
Top Cyber Officials Testify on Threats, Deterring Attacks  CSPAN  January 14, 2022 11:06am-2:17pm EST

11:06 am
top security officials testified on cyber threats and ransomware attacks before the house oversight and reform committee. they discuss preventing future attacks, identifying critical cyber infrastructure, and educating the public about online security.
11:07 am
welcome, everyone. welcome to today's hearing. pursuant to house rules, some members will appear in person and others will appear remotely via zoom. for members appearing remotely, i know you're all familiar with zoom right now but let me remind everyone of a few points. first, the house rules require that we see you.
11:08 am
so please have your cameras on at all times. secondly, members appearing remotely who are not recognized should remain muted to minimize background noise. third, i will recognize members verbally, but members retain the right to seek recognition verbally. in regular order, members will be recognized in seniority for questions. lastly, if you want to be recognized outside of regular order, you may identify that in several ways. you may use the chat function to send a request. you may send an email to the majority staff. or you may unmute your mic to seek recognition. we will begin the hearing in just a few moments when they tell me they are ready to begin the livestream. let me say that this is a bipartisan issue. everyone in the country is deeply concerned about cybersecurity. and i hope that we will be able to work with ways to strengthen protections for american business and government. are we ready to go?
11:09 am
okay. the meeting will come to order. without objection, the chair is authorized to declare a recess of the committee at any time. i now recognize myself for an opening statement. this has been an unprecedented year for cyber attacks. the country is still reeling from last year's cyberattack against the company solarwinds that was linked to a russian -- and infected numerous and several agencies. these attacks have been described as a wake-up call for america. it attacked all through the federal government and numerous private sectors also. just this weekend, it was reported that the fbi, our premier law enforcement agency for investigating cyber crimes, was itself the victim of a hack that allowed emails to be sent from fbi email servers disguised as genuine fbi emails.
11:10 am
in short, we are at a tipping point as cyber attacks have become more common and potentially more damaging. several recent attacks have used a type of malicious software known as ransomware which encrypts a victim's system and demands a payment in exchange for restoring access or refraining from publishing stolen data. this is especially dangerous because it can shut down an entire system and can cause chaos in a community, an industry, or even an entire country. and cyber criminals are now demanding and receiving more money than ever. in march, cna financial, an insurance company, reportedly paid the largest known ransom payment ever, a staggering $40 million. in may, ransomware criminals from eastern europe attacked the company colonial pipeline
11:11 am
resulting in the shutdown of more than 5,500 miles of gasoline pipeline spanning from texas to new jersey and causing temporary gas shortages up and down the east coast. the cost to unlock the system was $4.4 million. also in may, jbs foods, one of the largest meat suppliers in the united states, shut down its plants when it suffered a ransom attack. the cost to unlock their system was $11 million. in june, this committee launched an investigation out of concern that these multimillion dollar ransom payments would equip cyber criminals with even more financial resources and encourage future attacks. today, the committee issued a staff memo with some of the committee's preliminary findings. we found that these attacks often stemmed from minor
11:12 am
security lapses, even at companies with seemingly robust cybersecurity. our report also highlights the importance of clearly-established federal points of contact for companies to avoid wasting precious time when an attack is under way. finally, we found that companies face substantial pressure to pay these ransoms quickly, making it harder to stop these attacks. and it's not just large companies that are targeted. ransomware also harms small businesses, hospitals, schools, and local governments. since taking office, the biden administration has been countering ransom and they are really focusing on ransomware as a top priority. this included bringing together 30 nations for a white house summit last month to discuss strategies to combat the threat. it also means taking a tougher
11:13 am
line on countries including russia that harbor cyber criminals. the biden administration has also dedicated significant law enforcement resources to take ransomware resources offline and bring criminals to justice. just last week the department of justice announced charges against two foreign nationals connected to a criminal group, revil. doj also recovered $6 million in ransom money paid. this is a good start, but we cannot afford to let up on our efforts. congress must ensure coordination of anti-ransomware efforts across the entire federal government and between the public and private sectors. last congress, this committee held a hearing on the need to establish a position at the white house to lead the federal government's response to cyber
11:14 am
threats. i was proud that president biden nominated chris inglis to serve as the first national cyber director this year and that he has testified before us today. i am also pleased that the infrastructure investment and jobs act, which president biden signed just yesterday, included $21 million in funding for the office of the national cyber director. this law, which house democrats passed over the objections of most house republicans, will also provide $1 billion to help state and local governments shore up their cybersecurity. so we can prevent ransomware attacks and $100 million to help critical infrastructure respond to significant cyber incidents. and the build back better act will provide new resources to cisa to help enhance cybersecurity in both the public
11:15 am
and private sectors. ransomware attacks are a grave national security challenge. today we will hear from our witnesses about the whole of government effort needed to disrupt ransomware networks and how we can help businesses, state and local governments, and others to prevent, prepare for, and respond to attacks. i now recognize the distinguished ranking member, mr. comer, for an opening statement. >> thank you, madam chair. this year we've seen an uptick in major ransomware attacks that have the ability to wreak havoc upon americans' everyday lives. in march, cna financial, one of the largest commercial insurers in the u.s., was subject to a ransomware attack and paid $40 million to unlock its network. in may, colonial pipeline, one of the largest pipelines in the eastern u.s., paid $4.4 million in cryptocurrency to retrieve its data following a ransomware attack. in june, jbs usa, one of the
11:16 am
country's largest meat packers, paid a ransom of $11 million to hackers. these companies made these decisions to pay the ransoms because they did not want to dispute -- disrupt their supply chain. the fbi's official policy is not to advise companies whether or not to pay these ransoms. during our many briefings with these companies, this is indeed the fbi's position they took during the negotiations with the ransomware attackers. even the fbi, the top law enforcement agency, tasked with fighting cyber crimes, is not immune from cyber attacks. over the weekend hackers evidence is the fbi's external email system and spammed potentially thousands of people and companies by issuing a fake warning of a cyberattack. hackers' ability to penetrate the fbi systems could create catastrophic consequences and chaos. we need to hear from the fbi today on their efforts to disrupt and protect americans from these cyber attacks. i'm pleased that we have one
11:17 am
witness here today who is senate-confirmed, to discuss how we can disrupt cyber threats to better protect americans from the devastating consequences of successful ransomware attacks. unfortunately, this is only the second senate-confirmed witness this committee has had this entire year. that is far below what is normal for this committee. unfortunately the oversight committee under democrat leadership refuses to call witnesses from the biden administration and hold them accountable for waste, fraud, abuse, and mismanagement occurring on their watch. today is the committee's first hearing since the citizens in virginia sent a very loud message to the biden administration and that message to president biden, no more. the american people oppose the biden administration's radical left wing policies and are already seeking change. president biden and congressional democrats' actions to spend trillions of taxpayers' hard-earned dollars on a socialist agenda has backfired.
11:18 am
president biden is now more unpopular with the american public than nearly any other president at this point in history. not only in a but two-thirds of americans think this country under president biden's leadership is headed in the wrong direction. people are appropriately comparing president biden to president jimmy carter. president biden's policies and decisions have created numerous crises that impact americans' daily lives. gas is now 61% higher than this time last year. inflation is at a 30-year high causing families to struggle with how to pay for meat, milk, eggs, and other basic necessities. this year, thanksgiving is set to be the most expensive thanksgiving ever. the price of a 16-pound turkey is up 18%. there's chaos at our ports, with ships lining up but nowhere to deliver the goods. to add insult to injury, certain networks are criticizing truck drivers, the essential workers who have been shipping goods throughout the pandemic. a record number of illegal immigrants were apprehended at our southern border this year and the surge continues because
11:19 am
of this administration's pro-illegal-amnesty agenda. this, not to mention the drugs flowing across the border, the biden administration has directed law enforcement to go after parents they deem domestic terrorists but these parents are only concerned about radical curriculum being taught to our children. at the same time, the biden administration turned a blind eye to real terrorists in afghanistan who seek to harm women, children, and u.s. troops. the biden administration's disastrous withdrawal from afghanistan has left a national security and humanitarian crisis in its wake and sadly, this committee is ignoring it all. committee republicans have written to the chairwoman over 20 times requesting hearings, investigations, and briefings on many of these topics and more. these issues are core to our committee's mission of rooting out waste, fraud, and mismanagement in the federal government. unfortunately chairwoman maloney has ignored our request. we are the people's house. we must be responsive to the needs and demands of american
11:20 am
citizens but this committee under democrat leadership refuses to do its job. it's no wonder this committee has received an "f" grade for how it has conducted oversight from a nonprofit organization. it's past time for this committee to get back to its mission and conduct oversight of the many issues facing americans today. the american people demand it and they deserve nothing less. madam chair, i yield back. >> the gentleman yields back. but before i recognize mr. connolly for opening remarks, i would like to take a few moments to address some of his concerns. the biden administration has created over 5.9 million new jobs in the first nine months of president biden's administration. this is a record for any new president. we created 531 new jobs just last month. and with the passage of the infrastructure investment and
11:21 am
jobs act, which the president signed into law, a bipartisan bill, it is going to create even more jobs and help grow the economy. our unemployment is under 4.6%. and if the republicans could see some of the very good things that the biden administration is doing instead of just spending their time attacking him, we are working this week on the build back better act, which would further strengthen our economy by making historic investments in our infrastructure and people. we did respond to your request for a classified briefing on afghanistan. we have government officials before you today. and with that i yield to mr. connolly. >> i thank the distinguished chair for holding this hearing. and let me join her in regretting the fact that the ranking member has chosen to use this hearing for propaganda rather than an in-depth
11:22 am
examination of ransomware and its impacts on the u.s. economy and u.s. businesses and u.s. governments. i find the word "chutzpah" is appropriate at this moment given the fact that our republican friends for four long years resisted any meaningful oversight of the trump years, including, you know, serious legal issues from security clearances to the trampling of democratic norms. >> would the gentleman yield to a question? >> if the chair will allow me extra time to do so. >> sure. without objection. >> i thank the chair. yes, sir. >> would the gentleman in his criticism of the, uh -- our criticism for not doing enough oversight, do you, mr. connolly, generally believe that this committee has provided any oversight? >> reclaiming my time, let's get back to the purpose of the hearing. let's not engage with their
11:23 am
propaganda. we have three important witnesses. let's hear what they have to say. that's why we're here. i would like to hear what they have to say. >> madam chair, with all due respect, this is the oversight committee. >> the gentleman is not in order. mr. connolly has the time. he has worked hard on this issue and he's absolutely right that we should focus on the purpose of this hearing. >> i thank the chair. the ramifications of ransomware permeate our economy. public health infrastructure and national security. in recent years, ransomware has grown into a multibillion dollar criminal industry. in 2020, more than 2,300 u.s.-based entities were affected by ransomware attacks, inflicting hundreds of millions of dollars in economic damage. at least 113 of these ransomware attacks targeted government entities, costing an estimated $915 million. one of those attacks happened to my own congressional district. in september of last year, hackers launched into the
11:24 am
nation's tenth largest school district in fairfax county. and the fairfax county public school computer system was attacked by ransomware after obtaining sensitive personal information about students and employees. that's just one example at the local level. the coronavirus pandemic abruptly revealed how ill-prepared many of our state and local governments were in delivering vital public services securely and remotely. criminals took advantage of overwhelmed public i.t. systems, generating a significant uptick in cyber crime. in june of this year, our subcommittee held a hearing on the outdated i.t. infrastructure and rising cyber attacks on state and local governments. the hearing examined the role of congress and the federal government in accelerating i.t. modernization initiatives for states and localities so that eligible individuals and not cyber criminals can gain access to vital government services.
11:25 am
in response to the hearing, i introduced the state and local digital service act. this important piece of legislation provides guidance and funding to state and local governments to form digital service teams focused on delivering fair, effective, and secure public services. the bipartisan infrastructure bill, as the chair has noted, which president biden signed into law yesterday, provides more than a billion dollars in vital investments that will assist both private and public entities affected by major cyber events. these investments will save taxpayer dollars in the long term by reducing the vulnerability of state and localities to cyber crime including ransomware attacks. more must be done. i look forward to hearing from our witnesses today about the steps the biden administration has taken to combat ransomware attacks and the ways congress can ensure the united states implements a whole of government
11:26 am
response to all cyber attacks moving forward. i thank the chair. >> the gentleman yields back. and i would now like to introduce our witnesses. our first witness today is the honorable chris inglis. i am proud of the role this congress and committee had in creating this agency. then we will hear from brandon wales, who is the executive director of the cybersecurity and infrastructure security agency. originally we had planned to hear from the director of cisa, jen easterly. she was scheduled to testify. unfortunately she had a family medical emergency and was not able to be with us today. so we are deeply grateful to mr. wales for appearing on extremely short notice to testify today. thank you so much. finally, we will hear from mr.
