Skip to main content

tv   Federal Cybersecurity Programs  CSPAN  October 3, 2017 6:26pm-7:54pm EDT

6:26 pm
company's data breach. tomorrow he will be set to appear before the senate banking committee. you can watch live coverage at 10:00 a.m. eastern on c-span three. also online, c-span .org or using the c-span radio app. thursday mr. smith will answer questions on the house financial services committee. live coverage starting at 9:30 a.m. eastern also on c-span three. there's a we are live in frankfort, kentucky for the next up on the c-span bus with the capitals tour. kentucky senate president robert and secretary of state allison will be our guest on the bust during washington journal. starting at 8:10 a.m. eastern and join us thursday for the entire washington journal starting at 7:00 a.m. eastern on c-span.
6:27 pm
the house hearing today focused on the federal government of cyber security programs and initiatives. it includes election and system designation is critical infrastructure and modernizing the federal government it system. from house homeland security subcommittee this is one hour and 20 minutes. >> the committee on homeland security subcommittee on cyber security and infrastructure protection will come to order. first of all, i'm sure i speak for all of us here on the day as expressing our deepest condolences to all of the family members and all of the victims of yesterday's tragedy in las vegas. it is like the ones yesterday really demand the utmost humanity in response to such blind hate and able and hopefully it will give us a renewed sense of purpose today as we approach the task of the day. the subcommittee is meeting today to receive testimony regarding the department of homeland security's cyber security mission.
6:28 pm
i recognize myself for an opening statement. we are here today, at the start of national cyber security awareness month, to discuss what i believe is one of the defining public policy challenges of this generation. the cyber security posture of the united states. we have seen cyber attacks hit practically every sector of our economy with devastating impacts to both government agencies in the private sector of life. it is our shared duty to ensure that we are doing our very best to defend against the very real threat of our cyber adversaries are posing. make no mistake, the cyber security challenges we face are about much much more than something protecting bottom lines or intellectual property or even our nation's most classified information. they also impact the personal and often irreplaceable information of every american.
6:29 pm
this year we have seen on a grand scale just how much damage can be done by a single individual or entity looking to conduct a cyber attack. the fax breach shows that it takes only one bad actor and one exploitable vulnerability to do something that compromises the information of 145 million americans and this is not the first cyber attack that has garnered national attention and unfortunately it almost assuredly will not be the last. as the members of this panel and our witnesses here know well, there is no silver bullet or guaranteed technology to fix the cyber security problem.
6:30 pm
leeds are national effort to safeguard and enhance the resilience of our nation's physical and cyber infrastructure helping federal agencies and when requested the private sector hardened their networks and respond to cybersecurity incidents. nppd partners with critical infrastructure owners and operators and other homeland security enterprise stakeholders
6:31 pm
to offer a wide variety of cybersecurity capabilities such as system assessments, response and mitigation support and the ability to hunt for malicious cyber activity. this collaborative approach to mitigating cyber incidence is meant to privatize meeting the needs of dhs as partners and is consistent with the growing recognition among government academic and corporate leaders that cybersecurity is increasingly interdependent across sectors and much -- must be a core aspect of all risk management strategies. this committee has been working hard to ensure that nppd and dhs in its entirety has the necessary authorization and organization it needs to combat growing cyber threats. dhs needs a strong and sharp workforce and an efficient organizational structure to support both that cybersecurity and its infrastructure
6:32 pm
protection missions. this year the committee markup and passed h.r. 3359 to the cybersecurity and infrastructure security agency act of 2017 to re-organize and to strengthen nppd. as the cyber threat landscape continues to evolve, so should dhs and in doing bad h.r. 3359 is the tool that we will use to bring nppd to a more visible role in cybersecurity of this nation. as a committee and is a congress we have taken important steps in the right direction with legislation on information sharing, on modernizing federal government information technology and in getting our state and local officials the cybersecurity support that they need. some of these programs have been years in the making. real-time collaboration between the government and the ers a lofty and worthwhile goal. through the automated indicator
6:33 pm
sharing program or ais, dhs has been partnering with industry to create an enhanced broader information sharing environment and we have made progress. we know that proactive information sharing is only as good as the information being provided. that type of relationship can only be made possible with a strong foundation of trust. i'm looking forward to a robust discussion today not only about how the department can be best organized and quick to ensure that we are leveraging the resources of the federal government towards this a mention -- immense talents but also how the government can or should grow the necessary partnerships to achieve the greater cybersecurity for our nation. we have to get this right because new technologies, the internet of things drive or less cars, artificial intelligence and climate -- quantum computing are all rapidly evolving so we
6:34 pm
need to be securing at the speed up innovation and not the speed up bureaucracy. we are in an era that requires flexibility, resiliency and discipline and i hope that i will hear those values operationalized in the testimony. cyberspace plays an increasingly dominant role in the fabric of the american society and a will take continued collaboration and across public-private international and domestic spaces to keep making the advancements needed to prioritize cybersecurity for our country. i know this is a responsibility that everyone on the subcommittee takes extraordinarily seriously and i look or to the discussion today with their witnesses. the chair now recognizes the ranking minority member of the subcommittee the gentleman from louisiana mr. richman for his opening statement. >> thank you mr. chairman. i'm pleased we are kicking off cybersecurity awareness month by
6:35 pm
talking to the department of homeland security about that cybersecurity mission and how congress can help ensure dhs is well-positioned to protect critical infrastructure from cyber attacks. before i begin however i would like to sum my condolences to the families of the victims of sunday nights horrific shooting. to the survivors, you are in our thoughts and prayers and to the brave first responders who ran into danger when everyone else was running away from it we are grateful. the democrats on this committee has said this before but it bears repeating. at some point we are going to have to come together and enact sensible gun legislation. the congressman representing new orleans i cannot sit silently as the president calls the hurricane -- who is trying to help them to the admin to katrina and i know what it's like when you are at your most vulnerable moment and you have lost everything and what you are
