[Senate Hearing 115-310]
[From the U.S. Government Publishing Office]
S. Hrg. 115-310
CYBERSECURITY REGULATION HARMONIZATION
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
JUNE 21, 2017
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
__________
U.S. GOVERNMENT PUBLISHING OFFICE
27-395PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MICHAEL B. ENZI, Wyoming
JOHN HOEVEN, North Dakota
STEVE DAINES, Montana
CLAIRE McCASKILL, Missouri
THOMAS R. CARPER, Delaware
JON TESTER, Montana
HEIDI HEITKAMP, North Dakota
GARY C. PETERS, Michigan
MAGGIE HASSAN, New Hampshire
KAMALA D. HARRIS, California
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Colleen E. Berny, Professional Staff Member
Margaret E. Daum, Minority Staff Director
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Bonni E. Dinerstein, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Johnson.............................................. 1
Senator McCaskill............................................ 2
Senator Daines............................................... 16
Senator Heitkamp............................................. 18
Senator Lankford............................................. 21
Senator Peters............................................... 24
Prepared statements:
Senator Johnson.............................................. 29
Senator McCaskill............................................ 30
WITNESSES
Wednesday, June 21, 2017
Christopher F. Feeney, President, BITS, Financial Services
Roundtable..................................................... 4
Dean C. Garfield, President and Chief Executive Officer,
Information Technology Industry Council........................ 5
Daniel Nutkis, Chief Executive Officer, Health Information Trust
(HITRUST) Alliance............................................. 7
James ``Bo'' Reese, Vice President, National Association of State
Chief Information Officers, and Chief Information Officer,
Information Services, Office of Management and Enterprise
Services, State of Oklahoma.................................... 9
Alphabetical List of Witnesses
Feeney, Christopher F.:
Testimony.................................................... 4
Prepared statement........................................... 33
Garfield, Dean C.:
Testimony.................................................... 5
Prepared statement........................................... 58
Nutkis, Daniel:
Testimony.................................................... 7
Prepared statement........................................... 74
Reese, James Bo:
Testimony.................................................... 9
Prepared statement with attachment........................... 79
APPENDIX
Email submitted for the Record by Senator Lankford............... 92
Responses to post-hearing questions for the Record
Mr. Feeney................................................... 93
Mr. Garfield................................................. 98
Mr. Nutkis................................................... 109
Mr. Reese.................................................... 111
CYBERSECURITY REGULATION HARMONIZATION
----------
WEDNESDAY, JUNE 21, 2017
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to other business, at 10:29
a.m., in room SD-342, Dirksen Senate Office Building, Hon. Ron
Johnson, Chairman of the Committee, presiding.
Present: Senators Johnson, Lankford, Daines, McCaskill,
Carper, Tester, Heitkamp, Peters, Hassan, and Harris.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. Good morning. This hearing will be called
to order. I want to welcome our witnesses. Thank you for your
testimonies.
I would ask consent that my written statement be entered
into the record.\1\
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Johnson appears in the
Appendix on page 29.
---------------------------------------------------------------------------
I will just keep my remarks brief.
Cybersecurity is an enormous threat facing this Nation. As
General Keith Alexander, the former Director of the National
Security Agency (NSA), said, the loss of industrial information
and intellectual property through cyber espionage constitutes
``the greatest transfer of wealth in human history.''
I believe this is either our fifth or sixth hearing on
different aspects of the problem associated with cybersecurity.
We are looking at different parts of this, looking for a proper
definition of the problem, certainly laying out the reality of
what General Alexander was referring to, but also looking for
solutions.
This is an interesting hearing because it combines our
concentration on this real threat, cybersecurity, one of the
top priorities on the homeland security side of our Committee,
with a top priority on the governmental affairs part of this
Committee, overregulation--the $2 trillion regulatory burden,
about $15,000 per year per household, and how that
overregulation is making us less secure in cyberspace.
It is interesting. We had Comptroller General Gene Dodaro
here at our annual duplication report hearing, and we had the
chancellor of UW-Madison come and testify. The last 2 years she
has visited me in my office, she has complained of
overregulation. This year she came in armed with a study
commissioned by the research universities that said that 42
percent of researcher time in these universities on Federal
Government grant programs--these are the grants that are
supposed to cure diseases and help advance human knowledge and
science--42 percent of researcher time is spent filling out and
complying with Federal regulations. And, I think what is
interesting is that in testimony today from our witnesses, one
of the witnesses will testify that about 40 percent of his time
or his cybersecurity group's time is spent--guess what?--
complying with often contradictory Federal regulations.
So, we obviously have to streamline this. We have to
understand the enormous opportunity cost of overregulation, of
contradictory regulations. If we want to truly address this
very complex problem of the threats we face because of the
cyber attacks and our challenges in securing our cyber assets,
we have to look to all levels of government, consolidating
their regulatory framework, to streamline that regulatory
regime as much as possible so professionals within industry and
within government, quite honestly, can concentrate on the
primary task at hand, which is securing our cyber assets.
With that, I will turn it over to Senator McCaskill.
OPENING STATEMENT OF SENATOR MCCASKILL\1\
Senator McCaskill. Thank you, Chairman Johnson. One of my
top priorities as a Senator is focusing on how we can make
government work better and more efficiently. Eliminating waste,
fraud, and abuse in an effort to save taxpayer dollars and
improve government services and make government less intrusive
into the lives of operating businesses in this country are a
priority.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator McCaskill appears in the
Appendix on page 30.
---------------------------------------------------------------------------
Today's hearing allows for us to hear from representatives
from the private sector and the States about how they manage
compliance with the variety of regulations they face relating
to data and cybersecurity. There is currently no clearinghouse
for mitigating conflicts between regulators, and as a result,
States and industry bear the burden for ensuring compliance
between sometimes redundant and often conflicting regulations.
Regulators play an essential role in mandating security
measures like notifications after a data breach and requiring a
minimum level of security to protect personally identifiable
information (PII). However, as these witnesses will attest,
while the goal of the regulation is improved security, due to a
lack of harmonization between regulations industry spends too
much valuable time sorting through compliance when it could be
investing those hours and resources into improving their
security systems and services.
We will hear today about how centralized information
technology (IT) systems can play a key role in improving
efficiency and security. The same can be said about
centralizing cyber policy across the Federal Government. We
have made significant strides in recent years to authorize and
operationalize the Department of Homeland Security's (DHS)
National Cybersecurity and Communications Integration Center
(NCCIC). President Obama also mandated the creation of National
Institute of Science and Technology (NIST) Cybersecurity
Framework, which creates a common language for government and
industry.
We have spent years working to make DHS the central
cybersecurity information sharing entity. We finally passed the
Cybersecurity Information Sharing Act (CISA) in 2015, providing
liability protection to encourage industry to share threat
information with DHS. But, now the Department of Health and
Human Services (HHS) has decided that the NCCIC and the
existing information sharing structure have limitations. Rather
than examining what the private sector was doing to address
potential gaps, HHS went ahead and built a health-specific
version called the ``Health Cybersecurity and Communications
Integration Center'' (HCCIC). That is the essence of
duplicative. It is exactly the problem that we are trying to
address in this hearing.
I have questions about the utility of this new entity. It
is also not clear that this new cyber center is necessary or
that it adds value. We should be looking to enhance information
sharing participation and the NCCIC's capabilities, not
sprouting a new ``kick'' for every industry or critical
infrastructure sector. This could go on ad nauseam, handcuffing
business even more in terms of sharing important threats with
people who need to know.
I am glad Chairman Johnson is joining me in sending a
letter to HHS asking questions about the genesis of this new
HCCIC and how it has been and will coordinate with DHS on the
liability protections offered to those that share information
with the HCCIC and why this new entity is even necessary. I
hope we can stop this before it goes too far.
I look forward to hearing from the witnesses today about
other ways we can work to simplify and harmonize their
regulatory burden.
Thank you, Mr. Chairman, for holding this hearing.
Chairman Johnson. Well, thank you, Senator McCaskill. And,
again, I appreciate the leadership you have taken on that. It
just kind of proves the point that, bottom line, the government
wants to grow, regardless of the Administration. I believe this
was started under Obama, and the Trump administration is kind
of moving right forward with it. So, hopefully we can prevent
that and consolidate this, and that is the purpose of the
hearing.
It is the tradition of this Committee to swear in
witnesses, so if you will all stand and raise your right hand.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
Mr. Feeney. I do.
Mr. Garfield. I do.
Mr. Nutkis. I do.
Mr. Reese. I do.
Chairman Johnson. Please be seated.
