[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]

    OVERSIGHT OF THE FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION

=======================================================================

                                HEARING

                               BEFORE THE

                       COMMITTEE ON THE JUDICIARY

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                        TUESDAY, MARCH 29, 2022

                               __________

                           Serial No. 117-60

                               __________

         Printed for the use of the Committee on the Judiciary

               Available via: http://judiciary.house.gov 
               
                                   _______
                                   
                 U.S. GOVERNMENT PUBLISHING OFFICE 
                 
57-420                    WASHINGTON : 2024 

                       COMMITTEE ON THE JUDICIARY

                    JERROLD NADLER, New York, Chair
                MADELEINE DEAN, Pennsylvania, Vice-Chair

ZOE LOFGREN, California              JIM JORDAN, Ohio, Ranking Member
SHEILA JACKSON LEE, Texas            STEVE CHABOT, Ohio
STEVE COHEN, Tennessee               LOUIE GOHMERT, Texas
HENRY C. ``HANK'' JOHNSON, Jr.,      DARRELL ISSA, California
    Georgia                          KEN BUCK, Colorado
THEODORE E. DEUTCH, Florida          MATT GAETZ, Florida
KAREN BASS, California               MIKE JOHNSON, Louisiana
HAKEEM S. JEFFRIES, New York         ANDY BIGGS, Arizona
DAVID N. CICILLINE, Rhode Island     TOM McCLINTOCK, California
ERIC SWALWELL, California            W. GREG STEUBE, Florida
TED LIEU, California                 TOM TIFFANY, Wisconsin
JAMIE RASKIN, Maryland               THOMAS MASSIE, Kentucky
PRAMILA JAYAPAL, Washington          CHIP ROY, Texas
VAL BUTLER DEMINGS, Florida          DAN BISHOP, North Carolina
J. LUIS CORREA, California           MICHELLE FISCHBACH, Minnesota
MARY GAY SCANLON, Pennsylvania       VICTORIA SPARTZ, Indiana
SYLVIA R. GARCIA, Texas              SCOTT FITZGERALD, Wisconsin
JOE NEGUSE, Colorado                 CLIFF BENTZ, Oregon
LUCY McBATH, Georgia                 BURGESS OWENS, Utah
GREG STANTON, Arizona
VERONICA ESCOBAR, Texas
MONDAIRE JONES, New York
DEBORAH ROSS, North Carolina
CORI BUSH, Missouri

          AMY RUTKIN, Majority Staff Director & Chief of Staff
               CHRISTOPHER HIXON, Minority Staff Director

                                 ------                                
                            C O N T E N T S

                              ----------                              

                        Tuesday, March 29, 2022

                           OPENING STATEMENTS

The Honorable Jerrold Nadler, Chair of the Committee on the 
  Judiciary from the State of New York
The Honorable Jim Jordan, Ranking Member of the Committee on the 
  Judiciary from the State of Ohio

                                WITNESS

Bryan A. Vorndran, Assistant Director, Cyber Division, Federal 
  Bureau of Investigation
  Oral Testimony
  Prepared Testimony

          LETTERS, STATEMENTS, ETC. SUBMITTED FOR THE HEARING

Materials submitted by the Honorable Sheila Jackson Lee, a Member 
  of the Committee on the Judiciary from the State of Texas, for 
  the record
  An article entitled, ``Information for over 6,000 Memorial 
    Hermann patients accessed in security breach,'' KHOU
  An article entitled, ``Medical provider waited months to send 
    patients letters about ransomware attack,'' KHOU
  An article entitled, ``NBA's Houston Rockets Face Cyber-Attack 
    by Ransomware Group,'' Bloomberg
  An article entitled, ``Already in the midst of a crisis, a 
    Houston hospital was attacked by ransomware,'' Data Breaches
  An article entitled, ``Cyberattack briefly shuts down Humble 
    ISD on first day of remote learning,'' KHOU
  An article entitled, ``Landry's Warns Customers of Potential 
    Data Breach,'' NBC DFW
Materials submitted by the Honorable Andy Biggs, a Member of the 
  Committee on the Judiciary from the State of Arizona, for the 
  record
  An article entitled, ``U.S. Deports High-Profile Hacker to 
    Russia Before End of Prison Sentence,'' Wall Street Journal
  A document entitled, ``Critical Infrastructure Sectors,'' CISA
  An article entitled, ``Biden Actually Gave Putin a List of 
    Critical Infrastructure Not to Carry Out Cyberattacks on in 
    US,'' Townhall
  An article entitled, ``Ratcliffe: Biden Handed Putin the Wrong 
    List: `It Should Have Been a List of Our Targets' in 
    Russia,'' CNSNews
  An article entitled, ``Biden gave Putin green-light to 
    cyberattack US when he listed 16 `off-limits' targets, 
    experts say,'' The Sun
  An article entitled, ``Biden's `off-limits' list for Russian 
    cyberattacks criticized as `green light' to target everything 
    else,'' Fox News
  An article entitled, ``Russia may target U.S. business with 
    cyberattacks, Biden warns,'' NBC News
  An article entitled, ``Biden warns Russian cyberattacks 
    `coming,' '' Politico
  A document entitled, ``Statement by President Biden on our 
    Nation's Cybersecurity,'' The White House
  A document entitled, ``Tactics, Techniques, and Procedures of 
    Indicted State-Sponsored Russian Cyber Actors Targeting the 
    Energy Sector,'' Joint Cybersecurity Advisory
  A document entitled, ``TRITON Malware Remains Threat to Global 
    Critical Infrastructure Industrial Control Systems (ICS),'' 
    FBI Private Industry Notification
Materials submitted by the Honorable Matt Gaetz, a Member of the 
  Committee on the Judiciary from the State of Florida, for the 
  record
  A photograph of a document entitled, ``United States Department 
    of Justice Federal Bureau of Investigation Receipt for 
    Property,'' Fox News
  An article entitled, ``Documents appear to show Hunter Biden's 
    signature on $85 receipt for repair of laptops left at 
    Delaware store at center of email scandal--while other 
    paperwork reveals FBI's contact with owner,'' Daily Mail
Materials submitted by the Honorable Sylvia Garcia, a Member of 
  the Committee on the Judiciary from the State of Texas, for the 
  record
  An article entitled, ``Port of Houston target of suspected 
    nation-state hack,'' AP News
  An article entitled, ``Sheldon ISD forced to pay nearly $207K 
    after hackers targeted servers,'' ABC13
  An article entitled, ``Information for over 6,000 Memorial 
    Hermann patients accessed in security breach,'' KHOU
An article entitled, ``Durham Probe Reveals Government Access to 
  Unregulated Data Streams,'' Wall Street Journal, submitted by 
  the Honorable Dan Bishop, a Member of the Committee on the 
  Judiciary from the State of North Carolina, for the record

                                APPENDIX

Hunter Biden's emails, submitted by the Honorable Matt Gaetz, a 
  Member of the Committee on the Judiciary from the State of 
  Florida, for the record

                 QUESTIONS AND RESPONSES FOR THE RECORD

Questions to Bryan A. Vorndran, Assistant Director, Cyber 
  Division, Federal Bureau of Investigation, submitted by the 
  Honorable Eric Swalwell, a Member of the Committee on the 
  Judiciary from the State of California, for the record
Questions to Bryan A. Vorndran, Assistant Director, Cyber 
  Division, Federal Bureau of Investigation, submitted by the 
  Honorable J. Luis Correa, a Member of the Committee on the 
  Judiciary from the State of California, for the record

 
    OVERSIGHT OF THE FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION

                              ----------                              


                        Tuesday, March 29, 2022

                        House of Representatives

                       Committee on the Judiciary

                             Washington, DC

    The Committee met, pursuant to call, at 10:00 a.m., in Room 
2141, Rayburn House Office Building, Hon. Jerrold Nadler [Chair 
of the Committee] presiding.
    Members present: Representatives Nadler, Lofgren, Jackson 
Lee, Johnson of Georgia, Jeffries, Cicilline, Swalwell, Lieu, 
Jayapal, Demings, Correa, Scanlon, Garcia, Neguse, McBath, 
Stanton, Dean, Ross, Jordan, Chabot, Gohmert, Issa, Buck, 
Gaetz, Johnson of Louisiana, Biggs, Steube, Tiffany, Massie, 
Bishop, Fischbach, Spartz, Fitzgerald, Bentz, and Owens.
    Staff present: Aaron Hiller, Chief Counsel and Deputy Staff 
Director; Arya Hariharan, Chief Oversight Counsel; David 
Greengrass, Senior Counsel; Moh Sharma, Director of Member 
Services and Outreach & Policy Advisor; Jacqui Kappler, 
Oversight Counsel; Roma Venkateswaran, Professional Staff 
Member/Legislative Aide; Cierra Fontenot, Chief Clerk; Gabriel 
Barnett, Staff Assistant; Merrick Nelson, Digital Director; 
Christopher Hixon, Minority Staff Director; David Brewer, 
Minority Deputy Staff Director; Tyler Grimm, Minority Chief 
Counsel for Policy and Strategy; Stephen Castor, Minority 
General Counsel; Ella Yates, Minority Member Services Director; 
Elliott Walden, Minority Counsel; Michael Koren, Minority 
Professional Staff Member; Andrea Woodard, Minority 
Professional Staff Member; and Kiley Bidelman, Minority Clerk.
    Chair Nadler. The House Committee on the Judiciary will 
come to order. Without objection, the Chair is authorized to 
declare recesses of the Committee at any time.
    We welcome everyone to this morning's hearing on Oversight 
of the FBI, Cyber Division.
    Before we begin, I would like to remind Members that we 
have established an email address and distribution list 
dedicated to circulating exhibits, motions, or other written 
materials that Members might want to offer as part of our 
hearing today. If you would like to submit materials, please 
send them to the email address that has previously been 
distributed to your offices and we will circulate the materials 
to Members and staff as quickly as we can.
    I will now recognize myself for an opening statement.
    This hearing could not be more appropriately timed. 
Americans today live at a critical juncture in the history of 
cybersecurity. Our schools, businesses, public safety, local 
government, Federal government, public utilities, and critical 
infrastructure all exist at a nexus of threats from cyber-
criminals.
    In the last year, we have experienced attacks that shut 
down a gas pipeline along the eastern corridor, infiltrated 
government email systems, and froze hospital networks during 
the time of greatest need. To tritely describe the threat of 
cyberattacks against the United States as simply great or high, 
as we often do, minimizes the danger we face as a nation.
    Ransomware attacks, in which a hacker encrypts a victim's 
data and withholds the decryption key in exchange for a ransom, 
have skyrocketed in recent years with an estimated 105 percent 
increase worldwide in 2021. American businesses, healthcare 
institutions, and local government entities have borne the 
brunt of ransomware attacks in the United States. An estimated 
37 percent of businesses and over 2,300 schools, local 
governments, and healthcare organizations were hit by 
ransomware attacks in 2021.
    Ransomware attacks against software companies, such as in 
the attack against Kaseya, affect thousands of small business 
clients who often feel the most pain from the destruction of 
data, loss of business, and damage to customer trust. The 
attack against software company Blackbaud, for example, 
compromised thousands of downstream clients, like Christ 
Hospital in Cincinnati and the Children's Hospital of 
Pittsburgh.
    Local government entities such as schools, county elections 
offices, and police departments are often underfunded and 
under-resourced. For many educators, the decision between 
patching software systems and acquiring new textbooks is just 
one of the many painful decisions they have to make in what is 
often a thankless job. In these cases, a grant for new 
technology can mean updating systems and increasing 
accessibility, but also increasing risks with more 
opportunities for hackers to exploit system vulnerabilities.
    The Biden Administration has acted to turn the tide on the 
ransomware and cyberattack threat and the FBI has played a 
central role in shoring up our defensive position. It has even 
begun recovering ransom payments from cyber-criminals as in the 
case of Colonial Pipeline. These successes have not been 
without controversy. After the attack on Kaseya, the FBI 
withheld for weeks the decryption key it had recovered, which 
left many downstream businesses without the tools they needed 
to operate and cost those businesses many millions of dollars 
that could have been avoided had the FBI provided it 
immediately.
    Many people also raised privacy concerns in the wake of the 
attack on Microsoft Exchange. After the FBI discovered that the 
individual networks of private companies had been compromised 
by the Microsoft Exchange intrusion, it obtained warrants to 
alter victims' systems without their knowledge or permission.
    No sector needs more protection than our critical 
infrastructure. In 2021, ransomware was used to attack 14 out 
of 16 critical infrastructure sectors including agriculture, 
financial services, energy, dams, and other often unseen, but 
crucial industries, that buttress American lives and 
businesses.
    In February of 2021, an attacker attempted to poison the 
water in Oldsmar, Florida. In 2017, Russian government-
affiliated cyber-attackers hacked a third-party contractor and 
used the company's email to gain access to part of the American 
electrical grid.
    In April of 2021, Chinese State affiliated hackers reached 
New York's Metropolitan Transit Authority network potentially 
exposing data and showcasing just how vulnerable our transit 
operational systems could be to attack.
    These are real threats. Blackouts and loss of electrical 
service could cripple our country's economy and paralyze our 
ability to respond to an attack. Without significant investment 
in IT systems and training, these industries will remain 
vulnerable.
    The threat does not end there. State affiliated cyber 
threat actors from Russia, Iran, and China have engaged in 
cyber espionage against our government and political systems, 
accessing critical data and loitering on our servers. American 
businesses have suffered breaches by cyber-criminals looking 
for personal data to sell.
    While the Russian invasion of Ukraine has not yet spilled 
over into cyberattacks that affect governments and businesses 
in the United States, President Biden has warned all Americans 
of evolving intelligence that Russia may soon launch 
cyberattacks against the United States. Our ability as a 
country to respond to such an attack rests in the hands of the 
FBI and its partner agencies. The Biden Administration has 
encouraged businesses, large and small, to adopt a shields-up 
posture to defend against cyber threats.
    Because it is the security of private companies, those that 
keep our lights on, provide life-saving healthcare and teach 
our children that will determine the fallout from an attack, we 
must all evolve to better protect our networks. This means 
strengthening our cybersecurity systems by patching 
vulnerabilities, training users how to recognize phishing 
attacks, and increasing network cybersecurity protocols.
    When we invest in our schools', local governments', and 
health-care systems' cybersecurity, we contribute to a safer 
country. We live in a technologically-advanced Nation of early 
adopters with private networks and the freedom to maintain our 
networks however we choose. There is no easy way to mitigate 
all cyber vulnerabilities in the United States, but by engaging 
in meaningful oversight of our nation's cybersecurity defenses, 
this Committee can ensure we are ready to meet any threat head 
on.
    I look forward to hearing from Assistant Director Vorndran 
on what he and his colleagues at the FBI Cyber Division are 
doing to keep our country safe and to engage in an important 
discussion about the threats our networks face.
    I now recognize the Ranking Member of the Judiciary 
Committee, the gentleman from Ohio, Mr. Jordan, for his opening 
statement.
    Mr. Jordan. Thank you, Mr. Chair. Last week, the President 
said a cyberattack from Russia is coming. What has the Biden 
Administration been doing? They released Alexei Burkov, a 
notorious Russian cyber-criminal.
    Here is what has been said about Mr. Burkov. He is an asset 
of supreme importance, one of the most connected and skilled 
malicious hackers ever apprehended by U.S. authorities. What 
did the Biden Administration do six months ago? Put him on a 
plane headed to Moscow.
    Cyberattack from Russia is coming, the President said. What 
has our Justice Department been doing? We know they have been 
spying on Carter Page and not following the FISA rules. How do 
we know that? Because Inspector General Horowitz has done two 
different audits, two different reports that he has given to 
us. Four hundred errors in 29 randomly-selected FISA 
applications, 400 errors in 29 of them. In four of those 29 
applications, there wasn't even a Woods File, which is the file 
you keep that has the underlying supporting evidence for the 
claims made in the application itself.
    A cyberattack from Russia is coming, the President said. 
What has our Justice Department been doing? Not only ignoring 
the FISA rules, but they also don't even follow their own 
rules. We know that from a story two weeks ago where in 
sensitive investigative matters, special cases dealing with 
First Amendment concerns, concerns when they are investigating 
religious groups, investigating candidates, and investigating 
government officials, or the press, 353 cases, 747 errors in 
those cases. Not only are they not following the FISA rule, but 
they also don't even follow their own darn rules. That is why 
we sent a letter asking for the internal audit. We hope that 
will be given to the Judicial Committee, Mr. Chair, so we can 
look at that.
    Cyberattack from Russia is coming, the President said. A 
week ago, what has been going on over at the Justice 
Department? Well, we know this from Mr. Durham. They were 
spying on President Trump's campaign. Mr. Durham just told the 
court that last month. Tech Executive No. 1 spying on not only 
the President Trump's campaign, looks like spying on him during 
the transition period, and potentially even while he was 
President of the United States.
    Cyberattack from Russia is coming and of course, we learned 
just four months ago what was our Justice Department doing? 
What are they still doing? Spying on parents, treating moms and 
dads as domestic terrorists. We had the Attorney General in 
front of this Committee back in October and he misled this 
Committee and said it wasn't going on, but we have now had a 
whistleblower come forward and tell us it is, in fact, going on 
so much so that there was an email sent to FBI agents with a 
threat tag designation that you are supposed to put on parents 
for simply showing up to school board meetings, voicing their 
concerns about what is being taught to their children.
    President Biden says a cyberattack from Russia is imminent, 
it is coming, and what were 51 former intel officials doing 
just a year and a half ago? They were telling us the whole 
Hunter Biden story was false. They told us it was Russian 
disinformation. The disinformation is what they told us, 
something we need to check out. How 51 of them in days before a 
presidential election, tell us a story that The New York Times 
has now said was absolutely true. The laptop was true. The 
eyewitness was real, and the emails and evidence and documents 
were real as well.
    I look forward to today's hearing, hearing from our 
Witness, but I think a fundamental question we have got to ask 
is how do you trust the Department of Justice to protect us 
from cyberattacks when they have been spying on presidential 
campaigns, spying on parents, telling us Hunter Biden was 
Russian disinformation, and releasing the most notorious 
Russian cyber-criminal we have ever had? The simple question I 
am going to have for our Witness is why did we let him go? What 
did we get for that? What kind of a trade--what kind of a--what 
happened there?
    Mr. Chair, I hope we get answers to these key questions and 
hope, again, we have talked about this now for months, we hope 
we can get the Attorney General back here to answer some 
questions about this whole School Boards issue and some of the 
other things I raised in my opening statement. With that, I 
yield back.
    Chair Nadler. The gentleman yields back. Thank you, Mr. 
Jordan.
    Without objection, all other opening statements will be 
included in the record.
    I will now introduce today's Witness. Bryan Vorndran has 
served as Assistant Director of the Cyber Division of the FBI 
since March of 2021. He joined the FBI as a special agent in 
the Washington Field Office in 2003 and has held a variety of 
positions since then including serving as part of the 
International Contract Corruption Task Force in Afghanistan, 
Unit Chief in Counterterrorism Division of FBI Headquarters, 
and leading the Washington Field Office's Joint Terrorism Task 
Force.
    Mr. Vorndran also served as Assistant Special Agent in 
Charge of the Cyber and Counterintelligence Programs at the 
Baltimore Field Office, Chief of the Strategic Operations 
section of the Counter Terrorism Division in Headquarters, and 
later as a Deputy Assistant Director of the Criminal 
Investigative Division.
    Prior to assuming his current position, Mr. Vorndran served 
as a Special Agent in Charge of the New Orleans Field Office. 
Before joining the Bureau, Mr. Vorndran was an engineer for the 
Procter & Gamble Company and for Merck & Company. He earned a 
bachelor's degree in Civil Engineering from Lafayette College 
and a Master of Business Administration from the Ross School of 
Business at the University of Michigan.
    We welcome our distinguished Witness, and we thank you for 
participating today.
    I will begin by swearing you in. I ask that you please rise 
and raise your right hand. Do you swear or affirm under penalty 
of perjury that the testimony you are about to give is true and 
correct to the best of your knowledge, information, and belief 
so help you God?
    Let the record show that the Witness has answered in the 
affirmative. Thank you and please be seated.
    Please note that your written statement will be entered 
into the record in its entirety. Accordingly, I ask that you 
summarize your testimony in five minutes. To help you stay 
within that time limit, there is a timing light on your table. 
When the light switches from green to yellow, you have one 
minute to conclude your testimony. When the light turns red, it 
signals your five minutes have expired.
    Mr. Vorndran, you may begin.