6:36 pm
looking for its assistance because it's beyond your capacity to respond to the storm of that magnitude. having seen the people grieve the loss of their homes in his assisted struggle to piece their lives back together i can tell you the last thing the people in puerto rico and the virgin islands need are insults. i urge the president to take a break from twitter roll up sleeves and get to work returning to the issue at hand as i mentioned i represent new orleans which has significant energy sector assets. last month with their disturbing reports of a new waive of efforts to breach energy sector networks in the united states according to symantec in some cases hackers achieve unprecedented access to operational systems that in light of these reports i'm interested to know how the department of homeland security and the department of energy are working together to secure energy sector networks and make
6:37 pm
them more resilient. additionally as a member of this committee and the congressional task force on election security i am eager to hear about dhs activities to secure our election systems. although the administration's commitment to the critical infrastructure designation appeared to waiver earlier this year i was encouraged when acting secretary duke told committee democrats last month that there are no plans to resend the designation. with that comment i look forward to hearing about the progress dhs is making to help the state and local government secure election of the infrastructure and whether the department has adequate resources to carry out its responsibilities in that space. for example i understand there's a nine-month wait for a risk and vulnerability assessment and some secretaries of state have complained about the clearance process for elections officials. i'm concerned that these kinds
6:38 pm
of challenges may deter some states particularly those in the critical infrastructure in designation from taking full advantage of the resources dhs can bring to bear. to that point dhs a struggle to build some of the relationships necessary to executing its election security mission. although i've heard that dhs is making progress in this regard i am concerned mistakes made notifying certain secretaries of state that their election infrastructure had been targeted , though it had not been, may have undermined the trust that dhs has sought to build. i will be interested in learning what do you need from congress to address election infrastructure request more quickly and build trust within the elections infrastructure community. finally, when ms. manfred testify before the subcommittee in march i asked when i could expect the dhs cybersecurity strategy.
6:39 pm
the strategy required pursuant to legislation my op erred due march 23 still has not been submitted to congress. i understand the trump administration did not fill leadership positions relative to the execution of dhs cybersecurity strategy with any real sense of urgency and ongoing vacancies may be contributing to the delays but the strategy is six months overdue and that is not acceptable. without mr. chairman i yield back the balance of my time. >> i thank the gentleman. the chair now welcomes and recognizes the chairman of the full committee my colleague from texas mr. mccaul for any opening statement that he might have. >> thank you mr. chairman. i would like to extend my thoughts and prayers to the victims and family members of the horrifying tragedy in las vegas. i'm hopeful as americans we can prevent such violence from happening in the future. i'm pleased to be here at this important hearing today with our
6:40 pm
distinguished guest at this hearing. national security has continued continued -- threatened by islamist terrorists to radical regimes building weapons of mass destruction human traffickers transnational gang members like ms-13 string across our border. theories threats are well-known and we need to do everything we can to stop them as we see them coming however we also find ourselves in the crosshairs of invisible attacks and sustained cyber were from nationstates and other hackers and as we become more and more reliant on computers smartphones and her personal and professional lives everyone is a potential target and sadly many of us have already been victims. over the past few years we have seen many successful large-scale labour attacks take place. in early september hackers were able to breach equifax and
6:41 pm
credit reporting agency dating access to sensitive information on as many as 143 million people in 2016 we know that russia tried to undermine our electoral system and democratic process and in 2015 we learned that china stole over 20 million security clearances including mine and these kinds of violations are simply unacceptable. i'm proud to say over the last two years this committee committee of homeland security has recognized these threats strengthening the defense of our nation's networks. in 2014 we enacted several important bills that empower dhs to bolster its workforce and update fisma for the first time in 12 years. a year later that cybersecurity act became law which enhances information sharing and makes
6:42 pm
dhs the lead conduit for cybercyber indicators and defensive measures within the federal government. while information sharing has come a long way the wannacry ransom attack illustrated how beneficial these relationships are. just last week the cybersecurity coordinator at the white house noted we need to provide the public sector put more expansive access to cyber threat information in a controlled setting something i believe we need to strengthen. issues relating to the sharing of classified information with the private sector like accrediting skiff space granting security spaces to key personnel and enabling two-way communications are issues we are looking at closely. in other words we have made great progress and the way indicators are shared but i want to examine if we can do more
6:43 pm
regarding the over all the sharing of a supplied information. earlier this year i was pleased to see president trump give an executive order to strengthen the cyber security of critical infrastructure. going forward i'm hopeful that the house can advance legislation that i've introduced that can elevate nppd as a stand-alone agency and better support the cybersecurity mission at dhs. this month is national cybersecurity awareness month, a time to learn more about these threats and offer ideas on how we can best to cure ourselves against these growing threats. while we have had some success on this issue we must do more. our cyber enemies including terrorist are always looking for new ways to carry out their next attack. unfortunately this is an issue that i believe transcends party lines. it's not a republican or
6:44 pm
democratic issue so let's work together to make our cybersecurity strong and keep the american people safe. again i would like to thank the witnesses for being here today and thank you for your service. a very important component of the department that often as i mention my opening we focus on counterterrorism and the border and other things but i consider this mission at the department to be one of the most important that this nation faces. i look forward to the conversation and congress and the executive branch working together and how we can work as leaders in the private sector to advance the nations cybersecurity soot that i'd like to yield back to the chairman and if i may submit my questions for the record. >> i thank the chairman and the chair now welcomes and recognizes the ranking minority member of the full committee the gentleman for mississippi mr. thompson for his opening statement. >> thank you very much. good morning.