Our first witness is Christopher F. Feeney. Mr. Feeney is
currently president of BITS, the technology policy division at
the Financial Services Roundtable (FSR). Mr. Feeney has over 30
years of experience in
technology, business, sales, executive management, and
operating roles at a variety of companies. Before starting at
BITS, Mr. Feeney served as Chief Executive Officer (CEO),
president, and in executive roles at Thomson Financial, Bank of
America, Telerate, Multex, and Broadridge Financial. He is
currently on the Board of Directors at Scottrade, Incorporated,
and an executive committee member of the Financial Services
Sector Coordinating Council (FSSCC). Mr. Feeney.
TESTIMONY OF CHRISTOPHER F. FEENEY,\1\ PRESIDENT, BITS,
FINANCIAL SERVICES ROUNDTABLE
Mr. Feeney. Chairman Johnson, Ranking Member McCaskill,
thank you for inviting me to testify on this critically
important and timely subject.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Feeney appears in the Appendix on
page 33.
---------------------------------------------------------------------------
The Financial Services Roundtable represents 100 of the
leading financial firms in our country, including banks,
insurance companies, asset managers, payment firms, and finance
companies.
Make no mistake: Cybersecurity is a top-of-mind issue for
every one of our CEOs, and the industry is committed to making
the investments necessary to protect our critical
infrastructure and, ultimately, the information and assets of
our customers.
Our industry is one of the most heavily regulated sectors.
Nine independent Federal regulators, three self-regulatory
organizations, and the State insurance, banking, and securities
agencies oversee the industry. With that level of regulatory
oversight, it is imperative that financial firms develop
strong, collaborative relationships with regulators. In no
space is that more relevant than in cybersecurity.
The cybersecurity requirements across the financial
industry are, like the sector itself, very diverse in terms of
business size, type, and geographic footprint. That said, we
have heard from both our members and regulators that 60 to 80
percent of the cyber issuances could be considered common
across all regulators. For any regulated entity, words matter.
For the financial sector, with our waterfront of State and
Federal regulators, it becomes a tangible problem when those
tasked with creating cybersecurity rules do not follow a common
language and instead approach the shared components of
cybersecurity regulations with their own variations addressing
the same cyber issues but from different perspectives.
Think about it this way: As you all know, English is the
universal language of air traffic controllers, and controllers
all over the globe speak to pilots using the same agreed-upon
language. Imagine if a pilot flying to Paris, the Middle East,
and China had to know every native language as well as the
different variations in expectations and protocols for every
airspace they pass through.
To put it in the context of this hearing, over the last 2
years State and Federal financial regulators have put forth 46
cybersecurity regulations, updates to guidance, or new tools.
Individually, these regulations have merit. However, while we
recognize the need to have cyber regulations tailored to the
different firms and the markets in which they operate, these
regulations do not follow a common language or a common set of
exam procedures. This is counterproductive and introduces
tremendous inconsistency and duplication of effort for
technology operators, governance architects, and executive
leadership.
More specifically, firms already burdened by a shortage of
skilled cyber professionals must take resources away from
protecting their platforms to interpret the language of diverse
regulations. Ultimately, we hold ourselves accountable, and the
financial firms must ensure compliance with the regulatory
process.
As for a solution, you might be surprised to hear me say
that it is not necessarily fewer regulations but instead
rationalized and harmonized regulation around a common approach
and a shared language. Our industry is committed to working
with regulators to address this issue. In fact, FSR BITS and
our industry partners have developed a model cyber framework
using consistent language specific to our sector. The
foundation of this effort is the NIST Cybersecurity Framework,
which has been used in a similar way by other industries.
We were very pleased to see this issue highlighted in the
Treasury's report on modernizing financial regulation, which
called for better coordination on cybersecurity regulation and
examination across State and Federal financial Agencies.
In conclusion, until that goal can be reached, we encourage
the regulators to pause any additional cyber regulation which,
if issued, will only serve to extend the problems I have
described. When a chief information security officer (CISO) at
one of our largest member firms estimates that 40 percent of
his group's time is spent trying to unravel the web of
cybersecurity regulations rather than focusing on protecting
systems, that is a serious problem. We must ensure this issue
does not fall prey to regulatory oneupmanship or jurisdictional
turf battles. We must collaborate to maintain the cyber
integrity of the U.S. financial system.
Thank you, Mr. Chairman, and I look forward to your
questions.
Chairman Johnson. Thank you, Mr. Feeney.
Our next witness is Dean Garfield. Mr. Garfield currently
serves as president and CEO of the Information Technology
Industry (ITI) Council. Through this role, ITI has helped
define the national and international technology agenda,
expanded its membership, and launched a leading innovation
foundation. Before joining ITI, Mr. Garfield served as
executive vice president and chief strategic officer for the
Motion Picture Association of America (MPAA) and vice president
of legal affairs at the Recording Industry Association of
America (RIAA). Mr. Garfield.
TESTIMONY OF DEAN C. GARFIELD,\1\ PRESIDENT AND CHIEF EXECUTIVE
OFFICER, INFORMATION TECHNOLOGY INDUSTRY COUNCIL
Mr. Garfield. Thank you. Chairman Johnson, Ranking Member
McCaskill, and Members of the Committee, on behalf of 60 of the
most dynamic and innovative companies in the world, I would
like to thank you for engaging us in this conversation. The
issues we are talking about today are immensely important, and
so I would like to thank you as well for putting the focus on
this issue.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Garfield appears in the Appendix
on page 58.
---------------------------------------------------------------------------
We have submitted my testimony for the record, so rather
than repeat it, I will presume you have already read it and
hone in on three things: one, our definition of the problem;
two, what we are doing to help solve for it; and, three, where
we see gaps that Congress, and this Committee specifically, can
be helpful.
Our definition of the problem is really how do we go about
preserving the vibrancy and vitality of the Internet while
protecting it against those who seek to do damage to the
ecosystem through cyber insecurity. For us, success looks like
enhancing the societal and economic benefits of the Internet,
its openness, its interoperability, its integrated and
international nature, while making sure we are protecting it
against cyber insecurity.
Like many shared spaces, whether it is a community play
area or the Internet, we know that when there are
encroachments, the instinct is to react by adding regulation
and adding new rules. In the case of Internet and cyberspace,
to do so would be a colossal mistake.
What are we doing to try to help? We are focused on a
multifaceted approach, largely targeted in three areas:
One, doing what we do best, which is innovating, making
sure that we are thinking about cybersecurity in the first
instance as a design feature both at the hardware and software
level.
Second is recognizing that because this is a shared space,
it is a shared responsibility, and so working in public-private
partnerships to make sure that we are advancing cybersecurity.
My colleague Mr. Feeney referenced the NIST framework, which we
think should be the foundational strategy for how we go about
protecting cyberspace.
Third, we are endeavoring to cascade best practices through
our supply chains and more broadly. For businesses like the
ones I represent, cybersecurity is a CEO issue, and we put the
emphasis and the resources that are necessary behind it. For
small businesses, they may not have the resources or the know-
how to do so, and so we are endeavoring to do what we can to
help solve for that.
How can this Committee and Congress help? There are a
number of gaps that we have identified, including the ones that
are the point of this hearing.
One, there is a lack of coordination. There are three
Executive Orders (EO) in the last 5 years focused on
cybersecurity and driving greater coordination. That has not
occurred.
Second, the point that I made earlier about small
businesses and making sure that they are contemplated as part
of the solution in this area is another gap that we see.
What we recommend this Committee and Congress do generally
is using its oversight powers to ensure that the level of
coordination that is called out in those Executive Orders
actually happens, built around the strategy that exists in the
NIST framework, which is incredibly flexible, adaptable. In the
same way that those who are endeavoring to create cyber
insecurity are adapting all the time, the NIST framework is
really a broader strategy around which we can build.
Second is streamlining. The Department of Homeland
Security, which Ranking Member McCaskill noted earlier is
working on these issues, last year I spent some time looking at
all of the different Federal cybersecurity initiatives around
the Internet of Things (IOT), and recognized and identified
that there were 30, often competing, different initiatives
built solely around IOT. That is simply emblematic of the
broader problem, and I know Mr. Feeney's exhibit over there to
our right, in the context of his world, in the financial
services sector I think does a good job of capturing the
redundancies that occur more broadly.
Third, it is critical, since this is a shared issue, that
we take a multifaceted approach. Part of the solution here,
including for the private sector but government as well, is our
procurement practice. The procurement system actually helps to
create these redundancies and complexities, and so streamlining
and simplifying our procurement process will help to advance
our goals in this area. I know this Committee is contemplating
and considering the MGT Act, and from our perspective, moving
that in a way that is consistent with your goals is a part of
the solution in this area as well.
