[Senate Hearing 115-588]
[From the U.S. Government Publishing Office]
S. Hrg. 115-588
EVOLVING THREATS TO THE HOMELAND
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 13, 2018
__________
Available via the World Wide Web: http://www.govinfo.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
34-575 PDF WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MICHAEL B. ENZI, Wyoming
JOHN HOEVEN, North Dakota
STEVE DAINES, Montana
JON KYL, Arizona
CLAIRE McCASKILL, Missouri
THOMAS R. CARPER, Delaware
HEIDI HEITKAMP, North Dakota
GARY C. PETERS, Michigan
MAGGIE HASSAN, New Hampshire
KAMALA D. HARRIS, California
DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Michelle D. Woods, Senior Professional Staff Member
Colleen E. Berny, Professional Staff Member
William G. Rhodes III, Fellow
Margaret E. Daum, Minority Staff Director
J. Jackson Eaton, Minority Senior Counsel
Subhasri Ramanathan, Minority Counsel
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Thomas J. Spino, Hearing Clerk
CONTENTS
------
Opening statements:
    Senator Johnson
    Senator McCaskill
    Senator Hassan
    Senator Jones
    Senator Peters
    Senator Carper
Prepared statements:
    Senator Johnson
    Senator McCaskill
WITNESSES
Thursday, September 13, 2018
Kevin Mandia, Chief Executive Officer, FireEye, Inc.
Cathy Lanier, Senior Vice President of Security, National Football League
Scott McBride, Manager, Infrastructure Security Department, Idaho National Laboratory
Jennifer Bisceglie, President and Chief Executive Officer, Interos Solutions, Inc.
Alphabetical List of Witnesses
Bisceglie, Jennifer:
    Testimony
    Prepared statement
Lanier, Cathy:
    Testimony
    Prepared statement
McBride, Scott:
    Testimony
    Prepared statement
Mandia, Kevin:
    Testimony
    Prepared statement
APPENDIX
Responses to post-hearing questions for the Record:
    Mr. Mandia
    Ms. Lanier
EVOLVING THREATS TO THE HOMELAND
----------
THURSDAY, SEPTEMBER 13, 2018
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:31 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, Lankford, McCaskill, Carper,
Peters, Hassan, Harris, and Jones.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. Good morning. This hearing will come to
order. I want to thank the witnesses for traveling here, for
taking time to write your testimony, and your willingness to
appear and answer our questions and give us your oral
testimony.
I will ask that my written statement be entered in the
record.[1]
[1] The prepared statement of Senator Johnson appears in the
Appendix on page 35.
As I was explaining out back or in the ante room, this
hearing really is borne out of my own personal frustration. I
have been here 7½ years, and I cannot remember where this
phrase was coined, but it is over the last couple of months as
I have been talking about a number of these issues. We have
been sitting here admiring these problems and just not
effectively addressing them.
So, today, we are not covering all the potential threats.
We are going to have our full-fledged threat hearing with the
Federal Bureau of Investigation (FBI) Director and Secretary of
the Department of Homeland Security (DHS) and the head of the
counterterrorism group. That will be in a couple weeks.
But I wanted to assemble some experts on some of these
specific threats that literally could be existential. I do not
want to scare people. I am always, to a certain extent,
reluctant to lay out these threats. I do not want to give
people any ideas, but some of these things are just so public
now and so obvious in terms of what these problems are.
I think it was in March 2015. We had Joe Lieberman and Tom
Ridge here. They developed this blue ribbon study panel on
biothreats, and back then, they had a pretty simple suggestion.
Number one recommendation was we need somebody in charge. There
are more than 20-some different appropriations, different
agencies, and a number of different agencies were doing things.
But there was nobody in charge of what happens if we actually
had a real biothreat and how we would react to that.
I would say kind of the same thing is true of cyber. We
have Kevin Mandia, a real expert with FireEye, talking about
the different types of cyber threats.
It is certainly true with drones. We have been trying to
pass a bill--I think we are getting a little bit closer--in
terms of just giving DHS the same authority to start studying
how to counter and some authority to counter drones, like the
Department of Defense (DOD) and the Department of Energy (DOE)
have over some of their facilities.
But I was shocked. I think most of my colleagues were
shocked that we do not have the authority to even study, much
less counter use of drones.
We have held multiple hearings on the threats of
Electromagnetic Pulse (EMP) and Geomagnetic Disturbance (GMD),
and we have Scott McBride here from the Idaho National
Laboratory, a real expert on that subject, both EMP and GMD,
but also just electric grids in total as relates to potential
cyberattacks or kinetic attacks as it relates to that.
And then we have Jennifer Bisceglie in terms of a strategic
resource management, in terms of how do we strategically look
at the threats of our supply chain, which has also come up with
whether it is Huawei and Zhongxing Telecommunication Equipment
(ZTE) and just other threats from that standpoint.
So, again, I just want to thank all the witnesses. I am
looking for some practical solutions, things that we can
actually do. We have admired this problem enough. We have
studied it enough. We have not produced the strategies, and
that is true, but I am actually looking for some concrete
things we can take away from this hearing. And maybe if there
is a law that we have to pass, try and pass that law, but just
try and figure out something. Let us do something about some of
these problems.
With that, I will turn it over to our Ranking Member,
Senator McCaskill.
OPENING STATEMENT OF SENATOR MCCASKILL[2]
Senator McCaskill. Thank you, Mr. Chairman.
[2] The prepared statement of Senator McCaskill appears in the
Appendix on page 37.
Two days ago marked the 17th anniversary of the September
11, 2001 (9/11) attacks on this Nation. It is a somber reminder
of the threats we face and that we must continue to vigilantly
protect the country from those who wish to do us harm.
In the 17 years since 9/11, Congress and the American
people have had spirited debates surrounding the nature of
threats to the United States and how best to protect ourselves
from them.
A lot has changed over these nearly two decades, but until
recently, one component remained constant. Since joining the
Senate over 30 years ago, my friend and colleague, Senator John
McCain, was an integral part of every national security
conversation that took place in this body. His commitment to
public service, his dedication to the defense of our country,
and his efforts to promote American values were unparalleled.
I had the privilege of serving with him on this Committee
and on the Senate Armed Services Committee. His conviction,
insight, and sense of humor will be sorely missed, even his
incredible temper. John McCain made an indelible mark on the
security of this Nation, and I will miss him as a colleague and
a partner in addressing these complicated issues.
I also welcome Senator Kyl back to the Senate and to this
Committee, and I look forward to working with him.
The United States has made enormous progress in preventing
another 9/11-style attack, but threats to the country remain.
Terrorism continues to evolve as a threat and requires
innovative solutions to confront and prevent it.
As the United States and the world become more digitally
connected and as technology advances at a rapid pace, we have
new vulnerabilities. This hearing provides an opportunity for
the Committee to focus on some of those concerns and explore
real solutions.
In 2013, for the first time, then-Director of National
Intelligence James Clapper prioritized cyber threats above
terrorism when testifying before Congress. In the years since,
the problem has metastasized. The threat of cyberattacks and
cyber espionage regularly dominates headlines, and with the
midterms approaching, election security is obviously of
paramount concern.
This Congress, Senator McCain, as Chairman of the Armed
Services Committee, created a Cybersecurity Subcommittee on
which I serve, where our focus complements the work of this
Committee on identifying cyber threats and strengthening our
forces and capabilities.
One area of focus that I am particularly concerned about is
Supply Chain Risk Management (SCRM) and specifically the
information technology (IT) and telecommunications supply
chains within our government agencies and the U.S.
infrastructure.
This evolving threat can turn a mundane antivirus software
purchase into an unacceptable risk to our national security. We
need to make sure our information technology products and
services are safe from infiltration, down to the smallest
component, and like most national security issues, that
requires a strategy and a whole-of-government approach.
Supply chain risk management cannot be achieved piecemeal.
In this regard, a threat to one agency is likely a threat to
many others.
In June, Senator Lankford and I introduced the Federal
Acquisition Supply Chain Security Act to address this critical
issue. Few understand this issue better than some of the
experts on this panel.
I hope this hearing will provide the Committee, Federal
agencies, and the public with a better understanding of how to
solve this problem.
Similarly, this Committee has heard from numerous Cabinet
officials and experts in the public and private sectors about
threats posed by drones.
Chairman Johnson and I introduced legislation that would
authorize the Department of Homeland Security and the
Department of Justice (DOJ) to conduct limited counter-drone
operations for a narrow set of important and prioritized
missions. Our bill is just the simple first step in tackling
this mounting problem, and we welcome additional thoughts from
the witnesses on solutions that might mitigate the threat.
I thank the Chairman for holding this hearing and look
forward to the discussion.
Chairman Johnson. Thank you, Senator McCaskill.
It is the tradition of this Committee to swear in
witnesses, so if you all would stand and raise your right hand.
Do you swear the testimony you will give before this Committee
will be the truth, the whole truth, and nothing but the truth
so help you, God?
Mr. Mandia. I do.
Ms. Lanier. I do.
Mr. McBride. I do.
Ms. Bisceglie. I do.
Chairman Johnson. Please be seated.
Our first witness is Kevin Mandia. Mr. Mandia is the chief
executive officer (CEO) of FireEye, a leading global
cybersecurity company. Prior to FireEye, he founded the
cybersecurity firm Mandiant Corporation. Earlier in his career,
Mr. Mandia served in the United States Air Force as a
cybercrime investigator. Mr. Mandia.
TESTIMONY OF KEVIN MANDIA,[3] CHIEF EXECUTIVE OFFICER, FIREEYE,
INC.
Mr. Mandia. Thank you, Mr. Chairman, Ranking Member
McCaskill, and other Members of the Committee. I appreciate
this opportunity to speak to you today about the cyber threats
facing our Nation.
[3] The prepared statement of Mr. Mandia appears in the Appendix on
page 40.
Before I begin discussing these cyber threats, I would like
to take a moment to extend our condolences to each of you for
the loss of your dear friend and colleague, Senator John
McCain.
In my testimony today, I intend to discuss the cyber
threats to our Nation, what they are, what their impact could
be, and what we can do about it.