6:45 pm
i would like to thank chairman and ranking member for holding this hearing. there is no doubt that our country is facing an evolving a rate of cyber threats. as we stand here today our enemies are thinking of new and novel ways to strike at everything from banks to hospitals and chemical facilities. nefarious actors even want to disrupt some of our most basic institutions. last year we learned that our nation's election system served as a new frontier for cyber attacks. with every passing day we learn new ways to cyber operatives are are -- in this country they
6:46 pm
there is nothing more sacred than the ability to engage in civic act 70 and cyber criminals are seeking to undermine our democracy. furthermore as i watched the devastation unfold in texas, florida, puerto rico and the virgin islands i am reminded of the fragility of our systems. disrupting the systems we rely on for power fuel, food and water regardless of whether it's caused by a cyber attack or a natural disaster. in short the network we rely on for our day-to-day life are facing a multitude of threats. to respond to these threats congress has put its trust in dhs. over the past two years congress by way of this committee has consistently expanded dhs cybersecurity missions giving the department a key role in securing federal networks as well as a system that supports
6:47 pm
our nation's critical infrastructure. the department made huge strides in implementing these authorities including by standing up an automated system to share cyber threat data advising the new infrastructures subsector on how to promote cyber hack with election administrators throughout the country. we cannot however expect dhs to carry out these responsibilities with both hands tied behind its back. to be successful the departments adequate resources, a robust staff strong leadership and clear strategy. unfortunately this administration has been gravely unfocused when it comes to cyber security. president trump falsely promised to deliver a comprehensive plan to protect america's vital infrastructure from cyber
6:48 pm
attacks on the first day in office. took months for the president to get around to issuing an executive order on cyber security. also a quarter of the 20 person nationally structure advisory council resigned in protest of president trump's insufficient attention to cyber threats. president trump floated the idea of an impenetrable cyber unit with russia at the same time his administration was considering and ultimately deciding to ban the use of products on federal networks. within pbs the chief information officer resigned after serving only four months and the national program protections directed the department main cyber arm is still operating without a permanent undersecretary.
6:49 pm
the men and women in this room are willing to acknowledge an open setting that they are struggling without this leadership we can be certain these gaps are making their job harder. i look forward to hearing from the panel today about how the department is carrying out its cyber mission and i hope that you will be candid with us about the obstacles you face. indeed if there are areas where you need additional resources, tell us how we can help. i am especially eager to hear from ms. hoffman about how dhs works when one of its key partners in securing critical infrastructure the department of energy. with that mr. chairman i yield back. >> i thank the gentleman. other members of the committee are reminded that opening statements may be submitted for the record. we are pleased to have a distinguished panel of witnesses before us today on this very important topic.
6:50 pm
mr. burke christopher krebs is a senior performing the duties of the undersecretary of the national protection directorate at the united states department of homeland security. it's great to see you today mr. crabs and great to see you and your no rule -- were old at dhs. genet man for as the assistant secretary for cybersecurity and communications in the national protection for graham's directorate at dhs. also great to have you back before a subcommittee and finally ms. patricia hoffman is the acting assistant secretary for the office of electricity delivery and energy reliability of the u.s. department of energy thank you for being here with us today. i would now like to ask the witnesses to stand and raise your right hand so i can swear you in to testify. do each of you swear or affirm that testimony in which he will give today will be the truth, the whole truth and nothing but
6:51 pm
the truth and nothing but the truth so help you god? let the record reflect each of the witnesses is answered in the affirmative. the chair recognizes mr. krebs for his opening statement. >> chairman ratcliffe ranking member richman ranking member thompson members of the committee good morning and thank you for today's hearing. in this month of october we recognize national cybersecurity awareness month a time to focus on house ever security is a shared responsibility that ask all americans. the department of homeland security serves a critical role in safeguarding securing cyber space. i wanted begin by saying -- the cybersecurity infrastructure security agency act of 2017. if enacted the legislation would stream in the national protection program director at or nppd and renamed organization to clearly reflect our central mission.