11:27 am
bryan vorndran, assistant director of the fbi. the witnesses will be muted so we can swear them in. do you swear or affirm the testimony you're about to give is the truth, the whole truth, and nothing but the truth, so help you god? >> i do. >> let the record show the witnesses answered in the affirmative. thank you, and without objection, your written statements will be made part of the record. with that, director inglis, you are now recognized for your testimony. >> thank you. chairwoman maloney, ranking member comer, distinguished members of the committee, and dedicated staff, thank you for the honor to appear before you today alongside deputy director wales from the cybersecurity and infrastructure security agency, and assistant director vorndran from the federal bureau of investigation. cisa's role in support to our nation's critical infrastructure combined with the fbi's deep expertise and its essential role in victim assistance, investigation, attribution, and
11:28 am
threat disruption comprises a breadth of experience, authority, and resource that does make a critical difference for the american people. cyber is a team sport and i couldn't ask for better teammates. i'm eager to appear before you today and update you on the biden/harris administration's continuing actions to counter ransomware and to improve our national cybersecurity including recent actions to prevent, deter, and mitigate ransomware attacks against public and private sector networks as well as efforts to bring ransomware actors to justice. before turning to ransomware, allow me to say a few words about the office i have the privilege to lead. the role of the national cyber director was established by the congress in january of this year. instantiated by my nomination, confirmation, and entry on duty in july. i am grateful for the president that the president and congress have placed in this role. on october 28th, i released the national cyber director's strategic intent statement which
11:29 am
outlines the initial scope of work i expect the office to undertake. at the same time i announced the designation of chris de rusha as deputy director. a dual headed title he will role as well as his role as chief federal security officer to create our shared mission to ensure the security of shared systems. both these announcements lay the groundwork for a national cyber director team that continues to increase its contributions to the nation's overall cybersecurity posture. four key outcomes will serve as benchmarks to gauge the success of the office of the national cyber director. first, to drive coherence across the federal enterprise, both in how it builds and operates its own digital infrastructure and in how it supports the defense of critical infrastructure owned and operated by the private sector. second, to strengthen and improve public/private collaboration in security. third, to ensure the u.s. government aligns its cyber
11:30 am
resources to its priorities to include advising departments, agencies, and the congress on recommended changes. and finally, to increase present and future resilience of technology, people, and doctrine within the federal government and across the american digital ecosystem. as this committee well knows, ransomware attacks leverage systemic weaknesses in the ecosystem. by employing cyberspace, our geopolitical competitors can achieve global reach and strategic effect while criminals and malicious actors can wield an unprecedented level of influence, impact, and coercion. these attacks are costly and pernicious and they undermine both critical functions and the confidence we must have in digital connectivity that underpins the modern economy. accordingly, crafting a strategy to stop the scourge of ransomware has been a priority for this administration. that strategy begins with understanding what makes ransomware so effective. ransomware actors are able to
11:31 am
purchase their tools on the black market and mount their attacks from leased and disposable cloud based infrastructure which once exposed can be torn down and quickly rebuilt. the systems that these criminals target are far too often left vulnerable by failures to patch, to properly secure data, to create reliable backups or to ensure that front line employees of targeted organizations exercise basic cybersecurity practices. inconsistent application of anti-money laundering controls to virtual currencies permits criminals to leverage permissive jurisdictions to acquire and launder the proceeds of their crime. and finally, ransomware criminals are often able to operate with impunity in the nation states where they reside, facing no meaningful accountability for their actions. the administration's counter-ransomware efforts include actions on four broad fronts. first, disruption of infrastructure and actors. second, bolstering resilience to withstand attacks. third, address the abuse of virtual currency to launder
11:32 am
ransom payments. and finally, leveraging international collaboration to disrupt the ransomware ecosystem and address safe havens for ransomware criminals. consistent with and supportive of this strategy, the biden administration supports legislative efforts to require cyber incident reporting to include ransomware payments to both the fbi and cisa that will help prioritize the use of precious resources to support victims, disrupt threat actors and to guide future actions. these are daunting undertakings and overcoming them will require a digital ecosystem that's resilient by design, a policy and commercial environment that aligns consequences to actions. thank you for the opportunity to testify before you today. i look forward to your questions. >> thank you for your testimony. mr. wales, you're now recognized. >> chairwoman maloney, ranking member comer, members of the committee, thank you for the opportunity to testify today on behalf of the cybersecurity and
11:33 am
infrastructure security agency alongside national cyber director inglis and assistant director vorndran. i look forward to discussing cisa's efforts to elevate our nation's response to the ransomware epidemic. cisa is the national coordinator for critical infrastructure, security, and resilience, responsible for reducing risk to the digital and physical infrastructure americans rely on every hour of every day. within the administration's approach to countering ransomware, cisa's focus is on bolstering resilience. unfortunately strengthening resilience to withstand ransomware attacks is arguably the most difficult element of our collective efforts as it ultimately relies on changing human behavior. while certain attempts such as spotting phishing attempts are easily implemented at the individual level they're much more difficult to implement community, business, or organization-wide. building resilience requires a long term investment in people, processes, and technology. every organization that wants to
11:34 am
avoid being a victim of ransomware must invest in the practices that will keep their customers, systems, and data protected. investments that make good security and business sense. the question we need to ask ourselves is what do we do now to truly have an impact. i point to three things. first, we must give people the tools and guidance they need to increase their resilience and security. that is why cisa is working to raise awareness and promote basic cyber hygiene across tens of thousands of businesses and organizations and governments throughout the country. earlier this summer, we led the interagency development and launch of, the u.s. government's official repository for resources across the interagency to help public and private organizations tackle ransomware more effectively. to date,'s ransomware readiness assessment tool has been downloaded 15,000 times. we just wrapped up cybersecurity
11:35 am
awareness month in october which included over 300 events, trainings, and webinars as well as our fourth annual cyber summit which reached over 73,000 individuals, helping them to understand the importance of being cyber smart. second, because vulnerabilities are widespread across technology environments, it is increasingly challenging for any organization to prioritize which vulnerabilities to fix. so last week, we released a binding operational directive which established a dynamic cisa-managed catalogue of more than 300 known vulnerabilities that are exploited, requiring federal agencies to remediate such vulnerabilities within a specific time frame. we strongly encourage every organization to adopt this directive and prioritize mitigation of these vulnerabilities. those listed in cisa's public catalogue as we continually identify new ones. third, critical to the effort will be our partnership with key players who can help us achieve
11:36 am
broad-based effects. in the coming weeks, two groups of outstanding thought leaders and experts will provide critical perspective, insight, and knowledge in dealing with our most difficult cyber challenges. these efforts build on the recently launched joint cyber defense collaborative or jcdc, a partnership between key federal agencies and private sector companies who see across networks and industries to help us identify emerging threats, provide actionable information and take action at scale to reduce the risk of compromises of all types. finally, perhaps the most important role, ensuring early warning of threats and attacks. presently we only receive information on a fraction of incidents. this hampers our ability to conduct critical analysis, spot adversary campaigns, release mitigation guidance and provide timely response. this leaves critical
11:37 am
infrastructure vulnerable which is simply unacceptable. providing this information quickly will allow us to enrich it and get it out broadly, protecting future victims and raising the baseline of national cybersecurity. given the importance of visibility into the true size and scope of the cyber threats facing us, i urge congress to move quickly on the urgent priority of adopting incident notification legislation. i would be remiss if i didn't close with a thank you to congress. today marks our third anniversary as the cybersecurity and infrastructure security agency. you have entrusted us with the critical mission, and i am honored to work alongside an incredible group of men and women who execute that mission with professionalism, integrity, and excellence. thank you for your partnership and support. our nation is facing unprecedented risk from cyber attacks undertaken by both nation states and criminals. in collaboration with our government and critical infrastructure partners, international allies, and with the support of congress, cisa will continue to lead our national call to action. i want to thank you again for the opportunity to appear before
11:38 am
the committee. i look forward to your questions. thank you. >> thank you for your testimony and for responding on such short notice. and our last witness today is assistant director vorndran. you are now recognized for your testimony. >> good morning, chairwoman maloney, ranking member comer, and members of this committee. thank you for the opportunity to be here to represent the fbi and our cyber program and to sit with chris and brandon as a unified front against a growing ransomware threat in this country. the three of us and our staffs are constantly in touch and i appreciate the work both of them and their organizations are doing to keep this country safe. i would also like to thank in no particular order the department of justice, the secret service, u.s. cyber command, nsa, cia, treasury, and state, all who have a significant role. i hope everyone leaves the room today understanding that no one federal agency can tackle cyber threats alone but that we each have unique authorities and capabilities allowing us to create a whole greater than the sum of our individual parts.
11:39 am
ransomware may just now be grabbing the headlines but the cyber threats facing our nation aren't new. in fact the fbi's cyber division is turning 20 years old next year. over that time we've learned a lot, most notably how to work within the interagency, with foreign partners and with private sector companies. we also have recent reminders about the long arm of the law with the arrest in poland of the individual who conducted a ransomware attack against kaseya. our current strategy is focused not just on indictments or arrests, though we do think it's important to remove players from the field, but on pursuing and disrupting the actors, their infrastructure, and their money, all while providing help to victims and actionable intelligence to warn potential future victims. looking ahead, i have no doubt the playing field and the rules of the game will change over the coming months and years in the face of this threat evolving. i believe our interagency team is improving each day and we're
11:40 am
excited for the opportunity to continue to serve and protect our country from cyber threats. as chris mentioned, there are four critical outcomes for all of us. federal coherence, improving public/private collaboration, aligning resources to aspirations, and increasing present and future resilience. the fbi, due to its unique authorities, will play an important role in achieving each of these outcomes. but the fbi won't be able to fully support these strategic outcomes if we don't receive timely information about cyber breaches. as the cyber threat has evolved over the past 20 years, one thing has remained the same. the fbi has been at the center of acting on u.s. based cyber threat intelligence. it's what we do best. when i discussed the fbi's value proposition in cyber with people who want to see this country succeed, i describe it this way. the fbi is the only agency in this country who can get a well-trained agent working with local computer scientists, intelligence analysts and others on any doorstep in this country within an hour.
11:41 am
cyber is a global, mostly foreign-based threat. and we can be on the doorstep of foreign law enforcement and intelligence services in a position to assist within a day in over 70 countries too. our agents care. they want to make a difference. that's why i and almost everyone else joined the fbi. now, i know there are several cyber incident reporting bills currently being considered, and i can't stress enough the importance of the fbi receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at cisa. the faster we get this information, the faster we can deploy a local cyber threat expert to a victim's door, track, freeze, and seize funds taken and ultimately hold cyber criminals accountable. 24 hours probably wouldn't seem like a big delay to most people but the help we can offer within that time can be the difference between a business or a piece of critical infrastructure staying afloat or being crippled. let me state the same as a
11:42 am
sports metaphor. why would a team bench one of its best players in the first quarter of the super bowl? it doesn't make sense to me. to give those criminals a head start against the people protecting the public doesn't make sense. as the u.s. government continues to hone its approach to this problem, to take full advantage of all instruments of power at its disposal, i believe we'll see two significant types of outcomes. first, we want to degrade the ecosystem where it is no longer worth our adversaries' time and effort to commit these crimes. second, we do want to remove players from the playing field. it's awfully hard to hack a computer from behind bars. >> thank you very much. i now recognize myself for five minutes. the united states is a major target for ransomware attacks. it's really a threat to our national security. it's my understanding there is
11:43 am
legislation attached to the ndaa that will allow our government and require our government to start tracking data on cyber attacks. i'm hopeful that this will be signed into law. this is a good first step. many other experts tell me the next thing we have to do is get a stronger coordination between the private and public sector, which mr. vorndran spoke about in his testimony. it's hard for the government to respond and help if we don't even know about the attacks. there have been numerous bills before congress for a long time. we have not been successful in passing them because there is resistance and really objection from the private sector. i understand that england has been successful in setting up systems that have the private sector now working with their government to respond to cyber attacks. i would like to start with mr. wales, but invite our other two
11:44 am
panelists to answer if they would too, what can we do to pass this legislation, put in place this type of cooperation? this is a threat to our national security, our economic security, and certainly to the public and private sector. so if we could start with you, mr. wales. >> sure. so i'll answer the question in kind of two parts. the first part is associated with the legislation you're discussing. i think as both -- all three of us said during our opening statements, passing cyber notification legislation is a top priority. we need the information because that enables cisa and the fbi to both engage with that victim, offer our assistance, understand what's happening on their networks, and protect other victims as well as all the threat response and going after the actor and following the money that the law enforcement community including the fbi begins to do from that point. but even today, there is a lot
11:45 am
that we are doing across the u.s. government to improve our public/private partnership to enable more effective cyber defensive activities and protecting the homeland. i mentioned during my opening statement the recently launched cyber defense collaborative where we've brought together the critical government agencies like the fbi and the nsa and cyber command along with those companies in the private sector who have the best visibility into the cyber ecosystem. we're talking about major cloud providers, major internet service providers, the cybersecurity firms in the private sector who provide response, support, and protection to tens of thousands of companies across the country. as we work together to identify and spot adversary activity, as we share indicators back and forth and enrich them on both sides, we're able to provide more protection than anyone can do independently. these are the companies that can take action on a massive scale to protect networks. and so even if companies are not part of that collaborative up front, they're often being protected by the activities that
11:46 am
are happening within that structure. it is something that is new, we've rolled it out in august. we've already seen fairly significant success in identifying recent campaigns and activities. and we really look forward to working on this more in the future and appreciate congress' support since this effort was enabled by authorities granted in last year's ndaa. >> thank you. and in the interests of time, i now want to move to assistant director vorndran. last week the department of justice announced charges against two foreign nationals for their role in the ransomware attack against the florida-based software company kaseya. one of the people indicted is a russian national who is reportedly responsible for over 3,000 ransomware attacks. i commend the justice department and our international partners for bringing to justice these attackers. but to hold cyber criminals accountable, russia has to play by the rules. can the charges against the
11:47 am
russian national be viewed as a test case for russia's willingness to crack down on cyber criminals? earlier, mr. inglis has testified publicly, made public statements that because of the biden administration's active engagement on combating cyber, that some of the activities in russia seem to be more mild. but you said you don't know if this is going to be sustained. but could you respond on this, and how should the u.s. respond if russia fails to act? >> thanks for the question. i would default the -- or defer the question about the administration test case to mr. inglis. from an fbi perspective, we have not seen a decrease in ransomware attacks in the past couple of months originating from russia. please understand we do have incomplete data. in a best case scenario, we only see 20 percent
11:48 am
of the intrusions into the country. the fbi remains focused on investigating cyber criminals in and around russia for well more than a decade at this time. so the indictment of polyanin is the latest indictment we've pursued based on criminal conduct here in the united states. >> would you like to comment, mr. inglis? >> yes, ma'am, i would simply add to that that it's very important that russia play a part in this. it is far more effective to stop these threats at their source. and a permissive environment, if harbored, if given safe haven by the russians, would encourage more entry into this space. that being said, we're not powerless. we're kind of using only the russians as a tool to push back on this. the strategy that i articulated earlier and that others have reflected on actually says we can become a harder target, we can increase resilience and robustness, we can bring international coalitions to bear, we can find these
11:49 am
transgressors as they travel to other countries or shift their illicit gains across the internet. we will continue to pressure the russians very strongly to help them understand they must do their part. >> the gentleman yields back. my time has expired. in answering the question, i went over time. i give certainly as much time and more to my distinguished ranking member mr. comer. >> thank you, madam chair. in early july, a florida software company became the victim of a ransomware attack causing widespread outages for over a thousand institutions ranging from hospitals to schools to grocery stores. it wasn't until july 23rd, three weeks later, that the company announced it had received a universal decryption key to help companies restore their files. in september, "the washington post" reported the fbi had secretly obtained the digital key to unlock these files yet sat on it for three weeks and never told the companies, costing untold millions of dollars in recovery costs.