I have been working in cybersecurity for over 25 years. As
the Senator said, I started my career in the Air Force as a
computer security officer at the Pentagon. Following that, I
was a special agent in the Air Force Office of Special
Investigations, investigating computer intrusions into our
military networks, and I have the privilege today to serve as
the CEO of FireEye.
As I sit here right now, we are responding to dozens of
breaches around the world. We have over 300 investigators that
conduct over 600 investigations every year into what happened
during the breach and what to do about it. We have over 100
threat analysts that are in 18 different countries that speak
32 different languages, actively tracking the threat actors on
a global basis to try to get attribution behind who is doing
it. And we have over 15,000 sensors that every hour detect
between 50 to 70,000 malicious events. We are the last line of
defense for computer security for our customers.
We have been seeing the attacks firsthand. We know how the
attackers are evading our safeguards, and we have witnessed the
impact that these attacks have had firsthand as well.
Let me begin by sharing three general observations about
the cyber threats to the United States. First, I believe the
United States is more vulnerable in cyberspace than other
nations. First, we depend more on the Internet, the
connectivity, the technology, and the infrastructure than the
nations that host the most prevalent cyber attackers, such as
Iran, Russia, China, and North Korea.
Second, our critical infrastructure is shared. For the most
part, it is in the hands of the private sector, and during
times of duress or outright war, if we need to do ``shields
up'' in a joint defense, we are going to need to cooperate
between the government and the private sector, whereas many
other nations, some of their critical infrastructure is purely
government controlled.
Third--and it sounds odd, but it is true--that a weakness
of the United States is in fact in cyberspace, freedom of the
press, fundamental to our democracies, but it gives attackers
two advantages that we simply do not have if we reciprocated
those types of attacks on closed societies.
First, influence operations can be conducted in the United
States with greater efficacy than in a closed society. Second,
the ability to attack an organization or an individual, steal
their information, and threaten to publish it online in any
capacity; or to threaten or hold their information hostage is
an invasion on our privacy. It allows folks to leverage our
citizens in ways that closed societies do not need to worry
about as much.
The second observation I would like to make is that a lot
of people talk about Pearl Harbor scenarios against the Nation
in cyberspace. I think what is going to be more likely is what
we refer to internally at FireEye as ``cyber trench warfare.''
I want to talk about some of the ingredients for cyber trench
warfare.
The first characteristic is that it is going to be
conducted below the threshold that would elicit an aggressive
response by the United States. It will be low and slow. It will
endure, but it will slowly erode our willingness to combat it
over time. Second, the campaigns will be long term. Third,
these campaigns are going to go after, in my opinion, the
softer targets. A lot of people think that critical
infrastructure in the military will be target number one if we
have a modern war. In fact, it may very well be the softer
targets, small municipalities, health care, small elementary
schools, the small businesses that make the fabric of our daily
businesses run. Those will be the soft targets that are in fact
attacked, and in aggregate, if all the soft targets in this
country succumb to a destructive attack, the impact and
consequence can be pretty grave.
The last general observation that would happen during any
cyber conflict against the United States, is what I describe as
a butterfly effect, and it works two ways. Whenever there is a
cyberattack, when somebody takes the gloves off and escalates
in cyberspace, even the perpetrators are not fully aware of
what the impact of these attacks will be. If somebody launches
an indiscriminate, destructive attack on our Nation, they do
not know what unintended consequences can happen from that.
But I do know this. We have not been able to predict it
either, and imagine if the U.S. Senate came offline for a day
or two from the Internet, what would happen? Would you be able
to get into the parking garage? Would you be able to even make
a phone call from your desk? Would you be able to buy lunch in
the cafeteria downstairs? It has a lot of unintended
consequences that people have not predicted in the past.
So what do we do about it? The threats to our Nation are
growing. I gave you some high-level observations about this,
but by establishing a system where the private and public
sectors work together, we practice together. That is key. We
practice together doing dry runs, and we proactively use threat
intelligence. We can create a learning system. We are getting
better every day, but we can accelerate getting better at a
faster rate.
And, last, we need to explore international rules of
engagement and hold threat actors accountable. Right now, the
key word is ``deterrence.'' Do we have a deterrence against
cyber-threat actors against our Nation? What can we do about
that?
If we find a way to have some diplomatic treaties or
agreements with other nations that are launching these attacks,
the United States and the daily lives of our citizens will be
better safeguarded.
Thank you, Mr. Chairman.
Chairman Johnson. Thank you, Mr. Mandia.
Our next witness is Cathy Lanier. Ms. Lanier is the senior
vice president of Security for the National Football League
(NFL). She previously served as the Chief of the Metropolitan
Police Department of the District of Columbia. Ms. Lanier.
TESTIMONY OF CATHY LANIER,[4] SENIOR VICE PRESIDENT OF
SECURITY, NATIONAL FOOTBALL LEAGUE
Ms. Lanier. Hi. Good morning, Chairman Johnson and Senator
McCaskill. How are you? Members of the Committee. Thank you
again for the opportunity to testify here today.
[4] The prepared statement of Ms. Lanier appears in the Appendix on
page 46.
As requested, I will focus my testimony on the threat posed
by malicious drones at major sporting events.
At the NFL, we have observed a dramatic increase in the
number of threats, incidents, and incursions by drones. Fewer
than 10 miles from here, a drone flew over FedEx Field during
pregame activities for a Monday Night Football game, violating
Washington's national security airspace and the airspace
restrictions of the NFL game.
The NFL is not alone. For example, in 2017, a drone crashed
into the stands of a Major League Baseball game between the
Padres and the Diamondbacks.
A 2017 incident involving two NFL stadiums dramatically
demonstrates this threat. During a San Francisco 49ers game,
the stadium security director at Levi's Stadium called me and
alerted me that a drone had just dropped leaflets over the
seating bowl. I warned the other teams, so when the operator
sought to fly a drone over nearby Oakland Coliseum, local law
enforcement was ready for them. They were able to quickly
identify the operator and arrest him.
We are all very fortunate that the drone over Levi's
Stadium dropped just leaflets. Drones today are capable of
inflicting much greater damage.
As the Committee knows, various threat assessments have
recognized that large gatherings of people are enticing targets
for malicious actors.
The Federal Aviation Administration (FAA) and Congress have
therefore imposed flight restrictions on the airspace above
large sporting events. The FAA first established these
restrictions after 9/11, and Congress subsequently strengthened
and codified those requirements.
The current temporary flight restrictions prohibit
aircraft over NFL games, Major League Baseball games, National
Collegiate Athletic Association (NCAA) Division One football
games, and major motor speedway events such as National
Association for Stock Car Auto Racing (NASCAR). These flight
restrictions have largely worked as intended, keeping
commercial and civil aircraft away from stadiums during games.
Drones, however, present an entirely different challenge that
needs an appropriate legislative response.
Drones can be acquired easily and cheaply. They are often
used by unlicensed individuals, with no awareness of airspace
rules, flight restrictions, or many other regulatory
requirements related to aircraft.
Stopping drones is currently extremely challenging. Drones
are small and portable. They can be launched quickly and very
close to a stadium from an adjacent parking lot. Several
stadium security directors have told me that they are regularly
approached by vendors selling counter-drone equipment. They
know that using such devices is illegal.
The current state of law, however, leaves security
officials with an unenviable choice: Procure the equipment
whose use would be illegal, or remain unequipped to respond to
a security threat that can endanger tens of thousands of
people.
The NFL, therefore, supports the development of new
approaches to drones. We support the FAA's remote
identification effort. We support revising the hobbyist
exemption, which currently permits far too many drones to be
flown by far too many unlicensed and untrained pilots.
Further, we support the aim of your legislation to extend
drone interdicting authority to DOJ and DHS. Your bill is an
important step forward.
In particular, the bill permits State officials to request
Federal support for local law enforcement efforts. The bill
correctly recognizes that local law enforcement officers are
primarily responsible for security at locations where drones
present risks such as NFL games.
Although this provision permits local officials to request
Federal assistance, there are not enough Federal resources to
provide security at all the events that need protection,
including the 256 NFL games in a season.
The NFL, therefore, strongly encourages Congress to
consider additional reforms that would provide authorities to
local law enforcement officers to detect and intercept drones
that pose a threat to major sporting events like our NFL games.
The NFL looks forward to continuing to work with Congress,
the FAA, and others on our shared goal of ensuring the safety
and security of our players, coaches, fans, and staff that
attend our games.
Thank you so much for the opportunity to be here today. I
appreciate your time.
Chairman Johnson. Thank you, Ms. Lanier.
Next witness is Scott McBride. Mr. McBride is the
Infrastructure Security Department manager within the National
and Homeland Security Infrastructure Protection Department at
Idaho National Laboratory. Mr. McBride directs power systems
engineering projects for the lab's clients, including the
Department of Energy and Department of Defense. Mr. McBride.
TESTIMONY OF SCOTT MCBRIDE,[5] MANAGER, INFRASTRUCTURE SECURITY
DEPARTMENT, IDAHO NATIONAL LABORATORY
Mr. McBride. Thank you, Chairman Johnson, Ranking Member
McCaskill, and distinguished Members of the Committee for
holding this hearing and inviting Idaho National Laboratory's
testimony on the potential threat of geomagnetic disturbance
and electromagnetic pulse to the U.S. power grid.
[5] The prepared statement of Mr. McBride appears in the Appendix
on page 51.
At Idaho National Laboratory, I manage power system projects,
industrial control system security to secure critical
infrastructure throughout our Nation, with a primary focus on
the energy grid.
As the U.S. electric power grid incorporates new digital
technology with decades-old infrastructure, the grid is
becoming vulnerable to GMD and EMP events, whether the EMP
source is from nuclear or non-nuclear sources. We have
developed a fairly robust understanding of the scientific
principles of the damaging waveforms associated with GMD that
enables us to predict effects and design protections to
mitigate those effects.
Initial experiments have been completed, and models are
beginning to emerge that assist us in better understanding and
characterizing effects and impacts from the individual waveform
specifically associated with an electromagnetic pulse.
Research and testing of the interdependent effects of the
combined three waveforms on our grid's individual components
and interconnected infrastructure is an uncharacterized field
of study that needs further exploration and discovery.
There are ways the United States may improve its
understanding of the extent of the vulnerability and reduce or
eliminate consequences of GMD and EMP events.
