipeline on the East Coast clearly 
represents a significant cyber attack on critical 
transportation infrastructure. It is clear that the future will 
bring more attacks like this, whether they are by organizations 
like DarkSide that seek to exploit cybersecurity weaknesses for 
profit or foreign enemies seeking to weaken our Nation. The 
Federal Government must be prepared to fight off attacks and 
respond to successful security breaches swiftly and 
effectively.
    The Cybersecurity and Infrastructure Security Agency is the 
lead Federal coordinator for securing critical infrastructure 
from cyber attacks, and the Transportation Security 
Administration is the designated Sector Risk Management agency 
for pipelines. Yet Colonial failed to properly engage with TSA 
in recent months in order to safeguard their pipeline against 
attacks, and repeatedly rejected technical assistance from CISA 
following the ransomware incident.
    While I am pleased that Colonial has finally agreed to a 
virtual cybersecurity assessment from TSA, I am alarmed that 
they refused to do so until 3 weeks after an attack that 
resulted in the full shutdown of their pipeline. Despite 
authority placed within the Department of Homeland Security to 
respond to cyber attacks on pipelines, including through TSA's 
authority to issue emergency security directives, the 
Department of Energy was made the lead agency for response to 
the Colonial incident.
    Additionally, the Federal Government did not deem the 
attack a significant cyber incident, as defined by policy, 
despite its substantial impact. If you don't believe me, ask 
those folks who were trying to find gasoline all over, 
everywhere, while this event was going on. It was a significant 
cyber event.
    Cyber incident response plans have been carefully crafted 
to ensure proper Government response to incidents, and we must 
ensure they are followed appropriately. The attacks on Colonial 
and others provide opportunities to learn and improve the 
resiliency of the pipeline sector and critical infrastructure 
across the United States.
    I was pleased to see TSA take initial action by issuing the 
first-ever mandatory cybersecurity requirements for pipelines. 
These new requirements went into effect on May 28 and will be 
critical to improving coordination among the pipeline industry, 
CISA, and TSA.
    More must be done to increase protections for our pipelines 
and allow Federal authorities greater ability to assess 
weaknesses in critical transportation infrastructure. 
Unfortunately, cyber criminals are not going anywhere anytime 
soon. In fact, they are getting smarter, and cyber attacks are 
likely to become more common. We must ensure the Department of 
Homeland Security remains at the forefront of protecting our 
critical infrastructure from these threats.
    I look forward to our testimony. I yield back, Madam Chair.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                             June 15, 2021
    The attack on May 7 that resulted in the week-long shutdown of 
5,500 miles of petroleum pipeline on the East Coast clearly represents 
a significant cyber attack on critical transportation infrastructure. 
It is clear that the future will bring more attacks like this, whether 
from organizations like DarkSide that seek to exploit cybersecurity 
weaknesses for profit or foreign enemies seeking to weaken our Nation.
    The Federal Government must be prepared to fight off attacks and 
respond to successful security breaches swiftly and effectively. The 
Cybersecurity and Infrastructure Security Agency is the lead Federal 
coordinator for securing critical infrastructure from cyber attacks, 
and the Transportation Security Administration is the designated Sector 
Risk Management agency for pipelines. Yet Colonial failed to properly 
engage with TSA in recent months in order to safeguard their pipelines 
against attack and repeatedly rejected technical assistance from CISA 
following the ransomware incident.
    While I am pleased that Colonial has finally agreed to a virtual 
cybersecurity assessment from TSA, I am alarmed that they refused to do 
so until 3 weeks after an attack that resulted in the full shutdown of 
their pipeline. Despite the authority placed within the Department of 
Homeland Security to respond to cyber attacks on pipelines, including 
through TSA's authorities to issue emergency security directives, the 
Department of Energy was made the lead agency for response to the 
Colonial incident. Additionally, the Federal Government did not deem 
the attack a ``significant cyber incident'' as defined by policy, 
despite its substantial impact.
    Cyber incident response plans have been carefully crafted to ensure 
proper Government response to incidents, and we must ensure they are 
followed appropriately. The attacks on Colonial and others provide 
opportunities to learn improve the resiliency of the pipeline sector 
and critical infrastructure across the United States. I was pleased to 
see TSA take initial action by issuing the first-ever mandatory 
cybersecurity requirements for pipelines. These new requirements went 
into effect on May 28 and will be critical in improving coordination 
among the pipeline industry, CISA, and TSA.
    More must be done to increase protections for our pipelines and 
allow Federal authorities greater ability to assess weaknesses in 
critical transportation infrastructure. Unfortunately, cyber criminals 
are not going anywhere anytime soon. In fact, they are getting smarter, 
and cyber attacks are likely to become more common. We must ensure the 
Department of Homeland Security remains at the forefront of protecting 
our critical infrastructure from these threats.

    Mrs. Watson Coleman. Thank you very much, Chairman.
    I now would like to welcome our panel of witnesses.
    Ms. Sonya Proctor is the assistant administrator for 
surface operations at the Transportation Security 
Administration. In her role, she is responsible for strategic 
surface transportation security operations, not only agency-
wide but also on a National level and scope, for all surface 
transportation modes, including mass transit, freight, rail, 
highway, motor carrier, and pipelines.
    Ms. Proctor has served in several roles at TSA previously, 
including in leadership roles at Ronald Reagan Washington 
National Airport and within the Office of Law Enforcement and 
Federal Air Marshal Service. Prior to joining TSA, Ms. Proctor 
served 25 years in the Metropolitan Police Department, rising 
from a patrol officer to interim chief of police, and she 
served as the chief of police for the Amtrak police department.
    Mr. Eric Goldstein serves as the executive assistant 
director for cybersecurity for the Cybersecurity and 
Infrastructure Security Agency. In his role, Mr. Goldstein 
leads CISA's mission to protect and strengthen Federal civilian 
agencies and the Nation's critical infrastructure against cyber 
threats.
    Previously, Mr. Goldstein was the head of cybersecurity, 
policy strategy, and regulation at Goldman Sachs, and he served 
in various leadership roles at CISA's precursor agency, the 
National Protection and Programs Directorate. Mr. Goldstein has 
also practiced cybersecurity law at an international law firm, 
led cybersecurity research and analysis projects at a 
Federally-funded research and development center, and served as 
a fellow at the Center for Strategic and International Studies.
    Without objection, the witnesses' full statements will be 
inserted in the record.
    I now ask each witness to summarize his or her statement 
for 5 minutes, beginning with Ms. Proctor.

  STATEMENT OF SONYA T. PROCTOR, ASSISTANT ADMINISTRATOR FOR 
  SURFACE OPERATIONS, TRANSPORTATION SECURITY ADMINISTRATION, 
              U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Proctor. Good afternoon, Chairwomen Watson Coleman and 
Clarke, Ranking Members Gimenez and Garbarino, and 
distinguished Members of the subcommittees. I appreciate the 
opportunity to appear before you today to discuss TSA's role in 
securing our Nation's pipeline systems. I also thank you for 
your indulgence as I resolved my own technology issues this 
afternoon.
    Our Nation's pipeline systems are vital to the economy, our 
National security, and the livelihood of our country. There are 
more than 2.8 million miles of natural gas and hazardous liquid 
pipelines owned and operated by over 3,000 private companies.
    Pipelines are susceptible to physical attacks and, as 
recently evidenced, cyber intrusions as well. These threats 
have the potential to negatively impact our National security, 
economy, commerce, and well-being.
    For these reasons, TSA remains committed to securing our 
Nation's pipelines against evolving and emerging risks. To 
support this commitment, in October 2019, TSA established the 
Office of Surface Operations, and expanded its pipeline 
security staff from 6 positions to 34 positions, working on 
field and headquarters operations and policy development.
    TSA has had a long-established, productive private-public 
partnership with partners in the pipeline industry to protect 
the transport of hazardous liquids and natural gas.
    To support pipeline owners and operators in securing their 
systems, TSA developed and distributed security training 
materials for industry employees and partners to increase 
domain awareness and ensure security expertise is widely 
shared. In conjunction with the pipeline industry and our 
Government partners, TSA developed the Pipeline Security 
Guidelines, to provide a security structure for pipeline owners 
and operators to use in developing their security plans and 
programs. While the guidelines are not mandatory, the 
recommended security measures for both physical and 
cybersecurity serve as the de facto industry standard.
    TSA works with industry partners to assess and mitigate 
vulnerabilities and improve security through collaborative 
efforts, including intelligence briefings, exercises, 
assessments, and on-site reviews. Two key examples would be the 
Validated Architecture Design Reviews, to promote a secure and 
resilient cybersecurity posture, that TSA conducts, in 
coordination with CISA, to inspect a pipeline operator's 
critical infrastructure, including information technology and 
operational technology systems, and the pipeline Corporate 
Security Reviews and pipeline Critical Facility Security 
Reviews that assess the degree to which the pipeline company is 
adhering to the Pipeline Security Guidelines' physical and 
cybersecurity measures.
    In response to the recent pipeline cyber intrusion, TSA 
used its statutory authority and issued a security directive, 
which has the force of a regulation, aimed to strengthen the 
cybersecurity and resilience of pipeline owners and operators. 
TSA is committed to using its authority to implement 
appropriate security measures to elevate both the physical and 
cybersecurity of the pipeline industry.
    In addition, TSA, in close coordination with the Department 
and CISA, continues to explore ways to mitigate threats through 
additional cybersecurity measures, to ensure that critical 
pipeline owners and operators are engaging in baseline cyber 
hygiene and have contingency plans in place to reduce the risk 
of significant disruption of operations if a breach occurs.
    The pipeline system is crucial to U.S. National security, 
transportation, and energy supply, and that drives TSA's work 
to continue collaborating with our Government and private 
partners to expand the implementation of intelligence-driven, 
risk-based policies and programs.
    Thank you for the opportunity to discuss TSA's pipeline 
security program, and I look forward to your questions today.
    Thank you very much.
    [The prepared statement of Ms. Proctor follows:]
                 Prepared Statement of Sonya T. Proctor
                             June 15, 2021
    Good morning, Chairwomen Watson Coleman and Clarke, Ranking Members 
Gimenez and Garbarino, and distinguished Members of the subcommittees. 
I appreciate the opportunity to appear before you today to discuss the 
Transportation Security Administration's (TSA) role in securing our 
Nation's pipeline systems.
    TSA has engaged with the pipeline industry since 2001 and has taken 
clear and specific actions to address cybersecurity gaps and 
vulnerabilities with the pipeline industry. Our Nation's pipeline 
systems are vital to the economy, our National security, and the 
livelihood of our country. There are more than 2.8 million miles of 
natural gas and hazardous liquid pipelines owned and operated by over 
3,000 private companies. Besides the pipelines themselves, the system 
includes critical facilities such as compressor and pumping stations, 
metering and regulator stations, interconnects, main line valves, tank 
farms and terminals, and the automated systems used to monitor and 
control them. Pipelines are susceptible to physical attacks such as 
improvised explosive devices (IEDs) and vehicle-borne IEDs, small arms, 
and stand-off weapons. Additionally, as recently evidenced, cyber 
intrusions into pipeline computer networks have the potential to 
negatively impact our National security, economy, commerce, and well-
being. For these reasons, TSA remains committed to securing our 
Nation's pipelines against evolving and emerging risks.
   pipeline staffing, resourcing, and expanding internal capabilities
    TSA has historically devoted staff to developing surface 
transportation policies supporting the grant process for surface 
transportation-related security enhancements, and conducting 
inspections and assessments. In support of the TSA Modernization Act of 
2018 (H.R. 302), in October 2019, TSA established the office of Surface 
Operations under the Office of Security Operations, which reports to 
the executive assistant administrator for security operations. During 
this time TSA expanded its pipeline security staff from 6 positions to 
34 positions working in field operations, headquarters operations, and 
policy development. These resources allow TSA to advance our pipeline 
and cybersecurity mission.
    In fiscal year 2020, TSA created and trained a field-based 20-
member Pipeline Security Assessment Team (PSAT), which is comprised of 
Transportation Security Inspectors (TSIs) located around the Nation. 
For cybersecurity efforts, we now have 8 members from the PSAT team and 
headquarters who successfully completed comprehensive cybersecurity 
training, provided by Idaho National Labs (INL) in partnership with the 
Department of Homeland Security's Cybersecurity and Infrastructure 
Security Agency (CISA), and are receiving additional cybersecurity 
certification in support of TSA's pipeline cybersecurity mission.
    TSA continues to expand its cybersecurity staffing and resourcing 
capabilities through establishing a Cybersecurity Operations Support 
Branch, which is currently in the hiring process. The branch will be 
staffed by 11 specialized cybersecurity personnel, 6 of which will be 
hired in fiscal year 2021 as part of 34 positions as previously 
mentioned. Five additional cyber security personnel will be hired in 
fiscal year 2022. This new branch within Surface Operations aims to 
enhance transportation systems' cybersecurity posture through a multi-
layered approach, which includes conducting cybersecurity assessments 
and engagements; targeted stakeholder educational efforts; evaluation 
of cybersecurity best practices across the sector; and Government 
coordination and collaboration on surface cyber programs and 
engagements.