6:52 pm
the department strongly supports this much-needed effort encourages swift action by the full house and senate. nppd mission statement is clear we lead the nation's effort to ensure the security and really really -- we collaborate with federal agencies state local tribal territory governments and of course the secretary our three goals are as follows secure and defend federal networks and facilities, identify and mitigate critical infrastructure systemic risk incentivize and probably enable enhanced cyber security and practices. azimi today i'm proud to share with you the tireless efforts of so many of nppd. in portage with her and her agency partners to accomplish this mission. the targeting of our elections wannacry intrusions into energy infrastructure, harvey, irma maria. soft target attacks in london barcelona orlando and most
6:53 pm
recently las vegas. as threats to our critical infrastructures evolve and in many ways remain the same. [inaudible] our security has truly shared response ability. today's hearing is about dhs's cybersecurity mission. the president signed an executive order and strengthening the cybersecurity federal networks and critical infrastructure. this is a can of order set in motion a series of deliverables to improve our defenses and lower to cyber threats. dhs is organized around these deliverables by working with federal and private sector. we are processing the security. across the federal government agencies in implementing industry standards cybersecurity framework that agencies are reporting to dhs and the office of management and budget on their cybersecurity risk management and mitigation choices. they just know they are valuing the totality of these agency
6:54 pm
reports to comprehensive list test the adequacy of the federal government's overall cybersecurity risk management posture. in addition to our pursuer tech ertel government networks are focused on how government and industry work together to protect the nation's critical infrastructure. we are prioritizing deeper or collaborative public-private relationships and partnerships. in collaboration with civilian military and intelligence agencies we are developing an inventory of authorities and capabilities. reprioritized entities at greatest risk of attacks that could result in catastrophic consequences. , called this our section 9 efforts. before closing let me discuss our continued efforts to address cybersecurity risks facing our election infrastructure be facing the threat of cybernaval operations by foreign government during the toy 16 elections dhs married her agency partners conducted unprecedented outreach in providing assistance to state and local election officials. information shared included
6:55 pm
indicators of compromise technical data and best practices. through numerous efforts before that and after election day we declassified shared information related to russian malicious cyber activity. the specimen critical to protect elections enhancing awareness among the election officials in educating the american public for or the designation of critical of the structure of election if the structure provides a foundation to institutionalize prioritize service and support. we are working with federal state and local partners to develop information sharing protocols and establish key working groups. there is more to be done and we shall not waiver in the face of increasingly sophisticated threats in ppd is focused on extending our nation's critical infrastructure. the risks are complex and dynamic with technological advances such as the internet of things and club competing increased access to streamlined efficiency however they also increase access points that may leverage by adversaries to gain
6:56 pm
unauthorized access to networks. as new threats emerge in her use of technology evolves we must integrate cyber in order to effectively secure our nation. for two surround cyber critical entered dependencies is where nppd brings unique expertise and capabilities. thank you for inviting here today and i look forward to your questions. thank you mr. krebs. ms. manfra you are recognized her fight ms.. >> chairman ratcliffe ranking member thompson members of the committee thank you for holding today's hearing could i also want to begin my testimony by thinking this committee for taking action to some on the cybersecurity infrastructure security agency act of 2017. the name for organization reflects their mission is essential to our workforce recruitment efforts and effective stakeholder engagement we must also ensure nppd is appropriately organized to address cybersecurity threats both now and in the future and we appreciate this committee's leadership.
6:57 pm
cyber threats remain one of the most significant strategic rest of the united states. cyber risks threaten our national security economic prosperity and public housing in safety. our adversaries cross borders at the spittle fly. over the past year american side bands persistent threat actors including actors criminals and nation-states increase in frequency complexity and sophistication. in my role at dhs includes our operations of national cybersecurity and integration center. our goal goes along three work streams instrumenting agency workforce that appointed censors accessing and measuring agency will have to wait and risks as well as critical infrastructure interacting and funding actions the federal agencies and critical infrastructure to better secure their networks.
6:58 pm
[inaudible] and coronation for critical infrastructure and the federal government. as my colleague noted we are emphasizing the security of federal networks. nppd's assistance to federal agencies includes providing tools to safeguard civilian executive branch networks are a national cyber protection system and the continuous diagnostic mitigation programs great second measuring and motivating agencies and third serving as a hub for information sharing and incident reporting in i'm a providing operational and technical assistance. einstein deployed as a cyber protection system refers to the suite of intrusion detection capabilities that protects agencies at the perimeter of each agency. today the detection and prevention capabilities action on malicious activity.
6:59 pm
pilot efforts to move beyond signatures are yielding positive results. these capabilities are essential to discoveries previously unidentified malicious activity. we are demonstrating the ability to capture data that can rapidly be analyzed for anomalous activity using technologies from commercial government and open sources. the pilot efforts are also defining the future operational needs for tactics techniques and procedures as well as the skill sets personnel required to operationalize the non-signature-based approach to cybersecurity. it is our tool to address permit or security but it will not detect every threat. therefore we must complement it with systems and tools working inside agency networks are continuous diagnostics and mitigation program provides those tools and integration services to federal agencies. ..
7:00 pm
7:01 pm
resilience. >> thank you. thank you for the opportunity to discuss the continuing threats facing the structure cyber security is one of the top priority and the major focus of the department. the department of energy -- doe
7:02 pm
works with dhs and jointly with other agencies for a government response to cyber incidents by protecting assets and countering threats. in addition, the department of energy serves as the lead agency for support function 12 which is energy under the national response framework. we are responsible for facilitating restoration of damaged energy infrastructure. the department works with industry, federal, state and local partners. combining doe's role for cyber security with national response activity ensures that incidents both cyber and physical attacks are coordinated in the energy sector. i would like to acknowledge the secretary of her victims of the
7:03 pm
hurricanes. i would express my gratitude for the utility workers that have been working hard in the region for restoring power. in extreme cases we can use legal authority as amended by the fixing america acts to assist in response operation. this enacted several important security measures. the secretary of energy is provided a new authority as a declaration of emergency by the president to issue emergency orders to protect or restore infrastructure. this authority allows doe to respond as needed to the threat of cyber and physical attacks through the grid. we collaborated with the energy sector for nearly two decades.