I thank you for the opportunity to testify, and I look
forward to your questions.
Chairman Johnson. Thank you, Mr. Garfield.
Our next witness is Daniel Nutkis. Mr. Nutkis currently
serves as founder and chief executive officer at the Health
Information Trust (HITRUST) Alliance. Mr. Nutkis has
over 25 years of experience in risk management and health
information technology. Before founding HITRUST, he served as
executive vice president of strategy and president of care
delivery at Zix Corporation, a security technology company. He
also served as the national director for Ernst & Young LLP's
health care emerging technology practice. Mr. Nutkis.
TESTIMONY OF DANIEL NUTKIS,\1\ CHIEF EXECUTIVE OFFICER, HEALTH
INFORMATION TRUST (HITRUST) ALLIANCE
Mr. Nutkis. Chairman Johnson, Ranking Member McCaskill, and
Members of the Committee, I am pleased to appear today to
discuss the health care industry's experiences in engaging with
government Agencies relating to cybersecurity regulatory
harmonization and efforts we believe will provide the greatest
benefit to industry. I am Dan Nutkis, CEO and founder of the
Health Information Trust Alliance. HITRUST was founded in 2007
and endeavored and continues to endeavor to elevate the level
of information protection in the health care industry and its
collaborators, especially between industry and government.
While I prepared my written statement for the record, in my
testimony today I will highlight three areas where
cybersecurity regulatory harmonization should occur to reduce
redundancy, unnecessary expense, and delays to better support
the private sector in defending against cyber threats, thereby
improving cyber resilience and management of cyber risk.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Nutkis appears in the Appendix on
page 74.
---------------------------------------------------------------------------
First is the area of information sharing. In 2010, HITRUST
established a mechanism to share Indicators of Compromise
(IOCs) and other cyber threat information with organizations of
varying cyber maturity. HITRUST has led the industry in the
collection and distribution of cyber threat information and
continuously evaluates and innovates to support organizations
in managing their cyber threats.
From the beginning, HITRUST participated with the DHS Cyber
Information Sharing and Collaboration Program (CISCP). We
operate the largest and most active Information Sharing and
Analysis Organization (ISAO) in health care. We are the first
health care organization to begin sharing bidirectionally with
the Department of Homeland Security's Automated Indicator
Sharing (AIS) program.
It was a surprise to learn that the Department of Health
and Human Services recently established its healthcare-specific
cybersecurity and communications center to focus its efforts on
analyzing and disseminating cyber threats across the health
care industry.
There is a significant level of effort required for
organizations like HITRUST in coordination with its thousands
of constituents to engage in cyber information sharing programs
with government. We undertake these efforts because we see the
value in the program and participation with government and
believe we are all operating toward a common goal. More can and
should be done to ensure the role of industry and government
are clearly defined when it comes to information sharing.
The second is the area of government as a partner. HITRUST
values its partners and recognizes the burden, responsibility,
and authority beholden on them to protect the private sector.
However, we should expect in areas where the private sector has
made a significant investment in establishing an effective
program or approach, the government would give it due
consideration before seeking a government alternative that
replicates or devalues industry efforts.
For instance, last year, the Health and Public Health
Sector Coordinating Council (SCC) and Government Coordinating
Council (GCC), with input from HITRUST and other sector members
including the DHS Critical Infrastructure Cyber Community,
developed the Health Sector implementation guide for the NIST
Cybersecurity Framework, specifically referred to as the
``Healthcare Sector Cybersecurity Framework Implementation
Guide.'' Yet despite the significant public and private effort
that went into its publication, HHS is working toward the
development of yet another health care-based implementation
guide of the NIST Cybersecurity Framework despite the broad
adoption of the existing guidance by private sector
organizations. We are perplexed as to why HHS would not partner
with industry by leveraging programs already in place and
offering assistance to improve them instead of replicating and
dismissing the hard work of industry. We would ask that
Congress require Federal Agencies to give due consideration to
existing standards and best practices already in place before
developing new ones.
The third is the area of government as a regulator. The
Department of Health and Human Services is responsible for
overseeing the implementation of the Health Insurance
Portability and Accountability Act (HIPAA), and the HHS Office
for Civil Rights (OCR) is responsible for assessing compliance
with and enforcement of the HIPAA Privacy, Security and Breach
Notification Rules, including issuance of civil and criminal
penalties.
In support of their role, they conduct annual random audits
that are designed to enhance industry awareness of compliance
obligations. We have documented that these random audits are,
in fact, causing organizations to divert their attention and
resources from enhancing their information protection programs
based on the potential for random audits.
We propose that policymakers consider a system whereby
organizations that can demonstrate a comprehensive information
security program that complies with the privacy and security
provisions of HIPAA can receive some form of safe harbor or
similar relief, and focus HIPAA audits on those organizations
that cannot demonstrate their compliance in meeting the
criteria.
I hope my testimony illuminates areas where individual
activities may seem innocuous, but in totality begin to create
confusion and concern. I have highlighted where additional
clarity in regulation and guidance will ensure the private
sector understands how to best engage with government and also
the complex issues that arise when a regulator is partnering
with industry.
Thank you again for the opportunity to join you today and
share these insights. I look forward to your questions.
Chairman Johnson. Thank you, Mr. Nutkis.
Our final witness is Bo Reese. Mr. Reese currently serves
as the chief information officer (CIO) for the State of
Oklahoma and vice president of the National Association of
State Chief Information Officers (NASCIO). Mr. Reese has been
in State government for 25 years and was appointed the Oklahoma
State CIO by Governor Mary Fallin in 2014. Prior to this role,
he was CIO and deputy administrator and chief operations
officer at HealthChoice, the State's self-funded health plan.
From 2013 to 2014, Mr. Reese served as the chief operations and
accountability officer at the Office of Management and
Enterprise Services, Information Services. That is a pretty
good mouthful. Mr. Reese.
TESTIMONY OF JAMES ``BO'' REESE,\1\ VICE PRESIDENT, NATIONAL
ASSOCIATION OF STATE CHIEF INFORMATION OFFICERS, AND CHIEF
INFORMATION OFFICER, INFORMATION SERVICES, OFFICE OF MANAGEMENT
AND ENTERPRISE SERVICES, STATE OF OKLAHOMA
Mr. Reese. Chairman Johnson, Ranking Member McCaskill, and
Members of the Committee, thank you for inviting me to testify
before you today on Federal data security regulations and their
impact to State governments.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Reese appears in the Appendix on
page 79.
---------------------------------------------------------------------------
My name is Bo Reese, and I serve as the chief information
officer for the State of Oklahoma. I also serve as the vice
president of the National Association of State Chief
Information Officers. All 50 States and 2 territories are
members of NASCIO, and we represent the interests of Governor-
appointed State CIOs who act as the top IT official for State
government.
Today, I would like to provide the Committee an overview of
how Federal cybersecurity regulations impact our work to
introduce efficiencies and generate savings for State
taxpayers. I will also touch upon how the complex Federal
regulatory environment is duplicative in nature, contributes to
inconsistent Federal audits, and drives cybersecurity
investments based on compliance and not risk, which is the more
secure approach.
Based on a 2009 assessment and prior to IT consolidation,
the State of Oklahoma was supporting 76 financial systems, 22
unique time and attendance systems, 17 different imaging
systems, 48 reporting and analytic applications, and 30 data
center locations.
Over the past 5 years, we have reduced these redundancies,
made large strides in unifying technology, and completed
consolidation of 76 of the 78 mandated State Agencies and more
than 30 voluntary agencies. Consolidation has resulted in $283
million of estimated reduced spending and projected savings.
One of the biggest hurdles in achieving savings through IT
consolidation has been compliance with Federal security
regulations.
State CIOs and chief information security officers must
comb through thousands of pages of Federal regulations to
ensure that States are in compliance with rules from our
Federal partners, and even though many Federal regulations are
similar in nature in that they aim to protect high-risk
information, they are mostly duplicative and have minor
differences which can obscure the goal of IT consolidation, the
whole point of which is to streamline IT applications and
simplify the enterprise IT environment to produce savings for
taxpayers.
For example, Internal Revenue Service (IRS) Publication
1075 and the Federal Bureau of Investigation (FBI) both protect
very high risk information, but their password policies vary
enormously. Also, the IRS requires incident notification within
24 hours, but Centers for Medicare and Medicaid Services (CMS)
requires notification of a breach without unreasonable delay.
Additionally, the FBI requires us to keep audit logs for
one year. The IRS requires us to retain audit records for 7
years.