    The TSA Surface Policy Division within the Office of Policy, Plans, 
and Engagement is also increasing its cybersecurity efforts and will 
have a total of 9 positions by the end of fiscal year 2021 to expand 
its Cybersecurity Section. This section will focus on the development 
of cybersecurity-related policy and guidance for surface transportation 
security.
                        stakeholder partnership
    TSA's focus on pipeline security began in 2001 and through our 
expanding pipeline efforts, we have focused on enhancing the security 
preparedness of the Nation's hazardous liquid and natural gas pipeline 
systems. TSA has established a productive public-private partnership 
with Government partners and the pipeline industry to protect the 
transport of hazardous liquids and natural gas. This partnership 
includes collaboration with our Federal partners, such as Department of 
Homeland Security (DHS), the Department of Transportation (DOT), the 
Department of Energy (DOE), the Department of Justice (DOJ), and the 
Federal Energy Regulatory Commission (FERC) through the Energy 
Government Coordinating Council (EGCC), while providing input and 
support to the activities and initiatives of the industry-led Oil and 
Natural Gas Subsector Coordinating Council (ONG SCC) and the Pipeline 
Working Group (PWG). Through these partnerships, TSA continues to seek 
input on current efforts to develop mandatory cybersecurity measures in 
Security Directives (SD); collaboratively develops security guidelines 
and training materials, and offer cybersecurity assessments for 
pipeline industry partners to increase security awareness and 
preparedness.
    To support pipeline owners and operators in securing their systems, 
TSA developed and distributed security training materials for industry 
employees and partners to increase domain awareness and ensure security 
expertise is widely shared. Security training products include a 
security awareness training program highlighting signs of terrorism and 
each employee's role in reporting suspicious activity; an IED awareness 
video for employees; an introduction to pipeline security for law 
enforcement officers; a cybersecurity toolkit for small and midsize 
businesses offering guidance on how to incorporate cyber risk into 
their transportation system; and a pocket-sized guide for front-line 
employees to outline the most common types of cybersecurity threats and 
explain how transportation systems can protect their data, computer 
systems, and personal information.
    Additionally, in conjunction with the pipeline industry, TSA 
developed the TSA Pipeline Security Guidelines (Guidelines) in 2011 to 
provide a security structure for pipeline owners and operators to use 
in developing their security plans and programs. The Guidelines are 
non-regulatory but recommended security measures for both physical and 
cyber security that serve as the de facto industry standard. The 
Guidelines were updated and republished in March 2018 with a 
significant emphasis on cybersecurity measures that are aligned with 
the National Institute of Standards and Technology (NIST) Cyber 
Security Framework. In April of this year, the criteria for identifying 
critical pipeline facilities in the Guidelines were further updated. 
The Guideline's cybersecurity measures were developed in coordination 
with industry and with Industrial Control System (ICS) expertise from 
the Cybersecurity and Infrastructure Security Agency (CISA).
    Established by TSA in 2019, the Surface Transportation Security 
Advisory Committee (STSAC) consists of 35 industry voting members, of 
which 3 are pipeline subject-matter experts, and 14 Government non-
voting members. This committee advises, consults with, reports to, and 
makes recommendations to the TSA administrator on surface 
transportation security matters, including the development, refinement, 
and implementation of policies, programs, initiatives, rulemakings, and 
security directives pertaining to surface transportation security.
                exercises, assessments, and site reviews
    TSA works with industry partners to assess and mitigate 
vulnerabilities, and improve security through collaborative efforts 
including intelligence briefings, exercises, assessments, and on-site 
reviews. Through the Intermodal Security Training and Exercise Program, 
TSA provides exercises, trainings, and security planning tools to the 
pipeline community to strengthen company security plans, policies, and 
procedures. Working with pipeline operators' security personnel, TSA 
conducts Pipeline Corporate Security Reviews, which assess the degree 
to which the Pipeline Security Guidelines' physical and cybersecurity 
measures are integrated into the operator's corporate security plan.
    In addition, TSA also conducts Pipeline Critical Facility Security 
Reviews on critical pipeline facilities of the 100 most critical 
pipeline operators to collect site-specific information on facility 
security policies, procedures, and cyber and physical security 
measures. To promote a secure and resilient cybersecurity posture, 
through specific Congressional funding TSA works directly with CISA to 
collaborate with pipeline owners and operators to offer Validated 
Architecture Design Reviews to assess a pipeline operator's critical 
infrastructure including information technology (IT) and operational 
technology (OT) systems. This assessment is intended to determine if OT 
systems are designed, built, and operated in a reliable and resilient 
manner. This assessment examines a series of cybersecurity technical 
domains that goes beyond a questionnaire-type assessment and also 
includes traffic analysis from selected critical network segments as 
well as a network architecture diagram and functionality review. While 
these security reviews are not mandatory, they have been welcomed over 
the years by pipeline owners and operators who appreciate and 
understand the value of identifying and mitigating vulnerabilities to 
help better secure their physical and cyber systems.
                             cybersecurity
    On behalf of the Department of Homeland Security, TSA serves as the 
co-Sector Risk Management agency alongside DOT and the United States 
Coast Guard for the transportation systems sector and is responsible 
for developing, deploying, and promoting Transportation Systems Sector-
focused cybersecurity initiatives, programs, assessment tools, 
strategies, and threat and intelligence information sharing products 
that support the implementation of Executive Orders on cybersecurity. 
TSA is in close alignment with CISA and coordinates on both a tactical 
and strategic level to raise the cybersecurity baseline across the 
transportation sector. As noted earlier, TSA participates in the Energy 
Government Coordinating Council and regularly collaborates with the ONG 
SCC and its PWG on programmatic issues affecting the cybersecurity of 
pipeline systems.
    TSA supports DHS's cybersecurity efforts in alignment with the NIST 
Cybersecurity Framework (Framework). The Framework is designed to 
provide a foundation for industry to better manage and reduce their 
cyber risk. TSA shares information, resources, and develops products 
for stakeholders to support their adoption of the Framework. TSA works 
closely with the pipeline industry to identify and reduce cybersecurity 
vulnerabilities, including facilitating classified briefings to 
increase industry's awareness of cyber threats.
    In response to the recent pipeline cyber intrusion, TSA is using 
its statutory authority to strengthen the cybersecurity and resilience 
of pipeline owners and operators. The first security directive issued 
following the recent incident requires pipeline owners and operators of 
critical hazardous liquid and natural gas pipelines or a liquefied 
natural gas pipelines facility designate a cybersecurity coordinator; 
report cybersecurity incidents to CISA; and assess their current 
cybersecurity posture against a specific set of measures within the 
Pipeline Security Guidance. As part of this assessment, the owner/
operators must identify any gaps, develop a remediation plan if 
necessary, and report the results to TSA.
    All information reported to CISA pursuant to this directive is 
shared with TSA and other Federal agencies as appropriate. Similarly, 
all information provided to TSA is shared with CISA. By requiring the 
reporting of cybersecurity incidents, the Federal Government is better 
positioned to understand the changing threat of cyber events and the 
current and evolving risks to pipelines. The designation of 
cybersecurity coordinators will give TSA a known and consistent point 
of contact with critical pipeline owners and operators, allowing TSA to 
easily share security information and intelligence. The assessments 
will assist the owners and operators and TSA to better understand the 
current state of cybersecurity practices in individual companies and 
across the industry. In addition, TSA, in close coordination with the 
Department and CISA, is also exploring ways in which immediate threats, 
such as ransomware, can be mitigated through additional cybersecurity 
measures to ensure that critical pipeline owners and operators are 
engaging in baseline cyber hygiene and have contingency plans in place 
to reduce the risk of significant disruption of operations, if a breach 
occurs.
                               conclusion
    The pipeline system is crucial to U.S. National security, 
transportation, and energy supply. These pipelines provide connections 
to other critical infrastructure upon which we depend, such as airports 
and power plants. TSA is dedicated to protecting our Nation's pipeline 
networks against evolving threats and continues to work collaboratively 
with our Government and private partners to expand the implementation 
of intelligence-driven, risk-based policies, and programs. TSA is 
committed to using its authority to implement the appropriate security 
measures to elevate both the physical and cybersecurity posture of the 
pipeline industry in alignment with the threat environment. Thank you 
for the opportunity to discuss TSA's Pipeline Security Program and I 
look forward to your questions.

    Mrs. Watson Coleman. Thank you, Ms. Proctor.
    Now I will recognize Mr. Goldstein to summarize his 
testimony for 5 minutes.

 STATEMENT OF ERIC GOLDSTEIN, EXECUTIVE ASSISTANT DIRECTOR FOR 
   CYBERSECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY 
          AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Goldstein. Chairman Thompson, Chairwomen Watson Coleman 
and Clarke, Ranking Members Gimenez and Garbarino, Members of 
the committee, thank you for the chance to testify today.
    As noted in the Members' opening statements, cybersecurity 
threats represent an urgent risk to our National security, 
economic security, and public health and safety. The committee 
is to be commended for your continued focus on this issue and 
for your support of CISA's essential role therein.
    As the lead agency for civilian cybersecurity, CISA plays 
several key roles in managing the risk of ransomware and other 
intrusions. In particular, recognizing that most ransomware 
intrusions exploit known vulnerabilities and common security 
weaknesses, CISA develops and shares best practices to help 
organizations reduce the likelihood and impact of a ransomware 
intrusion.
    To this end, in January of this year, CISA unveiled our 
Reduce the Risk of Ransomware Campaign. A few months later in 
April, Secretary Mayorkas initiated a high-profile Ransomware 
Sprint that included a series of National events intended to 
ensure that leaders across the country understand the 
criticality of these risks and take urgent action in response. 
Our work has continued as we further release updated guidance 
and consider novel approaches to drive risk reduction. CISA 
additionally serves a critical role in providing support to 
victims of cybersecurity incidents and sharing actionable 
information to protect future possible victims.
    Upon learning of the Colonial Pipeline intrusion, CISA 
immediately began to collaborate with the FBI and other Federal 
partners to gather information that could be used to help 
protect other potential victims of these sorts of serious 
campaigns. Within 4 days of the intrusion, CISA and the FBI 
published a cybersecurity advisory, with specific mitigations 
to reduce the likelihood and impact of similar events. We then 
updated this advisory with technical indicators of compromise 
and amplified the alert to maximize use by network operators, 
including through a stakeholder call with nearly 9,000 
participants from across critical sectors. These activities 
reflect CISA's role in National cybersecurity.
    While CISA's expert network defenders are available to 
provide incident response and threat hunting, upon request, of 
equal importance is our role in quickly using information from 
intrusions to protect others.
    Well before the Colonial intrusion, CISA was taking action 
to address cybersecurity risks facing the pipeline sector. In 
particular, through the Pipeline Cybersecurity Initiative, CISA 
works closely with TSA and pipeline companies to conduct 
vulnerability assessments, analyze risk to the sector, and 
implement a key pilot program called CyberSentry, which, as Ms. 
Clarke noted, leverages commercial technologies and sensitive 
threat information to monitor certain highly critical 
infrastructure networks for sophisticated threats.
    But going forward, it is very clear, as a Nation, we must 
do more to address the risks of ransomware and other cyber 
intrusions affecting our Nation's critical infrastructure. To 
this end, CISA is urgently driving progress in several key 
areas.
    First, we must gain increased visibility into cybersecurity 
risks and use this visibility to produce targeted guidance, 
share actionable information, and prioritize incidents that do 
occur. TSA's recent security directive that requires reporting 
of cybersecurity incidents to CISA is one key step, and we 
continue to evaluate potential ways to drive further reporting 
of incidents and cybersecurity risks to CISA in order to 
further enable this essential visibility.
    Second, we must continue to invest in and mature our 
voluntary partnerships with critical entities across the 
country. Going forward, we are implementing our Joint Cyber 
Planning Office to plan, exercise, and coordinate cyber defense 
operations between Government and the private sector.
    Third, we must leverage lessons learned and capabilities 
matured through our Federal cybersecurity mission, including 
through activities undertaken in executing the President's 
recent Executive Order to support our partners across critical 
infrastructure, including by conducting persistent hunts, 
ingesting, analyzing, and acting upon security data, and 
driving adoption of defensible network architectures. Funding 
provided in the American Rescue Plan Act is a critical 
downpayment in driving this essential change.
    Additionally, the establishment of a Cyber Response and 
Recovery Fund, or a CRRF, will ensure that CISA has sufficient 
resources and capacity to respond rapidly to cyber incidents. 
Recommended by the Cyberspace Solarium Commission and recently 
passed by the Senate, we do hope that the CRRF will be 
considered soon by the House and provide CISA with additional 
resources to conduct our rapidly-evolving and essential 
mission.
    In conclusion, our Nation is facing unprecedented 
cybersecurity risk, and the list of significant incidents in 
recent months is long and growing. Now is the time to act, and 
CISA is leading our National call to action. We will deepen our 
partnerships, enhance our visibility into National 
cybersecurity risk, and drive targeted action. In collaboration 
with our partners in the public and private sectors, our 
international allies, and with Congress, we will make progress 
in addressing this risk and maintaining the availability of 
critical services to the American people.