In addressing this need, the Department of Energy recently
tasked the National Laboratories to develop a report that
updates the extent of our current scientific understanding of
the effects of EMP on the electric power grid. Pending this
report's publication, significant progress for GMD and EMP grid
protection can be made by pursuing four concurrent paths.
The first adopts EMP hardened transformer neutral blocking
devices designed to provide automatic protection for
transformers against GMD events to prevent harmonic generation,
reduce reactive power demand, and reduce voltage collapse.
The second defines the EMP threat environment, including
research coupled currents and voltages for transmission and
distribution lines, in support of developing an informed all-
hazards protective strategy.
The third conducts a series of scaled experiments on a
variety of grid components and restoration assets to
understand, predict, and measure the impacts of EMP events on
unprotected systems as well as the effectiveness of protective
options.
The fourth identifies the prioritized infrastructure that
can lead to a most effective and impactful set of actions that
will harden the grid and enable reliable black-start processes.
Following this research path with appropriate and
coordinated government and industry partnerships can lead to a
set of effective hardness and protective measures for GMD and
EMP events that add quantifiable, cost-effective resiliency to
the power grid.
Current gaps in knowledge suggest that the experiments of
highest priority would include assessing the damage from
integration of the propagating electromagnetic radiation
effects to grid assets directly connected to long power lines,
antennas, and communication and data lines; measuring
effectiveness of shielding, including nonconductive critical
communication fiber-optic cables, well-grounded equipment
racks, and shielded buildings, such as power grid control
centers; determining the effectiveness of developmental
technologies for transient voltage surge suppression; and
finally, exercising high-voltage system operations and
processes for critical systems spares replacement, restoration
procedures, and recovery processes.
This research will have the most benefit if the results are
concurrently shared with stakeholders who are developing
priorities for more research that can be utilized to enhance
predictive models and provide stakeholders with the sound
technical basis for standards and regulatory guidance. While it
may not be plausible to protect all assets, careful
prioritization of the research and implementation of
protections can enable critical portions of the grid to survive
or at least be rapidly restored following a GMD or EMP event.
Cooperation between government and industry can accelerate
full implementation of a protection strategy through a greater
technical understanding of GMD and EMP threat characteristics
and system effects.
Thank you.
Chairman Johnson. Thank you, Mr. McBride.
Our final witness is Jennifer Bisceglie. Close enough. You
can tell us what it is. [Laughter.]
Ms. Bisceglie is the president and CEO of Interos
Solutions, Inc., which assists public and commercial sector
customers with supply chain and vendor risk management. Ms.
Bisceglie was named the AT&T Innovator of the Year in 2015.
TESTIMONY OF JENNIFER BISCEGLIE,[6] PRESIDENT AND CHIEF
EXECUTIVE OFFICER, INTEROS SOLUTIONS, INC.
Ms. Bisceglie. Chairman Johnson, Ranking Member McCaskill,
and Members of the Committee, thank you for the invitation and
the opportunity to speak with you today on the underappreciated
threats to the homeland that, if not mitigated, could
significantly damage the Nation's critical infrastructure and/
or disrupt people's lives, especially as it relates to the
global supply chain and the use of information and
communications technology (ICT).
[6] The prepared statement of Ms. Bisceglie appears in the Appendix
on page 57.
By way of introduction, Interos is a company I founded over
13 years ago to evaluate the risks in the global economy and
our business partnerships, alliances, and distribution networks
that comprise our supply chains.
The company is built on my over 25 years in the global
supply chain industry, having helped multiple U.S.-based
companies create maximum advantage from different skillsets,
labor pools, and competitive business arrangements with
partners around the world.
During those years, I have watched risk concerns in the
supply chain move from quality to physical security to
resiliency and now product integrity and the role of the
digital connection or cyber.
Published in April of this year, Interos' report for the
U.S.-China Economic and Security Review Commission for supply
chain vulnerabilities when sourcing technology specifically
from China and using that technology in the U.S. Federal IT
networks stressed several solutions, the most important being
that the United States establish a national strategy for supply
chain risk management in U.S. ICT with supporting policies, so
that the Nation's security posture is forward-leaning versus
reactive and based on incident response.
Our adversaries are very public about executing a strategy
against us. The time has come for us to stand strong and
visibly protect ourselves.
In my submitted testimony, I spoke to six areas that are
directly related to today's hearing. I will be summarizing them
here for this briefing, with focus on three, and I have been
massively updating the last one based on your pep talk--and
then open the remaining time for any questions you have.
Before addressing the specific areas of the report, I would
like to stress that whether it is 5G or blockchain, the
Internet of Things (IOT), or any other emerging technology or
technological threat, an underlying foundation for security,
both physical and digital, is an understanding of who the
stakeholders are, where your vulnerabilities lie, and having a
strategy for managing those associated risks.
The solution cannot solely be focused on the latest tools
and technologies. Cultures need to change. The money needs to
be spent to educate people on their role in traditional risk
management.
Given our position in the market, my company has had the
opportunity to work with public and private sector
organizations, spanning multiple industry verticals. In the
government, we have worked with Defense Intelligence Agency
(DIA), National Security Agency (NSA), several Office of the
Secretary of Defense (OSD) members, the General Services
Administration (GSA), Social Security Administration (SSA),
Federal Deposit Insurance Corporation (FDIC), Department of
Energy, and the National Nuclear Security Administration
(NNSA).
In the private sector, we have worked with manufacturers,
the financial institutions, utilities, and others, and the
situation is always the same. If the organization does not take
a focused and comprehensive approach to risk management
prioritized by senior leadership, there will be unnecessary
exposure and invariably negative impact.
We would also like to stress that the supply chain attacks
will continue to become easier, more prevalent and more
threatening as emerging technologies, such as the one I
mentioned earlier with 5G, the Internet of Things, and others
increase the attack surface exponentially.
As a point of clarification, just briefly, you will hear
the term SCRM a lot.
Very quickly in the time that I have left, how reliant is
the U.S. Government and U.S. IT firms specifically on China
firms and Chinese-made IT products and services? The answers
vary. Over 95 percent of our electronic components and IT
systems supporting the U.S. Federal IT networks and commercial
off-the-shelf products come from China. They have done this on
purpose. It is an economic movement, and that is just where all
the sourcing comes from.
Number two, to assess the government success in managing
these risks associated with the sensitive country firms and
sensitive country-made products, in short, there is very little
systemic success, and that is part of the reason we are having
this conversation today.
And I think the last part is what steps should we take, and
this goes back to the conversation earlier. I have changed my
comments. They will align with what I submitted, but six very
specific things, if I were to leave this room today, the first
is--and the act that we talked about earlier brought it up--a
single whole-of-government approach that the Department of
Defense and other agencies cannot self-elect out of. We are all
using the same suppliers, and there has to be some sort of
exception management process because things do pop up, but
there really just needs to be a single risk-management approach
for the government.
There really needs to be somebody in charge, and the person
needs to report to the head of the agency. And it cannot be a
political person. This is not a political problem. It is a
business problem. We cannot keep changing people as the
Administration changes. You are never going to get ahead of it.
The third, you need to have a line item resource for the
agencies to use. Right now, the way that this is managed across
the intelligence community (IC), the DOD, and the civilian
agencies, it is robbing Peter to pay Paul. There is no money
associated to supply chain risk management in the agencies.
The fourth--and the act does talk on this--is a real
partnership with industry. We need to fix the Federal
Acquisition Regulation (FAR). We need to fix the Defense
Federal Acquisition Regulations (DFARs), the Defense Enrollment
Eligibility Reporting System (DEERS), and any other acquisition
strategy we have in the government. The National Institute of
Standards and Technology (NIST) has a role, but it is as an
evangelist and a supporter. They are not a leader in this
conversation. They do not dictate how business operates. This
is a business problem.
The second to last is metrics on the impact, not just
activity, not just how much money did we spend or what are we
doing, but specifically what mitigations, what problems with
mitigations and how did we share that information to get better
as the whole of government. And I think, again, the act can
help with that.
And then the last part is not to overclassify this problem.
That is a problem I run into in every agency, and the thing
that we have to remember is that this is a global business and
economic issue, and every time we overclassify it, we reduce
the amount of people that can have an impact on solving the
problem.
So, with that, I will turn it back. Thank you.
Chairman Johnson. Thank you.
I am going to reserve my time out of respect for my
colleagues' time, but one of the big problems in just about
every one of these situations is the complexity of the problem.
The expert witnesses, you speak in language that laymen do not
understand. Again, I really appreciate your expertise, and we
need it in your written testimony, to answer our questions, if
you could, as much as possible try and convey this in layman's
terms. It would be very helpful.
One of the analogies I use is I am old enough to remember
``Gilligan's Island,'' and on this island, most of us are
Gilligans. Not too many professors know how to turn a coconut
into a battery.
I do not care whether it is cyber, whether it is EMP,
whether it is encountering drones. This is incredibly complex
technology and just science, and that is part of the problem
the government has in dealing with these problems, is nobody
understands it in the agencies or in Congress. So that is a
hurdle I am just really not quite sure how we are going to ever
overcome.
But, with that, I will turn it over to Senator McCaskill.
Senator McCaskill. I want to talk a minute about supply
chain. I would like your take on this, Ms. Bisceglie and even
Mr. Mandia.
I read in the morning paper and what really concerned me is
the conflict we have going on now in Turkey. We reached out to
eight nations to help us build the F-35, including Turkey.
Turkey is building--a cockpit display--is one of their
companies, defense contractors, and a center fuselage.
Well, now we have Erdogan in disagreement with the United
States. So he has now decided he is going to go buy the Russian
air defense system, S-400 from Russia, instead of working with
us to acquire the Patriot.
So now we have this bizarre situation; Russia, who we know
has conducted cyber warfare against our country, is beginning
to put an air defense system in the same country that is
building the cockpit displays and the center fuselage on our
next generation fighter pilot.
Should I be worried about this? Ms. Bisceglie.
[Speaking off microphone.]
Senator McCaskill. Absolutely.
Ms. Bisceglie. We are actually talking to the F-35 program
as well.
And back to the Senator's comment, to me--and maybe I am
very simple about this, but this--again, it is a business
problem. And so we are actually working with a very large
technology company right now around prototyping, and I will
bring it back to exactly what you asked about, but the whole
idea is getting out of the fact that we are in a world that
there is only a single source of supply. There is not.