7:04 pm
in voluntary public-private partnerships, technical, operational, and executive. along with state and local governments to identify and mitigate cyber risks to the energy system. in the energy sector the partnerships have coordinated with the council, in these meetings interagency partners including dhs, states, international partners come together to discuss resiliency issues the electric sector has been forward leaning and aggressive doe plays a critical role in supporting cyber security by building and security. specifically we've been looking at building capabilities in the
7:05 pm
sectors in three areas. the first is preparedness, enhancing visibility and operational networks increasing cyber security preparedness responsive activities in supporting the whole of effort and leveraging the expertise of the department of energy's national lab to drive cyber security innovation. threats continue to evolve. doe is working to stay ahead of the curve. the solution is an ecosystem of resilience that works in partnership with state, and local stakeholders to advance best practices. we must accelerate information sharing to better inform and strengthen all local response
7:06 pm
especially through the participation of training program i appreciate being here however, i would be remiss not to take a moment and stress the interdependent nature of our infrastructure. it requires all sectors to be constantly focused on improving their cyber security posture. doe looks forward to working with a federal agency to share best practices and build a defense in depth. thank you and i look forward to answering your questions. >> thank you. i now recognize myself for five minutes of questions. want to start with you, you mentioned einstein and cdm and the role that they play in securing federal networks, i
7:07 pm
want to give you an opportunity to provide clarity on the implementation of cdm specifically. can you give us an idea of how many departments and agencies have fully into implemented cdm phase i and how many dashboards are up and running and give us some perspective on that. >> thank you for the question, and cdm were in the process of deploying both phase i and phase ii, phase i being hardware assets and identifying what's on the networks internal to the networks in phase two is looking at who's on the networks in dealing with issues like access and identity management. we can get back to with specific numbers of agency department, there are various stages of deployment. we have made it available to all agencies but each is in a different state of deploying.
7:08 pm
were nearing 20 agencies that have a dashboard up and running. this month the department of homeland security will be setting up the federal dashboard, that will be receiving peace from agency dashboard. that will allow us to have real-time understanding of what the sensors are identifying on those agency networks and allow us to prioritize vulnerability management. >> think you one of the other points i wanted to cover today was last week the gao came out with a critical report on the current state of cyber security. one would appear to be a troubling aspect was a statistic that only seven of the 24 cfo act agencies have programs with
7:09 pm
any functions considered effective. that doesn't sound very good. i want to give you the opportunity as we talk about cyber security posture of the.gov, reconcile that with the gao report. >> i think we have learned a lot over the years about agency capacity to manage cyber security risks and the resources they have to do so. agencies are prioritized the management of their cyber risk at the highest level across the government. what we have learned with our partnership and measuring agencies is that there remain some significant gaps.
7:10 pm
we have built over the last couple of years and are continuing to build technical assistance capabilities, things like design and engineering, architecture reviews, helping agencies get more in-depth insight into their networks and providing them with assistance in both engineering and on the government side to help address the complicated networks with limited resources. we do see potential for cdm and the ability to deliver tools at a lower cost across agencies. this is the first time many agencies have had access to this level of automated data to understand what's on their network. we see potential for this, but for many agencies this capability that has to be built and were taking advantage of things like shared service to deploy to agencies who need it most. >> so you comment about shared services and resources, want to
7:11 pm
follow up because it's important to look where we are but also look where were going. so looking forward, how do you see dhs federal network protection tools evolving past a signature base threat detection and particularly where my conversations with the cyber security advisor to the president and putting an emphasis on shared it services and resources. in a sense, what is the einstein future generation, 10.0 look like? >> i'm not exactly sure what it will look like. but i can tell you where were looking to evolve. with agencies in modernizing our it, there's large challenges with legacy technology and we need to modernize the way we govern it services.
7:12 pm
working closer to modernize our security processes. as we take advantage of things like cloud services were also not losing the insight to traffic or in and out of agency networks, importantly, we have learned some key lessons for the first date of deployment it will enable cloud and mobile technology so we are evolving and building on what industry is learning from behavioral technician methods and we have successful pilots. >> my time is expired. we now recognize mr. richman for his questions.