11:50 am
the fbi's rationale apparently was to carry out an operation to disrupt the hackers, a group known as revil, yet according to "the post" the group's platform went offline before it had a chance to execute its plan. in september, the chairwoman and i wrote to director wray asking for a briefing on the fbi's decision. we never received that briefing. and mr. vorndran, i'm going to address my first question to you, but with respect to the briefing, i understand that you're not at the top of the organizational chart of the fbi, but please relay that we expect a briefing. i don't think it's any secret in eleven months, we're probably going to be sitting over there, and we're going to have a lot of questions for the fbi from the
11:51 am
steele dossier to the ransomware, especially in a bipartisan manner, we expect a response, so mr. vorndran, and behind the fbi's decision to withhold the digital encrypter key. >> how do we do what's in the best long-term interest of the public and balance that with the public in the short-term, stated differently, if any one of us could completely eradicate that disease takes a little bit of time, perhaps a little discomfort for a loved one, we would probably prefer that over a less effective shorter term solution because in the end we would know it would have a long lasting effect. the decisions you're referring to and asking about are very
11:52 am
very complicated and they're ones we take seriously, and it's why decisions like those are not just made within the fbi but taken into an interagency environment for final determination of what makes the most sense. i think it's also really important to remember that those decrypter keys you're referring to were developed and coded by safe harbor criminals. in this case we took a process to take a safe and effective way for the victims, obviously malware that's been coded by criminals in russia and deploying on to u.s. infrastructure would not be a wise decision and those things take time to get right. we repeatedly tested that decrypter in different environments because an even worse case scenario for us was providing criminal-generated encrypter keys to victims that
11:53 am
introduce new vulnerabilities for infrastructure. >> did the fbi conduct estimates of how much money was lost due to the bureau's decision to withhold the digital encrypter key, did that play -- >> i'm not prepared to answer that question today. >> we would, you know, that's -- we get complaints from businesses as their representatives and as members of congress about decisions government agencies make, and it's always frustrating when the government agencies or bureaucracies don't take into consideration how much this decision will actually cost. and that's a problem. director inglis and mr. wales, did your agency agree with the fbi's decision to withhold the digital encryptor key and was the decision unanimous or was there dissension? >> thank you for the question and the opportunity to comment. my organization was not in place
11:54 am
at the time that this operation was in place. my read of the record was that this was a well discussed and consensus of the various agencies that had the opportunity to comment and simply observe as director vorndran said, there was never a question about the desire to in a timely, broad way to disrupt this action and save the downstream effects on potential further victims. the question at the end of the day is how do you maximize the timeliness, allow the criminals to escape, to take their access to various customers that haven't been sprung and spring them at some later time. if you wait for a while, and that is therefore a very subjective choice, one that must be well considered, you might then be able to simply remove the entirety of this threat from the landscape. if you wait too long, then there are too many victims. there's something between zero and infinity that you have to come down to align on timeliness
11:55 am
and strength. >> i think director inglis's response was, you know, on the money. this was a challenging environment. and i think anytime you're in the middle of an incident response, balancing the various equities of what can be shared publicly, what needs to be held back so that you can achieve longer term benefits. those are ongoing discussions during every incident response that our agency in cooperation with the fbi is involved in. and i think that care and evidence, i don't think there's anything that can happen with the interagency right now. >> i would strongly encourage the fbi and whoever in the biden administration is faced with this decision again to take into account the hundreds of millions of dollars that private companies are losing by a decision to withhold unlocking
11:56 am
that. that's something that should be taken into account. with that, madame chair, i yield back. >> the gentleman yields back. the gentlewoman from the district of columbia, ms. norton is now recognized. ms. norton. >> thank you, madame chair for this important hearing. very important. the focus of ransomware and the news has been on big corporations. i was astonished to find that schools are more likely to be the target. and yet they have the fewest resources to deal with this matter. so i look for examples and i have found that in broward county, florida, a district there, had a demand for $40 million in ransomware, and when the school
11:57 am
district refused to pay, the hackers posted 26,000 stolen files on the internet. so harm can, in fact, be done. it looks like schools face unique risks, and i wonder what can be done. they have few risks, yet we need to strengthen this cyber security in k through 12 schools, could you briefly do it. i thank you for agreeing to be here on short notice, briefly say what cisa is doing to address the problem of ransomware in schools. >> sure, thank you,
11:58 am
congresswoman. we are and have been working hard to expand our outreach to school districts as a result of the growing threat of ransomware that they have faced. i'm particularly making them aware of the free resources that are available today that can help them improve their cyber security under a cooperative grant to the multistate isac, that helps support state and local communities throughout this country. there are a number of free services that the ms-isac offers to school districts and other state and local governments to help them provide critical protections including things that block malicious domains. they provide initial triage and support during initial response. there's more services that can be taken on. unfortunately, school districts are among the least signed up for a number of free services. we're doing a lot to raise awareness.
11:59 am
in addition, thanks to some additional authorities provided to congress last year, we have been hiring state cyber security coordinators that are designed to live in each state, and work directly with the state and local governments in their areas to make sure that they understand the services that are available, and we now have 36 of them on board throughout the country, and part of their job is to help conduct this kind of outreach and awareness. in addition last month, the k through 12 cyber security act was passed and signed by the president. that required us over the next 120 days to better identify what more can be done to support state and local governments when it comes to protecting school districts, and to begin to roll out those services, including new trainings and we have a team across our agency working with relevant interagency colleagues like the department of education on our response to that legislation and we look forward to briefing congress on our plans in the coming months.
12:00 pm
>> mr. wales, it does look like you are doing a great deal, but the department of education in our report that has recently been issued by the gao noted that various services to help k through 12 with cyber threats appear to have an extremely low participation rate. you have something called albert that schools can get for a modest fee. yet less than 10% of districts across the united states have signed up for this service. mr. wales, how can we encourage better participation and programs at cisa, that cisa funds and offered to school
12:01 pm
districts around the country. is the fee too high, is there lack of awareness about the program, what's the problem, and what can we do about it? >> i think like a lot of our cyber security challenges, this is a multifaceted problem. we do need to do more to raise awareness so that people at school districts and there are a large number, 13,000 school districts throughout this country, we need to raise more awareness, so those folks working on -- >> 15,000. >> 15,000. we need to do more to raise awareness so those people know what resources they can get. for some things it's going to require an investment. we are very hopeful with the new state and local cyber security grant program that was established in the infrastructure bill that was recently signed by the president will give us more ability to provide resources down further into the state and local governments, some of that money can be used to protect schools. that will be part of the ongoing
12:02 pm
conversation we have with the states about the implementation of that grant program over the next several years, so we think help is on the way, but this is a collective problem, and i think anything that you can do from your perch to raise awareness in the districts that you represent about the services that are out there and reaching out to the government to see what else can be done to protect the nation's schools, we'd strongly encourage you to do that and we're willing to provide any support to help enable that kind of outreach and engagement. >> thank you, mr. wales, my time has expired. >> thank you, the gentleman from south carolina, mr. norman, is recognized. >> director inglis, you've got a big job. security of america is being compromised by this administration allowing the millions to come into here from
12:03 pm
152 countries that we have no idea why they're coming, do they have terrorist backgrounds and the task that you have along with the others is unbelievable now. you mentioned russia, and you mentioned pressure points. the only non-pressure point that this administration has done is allowed them to build the nord stream pipeline which aids and abets russia, the very country that we're attributing the cyber attacks to. so what specific pressure points do you think this administration with their record will actually do to bring them to comply? is it just to ask them to be nice? >> so thank you very much for the question. it's an important question. this administration, not unlike other administrations has been very clear with the russians about what we expect normal behavior looks like. not simply -- >> in words. >> in words. not simply kind of articulating what we believe they should not
12:04 pm
do but what they should not harbor as safe havens in their country or abroad. we brought an international coalition to bear to make the same statement. >> give me specifics, what pressure points with a rogue country like russia, what specifics do you think as head of the national cyber security team would be implemented to use leverage to stop their actions? >> the first opportunity we give them is to simply, of their own accord to cooperatively respond to the question we made. >> just more words. >> we have provided information to them. we are now assessing whether they provide that we would withhold certain diplomatic status, certain economic benefits. >> what? give me specifics, what would you do specifically that would at least slow them down as to the cyber attacks and you give them, i know words, but words with this administration mean nothing. >> attribution is important in this case. i think that we have clearly attributed these actions to
12:05 pm
persons who operate in the russian or russian near abroad. we have not attributed these actions to the russian government. we therefore have to give the russian government an opportunity to understand what the nature of that problem is and then to address it. our patience is not unlimited in that regard. we have conducted a number of what are called expert group meetings with the russians to make it crystal clear who we think is accountable here and what we need them to do about that. there is a limit to that patience, and when that is done, there are diplomatic and financial remedies brought to bear on the leadership of those entities. we have also brought 30 nations to the city to have a discussion about what an international coalition might do in this regard, and i think that russia clearly sees that the deck is stacked against them in that regard, and they must therefore act. >> and with all due respect, you gave words, but you didn't have any specifics. it's just asking, it's pleading with them. i feel for you and your job
12:06 pm
because the next major attack, if it's on our energy grid, for example, our water supply, which is, i don't know whether it was one of the 17 items that this president mentioned that were off limits, asking them not to attack. i don't know if that's on the list. at what point is this a declaration of war, a declaration that we cannot put up with. what's this administration going to do other than words? >> it's an important question, and there are multiple pressure points. russia is one of those pressure points but we can make it such that we're a harder target, and they simply cannot prevail. the criminals harbored or given safe haven by russia cannot prevail because we correct the errors they make in the construction of these systems. we can ensure we disrupt the architecture used against us. there are any number of examples in the last week of that. >> give me some examples.
12:07 pm
>> taking the money back from criminals. there are two occasions in the last month where we have done that. we have arrested and extradited -- >> were they in the country? were they already here? >> as you note, sir, cyber space is a borderless terrain, and therefore as much as they can reach us, we can reach them. >> it's borderless but it's got people behind it. >> it does have people behind it, but therefore if we bring allies to bear, we can use jurisdiction in poland and romania, the two most recent examples, to apprehend criminals and bring them to justice using the courts of law that exist in the west, and so all of those remedies, essentially giving russia the ultimatum, we have to give them an opportunity to understand and address this. two, addressing the actors and the infrastructure that is essentially holding us at risk at the moment, and making sure we're sufficiently resilient and robust. some of those will make a difference. some of those can in fact push back on this threat, deterrence isn't found by simply shooting your way out of it. that's an important part of the solution, but ultimately you
12:08 pm
need to make it such that you're a hard target and proactive, and robust in your defense. >> they're shooting their way into us. i yield back. >> the gentleman yields back, the gentleman from massachusetts, mr. lynch is recognized for five minutes. >> thank you, madame chair, thank you for holding this hearing, and i want to thank our three witnesses for their great work and i understand how difficult this challenge is. i also serve as the chair on the fintech task force over in the financial services committee, so i'd like to change gears a little bit and talk about some of the ransomware attacks that have been happening with financial services firms. i know that earlier this month, the fbi released a private industry notification, and basically it reported that ransomware attackers are now leveraging specific significant
12:09 pm
events, such as mergers and acquisitions and initial public offerings, as a focus point to launch ransomware attacks, and the idea for the ransomware attackers is to impact the victim company's share price at that crucial time. you know, at the point of a merger or acquisition and an initial public offering. most recently, the ransomware group darkside, that's the same group that is responsible for the attack on the colonial pipeline in my part of the country and it has shut down major fuel supplies on the east coast. they recently said about these type of attacks and i'll quote them, if the company refuses to pay, we're ready to provide information before the publication so that it will be possible to earn in the reduction price of shares. basically they're providing
12:10 pm
information to short the stock. and assistant director vorndran, ransomware attack is usually not something that is on the top of a company's mind, you know, there's a lot to do with an ipo or with mergers and acquisitions. i'm just wondering, is this a particularly vulnerable moment for these companies and how much damage can a ransomware attack inflict, especially during this process? >> thank you, sir, for the question. you know, i think as the threat has continued to evolve, we have seen our cyber adversaries continue to change direction where they have the most leverage. so the private industry notification that you're referring to highlights a vulnerability for companies in your discussion in the financial space that have a lot to lose during the m and a process. and i think if i were a company, the primary recommendation i would have would be to evaluate all the vectors of risk through
12:11 pm
that m and a process, and how are you going to manage that situation if something does go wrong. but to director's point, a lot comes back to our resiliency posture. the same question has to go to the companies have they taken the precautions that they deem appropriate for that risk profile, as they go through an m and a process. i'll stop there and take follow up questions. >> sure. are we doing anything fbi or mr. inglis or mr. wales, are we doing anything with some of these companies at this moment, you know, looking at ipo or nasdaq or the exchanges to identify the point of as a result -- of vulnerability and plus up their own security so that at least they're aware and taking proactive steps to defend
12:12 pm
themselves during that period of vulnerability. >> i'll take a first stab at that. i think we have fairly aggressive posture when it comes to working with the financial sector. it's one of those sectors that has focused heavily on organizing itself to make sure they are sharing information amongst the various companies in the financial sector, and that they want to work very proactively with the government to share information and to take action when possible. so that partnership is good, there are a number of organizations that have been set up to enable that type of strong prior partnership in the financial industry. there is certainly more that can be done. i think things like the industry notification that fbi had mentioned earlier are designed to feed into that process, raise awareness inside that community so it could be more of a focus. i would say, sir, you know, you're looking at one side of the challenge, but this is industry wide. it shouldn't matter whether you're going through an ipo or
12:13 pm
not. every board should care about the cyber security of their company. it should be part of the questions on due diligence when they are going through m and a in every case. and so we are trying to do more to make sure they are asking the right questions and taking the right actions quickly. >> i was trying to get another question in but my time expired. thank you. >> the gentleman from pennsylvania mr. keller is recognized for five minutes. >> thank you, madame chair, and thank you to the witnesses for being here today. the increase in frequency and severity of ransomware attacks shows the urgent need for answers, so i appreciate the topic of today's hearing. malicious attacks represent a real threat to americans' privacy, financial well being and the integrity of our national infrastructure. we cannot afford to let these continue to happen.