There is either other companies that can be competitive
that are today competitive or other companies that if we put
research and development (R&D) dollars into them could be
competitive. So they do the 75 percent solution; they need the
25 percent to develop.
And so with this technology company, that is literally what
we are doing around prototyping, is figuring out what are the
products and the components and the software that they are
going to need in the near and the long term, and how do we look
globally at where suppliers exist in the world in places that
maybe we do not want to deal with and we do have to deal with
them because of cost, because of time that I need that product
or service, or other places in the world that are a bit more
friendly to how I do business? And then I can start developing
it, so I have multiple sources of supply. So I do not have a
situation that you are talking about right now.
Senator McCaskill. Except the problem is with this, the
reason they did this is they wanted to bring down the cost by
having more orders.
Ms. Bisceglie. Right.
Senator McCaskill. So this was a quid pro quo. We are going
to give you pieces of the production in return for an order for
100 F-35s because the more we build, the cheaper they get.
So that to me is the challenge here, is that we are doing
business with a very sensitive part in an incredibly important
weapon system with a country that is now playing footsie with
our cyber enemy.
Ms. Bisceglie. Right. I think it goes back to my comments
earlier, and again, ma'am, maybe I am doing this too simply,
but to me, this is very much a business situation and it is
risk management that says I am willing to deal with that
sensitive country because of cost or I am going to pay a little
bit over here, more over here, because I do not want to deal
with that country. And if we could get out of the politics,
understanding that is part of risk management----
Senator McCaskill. Right.
Ms. Bisceglie [continuing]. And say, ``You know what? I am
willing to accept this risk over here, and I am going to
mitigate more on my side,'' that is a risk management approach.
What you are talking about is exactly the conversations we
are not having. We are just saying ``China bad'' or ``Turkey
bad,'' and that is just not the world we live in.
The more that our leadership that is actually involved in
these programs is focused on this is what I can deal with from
a risk standpoint and this is what I cannot and focus on
requirements, I honestly think that--businesses have been doing
this forever. This is really how business is done. We cannot
get excited over the political aspect. I actually think that is
to our detriment.
Senator McCaskill. Well, business and the Pentagon are
sometimes two mutually exclusive concepts----
Ms. Bisceglie. Yes, ma'am.
Senator McCaskill [continuing]. Let me just say, having
done a lot of work on contracting in the Pentagon.
Do you have anything you would like to add to that, Mr.
Mandia?
Mr. Mandia. Yes. I think at the highest level of
abstraction, Senator, economics follows geopolitical
conditions. Cyberattacks are directly linked to geopolitical
conditions. Security is related to it.
When I listened to what you were saying, it dawned on me
that the exact same challenges we have with Turkey building
very important components and essential components to anything,
we have the same problem here in the United States. We have
small companies that cannot protect themselves in cyberspace----
Senator McCaskill. Right.
Mr. Mandia [continuing]. But they are building mission-
critical systems.
Senator McCaskill. Exactly.
Mr. Mandia. So, obviously, as part of the process, we have
to build security in it and checks and balances into the
process, regardless of where construction and where the supply
chain resides.
Senator McCaskill. Have either one of you had a chance to
look at the supply chain risk management bill that Senator
Lankford and I have introduced? It is very similar to a
proposal the White House has made. Is there any input you would
like to have on that legislation?
Ms. Bisceglie. So I have, and actually, if I had kept to my
original comments, I think it is a very good start.
I think when I first heard about it, it heartened me,
having been in this industry for so long, that we have raised
the visibility up to this level.
I think that my comments--and I have been asked to submit
as well--is that from an implementation standpoint--and I
understand it is the first time we have gotten the conversation
to this level--I still do not think we have enough industry and
business involvement because, at the end of the day, that is
who is actually going to execute against it.
So the players that are included in that bill are all the
normal players from a government standpoint, but I would like
to see more direct industry involvement, which is not
necessarily just through trade associations, but specialties in
different industry sectors, which I think from an
implementation standpoint will make it more impactful from an
implementation as well as reduce the cost.
Senator McCaskill. I am going to turn to another subject
now. If you have anything else on this, Mr. Mandia, I would
sure like you to submit it.
So what happens if the folks at Busch Stadium in St. Louis
get information that there is going to be a drone incursion,
and that their sources tell them--maybe it is the St. Louis
police department--that it is an armed drone.
So if that were to occur today, what would happen to the
Cardinal organization if they took it down? What penalties
would lie against the Cardinal security operation if they
actually took down that drone?
Ms. Lanier. So it would depend. First of all, we typically
would not get intelligence or information that a drone is
incoming, but if we did and if there was mitigation or
interception technology available and that was used as one of
several different types of technologies, it would be illegal
for them to use that to take that drone down.
Senator McCaskill. What would happen to them? What are the
penalties? Do you know?
Ms. Lanier. I cannot tell you the penalties. It just
depends on which type of----
Senator McCaskill. Well, can I just tell you that I will
represent them for free if they take it down?
Ms. Lanier. I will pass that along.
Senator McCaskill. Ultimately at the end of our processes
in law, there is a jury, and juries are very good about
weighing the facts. If you let juries decide things, they
very--I mean, not that they do not make mistakes, but a jury in
that circumstance, I can assure you would apply common sense
and say this was a matter of risk management, and what they did
was the right thing.
We are going to rush to get something done. We are trying
to get something done that would give people the authority to
take action in those circumstances, but it scares the bejesus
out of me that----
Ms. Lanier. Unfortunately, this is a discussion that is
going on, and it should not have to go on. You have people that
want to make sure they are providing adequate security and
safety for 70 or 80,000 people, and they want to do the right
thing. Nobody wants to be at odds with the law under any
circumstance.
Senator McCaskill. Right.
Ms. Lanier. So that is the discussion that goes on, quite
honestly.
Senator McCaskill. Well, I just think that, obviously, if
you are faced with a dilemma of the unknown being harm to
thousands of people versus the unknown of what happens to us if
we do it, I just want to encourage them to use common sense.
Chairman Johnson. Of course, one of the problems right now
is DHS does not even have the authority to study how to knock
that thing down. It is a problem.
Again, if they knock down malign drones, my guess, the jury
would rule correctly. The problem is, What if they knocked down
the wrong one in good faith? Then they would have greater
liability, and that is what we are trying to give. We are
trying to give them the liability against that type of event.
Senator Hassan.
OPENING STATEMENT OF SENATOR HASSAN
Senator Hassan. Thank you, Mr. Chair and Ranking Member
McCaskill, and add me to the group that would call for the
application of common sense here when it comes to protecting
people at large events.
I wanted to focus with you, Mr. Mandia, on some of the
issues that come up with small vendors and cyber threats. In
your testimony, you spoke about the challenges that smaller
companies and organizations face from cyber threats. In
particular, you pointed out that their vulnerabilities not only
threaten their operations but their partners, their customers,
their suppliers, and ultimately our country's economy.
Your point underscores the importance of making sure that
the Federal Government does all it can to help protect these
small companies and service providers.
Last spring, DHS revealed that Russia targeted several
small vendors through a cyberattack to gain access to our
electric grid. DHS reported that many of these vendors lack the
resources or dedicated cybersecurity professionals to detect
and prevent these kinds of intrusions. It does not seem
reasonable to me to expect companies with only a few staff and
maybe one full-time IT professional to be able to defend
against the fully offensive cyber capabilities of State-level
cyber actors like Russia.
What should be DHS's role in helping to secure these
companies, and what sort of resources should we be considering
in order to achieve some degree of defense against State-level
hacking?
Mr. Mandia. You have to take this in a couple parts. Great
question, one of great concern to many people.
First and foremost, if all we do is play defense, if we are
up against Russia, we are up against Wayne Gretzky on a penalty
shot, and we have a bunch of goalies out there, where if they
get unlimited penalty shots, they are going to put the puck in
the net.
What I have observed in the private sector in practice is
the bigs are helping secure the ``smalls'' and taking on some
of the burden of doing that, but we cannot win if all we do is
focus on defense, defense, defense. And that is why we need to
have imposed risks and consequences to those who do it, which
means we have to get attribution right, support the technical
assets, the human assets, the international cooperation so that
we know who is doing these attacks----
Senator Hassan. Right.
Mr. Mandia [continuing]. So we can at least weigh a
proportional response to it.
But when we also look at it, we have to take it in bite
sizes. We cannot secure every company overnight, all the
``smalls''. You have to start with the ones in the critical
infrastructures, and I believe if you can secure the ``bigs''
first, the ``bigs'' will help you secure the ``smalls'', and
you start with the utilities. You start with health care. You
start with communications. And you work that way.
I think you have to take it industry by industry. If you
protect the company, then you can protect the industry, and if
you protect certain industries, you can protect the Nation.
There are three ways to slice it, but we are certainly
going to need some deterrence to come to the table.
Senator Hassan. Well, I thank you for that response, and we
will likely follow up with you on it some more.
I wanted to move now to the issue of Federal network
security. According to your testimony, FireEye has worked
closely with DHS and dozens of civilian and Federal agencies to
provide these agencies with the capabilities needed to achieve
a baseline of security against cyber threats.
As we see increasingly more sophisticated and diverse
cyberattacks, DHS's role in helping to protect Federal agencies
and the dot-gov domain from cyber intrusion will become all the
more important.
To that end, DHS has endeavored to strengthen the tools and
capabilities it provides to Federal agencies to protect
themselves, including the maturation of its two signature
programs, the EINSTEIN Program and the Continuous Diagnosis and
Mitigation Program. Can you please talk to us about the value
of these programs in enhancing Federal network security and how
they may need to evolve in order to keep pace with a really
diverse and ever changing threat, a cyber-threat environment?
Mr. Mandia. Yes, I can, and I will make it brief.
You have to start somewhere. I was a big proponent of the
EINSTEIN stack because it sets the floor of how good you are,
and you know what you are working with. If you can have a
referenced architecture, it is easier to manage.
We have a shortage of security professionals. You do not
want to learn 180 different products. You need to keep it down
to the five to eight that are best of breed at that moment, but
you also have to create a learning system. And that is where
the intelligence comes in.
