
Senate Hearing on Cybersecurity Commission Report, CSPAN, May 18, 2020, 8:27am-10:32am EDT

8:27 am
White House briefings, updates from governors and Congress, and our daily call-in program "Washington Journal," hearing your thoughts about the coronavirus crisis. If you missed any of our live coverage, watch any time on demand.
>> Next, a look at protecting U.S. cybersecurity infrastructure and recommendations from a report by the Cyberspace Solarium Commission. This was held before the Senate Homeland Security Committee, with Ron Johnson the chairman.
>> This hearing is called to order. I want to welcome the witnesses. We have two cochairs of the Cyberspace Solarium Commission, Senator Angus King and Congressman Mike Gallagher. If I lived further north, Congressman Gallagher would be my member of Congress. We are pleased to welcome Suzanne Spaulding, who -- I'll
8:28 am
introduce people more formally prior to their -- also Thomas Fanning, two of the commissioners of the commission. First of all, I want to thank the cochairs and the commissioners for the important work on the Cyberspace Solarium Commission. I think the end product is excellent. I think it has solid recommendations. A number of these are within our committee's jurisdiction. We are working hard to evaluate those and the ones that we can get passed into law; some of these recommendations can be done through executive action. What I'd like to do with my time, I'll just enter my formal written statement into the record, I just want to talk about two of the commission's recommendations. When I got here in the Congress in 2011, cybersecurity was a hot issue. It still is. It's not going away. I remember the buzzword back then was we have to do something about
8:29 am
this. We've made a number of attempts, and quite honestly we've made a fair amount of progress. My own sense is the bad guys, the people on offense, always have an advantage, but I think we're catching up, closing the gap between offense and defense. There have been some very common themes. The first one is we need to do a better job of information sharing. I think we've accomplished that, certainly with the establishment of the Cybersecurity and Infrastructure Security Agency, headed up by Chris Krebs right now. By the way, I had a conference call with Director Krebs last week, and he was reporting that bad actors, cyber actors, are trying to take advantage of COVID, trying to steal some of the medical information on the development of a vaccine. This is a persistent threat that's not going away, which is what makes the commission's work so incredibly important. The first recommendation I want to talk about, that quite honestly we're working hard at
8:30 am
getting, hopefully, included in the National Defense Authorization Act so it can become law, is the need to put somebody in charge, a national cyber director. We held a hearing a couple of years ago with the Blue Ribbon Study Panel, and this was another panel, established on biodefense. It's interesting that the number one recommendation was the same as this commission's: we need somebody in charge. Not too long ago we held a hearing on 5G. Once again, the number one recommendation out of the committee hearing was we need somebody in charge of the implementation, the development of 5G, if we are going to compete in the world. So now, lo and behold, I think the number one recommendation out of this commission is we need somebody in charge. There is some controversy behind that. Exactly how to set it up is complex. I signed on to a letter with Senator Rounds, who is leading
8:31 am
the charge on the Senate Armed Services Committee, asking the commission to continue, while you still have your commission, to study and make recommendations on exactly how that national cyber director would be established and in what part of the administration that individual should be placed so that they could have the maximum positive impact. So hopefully the commission will stay together and make that recommendation, and we can get that included in the National Defense Authorization Act. The other recommendation is something that we did cover in a hearing with Director Krebs, both in a secure setting as well as in the public hearing, and that is the need for, Senator Hassan and I have a bill on this, the bill is called the Cybersecurity Vulnerability Identification Disclosure Act. There's just a need for CISA to be able to contact individuals when they know there's a
8:32 am
threat, and right now the only way they can contact those people is that they can literally subpoena the records to find out who those individuals are, to identify them so they can contact them. This shouldn't scare anybody. This shouldn't be an issue with civil liberties. This is a very necessary authority that CISA needs, and I'll ask everybody on our committee to do what we can, by hook or by crook, to hopefully get that in the National Defense Authorization Act as well. Anyway, those are the things I wanted to concentrate on. I don't want to steal the commissioners' thunder here in their testimony, or my ranking member Senator Peters' thunder with his opening statement, so I'll turn it over now to Senator Peters.
>> Very good, Mr. Chairman. Thank you. Thank you for bringing us together for this hearing, and thank you to our witnesses for joining us today and for your hard work on the Cyberspace Solarium Commission. I especially would like to thank our colleague Senator King for his leadership on cybersecurity
8:33 am
policy and for appearing before us today and subjecting himself to our questioning. So thank you, Senator King, for doing that. Cyber-attacks are one of the greatest threats to our national security and, as the commission found in your report, the United States is not thoroughly prepared to defend ourselves in cyberspace. The findings and recommendations included in your report could not have come at a more important time. Adversaries like China, Russia, and Iran have repeatedly attempted to hack into our critical infrastructure, interfere in our democratic processes, and engage in large-scale intellectual property theft. Most recently, the Chinese government launched a cyber-attack against our hospitals and health care research facilities in an effort to steal information on a coronavirus vaccine, an attack that threatened the health and safety of Americans. Every one of these attempted attacks is targeted to undermine our national and economic security. Without sufficient cybersecurity
8:34 am
tools, resources, and personnel, these attacks could have a devastating impact on our daily lives. Your report makes critical recommendations that Congress must consider as we work to ensure our country is better prepared to deter, prevent, and recover from malicious cyber-attacks. Your recommendations are wide-ranging, but boil down to three main goals: we must work with our allies to promote responsible behavior in cyberspace; we must deny benefits to adversaries who exploit our vulnerabilities; and we must impose greater costs on those who engage in malicious cyber-attacks. I have been proud to work on a bipartisan basis with many of my colleagues on this committee to advance legislation that will help meet some of these goals. I look forward to discussing these recommendations today and finding additional ways we can continue to strengthen our
8:35 am
cybersecurity protections. Thank you again to all of our witnesses for joining us today, and I look forward to your testimony.
>> Thank you, Senator Peters. I know this is a web event, not in person, but it is the tradition of this committee. I'll ask you to swear that the testimony you will give before this committee will be the truth, the whole truth and nothing but the truth, so help you God. Thank you. Our first witness is Senator Angus King. Senator King is a cochair of the Cyberspace Solarium Commission. Since 2013 he has served as the first independent senator from the state of Maine. Prior to joining the Senate, he was the governor of Maine for two terms. He's a graduate of Dartmouth College and the University of Virginia Law School. Senator King.
>> Chairman Johnson and Ranking Member Peters, thank you for the opportunity to testify before you. What I'd like to do is give you a little background on the commission, what our fundamental findings were, and then talk
8:36 am
about our strategy of layered cyber deterrence. First, the commission. It was set up by the 2019 National Defense Act, and the mission of the commission was to establish an overall strategic direction for American policy in cyberspace. That's number one. And number two, to make recommendations for implementing that strategy. It was made up of 14 members: four from the Congress, four from the executive, and six from the private sector. It was entirely nonpartisan. There were really no partisan discussions whatsoever, and apart from the four members of Congress, I have no idea of the partisan affiliations of any of the other members of the commission. We had 29 in-person meetings. We interviewed over 400 people. We went through thousands of pages of documents and ended up with 81 recommendations, 57 of which require legislative action,
8:37 am
which have been submitted to the various committees and the staffs in the Senate and the House. So what are the fundamental findings? The real basis of the commission rests upon three issues. One is reorganization: get the structure right. The chair talked about this at the beginning. The second is resilience: how do we build cyber defenses to keep ourselves safe from attack? And the third is response: how do we respond to attacks in such a way as to defend our country? The fundamental strategy, if you will, is called layered cyber defense, layered cyber deterrence. Here are the layers. Number one is shape behavior. That is, establishing norms and standards in the international community so that this isn't a unilateral, one-country kind of
8:38 am
effort. The second is to deny benefits, and that is to strengthen our cyber defense, and that is where the reorganization of CISA, which others will talk about, comes in. But basically, be more resilient, and that includes plans for the recovery of the economy in the case of a cyber attack. The third is the strategy of deterrence. We have been attacked over and over over the last ten or 15 years, and our adversaries have paid very little price. We need to establish a clear declaratory policy that if you attack the United States in cyberspace, you will be able -- you will have to pay the cost, and that's really the fundamental idea of deterrence. We have to be clear about it, and we've got to have our adversaries make the calculation that attacking us
8:39 am
is going to cost them. We want to change their calculus when they are making that decision, and that's the fundamental strategy that we're going to be presenting to you today. Thank you very much for holding this hearing. I look forward to answering your questions.
>> Thank you, Senator King. Our next witness is Congressman Mike Gallagher. He is the cochair of the Cyberspace Solarium Commission. He represents Wisconsin's Eighth Congressional District in the U.S. House of Representatives. He received a bachelor's degree from Princeton University and a PhD from Georgetown University. He served in the United States Marine Corps for seven years and did two deployments in Iraq. Congressman Gallagher.