12:14 pm
so i would like to do assistant director wales. we know that fuel prices are skyrocketing, gasoline is a dollar more per gallon than it was last time this year. americans are projected to pay up to 30% more to heat their homes this winter. cyber incidents such as the colonial pipeline attack just six months ago underscored how vulnerable we are to various cyber threats. can you explain to us how another ransomware attack on a pipeline or other critical energy infrastructure might affect the already high price of fuel. >> sir, your point is exactly right. during times like this, the infrastructure becomes even more critical because disruptions could have even more significant consequences and it's why we continue to encourage critical infrastructure owners and operators of all types, and across all sectors to think carefully about the risk profile that they have, the potential consequences that could stem from a disruption of their
12:15 pm
operations, and what more they can do to enhance their security and their resilience, if they have a disruption, they can get back up and running quickly, without the full consequences happening. in the case of pipelines we have worked since the colonial pipeline, with the transportation security administration, which is the sector risk management agency for the pipeline sub sector, and who regulates the security of pipelines, they have put in place a number of security directives designed to improve the cyber security posture of the pipeline industry requiring them to conduct certain assessments on their cyber security, providing those assessments to the government and provide information on cyber incidents in those sectors. there's been a lot more engagement and outreach with the pipeline industry in response to what we saw from colonial and other information available to the united states government. certainly more could be done, and we have an ongoing work program underneath the white house focused on improving natural gas pipeline, cyber
12:16 pm
security. at the end of september, cisa released new industrial control system performance goals across industry, across all of our critical infrastructure, setting for the first time, what we believe should be the baseline cyber security posture, for any company operating industrial control systems in the united states, and we think we're really pushing hard on this to protect our critical infrastructure, we've got a ways to go. we really support, we're encouraged by what we're seeing and really appreciate the support we're getting from congress for some of these important initiatives. >> thank you for that, and you mentioned everything that the companies could be doing for this, and i know they're going to do that because, you know, they need to. other than -- and the importance of it, and the job of the federal government to make sure that americans and that would be companies that americans rely on can produce this, so other than
12:17 pm
giving putin a list of things that they shouldn't hack, you know, other than the president giving a list, which the list should be very short, nothing that affects an american or any of our allies should have been the list. i mean it would have been a really short list if i would have put it out there. in addition to giving putin a list of things they can hack, what else has the administration done to make sure that our adversaries know we're not going to tolerate any kind of ransomware or cyber attacks on our infrastructure or quite frankly, anything of american interest around the globe. >> congressman, i'll be happy to complement the answer thus far which i support. i would say the administration, again, has been clear with the russians about what the consequences of failing to assist in cleaning up this safe haven would be, diplomatic,
12:18 pm
economic, indicate also law enforcement, but again, we are not powerless, if the russians were to fail to take their appropriate action, we brought a coalition to bear such that that coalition will bring further impression on the russians. we have done our own research necessary to understand who these criminals are, and when and where possible we have caused them to be arrested in the various countries they may travel to and extradited to the united states. we have followed the money flows and apprehended that money when and wherever possible. we have used our intelligence resources to assist the private sector in understanding what the threats to them are, and at the same time, give them best practices so that they may up their game and become a harder target. the sum of all of those will make a determinative difference. the russians can help make that a better program but it's not a completely weak program without the russian cooperation. >> i understand the russian cooperation and what you're talking about but if you followed this around, they have been arrested and there's been some money recovered.
12:19 pm
i think that ought to be money that goes back to the american people and the people impacted by this. i would just like to know what we've done, and maybe this can't cover it in five minutes, but i would like to know what we've done to make sure that we're certain that putin is going to make sure that these things don't happen. he's going to do everything he can to stop it. i don't know that we have that confidence yet, and handing him a list of things, quite frankly, the list should say nothing. you can't hack anything or we're going to hold you accountable. thank you, and i yield back. >> the gentleman yields back, the gentleman from virginia, mr. connolly is now recognized. >> i thank the chairwoman, and i agree with my colleague, by the way, the danger of handing a list of prescribed cyber attack items is that the inference could be drawn everything else is fair game, and that's a real risk. mr. inglis, last month, the department of justice launched the national cryptocurrency enforcement team and the civil
12:20 pm
cyber fraud initiative to marshal the department's resources on complex cyber and cryptocurrency investigations, earlier this year, the department also created a ransomware and digital extortion task force. in july, the national security council established a ransomware task force. we of course have a cyber division in the fbi, and we have mr. wales as the executive director of cisa. when you were, before the senate for your confirmation hearing, you said that one of the primary purposes of your position was to create coherence among federal agencies with respect to cyber security. given the proliferation of various entities in the federal government on cyber-related issues, how big of a challenge is that coherence? i worry about the traditional compartmentalization that characterizes how the federal government responds to
12:21 pm
everything. >> sir, it's an excellent question and a question that i think is on the minds of many when they look at the complicated organizational arrangements that pertain in cyber space. no less complicated than the united states department of defense, with an army, navy, now a space force. it can be coherent if we use the joined in a, to use each of these deep and sharp strengths such that they collaboratively, collectively concurrently make the difference they should. that's our job, that's what we're pursuing. if you ask the task force whether they understand what the other task force is doing and how they complement each other, i think you would get a solid answer. i would be happy to come back and talk at length the details underneath all of those. if i might address your earlier observation, the president having given vladimir putin a list, if you ask any cyber expert in the united states and
12:22 pm
various other places, but in the united states, how do we describe critical functions, that person would likely say we describe them 16 ways, there are 16 infrastructures, if you say don't attack critical infrastructure, the energy sector, the transportation sector, and so on and so forth. that's a way broadly to say don't attack anything critical. >> yeah, let me just say to you mr. inglis, i'll stipulate that last point, but with respect to your observation about my question, let me just say, the experience is at best spotty within the federal government. you look at terrorism as a challenge and the coordination among federal agencies, say, prior to 9/11, not something to be proud of, and in fact, information was withheld. information wasn't shared. intelligence wasn't shared. cooperation was not a characteristic of the culture,
12:23 pm
not only within the federal government, but between the fbi and other agencies of the federal government and our local law enforcement. >> sir, i do acknowledge the historical accuracy of your observation. you're quite correct. we have had moments when we failed to connect the dots or worse, where we failed to combine our efforts to even form the dots. i think what you're hearing from this panel today is that we understand that we must integrate and collaborate such that we discover and do things together that no one of us can do alone. that is the challenge. >> i will observe that we had the ceo of solarwinds, mr. ramakrishna before this committee talking about the attack his company experienced that affected a lot of federal agencies, and his observation was having a single entity to which all of us can refer will serve the purpose of building speed and agility in this process. too much time is wasted in communicating across agencies where information is very
12:24 pm
fragmented. >> sir, we agree, and to quote my good friend jen easterly, we shouldn't need a ph.d. in government to get a cohesive response from government. >> well said. final observation, maybe to you, mr. vorndran, should companies or federal agencies or state and local governments pay a ransom? what is the guidance we give, and if a ransom is ever to be paid, should it not be a last resort rather than the first response to the threat? your observation, and what policy guidance does fbi give and then i would yield back? >> sure, i appreciate the opportunity to get this on the record, the fbi's official position is that we do not recommend any company paying a ransom. however, we understand that a company's decision to pay a ransom should be based on their own business priorities, and if they choose to pay the ransom, we ask that they let us or
12:25 pm
cisa or the appropriate federal law enforcement agency they're working with at the time know, the quicker we're able to see the money, the better the chance we have to trace it. so our bottom line position is we do not recommend paying ransom because it fuels a huge criminal enterprise, but we do understand it's a business decision, and we understand that that's a company's decision. >> thank you, and i yield back. >> gentleman yields back, the gentleman from arizona mr. biggs is recognized. >> i thank the chairwoman, and i thank the witnesses for being here today. so some cyber security experts have said that diplomatic pressure, and criminal prosecutions are insufficient to deter adversaries. and that the administration should use offensive cyber operations to degrade an adversary's capabilities and create credible deterrence. i'm wondering, and i guess for each of you, is what offensive cyber operations might be
12:26 pm
effective in deterring cyber attacks on our businesses and our government entities director. >> thank you for the question, sir, i think taking a broader interpretation of what offense looks like in cyber space, it might not be what one would imagine in kinetic space, using all instruments of power, trying to impose cost to perhaps stop or apprehend, right, the threat of the moment. we can use diplomatic power to use other nations authorities to arrest extradite people, combine that with legal authority, we prosecute those people in our own court. that is an offensive maneuver. we can use our capabilities to find and arrest money flows. we can use our capabilities to take down illicit infrastructure. we can collaborate with the private sector to infiltrate
12:27 pm
attacks as they come across the boundaries. as the law of conflict would say, and i avoid the term armed conflict, but as the law of conflict or contention would say, the remedy must be proportional to the need, and in this case, we have many instruments of power at our disposal such that we can understand what's happening to us, engage it at the earliest possible moment and bring these threats to heel. >> director, i'm sorry, i was going to give you a chance, i'll try to get back, i just want to ask, you mentioned a number of things i thought would be categorized as offensive in the cyber world, how successful, how much have you engaged in that, how successful have you been and then i'll turn the first question over to mr. vorndran, and then mr. wales. >> i think that we have applied all of those instruments to have the powers of early discernment through diplomacy, legal means, financial means, and understanding in cyber space what's transpiring and at those moments when we understand a
12:28 pm
threat is being against us to interdict that at the earliest possible moment. i would say anecdotally over the last weeks or month you have seen some evidence that those are beginning to succeed, against the nature of the threat which is long in the making, it's not unlike climate change, which is decades in the making and therefore can't be turned around in a fortnight. it's too soon to tell whether we will sustain that in a concurrent applied fashion to have the changes to make the changes necessary. that being said, as important as that offensive component is that you address and that i've attempted to explain, defenses equally if not more important, stopping these threats by simply making them such that they may not succeed is as important as any other, because there's no nation in the world that is more dependent upon infrastructure, digital infrastructure than we are, and we have to be concerned that if we were to -- >> i thank you, and as you're answering, the questions mr. vorndran, i would like you to elaborate on arrest indictment, and interdiction and
12:29 pm
interception of flows of money that are being -- that you are undertaking, if you can. >> of course. i just want to go back to the first question you asked, sir. one item to build on what director inglis said is we heard a reference to pre-9/11 and post-9/11, the ecosystem in cyber moves at a pace that far outpaces what we saw post-9/11 and terrorism. the reason i highlight that is because the public/private collaboration and what the private sector sees on their infrastructure is infinitely high, and without that flow of intelligence from private sector it inhibits our ability to be more proactive and more offensive. to your second question about, you know, the term following the money, we have virtual currency experts in the fbi, secret service has them, irs has them, we are all looking at those money flows, treasury is heavily engaged in sanctioning individuals and entities so that u.s. persons and u.s. businesses can't partake in that.
12:30 pm
so virtual currency remains a very key focus area in terms of putting pressure on the threat. >> thank you, and this is for you mr. vorndran, earlier this year, "the washington post" reported that the fbi refrained for almost three weeks from helping to unlock computers of hundreds of businesses and institutions hobbled by a major ransomware attack, even though the bureau had obtained the digital key needed to do so. the question is do you believe there are steps that the fbi could have taken in that case to provide relief to the victims of the ransomware attack without also compromising the bureau's efforts to disrupt the russian-backed hackers there, knowing that it was estimated that literally millions of dollars were lost by the victims? >> sir, my answer to that question is already on the record, i'm happy to go through it again if you desire. >> yes, i would. >> okay. so in direct, director inglis provides the answer as well.