At the highest level of abstraction, I have been working
with the government since 1993 in cybersecurity. We are getting
better every year, so that is the good news.
Senator Hassan. Yes. Well, thank you for that.
Let me follow up with one last topic on the issue of
cybersecurity generally, which is something you have talked
about, cyber resiliency.
You mentioned it in your testimony that one of the best
ways to counter the threat of a crippling cyberattack is to
mitigate the effects of such an attack through strengthening
private and public sector cyber resilience.
You gave the example of how an Alaskan-based company worked
to survive a ransomware attack by reverting to typewriters and
handwritten notes to maintain daily operations.
While I was Governor, we worked to develop continuity of
operations plans for our State agencies and government, and
that included considering how to access data and how we would
operate without technology.
Obviously, in an ideal world, we want to avoid bringing out
carbon paper again, right? But can you help us identify the
best ways to achieve effective cyber resiliency? What sort of
mechanism and incentives would need to be put in place to
encourage the private sector to develop this kind of
resiliency, and what can the U.S. Government's role be in
helping to achieve baseline cyber resiliency?
Mr. Mandia. Yes. I think it is a great question.
Bottom line is live fire drills. The only way you are ever
going to get better at something is if you force the issue, and
you keep it--maybe it is utilities and energy first, health
care, telecommunications. Financial services are pretty good on
their own.
But if you think about it, if the gloves came off in a
modern warfare today, what are the two top targets? It is going
to be energy; it is going to be telecommunications. And that is
where they are mostly in the hands of the private sector. So
you have to do a joint drill, and they already are doing this,
but it is the only way to get the unvarnished truth that every
CEO is operating on. We are as secure as we can get. Even CEOs
want the live fire drills, and the red teaming exercise to see
what can happen. Then if you coordinate it, it would be a 1-day
or 2-day event every year, where you had the private sector and
public sector do a joint drill, that simple, and that will give
us both, A, how good are we to get the unvarnished truth, and
B, so what do we do and how do we operate through it. We will
learn a lot just by practicing.
Senator Hassan. Well, I thank you for that answer, and I
think it also speaks to the need not only to prioritize it in
concept, but prioritize it in terms of resources because in my
experience, if you do not assign that kind of coordination and
practice as a priority and devote resources to it, it always
gets pushed aside with the urgency of everyday operations. And
so we need to really focus on it.
I thank you for your expertise and your help.
Chairman Johnson. Senator Jones.
OPENING STATEMENT OF SENATOR JONES
Senator Jones. Thank you, Mr. Chairman, and thank you to
all the witnesses for being here today. It is really
informative for us.
Ms. Bisceglie, I would like to ask you a little bit more
about the supply chain.
I had lunch with a friend of mine in Mobile the other day
whose company ships all over the world. They are in ports all
over. We talk about the supply chain. We talk about infecting
the supplies and those kind of things, as Ranking Member
McCaskill said a minute ago. But to me, it is also a problem
with the shippers, that those could get hacked. And you divert
or either destroy shipments going across, and I would like for
you to address that just a moment because the public-private
partnerships seems to me very important with folks like that to
be able to work with the government to try to minimize those
potential attacks. I would like you to address that.
Also, when you were giving us your list of things to be
done, you warned against overclassifying the problem, and I
would like for you to just dive into that just a little bit
more for the record to explain what you meant by
overclassifying which I think government often tends to do.
Ms. Bisceglie. Thank you for both those questions.
So your point about the delivery mechanisms, to me, that is
part of the supply chain. When we talk in the industry, we talk
about sub-tiers, and it is one thing I do not think, to the
point you are making--in the government, we are not thinking
that way yet, so again, back to the act that is being created--
the bill that is out there.
The more that we start talking about all of the levels of the
supply chain, which is not just the people producing widgets
but how those widgets move to the next step, I think it is
incredibly important. And when you talk about widgets moving to
the next step--and I do not care if that is software or
hardware--that is the physical delivery, so the boats and
trains and automobiles and all the people involved in that. It
is the electronic. It is the blockchain updates. It is the
Electronic Data Interchange (EDI). It is however you are
sending that information, open source software, but it is all
of those mechanisms.
So if I were to just take a quick example, if I was to make
this pen, so I am the holder of the pen, somebody behind me
cobbled that together. I bought it at Staples. Somebody behind
Staples cobbled it together. Then you explode the pieces, and
in between all of those it was mailed, right? Was it put on a
truck? And who are all those people? Humans involved in all of
that. To me, that is the multi-tiered supply chain.
We do visualizations of those types of relationships at
Interos in my company, and we just did this for one of the
top banks, the top 10 banks in the country. And when they saw
how interconnected they were with their suppliers--and not just
who they thought they were directly connected to, but how that
same company was actually a tier 2 and a tier 3 and, to your
point, delivery partners, they had no idea.
So, to me, the more that we as a government partner with
industry and think of all of the sub-tiers and all of the hands
that touch it, that is really the only way to solve this
problem. So it is expanding that definition.
The second thing on the overclassifying is that we do this
because we do not understand, and part of what we do not
understand is that this is a business problem that needs to be
solved. And the second piece is that most businesses do not
have the clearances because they do not need the clearances to
actually get the job done.
Back to the Senator's point, the more that we can kind of
dumb this down and talk about it just business to business, put
it into requirements, and so the Senator's point, a lot of the
small and medium size businesses, the more you put these things
into requirements and say as part of your contract, you have to
do X, Y, Z, the better off we are going to be. And
classification does not come into that.
Most of the people that actually have to take actions and
provide solutions do not have clearances.
Senator Jones. All right. Thank you.
Ms. Lanier, you said something in response to Senator
McCaskill's question that struck me a little bit because,
obviously, the drone issue concerns everyone. Alabama, my
State, has a lot of outdoor events, whether it is the music
festivals, whether it is the sporting events. We are in the
fall, and college football is a really big deal right now. In
fact, many people would think that Alabama should be in the NFL
rather than the NCAA, but we will not go there.
But you mentioned that you might not have any notice about
an incoming drone, unlike our missile defense system or
something like that. Would you talk about that a little bit
more and what can we do now to maybe at least get that on the
radar, so to speak, a lot of people want to take a picture over
Bryant-Denny Stadium when it is full. I get that, but they
should not.
What can we do right now to maybe help in that aspect to
just put people on notice? Is there something we have the tools
with now?
Ms. Lanier. Well, there are efforts under way to try and
educate people. A lot of it is people that are just not
educated that there are flight restrictions that prohibit the
use of drones over most of these large events, like the NFL
stadiums on game days. So getting that message out has been a
huge effort to try and educate folks.
And there are detection systems. So the technology that is
there now comes into two different sets. There is detection
capabilities, and then there is interdiction capabilities. Some
of the technology that is available--and, again, mostly illegal
to use--can detect that a drone is incoming.
A lot of times, they are launched from a parking lot right
near or very close by.
Senator Jones. Right.
Ms. Lanier. So there is not a lot of lead time, not a lot
of advanced warning that they are coming. So the detection
systems would be one thing, but the interdiction systems is the
other part of that. And that is kind of what we have been
talking about here today, is the ability for someone to have
the authority to use that, from a law enforcement perspective
to use that technology to intercept that incoming drone so that
it does not make its way into the stadium, into the seating
bowl where all of those thousands of people are gathering.
Senator Jones. The restrictions that are currently in
effect, I think--and maybe I am wrong about this, but as I
understand it, there are restrictions about flying a drone
within 3 miles of any event that is holding 30,000 or more
people. Is that correct?
Ms. Lanier. That is correct, and that is the one that is
more difficult to educate people on because it is a temporary
flight restriction.
So there have been some measures put in place to geo-fence
areas around airports, so that drones cannot go into those
restricted areas, but the temporary flight restriction that
goes along with mass gatherings, with that threshold and
higher, is much more difficult to educate and is not as easily
programmable into drones.
Senator Jones. OK. All right. That is all.
I may have some questions for the record, Mr. Chairman.
Thank you very much for having this hearing.
Senator Johnson. Thanks, Senator Jones.
I do want to underscore the importance of public awareness.
It is one of the reasons we are holding this hearing to make
the public aware that we have these threats, whether it is the
flight restrictions, public exposure in terms of the hacking,
whether it is Kaspersky Labs. I think public exposure is
extremely important when it comes to cyber defenses. Just
people's awareness so they can start looking at their own
vulnerabilities is incredibly important. Senator Peters.
OPENING STATEMENT OF SENATOR PETERS
Senator Peters. Thank you, Mr. Chairman.
Thank you to each of our witnesses for your testimony here
today.
While we meet today to talk about the evolving threats to
the homeland and look at major threats like cyberattacks,
electromagnetic pulses, and drones, I would like to express my
concerns about the broader issue of crisis response under our
current Administration.
I was disturbed this morning to see that the President took
to Twitter to make false claims about the death count in Puerto
Rico, which comes days after he claimed the government's
response to Maria deserved an A plus.
Nearly 3,000 Americans died as a result of Hurricane Maria
and the inadequate response that followed, and yet the
President does not accept those results and denies any
responsibility for the failures in 2017.
3,000 deaths is not a number invented to attack the
President, as he claims. It is the acknowledgement of real
human lives. Each number represents a person that trusted in
their government to help them in their time of need. Hurricane
Maria was devastating, and our country will continue to face
evolving threats from a variety of hazards, manmade as well as
natural.
Americans should not have to worry that in a time of
crisis, a true national emergency, that our commander in chief
would cast doubt on very real, very human impacts of the
crisis.
And as Hurricane Florence now bears down on the Carolinas,
we have to make every effort to ensure that the Federal
Government is well-positioned to support everybody in its path,
but we cannot forget about the continuing crisis in Puerto Rico
and the systemic challenges that led to the horrifying death
count that the President today denied on Twitter.
Our Committee or the Federal Spending Oversight and
Emergency Management (FSO) Subcommittee should make use of the
broad jurisdiction of the Department and governmentwide
emergency response to exert strong oversight and hold officials
accountable.
Mr. Chairman, I think we should hold a hearing on the
failures and lessons learned from the responses to Hurricanes
Harvey, Irma, and Maria and hope that we can have a dedicated
hearing on that issue.
Chairman Johnson. Right now, we have a different subject.