Further, duplicative regulations also contribute to
inconsistent Federal audits. State governments are often
audited multiple times by the same Federal agency and have
different audit findings, even though they are auditing the
exact same IT environment. For example, in Oklahoma, the IRS
audited one of the State Agencies twice because it viewed two
programmatic elements of the agency as separate entities. My
office had to answer questions, attend meetings, and deliver
additional explanatory materials twice for one agency because
it is seen as two by the IRS auditors. Additionally, one audit
team had a finding, and the other did not, despite only one IT
environment being the subject of both audits.
In Louisiana, five State Agencies were assessed by five
different IRS auditors and ended up with five different
outcomes. One agency had 32 findings; another, 27; one had 23;
one had 14; and another had only 11. We have several more
similar examples in our attachment to the written testimony.
Inconsistent regulations in audits are problematic because
it leads CIOs to make cybersecurity investments based on
compliance and not risk. When Federal data security audits are
conducted and produce findings of a critical nature, State CIOs
must direct their attention and resources to remediating and
addressing those findings to satisfy Federal auditors and avoid
any potential negative impact to citizens. This approach is
problematic for State government cybersecurity because it
encourages State CIOs to make check-the-box compliance
investments instead of ones based on risk, which is the more
secure approach to managing sensitive data.
We appreciate efforts by the Federal Government to secure
and protect sensitive citizen information because we also share
that responsibility at the State level. But, we must accomplish
our shared goal without overly burdening State governments,
ensuring that we are delivering government services to citizens
in the most efficient and cost-effective manner. In recognition
of that shared mission and responsibility, we want to work with
our Federal Government partners to harmonize disparate
regulatory requirements and normalize the audit process.
Thank you for your attention, and I look forward to
answering your questions.
Chairman Johnson. Thank you, Mr. Reese.
If we could put that diagram back up on the board, I would
appreciate it.
I think the witnesses have really laid out through
anecdotal stories the problem here that I think is pretty
obvious and pretty clear. I think the solution is actually
pretty clear as well, but, as a diagram, this is pretty good. I
do not know how long we actually had printers that could print
something this complex. [Laughter.]
But, Mr. Garfield, you mentioned the fact that there have
been three Executive Orders basically asking the Federal
Government to harmonize the regulation in the space, and you
went on to testify that they have not been implemented.
First of all, describe why not. I mean, is there any
explanation of why a step that is so obvious, something that is
just so imperative that we do, why has it required three
Executive Orders and those Executive Orders have gone
unimplemented?
Mr. Garfield. I think in part it is because of the
challenge of putting someone in charge. So, in order to have
the level of coordination that is needed to avoid the kind of
redundancy that we see reflected in that chart, you need
someone who is a center point for coordination. So, we have a
strategy, which is the NIST framework, around which we can
build, but that strategy has to be driven by a particular
entity or person.
For example, in the most recent Executive Order, 13800,
from President Trump, he pushes all of the Agencies and
actually requires the Agencies to say what they are doing to
act consistent with the NIST framework. The second part of it
is not asked, and that is, What are the additional regulations
that you are advancing related to cybersecurity? It is one
thing to say you are implementing the NIST framework. It is
another thing to actually do so in a fashion that does not
create replication, redundancy, and complete lack of
coordination.
So, I think having a center point that is coordinating and
advancing this to avoid duplication is central to helping to
solve for this.
Chairman Johnson. You are not saying there has been some
bureaucratic infighting in terms of who wants--so let us--I
mean, who should coordinate this? Because in the end, you need
some department, some agency, somebody in the Federal
Government to take charge of this, to be given the
responsibility, to be held accountable to coordinate this
action, to make sure that everybody comes into line so that
the--again, Mr. Reese, I cannot remember how many you said, the
number of different requirements that are required are actually
answered in the same way. Who do you think is the best--and I
will have all of you answer that question. Which agency, which
department of government ought to take control of this? We will
start with you.
Mr. Feeney. I think for us it is important to keep Treasury
in the role they are in. They are chartered to be our sector-
specific agency through DHS, and that has been very useful.
They sit between both the industry and also the regulators.
They chair the Federal Banking Infrastructure Council (FBIC),
that specifically works with the Federal regulators, plus
others like market regulators. So, in our world, that is the
logical place. They understand us; they know our business. They
understand financial systems and have been a good steward.
Chairman Johnson. But, again, the problem with that is you
are the financial industry. Then you have the health care
industry over there.
Mr. Feeney. Right.
Chairman Johnson. And, now you have different Agencies of
government basically trying to ask the same questions, trying
to do the same type of regulation to ensure cybersecurity. And,
Mr. Nutkis' group's regulators are going to have something
completely different. Is that not the problem, Mr. Nutkis?
Mr. Nutkis. Well, I think for us there are multiple
problems. I think some of the guidance that is out there puts
DHS squarely in the middle when it comes to cyber information
sharing. So, we did not think we had any ambiguity, which I
testified in March in a similar hearing, which was we were
somewhat confused because we thought the Presidential directive
created the ISAOs and then CISA clarified the role of
government, which the Presidential directive kind of said you
share with government, CISA clarified which part of government
you shared with, so industry started moving down a path to do
that.
We may see things slightly different. We see HHS as a
regulator. They fine, they enforce. So, sometimes when it comes
to how openly and willingly you want to share with your
regulator makes things a little tough as well. So, I think
there is a role for the regulator in the role that they play,
but as we look at looking for things like standards and how we
apply these, we want them to be applicable across all
industries. They can apply to ours as well.
I think also health care is not a box. You have
organizations that make fitness equipment. You have
organizations that have supplements. You have organizations
that deliver care. The lines get fuzzy, so we sometimes find
that they do not work in small boxes.
Chairman Johnson. So, again, you have the departments, you
have the Agencies regulating different industries, and, again,
that would be appropriate. What we are talking about here is
something over all of those to completely coordinate and
harmonize cybersecurity.
Mr. Reese, as a State, you are not dealing with just one
Federal agency. You are dealing with a bunch of them. I mean,
industries might be dealing with a limited number. You are
dealing with all of them. Is that not what you are asking for,
give us basically kind of a one-stop shop to go to, to pretty
well dictate--and I hate to say this--within the Federal
Government, this is how you are going to develop--this is the
framework under which you are going to regulate cybersecurity
so we do not have that?
Mr. Reese. Right, so most of the discussions we have had in
the past have not been so much about who but how. And, as
States, we have an organization like NASCIO where we as States
come together and collaborate on a regular basis, and they help
facilitate opportunities where we can begin conversations. And,
we have begun some conversations with our Federal partners. We
have not made a whole lot of headway, and we certainly are
looking to this group to help champion some real change,
hopefully; but really the how, and I think that is through a
collaborative effort. We really want to avoid making those kind
of decisions in a vacuum, getting everybody at the table, and
making sure that we are in a collaborative environment where we
are looking across the board at the different industries and
then looking at the impact to States and looking for that true
collaboration and shaping and sculpting something maybe from
the ground up that is more functional and efficient.
Chairman Johnson. Yes, from the ground up, but it has to
come eventually to a point, to the top of that pyramid where
the decisions are made and things are harmonized. Mr. Garfield,
I will let you have the last word on this.
Mr. Garfield. Yes, the infrastructure is there, so NIST
develops the standards. You do not want a regulatory body
developing the standards, as Mr. Nutkis pointed out. And so,
the actual strategy, the framework, NIST is there. They are
doing it. They are doing it well.
Chairman Johnson. But, everybody is going off in different
directions on that.
Mr. Garfield. Yes.
Chairman Johnson. So great, you have NIST. But, you still
need somebody to have the power to make sure that everybody is
handling it the same way.
Mr. Garfield. We also have a cybersecurity coordinator. In
the previous Administration, it was Michael Daniel. Now it is
Mr. Joyce. I think part of what we are encouraging is that that
role or some other role play this part in driving coordination
and avoiding redundancy.
That does not mean we are getting rid of the Agencies and
their role in cybersecurity. This is multifaceted, and it has
to be dealt with in that way. But, it would be helpful to have
an entity, a person, a group of people coordinating all of the
Agencies, bringing it together, making sure it is working in a
holistic risk management approach.
Chairman Johnson. The last point I will make is if it is
just a person in an Administration, that could change every 4
years, or sooner than that. I think we really need to identify
a department--if that is going to be DHS and the NCCIC, we need
to identify that. We need to empower that department so that
there is consistency long term in this. Senator McCaskill.
Senator McCaskill. Thank you, Mr. Chairman.
Yes, in fact, the ``I'' in CCIC stands for ``Integration,''
and when we passed the bill, I think we envisioned that DHS
would be the locus of the integration, while NIST provided the
standards. That is why I am so concerned about this effort at
Health and Human Services.