12:31 pm
how do we do what's best to protecting the public in the long-term, if i had a loved one with a terminal disease, if i could take a long-term effort to sustain their life for longer, knowing i would have a more impactful outcome, i would probably play that hand versus a band-aid solution. in our efforts, right, we thought with our interagency partners and this decision was taken to a complete interagency team where there was consensus that it was best to play the long game. i think it's really really important to understand that those decrypter keys are built by criminals, not built by us. taking a decrypter key built by a criminal, and simply deploying it to, in this example, the downstream victims is not a good decision here, and requires multitudes of testing environments and time tied to those testing environments to make sure that we're not inadvertently introducing back
12:32 pm
doors or malicious code on to u.s. infrastructure. >> the gentleman yields back, mr. raskin, you are recognized. >> thank you very much, in july, justice department official richard downing testified before the u.s. senate that doj believes only one quarter of ransomware intrusions are reported. at this rate, the government is missing crucial information that it could use to help ransomware victims and deter future attacks. for victims who do want to report a ransomware attack, the guidance on who to report to is not exactly clear or efficiently organized. for example, if i'm the victim, and i visit the fbi's web site to report it, i'm encouraged to take one of three steps. i can report the ransomware attack to my local fbi field office, submit a tip through the fbi's tip portal or report it to the fbi's internet crime complaint center or ic3. assistant director vorndran, how
12:33 pm
many fbi field offices are there? >> sir, there's 56. >> 56. so if i'm the victim of a ransomware attack, there are potentially 58 points of entry to the fbi to report the attack, counting the online portals. now, if i visit the web site, i'm advised that i can report not only to the 58 points in the fbi but also cisa and the secret service which has its own network of field offices too. director inglis, let me ask you, i appreciate the possibility that i might have multiple points of access, but doesn't this sound potentially confusing to a ransomware victim to figure out where to go. >> thank you for the question. i admit that if those were independent entities, it would be confusing. there would be too many opportunities and you wouldn't
12:34 pm
know it got to the right place at the right time. our job on the government side is to ensure if you've told one of them, you've told all of them. cisa, fbi, secret service routinely coordinate the information they have received and we have established something called the joint cyber defense collaborative where the information is synthesized and pushed out to a much broader population. >> i want to pursue that point, when cisa receives a ransomware report from a victim, does it automatically share that information with the fbi or the secret service, mr. wales? >> yeah, so i would say that in almost all cases we're in partnership with the fbi and the secret service. in almost every case where we have conducted direct engagement with or notified a victim that is always coordinated ahead of time with the fbi, we in all cases do that jointly to ensure cisa's role in providing support and responding to helping to understand what happened and share information, the fbi's threat response role that we can
12:35 pm
both support that company through that engagement. >> in what cases would you not? >> you know, i don't think there's any cases where we say we're not going to do it. i just want to leave myself a little bit of flexibility if something came in in a weird way, and one of our field personnel did not report properly that it may not have happened, but that is not the standard operating procedure that we operate under. >> assistant director vorndran, when the fbi gets a ransomware report from a victim, does it automatically share that information with cisa or the secret service? >> sir, i will double down on mr. wales' statements. we have central coordinating entities between fbi coordinating division, and cisa central to share all of that information. all of our threat reporting and notifications flow from our field offices back into that portal. so certainly our intention and we believe our practice almost 100% of the time is crossing the coordination with cisa, but certainly none of us are failure proof so i'm sure there is one
12:36 pm
or two examples out there we haven't gotten it exactly correct. >> if a victim reports a ransomware attack through any of the channels listed on the stop ransomware web site, does that guarantee every agency that needs to know about the attack is notified or is it more ad hoc, does the collaboration as just set forth by these other two gentlemen, does that collaboration work systematically and uniformly. >> as my colleagues have said, the design and intended operation is that having told one of them, all of them will know and be able to respond with their unique authorities. >> right. i find it curious no one wants to state categorically it happens. >> i would say that the caveat here is we're allowing for the fact that the system is not perfect, and therefore may be a situation or two where it doesn't work. we will work to correct that and identify those. >> if it doesn't happen, that would be an accidental thing. that would not be as the product of a deliberate policy.
12:37 pm
>> that's correct. there are no policies that would fail to share but the implementation is what we're then cautioning, might not be perfect. >> if a ransomware victim thinks he or she has been the victim of a crime, they don't need to file an independent report with the fbi. it's enough to report it to cisa, for example, is that right? >> that's correct, sir. >> okay. all right. finally, mr. wales, is there any specific reporting advice you can provide to a small business owner suffering from a ransomware attack, what should they do? >> sir, we actually worked with the multistate isac to release a ransomware guide last year. it was designed for state and local governments, but it is very applicable to small and medium sized businesses, and it goes through a checklist of what to do ahead of time, how do you better protect yourself and prepare for ransomware incidents and goes through, from my last remembering of looking at it, like 19 steps that you should undertake if you have a ransomware incident including kind of understanding what
12:38 pm
happens, isolate your network to the extent you can, when you should turn off devices, who you should call, kind of works through the steps, someone who has been a victim, what they should do and how they should potentially engage with an outside firm who can potentially help them, reach out to the government that can potentially offer support. that information is out there, on, designed for the small to medium sized business. >> thank you very much. >> the gentleman from florida is recognized. >> thank you, madame chairwoman. mr. vorndran, what is your estimate of the attacks that are criminally motivated versus foreign intelligence cyber operations? >> sir, i don't have a good answer to that question today. i would be happy to take that back and give you a more refined answer. all i can say between nation state actors and criminal attacks on u.s. infrastructure both are extremely prolific. >> do you ever see or do you
12:39 pm
believe in your opinion, do you think there are nation state actors that are posing as criminals at times to probe our networks under the guise of just seeking ransomware but actually have a more nefarious intent. >> that's more of a classified conversation, but i would refer to that as a blended threat, there are gaps as to whether intel are moonlighting as criminals or state actors are hiring criminals to conduct certain activities. those are some gaps. certainly will have a more classified discussion with you if that's of interest to you. >> do you think the spike we're seeing is it people are more willing to report it or are there more attacks because crooks are seeing it's more profitable, more lucrative. why the recent spike, do you think? >> so our data, and again, i think it's important to highlight that we only see our
12:40 pm
estimates are about 20 to 25% of the total intrusions and i'm quite sure brandon would share approximately the same figure with you. it's very hard to say increase, decrease, what we can say, though, is in the last six months, we have not seen a decrease in the amount of frequency on reporting on ransomware attacks. we attribute it to the simple fact that it's incredibly lucrative for the criminals. that's partially due to the valuation of virtual currency but it's partially due to the vulnerability of our systems and infrastructure here that makes it profitable in both ways. >> okay. thank you. director inglis, the colonial pipeline attack caused major disruption at the gas pumps, you know, there was talk about concern of it shutting down the energy grid, if something like that were to happen, obviously there would be mass chaos. it's not hard to think of other examples of attacking health care systems where we could see a significant loss of life. i know this isn't completely
12:41 pm
within your purview, you have it with your military background, as well, in your view, when would such an attack rise to an act of war. >> typically classically, the attack rises to an act of war when it achieves the damage, kind of national security, of a significant nature. these are serious at any level, and therefore requires that we respond fully with the remedies proportionate to that need. we need to double down on resilience and robustness, proactively defend these spaces and bring to justice the transgressors who conduct these actions. >> we talked about the 16 critical infrastructure areas, and it's one thing to reach out to, you know, a foreign country like russia and tell them pretty please, you know, please don't do these things, but should we be engaging in treaties or formal documents with other nations to establish those trip wires, like geneva conventions
12:42 pm
or something of that nature. >> there was a global group of experts sponsored by the united nations in 2015 time frame that described norms that constitute reasonable expected behavior in the space. the united states signed on to those. just a week and a half ago, the vice president in paris announced that we would support the paris accords which are a similar articulation of what is reasonable and responsible behavior in this space. they do not have the force or effect of treaties but clearly are recognized by like minded nations as the way one should behave in the space and the responsibilities of nations in the space. >> something like that could provide justification, if violated, then when we responded in kind then we would have kind of the international support. >> it has practical purposes, establishing what we would describe then as reasonable and appropriate behavior and therefore we are able to describe what is not. >> mr. wales spoke earlier in his testimony of improving our incident reporting system. should the definition of major
12:43 pm
incident change so that congress is better informed when cyber attacks occur against federal agencies? >> i think that we need to have a standard definition of what a major incident constitutes such that we can uniformly regardless of where an event might take place inform the congress of those things that are truly major or in some cases significant. to your point, if those decisions are all made locally, then there's going to be a certain degree of inherent unevenness. if we're to operate with unity of effort, unity of purpose, we need to make sure we have a common standard, a common definition, and when and where appropriate, and there are various situations where that is entirely appropriate to inform the congress. >> thank you, and i yield back. >> gentleman yields back, the gentle lady from illinois, ms. kelly is recognized. >> thank you, madame chair, as ransomware threats continue to spike, our response has been plagued by the challenge of hiring cyber security workers
12:44 pm
into the government. as of august, there was a shortage of about 36,000 public sector cyber jobs across all levels of government and about 1,700 are vacant from the department of homeland security. needless to say, we need to fill these positions and ensure our cyber defense systems are operating at full capacity. the department of homeland security recently made a dent in cyber vacancy initiative, which led to the on boarding of 300 cyber security professionals and the extension of 500 additional offers. mr. wales, what made the department's initiative so very successful? >> thank you, congresswoman. this is a high priority for both cisa and the broader department, and we've made hiring a really high priority for everyone. so just in terms of the past year in fiscal year '21, we
12:45 pm
hired more than double the new employees into the agency than we did in both fy 19 and fy 20 combined. we are making real progress. in addition, just yesterday, we announced the launch of the new cyber talent management system, which used authorities that congress had granted a number of years ago to create a new system designed to hire cyber talent and give us additional tools to bring in and recruit and retain the best and brightest into the government when it comes to this space. we're really looking forward to using that over the next year to dramatically increase our ability to fill our ranks. in addition, we are working hard to kind of broaden that pipe, work with different groups, girls who code, the girl scouts, getting more people interested in this space, aware of the opportunities and to highlight the importance that this kind of work plays to our overall security. and we're working hard to look at bringing new groups to bear,
12:46 pm
whether that's working with community colleges and historically black colleges and universities. there's a lot of efforts underway to grow the pipe and make sure we can bring in the right diverse work force that is expected to solve the hardest cyber challenges, i know director inglis has been working hard in the education and training space as well and may have additional points. >> congresswoman, i would simply add to that that as you've indicated, leadership matters in this regard. this is not something that can be put on autopilot. we need to revisit the definitions for these jobs to make sure we properly describe what those skills are. we open some of these jobs to a broader population. we need to appeal to the broadest possible population, and use all methods and work as hard as retaining these people as we do at getting them on board in the first place. >> the other thing i always think about, the difference between public and private, of course, is compensation. it's extremely hard for the federal government to compete, you know, with outside private
12:47 pm
corporations. so one proposal i put forward with rep gonzalez in the ndaa was creating a cyber digital reserve corps to bring in private talent at federal agencies. director inglis, how can the federal government overcome this compensation discrepancy so we can compete with others and get top talent? >> congresswoman, i quite agree that money is an important determinant when people select or stay in jobs, so is job satisfaction. so in that case, i think we need to be competitive, but we're not going to pay the largest salary, congress has given many tools to the federal government that i think we can and should employ. we need to work hard as we do at giving job satisfaction feedback to the people who take these jobs, such that they stay on the merits of the sum of those factors. >> let me add, the new cyber talent management system we rolled
12:48 pm
out yesterday does include the ability to pay more competitive salaries but as director inglis notes, we're never going to be as competitive as the private sector, but the opportunity to work in the government, the opportunity to serve your country and to do things in the cyber security field that you can not do any place else public or private, i think is an attractive opportunity for a lot of professionals in this space and it's incumbent upon us to demonstrate that opportunity when we're engaging with audiences and prospective candidates for jobs here. >> my other question was going to be about attracting diversity, but you talked about that already. i don't know if you have anything else that you want to add and mr. wales, i hope the people that you send out to recruit have your -- the passion that you just displayed about it, so hopefully we can -- if they are like you, we'll be able to get good people that want to work for the government, but i didn't know if there was anything else you wanted to add
12:49 pm
around the diversity piece. >> the only thing i'll add is that increasing the diversity of our work force is one of the highest priorities for director easterly and we are seeing the results of that in the new employees particularly at the junior employees. we are growing that pipe of cyber professionals, and it's going to represent this country well. thank you. >> thank you, and i yield back. >> the gentleman from new mexico, the gentle lady from new mexico, ms. herrell is recognized. >> thank you, madame chair, and i believe it's a very important hearing. i mean, it's vital that we confront the threat of cyber attacks on our government, and critical infrastructure, like the food industry, and of course energy, director inglis, as you know, earlier this year, jbs faced ransomware attack that halted production on the country's second largest processor of beef, pork and poultry. jbs supplies about 25% of the beef, about 20% of pork, and poultry to the united states.
12:50 pm
concentrated control heightens the potential for severe disruption to our food supply, and it is vital that we mitigate against future risks. i actually think it's dangerous in and of itself to have four companies control 80% of the beef processing, but director inglis, do you agree such concentration of our food supply creates additional risk. >> the concentration of course gives a concentrated target. so i think our first endeavor should be to take the systems that we have to make them more resilient and robust. does an adversary have to beat one of us to beat all of us, and make sure we're responding so we
12:51 pm
can quickly restore those systems to their proper function. >> great. and i thank you for that. and you just actually answered my next question briefly which would have been what is the administration doing to put protections in place so we don't have a future threat to especially our food supply chains. the administration is also considering shutting down line 5, an oil and natural gas pipeline that carries and transports fuels from wisconsin to michigan to ontario. i think this would be reckless and endanger americans in the heart of winter causing a surge in prices in heating and oil. this is an unnecessary danger to the american people especially if we consider what's at risk when we have the cyber attacks. rather than thinking about shutting down a bio pipeline is the administration studying how to prevent future shutdowns like the colonial pipeline, the
12:52 pm
ransomware attack that occurred earlier this year? >> i think there's some very specific programs at dhs. the answer is yes. looking at the various critical infrastructure sector components to include pipelines, the government has stepped forward to determine what are the features required to create defensible architecture. >> thank you. as i mentioned earlier there's a number of activities under way. some of that is in response to the colonial pipeline incident. in its wake the transportation security administration released two security directives designed to improve the cyber security of critical pipelines throughout this country. some of that required them conducting more detailed
12:53 pm
vulnerability assessments. there's a number of activities underneath a white house ics initiative focused on industrial control systems, those are the systems that operate the pipeline. and cisa is a part of that. there's certainly more work to do and we recognize how critical pipelines are to the economic security and national security of this country, and it's why we're working in such close partnership with both industry and our government partners to provide more information, more expertise, conduct our own assessments and make sure our pipelines are as protected as possible. >> great. and i really do appreciate that. and i think americans after seeing this happen earlier this year, the importance of protecting our assets whether it's oil and gas or food supplies. and you already kind of touched on this. i was going to ask what are we
12:54 pm
doing to counter these attacks, where and how are we responding to protect our nation's infrastructure, but you just answered that. i appreciate you all being here. and madam chair, i'll yield back. >> the gentle lady is recognized. >> thank you, madam chair. ransomware attacks target systems americans use every day. attacks were launched on hospitals in central florida leaving nurses and doctors with lost patient files. a hacker tried to dangerously spike the levels of sodium hydroxide. thankfully a savvy water treatment worker blocked it in time from causing sickness and death. in one recent prolific attack
12:55 pm
hackers targeted hundreds of schools, businesses and government customers served by a miami-based company. gasoline prices skyrocketed and gas stations across the southeast experienced fuel shortages. so it appears various actors target critical infrastructure including not only cyber criminals but also nation states and their proxies. these attacks focus on high stake targets and large organizations that have robust security systems, but our committee investigations found even large organizations lacked initial points of contact with the federal government. right now we seem to have a patchwork of agencies focused on cyber threats. what are you doing to clarify roles and make sure state and local governments and large nongovernmental organizations know who to contact and how they should respond to a cyber threat? >> yes, thank you for the question. i appreciate the report issued by this committee today and the
12:56 pm
recommendation -- the findings and recommendations, one of which was it was essential the federal government be joined up and coherent as individual citizens or organizations attempt to report or to seek service from that government. my office as i indicated has four outcomes we should be held accountable for. the first is federal coherence. not simply how we manage our own digital infrastructure but how we respond to support the defense of critical infrastructure. despite the fact the federal government is quite diverse, that can be brought to bear as a strength if we're joined up. >> but that doesn't really answer what we're doing to clarify the roles and make sure state and local governments and large ngos know who to contact.