Senator Peters. I know, but this is of critical importance.
And I would hope that we would do that. We were trying to do
this in the Subcommittee, and we were informed that the
Administrator does not go to a Subcommittee even charged with
oversight of Federal Emergency Management Agency (FEMA). We
would hope to have your help in getting the Administrator here
to answer questions.
Chairman Johnson. OK. I would like FEMA right now to
concentrate on the hurricane season currently, but we will look
at that.
Senator Peters. I appreciate that, Mr. Chairman.
Certainly, cybersecurity, which is our issue that we are
here today to discuss, is a vital component of all of our
critical infrastructure. Mr. Mandia, do you put in that
category chemical facilities or ones that are potentially
susceptible to significant cyberattack and could present a risk
to critical infrastructure?
Mr. Mandia. Yes. I do not know if I can speak to the
specifics of all the chemical facilities out there and their
cybersecurity posture in defense, so no.
In my prepared remarks, I did talk about indiscriminate
attacks, and certainly, every single individual and every
single organization, should the gloves come off in cyberspace
and there is an escalation, we are all going to get targeted.
That is the interesting thing about cyberspace. It is
infinitely scalable and can go broad.
A lot of times, the individualized security of one
organization in that industry, is only going to be as secure as
the weakest link in that industry.
Senator Peters. Well, I raise the issue of chemical
facilities because I have heard that inspectors in the Chemical
Facility Anti-Terrorism Standards (CFATS) Program, who mostly
have physical security backgrounds, they are worried that they
do not have the appropriate knowledge and training to assess
whether or not the facility owners have appropriately addressed
the risk to cybersecurity.
So my question to you is, How can we get these folks the
training that they need, and certainly fits into their very
busy schedule now in order to be able to supervise these
activities?
Mr. Mandia. I can tell you, speaking generically, as a
public CEO, you never want to see more and more regulation. The
reality is regulated industries, generally, at least you can
set the benchmark or threshold for what security they will
have, and if it is important enough to the Nation to secure
those types of organizations that create certain chemicals, you
could regulate them. You could find a way to do a benchmark of
security that they have to have. And once that is the case,
there are plenty of opportunities to hire cybersecurity
professionals. There is plenty of training that they can
obtain.
And we saw work in the private sector with the payment card
industry. The private sector regulated itself and said, ``Here
is what we need to have to secure credit card data,'' and they
forced you to do vulnerability assessments and different types
of assessments. And anyone who processes credit card data
applies those standards to them.
Senator Peters. Mr. McBride, I have been a proponent of
improving our understanding of geomagnetic disturbances from
space weather for some time now, and I teamed up with Senator
Gardner on the Space Weather Research and Forecasting Act back
in 2016.
We had William Bryan, the nominee to the director of
Science and Technology (S&T) at DHS a couple of weeks ago. I
asked him what role his organization can play in preparing our
Nation for a potential space weather event. He responded that
he will work with the DHS and other customers to determine what
requirements needed to be worked toward in this area.
So my question to you is, in your opinion, in what areas do
we know what these requirements are, and in what areas do we
need more research to better understand how our critical
infrastructure may be impacted by a space weather event?
Mr. McBride. So the electromagnetic pulse threat is
multifaceted. We have high-altitude nuclear detonations that
create an E1, E2, E3 effect. So it is the full spectrum of the
EMP pulse.
We have things like flux compression generators. We have
the sun. The sun particularly--the E3 portion of the EMP pulse
with geomagnetic disturbance can be minutes or even up to
hours. That threat is ultimately going to potentially cause
damage to large substation power transformers.
We have never combined in the models or otherwise the
entire waveform associated with the EMP threat, E1, E2, and E3.
I believe that is a huge knowledge gap that needs to be
experimented and understood.
In addition, nobody is in charge. So DHS, we have been
doing some work for the Department of Energy Office of
Electricity, understanding what EMP and GMD risks to the power
grid are. DHS, their mode was they asked a particular person to
stay abreast of what others are doing relative to the
electromagnetic pulse threat.
Department of Defense recently formed their electromagnetic
defense task force, which I participated in 3 weeks ago. Nobody
has really taken ahold of whose responsibility is it to
mitigate this threat to the power grid.
I believe for EMP E3, with an investment of somewhat less
than $4 billion, we could mitigate that vulnerability to our
most key resources in our extra high-voltage power grid. That
technology exists. We have tested and validated it. We know how
to do it. Where we do it and who funds it is the big challenge
that we face.
Senator Peters. Thank you.
Chairman Johnson. As long as we just made that point, I
want to talk about how reasonable that cost is. Less than $4
billion, we had testimony here earlier with Dr. Richard Garwin
on the Carrington Effect that happened about 150-some years
ago.
Mr. McBride. 1859.
Chairman Johnson. 1859.
We have generally--figure that one of those large-scale
solar storms once every 100 years. Richard Garwin said we have
a 10 percent chance every decade of having something like the
Carrington Effect.
Again, we have been dodging that bullet now for over 150
years. If we were to experience that with today's electronics
and technology, what would the cost of a massive solar storm--
what would the potential cost be that we are trying to mitigate
with about a $4 billion expenditure?
Mr. McBride. I believe that cost would be in the trillions
of dollars, significantly less than the cost to replace the
infrastructure that would fail due to a Carrington-level event.
Chairman Johnson. And hundreds, thousands, tens of
thousands of lives lost?
Mr. McBride. Very likely. It would be the socioeconomic
disaster that this country has never seen.
Chairman Johnson. So you take a look at Puerto Rico who
lost power, but we could try and surge resources and help that.
There would not be too many people coming to rescue on
something like that type of event, correct?
Mr. McBride. That is correct.
Chairman Johnson. Again, Senator Peters, I appreciate your
concern about this. We share that, and we will continue to try
and figure out and get somebody put in charge of that. Senator
Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thanks, Mr. Chairman.
We also are on multiple committees, and we just finished
one of my hearings. So I am happy to be able to join you now at
this hearing. I missed your testimony and had a chance to look
at it, and I appreciate the chance to ask you some questions.
I am told that some of you mentioned in your testimony the
Russian campaign to hack the U.S. Presidential election in
2016. Attempts by Russia and Russian government, backing actors
to interfere in sovereign elections are not new. In 2014, that
country orchestrated a campaign to interfere in the elections
in the Ukraine. My wife has been with some of her friends and
colleagues from DuPont from years ago, has been in Georgia this
week, and she is sharing with me some of what Russia tried to
do in Georgia that we are familiar with.
U.S. intelligence agency or the U.S. intelligence community
said in its 2016 report that a criminal will likely continue
using cyber campaigns to interfere in elections for two simple
reasons. They are cheap, and there seems to be no consequences.
Mr. Mandia, your testimony said much the same thing.
Yesterday, President Trump signed a general Executive Order
that would impose sanctions on countries found to be
interfering in our elections, but he has failed to impose
sanctions on Russia, despite explicit authorization from the
Congress.
The Republicans in Congress recently defeated an amendment
from Senator Leahy that would have provided States with an
additional $250 million for election security.
I would just ask. Again, I think, Mr. Mandia, from you and
Ms. Bisceglie?
Here is the question: Do you believe the United States
could do more, should do more to deter and prevent cyberattacks
on our election infrastructure in order to protect our
democratic processes? That is the first part of the question.
The second half of the question would be, What steps in
particular do you recommend that those of us here in Congress
focus on first?
Kevin, do you want to go first? Thank you.
Mr. Mandia. Well, for the next 30 minutes, I will be
outlining the steps we need to take. No, I am kidding.
But the bottom line is right now it is an interesting time
to be impacting cybersecurity. Every modern nation does not
know where the border is for behavior. There are no
international rules of engagement, and I observed the Russian
behavior from 1995 to 2000 and whatever today is.
For the most part, we have observed their offensive
capability on a daily basis. I have done thousands of hours of
forensics looking at some of the machines compromised from
threat actors in Russia, whether criminal or government-
sponsored. Sometimes it is hard to tell the difference.
The bottom line is if all we are ever doing is playing
defense, we are always going to be having a little mop-up on
Aisle 5 to do in cyberspace somewhere just because the
asymmetry between offense and defense, it is almost hard to
explain.
We are trying to defend millions of machines, but as long
as there is a communication channel into your organization from
another human and there is anonymity on the Internet, you are
hackable. It is just that simple. Whether that communication
channel is email, Skype, instant messaging. Facebook wall is
just waiting for somebody and baiting them to it.
So this is a complex channel where you have to have a
doctrine that imposes risk and repercussions. The problem is it
is also hard to write a red line in cyberspace. The demarcation
of what is acceptable and what is not acceptable is still
blurry.
What I have seen in the last few years--and I am indirectly
answering your question--is we are seeing indictments. We are
getting attribution. We are making indictments. A lot of people
ask, ``Does that matter?'' The answer is yes. We have a
sovereign nation and a Department of Justice pointing the
finger at nation-states and individuals in those nations.
Over time, even if the government cannot impose risks and
repercussions, the Internet experience from nations that harbor
cybercriminals and different--what I call trench warfare in
cyberspace by nation-state actors, their Internet experience is
actually going to be different.
There are private sector organizations that block every
Internet Protocol (IP) address from Russia today. That is going
to expand and expand and expand.
The bottom line is the private sector is doing what is in
its realm to defend itself, and it is looking to the government
to do its best to get attribution right and to impose risks and
repercussions and to have some predictable doctrine so that we
can govern the behaviors.
And it is going to happen. If we do not do anything soon,
Senator, what we are witnessing is escalation, and the reason I
told you the years I have been responding to Russia is for
whatever reason, in August 2015, we saw them change rules of
engagement that they followed with great discipline for the
prior 20 years. Suddenly, they started targeting wider, started
doing less counter-forensics, started attacking anti-Putin
professors, started posting things that they stole. Those
behavior changes, if unchecked, will keep escalating.
So we are going to have to sort it out. The answer to that
is going to be a lot of folks sitting in the room trying to get
that doctrine piece together. We have been working on this for
20 years. It is not simple. We have been admiring the
complexity of it, but we have to start somewhere.
And that is enough of my statement.
Senator Carper. All right. Thanks so much.
Jennifer, I will just use your first name, if you do not
mind.
Ms. Bisceglie. No, that is fine.