7:13 pm
>> you know that legislation called for departmentwide cyber security strategy within dhs. that strategy was due in march, we still don't have it. what is the status of it? and if you're running into problems getting it done in roles and components across the departments transportation security administration, so while we don't lead the development of that strategy because it is a departmentwide
7:14 pm
strategy for a significant player. to speak to the status of the strategy itself my understanding of where it sits is influenced by the president's executive order that was released earlier in the spring. that report puts dhs at the front were in the lead for almost all of the reports particularly so all those reports and assessments are underway there anticipated to have significant impacts on some of the priorities of the department, including mp pd. so the decision of finalizing the strategy has been to get through the cyber security assessments related to the io as well as the administration national security strategy a national cyber security strategy that are expected in the next
7:15 pm
several months then with a broader understanding of where were going that said, rolling it back that you offered -- it still a priority to finalize that report. as a department we are moving forward with a number of our priorities. i want to touch on a couple of things that you mentioned early. as a senior official who are f perform the duties of the undersecretary i have been authorizing been given direction by acting secretary duke to move out and execute all aspects of this. while we don't have a permanent undersecretary i have all authority that i need to execute the mission. >> with regards to strategy in
7:16 pm
terms of the report the me take that aside. to have a departmentwide strategy with how we deal with cyber security? and the challenges that we will face in the near future. my understanding is that there is a cyber security in draft form are you operating with some comprehensive strategy on a day-to-day basis. >> i indicated that ensuring the nation's infrastructure i mention the top goal which is facilitating our and with the
7:17 pm
assistant secretary that the very top of our minds every single day. the second is identified mitigating systemic risk across the infrastructure, when i think about that i think about the greatest risk. but i'm also putting election infrastructure in there. that for me is the number one priority from a critical infrastructure perspective. we cannot fail there. third is it enabling and incentivizing practices to include state, local, small and medium-size businesses. >> this is been a great deal of concern of mine. that russia's goal in disrupting the power supply in 2015 and 16 was to test its capabilities in preparation of a large attack on the united states. last month we learned that they may have been responsible for
7:18 pm
dragonfly 2.0. how is this energy sector responding? what is their capabilities to prevent widespread attack? with that, i yield back. >> thank you for the question, the attack was very much an eye-opening event for the sector, so this guy very organized and recognizing that we need to step up our continuous monitoring capabilities and detect behavior on the system and building inherent protection. recognize that the core of everything and that is starting to go after where we need to be so, we've been working actively
7:19 pm
with the sector to build tools and capabilities and have protections for their system. >> the chair recognizes gentleman from new york for five minutes. >> i like to ask one question, in 2015 congress passed the cyber security act and we pass the cyber and infrastructure act and the president also issued an executive order in may to strengthen our abilities, what you need? what can congress do to help you protect our nation, federal agencies or private entities as mr. richman said, or energy industries. what you need from us to help protect our nation better.
7:20 pm
>> thank you for the question. but i would start with this the cyber security act of 2018. we need quick action by the full house let me give you an anecdote of why that's important. that bill will give us three things, it will allow us to introduce operational efficiencies, looking at infrastructure across and push them together so were more streamlined from a customer service orientation. second, it will help with branding and clarify roles and responsibilities but more importantly with her state local partners in the private sector. finally it will give us the ability to attract talent. the talked about workforce and
7:21 pm
hiring, but clarity in roles and responsibilities, i've been to puerto rico twice in the last week and i was with the homeland security advisor tom buser and was secretary duke. we were discussing a number of critical infrastructure challenges when it came out to me we talked about communication infrastructure. that resides within the office of cyber communication and manfred's communication. i was talking about how we are assisting the communication terriers whether at&t, sprint, helping them get back in and prioritize deliveries to helping
7:22 pm
temporarily pop off the communications coverage. also helping get in for cell towers. try repeating that back, someone who has never heard that before immediately went on to an interview and alongside the tsa administer like the coast guard the secretary of homeland security, the regional administrator we have fema, tsa and the cons guy, she doesn't know how to describe me. what i'm engaging my stakeholders they don't understand my mission. i need help in clarifying and
7:23 pm
providing so any help i can get there, please so clarification of authorities we are in the process of running that stock taking of where the department sits in cyber security. the department of energy got significant authorities, dhs has authority in terms of incident response and going forward the cyber security threat it's not going away, adversaries are going better and faster and more agile. we need to be resourced and staffed and be positioned to respond to that. when i can use less technology going forward. we are are going to be relying
7:24 pm
upon these crosscutting technologies. we need to ensure that from a digital defense perspective we have what we need. we welcome the conversation and you can believe you'll see me again. >> very briefly just to complement what chris talked about were working within the federal government, what is the full threat, how can we lean into this were working to understand that now that we have identified the critical assets, either legal and operational policy hurdles that we need to address to ensure we have appropriate prevention in place? so we look forward to working
7:25 pm
with you. >> are you back the chair recognizes the german from mississippi. the last two speakers have talked about being resourced and staffed from the agency standpoint, last march we held a hearing talking about staff at the department can you give us the number of positions. >> were currently staffed at 76%. >> so we are 24% under, can you
7:26 pm
tell us why we are understaffed at this point? >> there are a variety of reasons on this largely our preparation staff in congress on building that are allocated to my organization we have grown significantly and worked hard to build but we have had challenges. we worked with management colleagues in human capital colleagues to identify areas to reduce the time to hire. looking at statistics we have been able to reduce the time to hire by 10%. many of these requirements have to do with security clearances, it takes a long time to process
7:27 pm
people through that process but we've made progress were continuing to work with security office were also diversifying our recruitment path looking at scholarship for service, it's been a great pipeline for us in bringing these individuals and as interns and then hiring them full-time. they're qualified for authority and looking at authority such as pathways and other recent graduate programs. were looking at partnerships with industry. >> i don't mean to cut you off, but are there programs to attach people too? i'm just trying to find out why when we give you the authority to hire why we have not been
7:28 pm
able to come closer to whatever that authority is, is that something we need to do to get you to that point? >> i separate the authority that we were given by congress to build an excepted service program. what i was referring to is i did not believe a couple of years ago we were fully leveraging the authorities we are ready have to bring people in and tightening the timeline it takes to bring people in. this is led by the chief human capital officer and it's a high priority. we did not expedite the development of that program four years ago, there's a regulatory process that we have to undergo.