12:57 pm
>> let me give specifics on that. since the office was created and funded yesterday. but since the office was created i've worked closely with the cyber security and infrastructure agency cisa, to ensure they had the entities that deal directly with the infrastructure, department of energy, department of defense, so on and so forth such if you report it to one of those critical agencies cisa would report that. and more importantly we push that proactively to the beneficiaries. that work is not complete. it is a very diverse but that's
12:58 pm
the work before us. that's what we've been doing. i've spent arguably half of my time on that issue alone. >> i also want to follow up in response to chairman connolly's question. as you know a cyber insurance policy will typically cover the cost associated with a ransomware attack. what would you recommend to local and state governments when they're making a decision about whether to purchase cyber insurance policies to cover losses related to an attack? >> thank you for the question. that's a challenging space for me to venture into in my job and within the organization i represent. but what i would say is simply that those state and local governments need to understand their risk calculus and where they are in their maturity of net defense and resilience and
12:59 pm
how much time they would be able to take to legitimately bring all their systems back online to have a functioning state or local government. and based on the totality of that analysis that should drive whether they do or don't want to drive cyber insurance. >> thank you very much. madam chair, i yield back the balance of my time. >> gentleman from texas, mr. cloud is now recognized. >> thank you, chair. a lot of our discussion and rightly so is focused on cyber attacks on big national interests, colonial pipeline and meat packing plants and the like. i wanted to focus a bit on rural counties. a lot of the district i serve is rural. we've had at least two communities affected by attacks against them, ingleside and jackson county. jackson county it's a population about 14,000.
1:00 pm
they experienced a cyber attack by hackers using ransomware. the system shut down and the hackers demanded $362,000 in bitcoin, which for a rural community like that is a lot of money. they were able to -- the state of texas responded and the texas military department cyber incident response team along with the texas department of resources were able to accomplish what they say was six months of work in about 15 days and brought 31 machines back onboard. anyway, they were able to recover but it was at a bit of a cost. what tools or programs are currently available to these municipalities to assess the current systems and develop and implement plans before their attack? >> sure, i'll start. i mentioned earlier there's a number of services and resources that are available for our state
1:01 pm
and local communities including rural counties. a number of those are often at no cost either from cisa directly or through the multi-state designed and set up from cisa to support the state and local governments. so that includes assessments and actual technology that will detect and block activity on those networks. and some incident response support should they need it. i think congress has also spoken. there will be additional resources available. in addition the infrastructure bill established a cyber response and recovery fund starting small. this is the first time we're going to be utilizing it, and it is a way to help in the face of
1:02 pm
significant cyber incidents, a way for the federal government to surge resources, to respond and recover from those -- from those incidents. so we're looking now about the stand up of both of those programs and identifying how exactly we'll work with our state and local colleagues. but in the case of the grant program it's going to ride on fema's existing processes, so they're good about getting that money out to local communities. and we're working in close partnership with them in its stand up. >> it's been mentioned already but i'd like to submit for the record this article. biden tells putin certain cyber attacks should be off-limits, and just the logic behind this in us listing 16 areas that are off-limits really does open up the door from a messaging standpoint everything else is on limits, notably these rural counties. you know, and i would just
1:03 pm
suggest if you can take the message back to the white house saying you should be having the message all cyber attacks are off-limits and we need to be standing strong on that. it would be certainly greatly appreciated. i wanted to ask you about our pipeline. could you speak to how we can develop the pipeline. and mr. wales, you may need to speak on this, too. as we sit here and talk about real nation state threats and then see news like this and then we're asked to give more resources, you ought to come
1:04 pm
here because you would like more resources, which there's bipartisan support for, no doubt. we need to firm up our cyber. it is a critical defense mechanism for our nation. but when we see resources in our intelligence agency being dedicated to investigate parents at school board meetings, it really makes it hard to, you know, just blatantly just give more money to these sort of resources. could you speak to the talent pool and then using the resources of our intelligence agency and cyber security apparatus? thank you. >> sure. i think i'm going to stay squarely focused on one topic. within the department of justice and fbi we're different from dhs and cisa and dod and nsa.
1:05 pm
what they can pay someone who's 22 coming out of college with a science degree far outpaces our skills by 50%. and that is a very, very significant concern of ours moving forward. we do believe that once we have people in the door that we can retain them well and our numbers indicate that. our retention rate is well over 99%. but the key is how do we attract that talent and right now the biggest gap is the pay gap. >> sir, you know i can't comment on that. that's a memo issued by the attorney general. >> so is the fbi taking it
1:06 pm
seriously the memo from the a.g. or not? >> i'm not in a position to answer that question. >> the gentleman's time has expired. the gentleman from illinois, mr. davis, is recognized for five minutes. you need to unmute, mr. davis. mr. davis, we can't hear you. you need to unmute. >> thank you, madam chairman. this hearing is focused on the need for the federal government to marshal all of its resources to strengthen the nation's cyber defenses against ransomware attacks led by cyber director chris inglis. it won't be completely
1:07 pm
determined by decision makers and government buildings. it will also be determined by decisions made in company boardrooms by businesses and even on local school boards. director, you have previously stated and i quote, we need to increase awareness so that every citizen, every person who experiences cyberspace has what's necessary to cross the digital cyber street in the same way we teach children to cross actual streets. of course large corporations have entire departments dedicated to i.t. whereas small businesses and individuals typically use off the shelf i.t. products and have minimal expertise in cyber defense. director inglis, how important is
1:08 pm
outreach to improve our nation's defenses, and how can we effectively communicate this need to individuals and organizations of all sizes? >> congressman, thank you very much for the question. i standby those previous remarks. i would say it's very important to get the people piece of this right. the definition i like of what cyberspace is, what cyberspace the noun is, of course it's technology, but it is also people. not simply kind of people being served by cyberspace. people are in cyberspace. the decisions they make determine the operation of cyberspace, and then finally doctrine. how do we get the roles and responsibilities right? who's accountable under what circumstances. that's not something people who have the word cyber or i.t. in
1:09 pm
their job title need to get their head around. everyone. how do we do that? broadly i think there needs to be some sense of accountability what individuals are accountable for, the public sector, the private sector. we need to each feel some degree of accountability, and training and awareness at the earliest possible level. i suggested and i quote that we do that in kindergarten, the earliest possible moment someone is brought into contact with cyberspace we need to teach them the ins and outs of that as much as we teach them to navigate a hot stove or busy street. >> thank you very much. the security framework provides five key functions that form the backbone of good cyber security.
1:10 pm
identifying risk and assets, protection of data and systems, detection of attacks, response and recovery. cisa director easterly previously testified that 90% of successful cyber attacks start with a phishing e-mail and that multifactor authentication would reduce chances of successful attacks by 99%. mr. wales, do you see organizations not investing enough money to guard against ransomware attacks? and if so, please explain. >> so i think as you would expect the implementation of sound cyber security practices will vary significantly across industry. there are small businesses being protected and large businesses that are going to have significant holes. we feel like it is our responsibility to help raise
1:11 pm
that baseline of cyber security by highlighting the key things that need to be done by everyone, get us to that right baseline of cyber hygiene where things like multifactor authentication are widely used. that people are keeping up with their patching, identifying vulnerabilities. as i mentioned in my opening statement we recently finished cyber security awareness month in october, and we were extremely focused on trying to raise the awareness of the importance of multifactor authentication on those accounts, but in particular those accounts with higher privileged access. it's not going to be enough. there are still going to be companies who are not focused on this problem, who will not focus on it until it's too late, until after they're hit. i think we need to do everything across the united states government and in partnership
1:12 pm
with the private sector to raise awareness, highlight the best practices that should be used and make sure the right individuals and organizations are held accountable. >> let's say i'm a small business owner without a dedicated i.t. staff. where should i focus most of my attention and resources to protect against ransomware attacks? is it prevention or what should i do? >> your mic, please. we can't hear you. >> congressman, we actually released on our website a list of what we call cyber essentials. what are the first things you should do when putting in place more effective cyber security. multiauthentication at scale is
1:13 pm
the first step you should take. >> thank you very much. >> thank you so much. the gentleman from georgia is recognized. >> thank you, madam chair. mr. inglis, last year when congress was debating whether or not to create your position, the national cyber director, there were some concerns that we were just going to be creating yet another layer of bureaucracy. so if you can help me understand within the context of what we're talking about today ransomware, what role does your office play? >> thank you for the question. if i might put that into context. in the context of ransomware my job would be to ensure the various instruments the government can bring to bear are
1:14 pm
deployed in a way that is concurrent, useful and complementary, and we've talked at some length in this hearing about the role of sector risk agencies, about the fbi, about the roles of cisa. my job is to ensure those are applied and looking back at the government you don't need a ph.d. in government to essentially deal with the government. the second broad role i would then describe is the role of the national security council which outside of cyberspace is accountable to use all the instruments of power this nation can bring to bear, diplomacy, intelligence, military resources, financial resources, sanctions that might be applied to bring about the proper conditions in all domains not least of which cyberspace. so that role is also important. and the third role is those discrete individual roles of cisa, the fbi, sector risk management agencies, all who need to within their lanes do what they do in a way, again, that's
1:15 pm
complementary, concurrent, coherent such that the sum of those parts is much greater than its sum. >> it sounds like the buck stops with you insofar as ransomware is concerned for the government. do you set federal policy? >> the buck does stop with me in terms of performance of the federal government. i'm not entirely capable of setting the federal policy which often is dictated by law or existing statute. but to the extent we need to adjust various roles and responsibilities and relationships, i'm the accountable person. >> okay, so as it would relate to whether or not just as an example going to withhold encryption keys from victims as it appears the fbi has done, what role or policy would you have in that decision? >> i should be involved in that
1:16 pm
decision. i should be at the table for that decision. there are other factors that come into play in terms of making a determination about a decision of that sort. >> what other variables go into a decision of that nature? >> let's take that incident, again, i wasn't there so i'll observe from the distance i enjoyed. >> well, the buck stops with you. what kind of variables go into making that decision. >> there are two variables. the one not at issue is a desire by the federal government to achieve the greatest, broadest possible disruption of the threat being held against the united states or its citizens. the variables in that are how timely and how broad can you be in the application of that disruption? if you're timely in the extreme
1:17 pm
then you might give them the opportunity to escape kind of their ill-gotten gains and recover and repeat that experience on another day. you might not know enough about the nature they've done such you can disrupt it more broadly. if you wait too long such that you take it down in a strategic way, you've allowed too many victims to fall victim to that. so the alignment has to be made between timeliness and breadth. but there's no question disruption is the goal. >> that doesn't really answer the question in terms of variables when it comes to making a decision about withholding encryption keys. you're talking in broad principles. if you would i would appreciate if you could give me a more detailed answer in writing. the fbi certainly has had some credibility issues in the past years, recent years. but overall i believe americans look at the fbi as it relates to
1:18 pm
the cyber area. this past weekend at least has reported and appears to be accurate that thousands of spam e-mails masquerading as fbi were sent to state and local officials warning them of a phony cyber attack. so can you explain to me now how this event does not raise somehow more questions regarding the veracity, the accuracy of fbi alerts in the future? >> sir, i'm not sure i understand your question, but let me do my best to answer. certainly this weekend, you know. >> the question has to do with the phony e-mails that went out from the fbi warning of a phony
1:19 pm
cyber attack to state and local officials. that being done how can the accuracy of future e-mails from the fbi be depended upon from state and local? how will they know what's real and not real if our own cyber has been impacted. i want to make sure we're protecting state and local officials. >> the gentleman's time has expired so the gentleman may answer the question. >> that's an incident you're referring to that happened this weekend, but we know specifically how it occurred and also know no fbi data or personally identifiable information was compromised. that software application was taken immediately off-line, so we consider the incident contained, and we don't think it'll impact any future
1:20 pm
communications coming out of that e-mail server. >> i yield madam chair, but that did not answer the question as to how people can rely upon the fbi's information in the future totally evading my question, and i would like an answer, thank you. >> the gentleman's time has expired. the gentle lady from new york, ms. ocasio-cortez, is recognized. >> thank you so much, madam chairwoman. director easterly, your team looked at some of the excess death data during the ransomware attack on university of vermont health network. i was quite frankly surprised by the conclusion of that case study, that ransomware attacks on hospitals are correlated significantly with loss of patient life. now, briefly how is it that these ransomware attacks have that kind of impact? >> congresswoman, that study looked broadly at excess deaths
1:21 pm
during covid -- during the covid pandemic largely looking at what happens when hospitals are overwhelmed with icu patients suffering from covid. what were the number of excess deaths from other -- from other types of needed hospitalizations or icu admittances, so there were excess deaths from things like heart attacks, cancer, et cetera. we were highlighting during the course of that study that ransomware incidents have the potential to exacerbate the strain on hospitals and result in additional excess deaths, and that is why it is incumbent upon hospital administrators to make sure they have the right level of cyber security in place and they're aware of the potential for significant -- they're prepared for what might happen should their hospitals be overwhelmed by cyber or other disruptions, and it is why we're
1:22 pm
working so hard to highlight the results from that work and additionally what we can do to offer additional assistance to hospitals across the country as we've been doing over the course of the covid-19 pandemic. >> thank you. and as i understand it, the victims of ransomware attacks including institutions like hospitals sometimes they just pay this ransom and try to essentially not report it, but just to confirm and again very briefly, director, paying ransom to cyber criminals instead of reporting it out and working with the government does not necessarily guarantee that will be -- >> that's correct. there are no guarantees if any corporation or entity pays ransom it will necessarily be
1:23 pm
decrypted. >> and director easterly, currently the house is seeking to pass the build back better act. and now among other figures the bill includes more than $400 million for your agency, the cyber security and infrastructure security agency. now, in concrete terms can you help communicate to us and to the public of what that 400 million would allow your agency to do and what kind of capacity and what sort of implementation does that buy, per se? >> sure. so congresswoman, there's a number of provisions in there that deal with cyber security beyond cisa, but i'll focus on the provisions that deal with our agency and the additional funding it would potentially provide, and i think there's a number of initiatives there that go to a series of concerns that have been raised by members during the course of this
1:24 pm
hearing particularly related to the security of our critical infrastructure, the control systems that enable our infrastructure to operate. there's money in there that will help us to detect and monitor activities that happen on critical infrastructure networks and take quicker action in response. there's money in there for development to identify new and emerging ways in which we can detect and protect those critical assets. there's money in there for expanded training and education that go to a number of topics that we hit on. so i think there's a series of provisions that will certainly help bolster our ability to provide support to the cyber security of this country. >> thank you very much, and i yield back. >> the gentleman from north carolina, the gentle lady from north carolina is recognized. >> thank you very much, madam
1:25 pm
chair. i thank our witnesses for being here today. and i have a question for executive director wales and director inglis. we know ransomware attacks can be complicating. health care entities face additional requirements because their data can include protected health information that's covered by hipaa. entities covered by hipaa are required to report a breach of protected information within 60 days of the discovery of the breach. however, it can sometimes take several weeks of forensic investigation after ransomware attacks are discovered and protected health information was compromised. there's pending legislation that may require the reporting of a network breach to the department of homeland security. since health care entities often need time to discover the
1:26 pm
protected health information was compromised are there plans to address the interagency communication so that the answer is does not begin whether ransomware payment is reported but rather once the health care entity has determined that a breach of protected health care information has occurred? >> ma'am, obviously there's a number of different versions of the cyber incident reporting legislation that are moving around. they will have somewhat different responsibilities for the degree of regulatory harmonization that may be required because obviously there's a number of regulators that require incident reporting from our critical infrastructure and the financial sector and the energy sector and others. part of that legislation it would seem would require cisa to work with those agencies if we are implementing our regulation.