>> Thank you, Chairman Johnson, Ranking Member Peters, and members of the committee. It's an honor to be presenting the findings of the Cyberspace Solarium Commission, and thank you to you and your staffs for engaging so proactively with the work of the commission as we try and turn our recommendations into actual legislation. We start really from a sobering
8:40 am
recognition, similar to the one which animated the original Project Solarium some 67 years ago, which is that the status quo is not getting the job done. I would wholeheartedly agree with Chairman Johnson that we've taken important steps towards reform, such as standing up CISA and U.S. Cyber Command, but for a variety of reasons we have yet to achieve the speed and agility that is necessary for survival in cyberspace. How do we get there? As my good friend and fellow cochair Angus King continually reminds me, structure is policy. I'd like to talk a bit about our recommendations related to structure. First, we believe we must create a House permanent select and Senate select committee on cybersecurity in order to streamline congressional oversight and authority. Second, we believe we must establish a Senate-confirmed national cyber director, that Chairman Johnson talked about, to
8:41 am
lead national-level coordination for cyber strategy and to serve as a public voice for cybersecurity and emerging technology issues. Third, we believe we need to strengthen CISA to ensure the national resilience of critical infrastructure, conduct national risk management and cyber campaign planning, and facilitate public-private collaboration, ultimately allowing CISA to compete for talent not only with the NSA but with Google and other attractive private sector companies. Fourth, the commission lays out ways to recruit, develop and retain a stronger federal cyber workforce and thereby close our 35,000-person federal cyber workforce gap. Fifth and finally, we believe we need to strengthen our cyber supply chain. The commission has taken an approach that believes in the power of free and fair competition to breed innovation, but our current approach amounts to little more than occasionally limiting the access of firms that we don't
8:42 am
trust into our markets. I believe this isn't working. Consider the competition for 5G, where the Chinese Communist Party is able to subsidize their national champions like Huawei, thereby advancing the goal of dominating the global market without having to respond to market forces. To counter this, the commission calls for investing in information and communications technology, intellectual capacity, and reinvigorating our investment in research and development. This will cost some money, but whether in terms of responding to a pandemic or responding to a massive cyber attack, we believe America can no longer afford to depend on the largesse of the Chinese Communist Party for critical technology. With that, I'd like to once again thank Chairman Johnson, Ranking Member Peters, along with my cochair Angus King, as well as Commissioners Tom Fanning and Suzanne Spaulding. What really made this a unique experience was the quality of participation we got from our outside experts, the executive branch and, of course, the sitting members of
8:43 am
Congress. I look forward to your questions.
>> Thank you, Congressman. Our next witness is Ms. Suzanne Spaulding. She's a commissioner of the Cyberspace Solarium Commission and the senior advisor for homeland security at the Center for Strategic and International Studies. She was the under secretary for the Department of Homeland Security's National Protection and Programs Directorate from 2011 to 2017. She previously served six years at the Central Intelligence Agency as assistant general counsel and legislative advisor to the director's Nonproliferation Center. Ms. Spaulding.
>> Chairman Johnson, Ranking Member Peters and members of the committee, thank you for this opportunity to testify here today. I want to touch briefly on the areas that I think can and should be acted upon quickly, particularly given the vulnerabilities that have been exposed by the pandemic. The first is strengthening DHS's Cybersecurity and Infrastructure
8:44 am
Security Agency, or CISA, the organization that I led as under secretary and that DHS now calls CISA, thanks in no small measure to the work of this committee, for which I am grateful. Congress recognized CISA's central role in reducing cyber risks, and the commission strongly endorses this view. With malicious cyber actors targeting hospitals and health research, and an at-home workforce presenting a massive attack surface, CISA's work has never been more important, which is why we urge Congress to provide the agency promptly with the resources and authorities that it needs, including mission support functions, to be able to be the national risk manager, provide continuity of the economy planning, identify systemically important critical infrastructure, and coordinate planning and research across the
8:45 am
federal government and with the private sector. Second, with regard to improving the cyber ecosystem and reducing vulnerabilities, the commission understood that markets are usually more efficient than government and can drive better cybersecurity. We looked at why the market isn't performing that function today, and a key reason is that markets need information in order to be effective. To provide this information, we ask that Congress establish a national cybersecurity certification and labeling authority to help consumers make informed decisions when buying connected devices, publish guidelines for cloud security services, create a Bureau of Cyber Statistics, promote a more effective and efficient cyber insurance market, and pass a national data breach notification law. Finally, I believe one of the most important pillars in the report is resilience. We need to reduce the benefits
8:46 am
side of the adversary's cost-benefit analysis. Sometimes the most cost-effective way to reduce cyber risk will be reducing our dependence on those networked systems, developing redundancies, perhaps even analog backups, for cyber-dependent ways of interacting. Paper ballots are a way of building resilience into infrastructure, for example. We have a number of urgent election recommendations, but I would like to conclude with our recommendation to build public resilience against disinformation. Media literacy can help, but we really need to focus on defeating a key objective of our adversaries, which is to weaken democracy by pouring gasoline on the flames of division that already occupy online discourse, pushing Americans to give up on our institutions, not just elections, but the justice system, the rule of law, and
8:47 am
democracy. They seek to destroy the informed and engaged citizenry upon which a democracy depends. To defeat our adversaries' objective, the commission calls for reinvigorating civic education: help Americans rediscover our shared values, understand why democracy is so valuable, that it is under attack, and that every American must stay engaged to hold our institutions accountable and continue to move toward a more perfect union. Thank you for the opportunity to testify, and I look forward to your questions.
>> Thank you, Ms. Spaulding. Our final witness is Mr. Thomas Fanning, also a commissioner of the Cyberspace Solarium Commission and the chairman, president and CEO of Southern Company, one of the nation's leading energy companies. He has worked for Southern Company for more than 38 years and currently serves as co-chair of the
8:48 am
Electricity Subsector Coordinating Council, the principal liaison between the federal government and the electric power sector on matters of national security, from terrorism and cybersecurity to disaster recovery. He has previously served on the board of directors and as chairman of the Federal Reserve Bank of Atlanta. Mr. Fanning.
>> Good morning. Thank you, Chairman Johnson, Ranking Member Peters, and members of the committee for the opportunity to testify today. The United States is at war. Virtually unchecked for years, our adversaries have been stealing our intellectual property and disrupting American commerce and our democratic way of life. This war is being waged primarily on our nation's critical infrastructure, mainly the energy sector, telecommunications networks and our financial system. Fully 80-some percent of the critical infrastructure of the United States is owned and operated by the private sector, making
8:49 am
collaboration between the private sector and the government imperative. The Cyberspace Solarium Commission was created to reimagine U.S. national security doctrine for this new digital reality. The layered cyber deterrence approach outlined in the Solarium Commission report serves as a practical roadmap to protect, prepare, hold accountable, and respond to existential cyber threats. We proposed a three-pronged strategy for success: reshape behavior on the battlefield, impose costs on our adversaries, and deny benefits to our enemies. Currently there is no internationally accepted means of escalation and de-escalation in cyberspace. The first step in reshaping behavior on this battlefield is to define state-accepted behaviors in cyberspace, to include clear consequences for behaviors that are not acceptable.
8:50 am
Then we need to communicate these behaviors not only to our friends but also to our adversaries who attack us. Every day American companies like Southern Company face millions of cyber attacks, including from nation-state adversaries. With the full support of the private sector, the federal government must advance a strategy to defend forward and an offensive posture in cyberspace through regular, persistent engagement with friends and foes alike. This engagement must include the full weight of the federal government, including the Department of Defense, the FBI, the Secret Service and the intelligence community, to allow for rapid and effective responses to these attacks. The third strategic prong is to deny benefits to our enemies. We can do that by strengthening the critical infrastructure's ability to build and maintain continuity against a cyber attack. We must also take steps to reshape the cyber ecosystem, the
8:51 am
people, processes, technology and data that make up cyberspace, for its greater security. Finally, we must create a true joint effort between the private sector and the federal government. This includes moving beyond information sharing to allow common access to collaborative analysis, joint planning and action. It means clearly identifying the systemically important critical infrastructure and bringing to bear the full resources of the United States government in supporting and defending them from nation-state attacks. Senators, the public and private sectors are true partners in this effort. We must move forward in better harmony. I am confident that the Cyberspace Solarium Commission report and recommendations will help us to do that. I'm happy to answer any of your questions.
>> Thank you, Mr. Fanning. Let me just quickly start out. Senator King, I'm assuming you received the
8:52 am
letter from Senator Rounds asking the commission to study, actually up to the point of proposing legislative language, the exact structure for the national cyber director. Is this something, is that a mission you accepted?
>> Absolutely. I talked with Senator Rounds about that last week, and I think the questions are good ones, and I think it's appropriate. We're going to apply ourselves to answering those questions and try to flesh out some of the details of how this new office would work, what the authorities would be, and how it would fit in with the federal government.
>> Thanks. Congressman Gallagher, my second point was giving CISA that subpoena authority so when they identify a threat they will be able to find out who is being targeted by that threat and provide notice. What are the prospects for a
8:53 am
bill to accomplish that? What are the prospects in the House?
>> We very much support the recommendation and appreciate the work that you are doing. We fully support the bill language. As for the prospects in the House, I can't give you a good assessment right now, but we are working with the committees and really sort of leveraging one of the unique strengths of the commission, which is that Jim Langevin, who is the other House member on the commission, a Democrat, has enormous influence within his caucus on these issues. He's a subcommittee chair on a relevant cyber-related subcommittee, and he's been a champion of this proposal as well as some of the more hotly debated proposals, such as the creation of a cybersecurity committee in the House. But I just would say we believe that the administrative subpoena authority as called for in the commission's report and as called for in your legislation would strengthen CISA's ability
8:54 am
to be proactively detecting vulnerabilities in critical infrastructure and help secure them before they are compromised. The final point I would make, and this is very much in line with the approach we tried to take throughout the report, which is not to create a bunch of new agencies with fancy new acronyms, but to take a look at agencies that exist now, particularly CISA, and figure out how we elevate and empower it and give CISA the tools that it needs in order to accomplish its very important mission.
>> If you can spearhead the effort in the House so we could have the same language, so it passes one chamber and we're not ping-ponging back and forth. My goal would be to get this attached to the National Defense Authorization Act. Ms. Spaulding, you mentioned the need for a national data breach notification. When I started to talk about the need to do something back in 2011, those were always the first two goals, better information sharing and a national preemptive
8:55 am
standard for data breach. I didn't realize how incredibly complex and difficult that was. That's part of your recommendation. Do you have a secret formula for actually accomplishing that?