    Thank you again for the chance to appear today, and I very 
much look forward to your questions.
    [The prepared statement of Mr. Goldstein follows:]
                  Prepared Statement of Eric Goldstein
                             June 15, 2021
    Chairwoman Clarke, Chairwoman Coleman, Ranking Member Garbarino, 
Ranking Member Gimenez, and Members of the committees, thank you for 
the opportunity to testify today on behalf of the Cybersecurity and 
Infrastructure Security Agency (CISA) regarding the Federal response to 
the Darkside ransomware incident against the Colonial Pipeline company 
and the broader cyber threat facing our Nation's critical 
infrastructure.
    CISA leads the Nation's efforts to advance the cybersecurity, 
physical security, and resilience of our critical infrastructure. In 
particular, CISA serves as the Nation's ``cybersecurity quarterback'' 
and acts as the focal point to exchange cyber defense information and 
enable operational collaboration among the Federal Government, State, 
local, Tribal, and territorial (SLTT) governments, the private sector, 
and international partners. In this role, we are particularly focused 
on reducing cybersecurity risks to entities that provide or support 
National Critical Functions, including companies like Colonial 
Pipeline.
    To accomplish this mission, CISA leads a collaborative effort to 
identify and drive reduction of the most significant cyber risks to 
critical infrastructure. This requires first identifying cyber risks 
through robust multi-directional information sharing, conducting risk 
and vulnerability assessments, and deploying threat detection 
technologies to critical assets. We work to prioritize identified 
risks, including by leveraging the capabilities of our National Risk 
Management Center to understand relative criticality of critical 
infrastructure assets and working with our partners across Government 
to understand our adversaries' potential intent and capabilities. 
Finally, we drive collective action to reduce cybersecurity risks, 
including by providing incident response and threat-hunting services, 
issuing alerts and guidance, and coordinating joint cyber defense 
operations that bring together capabilities from Government and 
private-sector partners.
    Cyber intrusions over the past several months have further 
reflected the fact that our country is facing an immediate threat to 
our National security, economic prosperity, and public health and 
safety. Nation-state actors and criminal groups continue to increase in 
their sophistication and in their willingness to target organizations 
across all sectors of the economy. The impacts of these malicious 
activities continue to increase, impacting the provision of critical 
functions from health care to energy to agriculture. This hearing 
provides a timely opportunity to emphasize the urgency of this 
challenge, discuss CISA's critical role in helping our Nation manage 
this risk, and consider necessary steps to drive further progress.
                      ransomware: a growing threat
    Ransomware is an ever-evolving form of malware that encrypts files 
on a device, rendering the systems that rely on them unusable. 
Malicious actors then demand ransom in exchange for decryption, and 
often threaten to sell or leak the victim's data if the ransom is not 
paid. Malicious actors continue to evolve their ransomware tactics over 
time, and CISA remains vigilant of ransomware intrusions and associated 
tactics, techniques, and procedures across the country and around the 
world.
    Recently, ransomware directed at SLTT governments and critical 
infrastructure organizations has surged. In fact, it is estimated that 
over 100 Federal, State, and municipal agencies, over 500 medical 
centers, and 1,680 educational institutions in the United States were 
hit by ransomware in 2020 and ransom demands exceeded $1 billion 
dollars.\1\ This epidemic is now affecting our Nation's most critical 
infrastructure: Municipal governments, police departments, hospitals, 
schools, manufacturing facilities, and of course, pipelines.
---------------------------------------------------------------------------
    \1\ Emisoft, The State of Ransomware in the US: Report and 
Statistics 2020, https://blog.emsisoft.com/en/37314/the-state-of-
ransomware-in-the-us-report-and-statistics-2020/; Emisoft, The Cost of 
Ransomware in 2020: A Country-by-Country Analysis, https://
blog.emsisoft.com/en/35583/report-the-cost-of-ransomware-in-2020-a-
country-by-country-analysis/.
---------------------------------------------------------------------------
    CISA, and the broader Department of Homeland Security, has acted 
urgently to catalyze National action around this risk. In January 2021, 
CISA unveiled the Reduce the Risk of Ransomware Campaign to raise 
awareness and combat this on-going and evolving threat. The campaign is 
a focused, coordinated, and sustained effort to encourage public and 
private-sector organizations to implement best practices, tools, and 
resources that mitigate ransomware risk. Additionally, in coordination 
with the Multi-State Information Sharing and Analysis Center (MS-ISAC), 
CISA released a joint Ransomware Guide that details industry best 
practices and a response checklist that can serve as a ransomware-
specific addendum to State and local government's cyber incident 
response plans.
    In February, during his first remarks dedicated to cybersecurity, 
Secretary Mayorkas issued a call for action to tackle ransomware more 
effectively. To further drive a call to action, Secretary Mayorkas 
initiated a Ransomware Sprint in April 2021 that has included a series 
of high-profile National events intended to ensure that leaders across 
all sectors of the economy understand the criticality of this risk and 
take urgent action in response.
    Ransomware is a critical challenge and the risks posed to our 
Nation's critical infrastructure are severe. But the challenge is not 
insurmountable. Ransomware intrusions generally do not use zero-day 
vulnerabilities or exquisite tradecraft, but rather exploit known 
security weaknesses or a failure to adopt generally accepted best 
practices. By investing in improved cybersecurity as recommended in 
CISA guidance, organizations can reduce the risk of a ransomware 
intrusion and limit the potential impacts.
  an example of a broader risk: colonial pipeline ransomware intrusion
    The ransomware that impacted Colonial Pipeline was one of the first 
cyber intrusions in our Nation to have a direct effect on many 
Americans' daily lives. But the intrusion itself was not unique: The 
Darkside ransomware-as-a-service group has been associated with 
hundreds of intrusions in recent months and ransomware intrusions have 
impacted essential services on a smaller scale, from elementary schools 
to hospitals. Upon learning of the intrusion, CISA immediately began to 
collaborate with the Federal Bureau of Investigation (FBI) and other 
interagency partners to gather information that could be used to help 
protect other potential victims. Within 4 days of the intrusion, CISA 
and the FBI published a cybersecurity advisory on the incident, which 
included detailed information on how to reduce risk across critical 
infrastructure. This advisory contained specific mitigation measures to 
reduce the likelihood of a ransomware intrusion and, critically, steps 
to reduce the consequences. This latter element cannot be overstated: 
All critical infrastructure organizations should assume that they can 
be compromised by a ransomware intrusion and take steps to reduce 
impacts, including by ensuring that their essential functions can 
remain operable even if their primary business network is unavailable. 
CISA and the FBI subsequently enriched this advisory with specific 
indicators of compromise associated with the Darkside ransomware group 
and the Colonial Pipeline intrusion.
    In order to further amplify the importance of these mitigation 
steps, CISA convened a broad stakeholder call with over 8,000 attendees 
from across U.S. critical infrastructure to provide an overview of the 
incident, threat actor, and impacts. CISA also convened a meeting under 
its Critical Infrastructure Partnership Advisory Council with 
leadership from the 16 critical infrastructure sectors to discuss 
potential operational impacts for critical infrastructure due to the 
ransomware intrusion. This contributed to CISA's ability to assess 
potential impact to the 55 National Critical Functions from a sustained 
shutdown, and anticipate cross-sectoral impacts, including from 
transportation slow-downs and impacts to chemical facilities. Finally, 
CISA leveraged our regional personnel deployed across the country, and 
particularly in areas impacted by the Colonial Pipeline outage, to 
provide focused guidance to other critical infrastructure organizations 
and provide the U.S. Government with detailed information on cascading 
impacts across sectors.
     managing a broader risk: cisa's role in pipeline cybersecurity
    Well before the Colonial Pipeline intrusion, CISA was addressing 
cybersecurity risks to pipelines. Over the past several years, CISA and 
the Transportation Security Agency (TSA), in conjunction with the 
Department of Energy, National Laboratories, and private industry, have 
been focused on addressing cybersecurity risks to the Nation's 2.7 
million miles of pipeline infrastructure through the Pipeline 
Cybersecurity Initiative (PCI). The PCI was formed in response to 
increasing dependence on automation within the oil and natural gas 
(ONG) pipeline industry and the growing attack surfaces of assets using 
connected technology.
    As part of PCI, CISA collects, aggregates, and analyzes data to 
inform a holistic view of vulnerabilities, threats, and consequences to 
the ONG pipeline industry. Importantly, CISA also provides incident 
response and intelligence support for pipeline activities with a focus 
on industrial control systems and coordinates activities related to the 
PCI. In February 2021, CISA released a Pipeline Cybersecurity Resources 
Library to provide pipeline facilities, companies, and stakeholders 
with a set of free, voluntary resources to strengthen their 
cybersecurity posture.
    To inform CISA's analysis of pipeline risk, CISA routinely partners 
with the TSA and pipeline companies to conduct in-depth vulnerability 
assessments, or Validated Architecture Design Review (VADR) 
assessments, on their infrastructure. Importantly, VADRs assess 
pipeline critical infrastructure information technology (IT) and 
operational technology (OT) systems to determine if they are designed, 
built, and operated in a reliable and resilient manner. These 
assessments, which are free to participating companies, help identify 
gaps across infrastructure operators. TSA and CISA are on track to 
complete 52 VADRs on pipeline entities by the end of this fiscal year. 
To build on the VADR assessment recommendations, CISA and TSA are 
working with the ONG Subsector Coordinating Council (SCC) to analyze 
VADR findings, conduct follow-on analysis, and develop recommendations 
for pipeline owners to voluntarily implement.
    Given the criticality of certain pipeline entities and certain 
other critical infrastructure assets, CISA offers a pilot program 
called CyberSentry, which deploys technologies and analytic 
capabilities to monitor an organization's business (IT) and operational 
technology/industrial control system (OT/ICS) network for sophisticated 
threats. CyberSentry is a voluntary partnership with private-sector 
critical infrastructure companies using CISA's unique statutory 
authorities, policy and privacy solutions. This capability is not a 
replacement for commercial solutions; rather, the capability 
complements such solutions by allowing CISA to leverage sensitive 
threat information. CyberSentry has shown significant benefit in 
practice and has been used to drive urgent remediation of threats and 
vulnerabilities.
    Separately, in partnership with a National Laboratory, CISA is 
developing a suite of tools to assess cyber resilience through 
scenarios using specialized threat models and simulations to identify 
``crown jewel'' components within pipeline OT. Going forward, the PCI 
is planning a pipeline cyber table-top exercise to better understand 
the impacts of an OT compromise at a major natural gas transmission 
line and is collaborating with industry to integrate pipeline 
considerations into CyberStorm VIII--a CISA-led biennial exercise 
series that provides the framework for the Nation's largest 
cybersecurity exercise--in Spring 2022. PCI's future efforts will 
center around determining the prevalence of major components within 
pipeline OT systems to identify potential vulnerabilities and inform 
supply chain risk efforts. CISA will continue leveraging CyberSentry 
and move to expand the entities receiving such services. Last, CISA 
will lead the development of a pilot tool focused on liquid pipelines 
that will allow users to explore how disruptions to pipelines can have 
cascading consequences on National Critical Functions.
                        mitigating future risks
    The Colonial Pipeline intrusion and the more recent intrusion into 
JBS Foods must serve as an urgent call to action to address our 
Nation's cybersecurity risks. We must collectively and with great 
urgency strengthen our Nation's cyber defenses, invest in new 
capabilities, and change how we think about cybersecurity, recognizing 
that all organizations are at risk, and we must focus on assuring the 
resilience of essential services. To that end, CISA is acting with the 
utmost resolve to drive reduction of cyber risk across the National 
Critical Functions. Achieving the progress we seek will require 
consideration of several key areas.
    First, CISA is currently investing in, and growing capabilities to 
increase visibility into cybersecurity risks across Federal agencies 
and across non-Federal entities. This necessitates a fundamental 
change, in which CISA must gain the ability to conduct persistent hunts 
for threat activity, ingest and analyze security data at all levels of 
the network, and conduct rapid analysis to identify and act upon 
identified threats. At the same time, CISA is driving adoption of 
defensible network architectures, including implementation of zero-
trust environments in which the perimeter is presumed compromised and 
security must focus on protecting the most critical accounts and data. 
President Biden's Executive Order on Improving the Nation's 
Cybersecurity will drive critical progress in advancing cybersecurity 
across the Federal Government. Going forward, we must take lessons 
learned from our investments in Federal cybersecurity to support 
organizations across sectors in driving similar change.
    Second, CISA must work with all possible partners to gain increased 
visibility into National risks. With increased visibility, we are able 
to better identify adversary activity across sectors, which allows us 
to produce more targeted guidance, and identify particular incidents 
requiring a specialized CISA response team. Our support to TSA to 
develop a recent Security Directive requiring reporting of 
cybersecurity incidents to CISA is an important step and an example of 
such collaboration. We look forward to working with Congress to further 
encourage reporting of cybersecurity incidents to CISA in order to 
further enable this essential visibility.