Mr. Nutkis, when did you learn about the effort at HHS to
essentially duplicate what we were trying to accomplish through
the legislation that we signed into law at the Department of
Homeland Security?
Mr. Nutkis. I am not exactly sure when I found out, but I
do know I found out through the media. I did not find out
through our partnership with HHS, and it was not that long ago.
Senator McCaskill. And, are you confident that it is going
to duplicate efforts that are already underway? Is there any
additional benefit you see coming from HHS trying to create its
own entity for integration of cybersecurity policy?
Mr. Nutkis. I cannot state that there is no value and I am
not sure that I am cognizant of all the potential that--and
what they want to focus on. I can only talk about what we
understood the rules to be and how the role of industry and the
role of government were supposed to play and now we have
changed the rules.
The rules were there was supposed to be information sharing
organizations that we established either at a sector level, a
segment level, or a community of interest level to be able to
facilitate information sharing and share with government, and
that provided the organizations to be able to understand which
ones provided the most value. And, we could have sub-
information sharing organizations so that they were value-based
and there was transparency around--as a matter of fact, DHS was
establishing a standard. So, it was not one size fits all, and
you could have a best of breed, so if you felt that you were a
small organization, there was a community of interest for you.
So, those ISAOs were able to innovate.
What we have now done is say we are just going to--the
government is going to come in and help us, and we are not sure
exactly where the help is needed. There is no question more can
be done. The question is: Did we evaluate what was going on and
where the help is really needed?
Senator McCaskill. I think this is probably another issue
around this we have to talk about. One of the reasons the
Cybersecurity Act of 2015 is so important is because of the
safe harbor it provides. We are trying to incentivize this
integration so that we can evaluate real risk and real threats.
And, some of the briefings we have had around here in the last
few months, classified briefings, have only tightened my grip
on the sense of urgency that this is a real danger that our
country faces, this threat from cyber warfare.
Do you have confidence that the safe harbor liability
protections that we put in that act that apply to DHS even
apply to the HHS effort, HCCIC?
Mr. Nutkis. I only know from reading the CISA Act, like
everybody else. It is not a listed agency in CISA.
Senator McCaskill. Right. So, are you all currently sharing
information with HCCIC?
Mr. Nutkis. We do not. We share information with the NCCIC.
Senator McCaskill. And, I assume that this is a common view
of people that are regulated by HHS that it is safer and my
understanding is that they want you to share directly without
redacting?
Mr. Nutkis. I am not aware of the expectations of the
HCCIC. I do know that the expectations of the thousands of
organizations that share with us is we anonymize the
information before sending it on to DHS and that we also spent
a considerable amount of time having to go back to thousands of
organizations to ask them to provide us with the waiver
necessary for them to do that.
Senator McCaskill. Have you voiced the concern you have
about a regulator that has the ability to levy fines also being
the point for information sharing? Have you shared that with
HHS?
Mr. Nutkis. I believe we have.
Senator McCaskill. And, what was their response?
Mr. Nutkis. I am not fully sure we ever got an answer.
Senator McCaskill. Let me talk to you, Mr. Reese. While I
would hope that we would all kind of join hands and try to
force as much integration as possible through the NCCIC,
through the Department of Homeland Security, because of the
efforts we made to codify not only protections for the private
sector but also integration in that locus for cybersecurity
information sharing with the private sector, but maybe the help
that might kind of tell HHS to back off or tell other Agencies
we are going to do integration through NCCIC, we are going to
do standards through NIST, would maybe be the Federal CIO. Do
you believe that the Federal CIO--it would be important for the
President to nominate a new Federal Chief Information Officer
so that you would have an identified contact that has similar
responsibilities at the Federal level that you have in your
State?
Mr. Reese. I think that is certainly a very interesting
conversation because that is one of the challenges we certainly
have, is when we are dealing with so many different Agencies
and so many different disparate frameworks and regulations,
where do you contact, who do you contact, who do you call for a
particular one, and that they all overlap. And, when you are
dealing in our environments where we have unified across a
State an entire Executive Branch, we are dealing with public
safety information, health information, IRS information, all
collectively on similar systems. And so, when we have some of
these challenges, we are not even sure who we should be seeking
out guidance from because there is not a single contact. And,
when we often get that guidance, it is usually not something
that is very consistent.
Senator McCaskill. Well, I certainly would like to join
with the Chairman in a bipartisan effort to contact the
Administration and let them know that not only are we anxious
for them to nominate someone, that we would like to empower
them to be somebody who is identifying the conflicts and
identifying this issue of NCCIC versus HCCIC, and why is this
even happening, because then maybe they would be in a position
that they could throughout the government be a point of contact
to deconflict and help all of these various private sector
entities that are struggling with we want to do the right thing
but we just cannot--we cannot do all of the right things
because they are not even consistent with one another. Maybe
you and I could join----
Chairman Johnson. I am happy to work with you. In fact, we
have three Executive Orders on this. It is obviously recognized
as a problem.
Senator McCaskill. Yes, but we do not have the guy in
charge.
Chairman Johnson. Right. So, we will work with you on that.
Senator McCaskill. So, it would be great if we could get
that nomination done, and maybe this would be a letter they
would look at since maybe you would sign it.
Chairman Johnson. They are looking at all your letters.
[Laughter.] Senator Daines.
Senator McCaskill. I winked when I said that. I was not
being confrontational to my friend, the Chairman. [Laughter.]
OPENING STATEMENT OF SENATOR DAINES
Senator Daines. Thank you, Mr. Chairman, Ranking Member
McCaskill, and thank you all for testifying today about this
critical area of national security. I was struck by the chart.
I thought we were going to be talking about regulations. I did
not know it was about spaghetti today. [Laughter.]
That is a sobering-looking flow chart. I am not sure you
could use the word ``flow'' with that chart. Let us just say
that redefines complexity.
Policymakers continue to debate the best approach to
implement cybersecurity standards. Despite Congress' attempt to
get ahead of cyber crimes in 1986--that is going back to
President Reagan's second term--with the Computer Fraud and
Abuse Act, most legislation and regulation in this area has
been in response to a high-profile breach, arguably very
reactionary.
Over the years, best practices have emerged. They apply
broadly but certainly, as we all know here, it is all about the
details, and the devil is in those details. I spent 12 years in
the cloud computing industry before I came to the Hill. I
understand how important it is for business to guard networks
and sensitive data. And, I do not believe we can mitigate this
threat by burdening companies with more one-size-fits-all
regulations. If there is something that ought to frighten the
private sector, it is when Congress, who does not really grasp
the details and the challenges, dictating technologies to
industry. Some of our best and brightest in the tech sector
are, I am always a bit nervous with tech mandates. To quote
Senator Mike Mansfield of Montana, he used the words ``Tap 'er
light.'' I think that is appropriate advice as we think about
this. However, we need to encourage and share best practices
and, importantly, punish the criminals and enforce the law.
The debate over cybersecurity standards typically leads
policymakers to one of two conclusions: first, the Federal
Government should mandate baseline requirements; or voluntary
standards, such as the NIST framework should be kept for
companies to apply as they see fit. I might argue there is
perhaps a third option. There is an old adage in the private
sector: ``If you aim at nothing, you will hit it.'' Consider
your credit score for a moment, an industry-recognized ranking
system based on quantitative data, so taking something that can
be somewhat complex and qualitative in nature and quantifying
it, your credit score. It enables informed decisions about
risk. A score that ranks an organization's cybersecurity
practices based on empirical data would allow consumers to make
informed decisions. This approach allows the market to decide
and incentivize companies to strive beyond the threshold of
regulatory compliance to become industry leaders in
cybersecurity.
I know when we were running a cloud computing company, we
hosted in our data centers many Fortune 500 companies. We had,
as is the best practice in the industry, outside groups that
would seek to penetrate our systems here and issue reports to
us good guys acting like bad guys and telling us what they
found. That is a very helpful way to think about security, and
I know it is generally a best practice in the industry.
Mr. Garfield, would you agree that neither purely voluntary
frameworks nor overly specific Federal mandates are the best
approach?
Mr. Garfield. I think the answer to that is yes. As it
turns out, NIST is engaged in an exercise in updating the
cybersecurity framework where it is looking at metrics and
measurements. To the point you made earlier about ``tap 'er
light,'' I think we have to be thoughtful in the approach that
we take.
For example, the Fair Isaac Corporation (FICO) score that
you mentioned is fairly straightforwardly quantitative. How we
do that and turn something that is complex, sometimes
spaghetti, into something that is fairly straightforward and
makes sense will require the kind of multi-stakeholder
engagement that you are talking about.