Senator Carper. Again, two-part question. Do you believe
the United States could do more to deter and prevent
cyberattacks on our election infrastructure in order to protect
our democratic process? And, second, what steps in particular
would you recommend that we take here in Congress? Where should
we focus first?
Thanks.
Ms. Bisceglie. Thank you.
And I absolutely agree with everything that Kevin outlined.
Back to the Federal Information Technology Supply Team Risk
Management Improvement Act, to me, this is a perfect example of
where they could have some impact. It is really the players
that are at that table looking at what the doctrine should be
and then really looking at all of the sub-tier relationships
because it is not happening at the voting machine level. It is
all the components in it that expose you to a lot of the
communication concerns that Kevin just outlined. To me, that is
a perfect opportunity for what you have put out there to say
let us really understand all the different levels, all the
different players, what is important, where the opportunities
are that we are exposed to, because I agree we need to have an
offensive, but we do need to have a defensive at the same time
because you have people involved.
And so I think if you follow the steps that Kevin just
outlined, it is perfect. Take this act. Take this bill that is
out there and really start focusing on the sub-tier
relationships, and we are going to be better off.
The last thing I would like to talk to you--and it comes
from all the questions that have been asked--you really cannot
separate these two conversations. The supply chain and the
cyber concern is a physical and a digital relationship, and you
cannot separate those things anymore. Whether you are talking
about the F-35 or logistical ports or voting machines, this is
the same conversation, and it has to be done hand-in-hand or we
are going to miss something.
Senator Carper. Thanks to both of you. In fact, thanks to
all of you.
Chairman Johnson. A quick little comment. This is really
more Senate Foreign Relations Committee, but we held a hearing
with North Atlantic Treaty Organization (NATO). The question I
raised in that hearing last week and the one I will continue to
raise is we need an attitude change. When you look at NATO, the
combined economic firepower of NATO is well north of $30
trillion. Russia is less than two. How can NATO, how can the
EU, how can America allow that puny little economic power push
us around this way? Because we just have to change that
attitude. We are the 800-pound gorilla, and it is really absurd
what we are allowing Russia to get away with.
But, anyway, I have questions. I want to ask each of you--
and I will start with Mr. McBride. Who should be in charge of
this effort? Which Department, which agency is best positioned
to be in charge of GMD, EMP, and I would say even responsible
for reestablishing the grid, even with a cyberattack?
Mr. McBride. I believe as the sector-specific agency for
the electric grid in the United States, the Department of
Energy should be in charge of mitigating this threat.
Chairman Johnson. So, obviously, Department of Defense,
Department of Homeland Security would be involved in that, but
the lead agency should really be the Department of Energy?
Mr. McBride. I believe that to be the truth. Yes.
Chairman Johnson. OK. Ms. Lanier, when it comes to drones,
what do you think? You have been in law enforcement. Who should
be in charge of that effort?
Ms. Lanier. Well, in charge of the effort, I would say
probably DHS.
Chairman Johnson. Because right now, it is FAA.
Ms. Lanier. Correct. I would say probably DHS.
And I would also say that, as I mentioned in my testimony,
both my written and my oral testimony, I think it is really
important that we find some way to integrate State and local
law enforcement on the back side of that DOJ-DHS effort. I
think they are really important. That is why they are the first
responders.
And the threat that is posed by drones that detect and
interdict, it is going to be critical to have State and local
law enforcement tied in there.
Chairman Johnson. Mr. Mandia and Jennifer, in terms of
cybersecurity, who should be taking charge?
Mr. Mandia. It is going to depend on mission. It is that
simple.
Right now, when it is law enforcement, you see the FBI
primarily present, but local law enforcement will be present as
well.
In regards to other operations in cyber, you will have the
intelligence agencies. I just think it is more complex because
you also had the private sector, and there is usually an
alignment by industry where energy companies and utilities are
aligned to figure out what is best practice for us and what do
we do. The financial services and the Financial Services
Information Sharing and Analysis Center (FS-ISAC) are aligned.
So you see the private sector trying to regulate the private
sector in many ways as well. I gave you that example, the
payment card industry.
I think it is hard to pick. Do you have one cyber czar in
charge of all this when you have so many missions and so many
industries impacted by it?
Right now the system is working pretty well. I think
probably the biggest change we could make in the government is
because there is a shortage of cybersecurity professionals, you
may want to have the DOD doing what they do. The intelligence
agencies are doing what they do, and there may be other
agencies like FAA and a few others that need to do it alone,
but there is probably an opportunity to consolidate a single
computer emergency response team--that is the security
operations center for 100 government agencies. Why not? We do
not have the effort to do it.
Chairman Johnson. Where should that be housed?
Mr. Mandia. Sir, I would pose that question to you.
Chairman Johnson. Well, Ms. Bisceglie.
Ms. Bisceglie. So it may be a little snarky, but my point
is whoever is going to actually do it is who should do it.
Chairman Johnson. That would be good criteria, right.
Ms. Bisceglie. So the latest one I have seen for supply
chain in cyber is Homeland Security. If we are going to do
this--and I do agree with what Kevin, again, just laid out.
But my thought is I would have a dotted line. I would have
the alignment by industry because even when you look at an
industry, you have all the different pieces that go into it. So
I would have the dotted line to Department of Energy, to the
DOD, to whatever they are responsible for, get away from the
partnerships. The idea of a GSA and DHS partnership is really
very difficult. Somebody has to be responsible.
And then, again, get away from the political agenda, which
to the point that you just said forces that cultural shift that
really needs to occur.
Chairman Johnson. You have all mentioned that you really
need the information sharing with private sector and
government. That has always been the problem with DOD taking
charge, and that is one of the reasons people look at DHS as
kind of the default agency that can work with private sector.
But, again, who has the greater capability?
Ms. Bisceglie. So, in my opinion--and I do not want to put
myself out of business, but this is--to the point that you
said, this is a culture.
There was actually a memo that you are probably aware of
that went around last year in the Department of Defense that
actually gave their people permission to talk to industry. That
is not a law. That is a culture. And so the more that we help
folks understand that businesses are the ones that are going to
solve this--this is not government to solve. Regulatory, I
agree with. It is businesses to solve and change the culture.
Chairman Johnson. I think there may be reluctance from the
private sector to be contacting DOD or NSA.
Mr. McBride, I will just have you chime in on this one on
cyber. You have some knowledge of this.
Mr. McBride. Yes. So, for several years, Idaho operated the
Industrial Control Systems Cyber Emergency Response Teams (ICS-
CERT). So we were in a reactive mode. Where there is an attack
in the Ukraine, we send fly away teams out, collect that
forensic data from their networks. We reverse-engineer that in
our malware lab, understand what the malware can do, and
develop mitigations for that.
Department of Homeland Security has now closed the ICS-
CERT, and now it is all operated through the National Crime
Information Center (NCIC) here in--I believe DC.
Sharing information with the asset owners that need to know
what the threat and intelligence is has been a difficult
problem. I think we can improve that. Some people are now
getting security clearances, where the threat intelligence can
be shared with them.
There is a new program that has just been stood up that is
trying to change from a reactive mode into more proactive.
Countries like Chechnya, Estonia, the Ukraine, they have told
us that they feel like they are test beds for Russia. So Russia
develops a cyber capability. They exercise that on one of these
three countries.
We have people all over the world collecting intelligence.
We want to be able to develop mitigations for threats,
vulnerabilities, and malwares that are discovered prior to
arriving on U.S. soil.
The intent is to create a proactive mitigation strategy for
cyber threats.
Chairman Johnson. OK. But do you all agree somebody has to
be in charge? I mean, this cannot be five, six, seven different
agencies, just line authority and nobody really with the
authority to make sure that there is commonality in our
approach and that type of thing. Just yes, yes, yes, or what is
it?
Mr. Mandia. It is tough because I still think it aligns by
industries. If there was an all-out cyber campaign against this
Nation, you are going to see the financial services circle the
wagons. You are going to see the utility circle the wagons.
Largely, a lot of the attacks against those two groups may be
wholly different.
If you are attacking a utility to shut it down, the attack
looks one way. If you are attacking the financial services to
disrupt it, it may look a little bit different.
What I have observed in threat actors is they actually do
align a little bit by industry. So you will circle the wagons
that way.
Overall, coordinating that event and that response, it is
hard from where I sit to say it is not the DOD during times of
war.
With that being said, during times of perceived peace,
right now, I have observed we have a shortage of folks to
protect our networks. It would make sense to centralize for
most government agencies that defense component and capability.
Chairman Johnson. I am just going to continue down my list.
I have a lot of questions here.
Mr. Mandia, you are talking about attribution----
Senator Carper. Mr. Chairman?
Chairman Johnson. Pardon?
Senator Carper. Could I just follow up on your question?
Chairman Johnson. Sure.
Senator Carper. It is just a follow-on, if I can.
When we passed out of this Committee legislation
reauthorizing DHS, one of the provisions in that
reauthorization dealt with National Protection Program
Directorate (NPPD) and in which we sought to make it clear that
they had the skills, the responsibility and so forth to work in
this arena.
I think a bunch of us believe that we all share the goal of
ensuring that NPPD functions as a full component of the
Department and it has resources that are necessary to carry out
what we all think is a critical cybersecurity mission.
Would any of you care to comment on the importance of
authorizing a dedicated cybersecurity agency within DHS to work
with the private sector in order to address these kinds of
threats?
Ms. Bisceglie. I think it is very important. I think it is
important to have somebody in charge with a charter, and if
NPPD is the place, they have to have a charter. They have to be
resourced appropriately from a skills set standpoint as well as
financially, and then they need to be held accountable and
again not just around activity but for the integration across
the players, as Kevin keeps outlining, and what are we actually
doing about it?
Senator Carper. Thank you.
Anyone else?
Mr. Mandia. Centralized is going to be better than
decentralized.
At the end of the day, you look at what Britain did and the
UK. They have one place where everybody reports every single
event to, not a multitude of them. Overall, you will have a
better learning system if you do centralize all the intel
coming in and have one coordinating point. Yes.
Senator Carper. All right. Thank you, Mr. Chairman.
Chairman Johnson. Israel has one directorate reporting
right to the prime minister. So we need to look at those
models.