    Third, CISA must continue to invest in and mature our voluntary 
partnerships with critical infrastructure entities. For example, our 
Cyber Information Sharing and Collaboration Program (CISCP) serves as a 
bi-directional forum in which CISA and private industry are 
collaborating on significant risks, developing sector- and threat-
focused products, and providing briefings on new trends, threats, and 
capabilities across the sectors. With information-sharing protections 
available through the Cybersecurity Information Sharing Act of 2015 and 
the Protected Critical Infrastructure Information Act, the program 
enables trusted sharing between CISA and a network of high-impact 
companies, Information Sharing and Analysis Centers (ISACs), and 
service providers. Within CISCP, the Mutual Interest Initiative brings 
together cyber threat companies and internet service providers to work 
with CISA and the broader Government community to exchange analysis and 
collaboratively work on threat actor-focused products. Furthermore, 
CISCP enables CISA to work in close coordination with software vendors 
and endpoint detection companies to both assess impact and mitigate 
risk of critical vulnerabilities. From a technical standpoint, these 
partnerships with industry enable us to better understand the nature of 
vulnerabilities pre- and post-disclosure and in turn provided timely 
and thorough mitigation guidance to Government agencies and critical 
infrastructure. Going forward, CISA is establishing a Joint Cyber 
Planning Office, as required by the Fiscal Year 2021 National Defense 
Authorization Act, to further mature our capabilities to plan, 
exercise, and coordinate cyber defense operations with partners across 
the government and private sector.
    Last, recognizing that we cannot prevent all intrusions, we must 
drive a focus on resilience and functional continuity even as we drive 
improvements in security. We must advance business continuity exercises 
even as we catalyze adoption of cybersecurity best practices; we must 
ensure that operational technologies are segmented from, and can run 
independently of business networks, even as we advance our ability to 
detect threats in both environments; and, we must reduce single points 
of failure across our National Critical Functions as we identify and 
harden identified nodes of systemic risk.
                               conclusion
    Our Nation is facing unprecedented risk from malicious cyber 
activities undertaken by both nation-state adversaries and criminals. 
The list of significant incidents in recent months is long and growing. 
Now is the time to act--and CISA is leading our National call to 
action. We will deepen our partnerships with critical infrastructure 
partners, enhance our visibility into National cybersecurity, and drive 
targeted action to reduce vulnerabilities and detect our adversaries. 
In collaboration with our Government partners, critical infrastructure 
entities, our international allies, and with the support of Congress, 
we will make progress in addressing this risk and maintain the 
availability of critical services to the American people under all 
conditions.
    Thank you again for the opportunity to be to appear before the 
committee. I look forward to your questions.

    Mrs. Watson Coleman. Thank you, Mr. Goldstein.
    I want to thank both of the witnesses for their testimony. 
I will remind Members of each subcommittee that we will each 
have 5 minutes to question the panel.
    I will now recognize--oh, I am sorry. I will now recognize 
myself for questions.
    The TSA pipeline security assessments are currently 
voluntary. Although a new security directive does require 
operators to self-assess their compliance with TSA's 
cybersecurity security guidance, this security directive also 
requires critical pipeline operators to report cyber incidents 
and designate a cybersecurity coordinator who will be available 
24/7.
    So, Ms. Proctor, I would like to ask you first, would you 
please discuss the process that led up to this security 
directive? How did TSA determine the directive was needed? How 
did you decide to include these specific elements?
    You have to unmute yourself, Ms. Proctor.
    Ms. Proctor.
    Ms. Proctor. Madam Chairwoman, I am sorry if that was 
directed to me. I am having some connection problems again. I 
beg your indulgence again.
    Mrs. Watson Coleman. OK.
    Ms. Proctor. I am requesting some assistance.
    Mrs. Watson Coleman. Can you hear me now? Can you hear me?
    I don't have any questions for Mr.--why don't we skip me 
and----
    Ms. Proctor. Madam Chair, can you hear me?
    Mrs. Watson Coleman. I can.
    Ms. Proctor. OK. I am having some technical problems again. 
The voice is going in and out. I am requesting some assistance, 
so I beg your indulgence one more time here.
    Mrs. Watson Coleman. Thank you.
    Mr. Goldstein, then, may I ask you a question?
    Mr. Goldstein. Yes, ma'am.
    Mrs. Watson Coleman. Beyond pipelines, have you considered 
promulgating cybersecurity standards for other surface 
transportation modes and like mass transit and airports?
    Mr. Goldstein. Thank you, ma'am, for that question. In 
general, CISA's goal is to be a source of cybersecurity 
expertise across all sectors. Where a given sector is subject 
to regulations by a regulator with particular jurisdiction, we 
certainly engage in discussions with regulators like TSA to 
ensure that they are benefiting from CISA's cybersecurity 
expertise when they are developing regulations that are 
applicable to entities within their given jurisdiction. We have 
a robust collaboration with TSA along those lines, and 
certainly look forward to similar conversations with other 
regulators based upon their own unique authorities.
    Mrs. Watson Coleman. So I am going to take that as a yes? I 
took that as a yes.
    Mr. Goldstein. We totally support strong cybersecurity 
across all sectors, ma'am, that is correct.
    Mrs. Watson Coleman. Thank you, thank you.
    I did have some questions for Ms. Proctor but, 
unfortunately, she is not able to answer those questions. So if 
we clear this up in the next few minutes, I will ask her her 
questions.
    But now I will go to the Ranking Member, Mr. Gimenez, for 
his 5 minutes.
    Mr. Gimenez. Thank you, Madam Chairwoman. I really 
appreciate it.
    This is for Mr. Goldstein. Mr. Goldstein, is there any real 
difference--you know, I understand that, you know, TSA has 
jurisdiction, I guess, over pipeline security, but I look at 
cybersecurity a little bit different than, say, physical 
security over the physical aspect, the pipeline itself. We know 
that there are threats to the pipelines, somebody does 
sabotage, et cetera. Those are things that we need to protect, 
and TSA needs to do that.
    But in terms of cybersecurity, is there really a difference 
between the control systems for the computer network, the thing 
that is going to be hacked, for a pipeline and, say, an airport 
or a bank or any such thing? Isn't ransomware really attacking 
the computer systems themselves and it really doesn't matter 
what industry that computer system is controlling?
    Mr. Goldstein. Sir, thank you for that question. I think 
there are 2 ways to answer it. The first is, I think your last 
statement is absolutely correct. Ransomware is a threat that 
can impact any organization in any sector big or small--
financial, energy, hospitality, across the board--which is why 
CISA has been so focused on promulgating these cross-cutting 
best practices and guidance, including our advisory promulgated 
after the Colonial intrusion, that is equally applicable to any 
organization because, as you imply, these sorts of 
cybersecurity best practices are generalizable across sectors.
    Now, it is also the case that different sectors may use 
different specific technologies. They may have different 
network architectures or different ways to use devices to 
achieve their operational needs. But when it comes to these 
cybersecurity practices that we want to see--things like making 
sure that your software is patched, making sure that you are 
using multifactor authentication, leveraging off-line backups--
those are practices that are generalizable across sectors and 
regardless of the size of company.
    Mr. Gimenez. So when CISA makes a recommendation, do you 
make a recommendation to the agencies across the Federal, you 
know, spectrum and say, these are the things we recommend that 
you then recommend or write a regulation for your specific 
sector? Is that the way it works here in the Federal 
Government?
    Mr. Goldstein. So, in general, CISA puts out guidance and 
best practices, and in the case of Federal agencies, directives 
that are generally applicable. Occasionally, we will put out 
guidance that is specific to control systems, or certainly if 
we know about a given threat or incident that is affecting a 
particular sector, we may produce a targeted alert or warning 
focused on a nuanced risk to a given sector or even a given 
device where we have information that a certain device is being 
exploited.
    Regarding our interaction with regulators, generally 
regulators, including TSA, may seek CISA's expert advice and 
consultation on how to produce cybersecurity regulations that 
actually drive improved security and can be expected to reduce 
the likelihood of damaging incidents affecting that sector. But 
given the unique authorities and independence of many 
regulators, CISA is generally a source of expertise for those 
regulators to exercise their authorities in this space most 
effectively.
    Mr. Gimenez. That is where I have a problem. OK. That would 
be, the problem that I have is that it appears to me that CISA 
is there to protect, basically, the thing that we are 
communicating with right now. OK. That is the control systems--
the control systems that are controlling most of America now, 
energy, the electricity, the pipelines, banks, is coming out of 
the computer, and the computers are being hacked, and that is 
where vulnerability lies.
    My concern is that different agencies may put different 
emphasis on the vulnerability that we have for cyber attacks 
and that it is really not focused. You know, TSA's focus for 
the most part, I see as, the real focus is airport security, 
port security, and all that, physical security, and then cyber 
attacks, yes, OK, but that may not be our core mission, whereas 
your core mission is cyber attacks.
    So wouldn't it be better for the Federal Government to 
kind-of gel that into, you know, your agency and you become the 
voice on what needs to be done on cybersecurity? That is an 
opinion I am asking from you, and I know that it is a loaded 
question. So if you can answer it, please do.
    Mr. Goldstein. Without question, CISA's key role today is 
being the Federal civilian Government lead voice on 
cybersecurity, and our goal is to use every single platform to 
make sure that business leaders, that Federal agencies, that 
regulators, understand the criticality of this risk and act on 
it with urgency and immediacy.
    Certainly under current law, our goal is to work with 
agencies that have unique authorities to drive change, to help 
them use those authorities to maximize security improvement 
within their sector. But to your point, we strongly agree that 
cybersecurity needs to be a top-of-mind issue in every 
boardroom, in every C-suite, and in every Federal agency.
    Mr. Gimenez. Thank you. I see that my time is up.
    Thank you, Madam Chairwoman.
    Mrs. Watson Coleman. Thank you, Ranking Member.
    I now recognize the Chairlady from--the gentlelady from New 
York for her 5 minutes.
    Ms. Clarke. I thank you, Madam Chairwoman.
    Mr. Goldstein, as I said in my opening remarks, I believe 
that for CISA to carry out its broad cyber mission effectively 
it needs, No. 1, greater access to information about major 
cyber incidents and, No. 2, greater visibility into threats 
targeting private-sector networks in real time.
    That is why I am working on 2 pieces of legislation. One 
would require critical infrastructure owners to report cyber 
incidents to CISA, and the other would authorize the capability 
CISA has built through the CyberSentry pilot. I see these 
efforts as complementary, giving CISA the ability to monitor 
threats today and also learn how and why they are successful, 
so we can prevent them from happening tomorrow.
    Can you talk about how CyberSentry works and some of the 
ways that it helps CISA partner more effectively with the 
private sector?
    Mr. Goldstein. Yes, ma'am, absolutely. To begin, thank you 
for your on-going support of CISA. It is deeply appreciated.
    You know, as you noted, one of the challenges that CISA 
and, frankly, our country faces is a lack of visibility into 
cybersecurity risks facing our Nation's critical 
infrastructure. When we say ``cybersecurity risks,'' we should 
be precise about what we are speaking about. What we are 
talking about is the possibility of criminal groups or nation-
states breaking into our critical infrastructure with the 
intent to do harm.
    Without that visibility, CISA is unable to fully conduct 2 
of our core functions. The first is to understand systemic risk 
across our country and provide actionable information that can 
protect others, so they can either detect and block these 
threats before break-ins occur or they can evict adversaries 
from their networks once the intrusion happens.
    We are also not able to fully understand those entities 
that may need our voluntary assistance in order to help 
understand the intrusion, remediate, and recover.
    CyberSentry provides a unique capability to help protect 
the most critical infrastructure in this country. What we have 
learned from a long history of cybersecurity intrusions is that 
many intrusions impacting critical infrastructure and 
particularly control systems actually begin on business 
networks. So CyberSentry provides commercial off-the-shelf 
technology that helps detect cybersecurity threats that are 
attempting to move from business networks to the operational 
technology or control systems network and provides coverage of 
both, and allows CISA to use sensitive information about 
particular adversaries or threats to help understand and 
rapidly identify those kind of threats manifesting across the 
most critical networks.
    Now, CyberSentry is only a pilot today. It is deployed 
across a limited number of highly critical entities, but we 
have seen significant success with this program thus far. It 
both provides CISA with the added visibility, ma'am, that you 
mentioned and also provides real concrete benefits to the 
owner-operators that are using CyberSentry in the first 
instance, and we look forward to further maturing the pilot as 
we go forward.
    Ms. Clarke. [Inaudible] today as part of our--as part of 
your pilot so that it can be instructive as we are drafting 
this authorization. So thank you so very much for your work in 
this space.
    I know Ms. Proctor has joined us again. Can you hear us, 
Ms. Proctor?
    You may be muted.
    Ms. Proctor. Yes, and please accept my apologies.
    Ms. Clarke. No, no. Understood. You know, everything is not 
perfected yet. So we are just happy you are able to join us.
    I would like to ask just a quick question about PPD-41, the 
National Cybersecurity Incident Response Plan. Is that 
something that you are familiar with?
    Ms. Proctor. Yes, ma'am, I am.
    Ms. Clarke. OK. There is a little delay, I guess, in your 
audio.
    On this committee, we spend a lot of time talking about the 
need for all organizations--large, small, public, and private--
to have incident response plans in place before an emergency, 
whether it is a flood, a fire, or a ransomware attack. It is 
important that in a crisis, there is a framework to guide 
decision making and everyone knows what role they are supposed 
to play.