                  STATEMENT OF BRYAN VORNDRAN

    Mr. Vorndran. Chair Nadler, Ranking Member Jordan, and 
Members of this Committee, thank you for providing me this 
opportunity to speak to you today about FBI cyber. Although the 
FBI investigates a wide range of threats, we are here today to 
talk specifically about the cyber threats facing our nation, 
the FBI's place in the U.S. cybersecurity ecosystem, and the FBI's 
valuable role in identifying, disrupting, and imposing costs on 
America's cyber adversaries.
    The FBI Cyber Division turns 20 years old this year and 
over that time the American public has invested heavily to 
ensure the FBI is staffed where it is needed most. Today, we 
have more than 1,000 cyber-trained personnel spread across 56 
field offices and more than 350 sub-offices, and we can now put 
a cyber-trained agent on nearly any doorstep in this country 
within one hour of an attack.
    We have agents located in more than 70 countries working 
with our global law enforcement and intelligence counterparts. 
Some of these agents are dedicated to countering the cyber 
threat full time, while others stand ready to support our cyber 
mission.
    Today, as you know, we are putting the FBI's decades of 
expertise countering foreign intelligence and investigating 
cyber threats in the United States to work against malicious, 
Russian cyber activities. We do not do it alone. Our emphasis 
on disrupting cyber adversaries including through sharing 
information and enabling our partners and our partners enabling 
us is part of the FBI's continued move away from an indictments 
and arrests first mentality toward a playbook where we work 
with the government and industry partners around the world to 
execute joint sequence operations and impose the greatest 
possible costs on our adversaries.
    As this Committee knows more than any others, sometimes an 
arrest and prosecution is the most decisive disruption, like 
earlier this month when we were able to bring cyber-criminal 
Yaroslav Vasinskyi to the inside of the U.S. Federal courtroom 
for his role in the Kaseya attack and the willingness of the 
Justice Department and the FBI to publicly attribute and expose 
damaging cyber intrusions by Russia, China, Iran, and North 
Korea has undermined those governments' denials and created a 
platform for U.S. allies to condemn destabilizing cyber 
activity while also undermining our adversaries' operations.
    Our focus though is investigating based on information we 
obtain from all sources, victims, foreign intelligence 
services, human sources, and our surveillance of adversary 
infrastructure and then pushing it to whoever can do the most 
good for victims here and cause the most harm to hackers 
abroad.
    At the risk of making some enemies on this Committee, I 
will draw a comparison between the FBI's role in the cyber 
ecosystem and an event I attended 30 years ago yesterday when 
Duke beat Kentucky in the 1992 NCAA Men's Eastern Regional 
Final. Sometimes we are Grant Hill throwing the pass and 
sometimes we are Christian Laettner taking the shot. Having 
said that, for the FBI to continue supporting our partners and 
executing successful operations ourselves, we need your 
support, even the Kentucky and North Carolina fans among you.
    As one of our key oversight committees and allies, your 
backing is crucial for our continued growth of authorities and 
resources. First, we appreciate Congress' action to pass a 
mandatory cyber incident reporting law. We are looking forward 
to working with CISA and others to implement this legislation 
in a way that enables law enforcement to use incident reports 
to disrupt our cyber adversaries.
    At the same time, we need to be postured to continue hiring 
and retaining the right people to achieve our goal. At the FBI, 
we have been working hard to identify ways to better attract, 
train, and retain talented tech minds. Although we promote our 
mission to the greatest extent possible, the calling to protect 
American people and uphold the Constitution does not equate to 
paying off weighty student loans or entitle someone to a salary 
competitive with what is available in the private sector. We 
have found our struggles to pay those minds market value, even 
Federal government market value, is often a deal breaker. We 
will continue to work with DOJ, OPM, the Administration, and 
Congress to ensure we are able to properly pay and incentivize 
our cyber workforce.
    While we are trying to fill these seats with talent, 
passion, and patriotism, we are seeing the cyber threat grow 
exponentially and now it touches every program at the FBI. 
Cyberspace is where Nation states go to learn our country's 
secrets, it is where criminals are extorting billions of dollars, 
and it is where wars are being waged. We are now at a critical 
juncture. We must keep pace with the expansion of the tools at 
our adversaries' disposal and we need to see the same sense of 
urgency reflected in funding these programs through increases 
in our base budget.
    Yes, the people and technology the FBI Cyber Division needs 
to keep pace with these adversaries are expensive. They are 
essential investments because cybersecurity equates to national 
security.
    I look forward to working with this Committee on these 
topics and several other issues important to the success of the 
FBI and other U.S. government cyber programs.
    Chair Nadler, Ranking Member Jordan, and Members of this 
Committee, thank you again for inviting me here today and I 
look forward to your questions.
    [The statement of Mr. Vorndran follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Chair Nadler. Thank you for your testimony. We will now 
proceed under the five-minute rule with questions and I will 
recognize myself for five minutes to start off.
    Mr. Vorndran, in September of last year, Howard University 
was forced to shut down much of its web services after a 
suspected ransomware attack took over its systems. The K-12 
schools are also enduring an increase in cyberattacks against 
their systems. Ransomware attacks, in particular, surged last 
year and continued in January. On average, education victims 
pay over $100,000 in ransom payments to decrypt their data and 
regain network access.
    Why are schools and higher education institutions a growing 
target? Who are the most common perpetrators of cyberattacks on 
schools?
    Mr. Vorndran. Sir, I am sorry, what was the second part of 
your question?
    Chair Nadler. Who are the most common perpetrators of 
cyberattacks on schools?
    Mr. Vorndran. Okay. Sir, what we found is that institutions 
or organizations with low cybersecurity budgets, and I think 
public schools for the most part would fall into that space, 
not because they are not trying, but the resources that are 
available to a K-12 school may be different than the resources 
available to a multinational company. It is hard to keep up 
with all the patching requirements, all the new operating 
systems. So, what we see is cyber-criminals really preying on 
targets of opportunity. We see these criminals looking for 
opportunities more than precision attacks against one specific 
entity or one specific sector. So, when those criminals find a 
vulnerability in a traditional sector, they will continue to 
exploit it in hopes that they can make a lot of money off it.
    In terms of who the most common perpetrators are, the 
bottom line is the most common perpetrators are cyber-
criminals. They are global, but the heaviest concentration is 
through Russia and surrounding countries and the Russian 
territories.
    Chair Nadler. Thank you. In 2016, Russia attacked Ukraine's 
Ukrenergo--I hope I pronounced that right--electrical network 
succeeding in causing a blackout, but failing to destroy the 
system. This attack was noteworthy because it was a case where 
the perpetrator attempted to use software to permanently damage 
hardware.
    Can you describe for us how software could be capable of 
destroying a hardware system? Do we know how many entities have 
developed or are seeking to develop this capacity?
    Mr. Vorndran. One of the questions we typically ask is: Is 
there bleed over between what we would define as the IT and OT 
system, essentially the information technology and the 
operational element of a company, of an organization, of an 
entity. So, firmware and hardware, different than software, 
still has the potential to have a lot of vulnerabilities that 
can be exploited by cyber adversaries. So, the software bleed 
over would really be a question of can the software being 
exploited actually affect the operational component?
    To your second part, it is a really, really challenging 
question to answer what the scope and scale of those are. We 
just would point back to the fact that undoubtedly cyber-
criminals are going to work to find vulnerabilities where they 
can have the biggest impact, cause the biggest disruption, or 
make the most money off those vulnerabilities being exploited.
    Chair Nadler. It has been widely reported that on March 
18th, the FBI warned the Federal government of Russian hackers 
scanning the systems of five U.S. energy companies, as well as 
other critical infrastructure. What is the significance of a 
foreign power scanning networks in our energy sector? Have 
instances of Russian scanning increased in the last month?
    Mr. Vorndran. Sir, instances of Russian scanning have 
increased. The significance of that is I would draw a 
comparison to traditional crime. For a criminal to conduct a 
bank robbery, it is undoubtedly true that the criminal is going 
to likely conduct reconnaissance and surveillance to understand 
when the bank may be open, when the bank may be closed, what 
the security posture looks like. The scanning, as you 
described it, really is a reconnaissance space to understand 
what the net defense side of that company would look like and 
whether there are vulnerabilities that can or cannot be 
exploited. It is an extremely important part of the overall 
attack cycle.
    Chair Nadler. Thank you. My final question, can you explain 
for us the different ways the FBI is expanding its responses to 
cyber threats and how it can better serve victims of 
cyberattacks?
    Mr. Vorndran. Sure. We always encourage a couple of key 
things. The first is to build a relationship with your FBI 
Field Office. We are all over this country and international as 
well. For companies in this country, organizations, K-12 
schools would be included there, we encourage those entities to 
build a proactive relationship with their FBI cyber squad in 
their area. We would also encourage them to build a proactive 
relationship with their CISA rep in the area because CISA is 
going to be very helpful as well and has some helpful 
resources.
    Independently of the government, all those organizations 
need to have a defined incident response plan. They need to 
know who they are going to call in the moment they become a 
victim. They need to know who their insurance company is, who 
their attorney is, who they are going to call at the FBI, who 
they are going to call at CISA. We recommend that those are 
exercised every 90 days, not that they are drafted by a general 
counsel and put on the shelf and never thought of again.
    Then the third thing we say is if you do become a victim, 
we would ask that you report. You can report to CISA. You can 
report to the Bureau. It doesn't much matter to us. We will 
synchronize on the back side to make sure that those companies 
have the weight of the U.S. government.
    In terms of things that we can do, sir, the list is 
potentially endless. We have been asked to help with the media 
before. We are willing to do that. We have been asked to help 
with victim services, if somebody is not going to get a 
paycheck, we are willing to do that. We have been asked to help 
take servers offline. We are willing to do that. We have been 
asked to simply take the indicators of compromise that are 
provided by that organization's third-party incident response 
firm and then move on to our investigation. We are happy to do 
that. It really is a menu of options that we can provide in 
that moment.
    Chair Nadler. Thank you. My time has expired. Mr. Chabot.
    Mr. Chabot. Thank you, Mr. Chair. It is estimated that the 
FBI's Internet Crime Complaint Center received nearly 2,500 
complaints in 2020 which represented a 20 percent increase over 
the previous year. Over that same time, there was a 225 percent 
increase in ransom payoffs from nearly $9 million in 2019 to 
nearly $30 million in 2020. It actually may be a lot worse than 
that because my understanding is if the payoffs that were 
reported were $30 million, there is a number of experts who 
believe it could be 10 times that amount, so we are looking at 
$300-350 million. So, in other words, only one out of ten of 
the incidents are even reported. Nine out of ten, they actually 
pay off the criminals. That same report estimated that 
cybercrimes, whether it is phishing or extortion or identity 
theft or data breaches of botnets, that they all collectively 
cost the American businesses, for all small businesses 
especially employed by half the people in this country, about 
$4 billion would be.
    Again, the Chair mentioned the Colonial Pipeline attack 
which my understanding is it was one of the most devastating 
ransomware attacks in U.S. history. Eventually to contain that 
attack, the Colonial Pipeline made the decision to pay over $4 
million to the criminals. It turned out that the encryption 
tool that was sent back to them in return for the payment 
wasn't particularly helpful in restoring the functionality to 
their networks which is my understanding oftentimes the case.
    The good news, of course, is that the Department of Justice 
was able to track and to seize roughly, my understanding, about 
half of the payment that was made to the Russian-based hackers. 
That still left about $2 million to the criminals to be used 
against future victims of malware crimes. It is likely that the 
figures I have just mentioned only represent the tip of the 
iceberg of this ever-growing problem. Cybersecurity experts 
estimate that ransomware victims made an average payment of 
about $300,000 in 2020. They further suggest that when a 
company made a ransom payment, less than one out of ten of them 
actually regained access in a reasonable amount of time to 
their hijacked data.
    Undoubtedly cyberattacks are becoming more frequent. They 
are having larger impacts and many, unsurprisingly, are 
connected to the governments, as has been mentioned, of both 
Russia and China.
    So, Mr. Vorndran, let me get to my question. First, do you 
agree that of their ill-gotten gains, the payoffs basically 
that are made to these criminals, some significant portion of 
that is likely to go towards targeting the next victim or 
victims that they are not donating this money, they are not 
donating it to the Red Cross or the American Cancer Society or 
the Little Sisters of the Poor. It is more people, the public, 
or businesses that are going to be targeted. Would you agree 
with that?
    Mr. Vorndran. Yes, sir.
    Mr. Chabot. That is what I would like to focus on. We have 
got to make cybercrime, particularly, the use of malware 
extortion less lucrative, less profitable to these internet 
thugs. How about making it illegal to pay them off? After all, 
giving them money which we know they will use to go after the 
next victim is sort of like aiding and abetting the next crime 
in some ways. Would you agree with that?
    Mr. Vorndran. Sir, if you are asking me if I think it is 
right to make the paying of ransoms illegal, I don't think that 
is a good decision. The reason is because it creates a triple 
extortion model. So, in our current system, ransomware actors, 
cyber-criminals can attack a company and hold an extortion or 
payment to get a decryption key. They can also extort that 
company or that organization to threaten to leak information, 
PII of company employees or other sensitive information. That 
is the second of the three extortions. If you make the paying 
of ransoms illegal, you are creating a third extortion which 
means that if a company chooses to pay and they have now broken 
the law, then a cyber adversary has the ability to hold them 
accountable for that in the public's eye and threaten them even 
more with a higher extortion. So, we would actually recommend 
that this is not the best decision, but that is certainly just 
an FBI perspective.
    Mr. Chabot. Okay, well, I think it is something that 
certainly ought to be considered because what we are doing 
right now certainly has not worked. They are still doing it. 
They are getting more money than ever. Companies are actually 
allowed to write off on their taxes a payoff. Is that correct?
    Mr. Vorndran. Sir, I don't know the answer to that 
question. I apologize.
    Mr. Chabot. Well, they are. They can do it. I would argue 
that it is against public policy to allow that to occur.
    Then finally, some insurance companies, I understand, 
actually advise their clients that paying off the blackmailer 
is the cheapest course of action. Do you understand or have 
heard that?
    Mr. Vorndran. So, I think that--
    Chair Nadler. The gentleman's time has expired. The Witness 
may answer the question.
    Mr. Vorndran. You want me to answer?
    Chair Nadler. Yes.
    Mr. Vorndran. Sir, in terms of advisement of an insurance 
company to a victim, we think--what we hear is that companies 
are put in a position to simply make a business decision.
    So, when I go back to my position, before I joined the FBI 
or Procter & Gamble and we made very large-scale manufacturing, 
I was told, hey, Bryan, listen, an hour of downtime on this 
manufacturing line equates to this much revenue, and I think 
the business equation for any business that becomes a victim is 
simply that.
    If we're looking at restoring from backups taking 24, 48, 
or 72 hours, and that equates to $4 million of lost revenue and 
we can pay a ransom for $3 million, from a business decision, 
it's actually cheaper to pay the ransom.
    Now, to your first point, that just fuels the fire and that 
just causes the criminal enterprise to grow stronger. So, it is 
very much a vicious cycle.
    Mr. Chabot. Thank you. I yield back, Mr. Chair.
    Chair Nadler. The gentleman yields back.
    Ms. Lofgren?
    Ms. Lofgren. Thank you, Mr. Chair, and thank you, Mr. 
Vorndran, for your testimony and for your appearance before the 
Committee today.
    Most computer systems and transactions with sensitive 
information are encrypted in one way or another. I'm sure you 
would agree that encryption is important to defending against 
cyber threats and that cyber defenses without effective end-to-
end encryption are problematic.
    Now, historically, the FBI has called for legally mandated 
back doors to allow law enforcement access to encrypted 
communications. Is this still the FBI's position and how does 
that square with the importance of encryption to effective 
cyber defense and the risks of legally mandated back doors?
    Mr. Vorndran. Ma'am, thanks for the question.
    I am not an expert on lawful access as we define what 
you're describing, but I'll do my best with your question.
    When we talk about back doors, we're really talking about 
should Federal law enforcement have the authorities through 
court-approved warrants to see evidence on a device that is 
critical to a criminal prosecution or--
    Ms. Lofgren. Well, I understand that, but the question is 
do we want to build in vulnerabilities to encryption to allow 
that court order to be effective. We understand--we're the 
Judiciary Committee. We understand court orders.
    Mr. Vorndran. Yeah. I do think that it's important that law 
enforcement has access to that data through official court 
process.
    Ms. Lofgren. Let me ask this. In ransomware attacks, if 
hackers have locked companies and institutions out of their own 
data and systems, now, in at least one instance, according to 
the House Oversight Committee testimony, the FBI reportedly got 
a decryption key on its own that could unlock a certain 
ransomware but didn't provide the key to the victim, and 
according to the testimony that I think you provided the FBI 
repeatedly tested the decrypter in different environments and 
this is--a quote of your testimony, to avoid introducing new 
vulnerabilities and back doors into U.S. infrastructures.
    Can you explain this? How might a decryption key create new 
vulnerabilities?
    Mr. Vorndran. Yes, ma'am. That's my testimony from 
Oversight and Reform, I believe, in December with the National 
Cyber Director, Chris Inglis.
    So, that specific decryption key that you're referencing, 
which is an open source as related to Kaseya, when we were able 
to obtain that, we, obviously, don't go to Best Buy and 
purchase that and have a trusted supply chain.
    So, the way we're able to obtain that is littered with 
potential points of vulnerability and criminal access to it. 
So, when we were able to pull that, it's extremely important 
that we put that through a testing environment to make sure 
that it doesn't have any additional malware or create any 
additional back doors, as you describe it, or vulnerabilities 
as we implement it not just in Kaseya but in our downstream 
environment.
    Ms. Lofgren. Let me ask another question and it really goes 
to something that the European Union has just done, which is to 
require technology platforms to interoperate with other apps 
and services, for example, requiring WhatsApp to connect and 
communicate with other chat and messaging systems.
    That's a laudable goal, I think, that everybody on the 
Committee shares. A concern has been expressed in some areas 
about the impact on cybersecurity.
    Alex Stamos, who is at the Stanford Internet Observatory, 
one of the leading cyber research facilities in the United 
States, said this:

        There's no way to allow for end-to-end encryption without 
        trusting every provider to handle the identity manager if the 
        goal is for all of the messaging systems to treat each other's 
        users exactly the same, and this is a privacy and security 
        nightmare.