1:27 pm
part of it would require once information is reported to them, it would be further reported to us within 24 hours once they get that information, but it's a little too hard to say in terms of what will be the final passage of the bill. we're still working closely with relevant congressional committees on that legislation. but i can assure you that our goal working with director inglis and others would be to ensure the maximum harmonization of those regulatory requirements. >> thank you. >> i would simply add that most of these bills have a rule making period such that the bill is not implemented immediately upon passage, but after some months in some cases as much as two years afterwards, after there's a kind of full consideration of the concern you raised and others. >> thanks. mr. wales, with regard to cyber
1:28 pm
security are there enough qualified workers for you to hire at cisa? >> that question is kind of hard. we're not hiring them in a vacuum but in an environment where there's intense competition for talent and they're doing a lot to recruit and retain the cyber work force we want, and i touched upon some of those issues earlier, but i do think it is essential for the nation that we grow the pipeline of people who are focused in this area. it is not going to be enough to just look at the people available today. we need to think about what the needs are going to be in the future, and to do that we're going to need more people who are interested and focused on this area and get involved whether at the federal government level and state and private sector in academia in the research and development community and security research community so we need to grow that pipeline. we've got initiatives and it's going to take a whole of nation
1:29 pm
effort to make sure we've got what's required. >> director inglis, cyber security is not an issue people often think about until there's a problem. should strengthening cyber security be the role of the private sector and the government rather than citizens? >> thank you for the question. it's a wonderful question. i don't think cyber security at the end of the day can completely go to a group of experts who build and operate to a group of people who are serve and made by ordinary users who depend upon it to conduct their livelihoods or their personal
1:30 pm
affairs or businesses. those choices are actually reflected in weaknesses of cyberspace. therefore everyone must be involved and broadly a campaign for awareness, and some degree of awareness and training that equips people so they can fulfill the roles they need to as individuals, organizations or sectors. >> again, i would invite you if you have some suggestions on how we can enhance our national cyber security, that you don't have a chance to talk about today. i hope you'll share those things with us. >> i would love an opportunity to engage with you and your staff. >> thank you very much. >> the gentlewoman from michigan is recognized. >> thank you, chairwoman. thank you so much for being with us. if you work with an organization that is successfully hit with a ransomware attack, this is an example of the kind of ransom note you might find on your computer system. this is a ransom note left i
1:31 pm
believe by a cyber criminal group that is behind some of the most prominent ransomware attacks of the past few years including those on software provider and the meat marketing process jbs foods. this note reportedly was part of the attack and deployed against some of their customers. there's a lot of information as you all can see. but i want to focus on the line that says you have two days. right under that deadline it says you pay $5 million ransom and says, quote, if you do not pay on time the price will be double. this a common tactic used by attackers correct? >> generally, yes, this is what cyber criminals are trying to do
1:32 pm
to extort money out of victims. would you like to comment in regards to that because i think the time line. >> sure, i appreciate the question and opportunity. the bottom line is it is an extortion tactic that is heavily leveraged based on time. we have unique data in our holdings based on the number we worked that show how long we can potentially negotiate and what type of reductions, and that's information we're happy to share with victims should they get hit with a certain ransomware variant. >> part of that threatening is not just a deadline in doubling but also threaten the stolen data, make news of the attack public or destroy the key to pressure victims to pay, right? so, assistant director, in your view should companies pay the ransom immediately? >> let me split that question into two, ransomware groups move
1:33 pm
into a double extortion model. the data is used as additional leverage to hold leverage over the company or affected organization. so our position on paying ransoms has remained the same, which is we do not recommend paying the ransom because it fuels the criminal enterprise, but we do understand it's a business decision. the only thing we would collectively ask the government so we can do our best to track the money. >> director inglis, one of the things i find here there seems to be emphasis on new laws in criminalizing, right, and i believe we have some strong legislation now and these types
1:34 pm
of attacks and criminal activity do you think it's really about resources and more funding and investment and enforcement or do we really need new legislation to try to attack this? >> thank you for the question. i think your question goes to the heart of the matter which is we need a comprehensive approach. we need to double down on investment and resilience across technology and making sure we've got the right roles and responsibilities. do we in fact make it such a transgressor needs to get past all of us to get at one of us? which then if we fail in those first two pieces which should have a determinative effect we're left responding to an incident. if we only did that third bit we would find ourselves in an impossible tail chase. >> one of the things i know
1:35 pm
happens in the local government okay, we invested this much in your department or division and the result became -- are we able to track the result of investing build back better what we have is millions of dollars of investing in this issue, how is it working so colleagues can see we need to do more in this way? >> that's a great question, too. during my time in the private sector i was often asked the question. am i taking risks i don't actually want to spend time and money to secure because it's not a risk that i think is worthwhile? have i balanced, right, my risks
1:36 pm
such that i've done the necessary preparation, it's resilient and robust? am i actually following what the system is doing such that only that last bit then can i detect an anomaly, some transgressor inside the system. you have to think what the purpose of the system is. if you've done both of those things then you can ask do i need further dollars and i've determined i haven't been able to secure through resilience, proactive defense or pursuit. >> thank you so much. very insightful. i yield. >> thank you. the gentleman from wisconsin, mr. grossman, is recognized for five minutes. >> thank you. first question, this is for mr. inglis. as i understand it there was recently a cyber incident and an important part of government,
1:37 pm
and it took your agency quite a while to become aware of it. it wasn't reported to your agency for quite a while. is there any reason why agencies are apparently afraid or hesitant to share information with you or could you give your general opinion of that incident? >> yes, so if i recall the incident you refer to happened in late july. i think we came forward to the congress, the federal government came forward to the congress in mid-august to describe the nature of that incident. what we were doing about that. is that the one, sir? >> i believe so. and i believe your agency was not made aware either. >> we were not. it's almost coincident with the incident we believed to be significant. i believe there's a couple of challenges here. one is that there are hundreds of things that happen in a system every day that might be constituted as anomalous.
1:38 pm
it's not something you may have expected but something in the end may have been a simple anomaly. they're not all cyber events that rise to the level of significant or major, and therefore it's almost impossible instantaneously to determine what's major or what's not. a transgressor does not always reveal their methods on that first day. long story short it might legitimately take two or three weeks. the challenge is you had an agency that determined something had happened, understood this was in the context of a lot of events taking place and determined on its own merits this didn't meet the level of major or something reported. quantitatively the statistics they cited were appropriate and therefore it was a decision and locally what we determined when we became aware of that in the middle of august this was an incident that could have happened in other places and we need to take that signature and
1:39 pm
check in other places which we did. and it was something in the longer scheme to make sure we prevented this from happening again. the context matters greatly and it took 3 1/2 weeks and we need to be quicker on the draw and reduce noise to information that matters and perhaps level set across various agencies and departments that we come to the same -- that's the scheme we're implementing at this moment. >> it's a concern this be reported quicker. you can tell by the discussion here today people talk about china, russia, north korea, iran i guess without identifying those countries. i imagine why you wouldn't want to. do you feel that is a comprehensive list of countries you have to read about here, or are there other countries you
1:40 pm
believe should be of concern as well? >> i think we have an understanding which nations are at risk if that's the question. >> okay. do you feel that's a comprehensive list? >> i think we know what that list is, the names you mentioned on that list. >> okay. and presumably other questions as well. should we be concerned al-qaeda or isis are planning an attack or they have the means to do it? >> i would say there are a number of entities, organizations or nation states in the world that have the ability to hold cyberspace, cyber infrastructure at risk. we've been discussing this morning a variety of individuals who operate in the safe havens near russia that have held us at risk. and so i would say that al-qaeda, isis, anyone who places time and attention in the development of cyber methods
1:41 pm
could hold us at risk. we don't at the moment discern that is at this time a risk from them. >> okay. that would include countries adjacent to i guess afghanistan right now kind of a bit of a hodgepodge. would you say that -- say that successor governments or groups operating would perhaps be a problem. >> i'm worried about any collection of individuals that would have a low cost of entry and some ability to develop talent that could hold us at risk. again, we've been describing this morning a number of individuals who have been formed into a syndicate and we are not powerless to prevent that if we increase the resilience proactively and collaboratively defend those systems. >> thank you. >> thank you. and the gentleman from
1:42 pm
california, mr. desaulnier is recognized. >> thank you, madam chair. i want to talk a bit about information. a recent report surveyed 600 health care organizations and found as many as 40% of them were targets of these types of attacks. and at least in one instance there's a loss of life, extended stays in hospitals, our normal response because of these attacks, an undetermined as yet cost to our health care system. >> maybe you could talk to us about why health care systems specifically are so vulnerable. >> sure, congressman. we've had one of our senior health analysts describe our
1:43 pm
hospitals and target sectors as resource poor. and ones that are the focus of adversaries because they believe they have a soft underbelly and that in the case of ransomware they'd be willing to pay to get that hospital up and running very quickly. on the other hand, they don't necessarily have the resources and capabilities to devote to enhancing cyber security to match the degree of risk they're facing. that is why i believe we're trying over the course of the covid-19 pandemic to ensure as hospitals became increasingly fragile and being overwhelmed with covid patients we were able to surge support to those entities, get them to the free services we offer, but frankly that's only scratching the surface. there's a lot more we need to do to make sure hospitals are as protected as they need to be given the potential for disruptions there to have real consequences on the communities. and this is an area where there's a lot more work that's
1:44 pm
needed. i'm not here to pretend what we've done is nearly enough. this is going to be a constant focus for our agency in the years ahead to match that risk that's out there. >> i'd love to work with you more, and i'm sure there's many people in congress who would like to work with you more. this infrastructure is obviously really important and there should be a sense of urgency as you say coming out of covid. assistant director, could you tell us about specific organizations that are targeting our health care industry and hospitals? >> if i understand your question correctly you mean which ransomware variant groups are targeting health care? is that accurate? >> yes. that's the question. >> sir, it's a difficult
1:45 pm
question to ask because these criminal groups really go after groups of opportunity where they can find vulnerabilities. certainly there may be common vulnerabilities in the health care network that any number of the 101 ransomware groups we track could target, but i think it's important to recognize that it's really the calculus of where can the criminals find the best vulnerability and the best access, and certainly that is prevalent in the health care industry but also prevalent in many, many other critical industries as well. >> we've got laws, hipaa protecting patients and doctors and the federal level and state level providers. are there things unique to this industry we can be helpful with so that health care organizations can provide you with the information but not feel as if they were becoming susceptible to some other
1:46 pm
privacy issues or litigation. >> i'll start, sir. so within the fbi we have a concerted effort to engage the health care industry, and really the focus of that engagement is sharing tactics, techniques and procedures of these ransomware criminal groups but also specific indicators of compromise they can build into their net defense posture. we work very closely on those lines of effort with cisa on a routine basis to make sure we get to the hospital communities. and regarding your questions about hipaa, where hipaa and other pii come into play is the incident response framework, and there is concern certainly, hipaa, pii across industries, of willingness of affected industries to share
1:47 pm
inadvertently pii. have the health care industry work through in a moment of crisis how would they be able to inform cisa or the fbi or the other relevant government federal entities as quickly as possible by lowering the barriers to pii and hipaa? >> i really appreciate that. i look forward to working with any of you and the committee to make sure we can protect this important part of our culture and the health care system. thank you, madam chair. i yield back. >> thank you. the gentleman from texas, mr. sessions, is recognized. >> madam chair, thank you very much. and thank you to this hearing. i want to ask the entire panel, but, general, i'll probably focus on perhaps you first. i'd like to move down the pathway and that is called lessons learned. can you tell me how many prosecutions, federal
1:48 pm
prosecutions have occurred in the last five years on these issues of cyber security? >> sir, i don't have that information at my disposal at the moment. i'd be happy to take that question for the record or defer to the assistant director. >> director? >> sir, i can't answer that question with great fidelity. i can take it back and get you that answer. >> the reason i asked the question is just like mr. desaulnier said we are interested in what lessons are learned from the investigations that you do, and we're interested in knowing how best -- there was a question asked earlier about new laws, but i think we ought to know the effectiveness of what we're doing. we're spending a lot of time, a lot of resources. it's a national priority that we're engaged in. which one of you should i look
1:49 pm
to getting that answer from? >> i'd be happy to check the lead on that. >> thank you, we'll write you a letter to help you. we'll follow up and write you a letter dwsing that information. we'll include the chairwoman in that request. for any one of you you could probably dissect the marketplace problems into about 50 different areas. i'm going to put it simply today in one or two ways. and that is malware which is this malicious use of the computers -- the other might be computer induced where someone broke in necessarily from an employee or something. but as it relates to an employee and related to how the employer has protected their own data and