7:29 pm
>> just for the sake of the committee, can you provide us with a timeline between when somebody who is considered for employment and when that is completed. >> was it three months, six months, year, i think that would be instructive for us so we can see if there's politics involved. the reason i say that i think were constantly bombarded and if we have potential opportunities here is a something were not doing? we just need to kind of figure something out.
7:30 pm
>> i want to clarify that the 76% is just indicating the people on board right now. if you include the people in the full pipeline it brings a state of 5%. so for us were averaging about 224 days to hire. that sounds fine but that's to include a top-secret fbi clearance process which were doing quite well. if you want me to work with you will come back with you. >> we have a congressional task force on election security, and we may request the department to provide us classified briefing around this issue. we have been told that it has to
7:31 pm
be bipartisan, that you just can't brief democrats, are you aware that? >> sir, i'm not aware of any existing policy, let me say this, i share your concern on election infrastructure. i've made that clear today and i want to say directly to you that it is my top priority at the department. if we can't dedicate every asset we have two assisting her state and local partners and frankly i'm not sure what we're doing day-to-day. in terms of what we have done in terms of engagement, were prioritizing delivery of the briefing information sharing. shoot. [inaudible]
7:32 pm
[inaudible] [inaudible] [inaudible] >> all were trying to do is get access to the information and your interest is there and that's the spirit in which did in which the request was made.
7:33 pm
>> is a priority that crosses and transcends over the aisle. i would ask that any briefing you give that perhaps you give to republican members although it would be a great redundancy. in the absence of another of the united states of america. i hope you will respond to the ranking members that it relates
7:34 pm
to cyber issues, i cannot fathom that one party has monopoly on fair and trustworthy elections. i'm sure my colleague didn't mean it that way. i want to be clear in suggesting that should not be a partisan issue and perhaps may be both people will be invited having said that, transitioning to what we know with the cyber activity, specifically with relation to the ukraine based on my understanding the bulk of the platforms used infiltrate infrastructure, it would appear that it was off the shelf if you will, they were known entities that were discovered as it relates to these attacks.
7:35 pm
as part of a coordinating attack. how well do we stay ahead to try to stay a online with it? to the extent that there is any hope, again, i understand the format might limit the conversation we have. a lot of the malicious activity to this point and data would indicate by the russians has used off-the-shelf technology. how quickly can we pick up on the advancements of malware and if treat them on into our preventative measures and that's if either one of you want to address it. >> all provide a broader approach in the defer to my expert colleague at the department of energy for
7:36 pm
anything specific to the grid. >> i am subject to a time limit. >> when we think about threats it's not necessarily advances just persistent, organizations are still on the basic, some of those expectations are based on open vulnerabilities just not patched. it's not actually the primary exploit that we tend to see in the wild. >> i'm a big fan of limited government but in this arena the entire nation hangs in the bottom.
7:37 pm
it might not be effective to hit the particular power providers were counts. that's essentially make it cost something, perhaps metaphorically and literally for those who don't patch those open and known threats. that would be within the purview of the government. you will be up-to-date or it will cost you. set something that's explored? >> we can speak to the government piece. >> you guys are great, just -- >> the first directive we've issued was reducing the time to pass critical vulnerabilities to 30 days. we have seen a complete cultural change as a result the nursing the government highly prioritizing passing is critical vulnerabilities. so i want to throw that out there. >> so there's a carrot in the stick. but i'm glad to hear he say that you're addressing that. i want to speak to the nature of -- and whether or not it's a semi private pseudo- entity
7:38 pm
compromises these procedures. >> i don't think as an organization it compromises any intelligence. it has information's sherry which is our mechanism for sharing the information at large. it is capabilities to compel a look at the industry to get the information we need. >> thank you. i apologize for going over. >> i think the gentleman in the chair recognizes my friend from rhode island. >> thank you. i one thinker witnesses for your testimony. before i go into my question i want to mention for publicly, i'm a member of the election test course the democrats have put together on how to go forward in approving election security.
7:39 pm
i would say to my colleague that there is an initial effort and outreach to republicans to make this bipartisan effort which was not accepted. we didn't find anybody who was receptive. the task forces open to the public. garrett is welcome to participate fully with that. we expect the ranking members question on the classified briefing both on interference on elections on how it would better secure the system. that's either i would prefer it as a democrat and republican briefing. unless i'm misunderstanding what the ranking member was asking. so we ask that you provide that to us. >> i believe we have provided classified briefing in the past.
7:40 pm
we welcome the full committee briefing on that as well. >> the other thing i want to mention is i appreciate your comments and you have your authorities and acting role to do what's necessary but i would reiterate that is vitally important that we get key control appointed in place permanently. i respect the work that you're doing in your team but we need permanent people in place both in confidence and clarity to what the mission is. to try to going to my questions quickly. for once you cannot answer fully i request a follow-up in writing, on september 13 they should a branding operational directive it that directed executive branch departments to remove the systems within the
7:41 pm
next 90 days. in doing so to coincide with the establishment of the direct. my question is, what analysis led to this and this is the case of where might be classified but i would request that you and your team provide the deliberations behind it. >> next, the fcc was breached in late 2016. we now know that the attackers had access to corporate filings prior to a public release. this was made nearly one year after it was first discovered.