Senator Daines. The only thing worse than doing nothing is
doing something that drives the wrong behaviors, the wrong
outcomes, certainly, and it will take thoughtful dialogue. And,
I am pretty confident--spending some time with our best and
brightest in the private sector, and as well engaging those in
the Federal Government and State governments--we could come up
with something here that would be a quantitative indicator.
But, it is just an idea to throw out there, something that
would be actionable going forward.
I want to talk about the support for Rapid Innovation Act.
This concept for an empirically driven cybersecurity score was
the product of research funded by DHS's Science and Technology
Directorate. Through technology transfer, this investment is
becoming a viable market-based solution that can adapt to
trends in cybersecurity as they emerge. I believe as a
government we should be investing in forward-looking solutions
like these as precisely the objective of my Support for Rapid
Innovation Act, which would allow DHS to foster and enable
progress rather than impeding it by setting these static
requirements that oftentimes would be obsolete by the time
Congress got around to acting.
To the panel, the question is: Where is the Federal
Government currently expending resources for negligible
benefit? And, where should it focus its resources as it relates
to cybersecurity? I am throwing that question out to see who
would like to take it first.
Do not jump all at once.
Mr. Garfield. Well, I think we have given some examples.
For example, the--and by saying ``negligible,'' I do not mean
to suggest that it is not important. So, whenever there is a
new area of innovation, there is a rush to jump in and
regulate. So, the Internet of Things is one area. As I pointed
out earlier, there are 30 different initiatives aimed at
regulating that. I think there is negligible benefit to
approaching IOT and IOT security in that fashion. And so, I
would say that is one area where resources are being
misdirected. The National Highway Traffic Safety Administration
(NHTSA) is undertaking an effort looking at cybersecurity
solely in the automobile instead of engaging and coordinating
its efforts through NIST, which is advancing an initiative
based on cyber physical systems, and so the very thing that
they are also advancing. And so, I think that effort is also
going to be negligible because the experts are elsewhere and
the likelihood that you are going to be as forthcoming with a
regulator as you would with a scientist I think is misguided,
as some of the other witnesses have pointed out. So, those are
two examples where I think we can streamline and reduce
redundancy.
Senator Daines. That is very kindly put. Thank you.
Mr. Feeney. I think it is good money spent when you fund
NIST, especially relative to some of their innovation work. So,
they are doing considerable work in quantum. For instance, they
are looking at IOT. Both of those are relevant and important.
They will be upon soon, if not already. So, when you can focus
on programs like that, they make real sense for the fuller
marketplace. So, that is where I would spend time and effort.
We are a little bit unique in that we are working with
independent regulators. They are not subject to the Federal
mandates, if you will. So, our view of it is really
concentrated within the industry. But, innovation is important.
A number of our regulators are working on innovation as well.
Senator Daines. Thank you. I am out of time. The thoughtful
conversation, I appreciate it. This is a town that has a
culture of rewarding activity and not results, and we have to
get focused back on outcomes here versus checking a box, well,
we did all these things here and think that Members of Congress
are going to nod their head and think they are bluffed. But, I
think we need to focus on the result.
Thank you, Mr. Chairman.
Chairman Johnson. Senator Heitkamp, and I do want to thank
you for switching the order here to accommodate Senator Daines.
OPENING STATEMENT OF SENATOR HEITKAMP
Senator Heitkamp. You bet. Not a problem.
I am going to give you another analogy, and one is a bike
lock. When I was in college, you had a chain. It had a little
padlock, right? And, that was enough of a deterrent. And then,
pretty soon people came with wire cutters, and, now we have
titanium locks, and people are taking their bike seat off, and
the bottom line is it is always going to change. And, if we do
not have a system that is adaptable, if we do not have
communication and adaptability, then all of this means nothing,
I mean, because there is a back door somewhere.
And so, the innovation that Steve talked so eloquently
about is absolutely critical, staying ahead of where the threat
is and being nimble and being diverse. And, that is the
challenge that I see, which is one size fits all may be the
most dangerous thing we can do, is applying one system to all
of this because, number one, it will tap down innovation, but
it also will create greater vulnerabilities if we are only
doing the same thing over and over again.
And so, this is an area that I think there is incredible
bipartisan concern, but also a willingness to look at that, and
we can all say that is not where we want to be. And, as a
former State official, I can only say I feel your pain. Back in
the day before we had all of this technology, I was the tax
commissioner--and he nods, and he knows what those IRS audits
are, and rightfully so. They want to protect their information.
There is a lot of great information sharing. We could not do
what we do in terms of enforcement without a relationship with
the IRS. But, a lot of that is box checking. It is not real
security. It is you have the checklist, you go out there, you
ding someone because there is the wrong kind of door as opposed
to what is the actual breach.
And so, I want to go to what you are seeing in State
government because State government is not as complicated as
this, but it definitely is a laboratory for innovation and a
laboratory for coordination. And, I want to give you a chance,
Mr. Reese, to tell us what you have learned in your role not
just in Oklahoma but your role as heading up the Chief
Information Officers organization and give us the five things
you want us to do.
Mr. Reese. Fantastic. So, what a great opportunity, right?
Because being a part of NASCIO, we work with all 50 States and
2 territories, and I assure you what we hear across every State
is the same story over and over again. There is overregulation,
there is duplicity, there is inefficiency. We can give multiple
examples where we are making check-the-box decisions instead of
being allowed to work with our Federal partners and make good
business decisions.
Things like cybersecurity and dealing with these odds is
not just a simple check-the-box type of technology. You have to
look at the opportunities. I have had scenarios where, in
Oklahoma, because for the last 5 years we have been in a State
of flux--we have been going through this consolidation of all
of our IT within the Executive Branch and have made tremendous
strides and have found tremendous savings and efficiencies.
However, we still run up against a lot of hurdles because it
becomes very troublesome trying to align with our Federal
partners who still treat us as if we are siloed. Here I am
working and am incentivized by our Federal partners to
consolidate, but when I go engage with my Federal partners,
they are not consolidated, and they still treat me as if I am
siloed, and, therefore, I end up losing all of my efficiencies
because I have to do these repetitive processes.
Senator Heitkamp. Right.
Mr. Reese. I also make these decisions where, if I know I
am working with an agency, and I have great examples of some
aging hardware at an agency that was reaching end of life, and
I knew I had a plan during the consolidation that I was going
to be moving all of that network infrastructure over onto our
on-prem shared solution, and, therefore, would be on a newer
solution. But, when the auditors came in and identified that
hardware was not on their list of approved versions of
hardware, they said no, we have to replace that. We said, wait
a minute. We are going to replace it. We have purchased
extended maintenance on it so we have mitigated the risk, and
we would like to take those dollars and go apply them somewhere
else, say on an application layer security, because we know
that we are also going to be absorbing it later. Did not
matter. We had to check the box. We were forced with making a
decision of spending the money to go ahead and replace a piece
of hardware before we were prepared, before it was even an
appropriate return on investment, and we ended up making that
check-the-box decision instead of getting to make a good
business decision, which is what I was charged to do in this
role, was to go make good business decisions with our Agencies.
Those types of scenarios come up over and over and over.
Senator Heitkamp. So, if we gave you a place that was
responsive to this, that was an override that was looking at a
broader kind of spectrum of concerns--so let us say in that
case they say go buy this equipment, you go, I am going to take
this to the Council of, You Are Crazy, and I am going to plead
my case that that is not reasonable. I think one of these
things that you get is that when things are siloed here, the
right hand does not know what the left hand is doing. They are
not familiar. They are just like do not confuse me with the
facts and your problems. This is my problem, and I have to make
sure that you have this.
So, if there were a place, and maybe thinking about this,
if there were a place where you could go or industry could go
to say, no, I am not going to do that, and I do not want to be
dinged for it; I have a logical reason; I am going to appeal
your decision someplace so that you have to be accountable for
the disruption that you are creating that does not make a lot
of sense, because States are very similar in this role to
industry. They are the users. They are the regulated in this
case.
And so, it seems to me that if we had some place where you
could go to say this is not smart in terms of overall security,
and you did not get forced into this by the time crunch of an
audit or dinged on an audit, that might be helpful.
Mr. Reese. Absolutely. Timing is such a challenge. The
Oklahoma Tax Commission is a fantastic partner to me and my
organization. They have been great at working with us to find
efficiencies in what we can do together, and we have been able
to achieve some really good things with those folks. But, yet
it comes down to some things that you think would be simple,
but because the technology is ahead of the regulations, we find
ourselves struggling for guidance.