    The PPD-41 National Cyber Incident Response Plan lays out 
the Federal roles and responsibilities or lines of effort.
    Would you agree with me that the Colonial Pipeline cyber 
incident was likely to result in demonstrable harm to National 
security interests or the economy of the United States as 
defined under PPD-41?
    Mrs. Watson Coleman. Ms. Proctor, you may answer this 
question.
    Ms. Clarke. She is delayed on her audio.
    Mrs. Watson Coleman. Yes. I just wanted to let you know 
that your time has expired, but she certainly may respond to 
your question, ma'am.
    Ms. Clarke. Appreciate that.
    Ms. Proctor. Yes, ma'am, I would agree with you on that, 
that it was a significant incident.
    Ms. Clarke. Very well.
    Madam Chair, I yield back.
    Mrs. Watson Coleman. Thank you, Madam Chairlady.
    I now recognize Mr. Garbarino.
    Mr. Garbarino. Thank you, Madam Chair.
    Mr. Goldstein, the committee has concerns with the White 
House's decision to place the Department of Energy at the helm 
of the Federal Government's response to the ransomware attack 
on Colonial Pipeline. In this case, DOE is not the Sector Risk 
Management agency, nor does it have a lead role in the cyber 
incident response in this case.
    DHS, via TSA, is the co-lead Sector Risk Management agency 
for pipeline sector, along with the Department of 
Transportation. Additionally, the National Cyber Incident 
Response Plan designates DHS, via CISA, as the lead agency for 
the response.
    What rationale were you and Acting Director Wells given for 
DOE being given the lead response to this incident? Did you or 
any of CISA's leadership raise concerns with the White House 
about that, about DOE being put in charge?
    Mr. Goldstein. Certainly. Congressman, I think it is useful 
to separate the various elements of this incident, because it 
is one of the first incidents that we have seen in this country 
where a cyber event led to a decision to disrupt a physical 
function upon which Americans depend.
    There really were, I think, 3 distinct aspects to the 
incident. The first was the cyber intrusion itself. The cyber 
intrusion, insofar as the Federal response went, was managed in 
accordance with PPD-41. The FBI, of course, led the threat 
response, and CISA led the asset response.
    Now, it happened to be in this circumstance, as Colonial 
CEO testified last week, that Colonial chose to engage a third-
party incident response firm rather than accepting CISA's offer 
of incident response assistance. Under current law, that is 
certainly the prerogative of a company to do.
    Not providing on-the-ground incident response assistance, 
CISA focused on our broader asset response role of protecting 
others. As mentioned in my opening statement, we shared urgent 
alerts, warnings, and advisories with detailed information to 
protect other organizations from this specific ransomware group 
and the broader ransomware threat.
    The second element of this incident is the broad 
coordination of the National response. Of course, under PPD-21, 
the Secretary of Homeland Security plays a critical role in 
coordinating the response to cyber or physical incidents 
affecting critical infrastructure. Here, Secretary Mayorkas 
certainly played that role, in close coordination with the 
White House and with our partners in the interagency and, of 
course, our Secretary was at the White House podium and was one 
of the key National figures communicating about their response.
    The third aspect, of course, was the fuel supply issue, 
assuring that Americans actually had fuel available to fill 
their tanks and that businesses were able to keep operating. 
That is an issue within the remit of DOE and was one of the 
core focuses of the Government's interaction with Colonial, 
recognizing that, as advised by the company, the cyber incident 
was being managed by a well-regarded third party.
    So DOE's role in this incident, and part of the reason for 
their centrality, was the justifiable National focus on the 
fuel supply issue and DOE's unique expertise and equities in 
assuring appropriate provision of fuel across the eastern 
seaboard during the duration of this incident.
    Mr. Garbarino. I get that, but this was the team--they were 
put in charge of the team, the Government's response to the 
ransomware attack. You know, this right now is a pipeline. Next 
time we don't know what it is. So don't you think that--or do 
you feel that further clarification is needed on the Federal 
level as to who is--you know, should CISA be the lead on all of 
these? Or, you know, because with the ransomware, it is always 
going to be ransomware. We just don't know what other industry 
it is going to hit. So I don't know if that makes sense that, 
you know, having DOE in charge of this one but then somebody 
else in charge of another one.
    Do you think there should be more--that clarification is 
needed on the Federal level of who is actually in charge or at 
the top, you know, when there is a cyber incident?
    Mr. Goldstein. So in this case, certainly, CISA did 
undertake our asset response role. Of course, the advisories 
and communications that we put out were joint with the FBI, 
consistent with PPD-41 and not with other agencies outside of 
that construct. But, certainly, we are deeply conscious that as 
we see the potential for these sort of incidents that bring 
together cyber intrusions and very real functional impacts that 
affect Americans lives, it is deeply important for the U.S. 
Government to communicate clearly and concretely about how we 
approach these incidents and how we manage them as a whole-of-
Government effort to both reduce their prevalence and minimize 
impacts to the American people.
    Mr. Garbarino. I get that. Under PPD-41--I know my time is 
about to end--but why was this not a significant cyber incident 
under PPD? This seems pretty significant. Why was this not?
    Mr. Goldstein. This was absolutely a significant event. Any 
time when we have Americans worried about cessation of an 
essential function like fuel, it is absolutely a significant 
event. Here, however, based upon information received from 
Colonial, the cyber incident aspects of this event were well-
managed by a trusted third party. So based upon that 
information, the event itself was unequivocally significant and 
certainly dealt with as such at the highest levels of the U.S. 
Government. But the cyber incident aspect of it was well-
managed by a third party and was a very well-known type of 
ransomware that likely didn't reach the cyber-specific 
threshold of significance that would usually trigger that 
designation under PPD-41.
    Mrs. Watson Coleman. Thank you.
    Mr. Garbarino. I yield back.
    Mrs. Watson Coleman. Thank you, Mr. Garbarino.
    Mr. Thompson, I recognize you.
    Mr. Thompson. Thank you very much. Let me thank the 
witnesses for their testimony.
    Mr. Goldstein, it is always good to see you as a witness. 
You are good.
    I want you to tell me what authorities you think CISA lacks 
at this point in time that this committee could help you with.
    Mr. Goldstein. Thank you, sir. It is always good to see you 
as well. I would like to harken back to Ms. Clarke's eloquent 
statement, which is, we need the ability to get visibility into 
National cybersecurity risks. We need to understand where 
adversaries are intruding into networks across this country. We 
need to understand the techniques that they are using to break 
in. We need to understand what they are doing or trying to do. 
The more of that kind of information that we get, we can then 
protect others, and we can work as a whole of Government to 
reduce the risk facing our country.
    Mr. Thompson. So how do we codify that authority that you 
are describing?
    Mr. Goldstein. Yes, sir. So, certainly, the more that we as 
a country can do to drive reporting on cybersecurity incidents 
to CISA, as TSA recently did with their security directive, and 
certainly as several of your colleagues have suggested via the 
other avenues, that will help drive that change.
    The second part, sir, is, you know, we need the ability to 
address resource gaps across far too many entities in this 
country, particularly, our State, local, Tribal, and 
territorial partners. The more that we can do to help 
organizations that may be underresourced to invest in core 
cybersecurity, build cybersecurity programs, including in the 
context of incident response through the Cyber Response and 
Recovery Fund, or through other mechanisms that allow SLTT 
partners to get the funding they need, that will all help raise 
the bar.
    Mr. Thompson. Well, thank you. So, do we need voluntary 
compliance on the part of companies? Or do you see something 
down the road where we will have to require companies to take a 
test for their systems?
    Mr. Goldstein. Certainly, sir. CISA right now is urgently 
focused on making best use of the voluntary partnership model 
where we are encouraging companies and giving companies help 
and resources to drive security across their systems and manage 
National risks. They are absolutely----
    Mr. Thompson. Well----
    Mr. Goldstein [continuing]. Please, sir.
    Mr. Thompson [continuing]. OK. I don't want to go over my 
time, but that is a good point. So what did Colonial do?
    Mr. Goldstein. Sir, I don't have deep visibility into 
Colonial's security posture at the time of the intrusion. It is 
certainly the case today that there are many organizations in 
this company that--pardon me, in this country, for a variety of 
reasons, are unable to invest in the security they need. The 
U.S. Government must take urgent steps to incentivize, drive, 
and require those companies to make the investments that they 
need to make.
    Mr. Thompson. OK. Well, thank you. Now Ms. Proctor, what is 
your knowledge of what TSA did on the security side?
    Ms. Proctor. Thank you so much for that question, sir. TSA 
has had a long relationship, security relationship, with 
Colonial. That goes back to the beginning of our Pipeline 
Security Guidelines. We have conducted Corporate Security 
Reviews with Colonial in the past. We have had--as you are 
aware, we have done Critical Facility Security Reviews with 
them. Last year, during the pandemic, we approached Colonial to 
engage in a Validated Architecture Design Review. That 
conversation was on-going over a period of time. They recently 
submitted their approval to participate in the VADR. It is now 
scheduled for the last week of July of this year. So we have 
conducted----
    Mr. Thompson. So----
    Ms. Proctor [continuing]. OK.
    Mr. Thompson [continuing]. Thank you. My concern is that if 
there is no regulatory requirement for companies to allow TSA 
or whomever to look at their security protocols, they will tell 
you to come back next month, they will tell you to come back in 
6 months. I am just concerned that given the expansion of 
ransomware attacks, a voluntary system without some compliance 
mandated puts us at risk. You don't have to comment. That is, 
you know, my thoughts on it.
    Ms. Proctor. Sure.
    Mr. Thompson. You know, you can have relationships with 
companies, but if that company knows that they don't have to, 
at the end of the day, comply, then I just don't see us working 
to a threshold for security. So, Madam Chair, I yield back.
    Mrs. Watson Coleman. Thank you, Mr. Chairman. I now 
recognize Representative Harshbarger for 5 minutes.
    Mrs. Harshbarger. Thank you, Madam Chair, and Ranking 
Members, and witnesses. I have a question for Mr. Goldstein. 
You know, CISA needs to engage directly with our Nation's 
business leaders, and, my goodness, receiving a voluntary 
program where they will assess their vulnerabilities.
    But most of these companies, you know, they won't do it. I 
totally understand why they are afraid that their customer base 
may see that they have vulnerabilities. They may not want them 
to know that they somehow would have their information 
compromised. There are things like their stock prices may drop. 
They may be afraid that they will be hauled in front of 
Congress if this vulnerability is shown. So I do understand 
that.
    I guess my question is, what is CISA's position on whether 
a victim of ransomware should pay the ransom or not? Who 
decides that?
    Mr. Goldstein. Thank you for that question, ma'am. It is 
the position of the U.S. Government to strongly discourage the 
payment of ransoms. This is the case for 2 reasons. First of 
all, paying a ransom offers no assurance that the victim 
organization will actually have their data restored or have 
stolen data returned. We have seen many instances of ransomware 
gangs either failing to decrypt the data, or providing a 
decryption tool that only decrypts part of the data and still 
leaves a lot of the data locked up and unusable.
    But, of course, the second reason is that these ransomware 
campaigns and these criminal gangs are fueled by ransom 
payments. The more the organizations pay ransom, the more that 
we can expect these criminal gangs to be incentivized to 
continue the scourge of attacks against U.S. critical 
infrastructure. The decision to pay remains with the impacted 
company, and certainly, for many companies, this is a hard 
decision, particularly, if they provide some critical service. 
But these payments, again, provide no assurance of restoration, 
and what is driving these campaigns and these really damaging 
attacks to continue.
    Mrs. Harshbarger. Do you know how many private companies 
have paid ransomware because they were hacked in--you know, a 
lot of companies, even in my district, they don't even report 
it, because of those reasons I gave you initially. You know, 
you can't really track and get an accurate number of how many 
people have been hacked or paid the ransom, because they don't 
want you to know. They have cyber insurance because of these 
ransomware attacks. This is--I mean, it is has gotten out of 
control when our own Government, you have 9 different agencies 
hacked, and they don't really know how it happened. It was an 
outside entity that had to tell us.
    So, there is a lot of reasons, I understand, why private 
businesses won't voluntarily be assessed, even to find out what 
their own vulnerabilities are. Maybe they just don't trust the 
Government. I don't know. But what percentage of companies do 
you have numbers on that report that they have had to pay 
ransomware, or they have been compromised? Do you have a 
number?
    Mr. Goldstein. So, ma'am, we don't have a good number 
today. It gets back to the question that the Chairman raised, 
which is today, you know, it is largely voluntary whether a 
victim of a cybersecurity intrusion, including ransomware 
attacks, does report to either CISA or Federal law enforcement.
    I do want to comment briefly though, ma'am, on your last 
point, which is well-taken, on disincentives for sharing 
information with the Government. Because Congress has already 
acted to largely address many of those concerns, both in the 
Cybersecurity Act of 2015, and in the Critical Infrastructure 
Information Act, both of which provide strong protections for 
information shared by the private sector with CISA, including 
protections from regimes like FOIA, regulatory use, civil 
litigation, et cetera. So, certainly, one of our goals at CISA 
is to ensure broad understanding of these protections and 
ensure companies take advantage of them by reporting both their 
cybersecurity risks and incidents to CISA.