But, Mr. Mandia, you were talking about attribution
offense. What came to my mind during that process was just
definition of the problem too.
I have been doing this for 7 years, and I kind of define
the whole cyber issue in four buckets--crime, cybercrime;
espionage, industrial espionage; then just malicious activists,
OK; and then warfare, those four buckets.
I completely agree with you. As long as we are just on
defense, that is where we are going to be, and offense is going
to get better and better capabilities.
You need to have some kind of deterrent, but the problem
there is attribution and if you go on offense, to do it right.
Can you just speak to that concern?
Mr. Mandia. Well, I do know this. You can easily frame it
exactly how you just did. You have criminals. You have
espionage. You have just malicious intent, destroy whatever you
can, and you have warfare.
But what we observed was amazing for me. In September 2015,
we had some kind of agreement with China. I do not know if it
was written or not, but what we observed in cyberspace is prior
to August 2015, we saw between 60 to 80 U.S. companies
compromised every month from cyber espionage campaigns out of
China. August, it goes down to four.
Chairman Johnson. And you wrote the book on that, right?
Mr. Mandia. Right. Well, we exposed it in New York Times in
2013 just because it felt unfair having folks barge into a
building in a military unit and hack into a brick-and-mortar
firm in the United States, did not seem like a fair fight.
The bottom line is we saw, after some agreement was
reached, those attacks go down to four and hold steady for a
long time. So there are certain nations we can, in fact, have
agreements on rules of engagement, and I would argue, we have
had them for decades with Russia even until recently. It seems
like they have escalated.
So where you can get that kind of agreement, we should do
it, and where you cannot, that is where the complexities arise.
Chairman Johnson. Well, to get back to your point about too
much classification--again, I will go back to Kaspersky. When
we first found out about that, we knew about them for almost a
decade. We allowed that business to grow and be a security
platform for most computers here and exposed ourselves. To me,
that public exposure is incredibly important.
I mean, in your Mandiant report, I think it was 2014 on the
People's Liberation Army's (PLA's) little operation there.
China, I think is particularly sensitive to public exposure
and disclosure on these things.
I think Russia certainly could possibly, as long as we are
making them pay a price for these things.
I could not agree with you more that we way overclassify
these, and it is to our own detriment. And we are saying we do
it for national security, and I think we are actually risking
our national security by not making more of these things
public.
I want to talk a little bit about government control versus
private sector. Private sector would be more nimble. When I sat
in a hearing over there early on--this was in probably 2012--
talking about the Collins-Lieberman bill, a representative from
DHS--I asked him point blank, ``How long will it take you to
write the regulations, contemplating this piece of
legislation?'' With a straight face, he said about 7 years.
To me, an insurance model will really help discipline this
process. I would like you to talk a little bit about that, Mr.
Mandia, because you sort of touched on this. Where are we in
terms of insuring cyber risks, and do you think that is an
effective model?
Mr. Mandia. Well, I do think it has been in the discussion
since the late 90s. When you look at risk, most CEOs want to
deploy their own risk framework to their organization. If you
are not a regulated entity, it is your risk profile that you
need to implement at your company.
I do believe insurance--I think it is inevitable, quite
frankly. We have talked about it for multiple decades, but
there is cyber insurance available, and the question becomes
who sets the floor for how good we are at cybersecurity?
It is real hard for the government to have sweeping
legislation that says here is how good you need to be whether
you make cupcakes, make hamburgers, or make missiles.
I do not think it works. I think you can self-regulate, and
the private sector can do this. And insurance is probably one
way where that can come to fruition. That if you do want cyber
assurance and maybe even you have to get it if your company is
shaped a certain way, has a certain number of employees, or for
maybe certain industries. We have regulations for utilities. We
have them for financial services. Those are pretty much taken
care of, but for a lot of the mom-and-pop shops that are
driving business, maybe insurance is the right route in that
they get--basically it will be the insurance companies that say
here is how good your cybersecurity needs to be, here is the
floor, and at least we can start benchmarking the
infrastructure security.
Chairman Johnson. Well, then through the supply chain too,
like International Organization for Standardization (ISO)
certification, you can also certify sub-tier suppliers to do
those audits again. That can all occur in the private sector.
Senator McCaskill, do you have any further questions?
Senator McCaskill. No.
Chairman Johnson. Let me in this case--because, again, we
had some good questions. We have some real experts here. Is
there something that somebody touched on that we were not able
to really kind of flesh out?
I will just kind of go down the list or down the witness
panel here. Is there something you want to say just in a
closing comment? Mr. Mandia.
Mr. Mandia. No. I have said enough.
Chairman Johnson. OK. Ms. Lanier.
Ms. Lanier. Yes. I think I missed an opportunity to
reemphasize the main points that we wanted to get across today.
Again, I mentioned in my written testimony, we support the
Federal Aviation Administration's efforts to adopt and
implement the remote identification requirements for all or
nearly all drones that are sold or operating in the United
States.
We also feel that Congress should revise the hobbyist
exemption in Section 336 of the FAA Modernization and Reform
Act of 2012. The current hobbyist exemption permits far too
many drones to be operated by unlicensed and untrained pilots.
And we support the aims of your bill, the Preventing
Emerging Threats Act of 2018, which would extend drone
interdiction authority to Department of Homeland Security and
Department of Justice. The bill represents an important step
forward in helping to provide greater protections. We just want
it to go a little further and include State and local law
enforcement officers that are on the front lines every day at
mass gatherings trying to protect thousands of people.
So thank you for letting us participate.
Chairman Johnson. That would be the next step, no doubt about
it. Mr. McBride.
Mr. McBride. So I would like to mention that in the United
States, we have public power utilities like Request for
Equitable Adjustment (REAs), co-ops, and municipals. They are
owned by their members, by their customers, and they are
unregulated. And then we have the investor-owned utilities
which are regulated. They are regulated by the State public
utility commissions and by the Federal Energy Regulatory
Commission (FERC). I think it is important that government-
private partnership be developed because the utilities that are
not regulated, unless they are told they have to do something,
they are probably not likely to do it. So I believe the
responsibility to the asset owners would be to identify, do the
modeling and analysis, to identify those critical assets that
need the protection against the threat of EMP or GMD, and then
the government, I think has to help them implement the
mitigations for those.
Chairman Johnson. Thank you.
Ms. Bisceglie, did I ever get that right?
Ms. Bisceglie. That was awesome. You did.
Chairman Johnson. Oh, OK. Great.
Ms. Bisceglie. I think our biggest thing was to really
centralize it and line item fund it, but on your last question,
if I could, the difference to government and the private
sector, I think the biggest thing--and again, I think that the
bill for the Federal Information Technology Supply Team Risk
Management Improvement Act, the Government really needs to
understand what they are inherently responsible for and what is
important to them. So is it the voting machines that were
involved in the Census 2020? What is important? Use this act to
actually drive that home.
Focus on that risk tolerance. That is where the
regulations, the policies, the auditing that was just mentioned
by Mr. McBride--we do not get asked. Like Continuous
Diagnostics and Mitigation (CDM), the latest version of CDM
actually has a supply chain risk management as a requirement in
procurement, and nobody is being audited against what is being
done or not being done. I think it is a great question to ask.
And then I think the last thing is what I mentioned before.
Again, I did hear a lot here. In any of these things, we cannot
separate cyber and supply chain because they are one-in-one,
hand-in-hand right now.
Thank you.
Chairman Johnson. Again, thank you.
I cannot help but notice and comment on the fact that prior
to this hearing--this was always Senator McCain, who--again, we
all respected--in his last couple of years as Chairman of Armed
Services, he was not in this Committee as often, but we all
traveled with him. We saw his commitment to individual liberty,
freedom, the type of hero he was not only in America, but you
go over to Ukraine because he was fighting for, again, those
kind of democratic values.
So we already do miss him. We sorely miss him. I am
reminded just kind of looking at a different name in his spot.
And I also want to welcome Senator Jon Kyl, who I also have
a great deal of respect for. He has done a lot of work in terms
of national security, maintenance of our nuclear stockpile to
keep this Nation safe.
So I wanted to make those comments as we close out this
hearing.
But, again, thank you for your testimony. You put a lot of
work into it. You really did. I appreciate that. They will be
in the record, and the hearing record will remain open for 15
days until September 28, 5 p.m., for the submission of
statements and questions for the record.
This hearing is adjourned.
[Whereupon, at 12:04 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
| MEMBERNAME | BIOGUIDEID | GPOID | CHAMBER | PARTY | ROLE | STATE | CONGRESS | AUTHORITYID |
|---|---|---|---|---|---|---|---|---|
| Enzi, Michael B. | E000285 | 8328 | S | R | COMMMEMBER | WY | 115 | 1542 |
| Carper, Thomas R. | C000174 | 8283 | S | D | COMMMEMBER | DE | 115 | 179 |
| McCaskill, Claire | M001170 | 8252 | S | D | COMMMEMBER | MO | 115 | 1820 |
| Peters, Gary C. | P000595 | 7994 | S | D | COMMMEMBER | MI | 115 | 1929 |
| Lankford, James | L000575 | 8113 | S | R | COMMMEMBER | OK | 115 | 2050 |
| Hoeven, John | H001061 | 8331 | S | R | COMMMEMBER | ND | 115 | 2079 |
| Paul, Rand | P000603 | 8308 | S | R | COMMMEMBER | KY | 115 | 2082 |
| Johnson, Ron | J000293 | 8355 | S | R | COMMMEMBER | WI | 115 | 2086 |
| Daines, Steve | D000618 | | S | R | COMMMEMBER | MT | 115 | 2138 |
| Heitkamp, Heidi | H001069 | | S | D | COMMMEMBER | ND | 115 | 2174 |
| Harris, Kamala D. | H001075 | | S | D | COMMMEMBER | CA | 115 | 2301 |
| Hassan, Margaret Wood | H001076 | | S | D | COMMMEMBER | NH | 115 | 2302 |
| Jones, Doug | J000300 | | S | D | COMMMEMBER | AL | 115 | 2364 |
| Kyl, Jon | K000352 | 8250 | S | R | COMMMEMBER | AZ | 115 | 655 |
| Portman, Rob | P000449 | 8266 | S | R | COMMMEMBER | OH | 115 | 924 |