The Oklahoma Tax Commission recently worked with us on
moving to a hosted voice solution, and in trying to determine
how we deploy and meet all the Federal requirements for the IRS
and others for this solution, we found ourselves struggling
with trying to determine what set of standards do we use. Is it
the voice regulations or is it cloud-based or hosted solution-
type regulations? They do not match. And so, we end up seeking
guidance, and it takes months.
Senator Heitkamp. I think Mr. Garfield wants to add to
this.
Mr. Garfield. If I could just add that what Mr. Reese is
saying is so real, and we hear it so often at the State level,
but we also experience and see it at the Federal level as well.
And so, this is a broad-based problem that requires a solution.
Senator Heitkamp. I just want to make one final point, and
that is about risk taking. Everybody has a checklist, and they
want to meet that checklist because if something happens, they
want to say, ``I did my job''; as opposed to ``I am part of an
evolving, necessary, very dynamic industry that needs to be
mobile and agile,'' and we need to tolerate to some degree--and
I am not saying that this--but we need to tolerate that this
will not be perfect, and we are going to learn as time goes on.
And so, we need to tell people, ``Do not do things that do not
make sense, and if it did not make sense, we are not going to
ding you if something happens.''
So, that is part of the problem here, that when you have
enforcement actions, the dinging or the risk taking does not
happen because people are so afraid that they will be held
accountable.
Mr. Nutkis. Can I add one more thing? Because I think in
industry we have tried to innovate, and I think this has been
the concern that we have had is we have looked at things for
years from risk. We transitioned from compliance-based to risk-
based. We have worked with cyber insurance actually to be able
to understand how risk scores actually work and how we can
develop better frameworks to do this. But, we are driven by a
compliance and a regulatory environment that says, just as you
said, here is the box. But, I would not--I would certainly look
at what industries are doing because there is a lot of work
already in place. In industries, we have been doing it for 10
years. We have thousands upon thousands of organizations, tens
of thousands, that get assessed against this every year, and it
does meet the requirement of HIPAA, but, again, the requirement
here is to manage risk, not to check the box.
Senator Heitkamp. And, we need to be sending the message to
the people who are reviewing it, because they are box checkers
and they need to be in the risk assessment business. I totally
agree.
Chairman Johnson. At an earlier hearing on a separate
subject, at the end of Senator Heitkamp's questioning--and I am
paraphrasing. Maybe this is not an exact quote. ``This is
crazy. This is insane.'' I was kind of actually waiting for
that. I think what you are seeing here is we are kind of
working toward what hopefully will be a bipartisan solution and
working together on this. So, thank you, Senator Heitkamp.
Senator Lankford.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. Thank you, Mr. Chairman. And, I thank all
of you for being here. Mr. Reese, good to see you again. Glad
you are here. Thank you for the work that you do in Oklahoma
all the time.
I want to be able to highlight several things with you
today. One is a point of reference on different Agencies and
entities that you interact with. DHS and the FBI, just to be
able to give you a point of reference for all of the four of
you as well, I just walked out of an Intel hearing that is an
open hearing today dealing with cyber attacks from Russia and
how they are influencing that, and specifically going after
State election systems.
There is this myth that all of you know well is just a myth
that foreign actors, whether they be North Korea, Iran, Russia,
or China, are interested in hacking into the Pentagon, but they
are really not interested in anyone else. That is completely
false. We have 21 States during the last election time period
that Russians were trying to hack into specific State election
systems. They were not able to get to any of the vote tally
areas or controlling voting machines, but they were able to get
to things like voter registration rolls. And, it raises the
question: If they can get into a voter registration roll, could
they add people? Could they delete people? Could they change
data? Could they complicate the process on election day? If
they can get to that data, what else could they get to?
So, you have in front of you the now famous--I should say
``infamous''--email that was sent to a DNC employee named Billy
Rinehart.\1\ Billy never intended to be a national example, but
he suddenly became a national example as an employee of the
DNC. He was on vacation, was in Hawaii, actually, and he opened
up his email and saw this email from Google. And, the email
simply reads, ``Someone just used your password to try to log
into your Google account,'' had his email address there, and
said the location was from the Ukraine. So, it encouraged him
to change his password, which he promptly clicked on that,
changed his password, and went back to bed. What he actually
did was just opened up a portal from Russia into the DNC, and
they began exfiltrating data of large quantities based on that.
Billy was not the only one that clicked on that. There were
others that did from that same email.
---------------------------------------------------------------------------
\1\ The email submitted by Senator Lankford appears in the Appendix
on page 92.
---------------------------------------------------------------------------
So, the question is for the Federal Government and for
State governments, it is always the conversation about the
weakest link. And, you have regulators hanging over you asking
you how many connection points, how many possibilities of
logging in. Where is your latest hardware? Have you updated
this router in this place? There is a vulnerability. Do you use
certain software for virus protection? Where does that
information get routed? Has it stayed in the United States? Is
it routed through Russia? All of those basic questions that are
coming at you all the time.
The issue that we are trying to figure out is how to be
able to give you a consistent voice and where does that even
go.
Mr. Reese, your statement before that in the consolidation
that we did in Oklahoma, which was a very real consolidation
where we saved a quarter billion dollars through the work that
you did and the others that are around you did through the work
that happened there, your testimony that the biggest hurdle
that you had was not the consolidation; it was the Federal
Government and the regulations and the multiple answers that
you were trying to get in the multiple audits that are now
coming at you. How do we manage this? This is a real threat.
Ninety-one percent of the hacks that come into our Agencies
come in through a phishing attack just like that. Some employee
clicked it; they now have access. If they now have access to
health care data, to tax data, it is connected by forms to
other places. How do we manage this best? And, do we need a
single point of contact to be able to manage this from a
Federal side, as all of you are doing on the State sides? Or
what is the best way to be able to continue to manage how that
data flows rather than having multiple entities?
That is a long, rambling question, but somewhat I want to
be able to expose this issue, because I think a lot of
Americans think somehow it is some hack that got into a system.
Most often it looks just like that. That is just how they got
into the system.
Mr. Reese, do you want to try to attack my rambling
question?
Mr. Reese. Absolutely. So, to be able to manage these types
of scenarios, which we see every day, when we tackle this one,
there will be another one tomorrow, right? That takes a
tremendous amount of resources. Today we find ourselves--
training and awareness is in the forefront of how we protect a
State. We have 33,000-plus employees statewide that have access
to some degree or level to secure State information. And so,
obviously things like this are very difficult because it is
about end-user awareness and training, and all the systems we
have put in place may not be able to protect us from this.
However, being able to commit those resources and the team
that we have and being able to manage the staffing, that is a
huge challenge to manage, to actually retain staff, the talent
we need in Oklahoma to do this.
Now, NASCIO, polling all 50 States, finds on average the
State CIO's office for each State has anywhere from 5 to 15
cybersecurity analysts full-time. That is not a very deep
bench. And, where we are constantly struggling to be able to
train and retain these folks and trying not to lose them to
private industry for sometimes better, higher-paying jobs, we
also find that they get very frustrated because when they are
working within the State government, they are working with all
the different Federal Agencies that we touch. We find this
scenario kind of like a well-trained physician who has gone to
school for many years and practiced and wants to go heal
people, and he finds himself in a practice where he is being
told, ``Just put a Band-aid on it and move on. You do not have
time to treat the illness. You have to just put a Band-aid on
it.''
Our cybersecurity folks feel like that is what they are
being told, ``Put a Band-aid on it. Check the box. Move on.''
There are too many things behind this to worry about, so they
cannot go focus on the true issues. They cannot go out and find
the next innovative solutions, look at the tools that are
available to them, or develop the tools that are necessary in
many cases to protect the way we know we could. And, that is
kind of the struggle we have, which is----
Senator Lankford. So, how do we fix that?
Mr. Reese. So, I think we have to simplify the
communication, first off, like you said. I can just only
imagine the man-hours that could be saved within a State if we
were to simplify these regulatory challenges we have. I could
focus these folks more on these type of issues and less on just
doing audits alone.
Some great examples we have, like the State of Maine
documented last year they spent over 11,000 hours in audits.
These are the same folks that are trying to address these
problems. Eleven thousand hours were spent on audits, working
with six Federal Agencies and trying to review over 1,000 pages
of regulatory compliance. They could do some pretty amazing
things if those man-hours could have been truly focused on
forward-thinking solutions rather than just trying to check the
box and appease----
Senator Lankford. Filling out paperwork, trying to track
down answers to someone's questions, yet another audit from yet
another agency, multiply the audit that just came 6 months ago
from somebody else, and on and on.
Mr. Reese. Exactly.