>> Unfortunately, Mr. Chairman, we do not. We understand that Congress is going to need to work through those issues. Our recommendation was really designed to describe the elements that we think need to be in this legislation and add wind to your sails as you attempt to corral your fellow members into reaching consensus, because it is something that is so important to achieve on a national level, as you fully understand. We have breach notification laws in effect. There are over 50 of them. Every state has their own, and it is difficult, obviously, for businesses that operate across state lines, but it also doesn't result in the kind of statistics and information on a national scale
8:56 am
that could help, for example, this national Bureau of Cyber Statistics, that could help advance the cyber insurance market, would help CISA trying to make the case to management for return on investment. That's the kind of information that a national breach law could help accomplish.
>> As you well know, we will need a lot of help. I'm not even sure we have our sails up, much less wind in them. Mr. Fanning, you and I've spoken in the past about my concern about EMP as a threat to our national grid. Cyber attacks represent a similar type of threat. Can you give us some assurance that we are addressing these problems so we have the resiliency within our electrical grid? What progress has been made? I'm particularly concerned now that Iran has successfully launched a satellite that is circling the globe and coming up
8:57 am
over America probably multiple times a day. That is a big concern of mine.
>> Yes, thanks. I appreciate our dialogues in the past. One of the points that I try to make is there needs to be a comprehensive approach to all of these issues. In fact, my leadership has been about seven years. We see cyber issues, natural disasters like hurricanes and tornadoes, and now we see the coronavirus pandemic. What we need to do is have a comprehensive approach where we harmonize the efforts of government with the efforts of the private sector, and let's not forget state and local governments and our international partners. The whole idea now is a comprehensive approach to this. I would say that every silo of government, and I would say the silos of the strategically important sectors of the economy, have been doing a pretty good job. But what we've got to do in
8:58 am
order to advance the ball for America is to harmonize these efforts and collaborate.
>> Thank you, Mr. Fanning. I'll reserve the rest of my time and turn it over to Senator Peters.
>> Thank you, Mr. Chairman. My first question is for Senator King and Mr. Fanning. Reports recently indicated the Chinese government has been sponsoring cyber attacks against our hospitals, government networks and our medical research institutions, presumably in search of COVID-19 vaccine research. This is clearly unacceptable. It puts Americans' lives at risk. My first question, Senator King, is how would some of the recommendations, specifically in this report of yours, enable us to combat these kinds of attacks we're seeing from China?
>> Well, first, I think it's important to note that China is a long-range problem in
8:59 am
cyberspace. They are clearly active. They want to be more active, and they're coming at us. I think if you go back through our recommendations, number one, we need to step back and start talking about establishing international norms and standards, so that if there's a violation, it's not only us that are calling foul, but it's the whole world. I think that's got to be part of the strategy for combating something like what China is doing. Secondly, we're talking about resiliency, which is strengthening our defenses. But the final piece that I think is so important is to let the Chinese and the whole world know that if you pull something like this, you are going to pay a price. We don't define what the price is. It doesn't have to be kinetic, it doesn't have to be cyber, it doesn't have to be a particular price, but there will be consequences, because I believe that one of the real problems with our whole cyber posture has been that we have basically been taking the punches without responding, and I want
9:00 am
our adversaries to say maybe if we do this we would get whacked in some way, shape, or form. This is exactly the kind of thing that we've been talking about. And, frankly, one of the things we talked about was if you come at us in a time of national crisis like the pandemic, the response will be even stronger. ... we weren't showing to the world just two, three months ago.
>> Thank you, Senator King, well said. Mr. Fanning, as the CEO of a critical infrastructure company, I'm sure you would like to jump in and add how we
9:01 am
protect infrastructure from the Chinese and others.
>> It's all over the place. My company alone gets attacked millions of times a day. That's not unusual for any critical infrastructure provider. One of the things I've championed over the years, and now we've formed, is a tri-sector group, guys like Jamie Dimon at J.P. Morgan and Brian Moynihan at BofA and Randall Stephenson. We've developed a joint threat matrix, basically modeling what the different kinds of consequences and likelihoods are for a whole spectrum of attacks, and now we're developing a wish list, and they're showing up in the Solarium space, kind of working through our work to make sure that we are consistent with what really is happening in the private sector and what we need to do about it as a federal government. As I can say, an important
9:02 am
point in this whole report, I think, is you don't see very many words like sharing and cooperate. It is collaborate. Since 87% of the critical infrastructure is privately owned, we have to illuminate the battlefield and share the effort of the intelligence community, of our sector-specific agency, and then the folks that will hold the bad guys accountable, FBI, et cetera. We all have to work together and all have to be accountable to make sure that we keep America safe.
>> Well, thank you. Thanks to both of you for that answer. We must do more to protect our nation's critical infrastructure from certainly these types of attacks, as you mentioned, and many other attacks that are happening on a daily basis. Recently I pressed the administration to hold the Chinese government accountable for irresponsible action, to make it clear that this is not going to be tolerated,
9:03 am
particularly during a time of pandemic, and there is going to need to be consequences. Whether it's our overreliance on China for medical supplies needed to address the coronavirus pandemic, I think we need to all stand up to the Chinese government and strengthen our national security, and this effort is so important. My next question for Senator King as well is the Solarium's recommendations regarding the continuity of the economy are particularly relevant given the challenges we're addressing here with the coronavirus pandemic. So in the event of a widespread or a prolonged cyber attack on critical infrastructure, I think we all agree the impact could be catastrophic. My question to you, Senator King: could you discuss the recommendations, and what lessons do you think we should be learning from COVID-19 for a long-term cyber attack?
>> One thing we've learned is the necessity of planning, the
9:04 am
necessity of thinking the unthinkable, of putting smart people into a room and talking about what could happen and what would happen and how to bring the economy back. i think the continuity of the economy planning and setting that up as a real function is one of our most important recommendations, and you've got to be-- we've got to be thinking about what happens if the northeast grid goes down or the southern grid, we've got to be thinking about the lessons that we're learning now. some unanticipated. frankly, i think once we get through this awful situation that we're in now, one of the most important things is an after action assessment. what i call an after action assessment, what did we learn? what was missing? what are the critical functions? what are the pieces that we need to be paying attention to that are likely to be vulnerable? before i finish, also let me
9:05 am
mention, the chairman asked the question about breach notification. senator wicker, senator cantwell and senator moran have bills on that, i think they're all good bills and i think there are models that we can go forward with, but to get back to the continuity of the economy, i think it's absolutely a critical function. it's got to be strategic. it's got to be specific. and i want to be ready when this happens. it's going to happen, mr. senator, it's going to happen. i told somebody the other day, we are seeing the longest windup for a punch in the history of the world, but that punch is going to come. >> yeah, absolutely. thank you for that answer. thank you, mr. chairman. >> thanks, senator peters. let me just read off the list of questions in order. senator scott, carper, hawley, hassan, rosen, romney and lankford. now, i don't see senator scott on the board.
9:06 am
so if that's incorrect, have somebody text me, but right now we'll go to senator carper. >> thank you. nice to see all of you and good luck on so many of-- congressman gallagher, i don't know that i had the pleasure of meeting you, but look forward to that. a and-- that was before i read your bio, welcome. and great to have -- in the house. the benefit of being up close and personal watching what we've done and failed to do, and-- [inaudible] you'll recall tom coburn was my wingman on the committee, and
9:07 am
accomplished a lot with the support of several of the members here today in this hearing. just reflect back on some of the steps making -- you may recall [inaudible] and one of the things we finally did well-- so thank you. >> great to see you, senator carper and thank you for the question and thank you for all of your hard work over those years and continuing to today in your leadership on
9:08 am
cybersecurity and other issues, we did accomplish a great deal and i would say some of the most important things were solidifying the authority of what was then the national protection and programs directorate, now cisa. government operates mostly when it has a clear mission and helping to codify the existing mission of the cyber security and infrastructure resilience effort at dhs was a really important step forward so your work on the legislation to codify its operation center, the national cybersecurity and communications integration center, was very important to get those in place. codifying its role as the primary central place for the business sector to come with information. all right, and to be the key place that then gets information back out to the
9:09 am
private sector. so, clarifying very clearly what that mission is and that dhs had been tagged with that mission was really important and continues to be important. resourcing the agency: under your tenure the budget began to go up and has continued to rise, but really, it was so under-resourced to begin with, particularly with resources for the mission support functions that don't get the attention. typically it's easier for funding for a specific program to go out and do something, but the back office support for procurement, for acquiring the technology that needs to be acquired, for hr, human resources so we can bring in the talent that we need so badly to do this mission, funding those adequately becomes very important and the commission strongly recommends
9:10 am
that. to continue to make sure that the leadership there has the expertise that it needs, we recommended a five-year term for the head of that agency, so that they can be in there long enough to become familiar and then really move out on a strategy and making sure that we're doing the mission effectively. so, the things that you started, that the committee has continued to pursue, these continue, but they need to be accelerated and it all needs to be done as it has been to date on a bipartisan basis. i want to thank our co-chairs, senator king and congressman gallagher for leading us in a bipartisan and nonpartisan way. it's the way cyber security should be done and i hope will continue to be done. >> thank you for those kind thoughts. >> a friend and former colleague tom coburn passed away a little more than a month ago. >> i'm sorry to hear that. >> and after a long, long
9:11 am
battle with cancer, he left a great legacy and this is just one and trying to build on that. i think you mentioned in your remarks you used the words in order to form a more focused union and part of the-- preamble of our constitution and a reminder again as much as we tried in the past to do a better job in this regard, continuing to evolve, and sources evolve-- i remember when 9/11, the 9/11 commission, it was chaired by i want to say a former-- hamilton, one of the co-chairs and from new jersey, and they presented us with recommendations. [inaudible]
9:12 am
and we, our committee literally adopted all, but maybe a handful of recommendations. there was great bipartisan leadership. [inaudible] >> senator carper, if i could interject, mike gallagher has characterized our commission, the work we're doing, we want to be the 9/11 commission without 9/11. >> that's great. >> that's exactly what we're trying to do here, to think about how to respond and how to respond in a systemic across the government kind of way and the private sector, but that's the key. the 9/11 commission without 9/11. >> thank you, angus. >> and one of the things i tell my graduates: aim high, work hard, the golden rule and don't quit.