    I'm not asking you to comment on legislation you may not be 
familiar with. Generally speaking, do you agree that requiring 
private companies to connect and interoperate with other 
entities could create new cybersecurity vulnerabilities, 
especially if it reduces or eliminates end-to-end encryption or 
other security measures that are in place?
    Mr. Vorndran. Yes, ma'am.
    Ms. Lofgren. What's the answer is, yes?
    Mr. Vorndran. Yes.
    Ms. Lofgren. Okay. I see that my time is expired, Mr. 
Chair, and so I yield back. Thank you.
    Chair Nadler. The gentlelady yields back.
    Mr. Buck?
    Mr. Buck. Thank you, Mr. Chair, and thank you for being 
here, Mr. Vorndran.
    I am trying to figure something out. What is the purpose of 
these cyberattacks on Colonial Pipeline, JBS, SolarWinds, et 
cetera, in a short summary?
    Mr. Vorndran. Sure. Two different points.
    So, on SolarWinds--I'm sorry, on JBS and on Colonial it's 
pure financial gain for a criminal element. On SolarWinds the 
best answer I can provide you, it's, obviously, Russia State-
backed activity to see what that software as a service and 
supply chain attack could get them access to that would be of 
interest to them.
    So, perhaps, U.S. government information where SolarWinds 
is a software platform in any number one of the departments, 
but it would be an access point so that they could exfiltrate 
or find information that's of interest to them.
    Mr. Buck. So, there have also been attacks--cyberattacks on 
OPM, on government agencies, gathering data about United States 
citizens and former government employees or for other purposes.
    I assume that some of the cyberattacks on banks, other 
institutions, give the cyber-attackers the ability to gain 
information about U.S. citizens.
    Mr. Vorndran. Yes, sir.
    Mr. Buck. I'm also assuming that at a time of war that 
could be used to destabilize our country.
    Mr. Vorndran. Certainly, that's one of the potential uses. 
Yes.
    Mr. Buck. So, we really have sort of two categories, if I'm 
not mistaken, and I appreciate Mr. Chabot's questions about how 
this money can be used to further the enterprise.
    When Procter & Gamble makes toothpaste, they sell it and 
they're going to be able to make more toothpaste. When these 
folks receive money, they're going to be able to invest in 
maybe more intricate equipment or more people and continue 
their activities.
    There's also this national security implication where you 
have citizens are vulnerable as a result of all these--not all 
these, but some of these attacks.
    Mr. Vorndran. Yeah. I think that when we look at Russia 
specifically and their targeting, but if you're okay with it, 
I'll expand it to China as well--when we look at their 
targeting of what I'll call personally identifiable 
information, that is something that they're going to take back 
and utilize to craft a more overarching campaign.
    It's very hard for me to say what those are here in this 
moment, not because it's classified or unclassified--we just 
don't know how they're going to potentially use that 
information.
    I could come up with a use case in my mind that says 
perhaps the Chinese are using it in the criminal underground to 
generate income off U.S. PII, right. I mean, there's any number of 
use cases.
    So, I think your terminology of destabilizing is absolutely 
fair. It's very hard for me to be precise about exactly what 
they're going to do with that information.
    Mr. Buck. Well, here's the issue, I guess. We know that 
part of a future war would be attacking the infrastructure of 
another country, and so if Russia had the capability to shut 
down our electric grid, airports, or whatever it is--our 
banking system--if there was, in fact, a war--obviously, we all 
pray there never is such a thing, but if there was that could 
be.
    It could also be to make sure that Thomas Massie, for 
example, wouldn't have access to his bank account. There's a 
lot of money in that bank account, I understand, and so if 
there is that type of--and what I'm wondering is, is there that 
type of individual capability to not just take out an 
infrastructure system but also affect individuals, whether 
they're in leadership positions in this country or not.
    Mr. Vorndran. Yeah. So, we have seen leadership individuals 
targeted precisely, right. We have seen the primary--you can 
name them--Russia, China, Iran, North Korea--take precision 
action to compromise an email account, to compromise, primarily 
an email account, as I'm working through it in my head, of 
people that we all know the names of in this country.
    For the average American, what we see, both the State actor 
side and the criminal side, is overarching campaigns have the 
most disruptive capacity that they're capable of, not really 
precision targeting of Mr. Massie's bank account, independent 
of the amount of money that may be there.
    Mr. Buck. Okay. Well, I'm sure he finds that comforting.
    I guess my last question is what can Americans do? 
Obviously, these major companies have staffs, and they can take 
care of themselves, or maybe not. What can Americans do to 
protect themselves from an attack like this?
    Mr. Vorndran. Yeah. I mean, two basic things, right. Ensure 
that your operating system on your home computer is upgraded to 
the most current operating system, whether that's traditional 
Microsoft or Apple, and number two is two-factor authentication 
on all your accounts.
    Never use the same email--the same password on any accounts 
and--like, think about it this way, right. If people did open-
source research on me, they would understand where I grew up, 
probably could get my wife's name, probably could get my 
brother's name, probably could understand where I've lived, 
where I've worked.
    Well, that's, largely, what people use for their passwords. 
So, if you do life-based profiling around that, you can really 
narrow down how to break a password. So, really obscure 
passwords and long passwords is very good advice.
    Mr. Buck. Thank you for being here.
    Mr. Chair, I yield back.
    Chair Nadler. The gentleman yields back.
    Ms. Jackson Lee?
    Ms. Jackson Lee. Thank you, Mr. Chair, and, Mr. Vorndran, 
thank you so very much. I've got a bunch of pithy questions, I 
hope, and you will help me get it within the time frame that I 
have.
    First, I've introduced legislation, H.R. 2980, which is the 
Cybersecurity Vulnerability Remediation Act, which has passed 
the House, which gives your counterpart, DHS, working with you, 
of course, and the FBI just the opportunity to be able to 
mitigate against cybersecurity vulnerabilities and to know more 
about ransomware attacks and ransom payments, something all our 
agencies should ramp up.
    We look to the FBI, we look to the Department of Defense 
and Homeland Security, to really be our front line. So, as you 
answer your question, I would just like your comment as to the 
importance of that kind of efforts in various agencies that you 
partner with.
    I'm giving an answer to the answer, but if you would share 
that in your answers, we'd come forward.
    This is a question of vulnerabilities and so my question, 
and I have a series of them, is to what extent the FBI can 
provide early warnings of perceived vulnerabilities and/or 
incursions.
    Why don't I let you do that and then I have--trying to get 
in a bunch before my time.
    Mr. Vorndran. Sure. I'll be quick.
    So, what you're describing is can the FBI or anyone else in 
the U.S. government actually provide what we would consider 
tactical warning of an imminent cyberattack. It's a very, very, 
very hard threshold to meet.
    What we consider currently in the current ecosystem is if 
we have absolute strategic warning that Russia plans to hit us, 
we will do our best among our interagency partners to provide 
more real-time updates, as we already have, through specific 
sectors.
    Providing what I would call tactical warning that this is 
imminent is going to be very, very hard because it assumes that 
we see everything, and we don't.
    Ms. Jackson Lee. Can you get in the ballpark sometimes?
    Mr. Vorndran. We have been in the ballpark in the last 
three weeks, yes.
    Ms. Jackson Lee. The vulnerability question that I had and 
agencies getting abilities to know more about ransomware and 
vulnerability is that a good thing that they should be focused 
on?
    Mr. Vorndran. Anything that makes us stronger through 
legislation in terms of information sharing, transparency, 
understanding vulnerabilities we're absolutely in support of 
and willing to look at.
    Ms. Jackson Lee. What do you think about an affirmative Act 
or affirmative responsibility, maybe legally, for the companies 
that have been attacked to notice the FBI?
    I knew that was a problem with Colonial. I was really 
shocked how long they waited, or they hesitated. Obviously, it 
was a new time frame. What do you think about that?
    Mr. Vorndran. So, I think that through the legislation that 
just passed Congress and the Senate in the last couple of weeks 
through HSGAC, with the mandatory incident reporting bill, we 
are hopeful that through the rulemaking period with CISA 
specifically that we're able to get real-time access to the 
reports that CISA is going to have access to through law, and 
so we hope that we're able to accomplish that in the near term.
    Ms. Jackson Lee. One of the bottom rock infrastructure or 
bottom rock part of the infrastructure of democracy is voting. 
In 2021, U.S. Cyber Command acknowledged that in 2020 it 
launched an operation against the software TrickBot which posed 
a danger to U.S. voting systems.
    Are U.S. voting systems in continued danger from malware, 
unlike other representations of individuals like TrickBot and 
what is the scope of the malware threat going into the 2022 
election season? Where is the FBI in this effort of prevention?
    Mr. Vorndran. Yeah, absolutely. So, I want to be really 
clear. For victims of what we would call cyber interference 
operations, targeting election infrastructure, candidates, and 
campaigns and other election-related victims, the FBI is lead 
on the threat response side through PPD-41. We have two primary 
functions there--victim and witness assistance and attribution.
    In terms of vulnerabilities going into 2022, all I can say 
is that it's something that we started talking about over a 
year ago, and when I say we, at the interagency level to 
include the agency that you referenced, and we are meeting 
routinely on a regular basis to ensure that 2022 is a secure 
election.
    Ms. Jackson Lee. I would look forward to maybe a briefing 
that is separate and distinct that focuses squarely on that 
because that is the bedrock of democracy.
    Mr. Vorndran. Sure.
    Ms. Jackson Lee. We have already heard some accusations 
that are far away from the truth but still speak to the issue 
of violations dealing with voting.
    So, thank you.
    Let me just--you're not the Department of Defense, but can 
Russia win a war with cyberattacks? Obviously, having just 
listened this morning to Ukrainian parliamentarian women who 
talked about the--just the sheer brutality and bloodshed and 
butchering that's going on, can Russia now just move to cyber 
efforts?
    Mr. Vorndran. I mean, that's a really hard question for me 
to answer, not because I don't want to, but I just don't know 
the answer.
    Ms. Jackson Lee. In your involvement with them and their 
capacity.
    Mr. Vorndran. Russia is one of the two most capable cyber 
adversaries we face globally. Whether they have the ability to 
completely destabilize our country and win a war is a whole 
different conversation. They are a formidable foe.
    Ms. Jackson Lee. Thank you.
    Mr. Chair, I just want to introduce into the record four 
articles dealing with cybersecurity, which maybe I'll get a 
chance to talk about: The Rockets, Memorial Hospital medical 
provider, UMCC--a hospital, as I indicated, cybersecurity.
    I think there are one, two, three, four, five that I ask 
unanimous consent to submit into the record on cyberattacks in 
Texas and in Houston.
    Chair Nadler. Without objection.
    [The information follows:]

                     MS. JACKSON LEE FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chair Nadler. Mr. Biggs?
    Mr. Biggs. Thank you, Mr. Chair.
    Sir, thank you for being here today. I'm over here. Over 
here.
    Ms. Jackson Lee. Thank you.
    Mr. Biggs. I don't know if you know anything about this, 
but on March 21st, myself and several of my colleagues sent a 
letter to Director Wray with regard to various issues, and I'm 
wondering if you've come prepared to answer questions on his 
behalf since he's chosen not to answer our questions.
    Mr. Vorndran. Sir, I'm sorry. I didn't hear the last part.
    Mr. Biggs. Have you come prepared today to answer questions 
that any of my colleagues have--we have sent Director Wray 
three letters within the last three weeks on--
    Mr. Vorndran. You're referring to the--just so my prep 
notes, I have a March 21st letter on the sensitive 
investigative matter audit. Is that the one you're--
    Mr. Biggs. Yes. Are you prepared to answer questions on 
that?
    Mr. Vorndran. I am not, sir.
    Mr. Biggs. Okay. You are aware of that? Will you take back 
to Director Wray that we expect an answer soon?
    Mr. Vorndran. Yes, sir.
    Mr. Biggs. Appreciate that.
    Last June, President Biden gave President Vladimir Putin a 
list of 16 critical infrastructure entities that are off limits 
to a Russian cyberattack, and then a week ago President Biden 
warned that a cyberattack is coming and is imminent. The 
entities that he described in June were listed as critical 
infrastructure entities.
    According to CISA, the 16 entities included commercial 
facilities, chemical communications, critical manufacturing, 
dams, energy, defense, industrial base, emergency services, 
financial, food and agriculture, government facilities, 
healthcare and public health, information technology, nuclear 
reactors, materials and waste, transportation systems, and 
water and wastewater systems.
    I think you're probably aware of that list that he provided 
because it was in your documentation as well. So, giving a list 
of entities that are off limits implies that all other entities 
are fair game for cyberattacks, or maybe it is that we haven't 
adequately protected other sectors.
    As former DNI Ratcliffe suggested in a story that was--
included his comments about it was that he might accidentally 
be suggesting that we have vulnerabilities in these areas.
    Can you tell me what the President has done--what he's 
directed you guys to do to protect these sectors or any other 
area, for that matter, from cybersecurity threats?
    Mr. Vorndran. Sir, I'll do my best with your question. The 
President doesn't tell us anything, what we should or shouldn't 
do.
    What we have agreed upon internally within the FBI and our 
interagency partners and the interagency partners that I think 
are notable are Cyber Command.
    Mr. Biggs. Hold on. Before you get there, it just occurs to 
me that if he doesn't tell you anything to do, did you know 
that he was going to give that list of sensitive sectors to 
Vladimir Putin?
    Mr. Vorndran. No, sir. I did not.
    Mr. Biggs. Did anybody on your team know?
    Mr. Vorndran. I don't know that answer.
    Mr. Biggs. So, there was no communication, no briefing from 
the White House, that he was going to share that list of 
vulnerabilities?
    Mr. Vorndran. Not--sir, not that made it to me.
    Mr. Biggs. Okay. Okay. So, if you can give me a brief 
response then, previously, as you were giving.
    Mr. Vorndran. Sure. When we look at our primary interagency 
partners--State, Treasury, the folks at the Ford, CIA, et 
cetera--we all have a very, very good working plan related to 
the current threat streams about what our priority goals are.
    So, there is extremely strong operational coordination 
based on strategic and tactical intelligence that I think if 
any of them were sitting here today in front of you, separate 
from me, they would speak with confidence about what we're 
prioritizing.
    Mr. Biggs. Those 16 areas that President Biden listed off 
to Vladimir Putin, has there been cybersecurity attacks or 
breaches in any of those 16 areas since he's given those--that 
list to Putin?
    Mr. Vorndran. Sir, I don't know the answer to your 
question. I apologize. I can certainly take that back and get 
that answer for you. I just don't know in this moment.
    Mr. Biggs. Okay. I wish you would let us know, and then 
also if you can identify--since you don't know that you 
probably can't answer the next question, which was have any of 
those come from Russia.
    So, if you can identify whether they're national actors or 
other actors, if you can identify where those threats have come 
from and those attacks have come from.
    Are you aware of any other cyberattacks to any other 
entities outside the 16 sensitive areas that the President 
listed and gave to Vladimir Putin?
    Mr. Vorndran. Yes, sir.
    Mr. Biggs. Can you describe those, please?
    Mr. Vorndran. Well, just off the top of my head, certainly, 
we have software companies that have been targeted. I'm just 
trying to go through my head over the past couple of weeks.
    We, certainly, have--there are--sir, as I'm working through 
this in my head in real time, there are compromises against 
some of those 16 critical infrastructure sectors that you 
mentioned. I can't speak specifically to which ones.
    Mr. Biggs. You can provide that to the--
    Chair Nadler. The time of the gentleman has expired.
    Mr. Biggs. Well, Mr. Chair, can I just--I've got some 
submissions for the record.
    Chair Nadler. Yes.
    Mr. Biggs. Thank you.
    An article dated September 29th that said, ``U.S. Deports 
High-Profile Hacker to Russia Before End of Prison Sentence''; 
a series of CISA articles and notifications in memos, as well 
as a piece by Leah Barkoukis entitled, ``MARCH 29, 2022 Biden 
Actually Gave Putin a List of Critical Infrastructure Not to 
Carry Out Cyberattacks on in US''; another piece entitled, 
``Ratcliffe: Biden Handed Putin the Wrong List: `It Should Have 
Been a List of Our Targets' in Russia.''
    Another one on The Sun from June 18th, 2021, ``Biden gave 
Putin green light to cyberattack U.S. when he listed 16 `off-
limit' targets, experts say.'' Another one entitled, ``Biden's 
`off-limits' list for Russian cyberattacks criticized as `green 
light' to target everything else.'' Another piece entitled, 
``Russia may target U.S. businesses with cyberattacks, Biden 
warns''; another piece entitled, ``Biden warns Russian 
cyberattacks are coming,'' another official statement by the 
White House and then a series of memos from--that are joint 
Cybersecurity--
    Chair Nadler. Without objection to everything you're 
submitting.
    Mr. Biggs. Okay. Got a whole bunch more. Thank you, Mr. 
Chair.
    Chair Nadler. Without objection.
    [The information follows:]



      