Senator Lankford. Let me make just a quick comment, and
then let me get this back to the Chair. I can assure you the
Russians were probing our systems in 2016. They are actively
pursuing what they are going to do for 2018 elections. Each
State manages their State's integrity of their voting systems
and what happens there. I know you are all actively involved in
that. But, if they are able to engage in any State election
system, alter any data or exfiltrate any data in 2018, I cannot
imagine the pressure both on that State and on the Federal
Government to be able to explain when we had 2 years of
warning.
So, that is all something you are all aware of. That is
nothing new to any of you. You deal with those issues all the
time. But, it is something that we have to pay attention to
here, and I know you are paying attention to, and I appreciate
what you are doing to be able to protect the integrity of the
systems and a lot of very personal data that our systems have.
Chairman Johnson. Thank you, Senator Lankford.
I will also point out, just pay attention to the trial in
Montenegro about what Russia did, basically a coup attempt
prior to their election. So, this is not something unusual or
they just do in America. They are attacking countries across
the world. Senator Peters.
OPENING STATEMENT OF SENATOR PETERS
Senator Peters. Well, thank you, Mr. Chairman, and I will
concur with that last comment. I just came back from Lithuania
and Latvia, which are also subjected to constant attacks from
the Russians as well, and very concerned about their security,
and being right on the border with Russia puts them at
significant risk. This is something we have to grapple with in
a broad-based way, and I appreciate this hearing. And, I
certainly appreciate each of the folks who have testified
today. I think without question cyber is the most significant
national security risk that we face, and the fact that we are
coming together to figure out how to do this in a more
effective way is incredibly important.
But, I want to focus on one particular industry that I have
been actively engaged with, will continue to be actively
engaged with as a Senator from Michigan, and it is the auto
industry. Perhaps the most transformative new technology that
is coming down the pike that will be every bit as big if not
bigger as when the first car came off of the assembly line, and
that is autonomous vehicles, which will be changing how we
think about mobility. It is going to offer some incredible
promises in terms of safety. We can eliminate most auto
accidents, and at a time when 40,000 people die on our highways
every year, that is a big deal, in addition to all of the other
injuries that occur. You will be able to change the way
vehicles are out on the road as far as spacing, as well as how
we organize our communities, all of those wonderful things.
But, by the same token, all these vehicles are going to be
connected to each other, and it only works with vehicle-to-
vehicle technologies, where a Ford is speaking to a Toyota and
a Toyota is speaking to a Nissan and then a GM, and the
infrastructure will be talking to these vehicles as well. We
will have bridges that will tell our cars that they are icing
over, and the cars will automatically respond to that
incredibly important and exciting technology.
But, with a shift in technology, we also have to make sure
our policies are keeping up with that and, in particular, when
it comes to cyber. As I have often said, it is one thing for
someone to break into your bank account and steal your money.
You are pretty angry about that. If someone breaks into your
car and drives you into a wall, that is existential. That is
considerably worse. So, we have to make sure we are hardening
these systems.
SAE International, a standards development organization for
engineering professionals, has begun to promulgate some basic
standards for the automobile industry, such as taxonomy and
definitions that currently have been serving as a basis for
Federal AV guidance. In fact, I am working on legislation now
with Senator Thune to deal with some AV guidance issues as
well.
But, Mr. Feeney, I am going to start with you. For the auto
industry, even a small number of conflicting or duplicative
regulations would obviously significantly impact AV technology
development. To maintain the current pace of innovation, what
are your thoughts on the role of voluntary risk-based
guidelines as a technical basis for future AV cybersecurity
standards?
Mr. Feeney. Right. Thank you for that question. I think it
is critical. I have been a control owner, if you will, in cloud
operations. I have been a CIO, and now I am doing more work on
the policy and governance side. And, what I find is that the
closer you get to a framework--we happen to like NIST, and we
actually think about it in a customized way. It incorporates
risk, it incorporates judgment, it incorporates flexibility to
adapt, which is something that is critical in the space you
just described, and it will adapt fast. It allows you to be
nimble.
So, I think if you set standards, you adopt them ahead of
time, you build in by design the approach you want to take
versus bolting it on later, that is a critical aspect of
getting it right. It will never be 100 percent right. We
mentioned some of the things that go on in this space. It is a
dynamic threat environment from the external side. But, you
have to have those bases in place in order to accomplish what
you are looking to do, and I think that is an appropriate and
probably best practices way to go about it.
Senator Peters. Any thoughts?
Mr. Nutkis. Yes, I would agree with that. So, from our
perspective, we certainly develop and are based on risk-based.
Because we saw the whole threat landscaping and our previous
iterations were based on our breach data and how we looked at
the threat based on a retrospective, we actually went
prospective now to say that we are going to look at the
emerging threats and actually build those into our framework so
the framework becomes more threat-based, even risk-based. So,
based on the threats that we see emerging, the framework
actually evolves.
The one caution I would make is understanding how you
measure the effectiveness of the framework and then also
transparency. Just because you have a framework, how do you
ensure that they are actually complying with it effectively?
And then, when one person looks at it, just as we heard from
Mr. Reese, you could have 14 audits using the exact same set of
guidance and get 14 different results. So, ensuring that
everybody knows how to do that.
Senator Peters. Mr. Garfield.
Mr. Garfield. Yes, I think the example that you just gave
speaks to the convergence that is taking place in our world,
but also the lack of convergence that is taking place on the
policy side. And so, that is why standards are so important,
because they speak to and accomplish all of the things that the
other witnesses have pointed to. But, as well, the oversight
both from the Congressional level but a central point in the
Executive Branch where we can avoid these redundancies on top
of that broader strategy and that flexible framework is
absolutely essential and important as well.
Senator Peters. Mr. Reese.
Mr. Reese. So, in Oklahoma, from a State perspective, when
we look at things such as autonomous vehicles, you start
looking at from a State perspective the intelligent
transportation systems, we work very closely with our Oklahoma
Department of Transportation, and we have done a great job
focusing on where we can help them with financial systems and
administrative systems alike. And, when we get into things that
are really specific niche areas, such as intelligent
transportation systems and how they manage and share those, the
challenges we get into when we sit down at the table and we
start talking about how we are going to leverage the State's
infrastructure or how we are going to leverage the State's
cybersecurity efforts and the things that our security
information officer has put in place to protect all of these
systems, they start feeling challenges and pushback from their
Federal partners who tell them, ``No, no, no, no, no. When it
comes to intelligent transportation systems, you are basing a
lot of that infrastructure and building it out on Federal
dollars.'' And, their Federal partners are telling them if that
control in any way shifts to a centralized IT office, such as
the CIO's office, they are going to lose funding. And, that is
truly the mind-set that a lot of Agencies have because they are
basing that on past audit experiences they have had, from
third-party auditors that came in, and they are making the
determinations and setting that example of how those Agencies
now interpret what they should be doing and how they should be
engaging with my office and moving forward, and often, without
proper guidance and being able to get questions answered
timely, we end up using the most restrictive interpretation of
the Federal guidelines and it costs us more money, and it slows
us down.
Senator Peters. All right. Well, thank you for your
thoughtful responses from all of you. I appreciate it.
Chairman Johnson. Thank you, Senator Peters.
I want to thank all of our witnesses. Normally, I say this
before the hearing, but we had the business meeting. But, I
talk to the witnesses, and I say the purpose of this hearing,
of every hearing, literally is to lay out a reality, to define
the problem so that you can find areas of agreement, to work
toward a bipartisan solution. I think you saw that is exactly
what happened here today. I want to thank all the Committee
Members, Senator Peters, my Ranking Member--who is at a Finance
Committee hearing. We are juggling a lot of balls here. But, I
think what you have witnessed here is by laying out a reality,
by defining the problem, by looking for areas of agreement, I
think this is an important hearing. I will encourage everybody
to take a look at your thoughtful testimony, which is in far
greater detail than what you were able to provide just in terms
of your verbal testimony. We have really described the problem
in a way that we can all take a look at what the solution needs
to be. And, it is about harmonizing. It is about integrating.
And so, I am looking forward to working with my colleagues
that were here and asked great questions, and let us write a
piece of legislation. Working with the witnesses, working with
your groups, let us get that central point within government so
we can streamline this, so that we can certainly take the
burden off of States, the health care industry, the financial
industry, every industry, so that we can secure our cyber
assets. This is an enormous threat. We have to recognize that.
But, again, that is what this hearing really pointed out. So,
again, I just want to thank all of our witnesses for your
written testimony, your thoughtful answers to our questions,
and your verbal testimony.
With that, the hearing record will remain open for 15 days
until July 6th at 5 p.m. for the submission of statements and
questions for the record. This hearing is adjourned.
[Whereupon, at 11:51 a.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]