9:13 am
one of the areas we don't-- we haven't quit in, but don't have a lot to show for is our efforts to undoubtedly create a national approach, a uniform national approach. >> and that's one of our key recommendations. >> we look forward to working with you on that. there's so many different jurisdictions and competing issues and interests. with your help and support and maybe a good bipartisan whip finally get to-- >> thank you, senator carper and certainly appreciate you, again, pointing out senator coburn, that was a huge loss for all of us and for the senate and for this nation. i also appreciated miss spaulding's use of the term nonpartisan. i prefer that to bipartisan, that totally eliminates the
9:14 am
thought of partisanship, in what we face and solutions we need to enact. i appreciate that. our next senator is senator hawley. >> thank you, mr. chairman and thank you to all the witnesses for being here. and the commission. congressman gallagher, i want to come back to you in your joint testimony, you said china has fueled economic warfare in trillions of intellectual property theft and cut our economic competitiveness and i appreciated your focus on this and i appreciated your own work in the house on this issue. so i just want to give you a chance to expand on some of those themes i think are so important. let me start by asking you, when it comes to cyber attacks, what do you see? how does china typically operate? how do they typically attack and whom do they typically target and what is it that they seek to gain or disrupt?
9:15 am
>> well, just quickly, my own awakening on this issue was painful. i spent most of the last decade as a middle east specialist in uniform not really understanding much in the way that china operated, but i remember vividly getting a letter from the office of personnel management about the massive hack of over 22 million people's, you know, federal government employees' records saying, thank you for your service, but your records have been hacked and that was a wakeup call for me to recognize that i needed to widen my own aperture and understand what was going on. and xi jinping had just come to power and i didn't understand how aggressive a direction he would take the chinese communist party. and since then not only the opm hack, but multiple, a series of
9:16 am
attacks that we know go all the way back directly to the chinese communist party, in addition we know that there are certain state champions, huawei and zte in particular that operate as an appendage of the chinese communist party. and we have seen huawei beam back information at the same time every night at midnight and we pointed out the scale at which huawei technology has been compromised. so we found nothing to contradict that assessment in our own work on the commission. if anything, we would emphasize the findings of the blair-huntsman commission, the transfer of intellectual property theft in the order of $300 billion a year, the greatest transfer of wealth in human history. i would say that up to this point and what i alluded to in my opening testimony, we've
9:17 am
taken primarily a defensive approach which has been necessary, but insufficient. in other words, we've said, you know, we're going to put huawei on the entity list and do a variety of things to dissuade our allies from operating with the ccp-- and a positive approach, development, finding ways to work with allied countries on key technologies in order to ensure that we're not dangerously dependent on china going forward and finding a way to make a positive case for american global leadership in a contrasting case with what we've seen from the ccp. >> very good, thank you for that. let me ask you just a little about a closely related topic which is our supply chain vulnerability, particularly as it relates to china. the report acknowledges our extended supply chain is threatened and the u.s. ecosystem,
9:18 am
the economic system, and i have been an advocate for reshoring, on-shoring. can you elaborate on the risk management techniques and what role do you see the private sector playing? >> absolutely, so we recommend, and i believe it's recommendation 4.6 in our report, that congress direct the government to develop an information and communications technology industrial base strategy for more trusted supply chains. so, this starts with a simple identification of which technologies are critical and where we have single points of failure in the supply chain so that we're not discovering the single points of failure in the midst of a crisis, which i would submit we are in some
9:19 am
cases with active pharmaceutical ingredients and medical equipment right now. we're asking the government with an enhanced cisa and cyber focus to identify proactively where are the areas where, no kidding, we either have to bring that manufacturing back to the united states as you've had multiple pieces of legislation aimed at doing that, but potentially, also, work with partners. so, for example, when it comes to semiconductors, taiwan is an obvious target for enhanced cooperation. and i believe the administration right now is exploring some sort of deal with tsmc, a major taiwanese semiconductor company, in order to build certain things in the united states. it's identification of our domestic and our allied ict industrial capacity and identifying those key areas of risk where a foreign adversary could potentially restrict the
9:20 am
critical supply of technology or intentionally introduce compromise at a large scale and that should affect our direct investments in those key areas or our investment in research and development. >> that's really good. tell me what role you think the private sector plays here and how we get a balance of both requirements and also incentives to help the private sector get to where it needs to be. >> i think this is one of the major things we wrestled with, throughout the commission's entire work, which is to say, how do you get that balance between, we don't want to sort of out ccp the ccp for lack of a better word. we can't adopt a one size fits all heavy-handed top-down series of regulations. and how do we instead pursue that incentivizing approach and what we've sort of landed on, there are simple things that we can do to incentivize the private
9:21 am
sector rather than mandate they do certain things. for example, one of the examples in the report is mandatory penetration testing for publicly traded companies. so that they have to invest more in cyber security. because what we saw time and again is that wherever the c-suite did actually prioritize and take cybersecurity seriously, those companies outperformed their competitors. we would like to, for example, over time, see certain best practices that are emerging right now become the industry standard. so, for example, there's something called the 1-10-60 rule, where you're able to detect an intrusion in one minute, have someone look at it in 10 minutes and isolate and quarantine in 60 minutes. by incentivizing the c-suite to invest in cybersecurity, we believe over time best practices like that could
9:22 am
become the norm. and i would say, and suzanne alluded to it, we tried to adopt an approach that harnessed market forces so that the private sector could step up and respond to a clear incentive that the federal government is setting. >> very good. thank you. thank you all. >> senator hawley, i'd like to touch on your question for a moment. >> yes. >> the supply chain. number one, we've learned in the covid situation how critical the supply chain is and what a mistake it is to rely on supplies for critical materials outside of our borders. the second piece is, we have to realize that the chinese are integrating economic policy with intelligence and national policy by subsidizing things like huawei to make it cheaper in order to insinuate itself into the nation's or the world's internet infrastructure. we have to realize the cheapest
9:23 am
may not always be the answer and maybe a little premium on the price is an insurance policy. because historically we've said we'll get the cheapest wherever we can and that's going to bite us. and supply chain, we just have to analyze every piece of military equipment and piece of critical infrastructure and say where is it coming from and is it safe? i think you've identified one of the most serious issues that's facing us, it's not going to quit. >> thank you for that senator king, and thank you for your leadership over many years on this issue and a privilege to serve with you on the committees that we do, thank you, mr. chairman. >> thank you, senator hawley. senator hassan. >> thank you for this hearing and thank you to our panelists for your work. all the effort that you've put in and for being with us in this new remote hearing world
9:24 am
we live in. senator king, i wanted to start with the question to you. the comprehensive report outlines many key steps that the federal government can take to mitigate cyber attacks. however, the report is relatively quiet on how the federal government can help strengthen state and local governments' ability to defend against attacks. recently the national governors association wrote a letter to house and senate leadership asking for funding to help state and local governments defend against crippling cyber attacks amid the covid-19 pandemic. before this crisis, legislation was introduced in both the house and senate to create a sizable federal grant program for state governments. we know that it's only as good as our weakest link, to the last point they were making, and we have to have cyber resiliency down to our smallest localities. did you examine the possibility
9:25 am
of federal support for state and local cyber security? if so, what were your conclusions? >> we absolutely did. and in fact, a major wave of ransomware attacked our cities and towns. we've had small towns in maine, that i've talked about this, that had hits of ransomware. i think there was something like 45 mentions of state, local, tribal government. but here is what we wrestled with, we believe and we advocate for the creation of a fund to assist states and localities in dealing with these issues, not only money, but technical expertise, which cisa has throughout the federal government. but part of it, part of the thing we wrestled with is what i call moral hazard. we don't think the federal government should relieve the states of their own obligations to protect their own networks and to do what's necessary.