                        MR. BIGGS FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chair Nadler. Mr. Johnson?
    Mr. Johnson of Georgia. Thank you, Mr. Chair.
    A ransomware attack struck the city of Atlanta in March of 
2018, causing a disruption to municipal functions and affecting 
critical sectors including the drinking water system, the 
police department, the judicial system, and other critical 
departments.
    That attack cost taxpayers nearly $2.7 million in emergency 
contracts to recover, and Mayor Keisha Lance Bottoms--then 
Mayor Keisha Lance Bottoms later called on the Federal 
government to, quote, ``expand programs that share real-time 
threat information, which is often critical in avoiding and 
mitigating threats,'' end quote.
    Now, there are reports of, Mr. Vorndran, that the Federal 
government's response to the Atlanta cybersecurity attack was 
incredibly lackluster and prompted needed change.
    How has the role of the FBI in responding to a municipal 
government ransomware attack changed since 2018?
    Mr. Vorndran. Sure, sir. Just my records do not indicate 
that it was lackluster. In fact, the city of Atlanta engaged 
the FBI and the U.S. Secret Service almost immediately. There 
was actually a leaked ransomware note, certainly, not by the 
FBI, that actually prevented the city of Atlanta from being 
able to pay a ransom.
    I would note that we have indicted two Iranians for that 
activity. To your core question, listen, we strive for 
perfection. I'm not saying we're always there, but we strive 
for perfection.
    Our goal in that moment is to provide any and all available 
resources that accompany, in this case, a victim or, in this 
case, a municipality city, is in need of.
    As I've described, that can include taking a server 
offline. That can include victim service support. That could 
include support with the media or any number of other things.
    To your question about sharing indicators, I think the 
velocity of which we share indicators has definitely improved, 
and that's not just an FBI statement. That's a U.S. government 
interagency statement and, certainly, a goal of ours is to 
improve the velocity even more.
    Those are some of the foundational goals that we have when 
we respond to a victim.
    Mr. Johnson of Georgia. Thank you, sir. If Atlanta were to 
happen again today, what would the FBI do differently than what 
it did in response to the Atlanta attack?
    Mr. Vorndran. Sure. Sir, so I, obviously, was not in 
Atlanta when that happened so I'm not familiar with the inner 
workings of that incident response.
    In today's world, if the FBI received the call first we 
would first contact CISA, and between CISA and the FBI, perhaps 
Secret Service as well, we would go meet with the victim and to 
the best of the victim's ability, in this case--use case 
Atlanta--ask them what is going on and that how we can help.
    We, again, as the U.S. government there are certain 
recommendations that we would have for anybody in this position 
that Atlanta was in. Probably the most notable one is to 
specifically identify a point of ingress and egress into and 
out of the organization by the Federal government.
    So, that could be CISA. That could be the FBI. That could 
be Secret Service. That will help synthesize the flow of 
information in this use case with Atlanta and the U.S. 
government.
    Mr. Johnson of Georgia. Thank you.
    What role, if any, is there for the private sector when it 
comes to attacks against governmental entities like 
municipalities or government agencies? Is there room for the 
private sector? Is there a need for the private sector?
    Mr. Vorndran. Absolutely. The private sector is going to 
see the threats almost--let's just say nine times out of 10 the 
private sector is likely to see the manifestation of the threat 
before the U.S. government because remember, when you have 
these major multinational companies out there that are all U.S. 
based--I don't want to name them in public testimony--but they 
are the infrastructure that all of us ride on for our 
networking needs and all of us means Americans at the household 
level all the way up to the multinational corporation level.
    So, they're going to be able to see activity very, very 
quickly and so they have an absolutely enormous role, and I 
think being part of the ecosystem in the last year has shown 
that they have been willing to step very formidably into that 
space to benefit the U.S. government and to benefit 
victims.
    Mr. Johnson of Georgia. Okay. I thank you for your 
responses. My time has wound down and I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Massie?
    Mr. Massie. Thank you, Mr. Chair. I'll tell the Witness 
that I wasn't going to ask any questions today until he brought 
up the Duke versus U.K. ball game from ancient history.
    I do have some questions that I want to ask now. First, are 
you aware of a piece of software named Pegasus that's provided 
by NSO Group, Israeli software company?
    Mr. Vorndran. Yes, sir.
    Mr. Massie. Does the FBI use this program? It looks like 
they had a license to it for $5 million.
    Mr. Vorndran. Yes, so the FBI has not and did not ever use 
the NSO products operationally or in any investigation. We did 
buy a limited license for testing and evaluation. Those limited 
licenses are part of our normal exploratory process to 
understand what other technologies are out there, but, again, 
we have never purchased it for use operationally or in an 
ongoing investigation.
    Mr. Massie. So, your division hasn't used this spyware 
domestically?
    Mr. Vorndran. No, sir.
    Mr. Massie. Have you detected the use of this software 
domestically?
    Mr. Vorndran. Sir, there is reporting in the media about 
Apple filing a lawsuit against NSO, and there is a lot of 
information in that article. I can't comment further on your 
question truly due to classification. If that is of interest to 
you, we could consider a background briefing.
    Mr. Massie. I would appreciate that very much. Thank you.
    Executive Order 14028, called ``Improving the Nation's 
Cybersecurity,'' requires agencies to adopt a zero-trust 
architecture and to achieve certain goals by the end of fiscal 
year 2024. The FireEye's hack was possible because everybody 
trusted that software. So, I think the zero trust architecture 
has merit. Can you tell us if the Cyber Division has taken any 
steps toward that Executive Order in adopting zero trust 
architecture or promoting that?
    Mr. Vorndran. Sure. So, I mean, when we look at 14028, 
which is really tailored towards DHS's role in the 
cybersecurity ecosystem, CISA would be responsible for 
multifactor authentication recommendations, zero trust. We are 
absolutely supportive of all those topline requests because 
they do move us to a better security posture.
    From a Bureau perspective, what we are focused on is that 
the Executive Order should lead to more transparency between 
government and private sector standard operating procedures for 
incident response, alignment between the Bureau and CISA on 
what incident response is and how to do it effectively.
    Mr. Massie. One of the sort of Catch-22s or oxymorons that 
I see in cybersecurity is, to be more secure, some platforms 
and operating systems require real-time updates. In other 
words, the argument is that, if you detect some kind of 
vulnerability, you can push out the fix immediately to those 
platforms. The problem is hackers use that as a vulnerability 
in itself.
    So, how do you view that tradeoff? You mentioned before 
everybody should have the most recent operating system, and I 
think that is good advice. Should we promote, allow, encourage, 
or should we discourage operating systems that do their own 
updates without user involvement, without sort of a two-factor 
authentication, without some user sitting there saying, okay, I 
will accept this update?
    Mr. Vorndran. Sure. I mean, what you are describing is 
exactly how SolarWinds was utilized to catalyze a downstream 
attack in terms of a forced update.
    What I would simply say is perhaps a third recommendation 
for people in America, but for corporations, to have daily 
backups. So, if that forced OS update or another update 
compromises the system, you or your company has a within-24 
backup that would allow you to restore fairly efficiently with 
the most relevant data.
    Mr. Massie. My final question, when it comes to security 
audits, it seems like it is not such a great idea to let the 
same vendors that are selling the software do the audits. Do 
you think there is any merit into making sure that these audits 
are legitimate audits, instead of sort of scripted--that the 
vendor provides, the software vendor provides, and then, the 
end user runs the script, and then, feels secure because now 
they think they have audited it, but they really don't know 
what is going on?
    Mr. Vorndran. Yes, I just think--
    Chair Nadler. The time of the gentleman has expired. The 
Witness may answer the question.
    Mr. Vorndran. Sure. I just think due diligence of vendors 
in understanding your risk profile as an organization is 
extremely important. That is based on your own variabilities. 
The same conversation we have for doing business in China: 
There is going to be risk. What is your risk tolerance and what 
is your due diligence to put your organization in the best 
position possible?
    Mr. Massie. Thank you. I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Cicilline?
    Mr. Cicilline. Thank you, Mr. Chair, for this hearing, and 
thank you to our Witness for being here.
    In recent years, we have seen an alarming number of 
cyberattacks on our Nation's infrastructure, including election 
systems, police departments, local governments, and hospitals. 
In fact, a healthcare company in Rhode Island was affected this 
year when a contractor of Care New England faced a cyberattack 
that disrupted their payroll system, requiring Care New England 
to pay its approximately 7,500 employees manually.
    So, Mr. Vorndran, my first question is, what is it about 
healthcare providers that the FBI and CISA, back in October of 
2020, did an advisory warning of an increase in imminent cyber-
crime attack to the healthcare and public health sectors? So, 
why is the healthcare industry such a lucrative target for 
ransomware attackers, and what is the FBI doing to help 
healthcare providers protect against this vulnerability?
    Mr. Vorndran. Sure. I appreciate the question, and I say 
that sincerely, sir, because it is an area that touches all of 
us and people in our families and in our circles of friends.
    What we would say is that we saw criminals, ransomware 
actors, shamelessly trying to exploit the COVID-19 pandemic by 
attempting to extract high payouts from targeted organizations, 
like you said, such as hospitals. That can mean disruptions to 
patient care are fully on the table to motivate a victim into 
paying a ransom for their information or system access.
    The reason is because, obviously, those hospitals are life-
safety-related, and hospitals in that scenario, faced with that 
set of circumstances, are likely going to be more willing to 
pay a ransom more quickly. So, it becomes a very, very target-
rich environment for a financially motivated criminal.
    Last June, even on the nation-state side, hackers sponsored 
by the Iranian government compromised a children's hospital. 
There is just endless lists of potential impact to hospitals 
that causes deep, deep concern. We have a very, very strong 
relationship with the American Hospital Association and with 
the Health-ISAC, which is the Information Sharing and Analysis 
Center for the health industry and the health sector. We are 
very engaged with them in terms of pushing out indicators of 
compromise that are specific or vulnerabilities that are 
specific to software applications or supply chain software that 
is meaningful to the healthcare industry.
    So, sir, I hope that provides a good response to your 
question.
    Mr. Cicilline. Thank you. It does.
    I want to just turn to election security. Director Wray 
testified back in September of 2020 about his concern about 
what he called smaller cyber intrusions and the steady drumbeat 
of misinformation and its ability to undermine America's 
confidence in our elections.
    So, has the FBI seen indications of cyber misinformation 
campaigns in the lead-up to the 2022 midterm election, and what 
is the FBI doing to prepare for misinformation campaigns, 
whether from foreign powers or from within the United States?
    Mr. Vorndran. Sure, sir, I will answer your question in two 
phases. One is about election security, and one is about 
foreign influence.
    So, I am previously on the record here today, but I am 
happy to repeat it. On election security, from the FBI 
perspective, it is all about cyber interference operations 
targeting election infrastructure, candidates and campaigns, 
and other election-related victims. From an FBI-centric 
perspective, the FBI would have threat response lead through 
PPD-41, which means that we would provide assistance to the 
victims and the witnesses, and we would be squarely focused on 
attribution.
    More largely on foreign influence, the FBI has really 
specific responsibilities and authorities. By design and 
necessity, the FBI is just one part of the foreign influence 
team. We follow the actor and the activity, and I think that is 
really, really important to mention. The problem is, when an 
actor masquerades as someone he or she is not and amplifies 
disinformation through a coordinated campaign. Over the past 
years, we have worked really, really hard to understand how we 
can best provide information to our private sector partners, so 
they can take appropriate action in terms of service 
violations.
    I just want to foundationally say this last point. I think 
it is really important. The primary goal we have in foreign 
influence is ensuring the respectful rights of U.S. persons. As 
Americans, we have very broad rights to consume, create, and 
spread information, and that is an underpinning of our 
democracy. That is very, very important to keep intact.
    Leading into the 2022 midterms, sir, we have already 
started interagency conversations--they have been underway for 
perhaps as much as six or seven months at this point--to ensure 
that we are properly prepared if we face any types of threats 
to the 2022 midterms.
    Mr. Cicilline. Thank you very much. I yield back, Mr. 
Chair.
    Chair Nadler. The gentleman expired--or the gentleman's 
time has expired. God forbid the gentleman expired.
    Mr. Cicilline. I hope that wasn't a Freudian slip, Mr. 
Chair.
    Chair Nadler. The gentleman's time only has expired.
    Mr. Issa?
    Mr. Issa. Thank you, Mr. Chair. I want to stipulate for the 
record the gentleman has not expired.
    Director Vorndran, a couple of things, one of them that I 
think is timely. Recently, The New York Times reversed its 
position on the Hunter Biden laptop being fake or Russian 
misinformation. Do you have any reason to believe that is 
inaccurate, or would you support that it appears to be an 
authentic--I know you have an investigation going--but that the 
laptop itself appears to be authentic and always was?
    Mr. Vorndran. Sir, I have no background on that 
investigation. I am here to talk about the cyber program.
    Mr. Issa. I just asked if you had any knowledge of it that 
would cause us to believe that it was not authentic. If the 
answer is no, that is fine.
    Mr. Vorndran. No, sir.
    Mr. Issa. Thank you.
    Mr. Vorndran. Sir, let me go back. Just parsing words, if 
you are asking me if I have any information on the 
investigation, the answer is--
    Mr. Issa. No, I got the answer I wanted, to be honest. 
After 50 well-organized intelligence people, including former 
CIA Directors and national security people, all said it was 
fake, and we now know it is true, I just wondered if that was, 
since that did affect an election, it was worth asking.
    Mr. Vorndran. Sir, I want to be really clear. My answer to 
your question is, from my perspective, do I have any knowledge 
of that investigation--
    Mr. Issa. Right. You said no.
    Mr. Vorndran. No, sir. Yes.
    Mr. Issa. Thank you.
    So, moving on, when Russia hacked Viasat early in this 
conflict, they hacked into what I would believe would have been 
the infrastructure that would have been on the President's list 
of 16. As we all here mostly know, Viasat also controls Air 
Force One and other related asset communications out of the 
same area and facility that was hacked.
    Would you agree to give us an appropriately classified 
briefing on the level of penetration and the remediation that 
has been done since that time to protect not only assets that 
were hacked, but other assets that would be vulnerable, 
potentially?
    Mr. Vorndran. Yes, sir, I would be happy to do that.
    Mr. Issa. Thank you.
    Next, the President gave a list of 16 items that were off 
limits. Can you give us at least one item that was not on that 
list that you believe should be off limits to Russia hacking?
    Mr. Vorndran. Sir, I mean, the 16 critical infrastructure 
sectors are very, very broad and almost all-encompassing. I 
would have to spend some time thinking about what actually 
is not on that list.
    Mr. Issa. Would it be fair to say, maybe turning it around, 
that the list should be: You may not hack the United States of 
America, period?
    Mr. Vorndran. Sir, I am not going to get into a 
conversation about what the Administration--
    Mr. Issa. No, no, no. I am asking what the standard should 
be in accepting Russian hacking and disruption of any of our 
systems. Is the standard supposed to be they don't do it?
    Mr. Vorndran. Our role in this ecosystem is to investigate 
when foreign adversaries, criminals, or nation-states 
compromise U.S. networks, infrastructure, et cetera. That is my 
specific role in this ecosystem.
    Mr. Issa. Okay. As of today, currently, in the last 31 
days, has a Russia-based organization hacked or tried to 
interfere with any U.S. assets, to your knowledge?
    Mr. Vorndran. Sir, can I consult with someone about what is 
and isn't classified?
    Mr. Issa. Oh, I just want to know whether there is an 
existence of any activity by Russia. That seems to be broad 
enough that it would fall outside of classified.
    Mr. Vorndran. Sir, the threat from Russia in the criminal 
sense, in the nation-state sense, is very, very real.
    Mr. Issa. Current?
    Mr. Vorndran. Yes, sir, very current.
    Mr. Issa. Thank you. That is all I needed for today, was 
the, quote, ``current.''
    Mr. Vorndran. Yes.
    Mr. Issa. The last question may be beyond your scope, but 
it is important to everyone. Historically, when ransomware has 
occurred from Russia, with some regularity, there have been 
payoffs. Under current sanctions, wouldn't it, in fact, be a 
payment to a Russian entity prohibited under U.S. sanctions, 
and therefore, any payment would now be something that the U.S. 
person should not be able to do?
    Mr. Vorndran. Sir, that is a complicated question. Let me 
do my best with it.
    When we talk about sanctioned entities, there are a lot of 
cyber-criminal entities in and around Russia that are not 
currently sanctioned. So, a U.S. government or a U.S. victim, 
person, or company, or organization that chooses to pay someone 
affiliated with the Lapsus$ ransomware--
    Mr. Issa. So, for the record, persons or entities, criminal 
entities we may not know much about, that may or may not be 
connected to the Soviet Union, or to Russia, could, in fact, be 
getting payments, as we speak, based on those attacks, and that 
could end up going to the same Russia that is murdering people 
in Ukraine?
    Chair Nadler. The gentleman's time has expired. The Witness 
may answer the question.
    Mr. Vorndran. So, the first part of your question, sir, is, 
yes, there are people being paid over there right now. Whether 
that money flows through to the regime, I am not in a position 
to talk about that. I just don't have that information.
    Mr. Issa. Could you give that to us for the record, if you 
can find it?
    Mr. Vorndran. Yes, sir.
    Mr. Issa. Thank you.
    Thank you, Mr. Chair. I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Lieu?
    Mr. Lieu. Thank you, Chair Nadler, for holding this 
important hearing.
    Thank you, Assistant Director Vorndran, for your public 
service and for answering questions today.
    A few years ago, hackers in Germany listened in on my cell 
phone conversations, and they tracked my movements from 
California all the way to the House of Representatives. Now, 
the good news is I had a heads-up that this might happen, as 
part of an investigative report by ``60 Minutes'' on mobile 
security. The bad news is that this problem has not been fixed.
    It is known as the Security System No. 7 flaw, also known 
as SS7 for short, and actually it stands for Signaling System 
No. 7. It allows foreign governments and hackers to access your 
cell phone data, exploiting a loophole in our wireless systems.
    This past November, a telecom executive did a whistleblower 
complaint saying that the NSO Group, a spyware firm, offered to 
exchange bags of cash to access wireless systems to spy on 
people. We sent the criminal referral to the FBI. I know that 
you cannot comment directly on individual cases. So, I am going 
to ask you some general questions.
    In the last five years, has the FBI investigated cases 
where the SS7 flaw was exploited to access cell phone contents?
    Mr. Vorndran. Sir, all our information in FBI holdings on 
SS7 is at a higher classification. I would be happy to have a 
conversation with you in the right forum with that information.
    Mr. Lieu. Does the FBI itself exploit the SS7 flaw to 
access cell phone contents?
    Mr. Vorndran. Sir, I am not in a position to answer that 
question. I don't know the answer.
    Mr. Lieu. Previously, Congressmember Massie asked you about 
a briefing. I just want to make sure, will you commit to a 
bipartisan briefing classified on Pegasus, the NSO Group, and 
the SS7 issue?
    Mr. Vorndran. Sir, yes, and if I can expand, it is very 
important for me personally, as a representative for the cyber 
program at the FBI, to keep that as an open invitation in both 
directions between all of you and me, and from me to all of 
you, that whatever information that you would want access to, 
we would try to facilitate that.
    Mr. Lieu. Thank you.
    I am going to ask you a series of questions, and if you 
could answer yes or no, and then, you can expound on it 
afterwards. It is about infrastructure.
    So, is it possible for hackers to take control of a dam and 
do an uncontrolled release of water?
    Mr. Vorndran. Yes, sir.
    Mr. Lieu. Is it possible for hackers to take over a 
chemical plant system and do a release of toxic gas?
    Mr. Vorndran. Sir, just as a blanket statement, anything is 
the realm of possible, if the adversary has the right access.
    Mr. Lieu. All right. Is it possible for a foreign 
government or hackers to access a transit system, disrupt 
railway signals, and cause trains to crash into each other?
    Mr. Vorndran. I would imagine so, sir.
    Mr. Lieu. Is it possible for a foreign government or 
hackers to access an air traffic control tower or airplane 
guidance systems and cause planes to crash?
    Mr. Vorndran. I don't know that answer, sir.
    Mr. Lieu. Okay. Is it possible for foreign governments and 
hackers to access a wastewater treatment facility and cause a 
release of harmful chemicals into the water?
    Mr. Vorndran. To the best of my knowledge, yes, sir.
    Mr. Lieu. All right. Does the FBI only investigate these 
incidents, if it were to happen, after the fact or does it take 
actions to tell these different infrastructure places how to 
harden their systems?
    Mr. Vorndran. So, when you look at the evolution of the 
U.S. government in this space since mid-2018 when CISA in its 
current form came into what we know today, I would divide it 
into two tiers. When you look at the FBI role, as defined in 
PPD-41, it is largely what we would call ``threat response.'' 
That is the term used in the documentation. What that means is 
response to an incident; bilateral information intelligence 
sharing with the affected entity, organization, company, 
school, dam; it doesn't matter. CISA would be there primarily 
to deal with the net defense remediation side, and that is what 
is termed in PPD-41 as ``asset response.''
    So, I would look at it as, what is on the operational 
investigative side, that is the FBI. What is on the net defense 
asset recovery side, that is CISA's responsibility. The 
information sharing and what investigative can inform that 
defense, or what on the net defense side can inform 
investigation, is very synonymous.
    Mr. Lieu. For the actual hardening of our infrastructure 
against cyberattacks, is that something that the Department of 
Homeland Security would be doing or is it the Department of 
Defense?
    Mr. Vorndran. So, the answer is both, depending on the 
critical infrastructure sector. So, obviously, within the 
Defense Industrial Base, DOD would have a very, very 
significant role in that. Within the traditional 15 critical 
infrastructure sectors, as defined in CISA's mission statement, 
they would largely be on point for the hardening, what we would 
call ``resiliency net defense.''
    Mr. Lieu. Thank you. I yield back.
    Mr. Vorndran. Sure.
    Chair Nadler. The gentleman yields back.
    Mr. Gaetz?
    Mr. Gaetz. So, where is it, the laptop?
    Mr. Vorndran. Sir, I am not here to talk about the laptop. 
I am here to talk about the FBI cyber program.
    Mr. Gaetz. You are the Assistant Director of FBI Cyber. I 
want to know where Hunter Biden's laptop is. Where is it?
    Mr. Vorndran. Sir, I don't know that answer.
    Mr. Gaetz. That is astonishing to me. Has FBI Cyber 
assessed whether or not Hunter Biden's laptop could be a point 
of vulnerability, allowing America's enemies to hurt our 
country?
    Mr. Vorndran. Sir, the FBI Cyber Program is based off what 
is codified in title 18, section 1030, of the Code, which talks 
about computer intrusions, right, using nefarious intent 
network--
    Mr. Gaetz. Well, you have talked about passwords here. 
Hunter Biden's password on his laptop was ``Hunter02.'' He 
drops it off at a repair store. I am holding the receipt from 
Mac's Computer Repair, where, in December 2019, they turned 
over this laptop to the FBI. What now you are telling me right 
here is that, as the Assistant Director of FBI Cyber, you don't 
know where this is, after it was turned over to you three years 
ago?
    Mr. Vorndran. Yes, sir, that is an accurate statement.
    Mr. Gaetz. How are Americans supposed to trust that you can 
protect us from the next Colonial Pipeline if it seems that you 
can't locate a laptop that was given to you three years ago 
from the First Family, potentially, creating vulnerabilities 
for our country?
    Mr. Vorndran. Sir, it is not in the purview of my 
investigative responsibilities.
    Mr. Gaetz. That is shocking, that you wouldn't, as the 
Assistant Director of Cyber, know whether or not there are 
international business deals, kickbacks, shakedowns, that are 
on this laptop that would make the First Family suspect to some 
sort of compromise.
    Mr. Assistant Director, have you assessed whether or not 
the First Family is compromised, as a result of the Hunter 
Biden laptop?
    Mr. Vorndran. Sir, as a representative of the FBI Cyber 
Program, it is not in the realm of my responsibilities to deal 
with the questions that you are asking me.
    Mr. Gaetz. Has anyone at FBI Cyber been asked to make 
assessments whether or not the laptop creates a point of 
vulnerability?
    Mr. Vorndran. Sir, we have multiple lines of investigative 
responsibility in the FBI. They are all available on public 
source--
    Mr. Gaetz. Well, I would think you would know this one. I 
would think that, if the President's son who does international 
business deals--referencing the now-President--with the 
Chinese, with Ukrainians--have you assessed whether or not the 
Hunter Biden laptop gives Russia the ability to harm our 
country?
    Mr. Vorndran. Sir, again, we can do this back and forth for 
the next couple of minutes. I don't have any information about 
the Hunter Biden laptop or the investigation--
    Mr. Gaetz. Should you? You are the Assistant Director of 
FBI Cyber.
    Mr. Vorndran. By the block-and-line chart, no, sir, I 
should not.
    Mr. Gaetz. Who should? Who should we put in that chair to 
ask questions about this laptop that FBI has had for three 
years?
    Mr. Vorndran. Sir, I am not in a position to make a 
recommendation of who should sit here.
    Mr. Gaetz. So, you don't have it? You don't know who has 
it? You don't know where it is? You are the Assistant Director. 
Earlier, you talked about whether or not you are the Grant Hill 
or the Christian Laettner. It sounds like you are the Chris 
Webber trying to call a timeout when you don't have one.
    So, who is it? Do you even know who has it? Do you know who 
we should put in that chair to ask these questions to?
    Mr. Vorndran. No, sir, I don't know who has it.
    Mr. Gaetz. Well, could you find out and tell us? You are 
going to have to give us briefings, thanks to Mr. Lieu's and 
Mr. Massie's question about whether or not the FBI was taking a 
$5 million test drive on the Pegasus system that was being used 
to target people in politics, people in government, people in 
the media, people in American life. So, will you commit to give 
us a briefing, as the Assistant Director of FBI Cyber, as to 
where the laptop is; whether or not it is a point of 
vulnerability; whether or not the American people should wonder 
whether or not the First Family is compromised?
    Mr. Vorndran. Sir, I would be happy to take your request 
back to our office.
    Mr. Gaetz. Gosh, will you advocate for that briefing as a--
    Mr. Vorndran. Sure.
    Mr. Gaetz. You will?
    Mr. Vorndran. I will be happy to take your request back to 
FBI headquarters.
    Mr. Gaetz. Well, do you believe that this is a briefing 
that the Congress is worthy of having, I guess?
    Mr. Vorndran. Sir, I am not going to answer that question. 
I am here to talk--
    Mr. Gaetz. The invitation--no, sir.
    Mr. Vorndran. The invitation says, ``Oversight of the FBI's 
Cyber Division.'' It does not say anything about--
    Mr. Gaetz. Well, right, but this is a cyber asset. This is 
a point of vulnerability.
    Mr. Vorndran. It is not a cyber asset.
    Mr. Gaetz. If there are passwords, if there are business 
deals, if there are references to things that could harm our 
country--like you can't even sit here right now and say that 
you know that there is not a point of vulnerability. Maybe 
there are other crimes. Maybe there are tax issues, or 
whatever. As it relates to the First Family sufficient cyber 
infrastructure to protect? You don't even know if they are 
compromised.
    Tell you what, Mr. Chair. I seek unanimous consent to enter 
into the record of this Committee the contents of Hunter 
Biden's laptop, which I am in possession of.
    Chair Nadler. I am not--
    Mr. Johnson of Louisiana. There is no objection to that.
    Mr. Gaetz. I have never had such an--
    Chair Nadler. We will object, pending further 
investigative--
    Mr. Gaetz. What is the basis of that objection?
    Chair Nadler. It is a unanimous consent request, and I 
object, pending--
    Mr. Gaetz. I have a subsequent question. Mr. Chair, I seek 
unanimous consent to enter into the record the receipt from the 
Mac shop--
    Chair Nadler. It may very well be entered into the record 
after we look at it further.
    Mr. Gaetz. Mr. Chair, I have a subsequent unanimous 
consent--
    Chair Nadler. Ms. Demings is now recognized.
    Mr. Jordan. He has got a second unanimous consent request.
    Chair Nadler. Oh, I am sorry.
    Mr. Gaetz. Mr. Chair, I seek unanimous consent to enter 
into the record the receipt from the Department of Justice from 
the Mac shop--
    Ms. Demings. Mr. Chair, this is Ms. Demings. Am I next or--
    Chair Nadler. Without objection.
    [The information follows:]



      