    Mrs. Harshbarger. Yes. This is big business right now, and 
we have got to get a handle on it, and that is why we are 
having these hearings.
    I do have another question. Why--and this is just your 
opinion--why do you think the FBI did not take this committee 
up on our invitation, I guess you could say?
    Mr. Goldstein. Ma'am, I have not discussed that question 
with my colleagues at the FBI, and I wouldn't be able to 
comment.
    Mrs. Harshbarger. Well, that is your opinion. I appreciate 
that. I don't know. How much time do I have left?
    Mrs. Watson Coleman. You have 20 seconds.
    Mrs. Harshbarger. Twenty seconds. Well, I will just yield 
back. Thank, you ma'am.
    Mrs. Watson Coleman. Well, thank you very much. I will now 
recognize Representative Titus.
    Ms. Titus. Thank you, Madam Chairman. Thank you for holding 
this hearing. We certainly realized that we have put this off 
for too long. We need to get on top of it, and the testimony 
has been excellent. We focused on the Colonial Pipeline, but I 
would like to be sure that other kinds of energy infrastructure 
are protected like generating stations.
    I represent Las Vegas, and we have a lot of lights there, 
and we need a lot of sources of energy that are consistent, 
that are persistent that we can count on to serve our 
residents, and also 40 million visitors.
    Now, Nevada Energy is our primary provider of energy, and 
they are doing a lot of investing in renewable energy 
resources. They are developing throughout the State, mostly 
solar, but some wind, which I think is a great thing. But I 
want to be sure that the Government is adequately protecting 
those sources, too, from these kinds of threats.
    I wonder if y'all would comment on what CISA and TSA are 
doing in anticipation of maybe some needs in this area?
    Mr. Goldstein. Yes, ma'am. So, certainly, CISA is deeply 
focused on cybersecurity risks facing the energy sector and 
iteration entities in particular. Of particular note, the White 
House recently announced a 100-day industrial control system 
Cybersecurity Sprint. The first sprint focused precisely on 
this sector recognizing the centrality of the energy grid, of 
course, to our Nation's economy and National security, and the 
potential for a cybersecurity event to cause significant 
disruption.
    You know, certainly, many entities across the electric 
subsector are well-resourced and mature in this space. This is 
a sector that recognizes the risk and has invested accordingly. 
But, certainly, CISA and our colleagues at DOE are deeply 
focused on providing tools, resources, and guidance to this 
sector, recognizing the risks and the need to make further 
investments to stay ahead of our adversaries.
    Ms. Titus. So do you work directly with the utilities? You 
would be working directly with Nevada Energy to help them to be 
sure they are up to speed?
    Mr. Goldstein. Yes, ma'am. I can take back to see if we 
have worked with Nevada Energy recently. But, certainly, we 
work very consistently with individual operators to assess 
their security and make sure they have what they need to be 
secure.
    Ms. Titus. Oh, I am glad to hear that. Any other comment? 
Well, the second question that I have is that I know one of the 
problems that we often have is trying to recruit and train and 
have in the field cyber professionals. I understand that there 
is a program--it is a scholarship program--called CyberCore. 
Now, my district is home to several minority-serving 
institutions. I just wonder how much outreach you are doing, or 
how much work you are doing with those institutions to try to 
attract and train people who are--well have the skills to enter 
into this field that is going to be needed increasingly as we 
go forward?
    Mr. Goldstein. Ma'am, thanks so much for that question. You 
are absolutely correct. Building a deep, diverse cybersecurity 
work force is absolutely essential for us not only getting our 
arms around this risk, but managing it going forward. CISA is 
deeply focused on working with institutions across the country, 
but particularly minority-serving institutions, HBCUs, and 
community colleges, to make sure that those schools have 
curriculum, have training, have resources, and assistance so 
that they can train the next generation of cybersecurity 
professionals.
    Certainly, we are focusing in that regard, not only 
training that work force so that they can join Federal service, 
including through the programs like Scholarship for Service, 
but, also, ensuring that we are driving and catalyzing a robust 
educational community around the cybersecurity work force at 
all levels of education to ensure that we are educating people 
today, so that they can be well-equipped for the jobs of 
tomorrow.
    Ms. Titus. I am going to reach out to the campuses in my 
district about this CyberCore program and see what they are 
doing. Then can I have them get in touch with your office or 
somebody there to find out how they might enhance that, and 
maybe get the word out more and be sure people--students in 
there know that they can apply for this kind of program.
    Mr. Goldstein. Yes, ma'am. Most certainly.
    Ms. Titus. Thank you. Thank you, Madam Chairman, I yield 
back.
    Mrs. Watson Coleman. I want to take this opportunity to ask 
Ms. Proctor a question that I tried to ask when our system went 
down. Ms. Proctor, are you there?
    Ms. Proctor. Yes, ma'am, I am.
    Mrs. Watson Coleman. Oh, thank you very much. You know, 
given that operators will only be required to self-assess their 
compliance with TSA guidelines, how would TSA verify the 
information provided, and what will the consequences be if the 
pipeline operator misrepresents their cybersecurity practices 
to the TSA?
    Ms. Proctor. Thank you so much for that question, because I 
think it is important to know that in the first security 
directive we have issued, there is a requirement for companies 
to conduct a self-assessment as part of those requirements that 
security directors want. However, we are continuing to develop 
additional measures for pipeline companies. We are developing 
now a second security directive, which will have the force of a 
regulation. That one will require more specific mitigation 
measures, and it will ultimately include more specific 
requirements with regard to assessments.
    The second security directive is going to be an SSI 
directive, because of the nature of the mitigating measures 
that are going to be required within there. But these are also 
subject to inspection by TSI inspectors. We have a cadre of 
service inspectors that we have trained that underwent training 
at PHMSA Training Academy for pipeline operations. We have a 
subset of them who have also undergone cybersecurity training. 
They just recently completed an in-residence course at Idaho 
National Lab. So they have both pipeline operations training 
and cyber training.
    Ms. Titus. Thank you.
    Ms. Proctor. Those will be the individuals who will be 
ensuring that the pipeline companies are adhering to what is 
required in those security directives.
    Mrs. Watson Coleman. Thank you. Yes or no, do you all have 
the resources and personnel that you need to be able to ensure 
the accountability measures that we think are important?
    Ms. Proctor. Yes, ma'am, we do have those resources now.
    Mrs. Watson Coleman. OK. Thank you. Thank you very much.
    Now, I would like to recognize Mr. Van Drew from New 
Jersey.
    Mr. Van Drew. Thank you, Madam Chair. I have just some 
questions, and some of them may seem a little repetitive, but I 
really want to tack this down.
    For Sonya Proctor from the TSA, I understand there are 
growing concerns that the TSA [inaudible].
    Mrs. Watson Coleman. Congressman, Congressman, can you 
unmute? I guess while we are trying to work this out, I will 
recognize Representative Clyde.
    Mr. Clyde. Thank you, Madam Chair, for holding this 
hearing. This question is for Eric Goldstein. Mr. Goldstein, 
the subcommittee held a hearing last month on the ransomware 
crisis with experts from the private sector, and former 
Director Krebs responded to a question of mine about how CISA 
gets word out about its great services. He said that marketing 
is not an area of strength for the agency.
    Considering the recent attacks where CISA has not been 
directly involved, I think it is important that business 
leaders, critical infrastructure companies, and State and local 
governments are aware of CISA and its great services. So, my 
question to you is how many dedicated marketing professionals 
does CISA have? If I may, sir.
    Mr. Goldstein. Thank you, sir. So I don't have an exact 
number on the size of our relative external affairs team. I am 
happy to get that back for you. What I would say is fully agree 
with the general point. It is absolutely critical for CISA to 
make sure that every company in this country, as well as every 
SLTT government partner understands the services that we are 
offering and understand how our services can help them drive 
down cybersecurity risks and the investments that they need to 
make. So, certainly, we need to do more to convey that message 
to every corner of this country, and part of doing that is by 
having, as you frame it, sir, marketing campaigns that make 
sure that the word gets out effectively. So that is an area of 
urgent investment for us. The point, sir, is very well-taken.
    Mr. Clyde. OK. Well, because the more I learn about you, 
the more I like you. OK. So I want to make sure that the entire 
Nation knows just what outstanding services you provide. So, I 
strongly encourage you to have a very good media campaign, 
because I think our business is needed. OK? We need to know 
that CISA is there really to help. Tell me, does CISA have a 
position on whether the victim of ransomware attack should pay 
ransom?
    Mr. Goldstein. Sir, we do. We advocate that victims--we 
strongly discourage victims from paying ransom. As noted, I 
think, from a prior question, that is for 2 reasons. First, 
because there is no guarantee that victims will have their data 
restored. Second, of course, because paying ransoms is exactly 
what these criminal gangs want. Paying ransoms only further 
incentivizes these sort of damaging attacks to continue.
    Mr. Clyde. OK. Does CISA have an offensive capability?
    Mr. Goldstein. We do not, sir. We are purely a cyber 
defensive organization.
    Mr. Clyde. OK. Last week, I asked FireEye senior VP Charles 
Carmichael if his company would be willing to work with the 
Federal Government in helping secure a network. He stated that 
he would certainly be interested in the opportunity. Mr. 
Carmichael also stated that he believes the attacks on the 
Colonial Pipeline and JBS Foods originated overseas. Does CISA 
work with the private sector regarding any intelligence sharing 
or threat assessments to safeguard private or public networks?
    Mr. Goldstein. We do, sir. We have deep relationships with 
many, if not the vast majority of the Nation's leading 
cybersecurity companies, internet companies, cloud providers to 
do just the work you describe. Sharing and exchanging of 
information that these companies are learning about 
cybersecurity risks affecting their customers, fusing that 
together with what CISA is learning from Federal networks, and 
what we are learning from our partners elsewhere in government, 
and developing that common operating picture of cybersecurity 
risks.
    We have made real investments there, but there is certainly 
more work to do to ensure that we have that deep visibility we 
need to understand risks that are impacting our country.
    Mr. Clyde. OK. Would you agree with his assessment that 
these attacks were perpetrated from overseas, all of them, or 
any of them from this country that you know of?
    Mr. Goldstein. Sir, as a general matter, many of these 
ransomware gangs are domiciled overseas. I am not able to speak 
about any particular act in this committee, sir.
    Mr. Clyde. OK. Do you have any evidence that would suggest 
that they are sponsored by a foreign state?
    Mr. Goldstein. Sir, in general terms, these criminal groups 
are seeking financial gain, and are generally not seeking any 
sorts of strategic ends sought by nation-states.
    Mr. Clyde. OK. If CISA doesn't have an offensive 
capability, do you know does one exist in our country 
somewhere?
    Mr. Goldstein. Sir, there are various other Federal 
agencies that do exercise under their own authorities the 
ability to disrupt adversaries using cyber means, including 
within the Defense Department. I would, of course, defer to the 
departments for further detail in their committees.
    Mr. Clyde. OK. Do you coordinate with any of those to 
assist them?
    Mr. Goldstein. Yes, sir. We work very deeply across the 
interagency, with Federal law enforcement, with the Defense 
Department, and other partners to ensure that we are sharing 
information, and that all of our activities across the 
Government are well-coordinated and aligned.
    Mr. Clyde. OK. All right. Well, thank you very much, sir, I 
appreciate your responses in that. With that, I yield back.
    Mr. Goldstein. Yes, sir.
    Mrs. Watson Coleman. Thank you, Representative Clyde, for 
raising that issue because I was just talking about that 
myself. I think the capacity to be able to be on the defense is 
something we really do have to drill down a little bit better 
on.
    Mr. Langevin.
    Mr. Langevin. Very good, Madam Chair, can you hear me OK?
    Mrs. Watson Coleman. Yes.
    Mr. Langevin. Very good. Madam Chair, thank you holding 
this joint hearing. I want to thank our witnesses for their 
testimony today and for the important work that they are doing.
    Mr. Goldstein, let me start with you if I could. Last week, 
in front of this committee, I was so bold as to offer CISA's 
service to the CEO of Colonial Pipeline, and he refused them. 
So, I urged him certainly to reconsider, as he says, he is 
acting for the good of the country. So that being said, I just 
want to confirm that the offer is still on the table. So, Mr. 
Goldstein, just to confirm, CISA stands ready to offer 
assistance on the networks of the Colonial Pipeline if your 
services are requested, correct?
    Mr. Goldstein. Yes, sir, we stand ready to support any 
entity providing critical services in this country, including, 
of course, Colonial.
    Mr. Langevin. Thank you. Thank you. So Mr. Goldstein, now I 
know that CISA is a relatively new agency, and not everyone is 
familiar with the services that you offer. Can you help the 
committee understand what value you bring to entities when they 
invite you onto their networks following a breach? Furthermore, 
what benefits to other critical infrastructure owners and 
operators across various sectors can CISA bring to the table by 
having on-network presence? I hope that the CEO of Colonial is 
watching. Maybe this will encourage him to invite you in once 
and for all.