9:26 am
so, what we've proposed was a matching program, where it would start with a 90% federal share, 10% match for improving critical infrastructure on the state level, which year by year would scale up and end up 50-50. we want the states to be engaged as well. we don't want them to say, well, cybersecurity is a defense job, that's not our job. that won't work. that's the way we approached it, but we understood and working with the states on critical infrastructure is absolutely important. i mean, it's elections, national guard has a role to play here. i think there are a lot of ways that we can integrate with the states properly, but we need to-- it needs to be a shared responsibility, i guess is the way i would put it. and that was-- the commission wrestled with this, but that's the way we came out. >> well, i thank you for that. i would make the note and new hampshire has seen ransomware attacks on very, very small
9:27 am
jurisdictions, tiny systems. when it comes to town meeting time or state budget balance, what you don't want to do is having the matching obligation be so great you put at risk federal cybersecurity because a small town can't meet a cyber obligation or a state has to cut its budget to balance it so those are the things that we have to think about. i wanted to move on to ms. spaulding and i wanted to build on something that senator johnson asked about. as you know, one of the solarium commission's recommendations is for congress to pass the cybersecurity vulnerability identification and notification act. the bipartisan bill passed our committee and senator johnson and i are continuing to work to pass the bill into law. ms. spaulding, drawing on your experience at the department of homeland security can you explain why cisa needs the subpoena authority particularly in the context of the covid-19 pandemic? >> yes, senator, thank you for that question and thank you for
9:28 am
your efforts to try to get this authority passed through congress. it's something that we have needed for quite some time, going back to my time at dhs. dhs has the tools to scan the internet for vulnerabilities, for known vulnerabilities, to find systems that are publicly facing the internet, that we can tell have the vulnerability that we're looking for. what we cannot do without a tremendous amount of effort, sometimes not at all, is to identify then who owns that system so we can reach out to them and warn them. so this would be an administrative subpoena. the folks who have the information about who owns that system are the providers, the isps, the internet service providers. so what we need to do is take that ip address which the tools allow us to know and go to those providers and say, we
9:29 am
have found this, it looks like an industrial control system, which is something that may power our critical infrastructure, it could be in the energy infrastructure, transportation, you know, all kinds of infrastructure, and we see that they have this very dangerous vulnerability that an adversary, a bad actor could exploit and cause problems. we don't know whose it is and we can't tell them. >> thanks for that response and i look forward to continuing to work with senator johnson and members of the committee on getting that legislation passed. miss spaulding, i also wanted to talk to you about cyber threats and health care. prior to the pandemic, the health care sector was a target of malicious actors, and with covid-19 and the hospitals, i'm worried that it could be a threat to human life. and it's not just a warning
9:30 am
that some nation state backed actors are targeting covid-19 medical research efforts. obviously, that's very concerning. can you help us understand what we can do right now and going forward to improve the resiliency, including the threats to these medical research facilities? >> yes, senator, such an important point and it's addressed by our commission recommendations in a number of ways. this is really the kind of event, series of events that, for example, could be covered under this cyber state of distress that we talk about in the commission report, which is falling short of the national emergency where you've got physical destruction and consequences along the lines of a hurricane or a super storm. but are beyond the routine day-to-day occurrences that we deal with every day. the attacks during a pandemic
9:31 am
on this vital infrastructure could rise to the level of the cyber state of distress and the key there is that it would trigger the ability for cisa particularly to tap into a response and recovery fund to scale up, to go out and help these researchers, these facilities that are being attacked, the hospitals, our health care providers, and to bring in additional resources, particularly to call on assistance from experts within the dod or the intelligence community and where we have to reimburse them. so, that's a key part of that authority. and really critically important. >> well, thank you, i see i'm over time, mr. chair. if there is time for additional questions, i have one more for senator king which we can do later on on the national guard. thanks. >> sounds good, senator hassan.
9:32 am
let's go senator rosen, romney and then lankford. but senator rosen. >> thank you, mr. chairman. and i thank you, ranking member, for bringing this great hearing today with amazing witnesses. thank you for your work and especially my colleagues, angus king and of course, congressman mike gallagher. we were freshmen in the house together and we were both founding members of a bipartisan caucus and a lot of great work there and great to see you're continuing with that and look forward to seeing what you're doing. and you know, we know that the cyberspace solarium commission report and this is widespread in the public and private sector. as a former computer programmer and systems analyst i've introduced a number of bipartisan bills to promote our cybersecurity work force, including legislation to prepare our junior rotc
9:33 am
candidates for careers in cybersecurity, build support of apprenticeship programs in cybersecurity modeled after nevada's in-state cybersecurity apprenticeship program. so ms. spaulding, what do you think are the additional forward-thinking solutions that congress can offer to provide our business communities, our government, with the skilled work force they need to strengthen our nation's cybersecurity infrastructure and protect americans from bad actors and even considering what is happening now in the pandemic and covid crisis, also addressing retraining. these are jobs that are going to continue to grow where other jobs may not come back as robustly. >> senator, thanks for the question and thank you so much for your efforts on this really important issue. i noted it earlier and i think making sure that we are doing everything we can to build the talented work force that we need on the scale that we need
9:34 am
it across this country. it's a huge challenge and something we all need to tackle. we have a number of recommendations in the commission report along these lines and one of the most important and sweeping is to build and continue to build on the things that are working and that we think are successful and certainly, the scholarship for service-- we think is important and where the government reaches out early on to encourage students to study cybersecurity, helps them with their education. and then they have a job with cisa or others across the government where i used to say to the private sector, i'll take them right out of school. i'll give them on the job training. i know that you in the private sector will then lure them away with higher salaries, but i believe that a number of years after they've put their kids
9:35 am
through college they'll come back to government because they'll miss the mission and often times the audience would laugh, but i know that you know what a strong draw that mission can be. i think it's also important to focus not just on recruitment, but retaining that cyber work force. one of the things we worked on at dhs is the importance of an inclusive work environment so when you've succeeded in, for example, teaching girls to code and recruiting women and a diverse work force, women and minorities into the cybersecurity work force, you retain those talents by creating an inclusive work force. so those are the kind of things that we looked at and really important programs for congress to continue to support. >> senator rosen, if i could-- could i join in and provide another answer to that question? one thing, and this sounds minor, but it can be major, we
9:36 am
need to work on our security clearance process. >> that's my next question. >> well, we've been doing a lot of work on it on the intelligence committee and i know of people who gave up after a year or more of waiting. and i must say the administration has improved that considerably, the backlog is down. they're working better on reciprocity so if you get a security clearance for one agency it can apply to another. but that's one of the issues. the other thing we talked about creation of a program where you could get some scholarship aid and then make a commitment when you came out, but you're absolutely right to focus on this issue because if we don't get the talent, we're in trouble and we need, i think, mike gallagher mentioned at the beginning, a shortfall of like 35,000 people across the government that we need in the cyber security area. so, it's one of our most important priorities. >> and hundreds of thousands across the country.
9:37 am
and i was pleased that last december my building blocks of stem bill did pass which is going to promote stem education for young girls and thank you for answering my security clearance question. that was my next question. i do think it is hurting us in government. with the short time i have left, i want to talk about protecting data through cloud services. so, senator king and for ms. spaulding, quickly, what can the federal government learn from the private sector's experience in migrating to cloud services? how can we better partner with them to be sure that we're able to do that? >> let me start and i'll turn it over to suzanne. the movement to the cloud can be a very positive development because you don't have-- you don't have all of your data in 10,000 locations all of which are vulnerable, but that means that the cloud itself has to be more secure and we
9:38 am
do talk in the report of developing a security standard for cloud-based services so that companies and governments, whoever wants to use a cloud service, can have some knowledge, some assurance that they're dealing with a secure service. suzanne, do you want to touch on that issue? >> that's exactly right. we-- the commission felt strongly that we really wanted to encourage folks to move to the cloud for many-- really, for most, that's going to be a more secure environment. you're going to have real experts who are securing that data. but not all cloud service providers are equal and so, we thought it was really important again to rely-- to try to push the market by providing information for folks on whether -- which cloud service providers meet a certain security standard. if we're going to encourage
9:39 am
folks to move to the cloud we have to make sure that the cloud environments are indeed secure. so our recommendation is for the development of guidelines and that those guidelines be public and folks can see whether cloud service providers are indeed providing a secure environment. it can't just be that it goes to the lowest bidder. >> i think you're right. i think we also have to include not just national cloud services, but think about our international security as we share data across borders, global borders, that's important to secure that as well. thank you so much. >> thanks, senator rosen. senator romney. >> the part of this discussion, it is a bit of deja vu for me because many years ago when i was serving as governor in massachusetts, i was part of
9:40 am
the homeland security advisory committee and we came together and spoke about this topic and felt that we were behind and that there were actions we needed to take if we were going to be effective in protecting our cyber space and what is somewhat alarming is to find we're still talking about it and not as much as i might have anticipated being done has actually been done. and so i'd like to focus for a moment on what it is that prevents something from happening. we -- in an authoritarian regime the person at the top can demand that something happens and everybody jumps or in the case of kim jong-un they found themselves, you know, no longer breathing. so, we don't have that model. i'm not suggesting we do, but we have to use the tools that we have and so i'm going to ask mr. fanning to begin with, is there not a potential to create a lot of pressure coming from the corporate sector on
9:41 am
the white house? we need to have the white house get fully behind this because it's hard at the congressional level for us to push a string uphill. i'm mixing two metaphors there, but nonetheless it's hard to do it from the bottom up. would it not be helpful if corporate america shouted we need the federal government to step in here to provide the following elements to get behind this report? how do we do that, mr. fanning, and why hasn't it happened so far? >> senator romney, great to see you again. look, i think that's happening. the fact that all of the critical infrastructure in america has been working with their sector specific agencies. i think the issue is really now how do we harmonize and collaborate with all of the government? one of the important facts, i know with your background, you'll get here is that not all private sector is created
9:42 am
equal. we've called for a designation of sici, that's systemically important critical infrastructure. so working through cisa, a risk-based approach, what the most critical is in america and we do that at the asset level. so we identify assets that can either prevent major loss of life, significant economic disturbance, or prohibit or hurt our ability to defend ourselves, to fight back, to see, to listen. and so, what we're doing is to identify the most critical assets in america and then, evaluating the layers around those assets of the private sector to really work with the federal government. and in my opinion, it's not just a voice that says you need more. i think the private sector has a special obligation in this
9:43 am
new cyber digital world that we are in to join in the effort and defend america, to join in the effort to have a special relationship with the intelligence community, sector specific agency, dod, et al to create a more-- that's why we have the sici framework that will carry this out. you know, as i walk the halls of congress and work in the administration, my sense is there is a great desire to have this happen. we are not without motivation. and really, i think it now says we've got to pool that effort and direct it in a certain way. i think that the solarium commission report does that. >> i certainly hope so. >> senator romney, can i touch on that for a bit? >> sure, angus, go ahead.