                        MR. GAETZ FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chair Nadler. Now, Ms. Demings.
    Ms. Demings. Thank you so much, Mr. Chair.
    Thank you, Assistant Director Vorndran, for your patience, 
your endurance, and most of all, for your service to our 
Nation.
    In a February 9th Advisory, FBI and partner agencies warned 
about the continued prevalence of phishing emails, Remote 
Desktop Protocol exploitation, and exploitation of software 
vulnerabilities, as attackers' strategies for gaining access to 
systems.
    Assistant Director, could you tell me why these strategies 
have been so effective, are so effective?
    Mr. Vorndran. Ma'am, could you restate that question? I 
missed a part towards the end. I just want to make sure I am 
crisp on the answer.
    Ms. Demings. Yes. Yes. Regarding the phishing emails, 
Remote Desktop Protocols exploitation, exploitation of software 
vulnerabilities, as attackers' strategies for gaining access to 
systems, could you please tell us why these strategies have 
been so effective?
    Mr. Vorndran. Sure. Because Remote Desktop Protocol is 
going to give any adversary direct access to, 
essentially, command-and-control of a server of a user end 
computer. That will give them the rights, the administrative 
rights, to, arguably, do whatever they need to do to meet the 
intent of their attack.
    Ms. Demings. Which tactic, phishing emails versus software 
exploitation, is most commonly used by cyber-attackers?
    Mr. Vorndran. Ma'am, it is any of the above, based on what 
is going to work. So, attackers will often look for broad 
vulnerabilities and deploy multiple different tools or vectors 
of attack to achieve their goal. So, it is very, very 
challenging to say, statistically, which one is more prevalent. 
The better question is, how have we, as a collective at the 
American level, but also at the corporation level, armed 
ourselves to defend against them?
    Ms. Demings. Okay. Could you answer that question?
    Mr. Vorndran. Sure. I mean, it is all about hygiene for 
information security. I have mentioned a few of these, right? 
Multifactor authentication, two-factor authentication for all 
of us at home on general accounts; complicated passwords; 
having active backups, those types of standard, what I would 
call, hygiene, operating system, routine operating system 
maintenance is very, very important.
    Ms. Demings. What level of cooperation have you seen from 
the private sector in terms of arming their systems and working 
with you to do just that?
    Mr. Vorndran. We have very, very strong relationships with 
the private sector that crosscut pretty much every industry in 
this country. I mentioned this earlier in my testimony. I think 
the private sector has really answered the bell here in the 
last year about coming and being part of solutions, because 
they own a lot of the infrastructure that we all use to have 
our daily access to the internet. So, they are seeing adversary 
activity very, very quickly, and they have been a tremendous 
part of the solution in the distant past, but really in the 
recent past.
    Ms. Demings. What other type of cyberattacks--or we talked 
about the phishing emails; we talked about the software 
exploitation--what other types of strategies did you see in 
2021?
    Mr. Vorndran. Well, we look at--there is ransomware 
botnets. I mean, the list goes on and on. Spear phishing is a 
very, very important targeting tool that all the adversaries 
use. It is not as simple to say that 80 percent of all cyber 
intrusions occur because of spear phishing. I know that 
statistic is out there, but there is a lot of 
interdependencies, once an adversary has access to a system. 
Really arming an organization or institution with understanding 
what spear phishing looks like is a very, very helpful step for 
any organization.
    Ms. Demings. Thank you.
    Mr. Chair, I yield back.
    Chair Nadler. The gentlelady yields back.
    Mr. Jordan?
    Mr. Jordan. Thank you, Mr. Chair.
    Mr. Vorndran, why did the Biden Administration release 
Burkov?
    Mr. Vorndran. Sir, Mr. Burkov was investigated by the U.S. 
Secret Service, not by the FBI. I don't know specifics. What I 
do know is that there was no swap or concession. It is my 
understanding that his release--
    Mr. Jordan. We didn't get anything for it?
    Mr. Vorndran. Sir, to the best of my knowledge, there were 
no swap or concessions.
    Mr. Jordan. Well, why do you think we--you have said 
Russia, your statements today, ``formidable foe,'' ``foremost 
adversary,'' and the threat is current.
    Mr. Burkov has been described as an asset of ``supreme 
importance,'' ``one of the most connected and skilled malicious 
hackers ever apprehended by U.S. authorities.'' You don't know 
why we let him go?
    Mr. Vorndran. No, sir, it is a Department of Justice 
question. The FBI didn't have any--
    Mr. Jordan. You are the Director of Cyber at the FBI in the 
Department of Justice. It is part of the Department of Justice, 
right?
    Mr. Vorndran. Sir, yes, sir, it is, but, obviously, we are 
our own agency--
    Mr. Jordan. I read your bio, and other than the degree from 
Michigan, it is pretty impressive. You have worked at FBI for 
like 20 years, right? You have held all kinds of positions. You 
are the Director of Cyber, and you can't tell me why we let the 
most notorious Russian hacker go, and you don't know what we 
got for it?
    Mr. Vorndran. No, sir.
    Mr. Jordan. Were you consulted?
    Mr. Vorndran. It is not an FBI investigation.
    Mr. Jordan. Well, you are the cyber man. Mr. Gaetz just 
talked about it; you are the key guy. You are the guy the 
Administration sent here today to talk about cyber, in light of 
the fact that last week President Biden said the threat from 
Russia is imminent. You have confirmed that today. You said it 
is current; it is as we speak. You can't answer if it was a 
good idea or not or whether you were consulted?
    Mr. Vorndran. Sir, I don't actually--no, to your question, 
I was not consulted.
    Mr. Jordan. You were not consulted? Okay. Do you think it 
was a good idea?
    Mr. Vorndran. Sir, I am not in a position to comment on 
that.
    Mr. Jordan. The head of Cyber is not in a position to 
comment, the guy in front of the Judiciary Committee, at a time 
when the most formidable foe, our No. 1 enemy when it comes to 
cyberattacks, with the threat that is imminent and current, 
can't answer whether it was a good idea or not to release the 
most notorious Russian hacker we have ever caught?
    Mr. Vorndran. Sir, it was a Department of Justice decision 
through the U.S. courts process, right? I would refer all the 
questions on Mr. Burkov--
    Mr. Jordan. Mr. Vorndran, why did you come? So far today, 
you have not been able to answer questions about Pegasus; you 
can't answer questions about sensitive investigative matters. 
Mr. Gaetz just went through the whole thing on Hunter Biden's 
laptop. You couldn't answer any questions about that. Can you 
answer questions about anything today? Can you answer a 
question about the school board situation, spying on parents? 
Do you know anything about that?
    Mr. Vorndran. Just to correct the record, sir, I actually 
did answer the questions to two Representatives about NSO 
and Pegasus. To your point, I have not answered questions about 
the Hunter Biden laptop or about the--
    Mr. Jordan. Or the sensitive investigative matters.
    Mr. Vorndran. I was just going to say that, if you would 
let me finish--or about the sensitive investigative matter 
audit.
    Mr. Jordan. Do you know how many threat tags are on 
parents? How many of the threat tags that say EDU officials 
have been assigned? How many cases now have that threat tag 
designation? Do you know anything about that?
    Mr. Vorndran. Sir, no. All those questions should be 
referred to the Department of Justice.
    Mr. Jordan. Last week, in Mr. Biden's speech, he said this. 
I mean, just to emphasize I can't figure this out. He said, 
when he was talking to business leaders, ``The magnitude of 
Russia's cyber capacity is fairly consequential and it's 
coming,'' as we have talked about before, and as you have said 
as well. ``We'll help you,'' saying to the business leaders, 
``We'll help you any way to deal with cyberattacks.''
    Do you think it helps the businesses who the President is 
asking to do everything you can to shore up your systems, do 
you think it helps to release the most notorious Russian hacker 
we have ever apprehended?
    Mr. Vorndran. Sir, I am not going to answer any questions 
about Mr. Burkov. It is a Secret Service case. As I said, the 
decision was made, to my understanding, through the ordinary 
course of action by the U.S. courts.
    Mr. Jordan. Well, you have agreed to give us briefings on 
other issues. Do you think there is someone at the FBI who can 
brief us on the Burkov situation?
    Mr. Vorndran. Probably not, because it is not our case.
    Mr. Jordan. Do you think there is a chance Mr. Burkov's 
name was on the Hunter Biden laptop?
    Mr. Vorndran. Sir, I have no idea.
    Mr. Jordan. No idea? I mean, that says it all. That says it 
all. Because we want someone in front of the Committee, as Mr. 
Gaetz alluded to, we want someone here who can answer these 
questions.
    Our constituents come up to me and talk to me about the 
school board situation. They come up and talk to me about the 
Hunter Biden laptop. They talk about all this. They are 
concerned with the fact that we had an FBI that has abused the 
FISA process, looks like they have abused the sensitive 
investigative matter process, and we have sent letters on it, 
not to get a response.
    By the way, we did send a letter to the Biden 
Administration on the Burkov situation; asked them to respond 
by five o'clock yesterday. Got no response from them. Then, the 
guy we send today, the guy who comes in front of the Committee 
today can't answer any questions about that, either.
    It seems to me that would be the most important question 
that we would want the Witness, Mr. Chair, to be able to 
answer--is the whole, why did the United States of America let 
go Aleksei Burkov? Why did we release him, put him on a plane 
back to Moscow, when this is the biggest cyber threat we face, 
is from Russia?
    With that, Mr. Chair, I would yield back.
    Chair Nadler. The gentleman yields back.
    Ms. Scanlon?
    Ms. Scanlon. Thank you. Over here.
    Since 2015, we have seen foreign adversaries try to 
manipulate our elections and national politics with false and 
misleading information being shared online, and sometimes we 
have seen domestic politicians amplify that disinformation, and 
media hosts.
    Using a mix of bots and organic posts on social media, 
Russia, China, and Iran have spread or amplified disinformation 
in a coordinated attempt to influence the outcome of both local 
and federal elections. Can you talk to us a little bit about 
why disinformation campaigns are so difficult to identify and 
take down? How does the FBI work with public and private 
partners to neutralize disinformation campaigns?
    Mr. Vorndran. Sure. So, what you are primarily talking 
about is what we would term ``foreign influence.'' I am on the 
record already saying this, but I am happy to go through it 
again.
    The FBI has very specific responsibilities and authorities. 
By design and necessity, the FBI is just one part of the 
solution, among many other U.S. government partners.
    It is important to note that we follow the actor and the 
activity. The problem is when an actor masquerades as someone 
he or she is not and amplifies disinformation through, 
obviously, a coordinated campaign.
    We have been working really hard over the past couple of 
years to build relationships with private sector partners, so 
that we can transparently and in a timely fashion take 
appropriate action, allow those companies to take appropriate 
action in line with their corporate terms of service. We do all 
that we consider mindfully, legal process, as appropriate.
    I think just underscoring all this is ensuring we are 
respecting the rights of possible U.S. persons, as Americans 
have had very broad rights to consume, create, and spread 
information. So, that is our position on foreign influence as 
an organization.
    Ms. Scanlon. Okay. Yes, of course, there is the First 
Amendment right to consume and spread information, but, of 
course, we wish that our people in leadership positions would 
not spread disinformation quite so freely.
    I want to turn to something that has impacted some of the 
retirees in my community, cyber fraud that has impacted some of 
our seniors. One couple, in particular, in my district was 
targeted by a cryptocurrency scam that, ultimately, defrauded 
them of almost a million dollars in retirement funds.
    So, it is a nationwide problem. According to the 2020 Elder 
Fraud Report, of the 791,790 complaints reported to the FBI 
Internet Crime Complaint Center in 2020, about 28 percent of 
the total fraud losses were sustained by victims over the age 
of 60, resulting in approximately a billion dollars in losses 
to seniors. So, this is folks who have worked hard all their 
lives and tried to save for retirement.
    Can you tell us a little bit about how the FBI is working 
to protect seniors from internet scams and what we could do to 
help you in that quest?
    Mr. Vorndran. Sure. I mean, the Department of Justice, for 
as long as I can remember, has had a very, very keen focus on 
what we would call elder care fraud and elder care abuse. That 
is something that the FBI takes very, very seriously, because 
they are among, like children, our most vulnerable.
    The fraud schemes that are run against that population are 
very, very vast, very complicated, and unfortunately, very 
lucrative for the criminals. So, we have dedicated FBI agents, 
dedicated analysts; Department of Justice has dedicated 
prosecutors dedicated to this problem, and only this problem, 
throughout the entirety of the country.
    In terms of what you can do to help us, it is all about 
awareness, right? I think that all of us who have elderly 
people in our lives that may not understand the current trend 
of technology and the vulnerabilities that poses are very, very 
important from a messaging perspective.
    Ms. Scanlon. Thank you.
    In 2020, one of the counties that I represent was targeted 
by a ransomware attack. The attackers extorted, I think it was 
$25,000 in ransom, and it took months of staff time and 
resources for the county government to recover from the attack.
    So, we have seen these attacks against local governments, 
and obviously, they have personal information of folks that 
could be at risk. One of the wrinkles that we ran into was 
trying to get insurance coverage back. I was wondering if the 
FBI has any information about working with these private 
insurance companies, or whatever. There were questions about 
whether the FBI had negotiated with the ransom attack, and I 
understand that is not the position of the FBI. Some insurance 
companies are requiring that they appoint a negotiator. So, I 
was wondering if you had any recommendations with respect to 
that.
    Mr. Vorndran. No, I don't, unfortunately. The insurance 
industry is a difficult conversation for the Bureau, and 
certainly, from a cyber perspective. So, those relationships 
that really exist, exist between, generally, retained counsel, 
a third-party incident response firm, and then, the insurance 
company.
    This is why exercising incident response plans are so 
important to companies, so that they know what their insurance 
company is or is not going to be looking for in that moment, 
and they can plan for that effectively.
    To look back on it as 20/20 hindsight, and offer a 
recommendation, I really don't have one.
    Ms. Scanlon. Okay. Thank you for that information.
    I yield back.
    Chair Nadler. The gentlelady yields back.
    For what purpose does Mr. Gaetz seek recognition?
    Mr. Gaetz. For a unanimous consent request.
    Chair Nadler. The gentleman is recognized.
    Mr. Gaetz. Thank you, Mr. Chair.
    After a consultation with majority staff, I seek unanimous 
consent to enter into the record of this Committee contents 
from files from and copies from the Hunter Biden laptop.
    Chair Nadler. Without objection.
    Mr. Gaetz. Thank you.
    [The information follows:]



      

                        MR. GAETZ FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Gaetz. I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Johnson of Louisiana?
    Mr. Johnson of Louisiana. Thank you, Mr. Chair.
    Thank you for being here, Mr. Vorndran.
    On page 6 of your written statement today, you concluded 
this:

        The most significant nation-state threats we face are those 
        from China, Russia, Iran, and North Korea  . . .  . They're 
        coming at us using every element of their national power, . . . 
        these adversaries become more sophisticated and stealthier.

    That sounds pretty ominous. I know that you agree; I assume 
you agree we are in a very dangerous time--I think it is 
difficult to overstate it--because we have very serious and 
fiercely committed foreign adversaries, right?
    Mr. Vorndran. Yes, sir.
    Mr. Johnson of Louisiana. President Biden said, several 
days ago--Ranking Member Jordan noted it earlier--that a 
cyberattack from Russia is coming, right?
    Mr. Vorndran. Yes, sir, I believe that was in his 
statement.
    Mr. Johnson of Louisiana. So, here is the problem. Here is 
one of the things that has concerned us, and therefore the 
questions keep coming back to one of the issues that has not 
yet been adequately addressed today. In spite of all that, 
according to the records we now have, a significant amount of 
DOJ time, attention, and resources is being used to monitor, 
and we will say intimidate, the parents of American school 
children who have the audacity to express concern over their 
local school boards' decisions.
    On October 4th of last year, Attorney General Merrick 
Garland issued a memorandum, now-infamous memo, directing the 
FBI and the U.S. Attorneys' Offices to investigate those 
concerned parents. Since then, we have had more and more 
information that has come to light about that directive, such 
as the fact that the National School Boards Association worked 
in conjunction with the White House to write the letter that 
spurred Attorney General Garland's memorandum.
    The NSBA's letter has led many State school board 
associations to call its leadership into question. Many have 
since removed their affiliation, including my home State and 
the one where you spend a lot of time, Louisiana. They dropped 
out.
    Unlike the National Association, those local State 
associations understand that parents can and should have a say 
in their children's education. They have a right to closely 
monitor school curricula. They have a right to try to influence 
those choices as best they can. That is our system. That is the 
beauty of it. It is not the government's job to raise our 
children; it is the parents' job.
    So, let me ask you a couple of general questions, because I 
know what your responses, I anticipate what some of your 
initial responses would be here. Let me ask you just out of the 
gates: Do you think it is appropriate for any White House to 
commission outside groups to make false or misleading claims 
about its political adversaries?
    Mr. Vorndran. Sir, I am not here to--
    Mr. Johnson of Louisiana. I know. I know you are going to 
say you are not here--I am not asking you in your official 
capacity. I am asking you under oath, in your personal opinion, 
as a general notion, is it okay for the White House to do that?
    Mr. Vorndran. Sir, I am here in a personal and professional 
capacity under oath because of my job.
    Mr. Johnson of Louisiana. Right.
    Mr. Vorndran. Okay. So, I am not going to comment on 
anything related to the school board or really anything related 
to the Administration.
    Mr. Johnson of Louisiana. Let me ask you about your job. Do 
you think it is appropriate for the Department of Justice, 
where you work, to be influenced by a White House's actions in 
a case like that?
    Mr. Vorndran. Sir, the memo was issued by the Attorney 
General, and I would defer all your questions back to him on 
this topic.
    Mr. Johnson of Louisiana. Oh, we would love to get him back 
here, but he won't. He won't be called by the Democrats in 
charge.
    An FBI whistleblower revealed the Counterterrorism Division 
is using threat tags against concerned parents. They were 
labeled by some of the parties involved as domestic terrorists, 
or at least analogized to them. They have categorized them into 
the FBI system, so their so-called crimes could easily be 
pulled up for investigation. That was the supposed 
justification for it.
    In general, does the FBI Cyber Division, your division, 
engage in the practice of using threat tags?
    Mr. Vorndran. Sir, when we talk about threat tags from a 
cyber perspective, we could use the current system of Russia 
activity and perhaps there would be a tag for that, so that we 
could, we could find anything that's relevant. I can't honestly 
answer the question right now about whether we're currently 
using them or not.
    Mr. Johnson of Louisiana. Why not?
    Mr. Vorndran. Sir, we have thousands of investigations in 
the cyber ecosystem. I just don't know the answer.
    Mr. Johnson of Louisiana. The threat tag is a tool that you 
use in your division, right?
    Mr. Vorndran. I, sir, I don't know that answer, if I'm 
being very honest with you. I don't know if we use them in our 
division or not.
    Mr. Johnson of Louisiana. How many active or closed 
investigations does the FBI Cyber Division have regarding any 
parents who have voiced concerns at school board meetings, or 
via social media, about their children's education?
    Mr. Vorndran. Sir, how many active or closed investigations 
does the FBI Cyber Division have on school board matters?
    Mr. Johnson of Louisiana. On parents. Parents who have come 
up on the threat assessment somehow for expressing their views 
about their children's education in social media or at school 
boards.
    Mr. Vorndran. Sir, I don't know that answer.
    Mr. Johnson of Louisiana. Who would know that answer? There 
is a lot of answers you don't have for us today, and you are 
the Assistant Director of the Cyber Division. Who has that 
information?
    Mr. Vorndran. I mean, organizationally, we probably have 
that information. I mean, again, all these questions need to be 
directed back to DOJ.
    Mr. Johnson of Louisiana. I wish somebody from DOJ would 
send the appropriate party here.
    Chair Nadler. The gentleman's time--
    Mr. Johnson of Louisiana. I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Swalwell?
    Mr. Swalwell. Thank you, Chair.
    Thank you, Director.
    We have a very capable adversary in Russia with capable 
cyber and nuclear abilities. Europe has seen the largest 
invasion since World War II. Millions of refugees are on the 
run. Russia could move farther west. I am sorry that, despite 
the serious job you have and the serious background that you 
bring, that you have been treated to unserious questioning by 
some of my colleagues. It is like a ``Greatest Hit'' channel on 
Sirius radio of Hillary's emails, Hunter Biden's laptop, and 
school board meetings.
    What I want to talk to you about are private sector 
vulnerabilities right now, in light of what the President said 
about Russia. What letter grade would you give America's 
private sector readiness as far as a cyberattack that Russia 
could bring?
    Mr. Vorndran. That's a really tough question to answer, but 
I think that the dialog between the U.S. government and the 
private sector, especially what we would consider high 
vulnerability sectors--finance, energy, these type of sectors--
I would score them very high in terms of preparedness.
    That is never going to guarantee absolutely 100 percent 
success, but to say that they're engaged with the current 
threat picture, that they understand the current threat 
picture, and that they're trying to be helpful to the United 
States and their fellow companies and their fellow citizens is 
an accurate statement.
    Mr. Swalwell. Do you agree with former Cisco CEO John 
Chambers who predicted that the year 2022 would bring 
approximately 120,000 private sector and public sector 
ransomware attacks, to the tune of $60,000 for each attack, as 
far as the cost to the public and private sector?
    Mr. Vorndran. When was that statement made?
    Mr. Swalwell. It was made in the fall of 2021.
    Mr. Vorndran. Yeah. The current ransom--I believe our 
numbers--so, our data is only about 20-25 percent complete 
because of the number of complaints/referrals that we receive. 
I think, based off of that data, the current ransom payment is 
actually higher than that threshold already. That number of 
victims is hard to say one way or the other, but I think that's 
within the realm of possibility for--
    Mr. Swalwell. Because, right now, there is no requirement 
that a victim actually notify you that they have been hit?
    Mr. Vorndran. Right.
    Mr. Swalwell. Now, it is pretty clear in what we have seen 
from Russian ransomware attackers, is it that they want to make 
it clear, when they are seeking a high ransom, that they are 
not associated with the Russian government, because they know 
that, if there is any link, then that prohibits the private 
sector's ability to pay because the Russian government, many of 
them are on the sanctions list.
    As we continue to cripple the Russian economy, though, what 
are we going to do as more and more Russian actors who are 
unable to support themselves and their families resort to 
ransomware as a means to try and make money? How are we going 
to make sure that our private sector is not inadvertently 
paying a ransom that violates the sanctions? I just worry 
that--
    Mr. Vorndran. Yeah.
    Mr. Swalwell. --we could be a victim of our own success in 
that realm, and then, put the private sector in a tough 
position.
    Mr. Vorndran. Sure. I mean, when you look at OFAC's 
guidance, it specifically says one of the most important 
mitigation criteria is whether the victim, the company, has 
engaged federal law enforcement prior to paying the ransom. The 
reason for that is that we can very much help that entity who's 
having a bad day understand who they're paying, and whether 
that is a sanctioned entity. That is looked at as a very, very 
significant point of mitigation from a Treasury perspective.
    So, that really just draws me back to the need to report is 
not just so the FBI and my world has the information. There are 
specific things we can do to better position a company, an 
organization, who is a victim in that moment, to ensure in this 
case, in your question, that they're not paying a sanctioned 
entity.
    Mr. Swalwell. Director Wray, at the House Intelligence 
Committee hearing recently, said that, within about, I think he 
said an hour or less, if you report a ransomware attack, you 
could have an agent there to assist you.
    Could you just kind of describe what that agent would do? 
Also, maybe address some fears that the Bureau would be looking 
at other nonransomware parts of the business, that a business 
may be uncomfortable with the Bureau looking around.
    Mr. Vorndran. Sure.
    Mr. Swalwell. I mean, we want our businesses to report and 
have the benefit of your resources, but can you just talk about 
what that looks like, when you get a call?
    Mr. Vorndran. So, I mean, when we, when we show up at a 
doorstep, a lot of the conversation is about what the victim 
company is seeing; when their initial compromise occurred. Do 
they have indicators of compromise? Are they seeing tactics, 
techniques, procedures, malware signatures, these things of 
information? Are there life-safety matters that have been 
compromised, in the case of a hospital?
    Then, it really becomes an information-sharing proposition, 
and what services we can or cannot provide. What it is not in 
any way is asking us to sit behind a keyboard with 
administrative access to say, ``Give us unfiltered access to 
your system, so we can do what we want to do.'' I look at it as 
a bilateral exchange in a moment of need. That moment of need 
has benefits to the organization, the victim; that having us 
engage early can definitely help in the short term and long 
term.
    If a company wants to bring us in and say, ``Hey, can you 
just walk through this journey with us?'' and then, in a day or 
in two days, we'll give you the evidence that our third-party 
incident response room has obtained, we're absolutely fine with 
that. So, I very much look at it as a malleable engagement to 
serve multiple priorities.
    Mr. Swalwell. Great. Thank you.
    I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Steube?
    Mr. Steube. Thank you, Mr. Chair.
    While much has been said about cyberattacks coming from 
Russia and China today, Mexico is also a growing cyber threat. 
Mexican cartels have increased their involvement in 
cybercrimes. For instance, the Bandidos Revolutions team stole 
nearly $15 million from financial institutions in 2018. Drug 
cartels are increasingly buying synthetic opioids using the 
dark web.
    Do you agree, yes or no, the Mexican cybercriminal 
organizations are a growing threat?
    Mr. Vorndran. I would just say the Mexican cyber or Mexican 
criminal cartels have always been a threat and will use 
whatever means they need to financially grow. So, yes.
    Mr. Steube. To make matters worse, these Mexican criminal 
organizations can gain physical access to the United States. We 
have had over two million illegal crossings since Joe Biden has 
been President. We had 160,000 illegal crossings last month. We 
are on pace to get 200,000 illegal crossings on the southern 
border.
    The ongoing border crisis is putting Americans at risk in 
countless ways, including cybersecurity. Month after month, we 
have seen increased illegal border crossings since Biden took 
office.
    Do you agree, yes or no, that the ability of the Mexican 
cyber-criminals to physically enter the United States make them an 
increased threat?
    Mr. Vorndran. Sir, I'm not here to talk about Southwest 
border crossings by the cartels. I'm here to specifically talk 
about computer intrusions using network architecture to 
catalyze a cyber-attack.
    Mr. Steube. Yes, but you just said that--and correct me if 
I am wrong--that Mexican cartels are a cyber threat, correct?
    Mr. Vorndran. Mexican cartels, to the best of my 
understanding, right--and this is not my area of expertise at 
all, right? Specifically, to the dark web, which you 
referenced, there is, in my investigative portfolio, activity 
on, investigative activity on the dark web. Yes, there are 
synthetic opioids and other drugs sold on there, which 
undoubtedly, come back to the cartels.
    Mr. Steube. So, wouldn't you agree, as a law enforcement 
official, that if you have those individuals illegally 
operating in your country, that is more a threat to the union 
than it would be if they were operating in Mexico?
    Mr. Vorndran. Sure. Cartel activity in the United States 
is, obviously, not helpful in any way.
    Mr. Steube. So, the more cartels and illegals and folks 
that come across the border that are operating in the dark web, 
doing this type of things as it relates to drug activity, is 
obviously not helping the United States and hindering law 
enforcement efforts, and increasing the amount of fentanyl and 
criminal activity that would occur in our country?
    Mr. Vorndran. Sir, again, I'm here to talk about the cyber 
program, right? If you want to talk about the--
    Mr. Steube. Well, we are talking about cybercrimes and 
related--
    Mr. Vorndran. If you want to talk about the dark web 
specifically, right, there is activity on the dark web related 
to opioids and every other illegal narcotic, illegal drug, 
that's consumed in this country. That, those drugs that are 
provided on the dark web are sourced, to the best of my 
knowledge, both domestically and internationally, right? Do 
some of them come back to the cartels? I would presume yes.
    Mr. Steube. How long have you been in law enforcement?
    Mr. Vorndran. Nineteen years.
    Mr. Steube. So, in your 19 years of law enforcement 
experience, if you have a bad guy operating in a different 
country on the internet versus operating here in this country 
domestically--again, we are talking cyber--knowing what things 
are going on in Texas, knowing what is happening in the United 
States, knowing what is going on here in our country, don't you 
think that this is an increased threat to the safety and 
security of the American people versus them being in Mexico and 
not coming into our country domestically?
    Mr. Vorndran. Yeah, they are, but in the traditional drug 
world, right, that you're describing, they are distribution 
channels to users here in the country. So, yes, they are not a 
mandatory--they are a necessary element of the supply chain.
    Mr. Steube. All right. Switching subjects quickly, big 
tech. As has been discussed today, cybercrimes are growing at 
an alarming rate in a wide variety of activities. While some 
take place entirely on the dark web or involve sophisticated 
hacking operations, many occur on common online platforms like 
Facebook and Twitter. Such crimes can involve the exploitations 
of children; communication and coordination between terrorists 
or cartels, and even the organization of smash-and-grab thefts.
    If an online brick-and-mortar business openly serves as 
meeting space for criminal organizations, that business and its 
owners may face criminal liability. At what point do online 
platforms, like Facebook and Twitter, face criminal liability 
for openly allowing criminal conduct on their platforms?
    Your mic is not on.
    Mr. Vorndran. I apologize, sir.
    I don't know the answer to that question. I have to 
apologize; I truly don't know the answer to that question.
    Mr. Steube. So, can you get us--so, aren't you the head of 
cybersecurity for the FBI?
    Mr. Vorndran. Not for cybersecurity, sir, no.
    Mr. Steube. So, what is your position title exactly?
    Mr. Vorndran. Investigations on the cyber system and--
    Mr. Steube. Investigations on the cyber system, and you 
don't know--
    Mr. Vorndran. If you want--
    Mr. Steube. --if crimes committed on online platforms, say, 
child porn, child exploitation, that there is no liability on 
behalf of the platforms that allow that activity to--
    Mr. Vorndran. Sir, the reason I--
    Chair Nadler. The gentleman's time has expired. The Witness 
may answer the question.
    Mr. Vorndran. So, the reason I'm saying I don't know is 
because I don't know where the line of civil liability and 
criminal liability starts and stops in the example that you're 
providing me. So, Facebook, as you mentioned, right, do they 
have liability for conveying child sexually exploitive 
material? The answer is likely yes, but I don't know where the 
civil and the criminal bleed over, and I would need to get a 
better answer on that.
    Chair Nadler. The gentleman's time has expired.
    Ms. Garcia?
    Ms. Garcia. Thank you, Mr. Chair, and thank you for 
convening this very urgent hearing on our nation's cyber 
resiliency.
    Cyberattacks are at an unprecedented high level. Our small 
businesses and our critical infrastructure around the country 
are under relentless siege. The consequence of ransomware 
ramifies throughout our economy, public health infrastructure, 
and national security.
    Making things worse, of course, is that ransomware has and 
continues to be increasingly become a multi-dollar criminal 
history--industry.
    In 2020, more than 2,300 U.S.-based entities were affected 
by ransomware and including billions of dollars of economic 
damage. So, I want to focus on a few of those, sir, and I know 
you said you're here to talk about intrusion so let's talk 
about a few of those, getting back to the topic.
    Several of these events have happened in my district. One 
that comes to mind is a cyberattack on the Port of Houston. The 
Port of Houston, of course, is a critical piece of 
infrastructure in my district and it's important to the 
national security of our country.
    It was subject to a cyberattack by a foreign nation state. 
They were able to resist the attack. How often does something 
like this happen where it's a major piece of infrastructure 
like a port?
    Mr. Vorndran. So, we don't know because there are no 
mandatory reporting requirements from victims. So, I'm very, 
very familiar with the incident that you're describing and 
would credit the CISO associated with the Port of Houston for 
being a tremendously productive and transparent partner in that 
moment and I do believe that if you spoke to that CISO he would 
be very complimentary of the U.S. government's role in helping 
them gain restoration of the situation they faced.
    What we see, though, is when an adversary finds a 
vulnerability, a zero day vulnerability in a specific piece of 
software, and that software may be consumed or used routinely 
by the same industry, so in the case you're providing, if there 
was a piece of software in the Port of Houston compromised that 
you're describing that's used in other ports, it's likely that 
the foreign adversary would go after them in the immediate 
aftermath.
    We, generally, lack some understanding about why the 
adversary may be interested in that target. That would be the 
best answer I could give you today in terms of how these things 
stack up and sequentially evolve.
    Ms. Garcia. Right. Then, I had a school--a high school, a 
superintendent--I mean, the district's offices hijacked. This 
is not a big major school district. This was in an 
unincorporated area, which is semi-rural, outside of Houston, 
less than 10,000 students and they were hacked, and they had 
to spend--I think it was $207,000 in Bitcoin was the ransom.
    How often and why are schools under such attack?
    Mr. Vorndran. Ma'am, what I would say is that the criminal 
adversaries that we face--the criminals that we face that are 
going to specifically look at financial motivations, which is 
the example that you're providing, they are going to go after 
targets who are the most vulnerable and so school districts, 
perhaps some other entities at the municipality level, it's 
very important for them to keep their budget requirements where 
they need to be, to maintain operating systems that are current 
to ensure that patches are passed for operating systems or for 
other vulnerabilities, to ensure that their employees do 
understand what spear phishing is and is not.
    What we see criminals do is where can they get the most 
ease of access to guarantee some generation of money back? So, 
I'm not saying that it is a resource issue, but they are going 
to go after the areas that--
    Ms. Garcia. So, it's not just the big banks, it's not just 
the big companies.
    Mr. Vorndran. It's everyone.
    Ms. Garcia. It's happening everywhere.
    Mr. Vorndran. Everyone.
    Ms. Garcia. I mean, like, again, this school district is a 
small school district. The $207,000 may not sound like a lot--
    Mr. Vorndran. It's a lot of money.
    Ms. Garcia. --but for them it is and then they want it in 
Bitcoin, which I think from what my reading, that is a current 
trend where they're using crypto currency for ransom.
    Mr. Vorndran. That's correct. Yeah, it is industry 
organization agnostic, right. The criminals will go and find 
vulnerabilities where they can, where they believe people are 
going to pay.
    Ms. Garcia. Right. I do have a couple of other questions 
that I'll submit for the record, Mr. Chair, because I see my 
time is gone. I do want to submit for the record three 
articles. First, ``Port of Houston target of suspected nation-
state hack,'' and the second one is ``Sheldon ISD forced to pay 
nearly $207,000 after hackers attacked,'' and the last one is 
information for over 6,000 Memorial Hermann Hospital System 
patients access a security breach.
    Chair Nadler. Without objection.
    [The information follows:]