    Mr. Goldstein. Indeed. Thank you for that question. Sir. 
The way you framed it is exactly right. First and foremost, it 
bears noting that we do encourage organizations that are 
victimized by cybersecurity incidents to bring on a third-party 
private response provider if they are so inclined. We work very 
frequently closely in tandem with private incident response 
firms to conduct a joint response.
    So CISA's role is not replacing the extraordinary talent in 
the private cybersecurity market, but is, instead, additive 
there, too. That is the case really in 2 ways. The first is in 
supporting a victim of a cybersecurity intrusion, we are able 
to bring to bear information from other Federal agencies, and 
from what we have learned across incidents affecting the 
Federal Government, and our other partners, and enrich the 
incident response that may be already undertaken by the victim 
itself or their third-party provider. So, we can complement and 
add to the incident response, bringing some unique information, 
and in the case of incidents, that impact control systems, some 
unique expertise and capability. In fact, our team that is 
focused on control system cybersecurity is actually one of the 
oldest and most expert teams doing that kind of work.
    So, in the first instance, we can be deeply complementary 
to and additive to the work already going on by an 
organization. Of course, if a victim chooses not to bring on a 
third party and seek CISA's help, foundationally, we can 
certainly provide the primary incident response role as well.
    But as you note, sir, our role extends far more broadly, 
and we are focused on managing National risks and ensuring that 
a cybersecurity intrusion that impacts one entity doesn't 
spread across others. Certainly, organizations should think of 
this as even if you are not a victim today, you may be one 
tomorrow. If you are one today, that doesn't mean that you will 
not have an intrusion again in the future.
    So, organizations should certainly see this as an issue of 
National interest where the more information that CISA can 
receive in the early days of an incident by being part of the 
incident response and part of that initial assessment, that 
lets us move more quickly to glean information, glean those 
technical indicators that we can then share either in a focused 
way with organizations that may be directly impacted based upon 
their sector, their technology footprint, their geography, or 
broadly and nationally, and even internationally, to raise the 
cost for adversaries and ensure that they are not using these 
same tactics, these same indicators over and over again.
    Mr. Langevin. Thank you for that. Before my time expires, 
Mr. Goldstein, we have seen press reports that third-party 
incident responders suggested not bringing the Government in. 
Do you find that outside cyber consultants tend to work 
cooperatively with CISA in emergency situations like this one 
with Colonial, for example, or do they bring their clients' 
reservations about Government involvement?
    Mr. Goldstein. So we do find in general, sir, that 
certainly, most of the major cybersecurity providers in this 
country work collaboratively with CISA. We have deep 
relationships with many of them and have on-going operational 
collaboration around significant campaigns and significant 
threats, and, certainly, would discourage any company or third 
party from deciding not to share information with the 
Government.
    As noted throughout this hearing, this really at this point 
is both an issue of National security and public health and 
safety. The more that U.S. Government can understand this risk 
and take urgent action and mitigate it, the more we can drive 
down this trend over time and protect our people.
    Mr. Langevin. Thank you.
    Mrs. Watson Coleman. Thank you for the question. The 
gentleman is out of time. Thank you.
    I understand Mr. Van Drew is now available to be recognized 
for 5 minutes. Mr. Van Drew.
    Mr. Van Drew. Thank you. I will give this a shot again. We 
had some technical issues. So, although, Congress gave the TSA 
authority [inaudible] over pipeline [inaudible] in 2001 have 
recently been efforts to transfer its authority to the 
Department of Energy [inaudible]----
    Mrs. Watson Coleman. Mr. Van Drew is having technical 
problems again. We cannot hear you. So I will recognize 
Representative LaTurner.
    Mr. LaTurner. Thank you, Madam Chair. My question is for 
Mr. Goldstein. Mr. Goldstein, how are you doing today?
    Mr. Goldstein. Doing well, sir. Thank you.
    Mr. LaTurner. Good. Thanks for being with us. Could you 
help us understand how many, just the scope, in the Federal 
Government, of how many different Government agencies are 
dealing with cybersecurity ransomware, either on an offensive 
or defensive nature?
    Mr. Goldstein. Certainly, sir. So the existing model for 
Federal Government cybersecurity is--in the first instance, 
there are 2 agencies that are focused on cybersecurity incident 
response, and that is CISA, as they lead for asset response, 
which are efforts to understand and mitigate the immediate 
impacts of an incident, and then help to protect others. Then 
our colleagues at the FBI, who are the leads for threat 
response and focused on understanding the adversary, and then, 
of course, taking actions to disrupt or impose costs.
    Apart from CISA and the FBI, there are a number of Sector 
Risk Management agencies that bring to bear specialized 
authorities in their sectors that may support CISA and the FBI 
for a cybersecurity incident affecting their sector. Then, of 
course, apart from these civilian space, both the Department of 
Defense and our Nation's intelligence community have unique 
authorities to either gather information about adversaries who 
are seeking to damage our country through cyber means, or, of 
course, take other measures to impose costs on our adversaries 
wherever they may be.
    Mr. LaTurner. The Colonial Pipeline CEO recommended that 
there be designated a single point of contact to coordinate the 
response to cyber attacks and incidents at large. What is your 
reaction to that?
    Mr. Goldstein. So sir, our goal as a U.S. Government is to 
make this as easy as possible for victims on cybersecurity 
incidents. Certainly, today if an organization calls CISA, if 
they call the FBI, if they even call their Sector Risk 
Management agency, they should get the same response.
    So, we have worked deeply within the Federal Government to 
ensure that we are providing victims of cybersecurity incidents 
with all of the resources that the Federal Government can bring 
to bear. I think that this actually worked fairly well in the 
context of the Colonial intrusion where, you know, there was a 
wide breadth of Federal agencies based upon the unique 
attributes of this incident. But those agencies collaborated 
well together behind the scenes. Colonial was able to interact 
with a handful of agencies, and not, frankly, the full breadth 
of agencies with some authority to manage an incident of this 
complexity.
    But certainly to your point, we can always do more to make 
this clearer in the private sector, and make sure that the 
activity of reporting an incident in the Federal Government, 
and engage in our health is as frictionless as possible and as 
simple as possible.
    Mr. LaTurner. I talked to people in the private sector in 
my State that this has happened to, and it has happened to a 
lot, and the number seems to be growing. So, it is a great 
concern to me that the Federal response to this can be kind-of 
clunky. It has been described, or suggested by some, that we 
have one person that coordinates this and have the ability to 
control the budgets of all of these other entities. Do you have 
a response to that?
    Mr. Goldstein. So, sir, I think the answer is----
    Mr. LaTurner. There is some precedence for it in the past 
as well. I am sorry. Go ahead, Mr. Goldstein.
    Mr. Goldstein. Sure. Certainly, sir. So, certainly, the 
various agencies involved here, and certainly CISA and FBI have 
been the lead for cyber asset response, have unique authorities 
and unique capabilities to bring to bear. But you said it had 
the opportunity to hear testimony from our nominee for National 
cyber director just last week. That role, I think, will also 
help further codify the structure and the engagement model, and 
further streamline the manner in which the Federal Government 
engages with all manner of entities.
    So we are looking forward both to the speedy confirmation 
of the National cyber director, as well as director for CISA. 
Both of those individuals, I think, will help the Government 
further mature our processes to simplifying engagement with the 
private sector.
    Mr. LaTurner. Do you think that that solves the problem, 
though? Because, I think, from my perspective, it can still put 
us in the exact position that we are in right now. Maybe 
improve it, right? But at the end of the day, it is concerning 
to me that we don't have one point of contact who controls the 
budgets who can force these different bureaucracies to come 
together and make sure that our response in the United States 
is clear and concise and efficient. Do you think that those 
confirmations fix that problem?
    Mr. Goldstein. I think that we are making progress over 
time in significant ways. I will say, sir, I was in this agency 
5 years ago. Having recently come back in, we have made 
significant progress in the intervening time. I think the 
confirmation of both the new CISA director and the National 
cyber director will make another significant step forward in 
our ability to offer these sort-of simplified, cohesive 
engagement model that you described. But, assuredly, we will 
have more work to do because this is a deeply evolving space, 
and as the U.S. Government, we will have to evolve the pace.
    Mr. LaTurner. Thank you for your----
    Mrs. Watson Coleman. Mr. LaTurner, your time has expired. 
Thank you. The Chair recognizes Representative Slotkin.
    Ms. Slotkin. Thank you, Madam Chair. Thanks for our 
witnesses for being here. Two very different questions. So, you 
know, after the Colonial Pipeline was attacked, I went to all 
of the CEOs of the pipelines that criss-cross through Michigan, 
both over land and over sea, or under our inland seas, and 
asked them, like, what they were doing in the wake of the 
Colonial attack to improve their own cybersecurity, learning 
from the painful example that Colonial was offering us.
    I know that we put in these new procedures at the end of 
May. So, I just want to understand, in a very concrete way, 
what actually happened? Let's say, Enbridge, which is a big 
pipeline company that goes under the Straits of Mackinac, a 
very sensitive place in Michigan's Great Lakes. Let's say they 
are attacked. What is the actual procedure? Tell me the 9-1-1 
process from the moment they are attacked in terms of engaging 
with Federal agencies? Whoever is the responsible party should 
take that one.
    Mr. Goldstein. Sorry, ma'am. I will take it first, then I 
will yield to my colleague. Under--and I will defer to my 
colleague if this pipeline is in scope for the TSA directive. 
But the TSA directive does require a certain set of pipeline 
entities to report cybersecurity intrusions centrally to CISA. 
Upon receiving such a report, CISA triages the report based 
upon a standard methodology to assess the criticality of the 
incident, based upon risk to the country, the nature of the 
entity, the nature of the intrusion, and then certainly for an 
incident affecting an entity of the criticality that you note 
we would likely offer some measure of incident response or 
threat hunting assistance.
    Now, I will note in this case it would still remain 
voluntary for this pipeline entity to accept our assistance. 
This entity could say, they have chosen to engage a third 
party, and that is how they want to engage their response. Now, 
even in that model, we would still encourage them to share 
information with us urgently so we can help them with the 
response and protect others. I am sorry, ma'am. Go ahead.
    Ms. Slotkin. As a requirement, just so I understand, is it 
true that within 12 hours now, they must contact CISA? Is that 
the sort of requirement with the new rules that were put in 
place at the end of May?
    Mr. Goldstein. Ma'am----
    Ms. Proctor. Yes, ma'am.
    Ms. Slotkin. OK. Perfect. So just so I understand, that is 
the 9-1-1 call they must make within 12 hours if they detect 
some sort of cyber intrusion. OK. I know it depends on the type 
of pipeline, but I understand.
    Then a completely different question on sort-of the eve of 
a big meeting between President Biden and Vladimir Putin, where 
Putin had suggested that there be some sort of trade for groups 
that are conducting ransomware attacks, you know, from Russia, 
and groups that are allegedly conducting ransomware attacks 
from the United States.
    Can you confirm for me--I know you are defensive and not 
offensive in nature, I know that you are not law enforcement--
but, Mr. Goldstein, can you confirm in one sort-of yes or no, 
the United States of America has the ability to go after any 
criminal actors who are conducting ransomware attacks, here or 
abroad?
    Mr. Goldstein. Ma'am, that question will get into the 
authorities vested in Federal law enforcement, which I am not 
able to answer.
    Ms. Slotkin. OK. Have you seen the Russians do anything to 
try and clamp down on ransomware actors emanating from their 
soil?
    Mr. Goldstein. Ma'am, I think, what I can say, generally, 
there is, you know, we strongly encourage all countries to take 
urgent action against ransomware actors operating within any 
country. The trend that we have seen of ransomware attacks over 
the past year suggest that such acts across the board is not 
being taken.
    Ms. Slotkin. Right. So it is more--I understand it is not 
your jurisdiction. I guess I just want to make the point that a 
trade between Vladimir Putin and Joe Biden makes zero sense. 
Because we actually go after our criminals. We actually would 
take action if we had a ransomware group that were threatening 
other countries, that were attacking Russia, or attacking a 
European ally, or attacking China, that we would go after them, 
unlike the Russians, who have taken, at best, limited action 
against those, who we know, who we have said publicly, are 
attacking United States infrastructure.
    So it is more of a statement. I just feel like this--until 
we get to the root of the problem that no action is being taken 
often by the Russians and the Chinese against actors emanating 
from their soil, we are going to keep having this conversation 
over and over again. I know I am out of time. I will leave it 
at that. Thanks very much.
    Mrs. Watson Coleman. Thank you. We will now recognize 
Representative Luria for 5 minutes. Thank you.
    Mrs. Luria. Thank you, Madam Chair, and the Chairs and 
Ranking Members of both committees for having this important 
hearing. I was reviewing one report, and I saw that there were 
over 304 million ransomware attacks world-wide in 2020. That 
was a 62 percent increase from 2019.
    So the recent Colonial Pipeline ransomware attack was, 
obviously, not the first we have seen against critical 
infrastructure, but it spurred the fuel shortages across the 
Eastern Seaboard for several days. At the local level, I was 
seeing impacts like this as well in my district. For example, 
the Hampton Road Sanitation district suffered a ransomware 
attack last November that disrupted billing across the service 
region for several weeks.