9:44 am
>> i have a life principle, structure is policy. if you have a messy structure you're going to have a messy policy, and right now we have a structure in our government that is -- we have really good people in agencies, cisa, and cyber command. there's nobody in charge. going back to my business days i always liked to have one throat to choke and that's the national cyber director. we need somebody at a very high level who can oversee and coordinate and work on the planning with all of these different disparate parts of the federal government that are working on this. i think that's an absolutely critical need. the other recommendation, which hasn't gotten much discussion today is, we recommend that the congress reorganize itself and develop select committees on cyber because we've got cyber jurisdiction scattered across -- i've heard as high as 80
9:45 am
subcommittees in the congress. it's very difficult to get anything done. now, that's going to be difficult because i'm on intelligence and armed services and we're talking now to homeland security. people are going to have to give up some jurisdiction in order to gain a more coherent approach to this issue, both in congress and in the executive branch. so, you're onto something and you know, you want some centralized leadership and if you're governor or you're president and you want somebody you can go to and say, i want this to work. but right now, if you're president you have to go to a bunch of different places and that's our goal here. >> i fully agree. so one question and five to go, i have one minute to go, i'm not going to get them in. but i want to ask of ms. spaulding whether or not the intelligence community can say tear down the barriers
9:46 am
between us and let's go to the white house and get the white house behind it. it would strike me if the head of the cia, department of defense, secretary of defense were to say to the president we really need to have this one person, we need to restructure this in the following way, that's going to happen. but if the white house is dragging its heels on this, it's not going to happen. so, is there -- i mean, can we get support from the leaders of the, if you will, the agencies that deal with this topic to get behind this principle? >> so, one of the advantages that we had on this commission, senator, was that unlike any other commission i've been involved with, and i've been associated with many, we had people from the executive branch sitting on the commission. and they attended every meeting, all of our nearly 30 meetings over time, and while they were not in a position to sign onto the final report, given the separation of powers issues, et cetera, i think there's a strong understanding of the need to coordinate and
9:47 am
to have coordination at a senior level for cyber security efforts. and the intelligence community is an absolutely essential part of that effort. so i would like to think, along with you, that we can get consensus around the need for this coordination effort and push this through. >> well, thanks, senator romney. by the way, this is -- this hearing is clicking along pretty quick. senator hassan, if you'd like to ask another question, stick around and i'll give you the opportunity to do that. senator king passed a bill -- a simple bill under homeland security, making it difficult for the department to respond properly to congress when you're going to that many different committees. similar concern that you have
9:48 am
in terms of cybersecurity, we couldn't even get that simple commission established into law to take a look at it. that got kiboshed, but i'm happy to work with you on both issues because again, this is a little insane in terms of how, you know, dispersed the congressional authority is on both cyber as well as homeland security. with that we'll turn it over to senator lankford. >> thanks, mr. chairman. thanks for the hearing, i've got a ton of questions like senator romney was talking about before. congressman gallagher, let me ask you a question. what is the difference as you would see this between the national cyber director and what cisa is doing now. congress has a bad habit of saying this is not working as we want it to and we'll leave that in place and plus, add another thing onto it. we're talking about cisa and elevating it, or two different things and it works for the national cyber director? what's the difference? >> well, cisa in the first
9:49 am
instance we're recommending elevating and empowering, in a variety of simple ways that might surprise you don't already exist. for example, start at the top, we shift the director to a five year term, increase their pay, push for resources and authorities to elevate their stature in the federal government. but cisa is always -- and suzanne, having worked in this job, is the best person to talk about it -- in my mind always going to primarily have the mission of defending critical infrastructure, defending the dot-gov space in a way that cyber com defends the dot-mil space. the biggest impact is giving cisa the ability to do threat hunting on dot-gov networks so they can defend prior to the attack, and the national cyber director in my mind has a more coordinating function that is making sure
9:50 am
that cisa in performing that mission is working well with nsa, with cyber com and all the other federal agencies that play in the cyber space. the advantage of the national cyber director, particularly one senate confirmed and therefore in theory more responsive to senate and house oversight, is that proximity to the president, having the ear of the president and hopefully enhancing their ability to coordinate across missions and do long-term planning, while cisa is sort of in the fight on a day-to-day basis. >> more of an odni type structure? >> you know, we did look at the odni structure and debated it as a model for national cyber director. ultimately we had something more modeled on the trade director. we found it's interdisciplinary, it's functionally oriented and
9:51 am
institutionalized with senate confirmed leadership and situated within the executive office of the president, but this is really one of the more robust debates we had on the commission. >> suzanne, you wanted to add to that. >> guest: cisa coordinating across the area, and the asset response function. so this national cyber director would bring together the defensive and offensive planning to make sure those things are coordinated and working in a synergistic way and not at cross-purposes, and bring in title 10 dod authorities into that broader whole of nation, whole of government planning. so -- >> civilian role not a military role for this position?
9:52 am
>> that would be our recommendation, yes. >> to be able to do the whole of nation work for the private sector. >> thank you. >> senator king, let me ask you about the select committee proposal here shifting out. you and i have talked about before that our committee structure was designed in a way that it never should have been designed. more accidental than designed. and over the years agencies were created and congress has not kept up with the structure of the house and the senate committees, it's more and more chaotic and trying to hold people to account. trying to do another select committee and be able to strip those away, is it easier to create another select committee and easier to land them in a committee,
9:53 am
or is it better to strip away and -- >> i think the intelligence committees, they didn't exist before the select committees and there was a realization after the church committee there was a need to have one committee with special expertise in a technical area. and we're talking not only cisa, but military aspects. cyber com, nsa, the intelligence agency. so i think there's an argument, a good argument to be made for a special select committee and frankly, one of the things we talked about was having the membership of that committee be the leadership of the various committees such as this one. they would, that's who would be the members, the chair and ranking member or designees. i think there's a way to do it and i realize that jurisdiction is life around here, but i think this is a moment like the '70s, where there's a
9:54 am
specialized area that's incredibly important to the future of the country, and right now as senator johnson said, you can have a very simple bill and it takes years and i don't want to go home after a cyber attack and say, well, congress really, we were talking about that and there were a couple of bills, but four different committees had jurisdiction and it was really hard. i don't think that's going to wash with my constituents. >> nor should it on that. let me ask you a question about standards. i saw in the report multiple different times to be able to push the private sector to have better standards, higher standards and creating a standard. spent a lot of our conversation on the internet of things. once you hit a government standard it doesn't take long for it to scale in the cyber world. you've got a lot of technology and innovation. by the time the government or any agencies set the standard it's out of date. how do we keep a standard from slowing down innovation? >> well, you raise a very
9:55 am
important point. the standard shouldn't be thought of as a static certification, rather, a lot of the standards that will be certified will include a process to evaluate gaps in the future, to evaluate how to improve whatever it is. it will also be kind of weighted by the importance in the critical infrastructure of america. in other words, if it's thought of to be incorporated into this systematically important infrastructure, it will have a much higher standard, a much quicker response time. so look, i think the private sector, in working with government now, in collaborating not cooperating, has a special burden to work to make sure that whatever we do fits the national interest. there will be benefits, so if there's more for us to do and perhaps it's more expensive, i think the benefit will be that
9:56 am
you will have a real-time evaluation of the battlefield. as i mentioned, you know, the battlefield of today is the electric network, the telecom and the financial system. we've got to make sure that our stuff works and if we can get real-time evaluation collaborating with the intelligence community, sector specific agencies and folks like dod, we will all be better off. i think this is a big carrot for private industry. >> governor. thank you. >> thank you, senator lankford. i see senator sinema. so if she's ready to go, she can go. if senators have a question, use that raise your hand function and we'll start with senator hassan after senator sinema. senator sinema, are you there? >> yes, i am. i want to thank
9:57 am
you for holding this hearing and thank the witnesses. as we navigate the pandemic, we look at cohesive strategies for public safety and the pandemic has shown the need to fortify our cyber security. overnight many americans expanded their virtual footprint through virtual work, telemedicine, a -- we will have this for a long time and we have to ensure our networks are secure. and the parallels should make us ask whether or not the united states is prepared to recover from a sustained cyber attack. i hope we can look through the lens of the ongoing pandemic and some of the challenges we tackle now so we're better prepared for the next crisis. my first question today is for ms. spaulding. the report says that the united states was to implement social
9:58 am
distancing and stay-at-home orders for the pandemic. the pandemic has turned to a much greater reliance. do you have issues to prioritize given this new environment? >> yes, senator, you're right about the heightened risk environment we face in the context of this pandemic. there are a number of things. i think as we have this at-home workforce, everyone is using their home routers and wi-fi networks to interact and so, one of the recommendations that we have is for this national certification and labeling authority, and i do think that's the kind of thing that could get up and running fairly quickly. it's like an underwriters laboratory and would help provide information to consumers as they look at securing and purchasing devices like routers and web cameras that we know have been vectors to
9:59 am
malicious activities. how to evaluate their purchases from a cyber security perspective. so, i think that's critically important to continue to inform the public about how to make wise choices, but also for our business owners. critically important around the internet of things and the industrial internet of things, that they, too, have the information that they need to make informed decisions as they are purchasing equipment. strengthening cisa and making sure it has the resources that it needs to do the kind of outreach to the american public and to the business community, to let them know when we are seeing heightened activity in a given area, how to secure their homes, devices that they already have at home. those are things that can be done right now and really, there is a strong sense of urgency about it. >> thank you. >> senator king, in the chairman's introducing the report, you and congressman gallagher state that
10:00 am
election security must become a priority. i agree with you. and one of the recommendations is congress should enhance the instruction of the commission system to help states and localities better protect elections. ... we have an interesting recommendation. as you know the commission is set up on a bipartisan basis and the problem is that it's deadlocked and quite often can't take any action whatsoever. we're suggesting the appointment of a fifth commissioner with
10:01 am
technical expertise in the cyber area who could only vote on cyber related issues. this would break the deadlock on the kind of issues we're talking about here this morning to enable the commission to actually do this important work on behalf of all the states. those are two specific suggestions, stabilize funding, fifth commissioner, limited in the vote to cyber related issues to break the deadlock so that actions by the commission can move forward to deal with this really critical issue. >> first of all, senator, we miss you in the house. it's great to see you again. >> not mutual, but thanks. [laughing] >> in addition to what senator king said, the fact we are coming to something that ms. spaulding said earlier, which is we are very
10:02 am
much coming out strong in favor of paper balloting and an auditable paper trail, a commission having such a recommendation. in addition to stabilizing the election assistance commission we have a recommendation that intends to streamline and modernize the sustained grant funding for states to improve the election systems. and then we are intrigued and try to recommend ways, in addition to funding from the top down, how can we take advantage of what i would call the bottom up, a lot of nonprofits in the space that are providing free cyber literacy to campaigns and we think that's a good thing. we want to encourage those efforts because a lot of times the top-down funding is entirely dependent on the individual personalities and systems in the states so we need a mix of top-down and bottom-up going forward. >> thank you so much, congressman gallagher. on a personal note congratulations on your wedding
10:03 am
and one day i'll see you in the gym again. mr. chairman, i have no further questions. >> thanks, senator sinema. i don't see senator hassan's hand up. you have your question? >> i do, thank you. this is just for senator king. and again thanks to all of the panelists today for a really superb discussion. senator, the commission's report includes recommendations to leverage the capacity of the national guard to help states prepare for cybersecurity incidents. yet as you point out, our current department of defense policy doesn't provide clear guidance about what activities the national guard can conduct or whether these activities can be supported by federal funding. i know this has been an ongoing issue in my state. what do you think is the best mechanism to engage the national guard in helping states with preventive measures that increase cybersecurity vulnerabilities? do you think current authorities are sufficient or does the guard
10:04 am
need clear authorization to conduct these preventive measures? >> i will distinguish between the words authorities and guidance. i think the authorities are sufficient. as you know the guard can be a tremendous asset to the states in this kind of situation because of their technical abilities. i think what we believe, what i say i think, what the commission recommends is a clarification of guidance on the department of defense that would allow reimbursement to the guard under title 32 so that -- that should be able to be cleared up fairly straightforwardly, and that's our recommendation. the guard is a tremendous asset. let's use it and let's not have obstacles to its use. >> it's really about making clear that when the guard does cybersecurity work with the state, there's a federal interest in it, too. >> absolutely, there sure is, a huge federal interest.