                       MS. GARCIA FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Ms. Garcia. Thank you.
    Chair Nadler. Mr. Bishop?
    Mr. Bishop. Thank you, Mr. Chair.
    Director Vorndran, has the FBI taken new steps since 2017 
to ensure that private government contractors do not abuse 
access to sensitive U.S. government data stores for self-
serving purposes, including political purposes?
    Mr. Vorndran. Sir, I'm not familiar with the background of 
your question. Can you--
    Mr. Bishop. Well, the DOJ claims in court that Rodney 
Joffe, AKA Tech Executive-1, exploited sensitive DNS data 
reflecting internet traffic to and from Trump Tower, to and 
from Donald Trump's personal residential apartment building, 
and the Executive office of the President.
    He allegedly affiliated with Clinton campaign officials, 
including Michael Sussmann, who had been a cyber lawyer at DOJ, 
and tech researchers at Georgia Tech to fabricate plausible 
sounding but false allegations about connections between Trump 
and a Russian bank before the election in 2016 and then after 
the election about the use of a Russian-made phone.
    Both were scams. Mr. Sussmann fed them to the FBI at the 
highest levels while concealing his political motives. So, 
that's the background, and the question is has the FBI taken 
new steps since 2017 to see that these awesome stores of 
sensitive data that U.S. has are not being exploited for 
political purposes by private contractors?
    Mr. Vorndran. Sir, I mean, compliance is, obviously, 
important to us and just taking a little bit broader view, we 
have obviously taken a lot of reform steps over the past couple 
years. Many of them have been in the public, whether it's FISA 
Woods 702.
    So, I can't speak specifically to your question. I don't 
know the answer. The Bureau has taken a lot of reform steps 
through that time period that all have been discussed in public 
forums such as this and in the media.
    Mr. Bishop. You mentioned FISA Woods 702. So, I think 
you're talking about the Woods file abuse in the FISA 
applications.
    I don't think I'm asking about that. Can you think of any 
reforms that have been taken specifically to see to it that 
this kind of private contractor abuse of these data stores 
can't happen?
    Mr. Vorndran. Sir, not at this moment. I cannot.
    Mr. Bishop. Oh. What are the cybersecurity implications of 
a private company being able to intercept internet traffic to 
and from the White House?
    Mr. Vorndran. Sir, I'm not here to talk about those 
matters.
    Mr. Bishop. Look, you've said what you're here not to talk 
about. A Member of Congress asking you for something within 
your knowledge is a question you're bound to answer, sir. Do 
you know what the cybersecurity implications are of data being 
intercepted into and out of the White House?
    Mr. Vorndran. Do I know what the cybersecurity implications 
are? If you're asking me if I know what the policy is that 
backs up when we can and cannot--
    Mr. Bishop. That's not what I'm asking you. I'm asking you 
what the implications are--the national security implications 
of intercepting data in and out of the White House and a 
private company having access to that.
    Mr. Vorndran. Yes, in general terms. Yes.
    Mr. Bishop. There are exposures from that, wouldn't you 
agree?
    Mr. Vorndran. Yes, sir.
    Mr. Bishop. This article from The Wall Street Journal 
entitled, ``Durham probe reveals government access to 
unregulated data streams,'' February 26, 2022--have you seen 
that article?
    Mr. Vorndran. No, sir, I have not.
    Mr. Bishop. It relates that the latest developments in the 
high-profile criminal probe by Special Counsel John Durham show 
the extent to which the world's internet traffic is being 
monitored by a coterie of network researchers and security 
experts inside and outside of government.
    There are concerns, obviously, about the privacy 
implications of private cybersecurity companies being able to 
tap into the web traffic and then give that data to government 
at any particular level without warrants or court orders. In 
what ways does the FBI rely on this kind of data in their 
investigations?
    Mr. Vorndran. Sir, as I've said earlier today, when you 
look at private sector, broadly defined, but when you look at 
private sector a little bit more narrowly defined about who 
provides infrastructure for network servers, computers, et 
cetera, those network providers obviously see a lot of traffic.
    They see my personal traffic. They see your personal 
traffic on a very routine basis. We have subpoena processes 
that we go through to request that information when it's 
relevant to an investigation. So, that is how we interact with 
those companies on a routine basis from an investigative 
perspective.
    Mr. Bishop. Well, my time is about to expire. What this 
article relates is that a lot of that information can be 
accessed without warrant and that's exactly the problem I'm 
talking about.
    You've spoken two times to the priority given to the FBI at 
the highest level to the imperative of protecting the rights of 
Americans, particularly First Amendment rights, Fourth 
Amendment rights, and I'm looking for some indication that 
those are more than empty words, more than just a platitude.
    I'm stunned that above all the things we have talked about 
today that you can't even speak to something that--an abuse 
that is out in public, based on allegations of the Department 
of Justice involving the use of cyber data.
    Is there anything that you can offer the American people to 
improve their confidence that the FBI is, indeed, protecting 
their rights beyond just platitudes?
    Chair Nadler. The time has expired. The gentleman--the 
Witness may answer the question.
    Mr. Vorndran. Sir, you're very familiar with the legal 
process that we have to go through to obtain information from 
any number of companies or even from victims in certain cases.
    That is our baseline protocol of how we do business. I'm 
unfamiliar with the article, so I cannot speak to what it 
actually says in there.
    Mr. Bishop. Mr. Chair, I ask unanimous consent to submit 
for the record the article from The Wall Street Journal 
entitled, ``Durham probe reveals government access to 
unregulated data streams.''
    Chair Nadler. Without objection.
    [The information follows:]