7:42 pm
my question was when was dhs informed of the breach? what was the involvement in detecting, responding, and recovering from this attack? finally, how can dhs improve its integration with the federal agency to ensure these type of attacks are notified quickly in the future. >> let me briefly touch on the cup or ski case. that was based on the totality of evidence including over information. i believe her on the schedule for some point with the full committee, the monthly until briefing. now i will turn it over. >> sir, welcome to support a briefing on chris persky.
7:43 pm
we want to have a more in-depth conversation. they notified us on november 4. it was at the time the extent of the issue is not well understood. given the time limits and might be more useful if we set down with you and other staff members is appropriate to walk through specific details. >> what you think that, what was dhs involvement in detecting and responding to the recovery? >> we have very limited involvement with the fcc. they did not return our race quest for information. in addition to this incident, as well as several others we are reviewing our procedures to
7:44 pm
ensure that it is clear that when an incident happens what role the department needs to play in response not just at the request of an agency. if we're looking at specific critical services and functions than the department needs to have a more active role in that response regardless of whether the agency requested. >> in august congressman i traveled to a security conference. we were both impressed by the willingness of security research to report vulnerabilities to improve overall internet security. what efforts has the department made to establish a reporting process for dhs sites and software? one thing that i found is that it was very helpful in identifying security vulnerabilities and getting
7:45 pm
bright individuals to close that. talking to researchers one thing that impressed me was that you want to make the internet work better. but, they want to know they want to report it when they want to be heard. what progress has dhs made in this respect? . .
7:46 pm
while the programs can be useful we need to ensure that there are supplemented with the broader risk and vulnerability analysis and testing of my ordination does to ensure organizations are properly prioritizing what they are addressing. >> what about dhs assistance question. >> my organization also supports penetration testing and vulnerability assessments within the dhs and particularly the high-value assets that the dhs owns but i do know that our leadership and management is interested in learning from the department of defense and what they've done in their county program and how that might apply. we are continuing to work through how that might be applied. >> i had one more on collection security. can i ask -- thank you. >> i know we've touched on this
7:47 pm
a bit but i want to dive deeper and state and local shows that have access to resources from dhs to protect the vital systems that represent the cornerstone of our democracy. can you further describe how dhs is working with election officials to report and to protect networks? do you believe the response to the russian interference has been sufficient and finally, how can you put the relationship and access to resources. are there additional funds are resources that the department needs in this respect? >> so, thank you for these questions. let me start at the end with improving relationships. while i was not at the department last summer as it has manifested i can speak to generally the relationships with state election officials. that was not in existing relationship between the department of homeland security
7:48 pm
in the state and locals. however, we do have strong relations of course with the homeland security advisors in the chief information officers and security officers. to square the circle on this specific threat we need to develop partnerships that are three or four legs on the stool within each specific state and each state will be a little different in terms of who they designated is the chief election vessel as well as you roll in the defenders of the technology. how to improve relationships? it will take a lot of effort and a little bit of time and those are things that we are working on right now. we don't have much time but we are dedicating resources and in fact just this morning i sent out a notice across my organization reflecting some changes we made organizationally last week by establishing an election tax force. previously the election in the structure piece has been held
7:49 pm
within the office of the structure protection of the program. again, matching my words with our execution we are elevating it as a test for spring components from across the dhs components including the office of intelligence analysis and resourcing it appropriately. this is speaking to a lot of resources, we are pulling the resources together in recognition that we don't have a lot of time given there are three elections this year and the number of ftes and monies that are committed to this -- i don't have them on hand but -- smack if i can make one additional point on the resources. ranking member richmond noted that there was a nine-month weight for risk and vulnerability assessment. i don't know whether that is the exact current number but that speaks to the high demand that we are experiencing for our assessment services and that is everything from penetration testing to the fiber hygiene scans that multiple states and localities have participated in
7:50 pm
continue to participate in as well as these more in-depth risk and vulnerability assessments. we are growing that program and we are diverting resources and we are building into structure so that we can scale that but these are services we are providing, not just federal agencies but also to state and local governments, as well as critical and structure and we are experiencing much more demand for those services and we are continuing to look for ways to scale that capability. >> thank you. >> thank you for your answers. thank you for the follow-up that you could provide in writing i would say that. mr. chairman, thank you for your indulgence. >> you are welcome. the gentleman yields back and i want to thank all three of our witnesses today for your valuable and insightful testimony. i think all the members for their questions today. the members of the committee do have additional questions for witnesses and we will ask you to
7:51 pm
respond to those in writing. pursuant to committee roles 7d the hearing record will be held open for a period of ten days and without objection the subcommittee stands adjourned. [background noises] [background noises]
7:52 pm
>> on wednesday, the senate budget committee will consider public republicans 2018. life starting at 2:30 p.m. eastern on c-span three. you can also follow that online on c-span .org or use the brief c-span radio app. for chair and ceo of fax richard smith testified for several congressional committees this week about the company's data breach. tomorrow he will be set to appear before the senate banking committee and you watch live coverage of that at 10:00 a.m. eastern on c-span three. also online or using the c-span radio app. thursday mr. smith will answer questions from the house financial services committee. live coverage starting at 9:30 a.m. eastern, also on c-span three. >> president assad visited puerto rico today and "the new york times" quotes the president every one of the officials was.
7:53 pm
mr. trump said "you can be proud of all your people, all of our people are working together. sixteen versus literally thousands of people. you can be very proud" here is video of president trump and first lady millenia trumpet touring the damage from hurricane maria. [background noises]

21 Views

info Stream Only

Uploaded by TV Archive on