10:05 am
that was one of our specific recommendations. >> thank you very much, and thank you, mr. chair. take care. >> senator romney. >> the line of questioning that you described with china's intrusion into our cyberspace, both corporate and government, was really quite revealing and very effectively presented. i think you made the point that we, as well as our international partners, need to push back against the intrusions that are being made by china. i guess the question is, how can we go about doing that? any thoughts about -- right now there is a mood not only in our country but around the world, everybody pulling back with its america first or france first, whatever, people are pulling back, becoming less associated on the global basis to say how do we work out these things together? like you i figured the only way we were going to get china to be dissuaded from the course they
10:06 am
are on is if we and other nations that follow the rule of law come together and say china, if you keep doing these things you can no longer have unfettered access to markets. we will respond collectively. you can have access to any of our markets. i'm interested in your thoughts, how do we get there? does the u.s. lead this? does someone else lead it? how do we create a recognition on the part not just here but around the world, that we need to come together and collectively push against the world's most benevolent actor right now, which is china. >> a great question, and in some ways i think it is actually the question we'll be grappling with for the next few decades. what i would say, having watched this play out, is that i think the momentum for some form of selective decoupling from china will continue in some ways regardless of who is president in 2021 or 2024 or 2025.
10:07 am
our challenge, and again this is my view and this is a bit outside the actual text of the commission report, is that the smart way to avoid -- we can make everything in america, while weaning ourselves off dependency on china, is to harness that made in america energy into more productive partnerships with our allies. i mentioned taiwan when it comes to semiconductors earlier. there's an opportunity in our partnership with australia when it comes to rare earths. and what we recommend particularly in the 5g space is pooling our resources with like-minded countries who have expertise in this space in order to not just say huawei and zte are bad but say we as a free world have a better product and more secure product that we can offer to you, and it's going to cost a little bit more but it's not going to be cost prohibitive. that's sort of the general direction we are trying to push
10:08 am
our cooperation with allies. there's a variety of smaller recommendations in line with that, for example, elevating the assistant secretary of state position in order to facilitate our cooperation with allies. the final thing i would say just to tie it to the question you had asked senator king earlier, is that while it is very hard to deter the chinese communist party at present, we believe this is further evidence of the need for a clear declaratory policy. we are recommending both a strengthening of the existing declaratory policy above the use of force threshold to say if you attack us, we will respond. but also the promulgation of a second declaratory policy below the use of force threshold so china can do what reports suggest it's doing right now, hacks of american companies to get information on the coronavirus vaccine, without fearing the consequence.
10:09 am
there's a lot there. i apologize for going on but it's a very important and difficult question. >> senator romney, there's an important principle. i think you hit on the key question. churchill once said the only thing worse than fighting with allies is trying to fight without allies. and in my visits to asia, what i found is china has clients and customers. we have allies. we don't take sufficient advantage of that. one of our recommendations is a new position of assistant secretary of state for international norms in cyberspace. we've got to involve the rest of the world in setting what the guard rails are. if china violates them just as you said, they are not just going to be facing sanctions from us but from the entire world. above all else, they're sensitive to economic responses. if it's an international economic response it's going to be a lot more powerful than if it's just unilateral from our side.
10:10 am
i think you're asking a key question. part of the answer has to be what we talked about in the report is the importance of elevating norm setting and talking about how we can provide some international guardrails to this kind of malicious activity. >> thank you. i yield my time, mr. chairman. thank you very -- very well said, both of you. thank you. >> senator lankford. >> let me drill down on that more because that's part of my question as well. it was really talking on a nationstate. we also have a big problem with cybersecurity individual actors in nationstates. we found it difficult to hold them to account. some of them we got a chance to walk through, there's a great story about two romanians who were basically living like the kardashians stealing bitcoin from people all over the world.
10:11 am
they were just basically buying on the dark web information and then putting out ransomware. they happened to hit on something on pennsylvania avenue through our security cameras, and right before president trump's inauguration caused an international incident from two folks in romania that didn't even know what they had. they were just doing ransomware out there and that's a case we were able to track them back down and get to them and arrest them. in many countries whether it's india or south america or eastern europe, we have actors that are doing this and find increasing difficulty working with local governments to hold them to account. a lot of our conversation today has been about nationstates. what recommendations do you have on individual actors to be able to work with nationstates to hold people to account within their country? what are the options we have? >> that's one of the top things about cyber is it sort of
10:12 am
changes all the power relationships. you can have two guys in romania who can really wreak havoc or have a small country like north korea that can also wreak havoc. you don't have to be a superpower in order to play effectively in this area. i think this is another place where talking -- there are two aspects, two sides to this. one is improving resilience. we really haven't talked a lot about that today but to really upgrade our game in terms of protection and we talked, you talked earlier about the idea of an underwriters laboratory label. it would be voluntary. it would be consumer driven, but have people more careful about what they're buying. this will become much more important as we go to the internet of things. it's not only your router that can spy on you. it might be a microwave or your car, for sure. we've got to be better at
10:13 am
defense. but i get back into this international piece. if we imposed sanctions on two guys in romania, they may not care. but if the sanctions are also imposed by hungary, austria, russia and their neighbors, and maybe romania, then we can get after them. the international cooperation is a way of breaking down the national barriers for law enforcement so that we can go against some of these people, wherever they are. but that means we need to expand our reach and that means we have to be cooperating with our allies. >> could i just quickly add, senator lankford, there is a school of thought that we engaged with and continue to debate with that suggests this is precisely the reason why deterrence is not possible in cyberspace. we very much believe it is because at the end of the day we are not deterring cyber or cyber
10:14 am
instruments, we are deterring human beings using those instruments. what you are touching on is a problem of attribution and the need for us to improve a rapid capability. we do have a variety of recommendations that attempt to do that such as codifying and strengthening agencies that already exist like the cyber threat intelligence integration center in odni so they can better partner with the private sector and ultimately arrive at a cultural change where they are more proactive in sharing the results of rapid attribution with the private sector entities that may be the target of those actors. >> the challenge is not just attribution although that is a significant challenge, it's also enforcement. a group of folks in pakistan that decide to do this, we go to the pakistani government and say we believe this is one of your citizens and they say we believe it's not. now what do we do? >> so we do have some recommendations to strengthen the fbi's ability to bring its law
10:15 am
enforcement tool to this whole of nation effort, including strengthening their overseas presence and cyber attachés in embassies, and also recommendations that would strengthen mutual legal assistance. at least in countries where you can get some cooperation and the relationships, a lot of that is being on the ground, being able to provide assistance to the country in which, where this might be based, so that you've got a relationship that when you need information from them, they are willing to cooperate. >> this is an ongoing issue whether it's robocalls in massive numbers trying to be able to target fraud for social security recipients or whether it's a cyber threat directly towards an industry, infrastructure or towards stealing credit card numbers and such. we have a global issue on this right now.