                       MR. BISHOP FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chair Nadler. Mr. Jeffries?
    Mr. Jeffries. Well, thank you very much, Mr. Chair and to 
the Witness, thank you so much for your presence and for the 
work that you and the FBI do.
    I'm sorry that you've been subjected to so much pro-Putin 
pro-insurrection pro-conspiracy rhetoric, as if Donald Trump is 
a victim, not the perpetrator of perhaps the most significant 
ongoing crime spree in the history of the American presidency 
from Russia's interference in the election explicitly designed 
to artificially place him in 1600 Pennsylvania Avenue, to his 
corrupt abuse of power when he pressured a foreign government, 
Ukraine, to target an American citizen, Joe Biden, by 
withholding $391 million in military aid to a country, Ukraine, 
under Russian threat in order to try to extract phony political 
dirt as part of his aim to artificially interfere in the 2020 
election.
    Then to cap it off, he incited a violent insurrection and 
attack on the United States Capitol to try to halt the peaceful 
transfer of government.
    Donald Trump is not a victim, despite what some of my 
colleagues from the other side of the aisle have endeavored to 
project. He is a perpetrator, a one-man walking crime spree. 
I'm sorry you've been subjected to this.
    Now, let me ask a question or two that relates to everyday 
Americans. According to a recent report by the FBI Internet 
Crime Complaint Center, I guess, in 2020 alone approximately 30 
percent of fraud losses reported to the FBI was sustained by 
victims ages 60 or over. Is that correct?
    Mr. Vorndran. Sir, I don't have the exact number in front 
of me. That number sounds appropriate, based on both the 2020 
and 2021 annual report.
    Mr. Jeffries. Is it fair to say that we have seen an 
increased trend of cyber-criminals targeting older Americans?
    Mr. Vorndran. Sir, the--what we would call elder care fraud 
has been a priority of the Bureau for many, many years. We have 
dedicated analyst agents, prosecutors in the Department of 
Justice, that work just this.
    So, it's a very important threat, a very important victim 
set for us to protect. So, whether there has or has not been an 
increase, I don't know the specific answer.
    I think what I would say, perhaps, more meaningfully is 
that it's at unacceptable levels, even if it's decreasing, 
because it's targeting some of our country's most vulnerable.
    Mr. Jeffries. What are some of the steps that the FBI is 
contemplating taking or that you are taking to deal with what 
you describe as this unacceptable threat that appears to have 
intensified as we have been navigating our way through this 
once in a century deadly pandemic?
    Mr. Vorndran. Sir, I'm not sure I understood your question. 
Did you say what is the FBI specifically doing?
    Mr. Jeffries. Right. What steps are you contemplating? It 
appears to be intensifying. You've indicated that it, 
obviously, is unacceptable and troubling. So, just trying to 
get a sense of what you're doing.
    Mr. Vorndran. Sure. Again, we have dedicated agents 
investigating these types of crimes across the country, a lot 
of them tied to international criminals and working with our 
international law enforcement partners.
    We have FBI agents in 70 countries and very, very good 
relationships in many of those 70 countries that allow us to 
get closer to these criminals.
    Then the second piece of it is public awareness campaigns 
for those who are elderly and who may not understand the 
current threats that pose--they're facing in terms of 
technology.
    So, it's a multi-faceted approach and something that's 
very, very important to us today, no different than it was in 
the past.
    Mr. Jeffries. Now, you have public education campaigns that 
are designed in part to be preventative and, of course, 
proactive FBI action to kind of take down these cyber-
criminals.
    Once you've sort of uncovered criminality and prosecuted 
it successfully in partnership with the DOJ, could you comment 
a little bit in the time that I have remaining on your 
restitution efforts?
    Have you been successful or is part of the FBI's work 
designed to recover money that has been stolen so that these 
older Americans who are adversely impacted can gain back some 
semblance of what was taken away from them?
    Mr. Vorndran. Sure. Of course, recovering money is always 
important to us and that restitution back to victims, quite 
frankly, is what drives many of us to come to work every day 
and drove many of us to apply to this organization. It's very, 
very challenging, especially in the international landscape of 
how money is transferred.
    I'll just give you some statistics that may not relate 
specifically to elder care fraud but does relate to business 
email compromise.
    In terms of business email compromise, when we receive 
reports of BEC fraud, we do have a 75 percent success rate when 
those transfers are domestic, and so I think if you know you've 
become a victim of a fraud, independent of what time, that 
reporting timeline is extremely, extremely important, and many 
of these frauds hit individual Americans and I think that makes 
it even more relevant for the audience.
    Mr. Jeffries. Thank you, sir.
    Chair Nadler. The time of the gentleman has expired.
    Mr. Tiffany?
    Mr. Tiffany. Thank you, Mr. Chair.
    First, sir, thank you for being here, and I'm sorry you 
were subjected to scurrilous comments about the previous 
President who gave us peace through strength, kept us out of 
wars, who took crime seriously, who gave us energy 
independence, which we have given up in just a little over one 
year, and had kept illegal border crossings down to a level 
that we had not seen in a long time, and we wish for those days 
to come back when we had a strong America.
    I think Mr. Bishop's testimony showed that, I would say to 
the Chair, that it is time to bring the director back in. 
There's a lot of questions to be answered.
    As we heard from the Witness here, there's things that he 
could not answer. I would hope that the FBI director would be 
able to answer some of those questions that we'd like to have 
answers to.
    As you follow social media and efforts to facilitate 
illegal immigration, does it raise concern for you when you 
have people like the Vice President of Facebook who openly 
admits they facilitate illegal immigration?
    FBI is in the business of stopping illegal activities, 
breaking the law here in the United States. Does that raise 
concern for you?
    Mr. Vorndran. Sir, again, I'm not familiar with that post 
or what you're referring to. Any violations of U.S. law we are 
interested in exploring, right, and those referrals should come 
into the bureau.
    They can either come to the local field office. If there is 
a violation of U.S. law, that is, obviously, what we're here to 
do.
    Mr. Tiffany. So, if I show those to you, will the 
cybersecurity division follow up on them?
    Mr. Vorndran. It's not going to be a cybersecurity 
responsibility. What you're describing is going to, largely, 
fall in the Criminal Investigative Division. If that's what you 
want to do, you want to make a referral to the bureau that we 
can get it to the right people.
    Mr. Tiffany. So, it should be a criminal investigation if 
they're posting things that facilitate illegal immigration. Is 
that what you're saying?
    Mr. Vorndran. Sir, I don't know what the post says. What 
I'm saying is that if there is a violation of U.S. law, a 
criminal allegation that you think warrants investigation, then 
we'd be happy to take a look at it.
    Mr. Tiffany. Absolutely spread the word at FBI. It needs to 
be done. By the way, it wasn't a post. It's numerous posts, and 
as you know how social media works, it spreads like wildfire 
and that's what's happening down on the southern border where 
the big tech companies are helping facilitate illegal 
immigration.
    In February 2022, the Biden Administration--yeah, just 
recently last month--decided to scuttle its China initiative 
program launched by the Justice Department during the Trump 
Administration to protect America from national security 
threats posed by the PRC.
    I'm troubled that it's going away. What comments do you 
have? Isn't that something that is important to protect 
Americans and American interests?
    Mr. Vorndran. What I would say about China is from a cyber 
perspective they are the top overall cyber threat that we face 
as a country. That poses both security and economic--
    Mr. Tiffany. So, in other words, when we hear from the 
other side Russia, Russia, Russia, Russia, it's actually China 
is the biggest threat. Is that correct? Not diminishing that we 
should pay attention to Russia also. You just said China is the 
biggest threat. Is that right?
    Mr. Vorndran. We have a big four, right. China, Russia, 
Iran, and North Korea. They're all formidable adversaries. From 
a cyber perspective, we would assess that China is our most 
formidable adversary.
    Mr. Tiffany. Does the Biden Administration scuttling the 
China initiative bring you any concern?
    Mr. Vorndran. Sir, we operate fairly autonomously, 
independent of what the Biden Administration did or didn't say. 
Our investigative posture on cyber threats posed by China has 
not diminished in any way and we have the largest percentages 
of our organization dedicated to those types of investigations.
    Mr. Tiffany. Thank you for that answer.
    It was recently reviewed at the start of the Russia-Ukraine 
conflict that information that President Biden passed on to 
General Secretary Xi in China that it was compromised. That 
information was sent on to Russia.
    Do you know if any of our foreign assets and/or 
infrastructure was compromised?
    Mr. Vorndran. Sir, I don't know that answer.
    Mr. Tiffany. Who do I go to get that answer?
    Mr. Vorndran. What I would say is let me take that back and 
we'll get that answer for you. I don't know that answer in the 
moment.
    Mr. Tiffany. Yeah. Deeply concerning, Mr. Chair, that we're 
seeing information just simply passed on to our number-one 
adversary, China, and the Russians are able to use it, and just 
another thing where it seems this Administration, the Biden 
Administration, is giving away the keys to the castle here in 
the United States.
    I yield back.
    Chair Nadler. The time of--the gentleman yields back.
    Ms. McBath?
    Ms. McBath. Thank you, Mr. Chair. Good afternoon, Assistant 
Director Vorndran. Thank you so much for coming before us 
today.
    As it's been mentioned by my colleagues earlier, the 
nation's cybersecurity is just likely one of the most important 
security fronts that our Nation actually faces. It's also 
quickly becoming a major threat at the individual level for 
everyday Americans.
    My district--I represent Georgia's Sixth Congressional 
District. It's the headquarters to the Colonial Pipeline, and 
that's one of the largest pipeline systems for refined oil 
products in the United States, and it was victim to one of the 
most--one of the worst ransomware attacks that our nation's 
energy sector has seen.
    So, this attack, really, affected not only just Georgians, 
my constituents, but it affected Americans throughout the 
country.
    Americans--they were racing to fill up their tanks at the 
gas stations before they ran out of fuel and Americans that are 
relying on their vehicles to perform their jobs, and there are 
many people that are ride share drivers and delivery drivers.
    They wondered whether or not they were going to actually be 
able to get to work the next day, and this was just not to--
this happened just fairly recently.
    These cyberattacks aren't just restricted to large 
corporations, and the city of Dunwoody, Georgia, which is also 
in my district, which was subject actually to ransomware on 
Christmas Eve of 2019 and this forced the shutdown of all 
department networks for several days and it was just really 
preventing the most important work, necessary work, that needed 
to be done in our Atlanta suburbs.
    Additionally, my local school district of Cobb County, 
Georgia, was also subject to cyberattack on its emergency alert 
system, which placed all 112 of its schools--of our schools in 
lock down.
    So, I know that we have really--as has been expressed, we 
really have to make sure that we're doing all that we can to--
within our powers to keep America's towns and our businesses 
secure and just really making sure that we're allowing America 
to keep running.
    Assistant Director Vorndran, my first question for you is 
this. How is the FBI's cyber division ensuring that America's 
towns and cities like my city, Dunwoody, in Georgia have the 
tools and the resources that they need to respond to these 
cyberattacks quickly and appropriately?
    Because I'm assuming that this will continue to happen. So, 
what do we do to assure that they are prepared?
    Mr. Vorndran. Sure. Well, a couple things. First, we would 
recommend that all those municipalities have active 
relationships in the U.S. government to the best of their 
ability that would cross cut the FBI, U.S. Secret Service, and 
CISA as well, because FBI and/or U.S. Secret Service can fill 
the threat response side of PPD-41 and CISA can fill the--as 
the response side.
    CISA, specifically, to the net defense resiliency piece, 
has a lot of online resources available for those towns and 
municipalities to ensure that they're aware of the latest 
vulnerabilities and by mission design and, I believe, by EO 
that is one of CISA's core responsibilities is to maintain 
those vulnerability lists to ensure that those entities like 
you described have access to that information about how to 
ensure resiliency of their systems.
    A few other points I would make are, it is important that 
these municipalities have incident response plans built and 
that they're in a position to exercise those so if they do 
become a victim, they can call people they know and engage in 
meaningful dialogue with the bureau, with Secret Service, or 
with CISA to ensure that the latest information is in their 
hands.
    As I've described here already today, there's a whole host 
of things that the U.S. government can do leading up to a 
compromise and on the back side of becoming a victim.
    Probably most important is to ensure that the U.S. 
government interagency level that would be inclusive of, 
certainly, the FBI, Secret Service, CISA, NSA, to name a few, 
that we are disseminating information about indicators of 
compromise, known vulnerabilities, in a timely fashion, and I 
think that's an area that, collectively, as the interagency we 
have made tremendous progress in in the past year.
    Ms. McBath. Thank you so much.
    I know I'm quickly running out of time. On September 24th 
of last year, Ciox Health, which is also in my district--it's a 
healthcare information management company--they discovered that they 
had an authorized individual--an unauthorized individual also 
had access to sensitive patient information.
    What are ways in which the FBI cyber division is ensuring 
that patient data posted by various health information 
management companies is also protected?
    Chair Nadler. The time of the gentlelady has expired. The 
Witness may answer the question.
    Mr. Vorndran. Sure, sir.
    Ma'am, that's a fairly complicated question because from an 
FBI perspective, our role is asset recovery in terms of if 
something's been lost, in this case data.
    So, in these scenarios that you describe, such as Ciox 
Health, we're actively engaged to try and prevent that data 
from being pushed out or being used for other nefarious 
purposes, and I believe that was the exact reason that Ciox 
engaged us.
    Again, I would point back to, like, what is the U.S. 
government doing. It's really a focus on the resiliency and 
that defense training side to make sure that operating systems 
are updated, that there's active backups for all these 
corporations, all these things that are very, very much within 
CISA's roles and responsibilities by mission and EO, very much 
relevant on their website, are things that they should pay--
they, being the entities in your district, should pay attention 
to.
    Chair Nadler. The gentlelady's time has expired.
    Ms. Fischbach?
    Ms. Fischbach. Thank you, Mr. Chair, and Assistant 
Director, thank you for being here.
    I'm going to just ask some questions about that have to do 
with rural areas, and my district is very rural and has large 
amounts of farmland. Very big. It goes from half of Minnesota, 
from Canada to almost Iowa.
    Does the FBI categorize the cyberattacks or cyber threats 
by geographic location?
    Mr. Vorndran. So, the answer is yes, but not in a way that 
we use it to drive resourcing. So, when we look at the threats, 
we're looking, really, at who is conducting the activity that's 
causing people in your district problems.
    Obviously, almost entirely, I'll throw a figure out there--
close to 100 percent are outside of the U.S. that are 
adversaries to us in the cyberspace.
    In your example, whenever there is a compromise, we will 
have the FBI engage with the organization or the entity or the 
company, and because of that, we certainly have information 
that indicates how many victims have been relevant in a 
district or in a State.
    Ms. Fischbach. Do you think that it should be categorized, 
so that people in rural areas understand that they are at risk, 
too? Because, obviously, do we know if there's more in big 
cities? That's kind of what I'm asking about and--
    Mr. Vorndran. I don't know the answer. It's an interesting 
question. What we see is that a lot of these attacks will be 
indiscriminate in terms of who they're going after just to find 
access points or vulnerabilities, and then to see what value is 
there, and like we have talked about here today on the 
ransomware side, specifically, the bottom dollar is the bottom 
dollar, right.
    If they can get money out of a victim they're going to 
continue to go back to that industry. You described farmland.
    We know that certain industries within AG have been 
targeted through known vulnerabilities. I don't believe in 
Minnesota but, perhaps, more in the Midwest where we have seen 
a trend of specific AG industries being targeted.
    As we have talked about here today, that usually happens 
because those industries or those companies are using the same 
software packages that have the same vulnerability in them.
    Ms. Fischbach. Okay. So, maybe it was going to be a follow 
up. So, you kind of answered because I was going to ask if you 
understand how much of a threat cybercrime and cyberattacks are 
to agricultural businesses big or small. So, it sounds like you 
are addressing those.
    Mr. Vorndran. They are--absolutely. Absolutely.
    Ms. Fischbach. Okay.
    Mr. Vorndran. By ``we'' it's not just the FBI. It's the 
inter-agency of the U.S. government that has roles and 
responsibilities in this space. Certainly, FBI is a big part of 
that.
    Ms. Fischbach. Do you think that there is any way, 
Assistant Director, to get the information about it being 
either rural or metro? Because I know that there was a 
hospital--a small hospital in my district that was--I believe 
it was ransomware.
    Mr. Vorndran. Yeah.
    Ms. Fischbach. So, I'm just wondering if there is a way to 
determine that.
    Mr. Vorndran. So, I'd be happy to take that back to our 
team and to see what we can come up with that could answer that 
request for you. That's not a problem.
    Ms. Fischbach. Okay. Well, thank you very much. I 
appreciate that. Then just one last question. The FBI maintains 
the Internet Crime Complaint Center for reporting cybercrime. 
Unfortunately, it's online. Is that correct? It's only online?
    Mr. Vorndran. Correct.
    Ms. Fischbach. In my district, internet signals can be 
weak, and we have been working on deploying broadband. It does 
make it difficult for victims to always report cyberattacks or 
seek help from the FBI.
    Is there something that the FBI can do differently or take 
into consideration to do to mitigate this so there is an option 
to--if they don't have good internet available?
    Mr. Vorndran. I mean, they can simply call our field office 
or the local resident agency to report that. That's not a 
problem.
    Ms. Fischbach. Is that generally something that would be--I 
mean, if you see something that says reported here, 
www.whatever, would then a phone number be with that same 
information or is it something that should be added?
    Mr. Vorndran. IC3 is a very, very valuable resource. I was 
looking at some statistics here. What I would say is our focus, 
and it's been very, very core of our message, is we'd actually 
rather have a personal relationship with a company, an 
organization, a municipality, than we would receive a random 
report through an internet portal, right.
    So, yes, IC3 is available. Please note that personal 
relationship is extremely important to us, and if there's 
anything I can do to facilitate that or if you think we're 
missing out on important data because we're only offering an 
internet portal, I'd be more than happy to have that 
conversation about how to improve that.
    Ms. Fischbach. Well, and just one more.
    I'm just concerned that when there are those attacks, 
whether it be in agriculture or a small hospital, that they are 
able to reach out immediately.
    Mr. Vorndran. Sure.
    Ms. Fischbach. So, that they know where to reach out to. 
So, thank you very much. I appreciate that.
    Mr. Vorndran. Of course.
    Ms. Fischbach. Mr. Chair, I yield back.
    Mr. Neguse. [Presiding.] The gentlelady's time has expired.
    The gentlelady yields back. I recognize myself for five 
minutes of questions.
    Director Vorndran, thank you for attending this hearing 
today, for helping us understand how we may better address this 
serious issue. In my home State of Colorado, local government 
entities have been hit hard by ransomware attacks as have large 
organizations like the University of Colorado, which is in my 
district.
    One of my biggest concerns is the link between some of 
these attacks and hostile foreign entities. The University of 
Colorado, for instance, was affected by an attack on Accellion, 
a third-party vendor used by the university in 2021.
    The university refused to pay the ransom request and over 
300,000 records containing personal information was ultimately 
released on the dark web.
    It turns out the hackers, at least as we understand it, 
were part of a ransomware consortium known as CL0P. They were 
arrested in Ukraine, as you know, and the Ukrainian authorities 
believe the group may have caused half a billion dollars in 
financial damages around the world.
    I wonder if you might be able to share some additional 
information on this particular organization and what the 
potential links are between groups like this one and the 
Russian government.
    Mr. Vorndran. Okay. So, CL0P is a very well--in my world 
CL0P is a very well-known ransomware variant. We have heard 
them referred to as ransomware gangs.
    I, personally, don't like that terminology because it 
infers that you have a dedicated group of people under the 
banner of one variant. We know that's not true.
    We know that many of these actors, many of whom are in 
Russia or the surrounding region, are affiliated with multiple 
variants because when we look at it, really the ecosystem 
breaks down this way.
    You have key services, you have malware and delivery, you 
have infrastructure, you have communications, and you have 
financial, right. Those five key services are paramount to 
catalyze and bring home any cyberattack.
    So, actors crosscut those services. So, there may be an 
actor who's great on the financial side. That individual may 
decide to service four, five, six, or even more of the 
ransomware variants. The ransomware variants are simply a brand 
name.
    To your core question, sir, CL0P is a very, very well-known 
ransomware variant that the entire interagency in the U.S. 
government has been aware of as well as technology researchers 
and technology--cyber threat intel companies know.
    Mr. Neguse. I do think the point--and thank you for your 
answer--and the point you make is a salient one with respect to 
the cross currency of these variants, right, and the fact that 
they may be operating under multiple different banners.
    I guess I wonder--more of an open-ended question. I've 
reviewed your written testimony and appreciated a lot of the 
exchanges that you've had today. This is, clearly, a pervasive 
issue across the country, certainly, in Colorado.
    Across our State, we have had attacks on Children's 
Hospital in Colorado, which was attacked in 2017, exposed the 
personal data of more than 3,000 patient families. The Fort 
Collins-Loveland Water District--of course, the Colorado 
Department of Transportation, the University of Colorado, as I 
mentioned. Entity after entity impacted by these cyberattacks.
    Congress has proposed a series of solutions. We have a 
bill, a bill that I introduced last year, the State and Local 
Government Cybersecurity Act, that would expand DHS 
responsibilities to provide education and assistance to State 
and local, Tribal, and territorial governments along the lines 
of what you've described today, as well as the general public, 
right on cyber threat indicators and on defensive measures that 
they can take, right, to better kind of determine their own 
vulnerabilities and their incident response, which you 
referenced in response to a question from one of my colleagues.
    I don't know if you would care to opine on that particular 
bill. It's passed the United States Senate. We're trying to get 
it through the House.
    Also, on a more open-ended question, what other tools you 
might recommend the Congress legislate? New statutes that you 
might recommend that we consider?
    Mr. Vorndran. Sir, I appreciate the question and the 
opportunity.
    Certainly, on the proposed legislation that you mentioned, 
we'd be more than happy to have a look at it and offer you more 
refined thoughts.
    In terms of your question about what legislation would be 
helpful, first, would be to give prosecutors stronger sticks to 
prosecute, using RICO charges for cyber-criminals, enhance 
punishments for damaging critical infrastructure.
    Second, would be equipping courts and law enforcement with 
more tools to disrupt large-scale cybercrime. So, criminalizing 
selling infrastructure access to botnets, injunctions to stop 
ongoing or imminent mass cybercrime.
    Last would be to improve DOJ's forfeiture authorities so 
that we increase our ability to our authorities to seize 
cybercrime critical infrastructure--network infrastructure, 
that is.
    So, those are just a few thoughts that are very relevant.
    Mr. Neguse. Thank you, Director, for your service, for your 
hard work, to your team for the work that you're doing each and 
every day to protect our country, our States, our local 
governments from these pernicious attacks, and we'll certainly 
take your recommendations under advisement.
    With that, the Chair now recognizes the gentleman from 
Oregon, Mr. Bentz, for five minutes.
    Mr. Bentz. Thank you, Mr. Chair, and thank you, Mr. 
Vorndran, for your patience.
    So, it would have helped me had there been a definition of 
cybercrime at the very onset of the hearing, because it appears 
that the definition I quickly looked up here in the dictionary, 
which says cybercrime criminal activity carried out by means of 
computer or the internet, is a far broader definition than that 
which your portion of the FBI is dealing with.
    Do I have that right?
    Mr. Vorndran. Sir, when we look at cyber within the FBI, I 
would split it as computer-enabled crime in cyber. Cyber we 
would define specifically as network intrusions or computer-
enabled crimes, such as, child exploitation on the internet, 
elder care fraud facilitated by the internet, these types of 
things.
    Those are different investigative programs within the FBI.
    Mr. Bentz. This is still within the FBI because you're the 
lead agency, are you not, when it comes to all the other 
subagencies we have heard about today?
    So, one way or the other, the FBI is in charge, and I 
guess, though, you would carve yourself out from responsibility 
for some of the things we have heard about today.
    The one that comes most readily to my mind is the situation 
on the border where we see and heard from the Border Patrol 
that the internet is being used to attract thousands of folks 
to the border, and we know it's being done illegally but, yet 
nothing's being done about it.
    That's outside the scope of what you believe your portion 
of the agency is dealing with?
    Mr. Vorndran. That is inaccurate statement.
    Mr. Bentz. Okay.
    Mr. Vorndran. As I mentioned to, I believe, to Mr. Tiffany, 
if there's a belief that there is a violation of U.S. law, then 
that referral should be made. I'm not specifically familiar 
with the issue you're talking about. Certainly, not saying it's 
not out there.
    Mr. Bentz. Well, it's out there and it has been referred 
and it's being ignored. That's not your, apparently, scope of 
purpose.
    So, let's shift to what you do, and it sounds to me like 
what--if we looked at this cyber situation as a continuum and 
the cyber event occurs in the middle, your primary focus in 
prevention would be to point at those who are in the business 
of writing software in the private sector to try to head off 
attacks of malware and other things, as opposed to you--because 