1:50 pm
their employees', are you finding -- or what would the discussion be of company -- what i would call a company induced breach? it's not related to anything else, someone was not given the right thing, and someone had an employee who gave this. how would you respond to that, let us know about the size and scope of that threat. >> so preliminary estimates, or the best data we have that drives our estimates are that 90% of cyber breaches on user, end-user equipment or infrastructure for a company are induced by human error but i think where we see an intersection is where we would see an insider threat and the information that an insider has access to, that's trying to sell to a nation state or somebody getting economic gain, and the overlap between that set of information, intellectual property, whatever have you, and what hackers are also going after, and we see a core intersection between insider threat, hacker breaches, going
1:51 pm
after the same thing we've seen in covid research, advanced defibrillators, we've seen across a gamut so a keen intersection there. >> in other words, your investigators, once they were able to effectively get their handle around the problem and look at how things happened, you're finding that employees and systems within companies many times as the large breach, so one of the questions i'd like to ask, general, then, if you have that information about how many people then were prosecuted, what i would call on an internal basis, by their company, one of the questions why we ask this, and one of my colleagues previously asked is are there new laws. years ago we were really concerned with making sure someone could report their
1:52 pm
information without being held liable necessarily, in other words to share information about the things happening which would help everybody. but in this case, if a major part of, as you allude to, some part of the failure is with an employee, for us to know more about those employees, did they come from a certain pool, perhaps, a school, mba program where they had been involved, perhaps an area of the country, perhaps on something, whatever your investigation may do. if you could give us any clue about -- >> we're happy to take that question and provide a fulsome response. i would say the 90% figure the assistant director cited is one that i cite as well but the vast majority of those people don't intend to make those mistakes. they simply make them. they're not well-equipped to
1:53 pm
make an appropriate choice at the moment, may click on a link thinking it's one thing, provided by someone phishing them, so on and so forth so can give great clarity to the things attributable to human beings and those malicious in their intent. >> and i think that's important, i'm not an athlete, i'm a football player and through interceptions i didn't mean to but had to correct my behavior in some circumstances what happened when i threw the pass and i think in business understands more clearly, the huge part that their employees play, and i know we talk about it in the private sector a lot and in the government a lot, but i think that focus of that activity would help me, and i appreciate you being here. each of you, this is a serious attempt. i will tell you, it's just a byline, but in 1985 when i was in new jersey, in old bell labs,
1:54 pm
i was in the original bell labs team that invented what might be, what became broadband, and we began gathering data and information that would be in a switch, which would then gather data and information about how this data stream would be included in the bureau. my father was director at the time and the bureau was very concerned on what was being built in as information that could be gleaned on both sides of that, not only from a perpetrator but also from a company, to gather information about that. and i might ask, not now, but i might ask, at some point, for you, assistant director, about your viewpoint of gathering data and information, whether that has stayed up with time that would aid and help not just law enforcement but the managing companies and their effort.
1:55 pm
>> sir, i'd be happy to have that conversation with you at any time. >> thank you very much, madam chairman. >> time's expired and we're moving on. the gentleman from georgia, mr. johnson. >> thank you madam chair for including this very important committee meeting today and hearing on this very important subject. i introduced the cyber security opportunity act with senator ossoff and an education program at majority black universities and institutions, this legislation would promote cyber security education and introduce grants to hbcus and msis and help build a more diverse work place, mr. wales and mr. vorndran, how important is it to
1:56 pm
bring diversity into the cyber security work force? >> i think diversity is very important, makes that team harder to beat than any other team bringing diversity to the table. i think that investment is very important. >> i think cyber security is largely thought of as largely a technical problem, and we often say it's really a problem-solving challenge and we need people who are effective at solving problems and the more people and diversity we have looking at those problems, the better we're going to be at solving them and bringing the right solutions to the significant risks and challenges that we face in this area. so we are working hard, as i mentioned, this is one of the top priorities for the director at cisa is to expand our work with hbcus and minority work institutions and reaching out to
1:57 pm
communities that have never been priorities for engagement in the cyber security sphere among highest priorities and happy to work with you on the legislation you discussed. >> thank you, sir, mr. vorndran. >> thank you, i'll broaden your question a bit and say for the fbi, diversity across the organization is a number one priority for all of us. certainly that cuts into cyber and the need for diversity. what mr. inglis said, it counts for every view point in our society. >> thank you, mr. inglis, according to an article published by the association of american medical colleges, about a third of healthcare organizations globally reported being hit by ransomware in 2020. while the inconveniences of
1:58 pm
cyber attacks such as the one on the colonial pipeline were felt in many homes, our family members and friends' lives are at risk when hospitals go offline. with so much reliance on the internet in general, are hospitals generally prepared to meet the challenges to patient care that arise from ransomware attacks? >> thank you very much for the question, congressman. i don't have the data on hand to indicate how many of those were successful. again, we know about 25% broadly, of attacks that take place. we don't know about the other 75%. that being said, i think every critical sector, the hospitals being in the center of one very important critical sector i think can do a better job of improving resilience and robustness, kind of mounting a proactive defense and ultimately, ensuring they access all resources to include governmental resources to help in that defense or the response.
1:59 pm
as i think was indicated earlier, it is often a target-rich environment, resource poor environment so need to make sure the hospitals have the necessary resources to make those investments and properly defend those assets. >> thank you, mr. inglis, in the same article, it was disclosed that rural hospitals are more subject to attacks than those in urban areas. how is your office addressing the need for cyber security resources such as training and software in smaller, rural hospitals. >> sir, if i might, kindly defer the question to deputy director brandon wales who addressed this earlier, and thoughtfully so. >> it is a real challenge to make sure we get out to the organizations that are in most urgent need of our support, and i think we're trying to do this at a number of different levels, a lot of this concerns working
2:00 pm
with the state level with the state authorities that we can help bring down support they have into the local communities, identify those places that most need support and some states have things called cyber navigators, which are cyber security experts provided by the state to support local communities building their cyber security posture. we deploy cyber security state coordinators from cisa to be a linkage back to the federal government, back to cisa and make sure our products are being used at state and local level throughout the country. in addition, the most recent infrastructure bill included a cyber security grant program that could help many public hospitals throughout the country, particularly because it had certain provisions that require certain support to go through rural communities as part of that grant program so we think it could be an important stepping stone to begin to provide some of those resources the communities need to put in place the base-line cyber
2:01 pm
security we would want for such a critical infrastructure to have. >> the gentleman from georgia, mr. clyde is recognized. >> thank you madam chair, director inglis, great to see you again, director wales, thank you for sharing your insights on the threats of ransomware that it poses to our security. i would also like to wish cisa a happy third birthday. director inglis, i would ask you this question and like a follow-up from mr. vorndran, i believe a company's defense is best summed up in its offense, offensive capabilities. so without a strong offense, i think our nation will lack the ability to deter and defend
2:02 pm
attacks from both state and nonstate actors. can you briefly highlight what capabilities are at the state's disposal to eliminate those threats and if you believe you cannot discuss those capabilities, to the extent you'd like to in this hearing would you be willing to come back and hold a classified hearing to help me and my colleagues better understand those capabilities. >> i would certainly be pleased to come back in a classified hearing more wholesomely, but i would say in cyber space, as much as cyber space can impact any instrument of power we should, in turn, use any instrument of power to affect cyber space so our offense as it were, is not only necessarily to do things within cyber space but employ diplomatic remedies, private sector remedies, remedies on their own infrastructure to bring all that to bear in a full wholesome way such to cause cost to
2:03 pm
adversaries, again, offense must be an extension of the defense, defense needs to be equally important to us. >> thank you, mr. vorndran could you comment on that too please. >> of course sir, when you talk offense i see what you're saying but i think we miss in a role how much investigation plays in helping provide that defense, making sure our victim entities in this country are in good shape. you know, for every one victim, there's usually a dozen or hundred more being affected by the malware, you know, the recent critical infrastructure compromise able to get agents out to the scene immediately, immediately pivoted using investigative tools, found other zero days in critical infrastructure, worked with cisa able to patch all those when the patch became available, those other critical infrastructure companies never would have known they were potentially vulnerable victims. had a situation with a hospital
2:04 pm
recently, able to get to a hospital within hours to share indicators of compromise that allowed them to eradicate an adversary from their network in real time, so i appreciate the question about offense. i would want to be part of that classified briefing with director inglis but i believe there's a hybrid space in here between true defense and true offense that our force is filling extremely well on a day in, day-out basis. >> well, thank you, i think cyber attacks are one of the most dangerous ones where outside entities can pierce our defenses and affect our civilians that don't have the defensive capabilities. also, assistant director vorndran, in your testimony here, you say doj also has extensive experience in navigating complex privacy and civil liberty issues that inevitably rise from new
2:05 pm
requirements and prove invaluable to set the standard to see strike the right balance that incident report information is collected, stored appropriately, it is not mentioned that civil liberties are protected. would you speak to the importance of protecting these civil liberties and fbi and doj commitment to do just that, please? >> sure, any new incident-reporting legislation, the fbi and department of justice's position has always been the same. we want full and immediate access to any data reported to the u.s. government, because we are a decentralized organization and we can get people on site almost immediately. we're also very, very attentive and understanding to civil liberties, personal identifiable information, and everything that's derivative of that and would be willing to work within confines of a bipartisan bill to make sure those elements are clearly protected, to make sure
2:06 pm
everybody's in a good space. >> okay, thank you, i appreciate that commitment, and got just a few seconds left for director wales. director easterly recently had the opportunity to discuss how the government's hiring process has hindered cisa's ability to recruit the work force to save our nation's important entities, highlighted how the federal government has 20 steps to hiring someone and the process takes about 200 days, whereas the private sector's process usually takes about 60 days, can you recommend to the committee how we can streamline the process so cisa can be better staffed so it can more effectively carry out its mission? >> sure, sir, it's a great question. this is an area that is of intense focus for our entire agency right now, we have worked over the past year to reduce the time i think 15%, went from 240 to 200 days on average to hire a
2:07 pm
person but still obviously too long. we're looking at n10 review to understand what do we have the ability internally to change, without new requirements from legislation but we're happy to come back to you to talk about what we identified and if there are additional tools that we need in order to streamline it further than we can do internally. >> thank you, very much, and i yield back, madam chair. >> thank you, and i join you in your request for classified briefing. democrats also expressed concern and wanted to investigate this further. before i close, i want to offer mr. grothman an opportunity to offer a closing statement. >> i'd like to thank you for having the hearing. i thought it was a good bipartisan hearing without the partisan rancor you sometimes have. i'd like to thank our guests for being here. this is an important topic and failure is really not an option. some agencies can flop around
2:08 pm
and our country will continue on but you guys cannot fail, and i hope you make dealing with cyber security threats your number one priority and some indications from your comments that might not be your number one authority or goal but it's got to be your number one goal. i share in the request for a private meeting sometime and again, i thank the chairman for keeping such a cordial hearing going, one more time. thank you. >> thank you, the gentleman yields back. i'd like to thank first and foremost all our witnesses for appearing today, including mr. wales who appeared on very short notice, thank you. today's hearing advanced several important goals. the hearing highlighted key findings the committee released today from our investigation into major ransom payments made
2:09 pm
by u.s. companies to cyber criminals. these payments only fuel more criminal attacks. today's witnesses also agreed, with the committee's findings, that we need to do more to enhance coordination among federal agencies in responding to these attacks. mr. inglis, whose role as national cyber director was championed by this committee, will be crucial to that effort. his office finally received permanent funding yesterday, when president biden signed the bipartisan infrastructure bill and i'm looking forward to his continued leadership. today's hearing also demonstrated the significant strides the biden/harris administration has already taken to tackle ransomware head-on including by helping the private sector to prevent attacks, prosecuting attackers, and working with our allies to fight back against this global challenge. finally, today's witnesses made
2:10 pm
clear that the time for congress to act is now. we need to disrupt ransomware incentives, and require incident reporting so that the federal government has full visibility into every attack. i urge all my colleagues to support this critical, bipartisan legislation. to all of the witnesses, i thank you for your service, and i look forward to working with you to strengthen our nation's cyber defense. with that, i would like to just end by saying and closing that i want to commend all of my colleagues and the panelists for participating today in this important conversation. with that and without objection, all members have five legislative days with which to submit extraneous materials and to submit additional questions to the witnesses for the chair, which will be forwarded to the witnesses for their response.
2:11 pm
i ask our witnesses to please respond as promptly as you are able. this hearing is now adjourned. thank you.