10:16 am
we do have a lot of tools in the toolbox to put pressure on nationstates, put pressure on individuals within the country to knock it off. we have to find some way to be able to have some leverage. right now our focus seems to be on nationstates rather than individuals within nationstates. we have to have a balance of both. i appreciate all your work. i don't think i said that earlier. we have talked multiple times about the number of hours that you all spent on this. so thanks for all the work in compiling this together. let's make sure it doesn't sit on a shelf somewhere. >> thank you. >> we agree. >> thanks, senator lankford. i think senator hassan found the little hand. do you have another question? >> just a comment and reminder. first of all let me echo the thanks of everybody. just a reminder, mr. chair, this committee passed an internet of things standards bill that would say when the federal government purchases internet of things that certain security standards
10:17 am
would have to be met. we had something we passed out of committee that we might be able to work from and keep pushing on. so just wanted to make that known. thanks. >> thank you. i have one last question for ms. spaulding. then what i'll do is i'll give all the witnesses a chance for a closing comment and i'll do it in reverse order starting with mr. fanning. but ms. spaulding, you mention the commission is recommending most people transfer their data into the cloud. and again that makes a lot of sense. you would assume the cloud probably has the absolute best security versus a bunch of other smaller actors. can you provide some assurance? i think the concern is that now, rather than having just a huge dispersal of all this data across thousands of companies, now we're putting all of our eggs in
10:18 am
one or a few very large baskets that if that security is breached it could represent a really big problem, make a really big mess. can you address that aspect of it? >> it's an excellent point, and it is something, for example, in elections in 2016 we looked at that decentralization of elections across the country as a way of mitigating the risk of a national impact from hacking activity. but really if you look, and that's a good example. if you look carefully at that, particularly in states and counties and locations around the country where there might be a very close election, that decentralization isn't necessarily going to buy you protection. it is an ongoing discussion about the value of biodiversity, if you will, you know, the diversity of systems and assets
10:19 am
making it more challenging for the adversary. i think what we've seen, however, is that the adversary is able to overcome a lot of that. as we've seen these broad attacks in which the adversary, for example, takes over routers and webcams, hundreds of thousands of them across the country and around the world, millions, we realized that we are not getting as much benefit from that distributed network. if you have secure cloud providers, you really can -- we concluded, increase the overall security of your system. that's the key and the point we emphasize in our recommendation. you need to have standards, security standards for the cloud service provider. >> that gets to the recommendation of some kind of national certification of those types of services. >> that's exactly right. both the certification of the kinds of equipment that folks might purchase and then guidelines and making sure that
10:20 am
those cloud service providers meet a relatively high level of security standard. >> thank you. mr. fanning, do you have some closing comments? >> yes, sir, and chairman, thank you so much for your leadership. i have always enjoyed our chats and your whole committee is doing really the lord's work here. let me just say this. we didn't talk as much during this hearing about the importance of the collaboration between the private sector and government. this isn't going to be a government led issue in my view. at the end of the day because so much of the infrastructure is in the hands of the private sector, we really do need to join the obligation, and there are some important issues that arise out of that that are really different from the way we think about it today. one of the clear examples is this continuity of the economy. the old model in our industry in electricity was reliability. there was a cost associated with the outage and we could evaluate how reliable the equipment must
10:21 am
be in order to prevent that cost. the notion of resilience says this is how my system operates under abnormal conditions, whether it's a hurricane, a snowstorm, a covid virus or a cyber attack. the only way we would be able to continue the economy and provide the american way of life that we are all used to is for the private sector to pitch, not catch, and to work with the federal government and the state and local governments, whether it's the fusion centers, the governors themselves or the state and local government, to really think about a different way to turn the economy back on and get us back on our feet. this commission's report deals with a lot of those important issues and i think it's really important to consider the recommendations going forward. so thank you for your time. really appreciate it. >> thank you, mr. fanning. ms. spaulding. >> thank you, mr. chairman, and i want to add my thanks for your leadership on these issues and
10:22 am
for giving us the time to talk with the committee and answer questions and talk about our commission report. i thanked our outstanding leadership earlier, but i do want to thank tom fanning. he is somebody who walks the talk. he has totally been an outstanding contributor to the commission report, bringing that valuable insight, but i know from my time at dhs, when he and i worked closely together with the electricity subsector coordinating council, which he has chaired for such a long time, that he is somebody who really gets this issue and is out there every single day trying to make sure that our infrastructure, not just in electricity but across other critical sectors, is going to be there when the american public needs it. his point about resilience is so important. this is an exercise not in risk elimination; we will never have 100% security. this is risk management, resilience, the ability to be reliable that is just baked into
10:23 am
the electrical sector, for example, is such an important lesson for us to spread across this country as we talk about cybersecurity. thanks very much. >> thank you, ms. spaulding. congressman gallagher, you are up to the plate. >> thank you, mr. chairman. thank you, ranking member peters, for this opportunity. i just would like to add that we very much view the unique makeup of this commission as an asset, with participation from outside experts, the executive branch and sitting legislators, as a way we can avoid the report just collecting dust on a shelf somewhere. your staffs have been excellent in terms of working with us and our staff thus far. we hope to continue that collaboration and partnership as we fight to get some of our recommendations into the national defense authorization act and other legislation. we are at your disposal in terms of anything you need from us or our team as we debate these issues. we didn't solve everything in this report; we attempted, if nothing else, to
10:24 am
provoke the debate and build upon the work you've already done. so thank you for allowing us to talk about it today. >> thank you, congressman gallagher. senator king, you've got the bases loaded. you are batting cleanup. better knock it out of the park. >> talk about why we are here. we're here because this nation is under threat, and we're in the midst of this coronavirus crisis, which is an absolutely unprecedented crisis, there's no doubt about that. that's taking a lot of the attention, but the fact is this threat hasn't gone away. in fact, it's been magnified by this crisis. the job we have now is action. we have talked this morning, and all of us in this hearing share an interest in these issues, a shared understanding of how important they are. we have to communicate that to our colleagues. this isn't something academic. this is coming at us, and it's not something that may come at us. it's coming at us today.
10:25 am
our private sector is being hit a million times a day right now by malicious actors. and so we have really got -- our responsibility, it seems to me, is to move forward. you've already taken a lot of leadership on this issue. you've already talked about bills, about the administrative subpoena bill. we ought to get rid of the word subpoena. that scares people. we need another word, because what we're doing is seeking information in order to warn and assist companies that are under attack. we need national leadership for some kind of coordination, for better resiliency and also for declaratory policy that puts our adversaries on notice that there is a price to come after the united states of america. we have the means. i think the commission report has given some important guidance. now it's up to us as members of congress and the people from the private sector who have made such a huge contribution to this project to work together to do
10:26 am
something. i don't want to walk away and say, well, we had a great commission, it was a good report, 81 recommendations, 57 legislative proposals, but we really didn't accomplish much. i think the onus is on us now to make it happen. this committee has certainly been on this for a long time. i deeply appreciate the support you have already indicated for some of our major recommendations, and i really look forward to working with you to get the details right, to work with the house and the other committees in the senate so that we can take action here to defend this country that we love. thank you, mr. chairman. we really appreciate the time you took with us today and the attention you have given to this critical subject. >> again, thank you, senator king. i completely agree with you. we have to turn this report into real action. i want to thank the four of you, all the other commissioners, all
10:27 am
the staff members who worked so hard on this for your hard work, your dedicated efforts and your very thoughtful recommendations. we will do everything we can to bring those to fruition and get them -- where required, signed into law, and try to get them implemented through executive action. thank you all for all your hard work. that concludes this hearing. the record will remain open for 15 days, until may 28 at 5 p.m. -- >> mr. chairman? >> yes. >> i wanted to add, if i could, a short thought at the end. i apologize for interrupting, but apparently you did not get that message. >> no, i didn't. did you have a question? >> it was just a short thought i would like to add. >> go ahead. i'm sorry. >> thank you very much. again, our thanks to each of you, not just for what you've done on this project. some of you know i came here 20
10:28 am
years ago. i've been -- [inaudible] with some of our colleagues in the house of representatives. [inaudible] my father and my father's mother, my mom's brothers served in world war ii. the battle they took on was fascism, nazism. they rose to the occasion and we came through that thanks to their courage. my life, much of my life -- trying to make this world a safer place from communism. a couple months after i arrived in the u.s. senate we suffered a terrible attack on 9/11. we all remember. and then we took up terrorism after that. today that is still a threat.
10:29 am
communism and nazism is not, but security threats -- cyber attacks, that's a major threat to our security as a nation. the reason why we have succeeded and came out of 9/11 was extraordinary. [inaudible] i again want to raise up -- i want to raise up, if i could, lee hamilton, for the pretty extraordinary leadership that they provided. [inaudible] so thanks for your work. >> at 11 a.m. eastern we will hear massachusetts governor charlie baker giving an update on the state's response to the
10:30 am
coronavirus pandemic and the phases of reopening, live at 11 a.m. eastern here on c-span2. >> today the senate will gavel in at 3:00 eastern time to work on the nomination of a judge for the district of arizona. lawmakers will also work on the nomination of a texas lawyer to the federal election commission. he worked with the republican national committee in 2016 to elect president trump. watch live gavel-to-gavel coverage of the senate floor today at 3:00 eastern on c-span2.
10:31 am
>> c-span has unfiltered coverage of congress, the white house, the supreme court and public policy events, from the presidential primaries to the impeachment process, and now the federal response to the coronavirus. you can watch all of c-span's public affairs programming on television, online or listen on the free radio app, and be part of the national conversation through c-span's daily "washington journal" program or through our social media feeds. c-span, created by america's cable television companies as a public service, and brought to you today by your television provider. >> host: reid wilson with u