you're--the FBI isn't writing that software? Or am I wrong? Are 
you--do you have your own division that's trying to write 
software that's going to head-off some of these things?
    Mr. Vorndran. Not to my knowledge, no.
    Mr. Bentz. Okay. So, going back to my continuum, what we 
have is a situation where the FBI is saying we're alerting 
people, hey, we have had an attack over here, get ready. It 
could happen.
    Go buy some new protective software. Then the event 
happens, and then you come in afterwards and say, hey, look 
what just happened. We'll try to help you clean up the mess and 
we'll try to find whoever did it and prosecute.
    Have I summarized the nature of your department 
appropriately?
    Mr. Vorndran. Yes. In my opening statement I gave some 
really important notes that we're not an arrest first, 
indictments first, organization when it comes to our cyber 
ecosystem role.
    We're very much interested in understanding who in the 
interagency has the most impactful operational play to impose 
the most significant costs on the adversary.
    At times, that may be an arrest--an indictment and arrest 
and extradition, but at times that may be degrading the 
infrastructure that these adversaries are riding on--
    Mr. Bentz. Right. I understand that you have tools, and you 
have different ones you might use after the event.
    Now, I want to go to a question of great interest to me and 
that is your assessment of the quality and ability of our 
private sector to head off that which is happening in China.
    So, tell me, how good a job are we doing in that private 
sector? Are you seeing an increase in attacks? Are you seeing 
the private sector doing a good or a bad job?
    Mr. Vorndran. So, and I want to try to be consistent. I've 
answered this question twice. I try to be really consistent. My 
interactions and our organizational interactions in cyber 
relative to the private sector have been very positive in the 
last year that I've been here. It's hard for me to speak to the 
time before that. I was in New Orleans.
    In the last year, these infrastructure providers, these 
major server providers, they have been very, very good 
partners, and if you go and do some research, you'll see 
they're actually writing their own blogs and disseminating 
their own products to the American public, largely, before 
sometimes anyone else outing adversarial activity.
    So, I think they've been tremendously transparent and 
tremendously proactive in that space in terms of--
    Mr. Bentz. That's all very good, but I haven't heard you 
tell me how well we're doing when it comes to keeping up with 
China.
    Mr. Vorndran. Sir, my statement covers China, it covers 
Russia, because the private sector sees a lot of the activity 
from all those countries.
    Mr. Bentz. So, you're saying we're doing just fine?
    Mr. Vorndran. Sir, there's always room for improvement, 
undoubtedly. What I'm saying is the private sector is very 
proactively engaged and been a very good partner in that space 
to us.
    Mr. Bentz. Thank you. I yield back.
    Ms. Dean. [Presiding.] The gentleman yields back.
    The gentleman from Arizona, Mr. Stanton, is recognized for 
five minutes.
    Mr. Stanton. Madam Chair, thank you very much, and thank 
you to Mr. Vorndran for your service at the FBI and for 
testifying at today's very important hearing.
    In recent years, we have witnessed cyber threats and 
cyberattacks as they become more sophisticated, more targeted, and 
more harmful. These attacks not only are directed at strategic 
national security operations but also essential infrastructure, 
educational institutions, and local governments.
    For instance, in my home State of Arizona, one of our local 
community colleges was forced to cancel classes when a cyber 
threat was detected in their network. Luckily, they were 
prepared. They took preventative measures, and they safeguarded 
their students' and their employees' information.
    These smaller incidents don't always get the national 
attention like the bigger attacks on Colonial or JBS. The 
threats are no less real and neither are the disruptions they 
cause to our daily lives.
    So, Mr. Vorndran, I want to ask you about these lower 
profile attacks. In February of 2022, the Cybersecurity and 
Infrastructure Security Agency published an alert that the FBI 
had observed some ransomware groups shifting away from so-
called big game hunting in the United States and instead 
increasingly targeting smaller victims to avoid scrutiny from 
the Federal government.
    Do you believe that this change was due to the 
Administration's crackdown on ransomware attackers?
    Mr. Vorndran. No, sir. I just think that we are seeing an 
evolution of the criminal enterprise that instigates and 
catalyzes ransomware attacks, and they are going to go where 
they can find the most routine financial gain on a routine 
basis. So, they're going to go where the money is and that's 
the bottom line.
    Mr. Stanton. Why are small to mid-sized victims a safer bet 
for ransomware groups?
    Mr. Vorndran. Sir, my opinion on that question is that 
smaller entities are not as well-resourced as some of these 
larger entities. That resourcing really covers the resiliency 
and that defense side, whether that's patching, multi-factor 
authentications, zero trust architecture, whether that's 
training for spear phishing, keeping your operating systems 
patched and updated, any number of these things that tie back 
to resources.
    My assessment, personally, would be that these types of 
organizations, entities, municipalities, are not as well-
resourced as some of your major multinational companies, and 
because of that they're likely, potentially, more vulnerable.
    Mr. Stanton. Are you concerned that by cracking down on the 
hackers of bigger, wealthier companies that the FBI has sent a 
message that smaller targets will be met with less force?
    Mr. Vorndran. The way we work our investigation, sir, we 
look at the conglomerate of all the victims that, 
unfortunately, become victims and tie them back to the 
adversarial activity that's perpetrated by groups of people, 
almost all are overseas.
    So, the ability for us to investigate or for the 
interagency to include the bureau to run offensive operations 
really isn't impacted in any way.
    So, it would be hard for me to see a scenario where we're 
encouraging smaller targets to be hit because it's just not 
tied to our investigative or our interagency operational 
calculus.
    Mr. Stanton. How would the FBI adjust its attack plan to 
better ensure that small and medium-sized businesses are 
protected as they are with some of the larger entities?
    Mr. Vorndran. Sir, so the FBI is always available for these 
entities, and we would encourage those relationships to start 
if they're not already present.
    This exact question is why CISA was stood up and it's 
codified in the Executive Orders. They are there for the 
purpose of improving what we would define as resiliency in net 
defense, and they have these resources in their mission 
statement or as part of their mission and available for the 
exact type of groups that you're talking about.
    So, they are in the U.S. government, the best entity for 
those small businesses to really work with to improve their net 
defense plans. The FBI and CISA have a tremendously strong 
operational day-to-day and week-to-week relationship.
    What we can do is we're sharing indicators of compromise, 
latest intelligence, that can better inform the net defense 
side that CISA carries forward.
    Mr. Stanton. I appreciate your testimony today, and I will 
yield back.
    Ms. Dean. The gentleman yields back.
    Now the gentleman from Wisconsin, Mr. Fitzgerald, is 
recognized for five minutes.
    Mr. Fitzgerald. Thank you, Madam Chair.
    Mr. Vorndran, on February 23, 2022, Department of Justice 
announced the end of the China initiative, despite an internal 
review finding no indication of racial bias.
    Mr. Vorndran, what is your division doing to absorb all the 
activities that were part of that China initiative that we all 
thought was being very successful in countering national 
security threats posed by China?
    Mr. Vorndran. Sir, our workload in terms of cyber division 
has not changed as a result of that initiative that you 
referenced.
    As I've said already on the record here today, we do 
consider China our top overall cyber threat to the United 
States and to our allies. We have an enormous amount of our 
workforce dedicated to that cyber threat. That has not changed 
in the last six months, the last 12 months, the last 18 months.
    The problem with China is that they're very indiscriminate 
about who they target. It's not just the U.S. government--I 
just have a few notes here--think tanks, academia, CDC, 
journalists, medical, and COVID-19. The list goes on. They're 
very indiscriminate.
    So, we would say that they're the biggest national security 
and economic threat. To your question, has my workload changed? 
It has not. We have had a lot of people dedicated to that 
problem, certainly, over the past year.
    Mr. Fitzgerald. So, in relationship to the initiative, 
there had to be some items that, I would assume, would have to 
be picked up in some form by your division. You're saying that 
did not happen?
    Mr. Vorndran. No, sir. That didn't happen for me. Again, 
this gets into some of the Bureau's structure, 
counterintelligence division. They may have a different answer 
to that question. I'm unsure. For me, personally, under oath, 
my workload has not changed or been altered in any way as a 
result of that.
    Mr. Fitzgerald. There was some discussion earlier by other 
Members about Alexei Burkov and--the cyber-criminal. Now, that 
he is kind of out there, and we're not sure exactly, I guess, 
and it'd be difficult for you to tell us how you're tracking 
that.
    Can you tell us today that you're confident that there 
aren't currently cyberattacks that are being coordinated or 
launched as a result of his release?
    Mr. Vorndran. I don't have any information that would 
indicate that's happening. That's as much of a refined answer I 
can provide to you.
    Mr. Fitzgerald. Okay. REvil, a Russian-based criminal, 
cyber-criminal group, claimed responsibility for one of the 
biggest ransomware attacks on the information technology 
management and 
security software company Kaseya, which I'm sure you're aware 
of.
    Reportedly, victims, including schools and hospitals, many 
lost millions of dollars in recovery. Is it accurate that the 
FBI withheld a digital decrypter tool that could have unlocked 
the system subject to the ransomware attack in the case of 
Kaseya?
    Mr. Vorndran. Yes, sir, it is. I'm on--myself and National 
Cyber Director Chris Inglis are in open testimony in December 
on Oversight and Reform where we're on the record about this 
exact topic.
    So yes, that is an accurate statement. I'd be happy to 
explain our decision on that if that would be helpful right 
now.
    Mr. Fitzgerald. Let me just tell you, is it also accurate 
that the goal of withholding this tool was to disrupt the 
hackers--the Russian hackers--without alerting them? Was that 
what the goal was?
    Mr. Vorndran. There were multiple derivative elements to 
the operational plan that were being evaluated during that time 
period to include the validity of the decrypter tool and 
ensuring that it didn't have malware or introduce other 
vulnerabilities into the supply chain.
    Mr. Fitzgerald. Is it fair to say that the mission overall 
was not successful?
    Mr. Vorndran. Sir, my pause is because I'm trying to 
remember specifically on that operation.
    Mr. Fitzgerald. Let me ask you this. Did you or anyone in 
the FBI caution against withholding the decrypter?
    Mr. Vorndran. Did we caution against withholding the 
decrypter? We had a series of variables that were under 
consideration in that moment that ranged from providing the 
decrypter key immediately to letting an operational plan play 
out in infinite time period. Once we had indications that 
operational opportunities were not going to be valid, we 
immediately moved towards deploying the decrypter.
    In parallel, from the moment this started, we were testing 
the decrypter to ensure that it didn't have any malware because 
as I already described, we don't go buy this from Best Buy, 
right. This is touched by many, many criminals, developed by 
criminals, and many hands in the supply chain.
    So, to get that we, obviously, have to put it through a 
testing environment, knowing that Kaseya is going to deploy it 
in a supply chain environment and we don't want them to 
introduce vulnerabilities downstream.
    Mr. Fitzgerald. I'm out of time but I'm going to follow up 
with a letter trying to dig into this a little bit deeper. So, 
thank you, Madam Chair.
    Ms. Dean. The gentleman yields back.
    Now, the gentlewoman from Washington State, Ms. Jayapal, is 
recognized for five minutes.
    Ms. Jayapal. Thank you, Madam Chair.
    Mr. Vorndran, thank you so much for your commitment to 
ensure security in light of new and evolving cyber threats. I 
wanted to focus my five minutes on the data breaches of 
critical infrastructure, namely, our hospital systems.
    Hospital attacks against healthcare facilities are becoming 
more frequent as the pandemic and workforce shortages created 
new vulnerabilities.
    Just this past June, Sea Mar Community Health Centers, a 
nonprofit community-based provider in my district, learned that 
the sensitive personal health data of nearly 700,000 patients 
were compromised.
    Names, addresses, and Social Security numbers were stolen 
from its internal network. The FBI has stated its deep concern 
about the increase in ransomware attacks on hospitals and other 
critical infrastructure. Can you elaborate on why these attacks 
on healthcare systems have become so frequent?
    Mr. Vorndran. Sure. One second here. So, we have seen 
excessive targeting of the healthcare industry during the 
COVID-19 pandemic.
    We would assess that the reason for that, more than 
anything else, is because adversaries, criminals, know that 
those hospitals, healthcare providers, are in a very, very 
vulnerable position in terms of continuing to provide care, and 
as a result of that, are likely to potentially pay an extortion 
payment or a ransom more quickly.
    So, it's really a sad State of affairs when criminals 
really are looking to disrupt patient care, and that's actually 
on the table of viable options for them as criminals and how 
they're going to affect us here in the United States.
    So, that would be the primary reason that we would assess 
that there's been an escalation.
    The other point that I would really highlight--I've talked 
about this several times today--what we see is industries--
hospitals in this use case, it could be any industry, though--
have common software platforms that they all generally use, and 
when an actor finds a vulnerability in one of those software 
platforms, that is, obviously, likely to be pervasive or 
potentially pervasive across other hospitals.
    So, you may see a surge of activity against a traditional 
or a specific sector until that is closed. I hope that answers 
your question.
    Ms. Jayapal. It does. What's really terrible, and you 
referenced it, is that these attacks are just leaving patients 
so vulnerable and delay first responders from responding to 
emergencies or prevent hospitals from accessing life-saving 
equipment.
    In fact, 22 percent of healthcare organizations that 
suffered a ransomware attack this year experienced increased 
patient mortality after the attack.
    So, what are your best thoughts on how hospital systems 
that are suffering from cyberattacks can mitigate negative 
patient outcomes?
    Mr. Vorndran. So, again, when we look at the cyber 
ecosystem, what you're describing specifically as 
cybersecurity, within the U.S. government CISA is on point for 
those recommendations.
    Largely, what you would hear from them is cyber hygiene is 
really important. That includes multifactor authentication, 
implementing zero trust architecture.
    That includes making sure that your patch management is 
where it needs to be, updated operating systems, et cetera. It 
also includes strong passwords, but also strong discipline of 
users, specifically, administrators.
    All that information is available on CISA's websites and 
that's a really good one-stop shop for hospitals like you're 
describing to kind of get to a best of checklist.
    Ms. Jayapal. Is the FBI launching your own special 
initiative to make sure that hospitals that are struggling with 
access to sufficient cybersecurity defenses because they have 
low budgets or staffing restraints?
    What are the ways that the FBI can help elevate this for 
healthcare providers to reinforce their defenses against 
ransomware attacks?
    Mr. Vorndran. I appreciate the opportunity to answer that 
question. We have very, very strong relationships with the 
American Hospital Association and with the Health ISAC. ISAC is 
the Information Sharing Analysis Center.
    We do very routine podcasts with the American Hospital 
Association and their director and some of our personnel on 
both the analytical and the operational side to try and 
reemphasize this message.
    We're very much prioritizing the investigations that hit 
critical infrastructure overall to include hospitals. So, I 
hope those few additional items helped.
    The only other thing I would say is for CISA to do its job 
well all of us on the investigative side have to do our job 
well because we're seeing new indicators compromised, new 
malware signatures, new tactics, techniques, and procedures, 
all which reinforce and inform in that defense side.
    So, that's how we would plug into it and what we have been 
doing to amplify it.
    Ms. Jayapal. Thank you, sir, for elevating that. I really 
appreciate it.
    Madam Chair, I yield back.
    Ms. Dean. The gentlewoman yields back. I now recognize the 
gentleman from Texas, Mr. Gohmert, for five minutes.
    Mr. Gohmert. Thank you, Madam Chair, and appreciate your 
being here. Looks like we may be last and maybe somebody else 
did ask questions.
    There was an internal review done at the FBI in 2019 to 
gauge compliance with FBI rules for handling high profile 
delicate cases known as Sensitive Investigative Matters--SIMs.
    Generally involved activities of domestic public officials, 
political candidates, religious organizations, and the FBI's 
audit, turns out, found that in auditing 353 cases there were 
747 compliance errors in violation of FBI rules.
    To your knowledge, were any aspects of those 353 cases 
handled by the cyber division?
    Mr. Vorndran. Sir, to the best of my knowledge, there were 
a handful of cyber cases that were part of that audit.
    Mr. Gohmert. Well, I know Jamie--well, Members of Congress, 
Jamie Raskin and Nancy Mace have requested a review of the 
FBI's domestic operation. Will the cyber division comply with 
that request?
    Mr. Vorndran. Sir, are you referring to the DIOG, the 
Domestic Operations Guide? I'm not sure.
    Mr. Gohmert. Well, they've made a request to review 
domestic operations.
    Mr. Vorndran. Any requests that's supported by the 
department and by the director of the FBI, obviously, will 
support.
    Mr. Gohmert. Well, then I guess that's the question. Are 
they supporting--the question is would you support them to the 
director?
    Mr. Vorndran. Sir, I'd be happy to take back your request. 
I'm actually not familiar with what you're referring to.
    Mr. Gohmert. I'm not asking for any specifics, just 
numbers. How many cyber cases have been involved with warrants 
for surveillance of any American citizens from the FISA court?
    Mr. Vorndran. Sir, I couldn't even hazard a guess. I 
apologize.
    Mr. Gohmert. So, there would be a lot?
    Mr. Vorndran. Of U.S. citizens?
    Mr. Gohmert. Right.
    Mr. Vorndran. Sir, I don't know that answer off the top of 
my head. I apologize.
    Mr. Gohmert. Well, how about generally speaking? More than 
a thousand?
    Mr. Vorndran. No, sir.
    Mr. Gohmert. Less than a thousand?
    Mr. Vorndran. My best guess would be absolutely the latter.
    Mr. Gohmert. Do you know if there's been any internal 
review like that one that we just found out about from 2019? 
Has there been any internal audit for 2020 or 2021?
    Mr. Vorndran. Not that I'm aware of, sir.
    Mr. Gohmert. The cybercrime website on fbi.gov says the FBI 
is the lead agency for investigating cyberattacks and 
intrusions, and the division collects and shares intelligence 
and engages with victims while working to unmask those 
committing malicious cyber activities.
    According to a Department of Justice audit in 2017, the FBI 
disrupted or dismantled 262 high-level criminal operations 
targeting global U.S. interests. In 2014, we know that 
cybercrimes disrupted--your division disrupted 2,492, but in 
2017 just 262.
    Has the track record improved since 2017? What was the 
reason for having so few compared to what your division has 
done before that?
    Mr. Vorndran. I'm unsure about the 2014 number and what 
that is or isn't referencing.
    Mr. Gohmert. More concerned about 2017 when you didn't 
disrupt too many.
    Mr. Vorndran. I guess my point, though, would be, I'm 
unsure of how the metrics were pulled in 2014 on that website.
    Mr. Gohmert. Okay. If you don't know, but I would sure like 
to find out and I'd like to yield the rest of my time to Mr. 
Jordan.
    Mr. Jordan. I thank the gentleman for yielding.
    Mr. Vorndran, were you involved in the original indictment 
and prosecution of Alexei Burkov?
    Mr. Vorndran. No, sir.
    Mr. Jordan. Okay, thank you. I'll yield back to the 
gentleman.
    Mr. Gohmert. Okay. Just quickly, does cybercrime division 
pay informants as part of cybersecurity investigations?
    Mr. Vorndran. Sir, I'm not going to go into specifics about 
our source operational activity.
    Mr. Gohmert. Well, I just asked you a general question. Do 
you?
    Mr. Vorndran. I understand. That is always an option that 
we would consider if the circumstances are appropriate.
    Mr. Gohmert. Okay. My time has expired.
    Ms. Dean. The gentleman yields back.
    I now recognize myself, the Member from Pennsylvania, for 
five minutes.
    Director Vorndran, I'm very thankful to you for your 
service. It's such an important critical time in our country. 
I'd like to turn to voting.
    There is a concerning level of apathy among American 
voters. Citizens on both sides of the aisle believe more and 
more that their vote doesn't matter and, of course, I couldn't 
disagree more.
    So, restoring our faith in the voting system in our 
democracy requires greater investigation into the ways to 
protect the integrity of our voting system, and protected 
against misinformation, cyberattacks. They've become a tenement 
of the American voting system. I believe America deserves 
better. We deserve better.
    Director, why are disinformation campaigns so difficult to 
identify and take down, and what does that process look like?
    Mr. Vorndran. I mean, they're so difficult to identify and 
take down because the rights of U.S. people in the United 
States are very, very broad in terms of their rights to 
consume, create, and spread information, even disinformation, 
and so it's a very, very, very, very nuanced conversation.
    To your question about how we handle this, the FBI has very 
specific responsibilities and authorities. It's important to 
note that we're just one part of the U.S. government team that 
looks at that. Specifically, we follow the actor and the 
activity more so than identifying a piece of disinformation.
    We don't do that. We really are following the actor and the 
activity. The problem is when that actor masquerades as someone 
he or she is not and understanding the amplification the 
disinformation campaign and to deal with the coordination of 
that, from an adversarial perspective, proves to be pretty 
challenging.
    We work really hard to understand how our private sector 
partners like to receive information from us and other partners 
in the U.S. government so that they can take appropriate action 
in lines with their terms of service violations.
    I think we do it all very mindfully. We use core process 
when appropriate. I cannot underscore more that, like, the 
underlying principle is in respecting the rights of U.S. 
people, right, and we all know that their rights to consume, 
create, et cetera, are very, very broad from a First Amendment 
perspective.
    Ms. Dean. Absolutely. I know that is the challenge. That's 
part of the beauty of our democracy but also the challenge.
    Is the FBI doing processes to combat misinformation 
campaigns, not just domestically but also foreign?
    Mr. Vorndran. Are we doing a campaign?
    Ms. Dean. To combat disinformation campaigns foreign?
    Mr. Vorndran. When you say campaign to me, I think of 
media. So, not to my knowledge. We are doing a lot of work in 
this space to investigate actors and activity to deal with that 
appropriately through what we would consider foreign influence.
    That work is done in complete collaboration with our 
interagency partners who have very specific responsibilities 
and authorities in that space as well.
    Ms. Dean. In a roomful of politicians, I probably shouldn't 
use the word campaign because I think of something else.
    I'm a former teacher. I was a professor for 10 years before 
I came to public service. I was surprised to learn that 
schools, K-12 schools, are some of the most common targets of 
ransomware attacks.
    I have a school district in my suburban Philadelphia area 
Souderton, PA, and in September 2019, they suffered a cyberware 
attack.
    I don't think we even know--and maybe you could offline get 
back to me if there's anything more you would know about the 
Souderton, PA, cyberattack.
    Why schools, and are they particularly easier to attack?
    Mr. Vorndran. I do think--my personal assessment, based on 
where I sit on a daily basis, there are very mature 
cybersecurity organizations in this country. There are also--
and I don't use this term maliciously at all--cyber immature 
organizations.
    They may not have the resources. They may not have the 
funding. They may not have a culture of cybersecurity in place. 
Those second batch of companies, organizations, entities, 
municipalities, school districts, become very, very vulnerable, 
and the best practices are really on the net defense resiliency 
side, ensuring that the employees of Souderton High School, 
which I'm familiar with, by the way, are well prepared in terms 
of identifying spear phishing campaigns. Very, very important.
    We see these targets becoming targets, generally because 
they're immature from a cyber perspective. Again, with all due 
respect to school districts, municipalities, they're just not 
as well-resourced as a multinational bank when it comes to 
Cybersecurity.
    Ms. Dean. I see my time is expiring. Maybe we could connect 
offline and allow me to learn what we can learn. Thank you for 
your answers. I yield back.
    For what purpose does Ms. Jackson Lee seek recognition?
    Ms. Jackson Lee. I thank you so very much, and I would like 
to engage the FBI offline on--what I'm going to just read the 
headlines into the record, please, and thank you so very much 
for your testimony and as well your very keen effort in trying 
to answer our questions of substance.
    Let me just read information for over 6,000 Memorial 
Hermann patients excess and security brief. These are all 
Houston in Texas. This goes to the question of healthcare.
    Medical provider waited months to send patient letters 
about ransomware. Of course, this goes to the seeming 
intimidation that firms have about letting people know what has 
happened to them.
    NBA's Houston Rockets faced a cyberattack by a ransomware 
group, and I would argue that this had some impact. They would 
have been in the finals had they had that ransomware attack.
    Already in the midst of a crisis. Houston Hospital was 
attacked by ransomware. This was during the midst of the 
pandemic COVID-19. Cyberattack briefly shuts down Humble ISD on 
the first day of remote learning.
    That was really devastating during the pandemic, and then 
restaurant Landry warns customers of potential data breach. 
That's all the credit cards and things of that sort.
    So, it is pervasive, and I look forward to some further 
discussions. I wanted Houston's impact to be in the record and 
let them know that we're fighting to thwart these kinds of 
attacks. I thank you so very much. Again, I thank you for your 
service and yield back.
    Ms. Dean. Without objection, they shall become part of the 
record.
    Ms. Dean. Mindful of the Chair that is here, this concludes 
today's hearing. We thank you, Director Vorndran, for 
participating, for all the time that you have given us.
    Without objection, all Members will have five legislative 
days to submit additional written questions for the Witness or 
additional materials for the record.
    Without objection, the hearing is adjourned.
    [Whereupon, at 1:28 p.m., the Committee was adjourned.]



      

                                APPENDIX

=======================================================================

    The Hunter Biden's emails are not available at the time of 
publication.



      

                        QUESTIONS FOR THE RECORD

=======================================================================

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    
    
    
                                 [all]