    I think that we can all agree that ransomware attacks are a 
National security crisis. As Chairman Thompson noted last week, 
the Colonial Pipeline ransomware attack raised serious 
questions about the cybersecurity practices of our critical 
infrastructure owners and operators, and whether the voluntary 
cybersecurity standards are sufficient to defend ourselves 
against these types of cyber threats.
    So I wanted to the ask the question of our witnesses today. 
With regards to our critical infrastructure owners and 
operators, such as those that operate pipelines, what evidence 
do you and other agencies have that the organizations you 
oversee actually understand the extent of their cybersecurity 
risk?
    Ms. Proctor. We offer briefings to owners and operators of 
critical infrastructure. Based on the threat that has been made 
clear over the last several years, we have arranged Classified 
briefings for owners and operators of infrastructure to ensure 
that they understand the nature of the threat. We also have 
provided assessments, vulnerability assessments, so that they 
can identify and then close those cybersecurity gaps to make 
themselves less likely to be a successful target for those who 
would be likely to launch those kinds of intrusions.
    We also work with owners and operators to conduct 
exercises, so that they can actually exercise their plans. It 
is one thing to have plans on paper. It is another thing to be 
able to exercise those both within your company, and within the 
region or with others in your industry.
    So, we have a layered approach, both in terms of providing 
education, assessments, exercises to exercise those plans, and 
to be able to continue to inform of emerging threats, and to 
keep the cycle of both informing, exercising, and updating 
plans to keep that process under way.
    Mrs. Luria. Well, thank you. I mean that does sounds like a 
good resource, and a good way for them to understand the 
potential threats, the emerging threats that helped developing 
plans. But can you clarify--am I understanding that this is 
still all voluntary on behalf of the company?
    Ms. Proctor. Well, currently, we certainly started out with 
the Pipeline Security Guidelines which were not mandatory. But 
as of May 28, we issued our first security directive, which has 
the power of regulation. We are in the process now of 
developing our second security directive, again, which will be 
mandatory, which will have more specific mandatory mitigating 
measures that will be required by owners and operators. That 
directive is going to be very specific. So there is going to be 
marked as an SSI document, security--excuse me, Security 
Sensitive Information. So that one will have a lot more detail 
and will be rather prescriptive in terms of the mitigation 
measures required.
    Mrs. Luria. Well, thank you. Just in the last couple of 
seconds remaining, do you have a good assessment for all of the 
operators of the major pipelines? Do you know where they are on 
a scale that shows both their awareness and preparedness, their 
plans, their training that they have completed in order to 
execute plans, and is that something you are tracking so that 
kind-of within the network of pipelines around the country, you 
know where the biggest vulnerabilities exist?
    Ms. Proctor. Within the network of critical pipelines, we 
have conducted Corporate Security Reviews and Critical Facility 
Security Reviews with most of them. So we do have a good 
baseline for them in terms of where they are with regard to 
their corporate plans, their cybersecurity plans, and also, 
with their critical facilities in the field. So both are 
assessments that we continually perform with owners and 
operators in the pipeline community.
    Mrs. Luria. OK. Well, thank you very much. Ma'am, my time 
has expired. I yield back.
    Mrs. Watson Coleman. Thank you very much. The Chair 
recognizes Representative Rice.
    Miss Rice. Thank you so much. Mr. Goldstein, I know that 
Chairman Thompson had asked you some questions about, you know, 
additional resources and such. I mean, it is clear that, you 
know, your agency has issued extensive ransomware guidance and 
led efforts such as the Reduce the Risk of Ransomware Campaign 
to help owners and operators of critical infrastructure prepare 
for ransomware threats. But we also know that, you know, the 
Colonial hack demonstrates that even when companies are willing 
to self-report and engage with law enforcement after a 
ransomware attack, they may not report to, or engage directly 
with CISA. I think that is one of the issues we need to address 
here.
    So, is this something that, you know, CISA is not being 
clear enough to owners and operators about the value added that 
you could bring to their protection of their, you know, 
critical infrastructure? Or is it just that they are saying 
thanks, but no thanks.
    Mr. Goldstein. There is certainly more that we can do to 
make sure that companies across sectors understand the unique 
value proposition, which we discussed in response to 
Congressman Langevin's question, about engaging CISA and the 
way that that value is unique and additive to engaging a third-
party response firm, and additive to engaging with Federal law 
enforcement. We worked very closely with our partners in law 
enforcement and often conduct joint responses, because we are 
achieving different mission objectives where we support a 
victim organization. So, certainly continuing to clarify the 
value proposition that CISA brings to the table, and 
differentiating that and showing that it is complementary to 
engaging other partners, I do think is a critical area for the 
work for the agency.
    Miss Rice. What percentage of ransomware attacks would you 
say get reported to CISA?
    Mr. Goldstein. So, ma'am, as noted, due to the real 
challenge we have here with visibility, we don't have a good 
number there. What I would say is after recent intrusions of 
Colonial, JBS Foods, et cetera, we are seeing a real increase, 
both in organizations that are reporting incidents, and also in 
organizations that are availing themselves of CISA's guidance 
and best practices. As just one example, in the week after the 
Colonial intrusion, I think we saw increased views of our 
ransomware guide, I think, something like 400 percent for that 
week after.
    So, we are seeing organizations across the country 
recognize this risk and recognizing that CISA is a source of 
support and expertise. We just need to make sure that that 
continues, and that we reach again into every corner of the 
country going forward.
    Miss Rice. Well, I agree with that, Mr. Goldstein, but I 
also think it is also really important for whatever Federal 
agency it is that gets contacted by an operator of a critical 
piece of infrastructure in this country, that whether they take 
it to the FBI--if the FBI brings in CISA, and whatever other 
agency, Federal agency we need to partner with to address this 
as comprehensively as possible. I hope that that is what the 
practices is--or if it isn't, will be, going forward.
    Ms. Proctor, just in the past few weeks, a ransomware 
attack against a Massachusetts ferry operator shut down travel 
between the State and its islands. It was revealed that hackers 
had breached the networks of New York's MTA on whose trains my 
constituents work and ride every day.
    Now, neither of those hacks posed a risk for passenger 
safety, but, you know, cyber attacks targeting mass transit, 
railways, aviation, they have the potential to put travelers at 
risk, and would be massively disruptive to society writ large. 
So can you, specifically, discuss the recent ransomware attack 
against the MTA?
    Ms. Proctor. Yes, ma'am. As a matter of fact, I can. After 
that incident, I actually did speak with New York's MTA's CISO. 
I did learn from speaking with him that the attack was not 
considered to be successful. They did not actually access 
information in the system. They did not make a demand for 
ransom. They did not acquire information from the MTA. The 
example that the CISO used would be that the ransomware 
intrusion opened the screen door, but did not get in the front 
door.
    Miss Rice. OK. So thank you.
    Ms. Proctor. That was the example that they used. They did 
not acquire anything in that attack.
    Miss Rice. Thank you for that clarification. I think it is 
really important for TSA to engage with MTA and other public 
transit agencies on security measures, and cybersecurity, in 
particular, not just private-sector companies who are running 
pieces of critical infrastructure. Thank you both so much, and 
I yield back the balance of my time.
    Mrs. Watson Coleman. Thank you. I recognize Mr. Gottheimer 
from New Jersey.
    Mr. Gottheimer. Thank you, Chairwoman Watson Coleman also 
from New Jersey, and Chairwoman Clarke for recognizing me and 
arranging today's important hearing on cyber threats to 
pipelines.
    The recent ransomware attack on the United States' largest 
fuel pipeline, Colonial Pipeline, I think many Americans across 
these East Coast experience a rush on gas and long lines at the 
pump because of the collective failure to secure our critical 
infrastructure from hackers, as we have heard time and time 
again today and before.
    I think it is fair to say that Colonial had serious 
security flaws, including an outdated VPN system which 
permitted ransomware hackers to breach Colonial systems that 
required dual-factor authentication. But I am also concerned 
that Colonial's spotty record of engagement with TSA, which 
since 9/11, has been tasked with securing our pipelines by 
conducting voluntary assessments of private operators.
    If I can ask Assistant Administrator Proctor, we may know 
that on multiple occasions prior to the attack on May 7, TSA 
requested cybersecurity assessment of Colonial's system, but 
Colonial repeatedly punted, and has yet to participate in these 
assessments. Can you please compare TSA's experience with 
Colonial to the cooperation you received from other pipeline 
operators?
    Ms. Proctor. Yes, sir. I would speak to that in that the 
experience we have had with Colonial is--it is for the request 
that they have made to reschedule, not unusual during the 
pandemic. During the pandemic, there were a number of companies 
that had limited personnel on-site. They considered their 
personnel on-site to be essential personnel. They did restrict 
them from a lot of interaction with outsiders. So Colonial had 
postponed a discussion to get a scheduled date for their VADR 
assessment.
    The postponement was not unusual for other companies. Other 
companies did go through. We did pivot, and we did manage to 
find a way to conduct the VADR virtually. So we were able to 
schedule those in other cases.
    The Colonial discussion was postponed because they were 
installing some new software. At one point, they were doing 
some other updates, and we had a focus in March. They had asked 
for about 6 weeks to complete some cyber updates. The 6 weeks 
was actually a week after the incident with Colonial. We have 
since focused on getting that date in place. They are now 
scheduled for the last week of July for their Validated 
Architecture Design Review.
    Mr. Gottheimer. Got it. Has a pipeline ever flat-out 
refused to cooperate with an inspection or assessment, or tried 
to limit the scope of what you are assessing?
    Ms. Proctor. No, it wasn't a refusal, it was rescheduling 
the discussion so that they could deal with personnel issues. 
At one point, we had a conversation set with them, and they had 
several employees that were COVID-impacted. So they delayed 
that.
    Mr. Gottheimer. I am sorry to interrupt. I was just going 
to ask, is that similar in terms of others' ever having done 
the same thing where they have delayed? Have others refused? 
Other pipelines? Is this consistent, with the last little extra 
time?
    Ms. Proctor. We have had other delays, but we have gotten 
to the point where we have done those assessments. We had 
worked out a way to do them virtually, so it made this more 
manageable for the company, even though they were trying to 
protect their essential employees from engaging with outsiders.
    Mr. Gottheimer. Got it. Thank you so much.
    Mr. Goldstein, you recently witnessed a series of attacks, 
not just against pipelines, but also against mass 
transportation infrastructure. Clearly, we need robust 
cybersecurity standards for the transportation sector writ 
large. What additional measures can we take to protect this 
sector not just from ransomware hackers, but, also, determined 
nation-state adversaries like China, Iran, or North Korea?
    Mr. Goldstein. Thank you, sir. The good news here is that 
there is nothing particularly unique about ransomware 
intrusions. The sorts of cybersecurity advisories and best 
practices that are promulgated by CISA and the sorts of 
cybersecurity directives that we impose upon Federal civilian 
agencies are effective against ransomware actors, nation-
states, and really any adversaries.
    In addition, as we think through the more sophisticated 
types of adversaries that may want to cause more lasting damage 
or gain more persistence, that is where a program like 
CyberSentry really comes into play. Our ability to gain 
persistent visibility into cybersecurity risks affecting our 
most critical infrastructure. By broadening and maturing that 
pilot program, we will be able to get more visibility and drive 
targeted action to drive out those risks of intrusions as soon 
as they are identified.
    Mr. Gottheimer. Thank you. I yield back. Thank you so much, 
gentleman.
    Mrs. Watson Coleman. Thank you very much. With that, I want 
to thank the witnesses. Your testimony has been invaluable, 
enlightening, and thank you so much.
    The Members of the subcommittee may have additional 
questions for you all, the witnesses, and we ask that you 
respond expeditiously in writing to those questions. The Chair 
reminds Members of the subcommittee that the committee's record 
will remain open for 10 days. Without objection, the 
subcommittee stands adjourned. Thank you so much.
    [Whereupon, at 4:33 p.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

    Question From Honorable Jefferson Van Drew for Sonya T. Proctor
    Question. I understand there are growing concerns that the TSA's 
performance in pipeline security has been inadequate. Given the recent 
attack on Colonial, I am inclined to share those concerns.
    Although Congress gave the TSA authority over pipeline security in 
2001, there have recently been efforts to transfer its authority to the 
Department of Energy. Do you believe that the TSA should retain its 
authority, and what assurance can you provide us that the TSA will 
expand and improve on its Pipeline Security Guidelines?
    Answer. Response was not received at the time of publication.
     Question From Honorable Jefferson Van Drew for Eric Goldstein
    Question. During last week's hearing, Colonial Pipeline CEO Joseph 
Blount stated that he did not feel like including CISA at this state of 
their response would add much value. Moreover, Colonial chose to hire 
private firms to assist with their recovery efforts from the ransomware 
attack last month instead of working with CISA.
    Does Colonial's decision to hire private companies instead of 
working with CISA concern you?
    Do you feel that CISA maintains a competitive edge in the cyber 
realm? What can CISA improve upon to incentivize organizations who are 
victims of cyber attacks to collaborate with the agency?
    Answer. Response was not received at the time of publication.

                                 [all]